Crypto Crisis: Fear over Freedom

Yesterday, President Obama spoke at SXSW on topics including the oft-discussed fight between Apple and the FBI – what he called for, while more thoughtful than some of the other comments that we have been hearing from Washington, was still tragically misinformed. He repeated the call for a compromise, and by compromise, he meant backdoors.

Here, I feel I must paraphrase one of my favorite authors to properly express the magnitude of what’s being discussed here:

Tell me, ‘friend’, when did the United States abandon reason for madness?!

Cryptography is critical in every aspect of modern life – from shopping to protecting national secrets, from medical devices to the phones that diplomats use, from your home router to the infrastructure that powers global communication. Cryptography is ubiquitous and essential to keep everyone from foreign powers to bored teenagers from wreaking unimaginable havoc. And world leaders are proposing that we replace real security with a TSA-style show that looks secure, but isn’t actually effective (beyond providing a false sense of security).

Mr. President

In one simple statement, he made his position perfectly clear:

[T]here has to be some concession to the need to be able to get into that information somehow.

This is, quite honestly, a binary issue: a backdoor is present or it isn’t. There’s no partial backdoor, there is no technology that only allows access to the backdoor if there’s a court order, and there’s no technology to ensure that the backdoor isn’t abused. You have a backdoor, or you don’t. That simple.

He did acknowledge some of the issues here:

So we’re concerned about privacy. We don’t want government to be looking through everybody’s phones willy-nilly, without any kind of oversight or probable cause or a clear sense that it’s targeted who might be a wrongdoer.

What makes it even more complicated is that we also want really strong encryption. Because part of us preventing terrorism or preventing people from disrupting the financial system or our air traffic control system or a whole other set of systems that are increasingly digitalized is that hackers, state or non-state, can just get in there and mess them up.

It’s good that he understands that strong cryptography is critical, but that doesn’t stop him from saying that backdoors must be added. Like so many that aren’t familiar with how these technologies actually work, he is hoping that some new value between True and False will be found – that you can somehow have a backdoor, but control it. Unfortunately for him, or perhaps for everyone if he gets his way, there is no ItDepends value sitting between those two.

There is some sign that he has heard the reality of the situation, and states it fairly clearly:

Now, what folks who are on the encryption side will argue, is that any key, whatsoever, even if it starts off as just being directed at one device, could end up being used on every device. That’s just the nature of these systems. That is a technical question. I am not a software engineer. It is, I think, technically true […]

This should have been the end of the discussion: if you add a backdoor, it can be abused. But it wasn’t. He acknowledges that the kind of magical backdoor that the government wants isn’t possible, and then goes on to repeat that there has to be compromise, there has to be a way for the government to access data, there have to be backdoors:

My conclusion so far is that you cannot take an absolutist view on this. So if your argument is “strong encryption no matter what, and we can and should in fact create black boxes,” that, I think, does not strike the kind of balance that we have lived with for 200, 300 years. And it’s fetishizing our phones above every other value. And that can’t be the right answer.

Looking forward…

Let us assume for a moment that the US Government gets what it wants, what does that mean, how does that impact the US and the rest of the world?

We are being watched.

From the beginning of the case, officials from other governments have chimed in to support the FBI – it’s clear that governments around the globe are waiting to see what happens here. Apple has offices in several countries; it is not only possible, but likely, that those governments would serve Apple with sealed orders to provide them with access to the backdoor, for their own use.

Based on the same decision, Microsoft could be forced to add a backdoor to BitLocker, to allow government access to encrypted desktops and laptops. If you want to actually encrypt your device, there’s always VeraCrypt (they are based in France, so maybe not). This also raises serious questions around things like LUKS – could US-based developers even be allowed to contribute to it?

Economic impact.

If backdoors are mandated, it would become impossible to recommend any product made by a company with offices in the US – to do so would be unethical, as the security would be known to be compromised. For any organization that is interested in the security of their systems, the logical option would be to look for solutions in other parts of the world, avoiding anything coming from the US. This leads to a very unfortunate outcome – to remain competitive globally, it would be in the best interest of US-based technology companies to move their offices out of the country.

Unknown threats.

There aren’t many people who are able to build effective backdoors; the crypto community is fairly small, and only a small percentage of that group is capable of building a backdoor that wouldn’t be an immediate disaster (though still likely a disaster in the long-term). This leads to two possible outcomes:

  • Backdoors are built by people who don’t know what they are doing, and open systems immediately to attackers.
  • Backdoors are contracted out to a very small number of consulting firms, making them a huge target for attacks.

Either way, you end up in a situation where you, whether a consumer, a corporate buyer, or a consultant, have no way of knowing any of the following:

  • How well was the backdoor designed? Is it only obscurity that protects it? Will it be broken once reviewed by the crypto community?
  • How is access to the backdoor restricted?
  • How many people have access? The developers could have maintained copies, an employee could have walked out with a copy before being fired, an attacker could have targeted the developers to steal a copy – this goes on and on.
  • How many organizations have access? If a consultant was brought in to develop the backdoor, did they keep a copy?
  • How many governments have access? The reasonable assumption would have to be that every country that the company has offices in, has requested a copy.

I suspect that the answer is going to come down to how do we create a system where the encryption is as strong as possible. The key is as secure as possible. It is accessible by the smallest number of people possible for a subset of issues that we agree are important.

Secure as possible, except against the unknown list of people and various governments that have access to the backdoor. That isn’t security, and isn’t in the long-term interest of anyone.

PL/SQL Developer: Nonexistent Encryption

PL/SQL Developer by Allround Automations has an option to store the user’s logon history with passwords – the passwords are encrypted with a proprietary algorithm. At this point, you should know how this is going to go.

For those that don’t know, PL/SQL Developer is a tool for developers and database administrators to access Oracle – an essential tool in many enterprise environments. Instead of using something that provides some actual security like DPAPI (which itself is far from perfect, as we saw with the UPEK fiasco), they opted to use a proprietary “encryption” algorithm to protect these passwords – making it trivial to recover the passwords for any attacker that can access the preferences file(s).

Some time ago I asked the vendor about the security of the password storage – they are aware of the lack of security, but don’t make it clear to their customers.

That they are aware it isn’t secure, yet the issue has existed for years and they have never made clear to users what they are risking by activating the option, is extremely disappointing. Vendors have a responsibility to protect customer information, and broken features like this completely ignore that.

The Algorithm

The encryption algorithm is quite simple, primarily consisting of a bit shift and xor – let’s take a closer look at how it works. The ciphertext produced looks like this:

273645624572423045763066456443024120413041724566408044424900...

The first group of four digits (2736) is the key – it’s generated based on the system uptime, producing an integer between 0 and 999, to which 2,000 is added. This means that the key has 1,000 possible values, or just under 10 bits. Of course, when you store the key with the encrypted data, key size really doesn’t matter.

After the key at the beginning, each group of four digits represents one byte – this simple code is all that’s needed to encrypt:

When you encrypt the string user/password@server, here’s what the encrypted data breaks down to:

  • 2736 = Key
  • 4562 = u
  • 4572 = s
  • 4230 = e
  • 4576 = r
  • 3066 = /
  • 4564 = p
  • 4302 = a
  • 4120 = s
  • 4130 = s
  • 4172 = w
  • 4566 = o
  • 4080 = r
  • 4442 = d
  • 4900 = @
  • 4190 = s
  • 4328 = e
  • 4194 = r
  • 4076 = v
  • 4390 = e
  • 4160 = r

The Data

The login information is stored in an INI-like file called user.prefs – under the headings of [LogonHistory] and [CurrentConnections]; storage of passwords is an option that is turned off by default, though storage of history is turned on by default. All data stored in these sections is encrypted using this method, so the presence of data in these sections does not necessarily mean that passwords are present.

These files can be stored in a number of locations (the latter are more common with older versions of the application):

  • C:\Users\<username>\AppData\Roaming\PLSQL Developer\Preferences\<username>\
  • C:\Program Files\PLSQL Developer\Preferences\<username>\
  • C:\Program Files (x86)\PLSQL Developer\Preferences\<username>\

The data format for the two sections is somewhat different. In [LogonHistory], the data is in the following format:

<username>/<password>@<server>

In [CurrentConnections], the format is <username>,<password>,<server>,,,; the login can also be stored in C:\Users\<username>\AppData\Roaming\PLSQL Developer\PLS-Recovery\*.cfg, in this same format.

This encryption method is also used in other files, though in less predictable locations.
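As an added example (not the released proof-of-concept tool and not the vendor’s code), the following Python reconstructs the scheme from the breakdown in The Algorithm and applies it to the two record formats just described. The per-byte formula (shift by four, XOR with the key plus ten times the 1-based position, add 1,000) is an assumption derived by checking every group listed above, the one-ciphertext-per-line layout of user.prefs is assumed, and the sample file is constructed.

```python
import re

# Reconstructed from the article's breakdown: the i-th character (1-based) is
# stored as ((ord(c) << 4) ^ (key + 10 * i)) + 1000, after the 4-digit key.
# The key travels with the data, so whoever can read the file can reverse it.

# The ciphertext the article breaks down (key 2736, plaintext user/password@server).
ARTICLE_CIPHERTEXT = (
    "27364562457242304576306645644302412041304172456640804442"
    "4900419043284194407643904160"
)


def decrypt(ciphertext: str) -> str:
    """Strip the key, then undo the +1000 offset, the XOR and the shift."""
    if len(ciphertext) < 4 or len(ciphertext) % 4 or not ciphertext.isdigit():
        raise ValueError("expected a 4-digit key followed by 4-digit groups")
    key = int(ciphertext[:4])
    out = []
    for i in range(1, len(ciphertext) // 4):
        group = int(ciphertext[4 * i:4 * i + 4])
        out.append(chr(((group - 1000) ^ (key + 10 * i)) >> 4))
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """Forward direction, for round-trip checks. The product derives the key
    from uptime (2000..2999); here the caller supplies it, so nothing is random."""
    if not 2000 <= key <= 2999:
        raise ValueError("key must be in 2000..2999")
    groups = ["%04d" % key]
    for i, c in enumerate(plaintext, start=1):
        value = ((ord(c) << 4) ^ (key + 10 * i)) + 1000
        if not 1000 <= value <= 9999:  # only single-byte characters fit a group
            raise ValueError("character %r does not fit the encoding" % c)
        groups.append("%04d" % value)
    return "".join(groups)


def parse_logon_history(entry: str) -> dict:
    """[LogonHistory] stores <username>/<password>@<server>; when password
    storage is off the password part is assumed to be absent."""
    m = re.match(r"^([^/@]*)(?:/(.*))?@([^@]*)$", entry)
    if not m:
        raise ValueError("not a LogonHistory entry: %r" % entry)
    return {"user": m.group(1), "password": m.group(2) or "", "server": m.group(3)}


def parse_current_connection(entry: str) -> dict:
    """[CurrentConnections] stores <username>,<password>,<server>,,, ."""
    parts = entry.split(",")
    if len(parts) < 3:
        raise ValueError("not a CurrentConnections entry: %r" % entry)
    return {"user": parts[0], "password": parts[1], "server": parts[2]}


def audit_prefs(text: str) -> list:
    """Walk an INI-like user.prefs body and decode the two sections the article
    names, flagging which entries actually carry a password. One ciphertext per
    line is assumed (a trailing 'name=ciphertext' form is accepted as well)."""
    decoders = {"LogonHistory": parse_logon_history,
                "CurrentConnections": parse_current_connection}
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        if section in decoders:
            record = decoders[section](decrypt(line.rsplit("=", 1)[-1]))
            record["section"] = section
            record["has_password"] = bool(record["password"])
            found.append(record)
    return found


# Constructed sample file (not a real user.prefs): the article's ciphertext
# plus two entries produced with encrypt() under fixed keys.
SAMPLE_PREFS = "\n".join([
    "[LogonHistory]",
    ARTICLE_CIPHERTEXT,
    encrypt("auditor@reporting", 2001),  # history kept without a password
    "",
    "[CurrentConnections]",
    encrypt("scott,s3cret,orcl,,,", 2500),
])

if __name__ == "__main__":
    for record in audit_prefs(SAMPLE_PREFS):
        print(record)
```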

The Proof of Concept

We have released a proof of concept tool to decrypt these logins, and as is typical, it’s open source. Simply run the executable from the command line, and it will search for the preference files and print any information it’s able to retrieve.

You can also pass in the name of a remote machine, and it will attempt to use the administrative (c$) share.

Credit

Special thanks to my frequent research partner, Brandon Wilson, for his help with this project.

Rance, Goodbye Friend

If you never had the opportunity to meet Rance, known as David Jones to some, you don’t know what a friend you missed. Today, you lost the chance to find out.

He was truly something special – one of the most genuine, kind, and caring people I’ve ever met. I met him at the first security conference I ever attended – while I had always been somewhat involved with security work, I really wasn’t a member of the community, I was an outsider, and every word I said, I was painfully aware of that. Rance knew I was an outsider, and he did everything he could to make me feel welcome – within a couple days I had been introduced to everyone, and he treated me like an old friend.

Had it not been for Rance, for his kindness to a stranger, I’m not sure I would have become so active in the community.

There are a thousand other stories like this, of him going above and beyond at every opportunity – anyone you talk to that knew him has something similar to say. He was truly something special, a one-of-a-kind person that made the community better for all.

Of all that has been said about him, this, I think, is the most important:

“New Atheism” & The Philosophy of Atheism

A recent (very) public fracas between Richard Dawkins and Glenn Greenwald (both people who I respect, though for rather different reasons) left me thinking about the direction that the “New Atheism” movement is taking, and where atheism itself should be going. Religion is a difficult topic to discuss, as it evokes such passion that you often move past logic into purely emotional discussions. Some atheists, unfortunately, are so zealous that they too lose sight of logical discourse.

Dawkins is unquestionably brilliant, his book, The God Delusion, had a profound impact on me – I was taught as a child that I should believe in a god, at age 5 I began asking hard questions and was told to just accept what I was told. Further, I was told that even thinking of such questions was a sin, much less actually asking them. I kept my mouth shut and my questions to myself; for years, while being prepared to become a minister, I said nothing. I was always an atheist, though I didn’t have the courage to say it. Reading The God Delusion didn’t change my views, but it did help me find the courage to admit the truth to myself.

New Atheism & Islamophobia

I couldn’t even begin to catalog all of the instances where the leaders of the New Atheism movement have been questioned on their anti-Muslim statements, and there is a goldmine of quotes that illustrate why:

“The idea that Islam is a ‘peaceful religion hijacked by extremists’ is a fantasy, and is now a particularly dangerous fantasy for Muslims to indulge”

Sam Harris, a founding member of the movement, has been especially outspoken on Islam; he has of course been critical of Christianity and other major religions, though his disdain for Islam and Muslims is clear:

“While the other major world religions have been fertile sources of intolerance, it is clear that the doctrine of Islam poses unique problems for the emergence of a global civilization.”

another gem:

“It should be of particular concern to us that the beliefs of devout Muslims pose a special problem for nuclear deterrence.”

What we see here is that one religion is being singled out, attacked with greater intensity, and its adherents being criticized in a far more direct and vicious way. There are countless examples, these were simply the first ones I came across; with a few minutes of searching, you can find some truly shocking statements from these leaders of what should be a purely intellectual movement.

How Harris defends such attacks is even more disappointing – when faced with legitimate criticism, a clear, logical, honest response should be the reaction. What we see from Harris is instead an attack, a distraction from the issue:

“There is no such thing as ‘Islamophobia.’ This is a term of propaganda designed to protect Islam from the forces of secularism by conflating all criticism of it with racism and xenophobia. And it is doing its job, because people like you have been taken in by it.”

I wish I could say this is ignorance, but I can’t – it’s dishonest at best; no one could look at the world and truly believe this statement. In the United States, the fear of Muslims is palpable; attacks, overt threats, and blatant racism are all becoming normal. In such a toxic atmosphere, there is no question that it is very real, and is ongoing. To feed such irrational fear is truly abhorrent.

Emotionalism vs. Intellectualism

Atheism, as a philosophy, is purely intellectual – it is applying the scientific method, evidence-based analysis, to one’s world view. It is rejecting the emotionalism that is so common with religion and focusing instead on logic. To do otherwise is to reject the core tenet that led to atheism – the factual analysis of existence.

New Atheism, on the other hand, has a zealous component that borders on the religious itself.

Dawkins has been criticized for this, for creating a religion of intellectual elitism; a religion that promotes the same zeal for conversion that drives the Evangelical Christians. The world view that he, and the other founders of the New Atheism movement, promote is simple:

All religion is evil.

That view though, is at best naïve, and at worst intentionally dishonest. Attempting to reduce the world to good or bad is a mistake that is common in religion – and their movement makes the same mistake. New Atheism assumes all religious people are evil, just as many religions have taught that all atheists were evil. At least the religious have started to correct this error; the Pope himself acknowledged that atheists can do good in the world.

I can say, with no uncertainty, that classifying all religious people, including the most devout, as evil (or ignorant, or naïve, etc.) is intellectually dishonest. If there is one sin in atheism, it’s intellectual dishonesty.

The world is not so simple as to allow this clean and clear division of good and bad – some atheists are bad, many religious people are good. Anything that inspires hate or intolerance should be treated and viewed with suspicion – over the last thousand years, both Christianity and Islam have inspired unspeakable hate and violence. Despite the harm done in the name of religion, it’s unfair to universally condemn the religious.

Religion & Hate

It is hard to think of any group that has been exempt from religious violence; racism, sexism, ethnocentrism, supremacism, and even nationalism have ties to religion – countless innocent people have died because they didn’t fit into a religious group’s view of what’s right. From sexual orientation to skin color, there is no shortage of reasons that some religious people use to justify their hate – many religious leaders fuel such hate as part of their recruiting process.

All of the major Abrahamic religions include hate and violence in their founding texts; there is an undeniable history of violence against outsiders. In Christianity for example, there is a great amount of hate and violence in the Old Testament; the New Testament teaches peace instead – though it is the Old Testament that is often used to justify violence. This ancient penchant for violence still haunts the world today.

There is good reason to believe that we should teach science, logic, and peace instead of religion – and I firmly believe that’s what we should do. When children are taught to look at a challenge with logic instead of fear, you move away from the emotional basis that leads to such hate and violence in the first place. There are those that naturally argue that religion teaches peace and love – but it also teaches vengeance, hate, and intolerance – primal emotions that are difficult to control and too often exploited.

Hijacking Atheism

As I have said, atheism is intellectual; there is no room for hate, for intolerance, for racism, for sexism – in an honest, fact-based, analysis, this type of discrimination is instantly seen for the wrong that it is. People are judged for their actions, for their deeds, for the impact they have – not which sex they are attracted to, not the color of their skin or eyes or hair, not the anatomical components they do or don’t have. Critically, especially to this discussion, the same thing applies to titles – it is entirely unfair to judge a person based on them being called a Christian, Muslim, Jew, or any other religious designation.

“New Atheism” does just this, it attacks religion, and those that hold religious beliefs – this is a violation of fact-based analysis, it is intellectually dishonest, it is morally wrong.

I disagree with religion, but I have many religious friends – we have very open discussions on religion, we debate on legitimate points of philosophy and morality. I do not attack them because they hold religious views – I may attack the religion and illogical things that it teaches, but I never attack them.

The movement that is called “New Atheism” is, I believe, a religion itself; it has no deity, but is still a religion. It has coopted the term atheist to serve its own purposes. It has diverged from the roots of atheism to pursue a course of political and religious zealotry.

I respect Richard Dawkins, but I do not respect all of his beliefs.

Philosophy & Atheism

Modern atheism was born of the scientific method, of fact-based analysis; it eschewed the dogma of religion for the philosophy of secular humanism.

I am an atheist, and I wear it on my sleeve – literally. A symbol of atheism is tattooed on my arm for the world to see; it is a public statement that I reject religion and all the negative it inspires. I also do my best to be a good person; I expect no reward, I do not believe in heaven, but what I do believe is that we all have a duty to leave the world a better place than we found it. When I die, I hope that I will be remembered for doing more good than ill.

Promoting hate, promoting intolerance of any sort, is entirely incompatible with that goal – why should I fight religious people who aren’t doing harm? It simply isn’t logical. I will fight those that do harm; I will fight (and do fight, and have fought) those that espouse hate, for they are making the world worse for all. It is quite clear that there are some that operate under the banner of atheism who espouse hate, and they should be fought as well.

As an atheist, I believe in making the world a better place, I believe in being a good person that does good things. I believe in making up for the mistakes of the past, I believe in promoting peace as the most important need of humanity. I am not perfect, but I do try.

I respect Glenn Greenwald, and I do not agree with all of his beliefs – but it is clear that he was right to call out those that have coopted atheism and have allowed themselves to be consumed by emotionalism and hate.

We should promote peace, not hate.

2015: Year In Review

For the second year I am publishing a year-in-review – something I had generally avoided in the past, as the tone of these posts is typically just cynicism and negativity. Looking back at 2015, it wasn’t all positive (what year is?), but there was certainly some good, and there are great things to look forward to.

In a season filled with empty marketing pitches, worthless predictions, and pointless projections – it’s important to look at the good and avoid the cynicism overload that is all too common. As a community, there is a great deal of good that we can do, changes that can be made, lessons taught, and minds opened – it is critical that we focus on the good we can do, not all the negative that we encounter on the way.

2015 In Review

A brief, personal, and not entirely positive look back at 2015. It was a complicated year with a lot going on; some goals were exceeded, others missed completely. Lessons were learned, and progress was made.

Security Research & Related

Last year I said I would spend more time on research:

Research – I plan on spending more time evaluating open source applications for security issues. In just a few hours a week, I can have a real impact on making applications and users more secure.

How did I do? Well, I added only one CVE to my list (CVE-2015-8267) – so publicly, I didn’t publish much, though I did more privately. This work likely didn’t have as much of an impact as I had hoped, though there were some small quiet wins.

Speaking

I spent more time speaking, especially to developers. I spent quite a bit of time talking to developers about cryptography – it’s a topic that is complicated, hard to grasp, and has too little good documentation that tells developers what they need to do. A lot of time was put into this effort, but I truly believe that it made a real difference.

Security conferences, while important to me personally for the interaction with others that I don’t get to see often, took a backseat as I focused on developers. I still spoke at a couple, but less than last year.

A major accomplishment was BSides Knoxville; we had a great team, exceptional speakers, and an excellent team of volunteers that made it happen. Organizing a security conference is quite a bit of work, but is, without question, one of the things I am most proud of.

Personal

This year was certainly less trying than last year; from finances to stress levels, the year was better. In May, my wife and I had a daughter – Ava Marie:

There were issues though; in October, my wife and I separated after being married for seven years – we have remained friends, though she and our kids moved closer to her family, several hours away. While life has been less trying, other things have been quite difficult.

One of my goals for last year was to be more transparent:

Personal Transparency – I’ve always been very concerned with my professional image, and as such tend to keep many details of my life to myself. One personal goal for this year is to be just a bit more open and transparent.

There are some people who are very good at this; they can share intimate details of their life, I am not one of those people. I’ve attempted to share more, to be a more open person – I think I’ve failed at this. For example, a bit over a week ago I was in the hospital – a fact that very few people were aware of. It may just not be in me to be less guarded.

Projects

Various projects took up much of my available time this year; here’s a quick update on them:

SMIMP

The SMIMP project was a response to the failures of email security – trying to bolt security on to a protocol that has no concept of secrecy or privacy will never work. It was an interesting attempt at designing a from-scratch replacement to email, I enjoyed the effort. At this point, it’s a failed project and I don’t anticipate spending more time on it. There simply isn’t meaningful movement (in any direction) on finding a real fix for email.

I still have hope that something will happen, but we simply aren’t there yet.

CurveLock

CurveLock was an experimental high-security message and file encryption application for Windows. Simple, easy to use, and designed to be a bit paranoid when it comes to security level. A stable version was released; at this point the project is stable and usable.

EncryptingCamera

EncryptingCamera is an effort to create camera applications for popular mobile devices, that perform seamless encryption – ensuring that if a device is later stolen or seized, the photos on it can’t be accessed.

The idea was solid, but unfortunately due to limited time, the project has advanced little over the last year, though hopefully it still has a chance.

Blog

Blog – Last time that I promised to blog more often, I didn’t post again for months, so I’m hoping that I don’t repeat that this time. But I promise to write more, and do my best to keep the content interesting.

Last year I published 16 articles with 18,040 words – this year it was only 14,104 words. This is largely due to one issue: I published nothing between May and November. During this time, I didn’t get much writing done and my open source projects fell behind; as a matter of fact, with competing priorities, most things lost out. I’ve been working hard to turn this around.

In 2012 I moved to Octopress; I really liked that it was a static site and extremely fast (it withstood being at the top of Hacker News with less than 10% CPU) – what I didn’t like was the workflow. As time went on, it became more of a hindrance to writing than an aid. A few weeks ago, I switched back to WordPress – it may not be perfect, but the workflow is better. It’s far easier to write and update, especially when on a mobile device. Based on recent productivity, I think this change is working; more writing, and more updates to published content.

The Novel

Novel – I intend to have either a deal signed with a publisher, or to publish as an ebook on Amazon before the end of 2015. One way or the other, I’ll be done with it by the end of the year.

Nope. Completely missed that goal.

The novel is still a work in progress, I still haven’t talked to any publishers, but it’s making progress (as I find time). Writing fiction is certainly a challenge, but a rewarding one.

Looking forward to 2016

  • Blog – I’m trying to spend more time writing about current events, but only in cases where I can add real value to a topic. It’s easy to find high-level summaries of an event, such as the Juniper incident, so in that case I tried to provide useful insight. If I can’t add something over what you’d get at your average news site, I just won’t say anything.
  • Novel – I don’t know when it’ll be done, but I’m hoping to see it published sometime in 2016. Fingers crossed.
  • Research – Performing publishable research is important to me – it takes time, which is in limited supply, but still deserves the time it takes. I’m going to do my best to identify and report more issues (that can be publicly documented).
  • EncryptingCamera – There is still real value to this project, and I’m hoping to jumpstart it so we can get it released.
  • Escaping The Echo Chamber – One of my goals for 2015 was to spend time outside of the echo chamber; I think I did that and it made a difference. I plan on continuing this trend.
  • Open Source – Except for the time when I wasn’t getting anything done, I did more work on my projects, and others. Hopefully I can spend more time working on these projects next year.

Overall, the year was less productive than I had hoped, but it was a good year, and 2016 will be something special.