(New Paper) Blindly Signed Contracts: Anonymous On-Blockchain and Off-Blockchain Bitcoin Transactions

Although Bitcoin is often perceived to be an anonymous currency, research has shown that a user’s Bitcoin transactions can be linked to compromise the user’s anonymity. We present solutions to the anonymity problem for both transactions on Bitcoin’s blockchain and off the blockchain (in so called micropayment channel networks). We use an untrusted third party to issue anonymous vouchers which users redeem for Bitcoin. Blind signatures and Bitcoin transaction contracts (aka smart contracts) ensure the anonymity and fairness during the bitcoin ↔ voucher exchange. Our schemes are practical, secure and anonymous. - Blindly Signed Contracts: Anonymous On-Blockchain and Off-Blockchain Bitcoin Transactions
Is PlayStation 4 Network Traffic Especially Difficult to Decrypt?
There has been much speculation in the media about PlayStation 4 (PS4) game consoles being used in the recent Paris terrorist attacks. However, there is no evidence that a PS4 was connected to the Paris attacks. Most of the media accounts quoted Belgian Minister Jan Jambon, who claimed, days prior to the attacks, that communication via a PS4 was “the most difficult” for intelligence agencies to decrypt and track. In this blog entry I examine the Belgian Minister’s statements and analyze the secrecy and anonymity provided by Sony’s PS4, concluding that I was unable to find any evidence supporting Minister Jambon’s remarks.

How it started:
Soon after the terrorist attacks on Paris, Paul Tassi, a journalist at Forbes magazine, wrote:
“Following Friday night’s terrorist attacks in Paris[..], authorities are discovering just how the massacre was planned. And it may involve the most popular gaming console in the world, Sony’s PlayStation 4. [..] Evidence reportedly turned up included at least one PlayStation 4 console. Belgian federal home affairs minister Jan Jambon said outright that the PS4 is used by ISIS agents to communicate, and was selected due to the fact that it’s notoriously hard to monitor.” - How Paris ISIS Terrorists May Have Used PlayStation 4 To Discuss And Plan Attacks
A day later Tassi was forced to post a correction [1] stating that there was no evidence of a PS4 found in any of the raids and that Jan Jambon’s comments about terrorists using PS4s to communicate were made days prior to the attacks and were unrelated to them. Tassi said that he “misread the minister’s statement” [2]. His misreading had serious repercussions: the Chair of the FCC, Tom Wheeler, used the incorrect Tassi story to argue for new spying laws [3]. Paul Tassi’s reporting was based on two quotes by Minister Jan Jambon, a Flemish politician appointed last year to the office of ‘the Vice-Premier and Minister of Security and Home Affairs, in charge of State Buildings’. The first quote comes from an interview [4] conducted by Matthew Kaminski:
Jan Jambon: “I heard that the most difficult communication between these terrorists is the PlayStation 4. ”
Matthew Kaminski: “Really?”
Jan Jambon: “Yeah, yeah, it is very very difficult for our services, not only our services, Belgian services, all the international services, to decrypt the communication that’s done via PlayStation 4.”
Matthew Kaminski: “Have you cracked WhatsApp?”
Jan Jambon: “WhatsApp is also a difficult one, but there we could, not we not me, but the services could decrypt WhatsApp, but PlayStation 4 should be very difficult. It’s a challenge.”
The second quote first appeared in the Belgian publication ‘the Bulletin’ and is reportedly from the same interview with Matthew Kaminski [5].
“PlayStation 4 is even more difficult to keep track of than WhatsApp” - Jan Jambon
Since very little is known about the Paris attacks or how the terrorists communicated, I will avoid speculating on that. Instead I want to investigate the two quotes made by Jambon. First, does the PS4 encrypt communication in such a way that it is “the most difficult” to decrypt when compared with other communication services? Second, is the PS4 “more difficult to track than WhatsApp”?
How Good is the PS4 at Encrypting Network Traffic?

To answer this question, I examined a recording of the network traffic sent and received by a PS4 running the game Dragon Age Inquisition. The communication can be broken into two groups: (1) communication between the PS4 and the PlayStation Network (PSN) and (2) communication between the PS4 and other parties. I will first look at PS4 to PSN communication and then briefly describe the communication with other parties.
The PlayStation Network (PSN) is a social networking and identity service offered by Sony. According to Sony’s documentation a PS4 user must register and sign into the PlayStation Network (PSN) before playing online games [6]. Much of the communication functionality offered by the PS4 is provided by the PSN. I found that while a small amount of the PS4-PSN communication was in the clear (unencrypted), much of it was protected by TLS. TLS is the same encryption technology that protects HTTPS websites; twitter, reddit and wikipedia, for instance, are protected by TLS. In TLS a client performs a handshake protocol with the server to establish an encrypted connection by agreeing on a shared encryption key and cipher.
Like many technologies, TLS can offer different levels of protection, from totally broken to very secure, depending on the version used and how it is configured. Interestingly, the PS4 was running multiple TLS clients with different versions and configurations, and on the server side PSN was also running multiple versions and configurations of TLS. The more configurations you run, the more likely it is that one of them will be broken. The versions of TLS used by the PS4 range from the very old TLS 1.0 (developed 16 years ago, in 1999) to the most recent, TLS 1.2 [7] (developed in 2008).
Many of the TLS configurations I observed were insecure and provided only weak security. Some of the certificates sent by the PSN TLS servers used the insecure signature algorithm ‘SHA1withRSA’. NIST deprecated it in 2011 and stated that “it shall not be used after 2013” [8]. Google Chrome marks certificates signed with ‘SHA1withRSA’ as “affirmatively insecure”.

Even worse, many of the PS4 clients and the PSN servers included the insecure RC4 cipher in their cipher suites [9]. Microsoft recommends completely disabling and disallowing RC4 on all systems, and RC4 is so dangerous to use that the standards body of the internet, the IETF, wrote an RFC titled “Prohibiting RC4 Cipher Suites” (RFC 7465). The RFC states:
- “TLS clients MUST NOT include RC4 cipher suites in the ClientHello message.”
- “TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a cipher suite in the ClientHello message.”
- “If the TLS client only offers RC4 cipher suites, the TLS server MUST terminate the handshake. The TLS server MAY send the insufficient_security fatal alert in this case.”
It gets worse: not only do some of the PS4 TLS clients include RC4 in their cipher suites, but, fatally, the PSN server actually uses RC4 for TLS connections (see image below). This is particularly dangerous because RC4 is considered cryptographically broken. If an encrypted TLS connection uses a broken cipher, an adversary might be able to decrypt the messages. For instance, researchers have performed practical plaintext recovery attacks [10][11] against TLS when using RC4.
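As an added illustration (not code from the original post), here is a small Python policy checker that encodes the three RFC 7465 rules quoted above together with the SHA-1 certificate check from the previous paragraph. The cipher-suite names are the IANA registry names; the offered and selected lists at the bottom are constructed samples, not captured PS4 or PSN handshakes.

```python
"""Policy check for TLS cipher-suite offers and selections, in the spirit of
RFC 7465 ("Prohibiting RC4 Cipher Suites") and NIST SP 800-131A's SHA-1 cutoff.

Added example, not code from the original post. Cipher-suite names are the IANA
registry names; the offered/selected lists at the bottom are constructed
samples, not a capture of PS4 or PSN handshakes."""

from typing import List, Optional


def is_rc4_suite(suite: str) -> bool:
    """RFC 7465 applies to every suite whose bulk cipher is RC4; in the IANA
    naming scheme that is any suite whose name contains the token '_RC4_'."""
    return "_RC4_" in suite


def check_client_hello(offered: List[str]) -> List[str]:
    """Rule 1: 'TLS clients MUST NOT include RC4 cipher suites in the
    ClientHello message.' One finding per offending suite, in offer order."""
    return [f"client offers RC4 suite {s}" for s in offered if is_rc4_suite(s)]


def check_server_choice(offered: List[str], selected: Optional[str]) -> List[str]:
    """Rules 2 and 3: the server MUST NOT select RC4, and when the client offers
    only RC4 the server MUST terminate the handshake (it MAY send the
    insufficient_security alert). selected=None means the server aborted."""
    findings: List[str] = []
    if selected is None:
        return findings  # aborting the handshake is always policy-compliant
    if selected not in offered:
        findings.append(f"server selected {selected}, which the client never offered")
    if all(is_rc4_suite(s) for s in offered):
        findings.append("client offered only RC4 but server completed the handshake "
                        "instead of terminating with insufficient_security")
    elif is_rc4_suite(selected):
        findings.append(f"server selected RC4 suite {selected}")
    return findings


def check_cert_signature(sig_alg: str) -> List[str]:
    """Flags a certificate signed with SHA-1, which NIST SP 800-131A says shall
    not be used for signature generation after 31 December 2013."""
    lowered = sig_alg.lower()
    if "sha1" in lowered or "sha-1" in lowered:
        return [f"certificate signed with deprecated algorithm {sig_alg}"]
    return []


def audit(offered: List[str], selected: Optional[str], sig_alg: str) -> List[str]:
    """Runs all three checks on one observed handshake."""
    return (check_client_hello(offered)
            + check_server_choice(offered, selected)
            + check_cert_signature(sig_alg))


# Constructed samples: a configuration like the weak one described above, and
# a hardened one that offers only AEAD suites with forward secrecy.
WEAK_OFFER = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5",
              "TLS_RSA_WITH_AES_128_CBC_SHA"]
WEAK_SELECTED = "TLS_RSA_WITH_RC4_128_SHA"
WEAK_SIG = "SHA1withRSA"

STRONG_OFFER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
STRONG_SELECTED = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
STRONG_SIG = "SHA256withRSA"

if __name__ == "__main__":
    for finding in audit(WEAK_OFFER, WEAK_SELECTED, WEAK_SIG):
        print("weak config:", finding)
    print("hardened config findings:", audit(STRONG_OFFER, STRONG_SELECTED, STRONG_SIG))
```

The weak sample produces four findings (two RC4 suites offered, RC4 selected, SHA-1 certificate); the hardened sample produces none. The checker deliberately treats an aborted handshake as compliant, because terminating is exactly what the third rule requires when a client offers nothing but RC4.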

The above is not a complete list of all the cryptographic sins of PS4-PSN communication, but it is sufficient to show that not only is PSN significantly more vulnerable cryptographically than other standard communication platforms such as twitter, reddit, or wikipedia [12], but it fails to meet the bare minimum industry best practices [13].
Let’s pretend for a moment that Sony deployed stronger encryption: would PS4-PSN communications be difficult for intelligence agencies to decrypt? No, and let me explain why. TLS allows two parties to communicate privately, but in this case one of those parties is PSN, i.e. Sony. This means it is very likely that intelligence agencies only have to ask Sony for its encryption keys to decrypt PSN traffic. Sony even says they will share PSN activity (messages, voice, videos, etc.) with appropriate authorities in their Terms of Use [14]:
“Are we monitoring PSN? Yes but we can’t monitor all PSN activity [..]. However, we reserve the right [..] to monitor and record any or all of your PSN activity [..]. Your use of PSN and our community features may be recorded and collected by us [..]. Any information collected in this way, for example, your UGM, the content of your voice and text communications, video of your gameplay, the time and location of your activities, and your name, your PSN Online ID and IP address, may be used by us or our affiliated companies to enforce these Terms and the SEN Terms of Service, to comply with the law, [..]. This information may be passed to the police or other appropriate authorities.” - PlayStation Software Usage Terms [15]
Now I will briefly look at communication between the PS4 and other parties. The PS4, once signed into PSN, allows the user to connect to other servers and parties outside the PSN. Much of the network traffic I looked at was UDP traffic from the PS4 to other home internet users. Most of these UDP packets had very high entropy, suggesting that they were encrypted or compressed. If these packets are Dragon Age Inquisition game actions, then it is likely they were using the same network protocol as the PC version. These packets may also have been the VOIP (Voice over IP) service offered by PSN to allow gamers to talk to each other. Given that user identity and credentials are managed by PSN, it seems plausible that a compromise of PS4-PSN encryption would also allow the decryption of VOIP communications.
Is the PS4 harder to track than WhatsApp?
Both WhatsApp and the PS4 limit anonymity out of the box by requiring that users associate their online identity with a real world identifier. When a user connects a PS4 to the PlayStation Network (PSN), the service learns the unique identifier of their PS4.
“SCE will also be able to know your console unique ID and your console IP address which is automatically assigned to your PS4 system by your internet service provider when you connect your PS4 system to the internet.” - PLAYSTATION4 SYSTEM SOFTWARE LICENSE AGREEMENT (Version 1.1)
Not only that, but most multiplayer PS4 games require a PlayStation Plus account. Reading Sony’s documentation, it seems that to register a PlayStation Plus account you must supply credit card and billing records. I don’t own a PS4, so I have not verified this myself.
“In almost all cases, a PlayStation Plus account is needed to play online multiplayer on the PS4.” - PS4 Online Multiplayer Requirements
Similarly, WhatsApp requires that you associate your phone number with your WhatsApp username. In both services this registered information is then used to track and identify users. Thus, neither one is designed to present, nor appears to present, any particular problems from a tracking perspective [16].
Additionally, neither provides anywhere near the level of communications secrecy offered by secure messaging apps. All the messages sent by the WhatsApp client can be decrypted by the WhatsApp server, and, as discussed earlier, since PSN/Sony manages user identities and credentials the same weakness likely exists for the PS4.
For further reading I recommend, “Forensic analysis of a Sony PlayStation 4: A first look” which shows how police can access files and data from a PS4 and that the PSN records and stores user activity on their servers (even if a PS4 was destroyed the data might still be accessible by Sony).
Conclusion:
I was not able to confirm any cryptographic benefit to using the PS4 over other standard communication tools such as gmail, facebook or twitter, nor does Sony promise that the PS4 delivers this functionality. In fact, many things in their documentation suggest the opposite. Furthermore, the PS4 often requires that users hand over information which could identify their real names before they can even begin using it, making it very easy to track. This is not to say I am contradicting Minister Jambon’s statements [17], but in my brief investigation I was not able to find any evidence to support them.
[1] “Correction: It has not been confirmed, as originally written, that a console was found as a result of specific Belgian terror raids. Minister Jambon was speaking about tactics he knows ISIS to be using generally.” - How Paris ISIS Terrorists May Have Used PlayStation 4 To Discuss And Plan Attacks – Updated
[2] “'This was actually a mistake that I’ve had to edit and correct,’ writer Paul Tassi told me this afternoon. 'I misread the minister’s statement, because even though he was specifically saying that PS4 was being used by ISIS to communicate, there is no public list of evidence of what was found in the specific recent raids. I’ve edited the post to reflect that, and it was more meant to be about discussing why or how groups like ISIS can use consoles. It’s my fault, as I misinterpreted his statement.’” - Reporting Error Leads To Speculation That Terrorists Used PS4s To Plan Paris Attacks
[3] “You know, you read in the press that they were using Playstation 4 games to communicate on, which is outside the scope of anything ever considered in CALEA,” Wheeler said. “So there’s probably opportunities to update the ‘lawful intercept’ concept.” - AFTER PARIS, FCC CHAIR SEIZES ON PS4 ISIL REPORTS TO CALL FOR BROADENED WIRETAP LAW
[5] I have been unable to find him making that particular comment in the recorded interview.
[6] Sony refers to games playable without PSN as ‘offline’; see “Play offline games that don’t require any connection to the PlayStation Network.” - Information on Banned Accounts and Consoles
[7] I originally had a typo here saying “TLS-2.0”. Reddit user Tandrial was kind enough to point this out so I could fix it.
[8] “the use of SHA-1 is deprecated for digital signature generation. The user must accept risk when SHA-1 is used, particularly when approaching the December 31, 2013 upper limit. This is especially critical for digital signatures on data for which the signature is required to be valid beyond this date. See Section 5.6.2 of [SP 800-57] for further guidance. SHA-1 shall not be used for digital signature generation after December 31, 2013.” - NIST Special Publication 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
[9] A cipher suite is the set of ciphers that a client or server is willing to use. The client and server then choose among these ciphers to decide on the cipher they will use for the encrypted connection.
[10] “Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS” by Christina Garman, Kenneth G. Paterson and Thyla Van der Merwe.
[11] “All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS” by Mathy Vanhoef and Frank Piessens.
[12] Twitter, reddit and wikipedia all use the latest version of TLS with the most secure configurations. They should all be significantly more difficult to decrypt than PS4-PSN traffic. In some cases, an insecure TLS server configuration is only vulnerable with an insecure client, but Sony set up both insecure TLS clients and insecure TLS servers.
[13] Sony shouldn’t be having these problems, since they control the entire ecosystem, from the hardware to the OS to the software the PS4 runs, which has to meet their certification requirements. They can rapidly change their configuration settings or force other parties to do the same. PSN is a walled garden without the security benefits of a walled garden.
[14] There is some ambiguity in Sony’s use of the word “monitoring” in their terms of use. It could either mean that they can’t record everything players do because some of it is p2p (which seems reasonable) or, and I’ve seen no evidence for this, that they can’t decrypt everything.
[15] “14. Are we monitoring PSN? 14.1. Yes but we can’t monitor all PSN activity and we make no commitment to do so. However, we reserve the right in our sole discretion to monitor and record any or all of your PSN activity and to remove any of your UGM at our sole discretion, without further notice to you. Your use of PSN and our community features may be recorded and collected by us or sent to us by other users as described in 13.1. Any information collected in this way, for example, your UGM, the content of your voice and text communications, video of your gameplay, the time and location of your activities, and your name, your PSN Online ID and IP address, may be used by us or our affiliated companies to enforce these Terms and the SEN Terms of Service, to comply with the law, to protect our rights and those of our licensors and users, and to protect the personal safety of our employees and users. This information may be passed to the police or other appropriate authorities. By accepting these Software Usage Terms, you expressly consent to this.” - Playstation: Software Usage Terms, https://www.playstation.com/en-in/legal/software-usage-terms/
[16] Granted, a user could buy their PS4 or mobile phone with cash, but these are additional steps that users of other services don’t need to take. Any communication technology can be made private given massive amounts of effort. I could imagine someone using a mobile phone as a WhatsApp burner, but a PS4 burner gets expensive quick.
A Brief Examination of Hacking Team’s Crypter: core-packer.
Update: Jos Wetzels just released an awesome blog post which analyzes weaknesses in core-packer’s cryptography. Jos Wetzels uses these weaknesses to build a proof-of-concept which defeats core-packer’s protection.

“It is EASY to bypass commonplace protection systems such as antivirus systems” - David Vincenzetti, CEO of Hacking Team [1]
In this blog entry we investigate how Italian malware vendor Hacking Team obfuscated their malware, specifically the custom software they developed for this task, called core-packer [2]. This analysis was a joint project between Will Cummings and Ethan Heilman.
In July 2015 Hacking Team’s source code and internal documents were leaked online by Phineas Fisher [3] after he compromised their network. When source code from the leak was posted to github we decided to exercise our curiosity about the techniques they used to obfuscate their malware. The Hacking Team leak provides a rare and topical view [4] into the world of malware vendors catering to repressive governments [5].
What are Packers and Crypters?
Packers and crypters are tools which alter malware to frustrate signature based Anti-Virus detection and analysis. They are a crude form of software camouflage.
Packer refers to the fact that a packer uses compression to “pack” an executable into a smaller size. Sometimes this is used solely to reduce file size, but for malware this packing serves a second purpose of making the malware harder to detect and analyze [6]. Crypters provide a similar anti-analysis function but use encryption instead of compression. Both crypters and packers wrap the malware so that when it is run, it is unpacked or decrypted [7]. This behavior is similar to how a self-extracting zip file works, except that this de-obfuscation process happens only in memory, whereas self-extracting zips write the uncompressed contents to disk.
To de-obfuscate the malware once it is run, a stub is added to the obfuscated program. The stub contains all the instructions and cryptographic keys necessary to unpack or decrypt the obfuscated program. When an obfuscated program is run, the stub runs first. Once the stub finishes unpacking/decrypting the malware, it passes control to the now de-obfuscated program. The stub often looks innocent since it only performs a single task.
In the graphic below, we show how a crypter can be used to bypass an Anti-Virus scan for malware.

The idea behind both of these techniques (packing/crypting) is to make it difficult for anti-malware tools to inspect the obfuscated program without running it. Modern Anti-Virus (AV) will attempt to automatically unpack malware, emulating its execution until the malicious payload is revealed and can be scanned. Crypters can include methods to bypass this, some more sophisticated than others: some authors simply delay decryption of the payload long enough that it becomes impractical for the AV to perform this type of dynamic analysis [8].
What is core-packer?
Core-packer is a crypter developed by Hacking Team (while core-packer bears the name “packer”, it is in fact a crypter [9]). Core-packer can be compiled to both a 32-bit and a 64-bit Windows executable. The behavior of the two versions differs: the 32-bit version obfuscates executables, whereas the 64-bit version is only capable of handling DLLs.
Core-packer in Four Steps:

The target exe is the malware which the packer is obfuscating. The core-packer source has been posted to github; we will be linking to relevant lines of code. Our analysis focuses on the 32-bit core-packer crypting an executable; some of the steps are different under other configurations (64-bit, DLLs). The last commit to core-packer was in Sept. 2013, so they may have phased it out in favor of off-the-shelf solutions [10].
Step One: Stub Extraction.
Core-packer has the stub compiled into itself. Upon being run core-packer searches through its process memory to find the stub (named pUnpackerCode in the source code). It identifies the stub code using one of four section names depending on configuration: peexe32, peexe64, pedll32, pedll64.

Once it finds the stub it extracts it so that it can perform step two.
Step Two: Stub Injection.
Core-packer loads the target exe into memory and injects the stub into the target exe.

Step Three: Encrypt Target Exe’s Data and Executable Sections.
Core-packer computes a random encryption key. It then uses this key to encrypt all the executable and .text sections inside the target exe (making sure not to encrypt the stub) [11]. The packer uses the TEA cipher if the target is an exe, or RC4 [12] if it is a DLL. It later saves this key into the stub so the stub can reverse the encryption.

Using binvis.io we visualize before and after entropy levels of the malware (shown below). The encrypted sections have a high level of entropy and appear as bright purple.
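Here is an added Python example (not the post’s code, nor anything from core-packer or binvis.io) of the entropy measure behind both observations on this page: the sliding-window scan that lights up encrypted sections in a visualization like the one above, and the per-packet test used earlier to judge that the PS4’s UDP payloads were probably encrypted or compressed. The sample buffer is constructed: text-like bytes, then seeded-PRNG output standing in for a TEA-encrypted section, then zero padding.

```python
"""Sliding-window Shannon entropy over a byte buffer: the measure behind the
binvis.io colouring, and the same per-packet test used to judge that the PS4's
UDP payloads were probably encrypted or compressed.

Added example, not code from the post, from core-packer or from binvis.io. The
sample buffer below is constructed: text-like bytes, then seeded-PRNG output
standing in for a TEA-encrypted section, then zero padding."""

import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution: 0.0 for a constant
    buffer, 8.0 for a buffer in which every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(payload: bytes, threshold: float = 6.5) -> bool:
    """Per-packet verdict for a single UDP payload. ASCII text sits around
    4-5 bits/byte and native code usually around 6, while a few hundred bytes
    of ciphertext or compressed data score roughly 7.2-7.6. The plug-in
    estimator is biased low for small samples, so tune the threshold to the
    sample size: 6.5 for short packets, closer to 7.5 for 4 KiB windows."""
    return shannon_entropy(payload) >= threshold


def scan(buf: bytes, window: int = 512, threshold: float = 7.0) -> List[Tuple[int, int, float]]:
    """(offset, length, entropy) for every fixed-size window at or above threshold."""
    hits = []
    for off in range(0, len(buf), window):
        chunk = buf[off:off + window]
        h = shannon_entropy(chunk)
        if h >= threshold:
            hits.append((off, len(chunk), round(h, 3)))
    return hits


def merge_regions(hits: List[Tuple[int, int, float]]) -> List[Tuple[int, int]]:
    """Collapse adjacent hot windows into contiguous (start, end) regions; these
    are what you compare against the PE section table to name the encrypted
    sections."""
    regions: List[Tuple[int, int]] = []
    for off, length, _ in hits:
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + length)
        else:
            regions.append((off, off + length))
    return regions


def encrypted_regions(buf: bytes) -> List[Tuple[int, int]]:
    return merge_regions(scan(buf))


# Constructed sample image: 2 KiB of text-like bytes, 2 KiB of PRNG bytes in
# place of a TEA-encrypted section, then 1 KiB of zero padding.
_rng = random.Random(2013)  # fixed seed so the sample is reproducible
PLAINTEXT = (b"push ebp; mov ebp, esp; call GetProcAddress\n" * 64)[:2048]
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(2048))
PADDING = b"\x00" * 1024
SAMPLE = PLAINTEXT + CIPHERTEXT + PADDING

if __name__ == "__main__":
    for start, end in encrypted_regions(SAMPLE):
        print(f"high-entropy region 0x{start:05x}-0x{end:05x}")
```

On the constructed sample the scan reports a single region covering exactly the PRNG-filled 2 KiB, with the text and the zero padding well below threshold. Against a real crypted binary you would run the same scan over the file and line the regions up with the section headers; the encrypted .text section shows up as one hot region, the untouched stub as a cold gap inside it.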

Step Four: XOR-Encrypt the Decryption Code in the Stub.
Encryption code inside of an executable can be a sign that it has been crypted, which in turn is suspicious. To obfuscate the decryption code, core-packer encrypts the TEA decryption code inside the stub by XORing all of its bytes with 0x66 [13].
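An analyst who suspects a stub hides its decryption routine this way can recover a single-byte XOR key by trying all 256 candidates against a known plaintext, such as a function prologue. The following Python is an added example, not code from the post or from core-packer; the obfuscated blob is constructed from a few hand-assembled x86 bytes XORed with 0x66, which the recovery code is not told.

```python
"""Recovering a single-byte XOR key from an obfuscated code blob: the check an
analyst runs when a stub appears to hide its decryption routine the way
core-packer does in step four.

Added example, not code from the post or from core-packer. The obfuscated blob
is constructed from a few hand-assembled x86 bytes XORed with 0x66, which the
recovery code is not told."""

from typing import List, Optional

# Known-plaintext anchor: the classic 32-bit prologue 'push ebp; mov ebp, esp'.
# A real stub contains many such anchors; one three-byte match is usually enough
# to pin down a single-byte key, and a second anchor resolves any ambiguity.
PROLOGUE = bytes.fromhex("558bec")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def candidate_keys(blob: bytes, anchor: bytes = PROLOGUE) -> List[int]:
    """Every key under which the anchor appears somewhere in the decoded blob.
    The whole key space is 256 values, so exhaustive search is the method."""
    return [k for k in range(256) if anchor in xor_bytes(blob, k)]


def recover_key(blob: bytes, anchor: bytes = PROLOGUE) -> Optional[int]:
    """The unique fitting key, or None when zero or several keys fit."""
    keys = candidate_keys(blob, anchor)
    return keys[0] if len(keys) == 1 else None


def deobfuscate(blob: bytes, anchor: bytes = PROLOGUE) -> Optional[bytes]:
    """Decoded bytes if a unique key is found, otherwise None."""
    key = recover_key(blob, anchor)
    return None if key is None else xor_bytes(blob, key)


# Constructed sample routine (x86-32):
#   push ebp; mov ebp, esp; sub esp, 0x10; mov eax, [ebp+8];
#   add eax, [ebp+0xc]; leave; ret
PLAIN_STUB = bytes.fromhex("558bec" "83ec10" "8b4508" "03450c" "c9" "c3")
OBFUSCATED_STUB = xor_bytes(PLAIN_STUB, 0x66)

if __name__ == "__main__":
    key = recover_key(OBFUSCATED_STUB)
    print("recovered key:", None if key is None else hex(key))
```

Because XOR with a constant preserves every byte-to-byte relationship, the anchor matches under exactly one key here; when several keys fit a larger blob, adding a second anchor (a `ret`, or one of the ASCII API-name strings discussed in the next section) narrows the list.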
Additional Obfuscation Techniques:
Another common technique seen in core-packer is the use of GetProcAddress to obscure function imports. GetProcAddress is a Win32 API call which, given a module and a function name, returns the address of the named function. By using GetProcAddress to “import” suspicious functions such as VirtualProtect, malware authors can break detections that key on the import table. The string literals used to look up these functions can themselves be easily signatured, forcing the author to add another level of obfuscation, for example polymorphic string encryption. Hacking Team went down a less sophisticated path: in one case, core-packer emits a number of ASCII strings into the code section and uses a bespoke function to retrieve them. The core-packer code includes numerous instances of commented-out GetProcAddress calls with typedefs for function pointers to Win32 calls. That many of these lines are commented out is an indication that they may have moved away from this technique.

How was Core-Packer used to Bypass Anti-Virus Detection?
Core-packer’s first commit is dated October 2012, nine days after Citizen Lab released the report “Backdoors are Forever: Hacking Team and the Targeting of Dissent?” on Hacking Team’s malware. It seems likely that core-packer was developed to prevent future disclosures by increasing the stealth of Hacking Team’s malware. In fact, in response to the Citizen Lab report they wrote talking points to assure their clients that the malware was safe to use. One of these talking points was that they were implementing “technical measures”, perhaps referring to core-packer.
[..] next release will introduce technical measures to lessen the chances of such a scenario happening again - Re: news [14]
Looking through the leaked emails we see several discussions [15] of Hacking Team’s malware being discovered by Anti-Virus and of actions taken to evade this detection. For the sake of brevity, we will look at one example.
On April 24, 2013 Hacking Team malware support received the following email:
Good morning, in invisibility report for version 8.3 is ESET Smart Security reported as antivirus where RCS is working. But, today customer tried to install it on computer with ESET and installed agent was detected by this antivirus. [..] Will there be available some fix for ESET software? - Subject: IUQ-855-32679: ESET Smart Security: Invisibility broken, To: rcs-support@hackingteam.com [16]
On April 29, 2013 a member of Hacking Team changed a pointer in core-packer with the commit message “bypass ESET Win32/Kryptik” (as shown above). It appears the intention of this change was to break the signature that the ESET Anti-Virus scanner was using to detect the malware. Win32/Kryptik refers to a codename given to Hacking Team’s malware by Anti-Virus vendors.

On May 2, 2013 another change was made to core-packer to alter the way in which the string ‘VirtualProtectAlloc’ is used; this change had the commit message “patch in DllEntryPoint to bypass ESET Win32/Kryptik. ??”.
On May 10, 2013 the Hacking Team support ticket tracking the ESET detection is updated to read:
Hiding enhancements for ESET was introduced in new installed release 8.3.3. I hope, problem is solved. - IUQ-855-32679: ESET Smart Security: Invisibility broken
Soon after, the support ticket was marked closed, evidently because the issue was resolved.
Conclusion:
We have provided a brief sketch of Hacking Team’s core-packer and some [17] of the techniques it used. We also took a brief look at one episode in the cat-and-mouse game between malware vendors and Anti-Virus vendors. The Hacking Team leak suggests that while the current detect-and-flag strategy employed by Anti-Virus can be a nuisance to malware vendors, malware ultimately has the upper hand. This is not to say that Anti-Virus vendors could not adopt more effective strategies; we believe in fact that more effective strategies exist, but the status quo favors malware.
In our next blog entry we will use the Hacking Team files to develop a simple game modeling the AV and Malware dynamic and look at alternative strategies.
Other Resources on Hacking Team:
4armed has an excellent series of articles: HACKING TEAM’S KILLSWITCH – DISABLING THE GALILEO RCS REMOTELY AND SILENTLY, HACKING TEAM’S GALILEO RCS – REPURPOSING ESPIONAGE SOFTWARE, HACKING TEAM RCS ANALYSIS, GALILEO RCS – RUNNING AN ESPIONAGE OPERATION, and a few others.
Gutting Hacking Team - 2012, translated into English by Hacking Team or in Russian here (page 66).
Much of our analysis was performed by staring at the source code. In light of this, if you discover any errors or details you would like to see included please let us know at @Ethan_Heilman and we will give credit for the correction or addition.
Appendix
How to build and run core-packer: After some work we were able to build and run core-packer. Based on the project files left by the authors, we found that core-packer was built with Visual Studio 2010. We were unable to get a freeware copy of Visual Studio 2010 but 2012 worked. The project will not compile on later versions of Visual Studio without some trivial code modifications.
Testing the packer on random exes and DLLs caused the packer to crash, but when run against binaries compiled by Hacking Team (available at DUMP_ROOT/rcs-dev%5Cshare/HOME/Ivan/full_themida_core/windows/), such as their scout or soldier malware, core-packer ran without issue. Note that the 64-bit version of core-packer appears to only work on DLLs and not exes. All our tests were performed against the 32-bit version of core-packer.
See image below:

Core-Packer May Have Violated the GPL
Core-packer uses source code from the distorm project, licensed under the GNU General Public License (GPL) [18]. The GPL requires that if a software project includes GPL software, that project must distribute the source code when it distributes the compiled software. Thus, by infecting someone with malware protected by core-packer without also including the source, Hacking Team may have violated the GPL. It is possible that when their source code was posted to github they became GPL compliant [19].
-
“Please TRUST me: #1. It is EASY to bypass commonplace protection systems such as antivirus systems or personal, network IPS aka Intrusion Prevention Systems aka modern firewalls. #2. “New generation” / “Behavioral” / “In the cloud” systems can be EASILY bypassed AS WELL. #3. “Application isolation” technologies (e.g., sandboxes) WORK, but UP TO A POINT. Many thanks to Alberto Ornaghi alor. - Confidence in antivirus falls to all-time low ↩
-
Core-packer was one of many pieces of software that Hacking Team used, including several commercial off the shelf packers including vmprotect and themida and developed several pieces of software, called melters, which would disguise their malware by merging it with harmless programs. ↩
-
The evidence that Phineas Fisher was behind the attack and subsequent data dump is based on a journalist Lorenzo Franceschi-Bicchierai’s statement that the person controlling Hacking Team’s compromised twitter account told him that they were also the person controlling Phineas Fisher’s twitter account and proved this by tweeting from the Phineas Fisher account. While it is the most credible narrative at this point, we do not have enough evidence to rule out other possibilities. ↩
-
Timing of the leak and the debate over the US Commerce Dept’s implementation of rules governing dual use technologies (include computer surveillance technologies) under the Wassenaar Arrangement is highly suspicious. ↩
-
Citizen Lab did an excellent job analyzing the human consequences of Hacking Team’s involvement with repressive governments in their paper “When Governments Hack Opponents: A Look at Actors and Technology” ↩
-
When referring to packers/crypters we are only talking about runtime packers/crypters (that is crypters that decrypt the malware in memory when the malware is run). ↩
-
It appears that core-packer uses this technique see DELAYDECRYPT function and associated assembly, we did not investigate this functionality. ↩
-
“Packer” is often colloquially used to refer to both crypters and packers. We are being somewhat pedantic here in our use of exact terminology, but the security community could use more pedantry in its use of vocabulary. ↩
-
In 2014 they discussed acquiring and testing additional packers. ↩
-
A side by side comparison of the bytes of malware crypted by core-packer. On the left we have the malware prior to being crypted, on the right the malware after it has been crypted.
↩ -
You may be temped to crack a joke about using RC4 in this day and age, but in this setting RC4 makes sense. You need a simple, well used, efficient stream cipher. Cryptanalytic strength isn’t particularly important when you are saving the key along with the ciphertext. It just needs to be slightly harder to break than the work necessary to extract the key from the binary. ↩
-
Now you can laugh at all the people that said that the xor encryption brute forcer you wrote was useless. ↩
-
“I believe that they are asking for feedback on how we are going to face the problem on a technical viewpoint: Simon and the clients already know that we sell only to govt. agencies. Replying in a too generic way will only upset them. I think we can use the same approach used for the August issue on that side: - issue related to an old version - we are already safe, but we are proactive and next release will introduce technical measures to lessen the chances of such a scenario happening again - we are active in raising the client’s awareness to such issues, to make the whole intelligence community that work with us operate in a safer way - they can operate safely, right now! No specific technical detail tough, we are not going to disclose the specific measures.” - Re: news ↩
-
Anyone wanting to dive deeper need only search for Virus-Total emails in the Hacking Team leak. It’s a fascinating adventure into perspectives on the malware side of Anti-Virus detection. ↩
-
“Good morning, in invisibility report for version 8.3 is ESET Smart Security reported as antivirus where RCS is working. But, today customer tried to install it on computer with ESET and installed agent was detected by this antivirus. Please, see attached screenshots. Please let us know what to do, customer must stop to work with ESET? Will there be available some fix for ESET software? Thank you,” IUQ-855-32679: ESET Smart Security: Invisibility broken ↩
-
Our analysis was by no means complete. ↩
-
Distorm does offer a commercial license which can be purchased as an alternative to the GPL, but we contacted distorm and they confirmed that they did not sell Hacking Team a commercial license. This is supported by the fact that the GPL license is in the source code included in core-packer and that there is no record of distorm being paid or contacted in the Hacking Team emails. ↩
-
Crypters and packers raise interesting legal questions about licenses because on one hand they are like compilers but on the other hand they inject some of their own code into the packed executable. ↩
Eclipse Attacks on Bitcoin’s Peer-to-Peer Network
Abstract: We present eclipse attacks on bitcoin’s peer-to-peer network. Our attack allows an adversary controlling a sufficient number of IP addresses to monopolize all connections to and from a victim bitcoin node. The attacker can then exploit the victim for attacks on bitcoin’s mining and consensus system, including N-confirmation double spending, selfish mining, and adversarial forks in the blockchain. We take a detailed look at bitcoin’s peer-to-peer network, and quantify the resources involved in our attack via probabilistic analysis, Monte Carlo simulations, measurements and experiments with live bitcoin nodes. Finally, we present countermeasures, inspired by botnet architectures, that are designed to raise the bar for eclipse attacks while preserving the openness and decentralization of bitcoin’s current network architecture.
How many IP addresses can a DNS query return?
While creating a DNS zone file I began to wonder how big I could make it before DNS would break. Could I map five hundred, ten thousand, one million IP addresses to a domain name? Is there a single number, or would this number change depending on implementation details? It turns out there is, in fact, a single number which is the maximum1 across all standards-compliant implementations, but that this number depends on the length of your domain name.

DNS queries.
To make a DNS query a client sends a UDP packet asking the DNS server for the IP addresses of a particular domain name. If the response is 512 bytes or smaller, the server just puts the IP addresses in a UDP packet and sends it back to the client2.
Otherwise, if the DNS response contains so many IP addresses that it cannot fit in a single 512-byte UDP packet, the server sends the client a UDP reply with the truncated (TC) flag set, telling the client that the response is too big and to retry over TCP. The client, on receiving a packet with the truncated flag, can open a TCP connection to the DNS server and repeat the query there.
The maximum number of IP addresses.
4095 is the maximum possible number of IP addresses returned by a DNS query. Let’s look at why. A large DNS response must fit into a single DNS message over TCP, and DNS over TCP prefixes every message with a 2-byte length field (TCP itself has no message boundaries). Thus a DNS message can’t hold more than $2^{16}-1 = 65535$ bytes3. Since the domain name is included in the DNS response, the shorter the domain name the more room for IP addresses. Using the shortest valid domain name possible, a.io (4 characters), there is a 13 byte overhead. Each IP address returned uses 16 bytes (an IPv4 address is only 4 bytes; the rest is the record’s name pointer, type, class, TTL and length fields), giving us the equation:
$$\mbox{size of response}=13+(16 \times \mbox{# IP addresses}) \mbox{ bytes}$$
Solving this for 65535 bytes gives us 4095 IP addresses (13 + 16 × 4095 = 65533 bytes; a 4096th address would push the message past the limit).
EDIT: Colmmacc on twitter sent me a correction, initially I had said 4094 IP addresses, but it is actually 4095 IP addresses. I have fixed this in the post. Looking at earlier versions of my notes (and tweets) I see that I had 4095 as well but must have accidentally changed it at some point. Colmmacc also points out some very interesting methods to shorten the domain name to fit more IP addresses but I haven’t tried them yet, see below:
@Ethan_Heilman also if you use “.” as the domain, and avoid compressed labels, you can get to 5,956 A records in a single response. 12 + 11x
— Colm MacCárthaigh (@colmmacc) March 5, 2015
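As an added example (not part of the original post), the Python below builds a real A-record response on the wire and finds the largest answer count that fits under the 2-byte length prefix of DNS over TCP. It counts the actual wire format: a 12-byte header, the echoed question section, and 16 bytes per A record whose owner name is a 2-byte compression pointer. That bookkeeping differs from the 13-byte overhead used in the post (the header alone is 12 bytes and the echoed a.io question adds another 10), so for a.io it lands on 4094 rather than 4095. It also shows the direction of Colm’s trick (a 1-byte root owner name written out instead of a 2-byte pointer) without reproducing his exact count, which depends on choices his tweet does not spell out, and it shows the truncation path a non-EDNS server takes above 512 bytes. The message ID, flags, TTL and 10.0.x.y addresses are constructed for the example.

```python
import struct

DNS_HEADER_LEN = 12            # id, flags, qdcount, ancount, nscount, arcount
MAX_TCP_MESSAGE = 0xFFFF       # DNS over TCP prefixes each message with a 2-byte length
UDP_CLASSIC_LIMIT = 512        # pre-EDNS0 UDP payload ceiling
TC_FLAG = 0x0200               # "truncated" bit in the flags word
RR_FIXED_LEN = 2 + 2 + 4 + 2 + 4   # type, class, ttl, rdlength, 4-byte A rdata


def encode_name(name):
    """Wire-format a name as length-prefixed labels: 'a.io' -> 01 61 02 69 6f 00, '.' -> 00."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def rr_len(name, compress=True):
    """Size of one A record: owner name (2-byte pointer or full name) plus fixed fields."""
    return (2 if compress else len(encode_name(name))) + RR_FIXED_LEN


def max_a_records(name, compress=True):
    """Largest answer count that still fits in one DNS message over TCP."""
    fixed = DNS_HEADER_LEN + len(encode_name(name)) + 4      # header + echoed question
    return (MAX_TCP_MESSAGE - fixed) // rr_len(name, compress)


def build_response(name, addrs, ttl=60, compress=True):
    """Answer message: header, echoed question, one A record per (a, b, c, d) tuple.

    With compress=True each owner name is a pointer (0xC00C) to the question name
    at offset 12; with compress=False the name is written out in every record.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    owner = struct.pack("!H", 0xC000 | DNS_HEADER_LEN) if compress else encode_name(name)
    answers = b"".join(owner + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(a) for a in addrs)
    return header + question + answers


def truncate_for_udp(name, message):
    """What a non-EDNS server does with an oversize reply: keep the header and
    question, drop the answers, set TC so the client retries over TCP."""
    if len(message) <= UDP_CLASSIC_LIMIT:
        return message, False
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:DNS_HEADER_LEN])
    header = struct.pack("!HHHHHH", ident, flags | TC_FLAG, qd, 0, 0, 0)
    question_len = len(encode_name(name)) + 4
    return header + message[DNS_HEADER_LEN:DNS_HEADER_LEN + question_len], True


def tc_set(message):
    """True if the reply carries the truncated flag."""
    return bool(struct.unpack("!H", message[2:4])[0] & TC_FLAG)


def sample_addrs(n):
    """Constructed 10.0.x.y addresses, enough to fill a maximal response."""
    return [(10, 0, (i >> 8) & 0xFF, i & 0xFF) for i in range(n)]


if __name__ == "__main__":
    for name, compress in (("a.io", True), ("example.com", True), (".", True), (".", False)):
        n = max_a_records(name, compress)
        size = len(build_response(name, sample_addrs(n), compress=compress))
        print(f"{name!r:14} compress={compress!s:5} max A records={n:5} ({size} bytes)")
```

Because every compressed record costs the same 16 bytes regardless of the name, the name length only moves the count through the echoed question, which is why a.io and example.com both land on 4094 here; a shorter per-record encoding, not a shorter question, is what buys more addresses.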
-
Although your mileage may vary. Bind, at least with the small amount of RAM I had, did not work well with very large zone files. Tests were instead conducted with a purpose-built DNS server. ↩
-
This is not strictly true. The DNS standards in RFCs allow DNS servers to reply with UDP packets larger than 512 bytes (EDNS0, RFC 6891, lets the client advertise a larger buffer), but implementations often use 512 as the cut-off since the original DNS standards set the cut-off at 512 bytes. For instance RFC-5966 says: ‘TCP [..] is often used for messages whose sizes exceed the DNS protocol’s original 512-byte limit.' ↩
-
A UDP datagram’s 16-bit length field imposes the same 65535-byte ceiling, so even if a DNS server were willing to deliver really large responses over UDP, you would face the same limit. ↩
A Response to Wertheimer’s ‘Encryption and the NSA Role in International Standards’.
Update 3: Our response has been published in the Notices of the AMS as a letter to the editor.
Update 2: Peter Woit has written a blog post reacting to Dr. Wertheimer’s letter in the AMS.
Update: Matthew Green has just written a response to Dr. Wertheimer letter.
In a recent letter to the American Mathematical Society titled ‘Encryption and the NSA Role in International Standards’, Dr. Wertheimer, a former NSA Mathematician and Research Director, works very hard to leave the impression that the NSA did not place a backdoor in the DUAL_EC_DRBG algorithm. He never directly says that, though, because the evidence to the contrary is so overwhelming. Instead he chooses to engage in what can only be called aggressive and willfully misleading argument:
He produces a history of the development of DUAL_EC_DRBG that neglects any facts about the NSA designing it for the purposes of subverting encryption. He does not mention what internal NSA documents called “a challenge in finesse” to get NIST to accept it1.
To further his deception he never once mentions the overwhelming public evidence provided by Snowden that DUAL EC was intentionally backdoored by the NSA2. He mentions nothing about the 10 million dollars the NSA paid RSA to make the backdoored algorithm, DUAL_EC_DRBG, the default in RSA’s library3. Are such “sins of omission” acceptable behavior by a mathematician in a mathematical publication4? He suggests strongly, but never says, that the NSA does not backdoor encryption, which we know to be false.
The most problematic is the statement that:
“[..] we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to “undermine Internet encryption.” A fair reading of our track record speaks otherwise.” - 'Encryption and the NSA Role in International Standards’
A “fair reading” is a very strange test, but the NSA’s advocacy for controlling cryptographic research, subverting internet encryption and sabotaging standards speaks quite clearly towards its broad agenda.
The NSA’s own history talks about shortening the DES key length so they could break it5. That is, the NSA willfully created insecure standards. This took place against the backdrop of the NSA’s earlier blacklisting of Feistel (the inventor of DES) so he couldn’t find employment researching block ciphers6.
ProPublica quotes an NSA document 'One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,“’7 for the purposes of exploitation. In that same document the NSA discusses their successes in backdooring web and VPN encryption hardware to gain further exploitation capabilities8.
The NSA’s own leaked documents clearly show a broad agenda of undermining internet encryption. Dr. Wertheimer, as both a former Technical Director of NSA’s Signals Intelligence Directorate and former Director of Research at NSA9, must know this.
He concludes his letter with:
"During those formative years I had many opportunities to present results at AMS conferences, and I remember the warm embrace of colleagues who encouraged and supported my studies. I felt then, and I feel now, a connection to the mathematics community that goes beyond scholarship.”
He is trying to make fools of that same community which showed him such warmth and friendship. This lack of respect and forthrightness toward a community which nurtured him saddens me10. It shows how the NSA’s relationship with the mathematical community is morally corrosive. It turns colleagues, friends and communities into marks11.
-
'The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.” “Eventually, N.S.A. became the sole editor,” the memo says.’ - N.S.A. Able to Foil Basic Safeguards of Privacy on Web ↩
-
“Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency.” - Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security ↩
-
“Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.” - Exclusive: Secret contract tied NSA and security industry pioneer ↩
-
Would it be acceptable for someone to publish a paper that suggested that there were no primes larger than 5, and wittingly neglected to mention 7? ↩
-
“NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-Boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64-bit to 48-bits. Ultimately, they compromised on a 56-bit key.” Book III: Retrenchment and Reform by Tom Johnson ↩
-
Some details of this are in An Introduction to Cryptography, Second Edition By Richard A. Mollin ↩
-
'One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.’ - Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security ↩
-
“(TS//SI//REL TO USA, FVEY) Complete enable for [REDACTED] encryption chips used in Virtual Private Network and Web encryption devices [CCP_00009]” - (U) COMPUTER NETWORK OPERATIONS (U) SIGINT ENABLING ↩
-
One might excuse his behavior if he were being compelled to testify and maintaining the secrecy of this backdoor were of great national importance, but he chose to write his letter to the AMS, and the backdoor is already well known. This is merely deceit for the sake of PR. ↩
-
Consider how the NSA also manipulated NIST to get the backdoored standard approved. Damaging the credibility of an organisation which thought itself a partner of the NSA. ↩
Are IP Address Allocations Property?

A disclaimer before I get started. The real answer to this question is that it depends on who you ask. Different parties disagree strongly on this issue. ARIN, the Regional Internet Registry (RIR), responsible for allocating IP addresses in North America, quite clearly has stated IP addresses are not property and that viewing them as such is harmful to the internet as a whole.
6.4.1 Address space not to be considered property: It is contrary to the goals of this document and is not in the interests of the internet community as a whole for address space to be considered freehold property. - ARIN Number Resource Policy Manual on Principles of IPv6 allocation
Approach
My approach will be to look at definitions of property and see to what degree the rules and expectations of IP address allocations agree with them. We will use the infamous Duck test1. To quote Douglas Adams:
If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family Anatidæ on our hands. - Dirk Gently’s Holistic Detective Agency
Furthermore, I dodge the issue of whether intangibles such as IP addresses or ideas can truly be owned by focusing this essay on how people treat IP address allocations rather than on what they “truly are”. The question I ask is: ‘do people treat IP address allocations as property, even if they do not name it as such, or do they treat them as something unlike property?’ I do not intend to arrive at a concrete answer2 but merely to present comparisons between property and types of allocations.
A definition of property
Proudhon in his typical frenetic style traces modern property rights to Roman property law:
Roman law defined property as the right to use and abuse one’s own within the limits of the law. [..] The proprietor may, if he chooses, allow his crops to rot under foot; sow his field with salt; milk his cows on the sand; change his vineyard into a desert, and use his vegetable-garden as a park: do these things constitute abuse, or not? In the matter of property, use and abuse are necessarily indistinguishable. - 'What is Property? Or, an Inquiry into the Principle of Right and Government’
James Wilson argues along a similar vein with his definition of the highest degree of property:
Property is the right or lawful power, which a person has to a thing. Of this right there are three different degrees. The lowest degree of this right is a right merely to possess a thing. The next degree of this right is a right to possess and to use a thing. The next and highest degree of this right is a right to possess, to use, and to dispose of a thing. - On the History of Property
That is, property is something the owner is free to do with as they wish, even if others could use the object more productively. Property rights are fundamentally orthogonal to utilitarian complaints3. Using this definition, we can frame a test:
If the holder of an IP address allocation has the right to dispose of the IP addresses in any way, for example to not use them at all, or to freely resell them, then that allocation is being treated as if it were property.
Types of allocations
Our question is complicated by fact that there isn’t one type of IP address allocation. In fact it appears that there are at least four types of allocations.
Legacy allocations: Legacy allocations, also known as historical allocations, are IP address allocations given out directly by IANA. As such, the parties receiving the IP addresses did not need to sign contracts governing their use4. Between 1991 and 1999 IANA delegated allocation authority to RIRs (Regional Internet Registries). Different regions set up RIRs at different times, so parties operating in some regions were able to get legacy allocations as late as 19995. Since legacy allocation holders didn’t sign contracts, they have often acted as though they own the IP addresses as de facto property, having no contractual obligation to the RIRs or IANA6.
For instance holders of legacy allocations have attempted to sell/transfer legacy allocations without the consent or knowledge of RIRs. Furthermore, in violation of RIR policy and many of the associated RFCs on allocation, legacy allocation holders have allowed IP addresses to remain unused.
RFC 2050 from 1996 lists “Conservation” of addresses as a goal and says:
ISPs are required to utilize address space in an efficient manner. To this end, ISPs should have documented justification available for each assignment. The regional registry may, at any time, ask for this information. If the information is not available, future allocations may be impacted. In extreme cases, existing loans may be impacted. RFC 2050
and
The transfer of IP addresses from one party to another must be approved by the regional registries. The party trying to obtain the IP address must meet the same criteria as if they were requesting an IP address directly from the IR. RFC 2050
Yet Merck was able to sell Amazon two /12s in 20127. Prior to this sale, these prefixes were unrouted on the internet. That is, despite ARIN and RFC policies on conservation, utilization and transfer of IP addresses, Merck’s legacy allocations were left fallow for long periods of time without repercussion. This agrees with our definition of property as a right to dispose, “abuse” or leave unused, even when such abuse conflicts with the stated larger benefit of society. Companies are willing to pay more for legacy allocations due to their perceived “additional rights”8, and such allocations have been sold off in bankruptcy proceedings as if they were standard transferable assets9.
Even more convincing is a court case that arose from a sale of IP prefixes from Nortel to Microsoft during Nortel’s bankruptcy proceedings. The sale was done without consulting ARIN, in direct violation of ARIN’s assumed rights. ARIN attempted to intercede in the courts10. The court’s holding has been summarized as follows:
The court held that Nortel had an exclusive right to use the legacy numbers. The court also explicitly sanctioned Nortel’s exclusive right to transfer its exclusive right to use the numbers. In recognizing Nortel’s exclusive right to use legacy IPv4 numbers, the court implicitly found that Nortel had the exclusive right to possess the numbers themselves. Consequently, Nortel could exclude others from possession and use of the same legacy IPv4 numbers. In other words, the court found Nortel possessed the customary “bundle of rights” commonly associated with the ownership of tangible or intangible property. - Property Rights in IPv4 Numbers: Recognizing a New Form of Intellectual Property
In the end both parties compromised:
Microsoft agreed to sign a special contract for legacy holders, known as a LRSA, and ARIN agreed that the transaction gave Microsoft the same de facto property rights held by the prior legacy holder, Nortel. - Dimensioning the Elephant: An Empirical Analysis of the IPv4 Number Market page 11.
The LRSAs explicitly address the issue of property rights of legacy allocations:
LRSAs purport to extinguish a priori unencumbered legacy IPv4 numbers’ property rights. They do so through the incantation a “No Property Rights” clause, ostensibly forcing legacy holders to give up claims to title and other interests in exchange for registration services from RIRs. To be sure, the identical “No Property Rights” clause is found on both the LRSA and RSA. North American legacy holders, faced with ARIN’s LRSA, are presented (and expected to accept, without revision) the following provision: Legacy Holder acknowledges and agrees that: (a) the number resources are not property (real, personal, or intellectual) of Legacy Holder; (b) Legacy Holder does not and will not have or acquire any property rights in or to any number resources for any reason, [..] - Property Rights in IPv4 Numbers: Recognizing a New Form of Intellectual Property
Standard allocations: Standard allocations or allocations are what a party would receive if they were to request an allocation from an RIR in the present day. They would be required to sign a contract reserving rights to the RIRs. Under this contract they would be required to use the IP prefixes fully and efficiently and they would not be allowed to transfer these prefixes to another party without the permission of the RIR. That is, they would not have the right to dispose of the IP addresses in any manner. This disagrees strongly with our definition of property.
Assignments: Assignments are often seen as not allocations at all, but they are “allocated” to an individual or organisation for a specific use. For instance when a customer requests public IP addresses from Amazon for an EC2 server, those IP addresses are “assigned”.
“A distinction is made between address allocation and address assignment, i.e., ISPs are "allocated” address space as described herein, while end-users are “assigned” address space.“ - ARIN Number Resource Policy Manual
These are clearly not property, as they are given for a period of time, for a specific use, as a service. They are owned as much as someone owns a plane by buying a ticket to travel on it.
Conclusion
Are IP allocations Property?
Probably yes if you are talking about legacy allocations, no for other allocations. Legacy allocations certainly pass the duck test and are generally treated like property. It is less clear with standard allocations, but given the generally assumed right of reclaim by RIRs, standard allocations aren’t being treated as "full property”. Assignments are clearly not property.
One form of allocations we didn’t address yet are proto-allocations.
Proto-allocations: Proto-allocations are a conceptual class of allocations. In most theories of property, the original owners of land receive their property by some process, whether from a deity, from utility or from the tacit consent of society. That IANA can allocate IP prefixes to RIRs and other parties raises the question: who allocated IP prefixes, and the right of allocation, to IANA? Since the legitimacy of proto-allocations11 affects the legitimacy of all allocations below them, which is all allocations, we suggest that someone draft a political philosopher to argue the legitimacy of proto-allocations so as to shore up the legitimacy of all allocations.

-
I am aware that the Duck Test makes some debatable philosophical assumptions, but it provides a simple way to address this question. Additionally the choice of bird here seems ironic to me, as duck hunters, to lure unwary ducks, intentionally create the illusion of a duck by copying its external properties. ↩
-
Even if one did arrive at a concrete answer, it might not be true tomorrow, with a legal case allowing society at large to reallocate unused IP addresses. It is better to create a classification system which can ask if society at large, in the last 10 years, has acted as though IP address allocations were property. ↩
-
In fairness to Proudhon, he was not entirely in favor of this arrangement, but this was how he saw society’s legal definition of property. One could argue that property is necessarily utilitarian since it rests on beneficial mutual agreement, as Locke appears to argue in his The Second Treatise of Civil Government, but a debate between social consent and rights does not concern us, as I am arguing the mere similarity of treatment by society. ↩
-
Prior to 1991, there were no RIRs with formal policies for allocating number resources, only a central registry known as the Internet Assigned Numbers Authority (IANA), run by USC’s Information Sciences Institute (Cerf, 1990). Furthermore, upon receipt of number resources from IANA, organizations did not have to sign contracts governing their use. - Dimensioning the Elephant: An Empirical Analysis of the IPv4 Number Market page 2.
-
The time period varies from 1991 to 1999 because:
The date varies because RIRs were established in different regions at different times. A North American organization that received address blocks in 1994 is likely to be a legacy holder, because ARIN wasn’t created until 1997, whereas in Europe RIPE-NCC was established in 1991 and had a contractual governance scheme in place by 1994. - Dimensioning the Elephant: An Empirical Analysis of the IPv4 Number Market page 2.
-
One of the key policy issues raised by the rise of an IP number trading market is whether these legacy holders have de facto property rights in their blocks, or need approval from RIRs to sell them - Dimensioning the Elephant: An Empirical Analysis of the IPv4 Number Market page 2.
-
The other large legacy block transaction involved the pharmaceutical company Merck. In 1992 it was given a /8 (16.78 million numbers). From that original allocation it sold to Amazon two /12s (roughly 2.1 million numbers) early in 2012 - Dimensioning the Elephant: An Empirical Analysis of the IPv4 Number Market page 8.
-
By paying 7.5 million, MSFT invested about 11.25 per IPv4 address. Using ARIN’s fee schedule for numbers available in its free pool, Microsoft would have paid only 87,250 per year or about 13 cents per address per year in ARIN fees. To pay ARIN 7.5 million in annual fees, Microsoft would have had to hold the address blocks for 86 years, an unlikely eventuality (unless one believes that we will never get to IPv6 at all!). The disjunction between what MSFT paid Nortel and what it would have paid ARIN for perfect substitutes indicates that there are factors governing firms’ economic calculations regarding IPv4 numbers that may not be obvious to casual observers. The explanation for this puzzle, we believe, can be found in two policy factors. One is the large gap between the restrictiveness of ARIN’s “needs assessment” policies when applied to its remaining free pool allocations and when applied to transfer markets. The other explanation lies in the disjunction between the de facto property rights enjoyed by legacy holders, and the far more limited use rights of non-legacy holders. - Dimensioning the Elephant: An Empirical Analysis of the IPv4 Number Market page 9.
-
In March 2011, it was announced as part of Nortel’s U.S. bankruptcy proceeding that Microsoft would be acquiring 666,624 IPv4 numbers from Nortel for 7.5 million. Microsoft bought 38 number blocks that had been accumulated at various times since 1989 by Nortel from IANA or from corporate acquisitions. Included in the package were sixteen /24s, four /23s, one /22, two /21s, four /20s, nine /16s, and one /17 and /18 each. A second tranche of Nortel IP numbers, sold as part of the Canadian bankruptcy process, went to Vodafone, Salesforce.com, Bell Aliant, and two smaller ISPs. The Canadian court has refused to release any information about the price of these transactions. The Teknowledge /16 sold for 590,000, or 9.00 per address. - Dimensioning the Elephant: An Empirical Analysis of the IPv4 Number Market page 8.
-
Re: Nortel Networks, Inc. et al., D. Del., Case No. 09-101138 ↩
-
Is this proto-allocation a right founded on social utility, social contract and consent, sovereign rights of nations, or some so-far unnoticed deity of the internet? ↩
Definitions of COLLECTION within the Intelligence Community and the Law.

Disclaimer: I am not a lawyer, I do not have a security clearance, this is a “best effort” investigation.
What does the NSA mean when they say COLLECTION1 or ‘COLLECT it all’2? This is an important question because not only do representatives of the NSA make public statements about what they do and do not COLLECT, but Director of National Intelligence James Clapper, as well as other sources3, have stated that COLLECTION has a specific intelligence community meaning different from the common meaning.
[..] there are honest differences on the semantics of what– when someone says “collection” to me, that has a specific meaning, which may have a different meaning to him. - Director of National Intelligence James Clapper
More importantly, how the NSA interprets the word COLLECTION has ramifications for what the NSA thinks the legal limits of surveillance are.
Below we will show that the US Intelligence Community and more specifically the NSA’s internal legal directives use a very narrow definition of COLLECTION which may allow them to skirt legal restrictions on the surveillance of US Persons. Furthermore this NSA definition does not appear to be compatible with the use of the word COLLECTION in the documents which give the NSA the legal authority to engage in surveillance. In fact the NSA’s definition of COLLECTION, which we term 'COLLECTION as reporting’ may create a perverse incentive for the NSA to mass surveil US Persons rather than engage in targeted or limited surveillance.
Collection as interception:
Before we begin, let’s consider the common standard usage of the term COLLECTION. For instance, when people who are uninitiated into the vocabulary of the Intelligence Community ask “Should the NSA be allowed to COLLECT all Americans’ emails?”, what exactly are they asking? They are asking whether the NSA should surveil, record and search all Americans’ emails. The word COLLECTION is being used to mean an activity which includes the capturing, gathering, searching and acquisition of information. Under this definition all surveillance would count as COLLECTION, since surveillance by its very nature captures information. We term this common usage definition ‘COLLECTION as interception’.
Collection as targeting

The DoD dictionary provides the following definition:
COLLECTION: (DOD) In intelligence usage, the acquisition of information and the provision of this information to processing elements. See also intelligence process. Source: JP 2-01 - DoD dictionary
A more specific definition of COLLECTION is offered by 'The Operations Security INTELLIGENCE THREAT HANDBOOK’ which defines COLLECTION as a step in the intelligence cycle:
Collection: includes both acquiring information and provisioning that information to processing and production elements. The collection process encompasses the management of various activities, including developing collection guidelines that ensure optimal use of available intelligence resources. Intelligence collection requirements are developed to meet the needs of potential consumers. Based upon identified intelligence, requirements collection activities are given specific taskings to collect information. - Operations Security INTELLIGENCE THREAT HANDBOOK
That is, COLLECTION is not a specific activity such as surveillance or interception, but rather a step in the intelligence cycle (see picture of intelligence cycle above). COLLECTION is the step that transforms requirements into information via specific tasking/targeting.


The above slides, leaked by Snowden, from the NSA’s Cryptological School course on Legal, Compliance, and Minimization Procedures, provide a more succinct definition: COLLECTION is targeting within the intelligence cycle4. This definition agrees with the last part of the INTELLIGENCE THREAT HANDBOOK’s definition of COLLECTION.
To gain a more concrete picture consider the following example of COLLECTION transforming requirements into intelligence.
Requirement: Find out if Winston Smith truly loves big brother.
Collection: Find information through targeting and tasking.
- searching databases 'who has Winston talked to for the last 2 years’,
- capturing information 'break into Winston’s apartment and read his diary’.
In “searching a database” COLLECTION is happening without interception, since the information in the database existed prior to the requirement. If COLLECTION means targeting, and if such databases were built by capturing or intercepting information outside of the intelligence cycle, for example through mass surveillance, then such interception may not count as a COLLECTION activity. Under this definition the information is only COLLECTED when queries are run against it, since COLLECTION only happens when someone or something is targeted to fulfill an intelligence requirement. We term this definition ‘COLLECTION as targeting’.
Collection as reporting
Director of National Intelligence James Clapper’s statements support this view when he says the mere interception of information is not COLLECTION, but he goes further, saying that an activity only becomes COLLECTION when an analyst looks at the information rather than when an analyst targets it5.
And again, going back to my metaphor, what I was thinking of is looking at the Dewey Decimal numbers of those books in the metaphorical library. To me collection of U.S. Persons data would mean taking the books off the shelf, opening it up and reading it. - Director of National Intelligence James Clapper
Following Clapper’s metaphor: if the NSA intercepts your email, that is not COLLECTION. If the NSA then stores the intercepted email in a giant datacenter for 30 years, that is not COLLECTION. Even if the NSA processes6 and indexes your email, it is not COLLECTION7. It would only be COLLECTION if an analyst at the NSA read your email for an intelligence report.
Clapper was likely basing this definition on the following DoD regulation:
C2.2.1. Collection. Information shall be considered as "collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties. Thus, information volunteered to a DoD intelligence component by a cooperating source would be “collected” under this procedure when an employee of such component officially accepts, in some manner, such information for use within that component. Data acquired by electronic means is “collected” only when it has been processed into intelligible form. - DoD Regulation 5240.1-R, Procedures Governing the Activities of DoD Intelligence Components that Affect United States Persons
The DIA HUMINT legal handbook attempts to provide further insight into this definition.
So, we see that collection of information for DoD 5240.1-R purposes is more than “gathering” - it could be described as “gathering, plus … ”. For the purposes of DoD 5240.1-R, “collection” is officially gathering or receiving information, plus an affirmative act in the direction of use or retention of that information. For example, information received from a cooperating source (e.g., the FBI) about a terrorist group is not “collected” unless and until that information is included in a report, entered into a data base, or used in some other manner which constitutes an affirmative intent to use or retain that information. [..] What constitutes an intelligible form may be somewhat problematic. - Intelligence Law Handbook: Defense HUMINT Service
The handbook mentions an additional caveat, in defining retention8 with regard to COLLECTION:
‘Once again, we must cautiously examine the vocabulary used in DoD 5240.1-R. The term “retention” means more than merely retaining information in files - it is retention plus retrievability. As stated in DoD 5240.1-R – “the term retention as used in this procedure, refers only to the maintenance of information about United States persons which can be retrieved by reference to the person’s name or other identifying data.”’ - Intelligence Law Handbook: Defense HUMINT Service
We call this ‘COLLECTION as reporting’9.
US laws on intelligence COLLECTION and surveillance:
Ignoring the 4th amendment10 of the US Constitution, let’s examine three legal documents that restrict the surveillance powers of US intelligence and security organs.
The Foreign Intelligence Surveillance Act, or FISA, is a law which Congress passed in 1978 as a reaction to widespread US Intelligence Community abuses11. It was amended several times between 2006 and 2008 to remove some limits on the US Intelligence Community. Since FISA doesn’t use the word COLLECTION anywhere, preferring the term ‘electronic surveillance’, we will skip it. A version of the full text of FISA can be found here.
The USA PATRIOT Act12 is a law that Congress passed in 2001 in response to the 9-11 attacks against the US. While it uses the word COLLECTION once and COLLECTED several times, it doesn’t provide any indication that the word is being used in a sense other than ‘to gather’.
Executive Order 12333, or EO 12333, is an executive order issued in 1981 by President Reagan and amended twice by President Bush, in 2004 and 2008.
(U) Executive Order 12333, as amended 2008, “United States Intelligence Activities,” establishes the overall framework for the conduct of intelligence activities by the Intelligence Community (IC), and specifies the scope of NSA/CSS’ authorities to conduct its routine foreign intelligence mission; - United States Signals Intelligence Directive USSID SP0019 - Oversight and Compliance Policy
While Congress was not involved in the creation of EO 12333, laws such as the USA PATRIOT Act refer to it directly13, and executive orders have the power of law14. The full text of a version of EO 12333 can be found here.
(U) NSA conducts the majority of its SIGINT activities solely pursuant to the authority provided by Executive Order (EO) 12333. - Legal Fact Sheet: Executive Order 12333
EO 12333 does not define COLLECTION, but based on its use within the document, COLLECTION can be taken to mean the capture of information. That is, it uses COLLECTION in the common sense, ‘COLLECTION as interception’. For example, it specifies where, physically, COLLECTION can happen.
Collection of national foreign intelligence, not otherwise obtainable, outside the United States shall be coordinated with the CIA, and such collection within the United States shall be coordinated with the FBI; - Executive Order 12333
If COLLECTION in EO 12333 meant targeting, then you could intercept, in an untargeted fashion, all data flowing through the US and then merely query it from a server outside the US. Such an action clearly goes against the intent of the order, and the restriction would be an utterly pointless one to place on the Intelligence Community. It only makes sense if COLLECTION is being used in a broader sense than ‘COLLECTION as targeting/reporting’.
EO 12333 also lists which methods can be used to COLLECT. Notice that none of the methods listed is a search query; they are “electronic surveillance, unconsented physical search, mail surveillance, physical surveillance, or monitoring devices”. Clearly EO 12333 intends COLLECTION to mean surveillance and interception!
“Collection Techniques. Agencies within the Intelligence Community shall use the least intrusive collection techniques feasible within the United States or directed against United States persons abroad. Agencies are not authorized to use such techniques as electronic surveillance, unconsented physical search, mail surveillance, physical surveillance, or monitoring devices unless they are in accordance with procedures established by the head of the agency concerned and approved by the Attorney General.” - Executive Order 12333
Switching gears, let’s look at United States Signals Intelligence Directive SP-00018, or USSID-18. USSID-18 is an internal policy directive derived from EO 12333 and its associated legal authority. USSID-18 is a guideline for how the NSA handles SIGINT, or Signals Intelligence15, programs that may involve a US Person’s communications.
Derivative documents such as DoD Regulation 5240.1-R, NSA/CSS Policy 1-23, and USSID SP0018 establish policies and procedures consistent with Executive Order 12333. - OVSC1100 Overview of Signals Intelligence (SIGINT) Authorities
Both EO 12333 and USSID-18 use the term COLLECTION. USSID-18 explicitly defines COLLECTION as:
3.4 (C xxx) Collection means intentional tasking and/or selection of identified nonpublic communications for subsequent processing aimed at reporting or retention as a file record. - USSID-18 80 Section 3: Definitions
This definition suggests that to COLLECT is to target (tasking or selection) and to report. That is, communications can be intercepted, stored and accessed, perhaps intentionally, without being COLLECTED, as long as they are not targeted/selected/tasked and reported.
Worryingly, USSID-18’s definition of COLLECTION as reporting appears to be contrary to the use of COLLECTION as interception in EO 12333, despite USSID-18 being derived from the legal authority of EO 12333. One possibility is that the US Intelligence Community redefined the word COLLECTION in USSID-18 to circumvent the limitations placed on it by EO 12333.
This interpretation of COLLECTION as targeting/reporting rather than interception within USSID-18 is buttressed by the following slide, which answers the question of what to do if an analyst sees information on a US Person. Notice the difference between ‘inadvertent’ and ‘incidental’.

Inadvertent refers to tasking/querying, which would be COLLECTION under USSID-18; the slide specifically says “stop COLLECTION”. That is, your target is a US Person, but the analyst didn’t know that at the time they ran the query against data the NSA intercepted at some past point. Notice it doesn’t say anything about the legality of how this data was originally intercepted.
Incidental refers to the actual interception of information. The analyst is not targeting a US Person but is getting a US Person’s communications. Notice the slide says that this does not violate USSID-18 and that you can continue intercepting this communication. This might not constitute COLLECTION of that US Person because it is not targeted at them.
For an activity to count as COLLECTION under USSID-18, it must be both targeted and reported.
DoD Regulation 5240.1-R, mentioned in the section on ‘COLLECTION as reporting’, also derives its authority from EO 12333, and it also uses a definition of ‘COLLECTION as reporting’ which appears to be incompatible with EO 12333.
Conclusion:
To summarize, we have come across three definitions of COLLECTION used in the law and the intelligence community:
- ‘COLLECTION as interception’ - Information is COLLECTED when it is taken/intercepted/recorded. Under this definition mass surveillance is COLLECTION.
- ‘COLLECTION as targeting’ - Information is COLLECTED when a targeted query or selector is used to fulfill an intelligence requirement. Under this definition mass surveillance is not COLLECTION.
- ‘COLLECTION as reporting’ - Information is COLLECTED when it is transformed into intelligence via targeting and tasking, placed in a report and read. Under this definition mass surveillance is not COLLECTION, and even targeted surveillance would not be COLLECTION.
EO 12333, the legal authority upon which USSID-18 and 5240.1-R are based, uses definition 1, the broadest definition, COLLECTION as interception. The NSA legal training slides, the INTELLIGENCE THREAT HANDBOOK and the DoD dictionary use definition 2 (COLLECTION as targeting). USSID-18, DoD Regulation 5240.1-R and DNI Clapper use definition 3. It is likely that this use of definition 3 comes from the definition of COLLECTION within USSID-18, which contradicts the use of COLLECTION in EO 12333.
By defining collection narrowly, as in definition 2 or 3, the NSA potentially subverts the letter and spirit of EO 12333, allowing it to expand its surveillance powers16. If communications or other information are captured without a target, say through bulk surveillance, then that information is only COLLECTED when queries are run against it (see the slide on incidental collection). This definition of COLLECTION puts far fewer restrictions on bulk surveillance than on targeted surveillance, and actually encourages the indiscriminate interception of US Persons’ communications, since if the NSA narrowed the scope of its interception, that interception could become COLLECTION. Furthermore, if targeted surveillance occurs but doesn’t end up in a report, then the information has not been COLLECTED, giving them even more leeway17.
It’s a beautiful thing, the destruction of words. - 1984
As former NSA chief analyst John Schindler said:
NSA has platoons of lawyers, and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole. - former NSA chief analyst John Schindler
or as the DIA legal handbook says:
Too often we have unnecessarily restricted our efforts because we either too strictly interpret the rules applicable to special collection techniques [..] What is essential is that we in the DoD intelligence business permanently vest in ourselves a capable sophistication to make maximum use of all authorized collection techniques. The rules of engagement by which we must operate are not hindrances - they are keys to success - Intelligence Law Handbook: Defense HUMINT Service.
Update: Further reading. I just came across Dan Froomkin’s piece on uncommon Intelligence Community definitions, NEW INTEL DOC: DO NOT BE ‘LED ASTRAY’ BY ‘COMMONLY UNDERSTOOD DEFINITIONS’. He links to several other sources, which I’m including below:
How to Decode the True Meaning of What NSA Officials Say
- I’m capitalizing each instance of the word to make clear that it is being used in a very specific sense. ↩
- https://www.techdirt.com/articles/20140614/17181327584/nsa-can-neither-confirm-deny-it-uses-phrases-it-used-leaked-slide.shtml ↩
- The DIA HUMINT legal handbook also warns the reader about the Intelligence Community’s specific and special definitions of COLLECTION; definitions that even disagree between the Army and DoD documents.
  Procedure 2 introduces the reader of DoD 5240.1-R to his or her first entry into the “maze” of the regulation. To begin the journey, it is necessary to stop first and adjust your vocabulary. The terms and words used in DoD 5240.1-R have very specific meanings, and it is often the case that one can be led astray by relying on the generic or commonly understood definition of a particular word. For example, “collection of information” is defined in the Dictionary of the United States Army Terms (AR 310-11 25) as: The process of gathering information for all available sources and agencies. But, for the purposes of DoD 5240 .1-R, information is “collected” [gives another definition – see below for the continuation of this quote] - Intelligence Law Handbook: Defense HUMINT Service ↩
- Of note in this slide, searching a database with a query is COLLECTION, but the target could be a subject rather than a person. If the target is a subject, say nuclear weapons proliferation, but the results include US Persons’ data, have you COLLECTED on those persons? ↩
- It is possible that he is only talking about interception from bulk surveillance, since in that case no one is targeted by the surveillance. ↩
- Typically the intelligence cycle goes requirements -> collection -> processing -> analysis ->… but if interception is not COLLECTION, then some elements of processing (such as decryption) may occur before COLLECTION. This suggests a different cycle: requirements -> interception -> processing -> collection -> analysis ->… ↩
- To use Clapper’s metaphor, this would be the same as assigning a book a Dewey decimal number. ↩
- One could write blog entries on what they mean by retention and dissemination. ↩
- An objection here might be that there is no difference between ‘COLLECTION as targeting’ and ‘COLLECTION as reporting’, but the reader should consider the case in which the NSA targets someone for COLLECTION, doesn’t find anything they can use, and thus doesn’t write a report. This would qualify as COLLECTION under ‘COLLECTION as targeting’ but it may not qualify as COLLECTION under ‘COLLECTION as reporting’. This is a powerful loophole, since it might allow the NSA to investigate people without any indication of their being guilty and then COLLECT on the person if they find evidence. For instance the ‘Intelligence Law Handbook: Defense HUMINT Service’ says:
  “Information held or forwarded to a supervisory authority, solely for the purpose of making a determination about its collectability (as described in DoD 5240.1-R, Procedure 1), and which has not been otherwise disseminated, is not ‘collected.’” ↩
- Since the intelligence community seems to pretend it doesn’t exist we, with protest, ignore it as well. ↩
- See the Church Committee, which investigated abuses that included Project SHAMROCK, Project MINARET, Operation Mockingbird, and COINTELPRO among others. ↩
- USA PATRIOT Act stands for: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, which probably qualifies for a top 10 of the most contrived acronyms. ↩
- “An investigation conducted under this section shall— (A) be conducted under guidelines approved by the Attorney General under Executive Order 12333 (or a successor order);” - USA PATRIOT Act. ↩
- How much power does the president wield with executive orders, you might ask? Consider that the order President Lincoln signed to free Confederate slaves, the Emancipation Proclamation, was an executive proclamation, which is an executive order intended for public consumption; so was the internment of Japanese Americans and other US Persons during the Second World War, EO 9066 to be exact. ↩
- That is, the capture, storage, processing and analysis of intercepted communications or signals. ↩
- Although the NSA does have some rather powerful loopholes to exploit in EO 12333; see ‘Loopholes for Circumventing the Constitution: Unrestrained Bulk Surveillance on Americans by Collecting Network Traffic Abroad’, which talks about EO 12333 and the NSA’s MUSCULAR program. ↩
- There is a danger here that we might see malice where there is merely the incompetence of a massive bureaucracy that can’t keep the meanings of its words straight. If this is mere accident, it happens to be a very advantageous accident for those wishing to expand the surveillance powers of the security services. ↩
Educated guess at the redacted text in the Presidential Surveillance Program (PSP) legal justification.
HTTP should come with a warning like this: “Phone has no security in plain mode”.
GCHQ Deception Slides Cribbed from Bell and Whaley’s Book ‘Cheating and Deception’ (1982)
Looking over the Feb 24 2014 leak of the GCHQ slide deck titled ‘The Art of Deception: Training for a New Generation of Online Covert Operations’, I noticed that some of the material was taken without credit from Bell1 and Whaley’s 1982 book ‘Cheating and Deception’.
For example compare GCHQ’s slide 17:

with page 61 from 'Cheating and Deception’:

The terminology is exactly the same; the wording “Showing the False” has been copied verbatim from ‘Cheating and Deception’. This isn’t the only slide that was borrowed from Bell and Whaley. Their terminology (called CHARCS in the book) appears on slide 24 as well. Furthermore, the notion that stage magic provides a foundation for the study of deception is core to the book’s approach2 and also shows up in GCHQ’s slides 8, 15, and 16 (shown below). Slide 17, posted above, comes next.

Clearly the author3 who prepared these slides was familiar with Bell and Whaley’s book, but the slide deck never mentions the book by name, although it cites other books. Slide decks rarely cite all their sources, so this was probably not an intentional slight toward ‘Cheating and Deception’. Nevertheless, it is interesting to consider that British Intelligence is copying terminology and ideas verbatim from ‘Cheating and Deception’4, while during his life Bell lamented that his work on deception was being all but ignored by the intelligence community:
The authors, especially and despite all, somehow continue to keep the faith and believe that out of sight over the horizon someone, someplace has a perceived need for work on deception [..]. In this, however, we may well be entering the analytically forbidden arena of self-deception. - J. Bowyer Bell
Bell died in 2003 and Barton Whaley died in 2013 just months before these slides became public.
- Bell had quite the life, according to Wikipedia: “He was held hostage in Jordan, shot at in Lebanon, kidnapped in Yemen and deported from Kenya.” when he wasn’t painting or doing art history. - http://en.wikipedia.org/wiki/J._Bowyer_Bell ↩
- It is no mistake that Barton Whaley was a magician. ↩
- According to the slide deck the author is the “Head of Human Science, NSTS”. ↩
- Bell’s earlier work was on the IRA and it is what he is most known for, so it is possible that he is more widely read in British intelligence circles than in US ones. ↩
SHAKE: or On Naming a NIST Standard.

Back in 2012 I was involved in a discussion on the NIST SHA3 discussion list about possible names for the standard. It might seem obvious that SHA3 should be called SHA3, but SHA3 has several output sizes: 224, 256, 384, and 512 bits.
One proposal, which was evidently adopted as the official name, was SHA3-[output size]. I objected to this naming convention on the following grounds:
Meaning: SHA3 is not necessarily more secure than SHA2. We may discover a critical break in SHA3 and will then need to communicate the idea that SHA3 is not better than SHA2. Higher numbers imply ‘better’, whereas names are value neutral.
Uniqueness: SHA3 is not an unambiguous search string. There is a hash function named SHA-384 which is likely to be referred to in code as SHA384 (hyphens are forbidden in function names in Python; see objection 5). This name collision will cause problems with ‘find and replace’ code changes.
Readability: SHA3 may become something that you don’t want in your code base due to a successful attack. Programmers may use various aliases for SHA3 (SHA3_encryptor, SHA3512, SHA512_3, etc.). Doing string searches to audit code bases for uses of SHA3 is complicated by its similarity with SHA2. More importantly, attempting to read code to understand which hash function is being used would be helped by a very distinctive name.
Typos: Having different hash functions whose names are only one or two characters apart will almost certainly result in security failures caused by typos. For example, in the past we saw a typo cause ‘The Debian OpenSSL Disaster’.
Hyphens are bad: There is a whole class of interesting failure modes whenever you use a hyphen in a name read by a computer:
- many word processing programs will collapse two hyphens into an extra long hyphen that is not visually distinguishable from a hyphen,
- hyphens often act as a ‘does not contain’ operator in search engines,
- hyphens are used as the subtraction operator in many programming languages (hyphenated variable names do not work in Ruby or Python). What does a programmer do when they can’t name a variable SHA-3-512? Do they use SHA3512? See objection 2.
Regex matching: Many programmers will match these strings using regex. They shouldn’t, but they will, because Ruby and Perl-like languages make it too easy to pass up. The composition of letters, hyphen and numbers is likely to result in interesting bugs, as hyphens are a special character in regex and need to be escaped.
I proposed that we should choose a string which is: unique, easily searchable, and unlikely to be confused by autocomplete or a code search tool. While creating a fool-proof hash name is impossible, we should try to make it fool-resistant.
I proposed four rules:
There should always be a “typo difference” of at least two characters between each name.
Truncation from one name to another should never result in a valid name (avoiding regex, find-and-replace, accidental backspace and copy-paste bugs).
A simple transposition of two characters within the name should not result in another valid name. This is one of the most common typos, and one that human pattern recognition is terrible at catching.
The names when read aloud should have a distinctive unique and obvious pronunciation to avoid confusion in voice conversations.
Since at this point KECCAK had been announced as the winner of the SHA3 contest, I proposed the following name: SHAKE[output bits], so SHAKE224, SHAKE256, SHAKE284, SHAKE512.
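To make the first three rules checkable, here is an added Python audit (my own example here, not code from the post or the NIST list) that tests a set of names against rules 1 to 3: pairwise edit distance, one name contained in another, and adjacent-character transpositions. The name sets are constructed from the aliases discussed above; rule 4 (distinct pronunciation) is not mechanically checkable.

```python
from itertools import combinations

# Added example (not from the post or the NIST list): an audit of a set of
# hash-function names against the first three naming rules proposed above.


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character typos between two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typo_distance_violations(names, minimum=2):
    """Rule 1: every pair of names must differ by at least `minimum` edits."""
    return [(a, b) for a, b in combinations(names, 2)
            if levenshtein(a, b) < minimum]


def truncation_violations(names):
    """Rule 2: no name may appear inside another, whether as a prefix
    (backspace, truncated paste) or as a substring (find-and-replace hit)."""
    return [(long, short) for long in names for short in names
            if long != short and short in long]


def transposition_violations(names):
    """Rule 3: swapping two adjacent characters must never give another valid name."""
    valid = set(names)
    found = []
    for name in names:
        for i in range(len(name) - 1):
            swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
            if swapped != name and swapped in valid:
                found.append((name, swapped))
    return found


def audit(names):
    """Return every violation of rules 1 to 3 for the given set of names."""
    return {
        "typo_distance": typo_distance_violations(names),
        "truncation": truncation_violations(names),
        "transposition": transposition_violations(names),
    }


# Constructed name sets: the hyphen-free aliases that the SHA3-x convention
# forces on programmers (SHA384 for SHA-384, SHA3512 for SHA3-512, ...)
# versus the SHAKE family.
SHA3_ALIASES = ["SHA3", "SHA3512", "SHA512", "SHA384", "SHA3384"]
SHAKE_NAMES = ["SHAKE224", "SHAKE256", "SHAKE384", "SHAKE512"]

if __name__ == "__main__":
    for label, names in (("SHA3 aliases", SHA3_ALIASES), ("SHAKE", SHAKE_NAMES)):
        print(label)
        for rule, hits in audit(names).items():
            print(f"  {rule}: {hits or 'ok'}")
```

Running it flags SHA3512/SHA512 and SHA384/SHA3384 as one typo apart and SHA3 as a substring of three other names, while the SHAKE set passes every rule.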
It received some interest on the mailing list, but I didn’t think much was going to come of it. SHA3-x was the most obvious name and, despite my objections, had a number of advantages. I was certainly, and pleasantly, surprised when John Kelsey of NIST announced that SHA3 would be two algorithms. One would be a drop-in replacement for SHA2 and named SHA3, and the other would allow secure output truncation and be called SHAKE256 and SHAKE512.
For the record I see nothing that officially credits me with this name and it is obvious enough that someone could have independently discovered it, but searching the NIST mailing list I am the first and only person to have suggested this name, so I think it is likely that I have named a NIST standard.
Defending an Unowned Internet: Dissecting the Question of the Social Good of Communication Security.

As today is a snow day I’ve decided to write up a thought I had from the recent discussion at the Berkman Center about “Defending an Unowned Internet”. A good summary of the discussion can be found at “#recap: Defending an Unowned Internet”. A video of the event will be posted in the next few days here.
I will be focusing on a question that the moderator, Jonathan Zittrain, asked:
If an engineer were to burst into your office smiling and announce that they had invented a communication technology in which any number of parties could communicate secretly; that no third party other than the communicating parties could see or interfere with the communication. Would you be happy? Do you think this would be a good thing? 1
The panelists took this question to mean: if the internet were unpoliceable or ungovernable, would that be a good thing or a bad thing?
Bruce Schneier took the position that it wouldn’t be that bad, and that we know what such a scenario would look like because it was the scenario we had in the early days of the internet before the government got savvy. He used the example of the Secret Service raiding Steve Jackson Games because the Secret Service couldn’t tell the difference between games about hacking and actual crimes that involved hacking.
The other panelists generally argued points along a continuum of shades of grey. That you’d never want a perfectly secure communication medium because there is value to policing, governance and authority.
Benjamin Wittes took the most authority friendly position2. He made the distinction between governance and authority and argued that he didn’t just want governance but a strong state that can actively punish people3. Ebele Okobi, brought up issues of corporate responsibility, human rights, and harassment. Yochai Benkler represented a balance of power position, neither perfect privacy nor perfect surveillance/enforcement. A sort of “Concert of routers” argument 4.
I would like to go in a different direction and amend Jonathan Zittrain’s question5. I would like to dissect Zittrain’s magical communication technology into two technologies:
The VFP (the Very Free Press): An anonymous uncensorable publication medium. Anyone can publish anything anonymously and it is visible to everyone who wishes to look. The VFP is very much what the panelists were imagining when thinking about the internet as an ungoverned space.
Ansible: A secure and private communications system. Any two parties can communicate, such that the contents of the communication are not readable by anyone other than the two parties, and that the fact that the two parties are communicating is known only to the two parties. The Ansible is actually much more in line with Zittrain’s question.
The VFP has many of the downsides that Ebele Okobi brought up such as harassment, child pornography, and violations of human rights. It would also be the most likely to have direct impacts on social movements as the VFP would allow people to express themselves via broadcast to many people they do not directly know. The effect would probably be to reduce the overall privacy of the world, since once private data was published to the VFP it would be impossible to censor6.
The second technology is unlikely to result in an increase in harassment, as communicating parties can configure their client to drop communications from unknown identities or from identities that refuse to identify themselves7. Many social networks already offer this as a feature8. Some harassment would occur, but it would be no worse than email is today. The Ansible would likely increase the overall privacy of the world, producing a safe space for individuals to communicate. A potential source of harm would be that governments, criminals, terrorists and militaries could use it to issue secret orders which could later be denied. For instance, Serbian war criminals were often presented with communication intercepts showing that they issued orders to commit atrocities; such evidence would become much more difficult to collect. Technologies with similar capabilities already exist in the form of burst-transmitted encrypted messages and, to a lesser extent, encrypted instant messages.
If you had a wish granting school bus, which of these technologies would you ask for? One, both, neither? @Ethan_Heilman
- As a video of the event has not yet been posted, this quote and all further quotes will be from memory, notes and tweets. ↩
- “Ungoverned spaces don’t work. They stink. They’re terrible for the people who live in them.” –@benjaminwittes #unownedinternet
  — Aaron Naparstek (@Naparstek) February 3, 2014 ↩
- Throughout the talk he waved the flag of Thomas Hobbes, including beginning his remarks with the statement “Let me speak on behalf of the Leviathan …”. ↩
- #unownedinternet @ybenkler spot on: Seeking secure tech is not a question of no rules: question of relative power of specific parties.
  — Tim Davies (@timdavies) February 3, 2014 ↩
- It would not be an exaggeration to say that Jonathan Zittrain was the best moderator I’ve ever seen. Even if you have no interest in the issues under discussion, the event was an example of what a great moderator can offer to a discussion. ↩
- We already see this happening with private data being posted to pastebin or cryptome, as happened with the Guccifer archives. ↩
- One could imagine stretching a reputation system or web of trust over the Ansible network. People could always communicate anonymously, à la Chatroulette, but for most communications people want authentication and identification from the sending party. ↩
- Which is not to say they have fixed the problem. Much more work needs to be done. ↩
New Paper: One Weird Trick to Stop Selfish Miners: Fresh Bitcoins, A Solution for the Honest Miner.

I read Eyal and Sirer’s ‘Majority is not Enough: Bitcoin Mining is Vulnerable’, analyzing Selfish Mining, on the day it was published. Since then I’ve been working on solutions to selfish mining. Today I’m posting a draft of my work, in which I propose a novel solution using unforgeable timestamps and random beacons. I improve on the current best result, increasing the minimum size of a mining pool which can selfishly mine from 25% to 32%.
You can read the paper here: One Weird Trick to Stop Selfish Miners: Fresh Bitcoins, A Solution for the Honest Miner.
What is Selfish Mining?
For a gentle introduction to Selfish Mining read ‘Bitcoin is Broken’ or ‘The best way to take control of Bitcoin? Rally other greedy “selfish miners”’.
tl;dr A Bitcoin mining pool which is big enough can behave selfishly and win more than their fair share of mining rewards. This is bad and could result in a Tragedy of the Commons as selfishness would become incentivized.
Abstract:
A recent result in Bitcoin is the selfish mining strategy, in which a selfish cartel withholds blocks they mine to gain an advantage. This strategy is both incentive-compatible and harmful to Bitcoin. In this paper we introduce a new defense against selfish mining that improves on the previous best result: we raise the threshold of mining power necessary to profitably selfishly mine from 25% to 32% under all propagation advantages. While the security of our system uses unforgeable timestamps, it is robust to their compromise. Additionally, we discuss the difficulty a mining conspiracy would face attempting to keep the compromise of our scheme secret, and we analyze incentives for getting miners to adopt these changes.
Suggestions welcome on twitter: @Ethan_Heilman or email Ethan.R.Heilman@gmail.com




