I would like to thank everyone who provided feedback on the Selective
DoS Attacks discussion.
http://www.skuz.net/potatoware/PSKB-035.html
The following is a somewhat more trivial discussion spawned from it.
After spending a lot of time trying to resolve the reliability problems
in anonymous remailers, and having little discernable effect on the
problem, I came to the conclusion that remailer messages are being
deliberately deleted as part of a selective DoS attack.
This naturally leaves the question of how to fix the problem. I would
like to break in with a little trivia on the subject, and why "adding
more bits" may have little effect.
Contents:
THE BIG LITTLE LOCK
BREAKING THE LOCK
NATIONAL SECURITY
SOLUTIONS
THE BIG LITTLE LOCK
Modern encryption is an interesting tool. It is a tiny lock which can
be produced from cheap materials; it can be obtained and applied easily
by most individuals.
But this same lock, when faced from the other side, is a very big lock,
requiring very substantial resources and time to break, if it can be
broken at all. In a few seconds a small PC can produce a coded message
which presumably takes a supercomputer many billions of years to break.
Thus is the individual empowered by encryption, and thus are governments
challenged through its use. As information increasingly becomes the
basis of change, affecting the flow of information becomes power.
Encryption can be used to both withhold information, and to insure its
untampered delivery.
BREAKING THE LOCK
Some time ago I introduced a friend of mine (who had just recently begun
using computers in earnest) to the concept of public key cryptography,
and I showed him how PGP works. The next day my friend came to me and
said he had broken PGP. I allowed him to explain, and he said it's
simple, "just scan for PGP messages and delete them".
Little did I know he had stumbled upon the very same solution as the
NSA.
The NSA, CIA, and other intelligence-gathering organizations are
genuinely threatened by encryption. It can be argued that with their
massive computing resources they can break some of it. But they cannot
do so cheaply, and they cannot do so on a wide scale. If everyone used
encrypted communication, the eavesdroppers would quickly become
backlogged trying to decrypt it in real time. By the time they found
the message they were looking for, they'd be very dead of old age.
So imagine a meeting where they get together to discuss this problem. I
think they came to much the same solution as my friend. They need to
eliminate or reduce the ability of people to use encryption securely.
This explains their horror when Phil Zimmermann wrote PGP, and their
prolonged legal attack against him.
It is folly to think of the NSA and their ilk as mere code breakers and
eavesdroppers. That is a very passive personification of organizations
who are very active saboteurs, manipulators, and killers. Consider some
of their approaches to the problem of encryption. It reveals their
desperation and how serious they consider the problem.
Sabotaged Software - Again and again we find that these people are
covertly sabotaging the security of software, both within their own
countries and overseas. A lot of the people who spend some time at
the NSA move into the private sector writing crypto code for
Microsoft, Netscape, etc. This means the NSA maintains these links
to industry.
Sabotaged OS - Is it an accident that Windows is so full of security
holes? Are these programmers really this incompetent, or is this
being done deliberately and under influence? Consider the NSA key
in Windows - a good speculative example. The presence of the second
key and the ability to change it renders the CryptoAPI very
insecure, regardless of who owns the key. This aspect of the OS is
effectively crippled.
Sabotaged Hardware - The broken encryption in cell phones is a good
example. The Processor Serial Number (PSN) quietly introduced by
Intel in some PII's and Celeron chips, and overtly introduced in the
PIII, is probably another example of the influence of these
organizations and their connection to industry. If you question the
security threat of the PIII, China doesn't. It has prohibited the
connection of PIII's to the internet.
http://www.bigbrotherinside.com/#help
Sabotaged Connectivity - I am convinced that the lost mail everyone
is familiar with when using anonymous remailers involves widespread
sabotage of the network connections between the remailers. Messages
are deleted at will. This means that only the very determined can
use them at all, and they are crippled to an extent where widespread
and highly secure use is unlikely. In more general terms, if
internet systems fail they create financial losses and are abandoned
for other systems. By sabotaging connectivity and reliability these
organizations influence what services survive.
Export Restrictions - Purported as 'national security requirements',
the anti-export agenda of the NSA directly impedes domestic
security. It also impedes open development in civilian
cryptography, making it illegal to share work. It slows down
development through extended software review procedures, which also
provides one-on-one contact between the developers and the agency.
This in turn allows the NSA an inside look at all the source code
(something even the users are often not granted), and promotes their
ability to arrange illicit deals. What the export restrictions are
primarily aimed at doing is preventing the widespread use of strong
encryption. They don't care as much about the terrorists, who
already use it, as they do about ensuring that there is only a
manageable and traceable amount of securely encrypted traffic.
Military-Industrial-Political Influence - Eisenhower once said that
the next real threat to the US would not come from without, but from
the military-industrial complex. The NSA and CIA have developed
their own systems of organization and control, their own sources of
income, their own armies. It is certain that they greatly influence
political decisions (such as the export regulations); it is certain
they are in a position to greatly influence events worldwide; it is
very uncertain whether they actually answer to the American people.
Thus they are a government or terrorist organization in themselves.
Propaganda and Legal/Media Influence - A favorite tactic of the CIA,
these people spread disinformation, manipulate the media, and seek
to treat citizens as cattle. They use the legal system when it is
convenient to their purposes and abandon it likewise. A good
example in remailers is so-called "designer abuse". If the normal
pressures on the remailers are not enough, they can turn up the heat
by posting illegal material, sending SPAM, mail bombs, etc., with
impunity. Thus if they don't like the level of encrypted security,
they reduce it.
NATIONAL SECURITY
When a country engages in sabotage and attacks to insure its security,
it is not merely promoting its own security, but is waging war. Thus it
can be said that in terms of information, the US and other intelligence
agencies are at war. And their targets are not merely other
intelligence agencies and terrorist organizations, but any form of
liberty which threatens their domination. And as usual in a war, it is
civilians who pay the greatest prices.
The intelligence agencies are protecting the security of the US in the
same way they use the US legal system when convenient, and bypass it
just as readily. US security is only of interest to them because they
are living there, not because they are a legal and integrated part of
it. They are protecting their own interests and tools of power, and
they are circumventing constitutional routes to do so. They are
insuring that people cannot speak without being traced, that people
cannot receive information of which the NSA does not approve. In short,
they are attacking the US people as much as any other people. They are
reducing the security of individuals and businesses, leaving them open
to widespread attack through weakened encryption, through software and
hardware which only gives the illusion of being secure. Their real goal
is to ensure that they maintain covert control of systems and people -
power. And it appears they will stop at nothing to achieve these
goals.
When eavesdropping became insufficient, they turned to sabotage. They
are using US foreign policy as a puppet, pretending to promote its
interests, while in fact undermining the liberty of people everywhere in
the world.
They speak of terrorism as the great threat warranting this behavior,
yet they have proven themselves to be the greatest terrorists. What has
been stolen and destroyed because of their sabotaged software? What
progress and liberty has been lost, and will be lost, because of their
totalitarian control?
Dear fellows at the NSA, the CIA, the White House, if you think you are
promoting liberty and freedom through dishonesty, deceit, and
manipulation, you are yourselves sadly deceived.
SOLUTIONS
Obviously designing stronger encryption algorithms and communication
protocols is only a limited solution to a much larger problem. The
mathematicians at the NSA plod along without realizing how their tools
are being applied. Likewise civilians plod along without realizing how
ineffective encryption is when it is undermined by insecure hardware,
software, and connectivity. I worked for years on remailer software,
and while I suspected sabotage at times, it took a long time for the
pattern to become definitively clear. I am just as upset by the time
wasted tracking problems which were deliberately induced as I am by the
breach of security.
In short, there is no simple solution or algorithm fix to this puzzle.
Only a continuing vigilance against this kind of sabotage, and a better
realization of the true depth of the problem will bring about a more
genuinely open and secure environment.
It is somewhat paradoxical that encryption, which hides information, is
so pivotal to promoting its open sharing and availability.
Eisenhower's Farewell Warning, January 17, 1961:
In the councils of government, we must guard against the acquisition
of unwarranted influence, whether sought or unsought, by the
military-industrial complex. The potential for the disastrous rise
of misplaced power exists and will persist.
We must never let the weight of this combination endanger our
liberties or democratic processes. We should take nothing for
granted. Only an alert and knowledgeable citizenry can compel the
proper meshing of the huge industrial and military machinery of
defense with our peaceful methods and goals, so that security and
liberty may prosper together.
Eisenhower's Farewell Address at
http://www.geocities.com/~newgeneration/ikefw.htm
1999