Please remember that email is not a secure communications medium. Do not say anything in an email that you would not be comfortable seeing on a bathroom wall or on CNN.
There are many packages, products, and offerings that purport to secure email. Unfortunately, however, they don’t work against anything more than basic threat models. That’s a round-about way of saying what I said at the beginning; let me repeat: Do not say anything in an email that you would not be comfortable seeing on a bathroom wall or on CNN.
If you use a system like Protonmail or Signal or whatever, you should assume that the ciphertext of your messages is being collected and carefully stored; if there is ever a vulnerability that allows an offline crack against stored messages, then your communications will be compromised. In fact, you’ve got an even bigger red flag waving above your head because you tried to bypass surveillance. I am not saying those systems are “bad”; it’s more complicated than that.
If you are using a system where there’s a cloud server holding your messages “encrypted while stored” or something like that, here’s a way of thinking about it: if your endpoint device gets lost or wiped and your messages are recoverable, then that means that – somehow – a recovery key is getting stashed someplace. And, if it is, you’re back in “bathroom wall or CNN” territory. Remember those incidents a few years ago where lots of Hollywood starlets’ cell phone selfies leaked out? A lot of that happened because of the recovery process: if someone can get your Apple or whatever-ID and password, and the system would allow you to re-populate a reset phone, then those same credentials would allow a hacker or the FBI to re-populate another phone in your name.
In general, however, you need to know about offline attacks, which are how most code-breaking is done, anyway: you take an encrypted message (a blob of cipher-bits) and hand it to a great big array of custom silicon that tries many many passwords very fast in parallel, and when something that’s statistically similar to language (instead of random noise) pops out the other side, you ring a bell. Very often you’ll see breathless descriptions of key-lengths and “until the end of the universe” but those numbers fall away very quickly if there are any errors in the implementation. And, there almost always are – deliberate or accidental errors.
To secure your communications against a high threat model, you’ll need a complete stack of your own: endpoints, algorithms, applications and physical control. In other postings I’ve outlined roughly how to build a mid-quality secure email service [stderr] and it’s almost pointlessly effortful. For sure, if I were doing IT for a presidential campaign, that’s how I’d do it. And if Anthony Weiner, Donald Trump(s), Hillary Clinton, Ronald Reagan, Michael Podesta, or flippin’ anyone who doesn’t want to see their email on bathroom walls or CNN – that’s how they should do it.
We are currently experiencing a great deal of political turbulence as a result of people not understanding the basics of email security. Namely, that there isn’t any.
I use Protonmail for some stuff. But it’s still stuff I wouldn’t mind seeing on a bathroom wall or CNN.
A rule of thumb for high threat model is that if your system has a password that you know, it’s not good enough. Take a look at how a STU-III (Secure Telephone Unit) works [wiki] the keying material is in a physical, destroyable, key that the user has no control over except to have it in their possession and turn it in the phone. That was a nice piece of work.
If you’re really going for it: do a face-to-face exchange of sampled random data (capture the randomness using frame-sampling from a video camera pointed at a lava lamp, then XOR it with cipher output from a cryptographic hashing function like SHA-1) Make sure you were running the sampling on a system using battery power not plugged into a wall outlet. Oh, and make sure you were below ground, ideally far below ground. In a Faraday cage if you have one. Wearing a tinfoil hat. Then, once you’ve exchanged your data on a thumb-drive, the system(s) you use to encrypt and decrypt are never used for anything else; they live in a safe with the thumb-drive epoxied into the USB port, and epoxy in all the other ports, and over all the case screw-holes. When you generate a message, XOR the plaintext with an incremental offset into the pre-exchanged random bits then embed the resulting ciphertext into the least significant bits of one of a pre-selected set of JPEG images, write it to a blank DVD and upload it to one of a rotating set of facebook accounts. Then microwave the DVD. Do not ever plug a USB device into that laptop again. When you run out of the whatever-many Gb of source random bits, demolish the laptop by putting the whole mess in a barbecue and melting it, then repeat the process. As part of an exercise, a friend of mine and I actually started this procedure, then we realized we were being silly and were painting targets on our backs, so we pulled down our tinfoil hats and went back to using open internet mail.
The technique I describe above is a Vernam Cipher, AKA a “one time pad” which is the only perfectly secure encryption system. However: it trades infinite operational complexity for theoretical perfection. See the one time pad FAQ, which I wrote back in 1995 or so. [otp] The availability of huge amounts of cheap storage (128gb USB stick would be a lifetime of messages if you stick to text) so the key exchange problem is a once-in-a-lifetime challenge. I occasionally daydream about making an OTP device; it’s a simple software layer that’d run atop a raspberry pi system. Basically, it’s a Palantir (except the name has been trademarked I’m sure)..
Lastly, remember, if they can’t break your crypto, they’ll break your teeth. [rubber hose] So don’t make your security perfect.
jrkrideau says
Homing pigeons are beginning to sound good. Reportedly they worked well for the Mamlukes. (Mamluks? My Arabic is just about non-existent.)
Plus I think I can find some squab recipes.
Marcus Ranum says
jrkrideau@#1:
Homing pigeons are beginning to sound good
Well, it’s really a question of threat models. I still use text and email all the time, but that’s because I don’t care. If I cared, things would be much more complicated.
What’s sad is that the people who should care, either don’t care or don’t understand. Perhaps after 2016 they will think a bit more.
Brian English says
And the spooks will start investing in falconry.
Marcus Ranum says
Brian English@#3:
And the spooks will start investing in falconry.
Nononononono! You’ve got it ALL WRONG. The spooks will begin making it easier to get pigeons. Special pigeons. How does one backdoor a pigeon? You can bet that, if people started using them, there’d be an NSA program working on exactly that.
Joking aside, I was talking with a guy I know from IN-Q-TEL back in the early ’00s and said “hey you guys ought to fund a massive free file-sharing service and bury ‘we may read your stuff’ in the terms of service.” And he said, “we have.” I suspect it’s just one of those jokes from the Trenchcoat&Trilby set but it’s hard to tell. You could spin a whole conspiracy theory that that’s why they were going after Kim Dotcom: he’s competition.
Oh, and they always play both sides: they’d sell you pigeons and develop improved falconry.
chigau (違う) says
William Gibson wrote a number of novels which had an underlying notion that it was more secure to transmit a file by giving a printed document to a bicycle courier than to transmit it electronically.
Even when said bicycle couriers were drug-addled and/or psychotic.
Marcus Ranum says
chigau@#5:
Yes, that’s correct. And, what’s best is that Paul Van Riper used that trick (and the presupposition that the opponent would be monitoring communications) to turn Millennium Challenge 2002 into a great big steaming mess: https://en.wikipedia.org/wiki/Millennium_Challenge_2002
Short form: it was a military wargame, in which the ‘red’ forces commanded by Van Riper, used motorcycle and bicycle couriers for their command/control (which they could do since they had internal lines of communication and their forces were mostly geo-located) while assigning a group to keep up simulated “command and control” messages that the US forces were intercepting. Red managed to mouse-trap a carrier task force group and inflicted tremendous damage on it – sinking a carrier and several landing ships full of marines.
The drill was such a mess that they declared the situation invalid, fired Van Riper, hit the Ctrl-Z key, and restarted the scenario according to script.
chigau (違う) says
Marcus
I read the Pffft article and now I would like to buy Van Riper a beer.
Marcus Ranum says
chigau@#7:
I read the Pffft article and now I would like to buy Van Riper a beer.
He’s definitely some kind of hero in the information security/asymmetric warfare field.
Of course he has his detractors, because he made a lot of people look pretty bad and that was a very inconsiderate and naughty thing to do. Tut tut!
Marcus Ranum says
I should probably add around now: Donald Trump appears to be pretty canny in that he doesn’t leave any email traces around, and doesn’t appear to write down what he’s thinking, if he thinks at all.
chigau (違う) says
I would like some evidence that Donald Trump can write.
Something other than his terrifying signature.
Caine says
I’m in the ‘don’t care’ camp. I use mailwasher simply as a way to filter and preview stuff, which is for my convenience. If someone thinks they are going to find all kinds of goodies, as far as information in my email, they are sadly mistaken.
polishsalami says
The biggest threats are from “inside jobs” it seems. When the ATM reminds you to put your hand over the number pad, it’s not to guard against the person standing three paces behind you at the machine (who is probably thinking about what they are having for lunch), but the rogue employee who has access to the security camera vision.
Hackers can only do so much with your information.
Dunc says
Will that actually put the hard drive platter / SSDs beyond any theoretical recovery?
I always thought the best way to render an HDD genuinely irrecoverable would be to sand the magnetic medium off the platter… Good luck reconstructing that.
cartomancer says
I bypass the issue entirely by never doing anything that anyone else has the slightest interest in.
Brian English says
Humblebrag. You decline in a most fetching way. And your conjugation….
johnson catman says
Re MC02 and Van Riper:
It would have well served the powers that be to have congratulated Van Riper and studied his tactics. The fact that he exposed such a gaping hole should have alerted them that they weren’t ready for unconventional methods of engagement. Unconventional is what terrorists and inferior forces will use against a standard and conformist military. That it was so effective should have rang warning bells throughout the US military command structure.
Marcus Ranum says
johnson catman@#16:
It would have well served the powers that be to have congratulated Van Riper and studied his tactics. The fact that he exposed such a gaping hole should have alerted them that they weren’t ready for unconventional methods of engagement.
Yes – that is, after all, the purpose of wargames. Prepare for possible new scenarios and look for flaws in current doctrine, etc. You can tell when a military general staff have ossified when they start shooting the messengers of innovation instead of searching them out.
MC02 did have a major impact, though. There has been considerable thought and attention to asymmetrical warfare – unfortunately – it has resulted in the pentagon’s endless requests for more bodies, “another surge!” and “once more unto the breach!”
Marcus Ranum says
Dunc@#13:
Will that actually put the hard drive platter / SSDs beyond any theoretical recovery?
Signs point to yes. Bringing the platters up to a high enough temperature will degauss them, and the chips in the USB stick will be no good either. When I said “barbecue” I was thinking “barbecue full of coals, with a shop vac blowing on them” – more like a metalsmith’s forge. Although if you want to have fun, go full George Goble:
https://www.youtube.com/watch?v=sab2Ltm1WcM
I always thought the best way to render an HDD genuinely irrecoverable would be to sand the magnetic medium off the platter… Good luck reconstructing that.
That would definitely work but I wouldn’t want to inhale any of that.
Back in the 90s Peter Gutmann did a pretty cool paper at USENIX about wiping hard drives. Most of it no longer applies, but one of the things he discovered was that the NSA’s standard for wiping a hard drive was just good enough to prevent anyone but them from reading it.
PS – thermite is highly overrated. Or, at least the small amounts I’ve made are.
Dunc says
Marcus @#18: I guess it depends what you’re trying to do with the thermite… You do need to get the mix bang on for it to really work – grain size, degree of mixing, and the ration of ingredients all have to be right – but it certainly seemed pretty impressive when my high school chemistry teacher accidentally set fire to his bench with it (through the ceramic crucible it was contained in).
Ieva Skrebele says
To polishsalami @#12
The biggest threats are from “inside jobs” it seems. When the ATM reminds you to put your hand over the number pad, it’s not to guard against the person standing three paces behind you at the machine (who is probably thinking about what they are having for lunch), but the rogue employee who has access to the security camera vision.
Not only. There are pickpockets who specialize with that. See http://bobarno.com/thiefhunters/shoulder-surfing-thief/ The technique is simple. Shoulder-surf to find out the pin code, then follow the victim and steal their wallet. And this is only the low tech option.
Some “more advanced” high tech thieves illegally install skimmers and tiny cameras next to ATM’s to record card info and pin numbers. More on that here https://krebsonsecurity.com/2017/03/why-i-always-tug-on-the-atm/#more-38837
By the way, whenever I stand in line waiting to pay for a purchase in a grocery store or wait to use an ATM, I’m always very bored, so I have made it a habit to try to find out the pin number of the person standing in front of me. And I often succeed, because people just don’t bother to block the number pad with their hand. And, no, you don’t have to worry about me actually using those numbers. I don’t have the skills of a pickpocket. Even if I knew your pin, I couldn’t steal your wallet anyway. I always just forget the pin numbers within minutes after discovering them.
Ieva Skrebele says
I use Protonmail for some stuff. But it’s still stuff I wouldn’t mind seeing on a bathroom wall or CNN.
In which situations using Protonmail would be better than using, say, Google e-mail? I’m asking, because I have been wondering about whether it’s worth using it.
I was also curious about passwords (or passphrases to be more exact). The passphrase has to be in some human language, because I’m not going to remember some random string of symbols. Are passphrases in rarely used human languages, like Latvian or Old High German (early German, used around 700 to 1050) better than passphrases in English? And, yes, I actually learned a bit of Old High German in university.
Marcus Ranum says
Ieva Skrebele@#21:
I was also curious about passwords (or passphrases to be more exact). The passphrase has to be in some human language, because I’m not going to remember some random string of symbols.
There’s some stuff [stderr] [stderr]
Short form: you should not use passwords you are capable of remembering for any website or purpose except for stuff that doesn’t matter; set yourself a policy of using complex stuff you don’t store in browsers or devices or complex stuff you store in a device you physically control. Then use a master password vault with a moderate sentence as the main passphrase. Something long and complicated but memorable, e.g: (one of my older ones)
The C0nstipation of O’Brian
FWIW, usually when I post about this, someone says “yeah, but …” which is the story of my life. All I can do is point to all the famous and powerful people whose stuff has cropped up in strange places, and shrug.
Are passphrases in rarely used human languages, like Latvian or Old High German (early German, used around 700 to 1050) better than passphrases in English?
The state of the art in cracking is to use massive dictionaries where they first try words from languages around the target’s area. So, in your case, if you were using Japanese or Arabic, it might help but anything European, no. The main places you get strength are length, unpredictability, and punctuation.
PS- none of the commentariat, so far, have recognized that old passphrase. Which means I am going to have to do some excerpts from a certain book that until then will remain nameless.
Marcus Ranum says
Ieva Skrebele@#21:
In which situations using Protonmail would be better than using, say, Google e-mail? I’m asking, because I have been wondering about whether it’s worth using it.
Your decision should be based only on who you may want to annoy. If you’re using Google, you’re not going to annoy the FBI. I don’t imagine Protonmail is going to resist a request for all my communications, if they get one from the FBI, but it’d make them have to work a tiny bit harder. I still consider Protonmail to be “CNN or bathroom wall” territory.
Ieva Skrebele says
Yes, I am using LastPass already. So my interest was about how to pick a safe master password.
The state of the art in cracking is to use massive dictionaries where they first try words from languages around the target’s area. So, in your case, if you were using Japanese or Arabic, it might help but anything European, no. The main places you get strength are length, unpredictability, and punctuation.
My old password was “manpatikslaistities” (meaning “I like being lazy” in Latvian). I somehow imagined that using a rarely used language could be safer than English. Looks like I’ll have to think of something better then. Does archaic spelling or spelling used in dialects count? Or do I need typos?
Your decision should be based only on who you may want to annoy. If you’re using Google, you’re not going to annoy the FBI. I don’t imagine Protonmail is going to resist a request for all my communications, if they get one from the FBI, but it’d make them have to work a tiny bit harder.
Sounds like there’s little difference in using Protonmail then.
Bruce H says
@22
> “In which situations using Protonmail would be better than using, say, Google e-mail? I’m asking, because I have been wondering about whether it’s worth using it.”
The biggest reason to use Protonmail over Google, for me at least, is to keep Google from reading your email. Maybe Protonmail can read it, maybe not, but they claim they can’t. They’d be in a bit more trouble than Google if it turns out they can, so they can’t monetize that information in the same way that Google does.
For me, it’s the monetization of my private communications that bothers me. I’m far too boring for state actors to bother with.
Marcus Ranum says
Bruce H@#25:
The biggest reason to use Protonmail over Google, for me at least, is to keep Google from reading your email.
Very good point. Protonmail’s agenda is: provide email Google’s agenda is: sell ads. If you want email, you agenda is more closely aligned with Protonmail (or any other secure email service) than Google.
Ieva Skrebele says
@25
The biggest reason to use Protonmail over Google, for me at least, is to keep Google from reading your email. . . For me, it’s the monetization of my private communications that bothers me.
Well, it sort of bothers me too, but I don’t believe I can possibly avoid it. I mean, even if I used some non Google e-mail, Google still would get majority of my messages, because pretty much everybody I communicate with uses Google e-mail. Besides, Google already has my search history, my browsing history, my phone number. They already have a hell lot of data about me, they can already give me targeted ads. Whether Google also gets to read my e-mail isn’t going to significantly influence anything.
Some years ago when Google started asking me my phone number, it annoyed me, because I didn’t want to give it to them. Then in 2015 I finally bought my first smartphone (Android). In order to use the new phone I had to do the obligatory setup, and while doing that I realized that Google already knows my phone number, they got it from my friends’ contacts. So much for trying to keep secrets from Google!
And it’s not just Google. Pretty much everybody gets to find out my personal info from my friends’ contacts.
I really would love to keep online businesses from obtaining data about me. But that would mean not using Internet and not talking with anybody who uses Internet. Which is pretty much impossible.