Original URL: http://www.theregister.co.uk/2013/08/22/guardian_snowden_advice/

Four ways the Guardian could have protected Snowden – by THE NSA

Spooks' own advice lays out exactly how this crypto wypto hypto thing works

By Chris Williams

Posted in Security, 22nd August 2013 11:38 GMT

Analysis The Guardian's editor-in-chief Alan Rusbridger fears journalists – and, by extension, everyone – will be reduced to using pen and paper to avoid prying American and British spooks online.

And his reporters must fly around the world to hold face-to-face meetings with sources ("Not good for the environment, but increasingly the only way to operate") because they believe all their internet and phone chatter will be eavesdropped on by the NSA and GCHQ.

"It would be highly unadvisable for … any journalist … to regard any electronic means of communication as safe," he wrote.

El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips – most of them based on the NSA's own guidance.

(It's quite possible the Graun's able staffers have already thought of all this, and whistleblower Edward Snowden eventually taught his contacts how to use PGP, but allow us to throw it out there anyway for everyone to consider.)

1. Encryption: It's not hard

David Miranda – the boyfriend of Glenn Greenwald, the journalist at the centre of Edward Snowden scoops about the NSA and GCHQ – was held at London Heathrow airport this week during a stopover from Berlin to Brazil. Miranda was carrying encrypted information in a laptop and USB drives, having visited Laura Poitras, the US filmmaker who worked with Greenwald on his NSA scandal stories.

You have to wonder why the Brazilian was being used as a data mule, for want of a better word, when there are other ways to securely transfer leaked documents without triggering the frankly unsettling Schedule 7 of the UK's Terrorism Act 2000, under which someone can be stopped and questioned at a port without any suspicion at all. Although, he may have been stopped even if he was carrying nothing but his phone.

It's reported that journalists, even tech journos, are woefully ill-equipped to deal with encrypted leaks: so let's put a stop to this digital fumbling in the dark, and let the record show that some of us have an idea of how it all works.

First of all, take the NSA's own advice [PDF] and grab a copy of the open-source cryptography toolkit GnuPG. Compile it for your favourite operating system (or trust a pre-built download, having checked its signature against the project's release-signing key), and then generate a public-private key pair: data encrypted with the public key can only be decrypted with the matching private key. So your source encrypts her sneaked-out files using your public key, sends you the scrambled bytes, and you reconstruct the original with your private key.

Straightforward ... GPG for Mac OS X will do the key-pair generation for you automatically

Why use key pairs, otherwise known as asymmetric encryption? Because it saves you having to whisper shared passwords to one another, essentially divulging secrets that if intercepted by an enemy would be catastrophic to your project.

With public-private keys there's no need to reveal pass-phrases or drop off nondescript packages containing password code books, as exciting as that may sound. Instead, you can freely reveal your public key: it's only good for encrypting things to you (and for checking your signatures). (Technically speaking, the data itself is encrypted with a randomly generated one-off session key and a chosen symmetric cipher, because asymmetric encryption is computationally expensive; the symmetric cipher does the heavy lifting, and the public key is used only to encrypt that session key, which the recipient unwraps with the private key.)

Again, following the NSA's own advice, in your chosen PGP software generate a 4,096-bit key pair (PGP calls its default flavour Diffie-Hellman/DSS; in GnuPG the DSA signing key tops out at 3,072 bits, so RSA for both signing and encryption is the simpler choice there), set to expire in one year (or less if you're planning a short whistle-blowing career), with AES-256 as the preferred encryption cipher and SHA-512 as the preferred hash function.

Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)

Keep your generated private key somewhere safe and hidden, such as on a TrueCrypt-encrypted thumb drive (TrueCrypt was abandoned by its developers in 2014; VeraCrypt is the maintained fork), rather than at rest on a disk, and whatever you do, don't take it through customs. Use steganography to hide it in a picture of a cat.

Don't put yourself in a position where the police can demand it under Part III of the Regulation of Investigatory Powers Act (a section 49 notice; refusing to comply is itself an offence). Don't keep the key, data and the computers you are using anywhere the Powers That Be, having obtained a warrant, expect to physically find them. You need to have transferred the goods before anyone realises.

While David Miranda insists he didn't know anything about the contents of the electronic documents he was carrying, he did hand over the passwords to his equipment to the plod after being threatened with imprisonment.

Thus, one only hopes any sensitive files he was carrying were encrypted using a second secret, one he couldn't possibly divulge because he didn't know it. However, that will not have impressed the cops, who may have thrown him in the cooler for a couple of years or until someone could provide that second key. This has happened in the past.

A good lawyer could get your mule off the hook if the brief argued that your bod didn't know the key nor the contents of the files (and thus was no more complicit in any wrongdoing than a Royal Mail worker delivering brown envelopes of leaked material). In this case, Miranda knew something and eight hours under the spotlight was enough for him.

In short, don't use data mules known to the authorities, and certainly not across guarded borders, unless you've got a bang-up lawyer (and pots of cash to pay for it) and a personal courier willing to spend hours, days or perhaps months detained.

(PS: Handing over account-level passwords, rather than decryption keys, is bad enough, though, for the poor bod intercepted; there is no doubt investigators will try to use this information to inspect email inboxes, instant messaging clients, social network accounts and anything else they could get hold of in search of wrongdoing. More determined operatives could use this sort of access to get a better idea of the chap's friends and associates for follow-up surveillance.)

Your source should also create her own public-private key pair, following the same steps above; this is needed to sign messages, or in other words to cryptographically prove that the data hasn't been altered in transit and that it was signed by the holder of that private key. Once you've checked her key's fingerprint with her through some other channel, that means it came from her.

Meet the Advanced Encryption Standard

As an aside: the AES-256 cipher, as mandated above, is recommended in the NSA's own advice [PDF]. Uncle Sam's spooks are told to use AES (Advanced Encryption Standard) and 128-bit keys to protect material designated "SECRET". "TOP SECRET" – the highest security level available and usually reserved for compartmentalised information distributed on a strict need-to-know basis – requires 256-bit keys.

The standard – Rijndael, designed in 1998 by Belgians Vincent Rijmen and Joan Daemen and adopted by NIST in 2001 – is considered unbreakable and spook-proof by all but the very, very paranoid: there is no known practical attack on the cipher itself, and decrypting the data without knowing the key would require an infeasible amount of computing power. We're talking more energy than the universe can give us. There are 2^256, or 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936, possible keys if you feel like trying to brute-force it.

Serious maths ... the calculations behind AES

It is possible someone could extract unencrypted information, or even the secret crypto keys, using a side-channel attack. This is usually pulled off by precisely timing the calculations performed by the system doing the encryption and recovering the goodies byte by byte.

Such endeavours, so far as we know, have worked against tiny keys (some as small as 32 bits). Then in 2010, three boffins showed they could quickly recover a 128-bit AES key by running unprivileged code that spied on CPU cache access on a Linux server running OpenSSL. On the one hand, yes, you need to be able to run your own malicious software on the machine to snaffle this data; on the other hand, that will not be difficult for state-backed spooks with loads of private zero-day exploits. So steps need to be taken to defend against this sort of compromise: use a constant-time AES implementation (or the CPU's own AES instructions, which keep the cipher's table lookups out of the cache), and don't share the box with anyone else's code.

Proud tinfoil-hat-wearers among us will point out that these encryption standards may have been molested by the NSA at some point, perhaps to introduce weaknesses that can be exploited to easily crack encrypted data. Putting aside the fact that these algorithms have faced intense public scrutiny before their deployment, if the spooks had nobbled the maths, one wonders why the cops are so keen to extract decryption keys from suspects (or even perfectly innocent people) ... though perhaps that's what they want us to think.

2. Use clean machines

Make sure you're doing all of this on completely clean computers, you and your whistleblower: only ever use them for communicating between you and your contact, and don't contaminate the kit with other stuff or have it in any way associated with your other work. Keep both machines powered down when not in use; don't connect either to your corporate or personal network.

Buy new machines for cash from a shop and harden them against attack: why not (again) take the NSA's own advice and make sure you're using Security-Enhanced Linux, the mandatory access control system the agency itself developed and which has been part of Linus Torvalds' mainline kernel since 2.6. More seriously, install the Grsecurity kernel patches (bear in mind they have not been publicly released since 2017) and use TrueCrypt to protect disk volumes. The spooks also publish guides to securing operating systems online.

Essentially, do everything you can to compartmentalise your system. Install a hypervisor (yeah, a good one) on the new computer, and run all of the above software – your PGP tools and other essential utilities – inside a hardened virtual machine. Once that VM is set up, snapshot it and save it off disk on secured removable storage.

Every time you need to look at the leaked encrypted documents (again, stored securely off disk), reload the snapshot and use that environment afresh, so that the VM doesn't have to touch the host machine's disk and also just in case the VM was compromised the last time you used it.

Bear in mind that if an attacker did infiltrate your VM and silently escaped the hypervisor, or otherwise snaffled your private key, it's game over. And state-backed spies will have zero-days to make this possible.

Even the NSA's own advice is to assume you've been compromised and work from there. "We have to build our systems on the assumption that adversaries will get in," the agency's Debora Plunkett told a security conference. "We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly."

In other words, carve your hardware into compartments and protect them from each other, even using an old-fashioned air gap. Be paranoid.

3. How to shift the data securely

It's time for your source to package up the goods to leak: your contact can either use your public key to asymmetrically encrypt the files using PGP or if you've somehow agreed upon a key (typically generated from a pass-phrase) that is utterly secret between you two, then consider symmetric encryption using AES-256.

If this symmetric key falls into the wrong hands, then the jig is up, whereas in asymmetric encryption, you just have to be responsible for your own private key. Having said that, using AES-256 to encrypt your leaked data (once you have it) on removable storage, perhaps steganographically inside a video or TrueCrypt volume, is essential.

Encrypting files, once they've been archived into a zip or tarball for convenience's sake, is just a simple command line away. For symmetric, try:

gpg --output totallyinnocent.txt --symmetric leakedsecrets.pdf

...or, asymmetrically, use:

gpg --output totallyinnocent.txt --encrypt --hidden-recipient Friend leakedsecrets.pdf

In the latter case, the source must first have added your public key (Friend, that's you) using gpg --import, and would do well to add --sign so you can check who sent it. Because a hidden-recipient message carries an all-zero key ID instead of yours, your gpg works out which secret key to use by trying each one it holds in turn. Also name the cipher: the default for --symmetric depends on the GnuPG version (1.4 used CAST5), so pass --cipher-algo AES256 if AES-256 is what you want. GnuPG is completely documented.
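The key generation from section 1, the session-key wrapper described there, and the two commands just shown, run end to end in one script. This is an added example, not code from the article or from the GnuPG project: it assumes GnuPG 2.1 or later (for --pinentry-mode loopback and unprotected batch-generated keys), and the user IDs, file names and "leaked" document are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the article or the GnuPG project: the journalist/source
# exchange of sections 1 and 3 run end to end with GnuPG 2.1 or later.  Two
# throwaway GNUPGHOMEs stand in for the two clean machines; the names, file
# names and the "leaked" document are all constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 1; }

KEYLEN="${GPG_DEMO_KEYLEN:-4096}"      # the article's size; export a smaller value for a quick run

WORK="$(mktemp -d)"
J="$WORK/journalist"; S="$WORK/source"   # one keyring per party, as if on separate machines
for h in "$J" "$S"; do
    mkdir -m 700 "$h"
    echo allow-loopback-pinentry > "$h/gpg-agent.conf"   # lets --passphrase-fd work unattended
done
cleanup() {
    for h in "$J" "$S"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Unattended key generation: RSA, one-year expiry, AES-256 and SHA-512 placed
# first in the key's preferences so correspondents pick them.  %no-protection
# is for the demo only; a real private key gets a strong passphrase.
gen_key() {   # $1 = homedir, $2 = user ID, $3 = "encr" for a separate encryption subkey, else sign-only
    if [ "$3" = encr ]; then
        extra="Subkey-Type: RSA
Subkey-Length: $KEYLEN
Subkey-Usage: encrypt"
    else
        extra=""
    fi
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: $KEYLEN
Key-Usage: sign
$extra
Name-Real: $2
Expire-Date: 1y
Preferences: AES256 SHA512 ZLIB
%commit
EOF
}
gen_key "$J" "Journalist Alice" encr
gen_key "$S" "Source Bob" sign

# The journalist publishes the public key in the open; the source imports it and
# confirms the fingerprint out of band.  The source's public key travels with
# the first message so signatures can be checked.
gpg --homedir "$J" --batch --export --armor "Journalist Alice" > "$WORK/journalist.asc"
gpg --homedir "$S" --batch --quiet --import "$WORK/journalist.asc"
gpg --homedir "$S" --batch --export --armor "Source Bob" > "$WORK/source.asc"
gpg --homedir "$J" --batch --quiet --import "$WORK/source.asc"

SECRET='constructed sample document, not a real leak'
printf '%s\n' "$SECRET" > "$WORK/leakedsecrets.pdf"

# Source side: sign, then encrypt to a hidden recipient.  --trust-model always
# stands in for the fingerprint check; batch mode otherwise refuses an uncertified key.
gpg --homedir "$S" --batch --trust-model always --sign --encrypt \
    --hidden-recipient "Journalist Alice" \
    --output "$WORK/totallyinnocent.txt" "$WORK/leakedsecrets.pdf"
# The packet layout is the hybrid scheme from section 1: a public-key-encrypted
# session key followed by the AES-encrypted payload.  A hidden recipient shows
# up as an all-zero key ID in that first packet.
if gpg --homedir "$S" --batch --list-packets "$WORK/totallyinnocent.txt" 2>/dev/null \
        | grep -qi 'keyid 0000000000000000'; then HIDDEN=yes; else HIDDEN=no; fi

# Journalist side: gpg tries each secret key against the anonymous packet,
# decrypts, and reports the signature check on the status channel.
gpg --homedir "$J" --batch --status-file "$WORK/status.txt" \
    --output "$WORK/recovered.pdf" --decrypt "$WORK/totallyinnocent.txt"
ASYM_PLAIN="$(cat "$WORK/recovered.pdf")"
if grep -q '^\[GNUPG:\] GOODSIG ' "$WORK/status.txt"; then SIG_OK=yes; else SIG_OK=no; fi

# Symmetric alternative for a pre-shared passphrase: name the cipher and the
# passphrase-stretching hash, since the defaults vary by GnuPG version.
PASS='constructed-demo-passphrase'
printf '%s' "$PASS" | gpg --homedir "$S" --batch --pinentry-mode loopback --passphrase-fd 0 \
    --cipher-algo AES256 --s2k-digest-algo SHA512 --symmetric \
    --output "$WORK/sym.gpg" "$WORK/leakedsecrets.pdf"
printf '%s' "$PASS" | gpg --homedir "$J" --batch --pinentry-mode loopback --passphrase-fd 0 \
    --output "$WORK/sym.pdf" --decrypt "$WORK/sym.gpg"
SYM_PLAIN="$(cat "$WORK/sym.pdf")"

printf 'hidden recipient: %s\nsignature good: %s\nasymmetric round trip: %s\nsymmetric round trip: %s\n' \
    "$HIDDEN" "$SIG_OK" "$ASYM_PLAIN" "$SYM_PLAIN"
```

Run it as sh script.sh; the three RSA-4096 generations are the slow part. The --list-packets step is the check worth remembering: a hidden recipient shows a key ID of all zeros, so nobody reading the file off a confiscated drive learns whose key it was encrypted to. The price is that the recipient's gpg has to try every secret key it holds, so keep the drop-box keyring small.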

Of course, you'll need to exchange public keys. To avoid having to rely on encrypted instant messaging systems (such as OTR), publish your public key online, in the open. The first communication you may get from your leaker is an encrypted message from a throwaway email account from a Wi-Fi hotspot, and unfortunately such data is likely to set off triggers within the spooks' internet surveillance systems. The chase will be on immediately.

Once the leaker has encrypted her data, it's time to transfer it. Don't use email. Don't even consider uploading the file to a server across the open web, even if the data is encrypted: with the global internet dragnet in operation, you do not want to accidentally reveal your source by allowing spooks to realise the association between the two of you. (Life is made easier if your source outs himself, like Edward Snowden did, but then life hasn't been easy for him since.)

So consider using Tor, first funded by the US Naval Research Laboratory for secure communications and later supported by the Electronic Frontier Foundation (EFF) and others. This is a system that routes connections through a mesh of computers joined up to the Tor network: your connection goes into an entry node, through a randomly selected path, jumping from machine to machine, until it reaches an exit node, which connects to the outside world. The path is chosen by the user's own software and the traffic is wrapped in one layer of encryption per hop, so each relay knows only the node before it and the node after it; no single relay sees both you and your destination.

The computer you eventually connect to outside the Tor network will only see a connection from the exit node – and, yes, this node sees whatever you send through it in the clear, which is why everything is encrypted end to end before it goes anywhere near Tor, just in case someone has compromised that node (use a secure VPN if you wish, but that's beyond the scope of this piece).

How Tor works is best described with illustrations, such as the one below from the EFF, which also publishes an excellent guide.

How Tor works by the EFF

Unfortunately, as noted computer security researcher The Grugq pointed out, the NSA and GCHQ will have all the entry and exit points of Tor covered:

The financial cost of compromising the Tor network is not even a rounding error in a nation state budget. It is the equivalent of a portion of the change found in the couch. Furthermore, Tor is not new. It isn’t as if nation state level adversaries just woke up last week, “holy shit, this Tor thing! We better get on that!”

The trick, in El Reg's opinion, is to get the data transferred before the spooks put a crack team on you and your mole to swipe the keys or otherwise prevent the leak. So, if you're persevering, set up a hidden service, which allows your source to securely connect to your server across the Tor mesh. See, no need to fly a data mule through Heathrow.

4. Using hidden services

Take a clean, secured new PC and hook it up to the internet far away from your other networks; run a web or FTPS server behind a Tor hidden service (the connection to a hidden service is already encrypted end to end inside Tor, so SSL on top is belt and braces rather than a requirement) and allow your leaker to anonymously upload files to it, effectively creating your own personal drop box.

Agree on a time and date to do this, and pull the plug once the deed is done. And do this after the source has fled to a country without a US extradition treaty, such as Ecuador.

Then you can transfer the encrypted data, via removable media, to your clean not-networked VM to decrypt with the private key you've kept away from everything. Publish the juicy details before someone can slap an injunction on you, officials turn up and demand some computers are smashed up, or armies of state-sponsored hackers try to raid your setup for all the data you hold.
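The drop box above as a torrc, written as an added example that is not the article's or the Tor project's own. It goes beyond the 2013 setup: it uses a version 3 onion service with client authorisation, so a source who does not hold the matching key cannot even fetch the service's descriptor, let alone upload. It assumes tor 0.3.5 or later, OpenSSL 1.1 or later (for X25519 key generation) and coreutils base32; the paths, the "source" label and the upload port 8443 are constructed for the demo, and the upload server itself is whatever you run on loopback.

```shell
#!/bin/sh
# Added example, not from the article or the Tor project: the section 4 drop box
# as a torrc for a current tor (0.3.5 or later), with v3 client authorisation so
# only a source holding the matching X25519 key can fetch the service descriptor
# at all.  Paths, the client label and the upload port are constructed for the
# demo; the upload server itself is whatever you run on 127.0.0.1:8443.
set -eu

# Service side: torrc plus an empty authorized_clients directory.
# $1 = config dir (stands in for /etc/tor), $2 = HiddenServiceDir (stands in for
# /var/lib/tor/dropbox, where tor writes hostname and the service keys).
write_dropbox_config() {
    mkdir -p "$1" "$2/authorized_clients"
    chmod 700 "$2"                     # tor refuses a HiddenServiceDir others can read
    cat > "$1/torrc" <<EOF
# This box only serves; it is not a Tor client (constructed example)
SocksPort 0
HiddenServiceDir $2
HiddenServiceVersion 3
# <onion>:443 -> the upload server, which binds to loopback only
HiddenServicePort 443 127.0.0.1:8443
EOF
    printf '%s\n' "$1/torrc"
}

# Client authorisation: one X25519 key pair per source.  The public half goes
# into the service's authorized_clients/, the private half to the source's
# ClientOnionAuthDir.  Tor wants the raw 32-byte keys as unpadded base32.
# $1 = HiddenServiceDir, $2 = client label, $3 = dir for the source's file
gen_client_auth() {
    mkdir -p "$3"
    pem="$(mktemp)"
    openssl genpkey -algorithm X25519 -out "$pem"
    # PKCS#8 and SubjectPublicKeyInfo DER both end with the raw key bytes
    priv="$(openssl pkey -in "$pem" -outform DER | tail -c 32 | base32 | tr -d '=')"
    pub="$(openssl pkey -in "$pem" -pubout -outform DER | tail -c 32 | base32 | tr -d '=')"
    rm -f "$pem"
    printf 'descriptor:x25519:%s\n' "$pub" > "$1/authorized_clients/$2.auth"
    # The onion address exists only after tor has started once and written
    # $1/hostname; the source swaps it in for the placeholder.
    printf 'ONION_ADDRESS_WITHOUT_DOT_ONION:descriptor:x25519:%s\n' "$priv" \
        > "$3/$2.auth_private"
    printf '%s\n' "$pub"
}

# Demo run in a scratch directory
DEMO="$(mktemp -d)"
TORRC="$(write_dropbox_config "$DEMO/etc" "$DEMO/dropbox")"
PUB="$(gen_client_auth "$DEMO/dropbox" source "$DEMO/source-side")"
cat "$TORRC"
echo "authorised client key: $PUB"
rm -rf "$DEMO"
```

Once tor has started it writes the 56-character address to HiddenServiceDir/hostname; that goes into the source's .auth_private file in place of the placeholder, and her own tor is pointed at the directory holding it with ClientOnionAuthDir. The HiddenServiceDir must belong to the user tor runs as, and the server on 127.0.0.1:8443 should listen on loopback only, so the only way in is through the onion address.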

So that's your air gap. Those are the hoops you need to jump through. You may as well hide some secret encrypted data in a video, put it on a DVD, and post it first class.

And, lest your humble hack hasn't made his point strong enough, you're up against a nation state, not some credit-card stealing hacker; even if you don't believe spies can record conversations in rooms using lasers pointed at windows, they have resources.

As The Grugq concluded after the Snowden scandal broke, you're dealing with plenty of unknowns:

Practicing effective counterintelligence on the internet is an extremely difficult process and requires planning, evaluating options, capital investment in hardware, and a clear goal in mind. If you just want to “stay anonymous from the NSA”, or whomever … good luck with that. My advice? Pick different adversaries.

Speaking of which, let's not forget the tech giants holding all our data for years. The big cloud providers know everything about us, although Google and its fellows insist that staff access to netizens' personal data is highly restricted.

As one UK government security staffer complained to El Reg even before the NSA PRISM firestorm kicked off: "You would not believe the hoops we have to jump through to access an email, all the legal paperwork that needs completing, when Google has everyone on file and no one blinks an eye." ®