If you are a US company, you are already compromised.

One of the most effective cryptosystem attacks

Silicon valley folks seem to forget that technology is always limited, especially around cryptography. From Bloomsberg:

The companies, burned by disclosures they’ve cooperated with U.S. surveillance programs, are protecting user e-mail and social-media posts with strengthened encryption that the U.S. government says won’t be easily broken until 2030.

That’s all great and all, but there’s a big problem here. It doesn’t matter at all.

Cryptosystems always have the “large-bag-of-money” attack, the “rubber-hose” attack and the “throw-you-into-jail” attack. In the US, the “throw-you-into-jail” attack is particularly easy to use, and is being used as shown by Lavabit, comments by Yahoo’s CEO and the Snowden leaks.

You see, cryptography requires trust, the ability to know that the secret keys have not been transmitted to a untrusted third party. In the US, with the Lavabit case, it has been shown that a US company can be coerced to give up the primary private keys for its cryptosystems. What is worse is that they can be forced to do this and forced to not tell anyone.

This means, put simply, as long as you are an American business, your security must be considered suspect until such laws are put into place forbidding the US government from requesting blanket access to such keys.

It doesn’t matter if you have a gold plated private fiberoptic wire encrypted with the finest 512-bit AES encryption, and guarded at both ends by men with assault rifles and hand grenades. If the US government can demand that they get the get private key, all bets are off.

The only possible way for US cloud services to be considered secure/trustworthy moving forward is for them to either blatantly violate the law (ala Lavabit), force the law to change through heavy lobbying, or move all of their operations off shore and legally ensure that the private keys are out of the reach of the US court system.

If you believe this security theater by Google and other Silicon Valley folks will make a real difference, you are a fool.

“No, we’re not playing with your toys.”

As my son grows up, I find myself doing the strangest things and having the strangest thoughts, mostly when I try to put myself into his shoes.

For the first 6 months, he was really amazing, when we put him down for the night he’d usually suck on his thumb and be out like a light. Now, I have to be slightly more cautious during those first 2-5 minutes after putting him down, lest he get distracted from his goal of sleeping. Usually, during this time, I go and clean up his toys and put them away.

However, I keep on having the strangest thought when I do it and accidentally set off one of the musical or noisy toys, especially when it really sets him off. If I was him and I heard that, what would I think?

I imagine that in his head mommy and daddy are both outside his door playing with his toys now that he is done with them. That all we do when he goes to sleep is play with his stuff.

Image

No wonder he gets upset! I would get upset too if I was put into a dark room so other people could play with my toys without me there.

US businesses need to stand up, or we must stop using them.

Silent Circle, a very respected cryptography company has made a sudden move this week, removing the default setting for encryption systems, AES and SHA-2, from their software; 2 NIST standards:

We are going to replace our use of P–384 with that new curve, or perhaps two curves. We are going to replace our use of the AES cipher with the Twofishcipher, as it is a drop-in replacement. We are going to replace our use of the SHA–2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense. (Full disclosure: I’m a co-author of Skein and Threefish.) Threefish is the heart of Skein, and is a tweakable, wide-block cipher.

Note, they don’t say that these algorithms are broken, just that they are uncertain that they not “not broken.” Considering Schneier is involved with these folks and has seen the documents, this immediately give me pause with using any cryptographic standard that NIST has outlined.

Which is utterly frustrating considering the fact that we could be entirely wrong and the standards are valid.

Now, another big reveal, this time from Lavabit’s legal proceedings:

The U.S. government in July obtained a search warrant demanding that Edward Snowden’s e-mail provider, Lavabit, turn over the private SSL keys that protected all web traffic to the site, according to to newly unsealed documents.

Now, if you don’t know cryptography, I cannot quite express how utterly frightening this is. This means that they demanded that Lavabit hand over its root certificates. Thus, no matter what anyone did, the traffic would be easily decrypted by the US government. The NSA could have easily requested this from Google, Yahoo, etc. Thus making SSL totally pointless with those entities.

In fact, it makes doing any confidential work lying on American “cloud” hardware totally open. As in, those pictures you have on your Dropbox are likely not secure; or those confidential emails you have on your Amazon cloud server are not confidential at all; or even worse, any private details you have actually encrypted and put onto a private server in the US is likely not secure at all.

In other worse, all American businesses are suspect. Not because they are untrustworthy, but because they have no choice.

In fact, let’s go one step further. What if the NSA asked for the root certificates for a major CA? If they did, would that CA give it to them? Considering that Yahoo’s CEO has openly stated they are afraid of defying the NSA in case they will be thrown in prison:

“We can’t talk about it because it is classified,” she continued. “Releasing classified information is treason, and you are incarcerated. In terms of protecting our users, it makes more sense to work within the system.”

So, it wouldn’t be outside of belief that the NSA has gotten the private key for a major certificate authority.

If so, then SSL is broken. They can Man in the Middle any SSL communication and decrypt it trivially. So you can’t use SSL anymore and expect secrecy.

Now, what about all of those other standards outside of SSL?

Since NIST is the primary force behind AES, SHA and the other standards we are all reliant on, we cannot believe they are secure anymore. The whole system is brought down, and now needs to be rebuilt using algorithms that are free of the taint of the actions of the NSA for the past decade.

So it’s starting to look like it’s time to leave the US cloud behind until they can sort out their privacy issues.

I note though, this may be extreme, there are some solutions which can allow for servers to be used in the US where even if root certificates are requested, the data stored will remain secure. In fact, Panda Rose is working on one right now. However, if you have secure data, be it private corporate data, or private personal data, you better not put it into the hands of an American business and consider it to be secure.

This,sadly, also includes data your are concerned about corporate espionage around as the leaks have shown that the NSA has been openly involved in economic and corporate espionage as well.

Why I fired Google

One of the many reasons I’ve been leaving Google for other services.

Searal - Parallel Search

One of the examples I am showing up here is that why I am using Searal now and fired google search from my browser –

I was looking for the solution for this query “JBAS014688: Wrong type for max-threads. Expected [EXPRESSION, INT] but was OBJECT

And check out what is google results –

Google

And then I have searched on Searalwhich is saying that it provides relevant results quicker –

searal

Searalis a simple idea, but I think it definitely provides better results and solve the purpose. Not even that before this I only see what google wants me to see. But now I can independently see different results from different search engines. And then I can choose to best from it. This is one of the proofs.

View original post

How to start a secure browser: Quark

Ran across this paper today about a pretty cool new browser, Quark:

Quark, a browser whose kernel has been implemented and verified in the Coq proof assistant. We give a specification of our kernel, show that the implementation satisfies the specification, and finally show that the specification implies several security properties, including tab non-interference, cookie integrity and confidentiality, and address bar integrity.

Let’s put this into more simple terms. Unlike standard programming practice with unit tests, which essentially test cases that the developer defines, these go one step further and prove that the base kernel of the system will do precisely what is specified and nothing else, if all of the assumptions are valid about the OS-base, etc.

This is to programming what mathematical proofs are to mathematics. A unit test suite is similar to doing scientific experiments and deducing your system matches the specs perfectly, a proof in programming is precisely the same as a proof in mathematics. It stops being a theory and starting being absolute fact.

This is pretty cool, especially since the code is all there to work with; proven (literally), and entirely open for review. Perhaps this will inspire some security types to do the same with cryptographic kernels.

Epic, a privacy browser with a fatal flaw

I ran across this new browser recently, Epic.

Why should I use Epic?

When you use the Epic Privacy Browser, you get privacy in a fast, simple browser! Have a fabulous browsing experience and gain privacy over what you browse and search. Protect your browsing and searches from hundreds of companies and governments.

Awesome, except for one thing – The software is closed source, and worse is supported by essentially a form of advertising.

Epic like most browsers earns a commission on searches we drive. So the more you use Epic’s default search engine, the more you support Epic and our continued privacy efforts

Combine this with the fact it is owned by a private company based out of the US (and thus subject to NSL and the like.)

Hidden Reflex is a privately-funded software start-up company based in the United States

Sadly, great idea, bad execution. If you want to have a higher assurance of privacy, you shouldn’t use this, use an open source browser with appropriate security related plugins – NoScript, RequestPolicy, Adblock edge (Not Adblock plus, which has been compromised). These are a good start, there are others out there that can help even more.

Sadly, if you are a company that wants to provide a believable amount of privacy, you must do at least the following:

  • Your company cannot be based out of the US (Lavabit had to shut down, likely to avoid being forced to put backdoors in it’s software). I am forced to assume that any organization based out of the US is (or can be) similarly compromised.
  • Your company needs to have it’s software open sourced. You can keep the copyright on the brand however. (Open Sourced software allows for more public review of the code.)
  • You company needs to not use servers in the US to store your code or installer and you should have a hash of your installer to assure it’s not been tampered with.

Without those 3 things, you can no longer claim your software has privacy in mind and be believed anymore.

Google, this doesn’t prove anything

You can paint over this, but it will still just rust through.

Google is trying to put on a good show of security theatre recently, and the media is almost falling for it (via WaPo)

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

I really want to say this means something, but it doesn’t. As we saw just a few days ago, the NSA is more than willing and able to put backdoors into everything. They could encrypt every bit of traffic between all of their servers, and it would be meaningless if they were forced to give away the root keys via a NSL, or had someone inside of Google who could place a “bug” or get the certificates themselves.

They almost recognize this, but miss the target by about a meter.

Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers.

No, it doesn’t make any difference with mass surveillance, none at all. If they don’t fight the NSLs directly and have a proven audited system to assure that there are no spooks inside planting bugs or giving out root keys, then they haven’t done anything more than security theatre.

This doesn’t change a thing, as long as Google is in the US and these NSLs get issues without any real oversight or transparency, then they could one-time pad everything between their servers and it would mean very little. The system is compromised, it is proven to be compromised.

If you have a rusty piece of metal, no amount of rust paint will top the rust. You need to get rid of the rust first. American businesses need to show that they are willing to actually defy these orders to prove to anyone that they are trustworthy again. Lavabit did, but they don’t have the resources of Microsoft, Google or Amazon.

Sucks, but it’s a fact. If you want secure transmissions and need confidentiality, you cannot use American services with any certainty anymore, even if they put on a big show.