Encryption... or Self-Destruct

It's time for members of the Information Security community to stop hyper-ventilating over the election of Donald Trump and get back to work.

Many in the tech community, academics and journalists are quite liberal. Since the election they have engaged in speculation that borders on the inhalation of paint fumes over what the new President will do with the powers accumulated under the Obama administration. Instead of hysteria, the best thing to do is reflect on the flaws of past policy and try to guide the new Trump administration into some painful but obvious conclusions.

First, it is well worth noting that the current set of powers under Obama was started many decades ago by the Clinton administration.

Those powers grew from the early Clipper chip fiasco through the Bush administration with its mighty Patriot Act legislative over-reaction to the 9/11 attack. 

Despite promises made by Obama, the latest White House office holder increased his grip on surveillance without legislation through his pen and phone. Along the way we have had some real disasters.

First and foremost is the Juniper hack. The hack of Juniper communications equipment clearly started with the NSA under Obama. 

Their intentions were good... because by inserting a back-door into major commercial grade communications devices, the NSA could monitor financial transactions involving terrorist groups and nations such as Iran and North Korea. The hack was high-octane work in the world of coding - a carefully inserted thumb on the roulette wheel that generates the random numbers from which secret encryption keys are made.

The result, much like the roulette scene in Casablanca, was that the NSA could predict the secret code numbers and read all traffic going over these super-fast communications devices that linked banks around the world. The problem is: back-doors can't tell the difference between good guys and bad guys. 

Someone else discovered the NSA back-door and they changed the lock.

The Juniper exploit started out as something only a nation-state could use, because only nation-states have the capacity to monitor all the billions of messages crossing the main networks every day.

The morphed version created by the bad guys did not have that little problem. 

Not only did they change the lock with a new set of keys, they also introduced a way of actually logging into a specific network with the back door installed. 

This master lock enabled them to monitor traffic from a specific network without the expensive satellites, wiretaps and undersea cable plants that the US government used. They could change data and erase their tracks on the way out. They could steal billions, create fake transfers and disrupt the global financial network with a few keystrokes.

The story gets worse. 

The Juniper devices were also installed in the global stock markets, the communications grid, the electric grid, major defense contractors, the US government, law enforcement agencies - even inside the NSA itself. 

One has to wonder how many flash crashes were created, how many secrets were compromised, and how many people may have died because of an unseen hand clicking away in some distant land.

The Juniper back door became the cyber-equivalent of an extinction event. 

The hackers had so much power they could have brought America to its knees in a few hours. The hackers could shut down the US stock market, the banking system, the power grid and bring the government to a halt. They may not even have known of their super-powers, since the hacked code managed to slip its way into the Department of Homeland Security, Lockheed, all the major banks and the NY Stock Exchange.

If anyone in government ever tells you that they can keep back doors safe from bad guys just say two words to them: Edward Snowden. 

If Snowden could walk out of NSA HQ with the crown jewels, an even more evil future Snowden could walk out with the keys to the entire nation. 

While we do not know if the Juniper back door was compromised in this way - or simply discovered by accident in the millions of lines of source code - the point is very clear. One mole and we're all sunk.

Lesson one for President Trump: Back doors are a suicide note. Reject them, because a bad guy will use them against us.

The Obama administration also engaged in so many over-reaching violations that this humble blog post could not cover them all. However, there are a couple of real doozies starting with the Lavabit affair and the All Writs Act on Apple.

The Lavabit prosecution was what we in the technical community call a cluster ****. 

Ladar Levison founded a company called Lavabit that allowed users to exchange encrypted - secure - emails. 

Lavabit had about 410,000 users and offered free and paid accounts. 

In July 2013 the federal government obtained a search warrant demanding that Lavabit give up the keys to all Lavabit users. Levison decided to close the business instead of complying with the US government's demands. However, the Lavabit story does not end here.

The FBI objected to Levison closing his business and told him that if he did - he could be prosecuted. 

The Obama administration stated that he could be arrested for closing the site instead of releasing the secret codes for every customer. 

Levison noted that the federal prosecutor's office sent his lawyer an e-mail to that effect. Worse still, they threatened him with a gag order under national security laws so he would not tell anyone about this.

The other example of leaving the free world and descending into an Orwellian hell-hole is the Apple All Writs Act horror story. 

The FBI demanded that Apple create special tools to defeat the security of a customer’s phone. 

This particular action by the Obama administration is very, very dangerous. The writ was presented to Apple in the form of a "do my bidding or die" demand.

The point is that this same writ is presentable not only to any other encryption maker, but also, in altered forms, to other industries or even individuals.

In short, the Obama administration over-stepped the bounds of law, using the All Writs Act to "conscript" US citizens to do something they did not want to do. Even draftees can become objectors, but under the Obama All Writs Act - you can be drafted and forced to do anything.

If you refuse you go to jail.

Lesson two for President Trump: Respect the Constitution. 

The founding fathers gave us the rights of individuals in written form like God gave Moses the 10 Commandments on a stone tablet. Violators will be prosecuted.

The final song in this chorus of major screw-ups comes neither from a President's pen nor the NSA hacker code vault. Instead, it starts with an unprotected email server sitting in a New York basement.

The Clinton server became the target of nation-states and the subject that changed the election. 

We still, to this day, do not know the full extent of the damage to US National Security, having only been provided with thousands of blacked-out emails, with many more gone missing.

The follow-on hacks of the DNC computers and the emails of John Podesta filled the Internet with clear insight on the inner-workings of the Clinton campaign and the corruption of a major US political party.

If the state-of-the-art in Democrat information security was Podesta's password "runner4567", then it did not take the Kremlin to hack them. 

The massive daily tidal waves of Podesta emails from Wikileaks capsized the Clinton campaign and sent a waterfall of information cascading down upon her party, revealing the dirty tricks, bad deals, collusion with the press and disdain for the common folk.

It changed the world and helped elect Donald Trump to the White House.

All of these events need not have happened. 

If Hillary had used encryption. If Podesta had used encryption. If the DNC had elected to require encrypted security software and hardware. If... If... If.

The final lesson for President Trump: Choose encryption or self-destruct.