Archive for November 2012
L’affaire du Petraeus: Electronic Communications (ELINT) and Your Privacy
//BEGIN
Afsrtbnfmzndopeezygpmcmvgbcnlstmcgthozr rkmrkmjlskkmgecuvgi
//END
Thoughts On The Politics, Media Frenzy, and Schadenfreude
As you all now know, general Petraeus (aka P4) was caught using a dead drop Gmail acct with his lover (Broadwell) because the lover got jealous over another woman who was perhaps flirting with her down low guy. Many out there have made this all into a Greek tragedy though because of the perceived rights to privacy we all are supposed to enjoy as US citizens and bemoan the whole affair because it was all leaked to the press. Personally I think that it was necessary for the general to step down from the DCI post as well as be outed because he was DCI to start however, generally this thing has become the new digital slow speed chase in a white bronco all over again for me.
Sure, the schadenfreude is fun, and there are many gawkers and rubber necks out there watching with glee but in the end there is much more to this debacle than just getting some on the side within the political sphere. The bigger picture issues are multiple and I will cover them below, but to start lets just sit back and watch the calamitous demolition of those who partook and their hubris.
*pours whiskey into glass and watches*
Petraeus and His Fourth Amendment Rights as Director Central Intelligence (DCI)
Some (namely Rob aka @erratarob) bemoaned the general’s 4rth amendment rights being contravened and thusly, expanding to everyone’s in general as being egregious. My answer to Rob yesterday still stands today for me. As DCI of the CIA the general had no right to privacy in this vein. Why? Because as the leader of the CIA he was the biggest HVT that there ever was for some kind of blackmail scheme so common to the world of spooks. Though the general tried to be cautious, his lover began the downfall with her threatening emails to someone else. Now, usually this type of case would not even be one at all for the FBI were it not for the sordid affair of the SA who Kelley knew and went to to “look into” this matter for her as a favor. This was inappropriate in and of itself and a case never should have been logged never mind any investigation carried out by the SA to start with.
That the FBI agent began looking into the emails and actually tasked the FBI’s lab boys to look into it, well, then it became a case. OPR is looking into it all now and sure, something may come of that investigation (i.e. the SA will be drummed out maybe) it all changed timbre once Petraeus’ name became part of the picture. As DCI P4 held the top most clearance possible as well as the data attendant to that designation. As such, any kind of activity like this would immediately call for an investigation into what was going on as well as what kind of damage may have occurred through compromise of his accounts or his credibility. So, anyone who asks why this is such a big deal and why the FBI did what they did, you need to just look at that one salient fact. The problem isn’t that they investigated, the problem instead is that P4 was doing this in the first place and may have actually given Broadwell more access than he should have to information he had within his possession.
This of course still has to be investigated and reported on and that’s why it all came to pass.
The Expanded Powers of The US Government (LEA’s) To Search Your Emails and the Fourth Amendment
Meanwhile, the civil libertarians are all over this from the perspective that “We the people” have little to no privacy online as the government and LEA’s can just subpoena our email in/outboxes without any oversight. This has been a problem for some time now (post 9/11 really PATRIOT Act) so it should not be new to anyone who’s been paying attention. It is true though, that those powers have been expanded upon since the Patriot Act was passed but overall, the technologies have outstripped the privacy possibilities for the most part in my book. For every countermeasure there’s always another that can be used against it to defeat your means of protection. Add to this that the general populace seems to be asleep at the digital wheel as well and the government has a free hand to do whatever they like and get away with it.
Frankly, if you are ignorant of the technology as well as the laws being passed surrounding it then it is your fault if you get caught by an over-reaching LEA. It’s really that simple. If the general populace is not out there lobbying against these Orwellian maneuvers by law enforcement as well as using any and all technology to communicate securely then it’s their God damned fault really when they get pinched or spied on. It’s all of your jobs out there to know the laws, know what’s going on, and most of all, to know how to protect your communications from easy reading by LEA’s and others. I firmly believe that the laws on the books and the slip-space between where LEA’s and governments are abusing them is egregious but I as one person can do nothing to stop it from happening at a legal level. At a technical level though, that is a completely different story.
Your “Papers and Effects” Digitally…
Now we come to a real sticky bit in this whole debacle. The Founding Fathers listed “Papers and Effects” while today the law and the government seem to think that electronically, neither of these terms apply to your online communications. Last year I sat through a tutorial by the EFF on this very thing and was not completely shocked by what they were saying as much as wondering just how people let this slide. According to the EFF the LEA’s see no relevance to the words papers and effects when it comes to an email inbox or a Dropbox. What this means is that they can just sneak and peek in some cases without a warrant or a subpoena. If you have email or files being hosted anywhere online, not on a system within the confines of your home, then it’s really fair game to them. I also assume the same can be said for any files/emails on any intermediary servers that they may pass through and are cached as well. So really, once you log in and create the email outside of your machine at home (i.e. being logged onto Gmail for example) it’s already not a paper or effect within the confines of your domicile.
Once again, the law is outdated and should be amended to cover discreetly the nature of email, its ownership and the protections that you “think” you have already as it is a paper of yours and thus covered by the Fourth Amendment. Will this happen though? I am not overly optimistic that it will even make the table with or without the likes of the EFF trying to push the issue frankly. The government has it the way they want it as well as their machinations via Patriot Act allow for so much latitude just to make their lives easier to snoop against anyone for fear of terrorism. Face it folks, we are pretty much Borked here when it comes to our online privacy, and not only from the LEA/Gov perspective either. Just take a look at all of the corporate initiatives out there in EULA’s and lobbying such as RIAA or MPAA. Any way you look at it, your data, once out of your local network, is no longer legally yours.
The Only Privacy Today That YOU Have Is That Which YOU Make For Yourselves With Crypto
This brings me to what you can do about all of this today. The only way to really have that privacy you desire is to make it yourself and to insure that it can withstand attacks. By using strong cryptography you can in fact protect your fourth amendment rights online. You have to insure that the crypto is strong, tested, and not back door’d but there are more than a few products out there on the market that will do the job such as PGP/GPG. In fact, Phil Zimmerman got into trouble with the US Government in the first place because PGP, to them, was considered to be a munition! So really, what is stopping you all from using it en mass? Well, i am sure there’s a healthy dose of lazy in that mix but I would have to say for many its the lack of comprehension on how it works and how to manage it that stops the general populace. Of course I have to say that PGP on a Windows box is really really easy to use so, once again we are back to lazy.
Anyway, unless you assiduously apply crypto to your communications, whether it be a PGP encrypted email or a chat session using OTR (Off The Record Messaging) consider yourself open to LEA abuse. The other side of that coin unfortunately is that if you are encrypting all your communications, the LEA’s may get to wondering just what you are up to and force the issue. I guess it’s much better to have them wondering and FORCE them to get a warrant to search your home then to just roll over and allow them to see all your dirty laundry (looking at you P4) because it’s open for the taking on a Gmail server somewhere. I mean, yeesh people, you worry about your second amendment rights all the time, moaning and whining about your need to carry a gun but you don’t do shit about encrypting your traffic?
*sad*
TRADECRAFT and OPSEC Are Important As Well
Another component that the general tried to use and failed so miserably at (which scares the living shit outta me as he was DCI after all) was the old “dead drop” method. The modern twist on this is the use of a Gmail account where you just log into it shared and leave draft emails for the other party. This has been something the AQ guys have been using for a long time and once again, it is futile to stop the LEA’s from seeing it all unless you encrypt it! This was the main failure in the case of P4 and his squeeze. No crypto allowed all the lascivious emails to be read in situ and that was just stupid. They through they were being so smart using a tactic that we have been monitoring AQ on for how long?
*duh*
The second massive failure on the part of both P4 and Broadwell (other than P4’s bad judgement of crazy women) was that neither of them were anonymizing their logon’s to the email properly and consistently. It seems perhaps this may have been more Broadwell than P4 but meh. In the end it was the downfall as the FBI tracked the IP addresses from the Google logons across the country to hotels where she was staying. All they needed to do in the end was match names for each hotel and BING they had her. At the end of the day, OPSEC is king here and both military veterans failed miserably at understanding this which is really frightening frankly. If you want to play the game know the OPSEC and TRADECRAFT and APPLY them properly. The same goes for you all out there who are crying about your privacy. You too will succumb in the same way if you do not pay attention.
Welcome To The Digital Panopticon
Finally, a parting thought. I have said this before and I am saying it again here. “Welcome to the digital Panopticon” No longer are you in a place where there are corners to hide easily. With the governments of the world trying to gain control over the way we communicate electronically we will see increasing measures of privacy stripped in the name of anti-terrorism as well as transparency. Have no doubts that the governments that apply this logic will of course have back doors for their own secrecy but surely not yours. It will remain your problem and your duty to protect yourselves if you are using the infrastructure to communicate to anyone. Know this, say it as a mantra. If you do nothing about it, then you have nothing to complain about.
So I exhort you, learn and use encryption properly. Go to a cryptoparty near you and learn from the cipherpunks! Deny the governments of the world the ability to easily just look in on your lives whenever they feel the need without due process. Until such time as the laws are amended and some fairness put into it, you are just cattle for them to herd and cull.
There’s no excuse…
K.
Offensive Defense: A Really Bad Idea Proposed By Charlatans And Zealots
Eppauvhlkrinfcrbyjhzyuzzrnqpxeihdcgjifdufjxv
Offense: It’s All the rage!
Over the latter half of last week and into this weekend my Twitter feed was filled with talk of “Offensive Defense” talk. What I mean by Offensive Defense is the idea that a company has the right and the legal ability to hack back against those who may have attacked them and or taken their property such as “IP” Since the advent of companies like Crowdstrike, there has been a din of chatter and a dearth of commons sense on this issue. Personally I have determined that as a rule this is a horrible idea filled with epic hubris that if acted upon by companies out there will eventually lead to much more damage to their business than some IP being stolen. I fear that in the end it will unleash a series of cascading events leading to outright lawlessness and vigilantism on the Internet.
So, from the discourse that was had on Twitter with Rafallos to the continuing speculative and vaporwear like cries by Crowdstrike and it’s founders to this blog post, I hope to once and for all set forth that in no uncertain terms that this is a bad idea. This activity should not be an offering by any company as a service and to even float the idea is an exercise is near charlatan like behavior. The new snake oil my friends is the idea that it’s ok to hack back against those you “perceive” as having hacked you.
Attribution Much?
Firstly, lets look at the issues of attribution. I have written about this in the past and thought it was pretty clear. Attribution is never 100% and never will be unless you can prove in a court of law someone did something. Yes, that’s right a court of law kids. The words you are groping for are “Without reasonable doubt” If you cannot make your case in court what makes you really think you are clear to hack/attack some infrastructure because you think they did something? It’s just one of the most stupid and extralegal ideas I have ever heard and I have heard some whoppers in my time believe me.
Let me put it to you simply.. If there is no legal finding of attribution then there is no attribution other than hearsay. It’s as simple as that. You see, if you can prove it in court then you have hopefully had the benefit of proper forensics and findings. What gets everyone’s goat now is that many of these crimes cannot be taken to court because there is no law perhaps against what was done in some cases. In others, it turns out that due to the nature of computing and sometimes the nature of the poorly configured networks out there in use, that there is no evidence to be had to point to anyone doing anything. This is what really sticks in the craws of those who advocate the hacking back. They feel powerless and think that they are some super secret intelligence unit outside of the purview of the law or the government. (looking at you Crowdstrike) *squint* So, a key factor here is attribution that frankly, many times cannot be held up in court. So instead, lets get a kangaroo court instead and just have frontier justice huh?
So what makes you more right than say Anonymous here?
On another level, lets look at the idea that Anonymous has been and is a “vigilante” organization. Their attribution has been less than sparkling over the years here as well. What makes your company any less the vigilante or like Anonymous for acting upon suppositions that you have and hacking another company? For that matter, hacking company A while in fact it was company B who did the hacking in the first place using company A’s assets? It’s a false assumption that you are actually getting back at the culprits when you perform these types of operations and in fact, you may be committing crimes by hacking back at the wrong infrastructure in the first place. Of course there is the idea firstly that hacking in and of itself is a crime right? So if you take part in this, pay for this service, partake at all in it, you have already committed a crime by laws on the books.
*blink*
Do you really think that you are then holding the moral high ground here? What happens when someone hacks your infrastructure because they thought you had hacked them? What recourse do you have then once crossing that threshold into the dark territory of hacking back? The cry from so many companies of late after being hacked by LulzSec and others really is quite pointless if you start taking up the position of deputizing yourselves and others to take the law into your own hands.
You are no better than those who attacked you to start and yes, you have no legal leverage at all once you do so. It’s flawed logic if any logic is being used at all here.
Are there any returns on investment here?
Lets say you have decided to engage hackers or some company of them to hack back against someone you think attacked you. What if anything logically do you hope to gain from this? Your data perhaps? Well, data can be copies numerous times in various places and are you in fact sure you got the only point of exfil from the company to start? If you get the data back how do you know that you are the only ones who have it once its been in the open? You don’t, and thus what gain is there? Oh sure maybe you can gain some intel on your attacker, their modus operandi maybe but really what do you get here?
The same goes for hacking back and destroying infrastructure etc. What is there to gain? Once again are you even sure the systems you are attacking are in fact those of the real attacker or just some proxy who has no idea what the hell is going on? Really, what’s the point? Some might say you will gain intelligence on your attacker. Well sure maybe but its just as likely there will be nothing of worth there as well so where is the ROI here? You will have been paying hackers to do things for I am sure, a lot of money so really do you win if they get into the systems you want them to? Please consider just what its really worth as opposed to what you will lose if things go wrong, and they will, and it all makes the news.
Once again, it’s a losing proposition I think….
Alright, we hacked in and we took the data back but look! They have some tasty data here.. Who’s to know that we took it?
Ok, so we hacked back and we got the data back! YAY! But hey, look, while we were looking we also saw this other data.. It belongs to another company and, well, they are a competitor. Lets just have a look shall we? Now that is a slippery slope huh? Really I think this will happen and it will also be no good. Once again we are on the fast track to bad things and the reality is that it is bound to be something that companies will then justify as “competitive intelligence” ya know, like they do today right? Look at all of the private intelligence firms out there today who not only sweep for bugs in your corporate offices, but also have been known to install them as well in the oppositions as well.
Corporations are now in fact of law “entities or people” according to politics and campaign finance. How is it they aren’t when it comes to spying on other companies or their employees? Just a thought….
How long until we have a pre-emptive strike doctrine for the corporate sector?
This brings me to one of the more scary ideas to come from this whole debacle. All of this really will likely come down to preemptive strikes against other companies or entities because they have heard chatter about an offensive to come. No, I am not being too dark or melodramatic here. This I believe is already taking place within the communities today. Industrial espionage is not only about stealing secrets. It’s also about denying your competition the advantage. In fact there was a story today about how “poor little Coke” was attacked by the nasty China. What does not get told in such stories is that Coke and other megacorps like them also use private intel firms as well to spy on others and perform dirty tricks. So none of them are lilly white here but using this argument of hacking back as “defense” only tries to legitimize the whole thing in the network sphere.
Mark my words, there will be preemptive attacks if there already haven’t been…
False Flags and Merc’s
Lastly, once again I shall trot out the idea of false flags and add the mercenaries angle for the cyberverse. Any companies offering these services (hacking back/Offensive Defense) should be on the look out as to becoming the unwitting pawns in these games. They should also be aware that not only corporations will use them but also “cutout” corporations as well that are in fact fronts for the CIA and others who want plausible deniability. Think on that… Do you want to be a part of this? Would you like to be on the receiving end of the attacks? Talk about APT and your “militias” huh? It’s all just bad idea after bad idea and will amount to nothing good or fruitful at all.
Final Thoughts
All of this tough talk is just that. It’s trying to sell a service and make people feel empowered but in the end it will only serve to muddy the waters. From the perspectives of ethics and morality to law or just right and wrong, all of this smacks of bravado and hubris. The private companies of the world already have their toes in the pool, but advocating it be done through hacking as “defense” is just the cherry on top of a shit sundae.
Everyone just stop. All you offering the services or touting the ideas should just sit back down and shut up. Everyone cries now that the government is encroaching on their rights with regard to privacy and you all want to just push that bar even further out with offensive defense actions?
Morons…
K.
The 2012 INFOSEC NAUGHTY LIST NOMINATIONS
That’s right kids! It’s that time of year again when ol’ Krypt3iaclaus comes out and opens his sack of CYBERCOAL for those of you who have been especially BAD in INFOSEC this year and BOY has there been a lot of “BAD” I am taking nominations! So please surf on down to THIS HERE LINK and put in your ATTRIBUTION FREE nomination for the INFOSEC NAUGHTY LIST 2012!
Yours,
Krypt3ia.
PS: If they’ve uttered CYBER seriously they are likely to not be eligible for the list.
Krypt3ia 