Adam Caudill

Independent Security Researcher & Software Developer

On the Underhanded Crypto Contest

On August 15th of last year I asked if anybody would be interested in a contest for the best, most evil underhanded crypto techniques — the response was clear, and less than a month later I announced the creation of the contest.

Before I go any further, the contest simply wouldn’t have been possible without the huge effort by Taylor Hornby to help organize, coordinate and communicate. I couldn’t have asked for a better co-organizer for this event.

Just over six months after the announcement, yesterday we finally announced the winners (only two months later than planned).

The winners, and really all of those that entered, put an amazing amount of effort into it. The entries were fantastic, and quite honestly a few people found them a bit scary - simple, subtle, effective. This is exactly what we wanted though.

The goal of the contest, and the driving reason that we required the submissions be under an open license, was to provide researchers, developers, and reviewers with better insight into how these flaws can be introduced — and hopefully how to detect them.

Based on the comments we’ve received on the winners, I think this will certainly show how subtle these attacks can be. It’s our hope that this turns into a valuable training resource for the community, and will lead to fewer backdoors — intentional or otherwise.

We are discussing plans for the next Underhanded Crypto Contest now, and we’ll be announcing something soon.

The Evolution of Paranoia

That researchers from Kaspersky Lab uncovered malware that uses hard-drive firmware has now been thoroughly discussed — perhaps too much for some people. It’s not exactly Earth-shattering news either; the idea has been discussed for years, and has been publicly demonstrated. Brandon Wilson and I were even working on a proof of concept for SSD controllers to demonstrate this based on our BadUSB work.

This isn’t about that story, exactly. This is about paranoia, and how it has changed over the last few years — and even the last few months.

I was talking to Brandon Wilson about the implications of Kaspersky’s discovery, and how, or even if, you could ever trust your platform. When you could have malicious firmware in key system components — hard drive, USB devices (keyboard, mouse, etc.), USB hub — and possibly others (what about the GPU, or the webcam that’s in virtually all laptops?), how could you ever feel secure? How would you ever even know about it? Every device that has updatable firmware is a possible target, and far too few of them use any form of effective security to prevent malicious changes.

I pointed out that I buy all of my computers and key hardware from stores, I don’t have any of it delivered. Why? Interdiction.

If it has my name associated with it prior to being in my hands, how do I know that it’s not been tampered with? Prior to Edward Snowden, I would have said that it was paranoid, that taking such precautions was at best a waste of time and at worst a sign of delusion. Today? If you are working in a field where you could have useful information, it seems quite reasonable. Paranoia has evolved, it has changed, what was once unreasonable is now prudent.

It was of course known that such things were possible before Snowden, but the scale was unknown — and of course NSA and the FBI aren’t the only threats; if they are doing something, you can bet they are far from alone. When that Lenovo laptop was shipped from China, do you really think that the Chinese Government wouldn’t take that chance to step in to gather some extra information? Launch-day iPhones have been shipped directly from China, and there are so many other examples. If NSA can tamper with a shipment, so can any country that has even temporary access to a package; if it’s on their land, they can attack it.

The focus has been on what NSA does, but the information should be used not as a way to attack NSA, but to get insight into the global threats that everybody who could be of interest faces. It’s important to remember that they don’t just target terrorists.

I recently had a person contact me, concerned that a device she had was compromised — while I could tell her that unless she was attracting attention from a major player she was likely safe, I couldn’t tell her that she actually was safe, or anything she could do to ensure that nothing was infected. As these techniques spread to more common attackers, the risk that average people will be targeted grows dramatically. Attacks not only get better over time, they become more widespread. From repressive regimes that outsource their attacks, to poorly supervised local law enforcement, to common malware — it’s only a matter of time.

Defending against these attacks, without major changes from device manufacturers, is at best a nightmare; at worst, impossible. I have repeatedly called out USB controller manufacturers to secure their devices, as that’s the only way that BadUSB can be truly fixed. The same needs to be said for so many other device types — it’s up to device manufacturers to secure their products.

The Chain of Trust

For any system to be secure, there must be trust at some point, which can then ensure that later layers are correct and untampered. By attacking firmware, the chain is defeated at its first link — attack the hardware at the lowest level, and nothing that comes later, including the operating system, can truly be trusted.

The more important impact though is not technical, but psychological. If a person doesn’t know what they can or can’t trust, they start to fear everything. For NSA, GCHQ, and countless other agencies in the same business, this is good news — if people can’t trust their computers or their phones, they will turn to less secure means of communication. This is also extremely bad for consumers, business, and investors — as these tools can be used not just to go after government selected targets (legitimate or otherwise), but for profit, for blackmail, for revenge, or just for a thrill.

Targets

While the public focus of NSA is to combat terrorists, it’s been well documented that their targets go far beyond that — researchers, IT staff, business executives, you name it. Yet, I’m a citizen of the United States, and as such, I shouldn’t be a potential target for them (give or take being caught up because of people I know in other countries). Is that the end of the risk for me? No, not by a long shot.

While the Five Eyes countries share intelligence, they don’t share restrictions on who they can spy on. For GCHQ, whether I’m a citizen of the United States or of Afghanistan makes no difference, I’m a valid target under their laws. Canada, Germany, Russia, China, Taiwan — I’m not protected under their laws, if they think I could have interesting information, or access to interesting information, on any topic, I could be a target. So could you. What information do you have access to, who do you know, and what information could they have access to?

If you work in security, development, IT, telecom — that could mean that you have access to some information that some country would like to have. Is that paranoia? A few years ago, some would say yes — now that we have a better insight into the scope and scale of intelligence activities, we know it’s simply reality.

Personal Threat Models

I have long encouraged people to have a personal threat model — what are your realistic threats? When talking to others, keep in mind that their threat model may be different from yours, and things you see as being paranoid could be quite prudent for them, due to the different risks they face.

For me, to be honest, I’m not that interesting to a foreign power — if anything, trading emails with Glenn Greenwald and trading tweets with people like the grugq has done more to make me a target than any professional activity. The information I can access because of my job is somewhat interesting, and is certainly of value — but more to the Russian Mob than to a foreign government. I pay attention to who I talk to, to what I make public, to what my accounts have access to, so I know what my risks are.

If you work for a more interesting company, or are engaged in research that could be useful, or even just know people that could be more interesting than you, your threats could be completely different. Of course, you also have to factor in location — if you are outside of the US and work for a company that could have interesting information, then your threats may be far more complex.

Defining the line between reasonable and paranoid is harder than ever, and may vary from person to person.

Religion, Free Speech & Freedom From Offense

When I was a teenager I worked as a photojournalist, and through that experience I learned just how important it is that the public, and the press in particular, be able to speak openly, freely, and without restriction.

I also learned how important discretion is — I routinely worked events where people died, those people had families and they would see the photographs that documented the end of a life. Photos chosen for publishing had to be carefully picked, making the wrong choice could offend some, and truly hurt others. I saw people break down and cry when seeing photos I took — I saw the results of brash carelessness on families that were already hurting, already devastated.

I once was tasked with documenting a hate crime — a black effigy hung from a tree, followed shortly thereafter by a body found in a river — hands bound, and clearly related. People were scared, the mock hanging was a warning, and the body found proved that the threat was real. What gets shown and what doesn’t in cases like this is a very difficult choice. On one hand you risk offending and inciting fear — maybe even panic; on the other, you withhold useful information, stifle discussion, and risk leaving the truth sitting in a box, hidden from the world.

For all of the bad, there was also good — lives changed, hard questions asked, reforms enacted, true change made. This wasn’t done without stepping on toes though, hard decisions had to be made to find the right balance.

Making people comfortable is easy — give them what they want and no more. To make people think though, requires making them uncomfortable, requires pushing them outside of their comfort zone — and occasionally, offending them.

The attack on Charlie Hebdo

I firmly believe that journalism, legitimate journalism, is among the most critical tasks in a free society. Shining a light on the good and the bad — the eyes and ears of the people, too often the last chance for justice. When questions can’t be asked, when public figures are put beyond satire and debate, when some topics are unquestionably untouchable, then freedom dies. Slowly at first, then the line inches ever forward until the press is nothing but a mouthpiece for their puppet masters, feeding the public little more than entertainment - no challenges, no discomfort, no-thought-required entertainment.

Charlie Hebdo made a habit of making people uncomfortable — they attacked everyone and everything in power, they left nothing untouched. In doing so they offended almost everyone — some got mad and stomped away; others took it as a chance to reflect, not only on the statement, but their own reactions, feelings, and beliefs; a few though decided that they needed to die for it.

Those at Charlie Hebdo worked despite threats and attacks, they continued in the face of danger. Every issue published was an act of bravery — sometimes tasteless, sometimes wantonly offensive, but still an act of bravery.

In an effort to silence the criticism of their preferred historical figure, a small group following an extreme and radical interpretation of a religion took it upon themselves to silence journalists and artists by force. The goal though, went far beyond Charlie Hebdo — the attack was meant to send a wave of fear and terror throughout the world and leave journalists too afraid to say anything, or risk a similar fate.

In the hours after the attack, there were clear indications that the extremists that sought to censor the world may have actually achieved that goal. Publications around the world censored the cartoons of Charlie Hebdo, an act I consider to be cowardice, and willing, knowing capitulation. In the face of danger, some will choose to be brave and stand for what they believe — others will abandon what they believe readily when faced with the threat, or even the idea, of danger.

Nothing is beyond ridicule, no person above satire — not political leaders, not Muhammad, not Jesus, not Zoroaster, not Zeus, not Ra, not Utu.

#JeSuisCharlie

Robert Graham posted an image on Twitter that immediately gave me mixed feelings; I agreed and disagreed all at the same time. On one hand, the image is the very definition of satire — it’s a strong point on the perception that these religious extremists are leaving many with. On the other hand, it could further inflame the situation, insulting some and adding more energy to those that have shown they will not be subject to rational thought. It was also an act of defiance, a statement that he would not be censored, and a recommendation that others should follow his example and show that the world will not allow a group of extremists to define what’s acceptable.

For those that are offended by this image, I’m sorry that you feel as you do — though I will offer no apology for posting it. Offending for the sake of offense should be avoided — and is an act I disagree with, offending for the sake of making a point though, is sometimes necessary.

The point here is clear — irrational extremists are acting in unimaginable violence against those that they disagree with, and in doing so, branding the religion as one of violence and hate. This is a fact that everyone needs to understand.

Religious Violence

Violence and religion have gone hand in hand throughout recorded history. Christianity has mostly moved away from violence and many of its ancient prejudices (though certainly not all) — something Islam is still struggling with, based on the extreme views and actions of not only terrorist organizations, but governments.

While extremists have done much to harm Islam, there seems to be a pervasive penchant for violence among the more ‘conservative’ Islamic countries — this acceptance of violence and frequent perversions of justice have also done much to make the world question the Islamic commitment to peace.

For me, as an atheist, knowing that there are thirteen Islamic countries where I could be put to death for my lack of faith certainly makes me question just how much peace factors into Islamic views.

While most Muslims are peaceful, the large numbers that espouse peace through forced conformity and violence taint the view of the entire religion.

Freedom from Offense

One of the most bizarre and damaging perversions on the innate right to free speech, is that there is an implied inverse right to not be exposed to anything offensive. Yet this fictitious right to not be offended is antithetical to freedom of speech - you can have only one of the two.

A right to not be offended is a personal right that would trump the rights of all others — freedom of speech does not imply that anyone must listen, only that you have the right to speak. A right to not be offended would require others to not speak if you didn’t like what they had to say. Such a right is a logical impossibility — if we accept that there is truly an innate right to free speech, then there is no overriding inverse.

So the reality is simple — there are times when, to preserve the critical and innate right to free speech, some will be offended.

One challenge for a journalist is to effectively get across a message that challenges without offending more than absolutely necessary. I can’t say if Charlie Hebdo crossed that line, but even if they did, they were within their rights.

All Speech Has Value

One final note, inspired by a friend, is that all speech — from the inane and ignorant to true hate speech can have some value. It provides insight, understanding, and perspective that would be missed otherwise.

For those that don’t share perspective with the speaker, such speech that many consider worthless can be a learning experience. You may never agree with them, but at least you can better understand them, and that may lead to clarity.

Embrace the speech that you disagree with and better understand the people behind a perspective that is new to you — it’s a chance to expand your mind, and maybe even bridge a gap and create new understanding.

Utopia Found; Utopia Lost

Sometime in the 1990’s I used a 2400-baud modem and connected to the internet for the first time; I found a new world, a better world. A world where ideas and intellect set people apart, not skin color, or political affiliation, or even the pseudo-scandal of the day (which is probably just a disguise for ignorance and intolerance).

It was a time of invention, in a world where everything was new and the potential was unlimited. It was magic - not the fake Hollywood magic, but real, life changing, nothing can hold you back magic. The only real restriction was your own mind (and maybe your long-distance bill).

Before too long I ran across a short essay that reinforced my view of the internet, and my philosophy towards people in general - The Conscience of a Hacker. While it resonated with me at the time, as it reflected my life so well, it was one small passage that really mattered to me:

We exist without skin color, without nationality, without religious bias… and you call us criminals.

Loyd Blankenship, The Conscience of a Hacker

One simple line, yet such a profound statement. The internet I grew to love was a different world — national borders meant nothing, the freedom to speak your mind was simply assumed for all without question. Governments didn’t understand it well enough to care, and so it was ignored. A different kind of society was allowed to evolve — a society that valued people and intelligence greater than political or religious affiliation. A society where anyone, even a poor kid from the middle of nowhere could have a real impact on the world.

There was of course conflict, and egos, and the ever increasing encroachment of money that would change everything; but in general, it was good — better than any nation I was aware of.

Utopia Lost

Today, Solar Designer was commenting on Intel shutting down certain Russian-language content due to a rather horrible Russian law:

Most people and most countries are their own worst enemies…

From the early, government ignored days of the internet, certain rights were assumed for all users — it was never written, but at the time it seemed that the internet was beyond any one government. It belonged to humanity, it was for the people. Of course, looking at the history of the internet, this is somewhat amusing, but it’s the way many felt, and it seems many still do.

Freedom of speech, freedom to speak anonymously, and so many others were granted by the internet to people that in the past had never had them. This great invention, this great network of people, had become the greatest tool of equality ever. Such things seem doomed.

As Solar pointed out - countries are their own worst enemies - in this case a horrible law is not only impacting freedom of speech, but also, to avoid the complications it introduces (and other similar laws recently enacted), companies are pulling out of Russia or disabling functionality for Russian users. So the Russian people lose, the economy is impacted, everybody loses something when such mistakes are made.

Of course, this is far from a unique case — the old internet, the free, open, good for humanity internet is all but dead. It’s been a long time since governments discovered what they had ignored for so long, and that an international bastion of freedom had formed under their noses.

Censorship becomes more pervasive every day, the monitoring by the FIVE EYES countries - and who knows who else - is so pervasive that one has to now assume that anything not (securely) encrypted is being seen and analyzed by many. Malware vendors grow rich, by leveraging the greatest invention in human history as a tool for repression and even death. In Russia, exercising an innate human right can send you to prison, in Syria, it can get you killed.

Complacency, subterfuge, infighting, and carelessness have allowed those with power and money to take more control than they ever should have. Groups like the MPAA are still busy pushing bad laws, trade treaty negotiations continue to risk further censorship, and anti-terror laws are increasingly being aimed at online speech instead of legitimate threats.

The internet I fell in love with was a bastion of freedom. May it long be defended, even if all that’s left is the memory, and the idea of what it could again become.

2014: Year in Review

Inspired by a post from Scott Arciszewski, I’ve decided to go ahead and publish a year in review post. This is something that I’ve generally avoided in the past, as the tone of these posts is more often than not, just cynicism and negativity. After seeing Scott’s post, it made me think about how such a review can be used to send a positive message — something desperately needed.

Year after year, we see predictions, projections, and sales pitches — and the cynical responses that they always generate. It’s so easy to spend time rolling our eyes at vendors and media, instead of looking forward to ways to improve the situation and make the world a better place — even if only in a tiny way. We may not be able to fix the stupid, but we can at least reduce the damage that it does.

2014 In Review

So, without further ado, a personal look back at 2014.

Security Research & Related

Overall this has been a very busy year, and I’ve not been able to publish as much as I’d like. In total, I requested only a single CVE for the entire year - CVE-2014-2890 (I don’t keep a count of how many security related tickets I open, so no idea how many issues I actually reported).

Most of my time was instead spent on a couple projects - SMIMP and Psychson (BadUSB firmware). I’ll talk more about these later.

I wasn’t able to spend as much time on public application security work as I had intended, but I did get some reports in, some advice given, some progress made.

Speaking

In 2014 I was fortunate to be asked to speak on a few occasions. When preparing for a talk, I always have mixed emotions — on one hand, it’s always been a great experience, a chance to meet new people, share knowledge, and hopefully contribute to the community. On the other hand, it’s a significant amount of time that is lost — and time is without a doubt my most limited resource.

Whether it makes sense or not, I generally don’t give the same talk twice — especially if the event is recorded. So for each talk, it’s a real time & energy commitment. I very much hope that those that have seen my talks appreciated them, and got something out of them.

Here is some information from selected talks:

Personal

Personally, this has been a particularly trying year for me, for various reasons. I have, as I always do, made a real effort to not show what’s going on when things go wrong. So, for all my friends, and everyone else for that matter — if there were times I was distant or difficult, or evasive — I am truly sorry.

With that said, the year could have been far worse, and I’m incredibly grateful for all the friends I have — old and new. It was a busy year, with much going on and never enough time to make everything that needed to happen, actually happen.

Projects

During the year, much of my time was taken up by a couple projects — here is where they stand today:

SMIMP - Without a doubt the most ambitious project I’ve worked on, with a goal no less than replacing email itself. The first public draft was released in late July — and unfortunately remains basically untouched since then.

Shortly before I released the first public draft, a start-up tried to acquire the rights, so they could develop it, and build their own applications around it. By the time that I told them that I was more interested in making the specification public, they had offered me a position as co-founder in exchange for it.

This project took a substantial amount of time to get to a first draft — and really, it isn’t complete yet. Given the original goal of the project, leaving it with open issues really doesn’t bother me — that many more points to talk about.

The original plan for the effort was to spur discussion, to get people talking about how email could be replaced. To be secure, a system must be designed with certain goals and threats in mind - something that didn’t happen with email as we know it today. So to fix email, we need to replace it. SMIMP may not be the answer, but we need to do something.

Overall, though there was some positive feedback, I consider the project to be a failure. I’m proud of the work I did on it, but it didn’t have the desired effect.

Psychson (BadUSB Firmware) - Without a doubt the work that had the most people talking. It was a fun project, we managed to get some code in the hands of those that wanted to extend it.

It’s over, and I’m glad it’s over.

Blog - This blog has also been a bit less active than I hoped — 16 posts with a total of 18,040 words. I’m pretty sure last year I said I’d blog more. Oops.

My First Novel - A couple years ago I started occasionally working on an idea for a novel; this year, I set aside what I had been doing, and started fresh (but still based on the same material). My goal was to finish it this year, but there simply wasn’t enough time.

Writing is something that I have yet to determine if I’m actually good at - or if I just limp along enough for others to tolerate. While I could write a technical book with confidence, writing fiction is something that, quite intentionally, pushes what I’m comfortable with.

Making the time and finding the focus for something like this is certainly more difficult than I had imagined. I’ve come to understand why so many writers drink.

Overall

I have to say, I love the communities that I work with. I love that I get to deal with challenging problems. I love that I get to find solutions and make them work. But most of all, I’m thankful for so many friends and great people that make this work truly enjoyable.

Looking forward to 2015

I have a number of goals for 2015, a number of projects that need my attention, and ideas to make the world just a little bit better.

  • SMIMP - While I feel that the project generally failed, there doesn’t seem to be much movement in the let’s-kill-email space, so I don’t think it’s dead quite yet. There just might be another chance to get people talking about a real solution.
  • CurveLock - An open source, secure, modern encryption application. This is mainly an experiment - but the goal is to provide high security, in a simple, easy to use application. Hopefully will get a beta out before too long.
  • EncryptingCamera - Prompted by a conversation on Twitter, a few people got together to make a new application that will hopefully protect a few reporters — and others that need to take photos, and secure them from inspection.
  • Blog - Last time that I promised to blog more often, I didn’t post again for months, so I’m hoping that I don’t repeat that this time. But I promise to write more, and do my best to keep the content interesting.
  • Personal Transparency - I’ve always been very concerned with my professional image, and as such tend to keep many details of my life to myself. One personal goal for this year is to be just a bit more open and transparent.
  • Novel - I intend to have either a deal signed with a publisher, or to publish as an ebook on Amazon before the end of 2015. One way or the other, I’ll be done with it by the end of the year.
  • Research - I plan on spending more time evaluating open source applications for security issues. In just a few hours a week, one can have a real impact on making applications and users more secure.
  • Open Source Security Tools - I hope to dedicate a reasonable amount of time on new and existing tools to make users more secure, especially when it comes to secure communication. PGP/GPG hasn’t aged well - tools like reop have a lot of technical potential, but usability still needs to be improved.
  • More time outside of the echo chamber - It’s easy to stay inside of the echo chamber, agreeing with ourselves (or disagreeing), but what good does it really do? To have a real impact, we need to spend more time influencing the people that need our help the most.
  • Consume less, create more - In general, consume less and create more — time is a precious and limited resource, and should be used to do as much good as possible.

Oh, and one final note for next year - my wife and I are expecting again. Should be an exciting year.