The New York Times reported this morning on a Federal government plan to put government-mandated back doors in all communications systems, including all encryption software. The Times said the Obama administration is drafting a law that would impose a new “mandate” that all communications services be “able to intercept and unscramble encrypted messages” — including ordering “[d]evelopers of software that enables peer-to-peer communication [to] redesign their service to allow interception”.

This is from September, 2010, two years and nine months before Snowden’s first leaks. Just change the date, change Skype to iPhone/Android and the NYT’s article could also be dusted off and recycled.

Recently, Verizon was caught tampering with its customer’s web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers’ data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.1

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco’s PIX/ASA firewall do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.

This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server2. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google’s Safer email transparency report and starttls.info are good resources for checking whether a particular provider does.

Several Standards for Email Encryption

The SMTP protocol, the underpinning of email, was not originally designed with security in mind. But people quickly started using it for everything from shopping lists and love letters to medical advice and investigative reporting, and soon realized their mail needed to be protected from prying eyes. In 1991, Phil Zimmerman implemented PGP, an end-to-end email encryption protocol that is still in use today. Adoption of PGP has been slow because of its highly technical interface and difficult key management. S/MIME, with similar properties as PGP, was developed in 1995. And in 2002, STARTTLS for email was defined by RFC 3207.

While PGP and S/MIME are end-to-end encryption, STARTTLS is server-to-server. That means that the body of an email protected with, e.g. PGP, can only be read by its intended recipient, while email protected with STARTTLS can be read by the owners of the sending server and the recipient server, plus anyone else who hacks or subpoenas access to those servers. However, STARTTLS has three big advantages: First, it protects important metadata (subject lines and To:/From/CC: fields) that PGP and S/MIME do not. Second, mail server operators can implement STARTTLS without requiring users to change their behavior at all. And third, a well-configured email server with STARTTLS can provide Forward Secrecy for emails. The two technologies are entirely compatible and reinforce each other. The most secure and private approach is to use PGP or S/MIME with a mail service that uses STARTTLS for server-to-server communication.

There are several weak points in the STARTTLS protocol, however. The first weakness is that the flag indicating that a server supports STARTTLS is not itself encrypted, and is therefore subject to tampering, which can prevent that server from establishing an encrypted connection. That type of tampering is exactly what we see today. EFF is working on a set of improvements to STARTTLS, called STARTTLS Everywhere, that will make server-to-server encryption more robust by requiring encryption for servers that are already known to support it.

It is important that ISPs immediately stop this unauthorized removal of their customers’ security measures. ISPs act as trusted gateways to the global Internet and it is a violation of that trust to intercept or modify client traffic, regardless of what protocol their customers are using. It is a double violation when such modification disables security measures their customers use to protect themselves.

Remember this? Well, Obama agrees with him. Surprise, surprise.

President Barack Obama said Friday that police and spies should not be locked out of encrypted smartphones and messaging apps, taking his first public stance in a simmering battle over private communications in the digital age.

Apple, Google and Facebook have introduced encrypted products in the past half year that the companies say they could not unscramble, even if faced with a search warrant. That’s prompted vocal complaints from spy chiefs, the Federal Bureau of Investigation and, this week, British Prime Minister David Cameron.

Obama’s comments came after two days of meetings with Cameron, and with the prime minister at his side.

…Obama must now choose between competing priorities: the security of private information, or the ability of law enforcement to gather intelligence, said Christopher Soghoian, principal technologist at the American Civil Liberties Union.

Earlier in his remarks Friday, the president talked about new efforts by Britain and the U.S. to fight hackers attacking private sector companies.

Encryption is a vital technology for all people to maintain their privacy and security. We cannot allow Spain to criminalize the use of basic digital security practices that are relied upon every day by users and corporations alike.
—  Jamie Tomasello, Tech Director at Access

Terrorists, hackers, and journalists. According to a recent Guardian article covering new Snowden documents, British spy agency GCHQ considers all of these individuals threats—various levels of threats, but threats nonetheless. One intelligence report goes so far as to say, “Of specific concern are ‘investigative journalists’ who specialise in defence-related exposés either for profit or what they deem to be of the public interest.”

The newspaper reports that GCHQ, in a test of their surveillance capabilities, vacuumed up emails of top journalists from organizations like BBC, Reuters, the Guardian, the New York Times, and the Washington Post. The spy agency harvested more than 70,000 emails in a ten-minute period through directly tapping a fiber-optic Internet cable. Though the reporters may not have been intentionally targeted, personal emails between journalists were among those collected, stored, and reviewed.

It shouldn’t need to be said, but journalists’ communications need to be safe from government hands. And yet, we see example after example of the British government going after this important check to power. (The US has done its fair share of targeting journalists as well.) The Guardian, for example, was forced by GCHQ to destroy their hard drives containing Snowden documents. That was soon after David Miranda, partner of journalist Glenn Greenwald, was detained and interrogated at Heathrow for nine hours. England has notoriously abused its surveillance laws to spy on journalists, prompting over 100 editors to sign a letter to the British prime minister calling for a stop to the spying and passage of a strong freedom of expression law.

Alongside a push for policy, however, we urge journalists to take up secure communication tools (and we even explain how!) that help thwart the effects of intrusive surveillance. Encrypted emails, chat, phone calls—these are basic steps to protect yourselves and your sources.

Ever used the TOR browser? Protected your e-mails? Been on a site whose URL starts with https ? (psst, you’re on one right now, look up) Well, if you’re in the UK I’ve got some bad news for you. The government wants their internet not just porn free, but encryption free.

Apparently David Cameron thinks privacy from external surveillance is something that only terrorists want and wishes to curtail the use of encryption in online communications. When asked about the idea Mayor of London, Boris Johnson replied:

"I’m not particularly interested in this civil liberties stuff when it comes to these people’s emails and mobile phone conversations." [x]

The problem with this being that you can’t know if someone is one of ‘these people’ until after you’ve rifled through their stuff. The only way they can see it’s encrypted is if they try to read it. 

This harkens back to the days when the NSA tried to have certain kinds of MATH designated as weaponry making it an illegal to talk about it without a license to be an arms dealer and government review.

All in all, it seems that the UK government is more than willing to put millions of people at real risk of identity theft and online fraud just so they can seem ‘tough on terror’. And of course any terrorist cells operating in the jurisdiction will immediately stop using encryption, because they’re very law-abiding folk, those terrorists.

Honan added: “My concern is that we would have politicians and others who don’t understand technology and the implications of the technology, bringing in laws or regulations that would be unenforceable and ineffective against the targets that they’re after.

“If you make certain encryption tools illegal, it’s not going to stop criminals or terrorists from using them. If you introduce backdoors or weaken encryption in certain tools or products, it’s just going to the legitimate tools or products that normal people use - and again the criminals or terrorists will use alternatives that can’t be regulated.”

Honan said: “Maybe part of the problem is that somebody needs to be seen to be doing something.

“If regulations or legislation is introduced to support that policy, then it’s succeeded. If no rules are brought in and an atrocity happens, people can raise up their hands and say ‘you know they used encrypted communications, that’s why this happened’.

From der Spiegel:

The Snowden documents reveal the encryption programs the NSA has succeeded in cracking, but, importantly, also the ones that are still likely to be secure. Although the documents are around two years old, experts consider it unlikely the agency’s digital spies have made much progress in cracking these technologies. “Properly implemented strong crypto systems are one of the few things that you can rely on,” Snowden said in June 2013, after fleeing to Hong Kong.

Truecrypt also apparently gave the NSA some heartache:

The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism — an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple — show that the NSA’s efforts appear to have been thwarted in these cases: “No decrypt available for this OTR message.” This shows that OTR at least sometimes makes communications impossible to read for the NSA.

Encryption Ban

So apparently the prime minister (David Cameron) wants to ban encryption in the UK after he gets re-elected. I think he just went full retard and even though he never was going to get my vote he just made it a lot harder on himself. In a way that works for me but I dread the thought of him staying on. A lot of citizens don’t understand what this means for them. I’m considering a petition if there is not one already. I really hate the UK government thinking they can push their citizens around and spy on them constantly. One nation under CCTV is not wrong.

youtube

FBI, CIA Terrified They Won’t Be Able to Spy on Your New Phone

Redacted Tonight with Lee Camp airs every Friday at 8pm EST on RT America and every episode can also be found on www.YouTube.com/RedactedTonight.