Monday, March 16, 2015

Think

Encryption


Imagine my surprise the other day on reading that Hillary Clinton had some views on encryption and that the Washington Post published an article on it.  Here it is:


The positions she takes are similar to what Republicans have and make me wonder if she has anywhere near enough knowledge and skill to say anything at all about the subject.  I disagree with her about Edward Snowden since I appreciate what he reveals.  I would disagree with Edward Snowden on certain things, like complaining about Amazon not using https (PK enciphered) full time when they have an even bigger glaring hole in storing your credit card number without your consent.  What is there to prevent a hacker from stealing it?  Just a year or so ago, every time I ordered something from Amazon the email account associated with it would all of a sudden receive a large amount of spam.  But somebody with the pen name LeisureGuy summed up what Hillary Clinton believes about encryption with this statement:

"It's pretty simple in concept: the encryption used must be able to detect the character of the person(s) trying to break the encryption. If they are "good", then the encryption allows them to break the encryption and read the contents; if they are "bad", then the encryption refuses to break.

That's what Clinton wants, and like many who are wealthy and powerful, she cannot understand why, if she wants something very much, it could possibly be something not available. The Dunning-Kruger effect also applies, I imagine: she knows so little of the technical aspects of encryption and cybersecurity that she doesn't understand the depth of her ignorance, so she trusts her "gut feeling" that whatever she *really* wants must be possible."

Dunning Kruger Effect (Wikipedia)

She wasn't the only one with that depth of ignorance.  Others had it too.  So let me look at two recent (within less than a month) things that may change her ideas on encryption and soften her stance towards Edward Snowden.

FREAK Attack
The FREAK attack exists because a too-soft cipher was mandated for all companies by the NSA and other agencies of the United States government.  Here is a write-up on it:

FREAK Attack (Washington Post)

You can test your browser side (there is also a server side to this) here:

https://freakattack.com/

Be sure to run the FREAK test named "FREAK Client Test Tool (clienttest.html)".  Just remember that this weakness was introduced the same way that she purports should be done - a middle way.  My statement on that was that you make encryption as strong as possible and hope it doesn't break.  What happened here?  It broke.  It also shows that Snowden's PowerPoint presentations were correct.  The NSA could crack iPhones.

Gemalto Sim Ki Heist
Here are the first two good articles on this from FirstLook:

Gemalto Sim Ki Heist (Breaking In)
Gemalto Sim Ki Heist (In The Dark)

What baffles me is why Gemalto would say none of the Kis were stolen when we have proof from Edward Snowden and other sources that the NSA and GCHQ were actually exploiting cell phones.  We have Angela Merkel, whose phone conversations were recorded, among other things.  No matter what anybody says, something like this makes other people mad, especially when they are proceeding on good faith and not doing anywhere near the same thing.  Okay, I will sum up with some points.

Point 1:  There are a lot of people in the United States and other countries that are mad as hell that they are being spied upon.  I can already hear the excuse.  Oh, they are just looking at the metadata.  They throw everything away except for the terrorists that they are after.  Oh really?  Is that why the NSA contract analysts gave porn style pictures and videos to each other as gifts?  They are looking at a lot of text files and pictures solely in the pursuit of voyeurism.  That is strange metadata.  The sad thing is that this Democratic administration is coming dangerously close to doing what the Nazis did, and there are many Republicans that will assist in reauthorizing both the metadata collection of phone records and the Patriot Act, wrongly believing that it will make them safer.  It will not make them safer, and the Supreme Court of the United States stands by and favors stripping the American public of their constitutional rights.

Point 2:  You may think we are saying no to a middle way on encryption just based on our feelings.  I don't know about the others but I do know about me.  I have vetted the entire GnuPG code many times and cannot see a way of putting in what Hillary Clinton is requesting.  Others say you can but it would weaken the encryption to dangerous levels.  My observation after studying hackers for years is that if you can put it in, they will eventually learn how to exploit it.  Sometimes it is pure luck but it is always happening.  I still don't see how it is even remotely technically possible.  It is just the way that public-key encryption works.  In case you are wondering, yes, I have the book The Little Book Of BIG Primes by Paulo Ribenboim.  It used to cost $100.  It is a little bit more reasonable now but indicates we are not in Kansas any more.

Point 3:  In all of this most people probably think of enciphering to be the same as encryption and deciphering to be the same as decryption.  You usually just say that encryption involves one of the four activities: enciphering, deciphering, signing, and verifying.  About all I do with OpenPGP encryption is sign and hope that others use it to verify.  Here are two folders on my server where the signed files are at:

Downloads
Hosts File Changes

You will know I am signing when, for a file named something like "hosts.txt", there is also a file named "hosts.txt.sig".  The file with ".sig" on the end of it is called a detached signature file.  Using OpenPGP, the other person tests the file with the ".sig" on the end of it; the program searches for the file without the ".sig" and uses digest algorithms and their copy of your key (the public side) to verify that the ".sig" file, which was created with your copy of the key (the secret side), says the base file really did come from you.  What do I do this for?  To make hackers' lives more difficult if they try to change the base file.  If the hackers change even so much as one little teensy bit in the file, the verify fails.  So far, so good.
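
The sign-then-verify flow described above, as an added example that is not the author's code and not GnuPG: a simplified model using textbook RSA over a SHA-256 digest, with a toy key built from two small known primes. The function names and the sample hosts.txt content are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

# Toy key for illustration only: textbook RSA, no padding, two small known
# Mersenne primes. Real OpenPGP keys and signature packets are far richer.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # secret exponent (the "secret side")


def _digest(path):
    """SHA-256 of the file, reduced into the toy modulus."""
    with open(path, "rb") as fh:
        return int.from_bytes(hashlib.sha256(fh.read()).digest(), "big") % N


def sign_detached(path):
    """Signer: write <path>.sig from the file's digest and the secret exponent."""
    sig_path = path + ".sig"
    with open(sig_path, "w") as fh:
        fh.write(format(pow(_digest(path), D, N), "x"))
    return sig_path


def verify_detached(sig_path):
    """Verifier: find the base file by dropping '.sig', re-hash it, compare."""
    if not sig_path.endswith(".sig"):
        raise ValueError("expected a .sig file")
    base = sig_path[:-len(".sig")]
    if not os.path.exists(base):
        return False                   # a signature without its base file
    with open(sig_path) as fh:
        sig = int(fh.read().strip(), 16)
    return pow(sig, E, N) == _digest(base)   # needs only the public side


def demo():
    """Sign hosts.txt, verify it, then flip one bit and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hosts.txt")
        with open(path, "wb") as fh:
            fh.write(b"127.0.0.1 ads.tracker.example\n")   # constructed content
        sig = sign_detached(path)
        before = verify_detached(sig)
        with open(path, "r+b") as fh:  # tamper: flip the lowest bit of byte 0
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 1]))
        return before, verify_detached(sig)


if __name__ == "__main__":
    print(demo())
```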

But that same key that is used for signing and verifying is also used for enciphering and deciphering.  You use the secret side of your key to sign and to decipher.  You use the public side of the other person's key to verify and encipher.  But since it is all bound up and used together, there is a possibility that if there is a middle way the CIA, FBI, Federal Marshals, GCHQ, or the NSA could get some sort of nasty file and sign it with my key.  But surely they wouldn't do that, would they?  Do you want to make a bet on that one?  If I did the same thing to Gemalto and was caught I would probably go to jail for at least 40 years.  I am showing just the latest of these things they have done that may be illegal and are immoral.  Do I trust them?  NO!  And there is more to it than I am revealing.


EMail

This is a strange one.  Hillary sets up the domain ClintonEmail.com for her email account.  Then a supposed security expert says that it is strange that he sees a construction page.  That is normal for most IWSPs (Internet Web Service Providers) for somebody that doesn't have a web presence yet.  Some IWSPs will even allow you to redirect to another existing web service from these parked host names:

http://www.securemecca.biz

Then I find out she has secured a mail service from MXLogic.com.

The AV Product
At first I thought that the AV package MXLogic.com used was the only thing that McAfee recently purchased.  I thought that McAfee would integrate the heuristics of it into their McAfee-GW-Edition product.  That may have been done but then I learned that McAfee bought the whole company.  That could still be just for MXLogic's one AV product but only time will tell.  But it has never been at VirusTotal (now run by Google), which allows you to contrast multiple AV packages to determine if something is safe.  Here is one of my email-borne malware samples that I have scheduled to rescan:

VirusTotal Malware Scan

It is much better now than it used to be.  When I got it only two AV packages detected it.  They were Ikarus and Kaspersky.  Here was the scan back then:

Original Malware Scan

But overall, for most email-borne malware Sophos is one of the first that detects them.  Kaspersky is also good for email-borne malware, as are a few others.  I really would not use what Hillary used if I had a Windows system.  I would want Sophos for the scanner on the email server.  But maybe all Hillary uses is her iPhone.  If so then maybe another AV product that scans for phish would be more appropriate.

What AV do the government email servers use?  I don't know but I can only assume it is much more robust than what she was using.  But they know that they have to defend Windows machines as well as iPhones.

The Anti-Spam Product
At first I thought Hillary had a lot of problems with spam with that number in her user name.  E.g. were there user names with different numbers in them that she abandoned as the spam took over and she created new user names to run away from the spam?  Only the government email people will know the answer to that one since any email received by others on the government email system will have any and all user names that she used.  I stopped looking into this the moment I saw all the problems people were having in getting email into an MXLogic email server.  I suspect you may even need to white-list everybody you want to allow in.  That is how bad some of the people commenting about it found it to be.  Suffice it to say that I think the spam protection is probably one of the better ones out there.  You just have to tune it to get email in and out.  Since the base product is Microsoft Exchange for the SMTP server I of course hate it.  After qmail's nice headers everything else except maybe postfix are sub-standard SMTP servers in my mind.

Who Has Emails?
This one is where it becomes really problematical.  If the government email system only backs up what is received then it will only back up what she sends to others that are on the government email servers.  But if they back up both what is received and sent then they will have copies of the email that is sent both from her and to her from another user that is using the government email system.  Either way, any emails sent to somebody else at a company in the United States that is compliant with the law should have backups.  But email sent to or received from another email system like hers or to a web-mail account will only have what those users keep.

This is more of a transparency issue than anything else.  The idea of saving the records goes back to the 1950s when the first rules were made about saving these government communications.  Only slight modifications were made to update the regulations.  I don't know if they are binding laws or not.  I do feel that from this time on, except for extremely extenuating circumstances, the government email systems should be used.  All classified email should of course use a separate, much more secure system.  One thing that disturbed me is that Hillary didn't have the certs to do the transmissions through her email server using TLS encryption for the first two months of having her email server.  If she sent classified information this way it is traveling in clear text!  That may be fine for her personal email communiques.  But it is not good enough for Secretary of State email messages whether the messages are classified or not.  That is why I think this needs to shift over to the government email servers where security professionals handle things.  Anything done outside that channel for email needs to be rare or not at all for government email communications from this time forward.  But it should not be done with anything other than TLS securing the transmission of the messages.  Additional enciphering will be needed for messages with classified material in them.

Update 2015-04-13.  I must add this information even though all of you know by now what has transpired.  Hillary Clinton's aides printed out what they thought people wanted, not realizing that most of the header is not preserved in that process.  But others asked that the whole file be preserved and delivered to them.  Was it?  No.  She had the mail server's disk drive erased.  Okay, let me show you what is in an email's header which usually only people like me see.  This one was created by qmail, the best SMTP engine.  Here it is:

Sample Email Header

Despite the folder name I no longer preserve their spam but only their malware.  This may be from another group other than PerniciousMalware (nee PeskySpammer).  The original group gave me nothing but boomerangs by using fake user names at my domain.  It took me the longest time to educate mail admins everywhere to not boomerang the messages since they didn't come from my or other people's domains but directly from a special purpose send-only SMTP server dropped onto a hacked machine running Microsoft Windows.  But I didn't see that until they made the stupid mistake of adding all their fake from addresses into their to lists.  When that happens you can see that in the email header.

Unlike Microsoft Exchange, qmail does something really nice.  It gives you a line with the label X-Originating-IP.  Its value for this message is 93.72.55.105.  This is the actual WAN IP of the bot sending me the malware.  I no longer do anything with the spam other than delete.  All I keep is the messages with malware.  I have had three separate days where that has numbered over a thousand email messages, each of which had malware attached.  Each of those days it has always boiled down to anywhere from five to just over a dozen different malware despite all the different names.  So what can I tell by looking at 93.72.55.105?  Well, it is in Kiev, Ukraine.  Not only that but it is in the UA-VOLIA-20080404 network belonging to Kyivski Telekomunikatsiyni Merezhi LLC.

More importantly vis-a-vis Hillary Clinton's situation, the header preserves all of the dates.  By having the disk drive probably wiped to DoD specifications, all of this information that was asked for is gone forever.  If Hillary Clinton was running this as a real business she would have violated the law since all people in the email business are bound by law to keep all emails for a specified time on the server and are supposed to have backups of it on other media that must be kept for much longer periods of time.

At least now you can see the data that is hidden from most of you in your emails.  I see it all the time.  I don't give the AV companies a print-out of the email.  I give them the entire email message saved AS-IS!  There may be other data in it besides the MIME encapsulated zip files that the AV companies need.  By preserving all of it for them there are no loose ends.
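
What the raw header carries that a printout does not, as an added example (not the author's tooling). The message below is constructed, its host names and addresses are placeholders from documentation ranges, and `header_facts` is a hypothetical helper built on Python's standard `email` package.

```python
import ipaddress
from datetime import timezone
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Hosts and addresses are
# placeholders; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
RAW = """\
Return-Path: <invoice@sender.example>
Received: (qmail 4242 invoked from network); 13 Apr 2015 08:15:02 -0000
Received: from unknown (HELO pc.sender.example) (203.0.113.105)
  by mx.recipient.example with SMTP; 13 Apr 2015 08:15:01 -0000
Received: from pc.sender.example ([192.0.2.7])
  by relay.sender.example with ESMTP; Mon, 13 Apr 2015 11:14:40 +0300
X-Originating-IP: [203.0.113.105]
Message-ID: <constructed-0001@sender.example>
Date: Mon, 13 Apr 2015 11:14:38 +0300
From: "Billing" <invoice@sender.example>
To: user@recipient.example
Subject: Invoice attached

See attachment.
"""

PRINTED = ("Date", "From", "To", "Subject")  # what a typical printout keeps


def _utc(stamp):
    """Parse an RFC 5322 date; a '-0000' zone parses as naive, so pin to UTC."""
    dt = parsedate_to_datetime(stamp.strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def header_facts(raw):
    """Return origin IP, per-hop timestamps, transit time and unprinted fields."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    # Each server prepends its Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())
        route, _, stamp = text.rpartition(";")
        hops.append((route.strip(), _utc(stamp)))
    origin = msg.get("X-Originating-IP")
    if origin is not None:
        origin = ipaddress.ip_address(str(origin).strip(" []"))
    lost = sorted({k for k in msg.keys() if k not in PRINTED})
    return {"origin_ip": origin, "hops": hops,
            "transit": hops[-1][1] - hops[0][1] if hops else None,
            "lost_in_printout": lost}


if __name__ == "__main__":
    for key, value in header_facts(RAW).items():
        print(key, "=", value)
```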


Summing Up

Hillary Clinton is reminding me of the Energizer Bunny.  She has a fully charged battery and blasts into meeting after meeting without even taking a pause on what she is doing.  This is not a man versus woman thing either.  I know plenty of women who have high order rational thinking.  Two of them are Senators Boxer and Feinstein.  I hear they called her to say things are going horribly wrong.  I strongly suggest that Hillary call and talk to them and others in the days to come.  Just remember these other people are very busy and have lots of demands on their time.  But she needs to give serious consideration that she is too old.  What she did with these two issues may show an age related problem.  All I know is that I see one person after another going into the presidency.  They go in bright eyed and bushy tailed.  They come out the tail end with gray hair, worry lines, and aged considerably.  I estimate they age everybody else's four years for each year in office.  That means they effectively age sixteen years for just one term of four years in office.  Ronald Reagan, who was famous for doing as little as possible, is maybe the only exception but even he aged a lot.  Aren't there any other Democrats that want the position of President of the United States?  I don't want to see Chris Christie in the Oval Office.  Isn't stopping all the traffic on a major bridge or Interstate an action that a Governor can be impeached for?  It should be.  I will check back for errors later but other than that I consider this post closed.  Post note: I did make some significant changes, most notably to show others just how bad new malware is at not being detected (2015-03-25).  You have a PDF file now to SEE just how bad it is.

Update 2015-04-13.  See the two paragraphs preceding Summing Up added on 2015-04-13.  I use 24 hour UTC time (Zulu) for all my computer related activities.  All I can say is that if Hillary ran even a modestly sized business, then by expunging all the data on her email server by erasing the hard disk drive with no backups, she just violated the law.  Evidently she believes there should be a separate standard for her and Edward Snowden.  If she cannot see the difference in intent she is blind.  As any good email admin will tell you, you need to make backups of all the email messages and keep them for a long time.  If you don't, very bad things can happen to you.  I am afraid Hillary Clinton could never have counted on any Republicans switching sides.  After her actions that is now etched in granite.  Independents like me that advised my state's electoral votes be given to Obama were of course ignored in Utah.  But that isn't what disturbed me.  It was that the Democratic party didn't give us an inkling that somebody else other than Hillary was even considering running.  So I sat down and wrote a snail mail letter that will be sent to the Utah Democratic headquarters.  Basically I was concerned that they were being too quiet about other potential presidential hopefuls.  When I saw only 100 or so replies in the Guardian on the last announcement I knew she was toast.  The letter will be sent shortly but I discovered on Saturday (2015-04-11) that the Rhode Island governor was considering entering the race.  I encourage the Democratic party to never do this again.  By having nobody but one person the foregone conclusion is that is their only candidate.  It makes it look like the fix is in.  Next time, even if they have just a few other people considering, don't allow it to seem like there is just one candidate the party will have.  Will the way they did it kill them this time?  I don't know.  I know I go based on the best information at the time of the general election.

I wish I was actually voting for the President directly.  We needed to replace the electoral college system with a direct vote at least a hundred years ago.  It has stifled this country with two parties that, for now at least, both want to kill Edward Snowden.  He is not a traitor nor is he my hero.  But I do thank him for exposing the corruption and law breaking of the NSA, CIA, FBI, and from the looks of it even now the Federal Marshals' office.  As usual, I hope to add nothing more to this blog entry.
