CAT | Cryptography
“In the latest security lapse involving the Internet’s widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.” (more…)
Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.
It is not at all clear why they were doing this, but we do know how. When an email client attempts to make a secure connection to a server, it sends a STARTTLS command. If the server never sees the STARTTLS, then it assumes you just wanted an insecure connection. (more…)
In the article below Attorney General Eric Holder said ““It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy”
This is simply not true, and harkens back to the discredited arguments made by the FBI in the 1990’s about the Clipper Chip. It is hard enough to make secure computing systems, and we are not very good at it as all the breaches demonstrate. Intentionally introducing a vulnerability, which is the essential nature of back door or law enforcement access, is madness. If there is a back door, then keys exist, and can be compromised or reverse engineered. It is an added complexity to the system, which is almost certain to introduce other vulnerabilities. Its use would not be restricted to the US. Once it exists every government will demand access.
Social media and the cloud have tilted the balance of power absurdly towards law enforcement. This argument that they must retain access to encrypted cell phones is fatuous.
Since it was introduced, Apple has had the ability to decrypt the contents if iPhones and other iOS devices when asked to do so (with a warrant).
Apple recently announced that with iOS 8 Apple will no longer be able to do so. Predictably, there has been a roar of outrage from many in law enforcement. [[Insert my usual rant about how recent trends in technology have been massively in favor of law enforcement here]].
This is really about much more than keeping out law enforcement, and I applaud Apple for (finally) taking this step. They have realized what was for Anonymizer a foundational truth. If data is stored and available, it will get out. If Apple has the ability to decrypt phones, then the keys are available within Apple. They could be taken, compromised, compelled, or simply brute forced by opponents unknown. This is why Anonymizer has never kept data on user activity.
Only by ensuring that they can not do so can Apple provide actual security to it customers against the full range of threats, potentially least of which is US law enforcement.
The Massachusetts High Court recently ruled that a suspect can be compelled to decrypt disks, files, and devices which have been seized by law enforcement. The crux of the question before the court was whether compelling the password for decryption is forbidden by the Fifth Amendment protection against self incrimination.
The analogy one most often sees is to being compelled to provide the combination to a safe, the contents of which are subject to a search warrant. That is well settled law, you can be compelled to do so.
The court said:
We now conclude that the answer
to the reported question is, “Yes, where the defendant’s compelled decryption would not
communicate facts of a testimonial nature to the Commonwealth beyond what the defendant
already had admitted to investigators.” Accordingly, we reverse the judge’s denial of the
Commonwealth’s motion to compel decryption.
In this case, there was nothing testimonial about decrypting the files because the defendant has already admitted to owning the computers and devices, and to being able to decrypt them.
The much more interesting situation will come in a case where the defendants say they never had, or have forgotten, the password. One can not be compelled to do something impossible, but generally the proof of the impossibility falls on the defendant. In this case one would have to prove a negative. How could you prove that you don’t have the password? The only thing that can be proved is that you do, and that only by doing so.
This ruling is only binding in the sate of Massachusetts, but is likely to be influential in cases in other areas.
Steve Gibson shares recent messages exchanges with some of the developers of TrueCrypt. These further suggest a boring explanation of the shutdown, as opposed to more nefarious explanations.
For years, TrueCrypt has been the gold standard open source whole disk encryption solution. Now there is a disturbing announcement on the TrueCrypt website. Right at the top it says “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”.
The rest of the page has been changed to a notice that development on TrueCrypt stopped this May, and directions for migrating from TrueCrypt to BitLocker, the disk encryption tool built in to Windows. Of course, this is of little help to anyone using TrueCrypt on Mac or Linux. It is still possible to download TrueCrypt from the site, but the code now will not create new vaults, and warns users to migrate to a new platform.
There are certainly alternatives, but this is a real shock. On Mac, one could always use the built in FileVault tool. Linux users may have a harder time finding a good replacement.
The big question is, what the heck is actually going on here. This is all far too cryptic, with no where near enough actual information to draw intelligent conclusions.
A recent independent audit of TrueCrypt discovered “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”
There are a number of theories about what is going on ranging from credulous to paranoid.
- Like Lavabit, they received a National Security Letter requiring compromise of the code. This is their way of resisting without violating the gag order.
- They have been taken over by the government, and they are trying to force everyone to move to a less secure / more compromised solution.
- There really is a gigantic hole in the code. Releasing a fix would tell attackers the exact nature of the vulnerability, which most people would take a very long time to address. Having everyone migrate is the safest solution.
- Some personal conflict within the TrueCrypt developers is leading to a “take my ball and go home” action.
- The developers only cared about protecting windows users with XP or earlier, which did not have the built in disk encryption. Now that XP support has ended, they don’t feel it is valuable any more. This is suggested by the full wording of the announcement.
- The website or one of the developer’s computers was compromised, and this is a hack / hoax.
The whole thing is really odd, and it is not yet obvious what the best course of action might be.
The safest option appears to be to remove TrueCrypt, and replace it with some other solution, either one that is built in to the OS, or from a third party.
Attorney General’s new war on encrypted web services – Security – Technology – News – iTnews.com.au
Australia’s Attorney-General’s department is proposing that all providers of Internet services ensure that they can decrypt user communications when so ordered. Any services where the provider has the keys will obviously be able to do this.
Australians may want to start to start taking steps to protect themselves now.
End to end encryption is your friend. At least that way, you need to be informed and compelled if they want access to your data.
Another important step is to get your “in the clear” communications into another jurisdiction using a VPN service like Anonymizer Universal.
Finally, let your voice be heard on this issue by reaching out to your members of parliament.
There is a good analysis of the nature and implications of the latest “Bullrun” leaks over at A Few Thoughts on Cryptographic Engineering. It is worth reading.
Declan McCullagh at CNET writes about the most recent skirmish over whether a person can be forced to decrypt their encrypted files.
In this case, Jeffery Feldman is suspected of having almost 20 terabytes of encrypted child pornography. Evidence of use of eMule, a peer to peer file sharing tool, showed filenames suggestive of such content. Child porn makes for some of the worst case law because it is such an emotionally charged issue.
A judge had ordered Mr. Feldman to decrypt the hard drive, or furnish the pass phrase, by today. After an emergency motion, he has been given more time while the challenge to the order is processed.
The challenge is over whether being compelled to decrypt data is equivalent to forced testimony against one’s self, which is forbidden by the Fifth Amendment. The prosecution position is that an encryption key is similar to a key to a safe, which may be compelled. Some prior cases have come down on the side of forcing the decryption, but not all.
If it was plausible that the suspect might not know how to decrypt the file, that would make things even more interesting. For now, the moral of the story is that you can’t rely on the Fifth Amendment to protect you from contempt of court charges in the United States if you try to protect your encrypted data. Outside the US, your mileage may vary.