Posts tagged ·



Linus: Hash function as identifier vs. crypto security

Comments Off

Linus had an interesting observation last week, after it was announced that collisions could be found for the SHA1 hash algorithm. On the “Shattered” page, they declare that everything is broken, from cryptographic signatures to backup systems, and git. Linus however, refutes this, noting that the use of SHA1 in git is not for security, but rather as an identifier for the commit.

In fact, as is pointed out in the comments section of Linus’ post, git could probably have gone with a CRC 160-bit function (the default SHA1 is 160 bits). Or, if there was no need to relate the ID directly to the submitted code, an UUID would also have been fine.

The point it, security does not exist for itself, but rather as a reaction or mitigation to a threat. If the threat is cosmic rays or disk corruption, assuming no other intentional attack, and all that is required is to detect when there is a bit-flip, CRC, MD5, SHA1 are all fine alternatives. However, for dealing with encrypted messages, keys and signatures, other algorithms are needed. As for git, the biggest threat there is not bit-flips, accidental or malicious. Rather, it is the incorrect behaviour and functioning of the code in the repository. And for that, the solution is not hash functions, but unit tests. As Linus points out, you will definitely notice if characters and code is flipped around.

Comments Off

Expanding police and surveillance powers across Europe

Comments Off

In January, two interesting and thorough reports on expanding police and surveillance powers across Europe were published: Amnesty International published a 70 page report which summarizes its research into expanding police laws across EU and the troubling consequences to innocent citizens. It was followed up by an opinion piece in The Guardian by one of its authors, John Dalhuisen.

The second report was by Privacy International (original), and analysed the expanded surveillance and data retention powers in UK, Germany and France.

Each report paints a grim picture of the state of human rights and privacy across the EU. Overall a somber picture emerges: The liberty and freedom we have enjoyed over the last quarter of a century is eroding. Add to that the sweeping wind of right-wing nationalist politics across the continent, and the alarm bells should be ringing.

Too often, the counter-argument in this debate is “if you’ve got nothing to hide, you’ve got nothing to fear”, or the corollary “I’m too boring for the state to be interested in”. Glenn Greenwald does a good job of dispelling that argument in his book “No Place to Hide”. He points out that surveillance stifles self-expression, creativity and experimentation. On a state level, its very purpose is to hinder deviant and radical thought and action. As such, surveillance and lack of privacy is an obstacle to political and cultural progress.

Given that mass state surveillance harms us all, our individual relation with the state authority, and whether we personally feel we have anything to hide or not, is nonessential to the debate. It is irrelevant if you yourself is involved in politics, opposition groups, and protests. Surveillance harms everybody, depriving us of freedom, and hindering political, cultural, and human progress. It makes us complacent, unable or unwilling to question authority.

Dangerously disproportionate

In their report, titled “Dangerously disproportionate”, Amnesty International analyses events and laws passed in 2015 and 2016 in multiple EU member countries, including UK, Germany, France, Holland, Spain, Poland, Hungary and Austria. They look at new emergency powers; legality of laws and powers; the right to privacy; freedom of expression; right to liberty; freedom of movement; and stripping of nationality. In each section, Amnesty International specifically calls on EU member states to respect established Human Rights and the rule of law. They provide multiple examples from the various states where it is questionable whether the police and the executive branches have acted legally, against their countries laws or against basic human rights.

The report is well written, and comes with several insightful and well placed warnings. Amnesty International is ringing the alarm bells, and points out that the governments of Europe are now the biggest threats to their own nations and freedom of their people:

“Ultimately, however, the threat to the life of a nation – to social cohesion, to the functioning of democratic institutions, to respect for human rights and the rule of law – does not come from the isolated acts of a violent criminal fringe (…), but from governments and societies that are prepared to abandon their own values in confronting them.”

Terms like “the enemy” and “terrorism” have always been deliberately vague. This is now causing real problems when such vague and undefined terms are used as part of laws:

Because there is no universally agreed definition of “terrorism” under international law, states and international bodies have created their own. In that process, over the years, definitions of terrorism have become ever more vague and overly broad. This lack of clarity in many counter-terrorism laws has led, in turn, to a lack of certainty regarding what precisely constitutes an act of terrorism. If people can’t tell whether their conduct would amount to a crime, they cannot adjust their behaviour to avoid criminality. The consequences can be significant, ranging from the profiling of members of certain groups thought to be more inclined toward “radicalization”, “extremism”, or criminality based on stereotypes – i.e. guilt by association – to the outright misuse by states of laws that define terrorism loosely to deliberately target political opponents, human rights defenders, journalists, environmental activists, artists, and labour leaders.

Mass surveillance is still illegal and against Human Rights:

Any communications surveillance measure used must be strictly necessary and, to the extent that it interferes with people’s rights, must be proportionate in the particular circumstances of each case. The cornerstone of lawful communications surveillance is that it is individualized and based on reasonable suspicion of wrongdoing.

Indiscriminate mass surveillance, in effect a fishing expedition and “just-in-case” retention of people’s communications and data, is the antithesis of this. States may refer to indiscriminate mass surveillance practices by other names – “bulk” rather than “mass”, “collection” or “interception” rather than “surveillance” – but linguistic gymnastics do not make the practices conform to human rights standards.

When laws are vaguely defined and the state can monitor everybody all the time, this is causing a chilling effect on freedom of speech, thought and expression. Simply clicking on the wrong link can be enough to land somebody in trouble. The report points out how musicians and other artists have already been the target of discrimination and “terrorist” laws.

The right to freedom of expression has been under direct and sustained assault across Europe in recent years. Measures that seek to curb speech and other forms of expression, taken cumulatively, reflect a landscape where freedom to access information, offer opinions, exchange ideas, and engage in robust and challenging debate – publicly or online – is in rapid decline. The risk that a person could be labelled a security threat or “extremist” has had very real consequences for some people as the examples below illustrate, while the “chilling effect” that such measures creates has left the public space for free expression smaller and more impoverished than it has been in decades.

Finally, the report discusses freedom of movement, and the dangerous trend towards “preventive measures” and “pre-crime” initiatives without the rule of law:

Indeed the extent of the remove can be seen from the fact that states are criminalizing not just the preparatory act of travelling abroad with the purpose of committing a terrorist offence, but also acts preparatory to the preparatory act of travelling abroad with this purpose. The problem here is that acts such as browsing “extremist” websites and looking up the price of flights to Istanbul can all render people liable to prosecution, long before individuals may have made up their minds to commit a terrorist offence, or without their ever even having contemplated it in the first place.

Mass Surveillance in Europe

The Privacy International report is shorter, but just as interesting and worrying. It covers the British “Snoopers Charter” or Investigatory Powers Act (IPA); the German Communications Intelligence Gathering Act (“Ausland-Fernmeldeaufklärung des Bundes-nachrichtendienstes”); and the French International Electronic Communications Law (“mesures de surveillance des communications électroniques internationales”). For each law, the authorized powers, oversight, and power over privileged communication is examined.

Although the terrorist attacks in these countries over the last years are driving forces, many of the laws being passed now seems to have at least some relation to the EU Data Retention Directive, issued a decade ago, in 2006. Although that was annulled by the EU Court of Justice in 2014 for “violating fundamental rights”. Still, similar and broader laws are now in place in many EU member states.

The report concludes:

The leaders of Germany, France and the UK are setting a dangerous precedent which echoes within the European Community and far beyond it: Mass surveillance by governments has become the new normal.

No sanctuary in Switzerland

Upon till recently, Switzerland was a sanctuary of privacy and secrecy of private information and financial information. The latter was shattered a few years back, when the US threatened to throw out the Swiss banks if they did not disclose account details on what US citizens held. The former came under attack in 2015 and 2016 when two separate data retention and surveillance laws were enacted and passed. The BÜPF – “Überwachung des Post und Fernmeldeverkehrs” (“Monitoring of post and telecommunications”) and the NDG – “Nachrichtendienstgesetz”, an extension to the existing national intelligence law. There’s an discussion of both here, and more details by ProtonMail.

The laws calls for all communication channels and services to retain certain metadata about the communication for a year, which includes any open wifi hotspots; IRC chat rooms; email and chat services; message boards and so on. Again, similar laws which were declared illegal for violating fundamental rights by EU Court of Justice in 2014 have become national law. Furthermore, the laws makes state hacking and wiretapping legal.

Even though Switzerland is neutral, they maintain close ties to the US, including data sharing agreements through the Privacy Shield Framework, like the other EU countries. (The double-speak has really gone far when “privacy shield” is a name for business and government information sharing). Furthermore, regarding financial details, Switzerland is taking part in the Automatic exchange of information (AEOI) program, under the guise of detecting tax evasion.

An interesting note about the “Nachrichtendienstgesetz” extension is that it meet strong resistance, and ProtonMail were amongst activists who gathered enough signatures for the 2015 proposal to go through a national referendum, as is required in Switzerland. The only problem: they lost. On 25 September 2016, the vast majority at 65.5% voted in favour of the law. Although only about 43% of eligible voters cast their vote, the outcome was similar across all cantons, and therefore we must assume representative of the opinion of the population as a whole. It goes to show, that even in Switzerland when the choice stands between privacy and security, people will give up their privacy.

Comments Off

NSA survailance violations – a brief summary

Comments Off

A summary of the latest news and NSA revelations.

Thanks to Snowden, we now know the NSA:

  • Had James Clapper lie under oath to us – on camera – to Congress to hide the domestic spying programs Occured in March, revealed in June.
  • Warrantlessly accesses records of every phone call that routes through the US thousands of times a day JuneSeptember
  • Steals your private data from every major web company (Facebook, Google, Apple, Microsoft, et al) via PRISMJune and pays them millions for it August
  • Pays major US telecommunications providers (AT&T, Verizon, et al) between $278,000,000-$394,000,000 annually to provide secret access to all US fiber and cellular networks (in violation of the 4th amendment). August
  • Intentionally weakened the encryption standards we rely on, put backdoors into critical software, and break the crypto on our private communications September
  • NSA employees use these powers to spy on their US citizen lovers via “LOVEINT”, and only get caught if they self-confess. Though this is a felony, none were ever been charged with a crime. August
  • Lied to us again just ten days ago, claiming they never perform economic espionage (whoops!) before a new leak revealed that they do all the time. September
  • Made over fifteen thousand false certifications to the secret FISA court, leading a judge to rule they “frequently and systemically violated” court orders in a manner “directly contrary to the sworn attestations of several executive branch officials,” that 90% of their searches were unlawful, and that they “repeatedly misled the court.” September September
  • Has programs that collect data on US Supreme Court Justices and elected officials, and they secretly provide it to Israel regulated only by an honor system. September


Comments Off

NSA surveillance – business as usual

1 comment

This week saw two interesting, and supposedly shocking, stories about the scale of the US government’s Internet surveillance. Starting Thursday with the news that the phone operator Verizon had been ordered to hand over all meta-data on its customers’ communications to the NSA. The following day, a different program was revealed, leaked by the means of a terribly amateurishly looking PowerPoint slide deck, which showed that the NSA had direct access to all customer data and content from all the major Internet service providers, including Google, Facebook, Microsoft, and more.

The reaction to the first story is interesting in that it involves only meta-data. The same type of data collection was enacted in law by the EU in the 2006 Data Retention Directive. This directive was no secret at the time, and the scrimmage in individual member countries which started to implement it a few years back was mostly around who would pay for it; the Internet and phone providers or the government. At any rate, by now any EU citizen should expect this kind of system to be in place. It is therefore somewhat ironic when the US press pretends that there are stronger privacy protections in place on their side. The last decade has for the most shown the opposite to be true.

The second story, around the full content access, should be no big surprise either. A similar story broke seven years ago, although it was and still is considered “warrantless”. Another example from the post-911 area is the Information Awareness Office, which despite heavy criticisms in 2002, still lives on. And even before that, it has always been speculated that the US government, through CIA, NSA, FBI or other TLAs, was listening in on phone and Internet communication. Take for example the ECHELON project, which probably has been around since the cold war area. It was investigated by a committee of the European Parliament, which amongst other things concluded: “the existence of a global system for intercepting communications, operating by means of cooperation proportionate to their capabilities among the USA, the UK, Canada, Australia and New Zealand under the UKUSA Agreement, is no longer in doubt”.

So why the outrage just now? We don’t have to look further than The Guardian’s summary: “Obama defends secret NSA surveillance programs – Insists surveillance is essential for national security.” In that light, it no longer seems like a coincidence that two completely separate NSA programs were leaked on two consecutive days. As a political cheap shot, it seems to have worked very well. What’s more, Obama took the bait, and swallowed it hook, line and sinker.

So even though these stories are akin to declaring water wet, from a privacy and security point of view, it is useful that more people are made aware of and start to ponder the risks of the information systems we surround ourselves with. We just have to make sure that the outrage is directed towards the right institutions, and that any change is implemented where users need it. Voting, joining a political party, and working for change within that system is definitely a noble goal, however, it will unfortunately not protect your data any time soon. Asking the various ISP and service providers to improve their security, encrypt our data, and not hand it over to the government is also appropriate. It’s just that they are required by law to hand over data, so we cannot trust that to not happen.

The only way to make sure your own data is secure from government hands, and be aware of any requests that might be made against it, is to store it yourself. If you are storing something they are after, that will of course not stop them from knocking on your door, but at the very least you will know.

The right response to these stories is not blind rage, resignation, or declaring defeat. Rather it should be to decentralize: Avoid large scale, single point of failure, services. Build and maintain your own systems, based on free and open source software, so you can be confident that no warrantless access is granted. Make sure data is encrypted, communication is encrypted and signed, and nothing flies in plain-text over the Internet. If you are dealing with sensitive information, maybe as a lawyer, as a doctor, or a secret business deal, anything else is simply incompetent, or possibly gross neglect.

Police “decrypts” your phone

Comments Off

CNET has an interesting article about how warrants to access suspects mobile phones are handled by two of the big mobile OS providers; Apple and Google. Focusing on Apple, the article mentions cases where the police has to wait for Apple to perform the unlocking, while Google “resets the password and further provides the reset password to law enforcement”.

From a technical perspective, it is not clear what kind of unlocking is performed; whether it is the SIM code, screen lock, or account password. It is interesting that the article mentions decryption, but it is probably a misunderstanding, or wrong wording: Android phones do not use encrypted storage by default, and in fact, if you have a model with a removable memory card, you can read that in any SD card reader. Accessing the embedded phone storage is also easy if it already unlocked (using fastboot / adb). iPhones does not use encrypted storage by default either, to be best of my knowledge. The article does indeed state that “It’s not clear whether that means Apple has created a backdoor for police [...] , or whether it simply is more skilled at using the same procedures available to the government.”.

From a privacy and security point of view, it is clear that it is irrelevant what the default security setting is. It can simply not be trusted to perform the task a user would expect. Rather, one should use take matters into own hands, and use software that has been proven to not contain backdoors for police or others. The only option is free and open source software, which has been vetted by security experts and the community.

Comments Off


Comments Off

This week was not a good one for “cloud security”. No less than three major web sites had their password databases stolen, with LinkedIn as one of the biggest hits. Since they did not “salt” their password hashes, there is now a trove of easily crackable password hashes for everybody to go through.

Not exactly my cup of tea, but what I found interesting was this tool which lets you check whether a passwords was included on the list of 6.5 million. Now, I wouldn’t advice anybody to type their real password in there, no matter how much that web sites claims they are the “good guys”. However, it’s fun to see what other “clever” passwords people come up with. Here’s some of the ones I’ve found (minimum length at LinkedIn was 6 characters).

The obvious: password, 123456, qwerty

The keyboard layout: qazwsx, zse4xdr5, 0987654321, mnbvcxz.
Well, virtually every “clever” layout combination I can come up with. Including “super clever” ones like: zse456, 890okm, !QAZ”WSX.

The names: harry1, harry2, harry3, harry4, harry5, harry6, harry7, harry8, harry25, harry26, anna25, john30.

The famous: rambo1, gaga12, posh10, clinton, billgates, hilton

The pets: puppy1, puppy2, bonzo1, pluto1.

The cities: london, newyork, berlin, oslo11, tokyo1, zurich

The obscene: Actually, I’d rather not have my blog black-listed by iterating them here. You go ahead and try yourself. There’s many of them. If the word doesn’t make up six letters, append 1 or 10.

Ok, that’s enough fun for now. I’m thinking this would make a great game! A twist on the old hang-man. Or maybe more time-based: Guess 10 LinkedIn passwords in 20 seconds. Well, looking at the examples above, that’s possibly too easy.

Comments Off