The NSA Wants Its Own Smartphone

Art Vanderlay writes "Troy Lange might work for one of the more secretive spy agencies in the United States, but he is happy to talk about his work. He is the NSA's mobility mission manager and he has been tasked with creating a smartphone that is secure enough to allow government personnel who deal with highly sensitive information to take their work on the road. At present, the U.S. Government has secure cellphones; they use the government's Secret Internet Protocol Router Network. The problem is that they can only communicate with other devices that are plugged into the network and their use is restricted to top-secret level communications. Lange wants a smartphone that is inter-operable and presumably trusted to deal with even more sensitive information. Lange said that he wanted to see his secure smartphone reach beyond the NSA – ultimately to reach every 'every employee in the Defense Department, intelligence community, and across government.'"

Good enough for them, but not for us huh?

[elrous0]

Oh, so your boys get the privacy protections that you've spent the last 10 years undermining for all the rest of us plebs, huh? I tell you what, I'll be cool with your special phones if, in exchange, the President and NSA Director will issue a public directive to all NSA employees reaffirming the pre-911 NSA policy of not to spying on the phone calls or emails of any American citizen without a court order. You know that policy, right? It's the one we put into law in 1978--the law that you ignored just because the President said so.

I'll hold my breath.

Re:Good enough for them, but not for us huh?

[Securityemo]

Who's saying that the employees conversations on these phones won't be tracked?

Re:Good enough for them, but not for us huh?

Assuming you have the right skills, there's nobody stopping you from buying a Nexus One, Nexus S or Nokia 900/N9 and rolling your own ROM with all the protections you envision. That's essentially what the NSA would be doing.
Perhaps a little nice project there for some XDA developers to develop a "Privacy ROM" for the masses. I'd venture to say however that there wouldn't be much of an audience for such a project.

Re:Good enough for them, but not for us huh?

Good luck rolling your own radios. Or verifying that snooping tech isn't built into the hardware itself for that matter.

Re:Good enough for them, but not for us huh?

Exactly. I'd assume that extensive control, monitoring and accountability of communications through these devices is near the top of the priorities list. Right after hardening from external compromise.

Re:Good enough for them, but not for us huh?

[Jeffrey_Walsh+VA]

I agree it would be better if "policy" was for them to not spy on us, but I don't believe that ever stopped them. It just limited what they could do with the information.

Re:Good enough for them, but not for us huh?

[FatLittleMonkey]

Who's saying that the employees conversations on these phones won't be tracked?

Yeah, but securely tracked.

Re:Good enough for them, but not for us huh?

[bsDaemon]

I would be willing to bet that the people who will have this phone issued to them will have even less personal privacy on the device than normal cell phone users. After all, what good is securing the device from evesdropping by foreign intelligence if you can't catch people who are spying from the inside? State security and personal privacy aren't the same thing, not that the difference justifies fucking us, as citizens, over in the name of stopping turrerism.

Re:Good enough for them, but not for us huh?

[kevinNCSU]

What are you rambling on about? You can 100% guarantee that a phone given to you by the NSA capable of accessing classified information is going to be heavily and regularly monitored by the government without court orders required. There would be 0% expectation of privacy with such a phone.

Re:Good enough for them, but not for us huh?

Please do. Blue is your color and Darwin is calling.

Re:Good enough for them, but not for us huh?

[malevolentjelly]

An Android-based phone? You really don't know much about how this security stuff works, do you?

If a phone that needs to pass any level of non-casual security certifications is to be linux-based, it's going to imprisoned behind an extremely restrictive hypervisor. If the only thing separating the interface from the hardware is linux, it will never pass the requisite security certifications. No device like that has and none ever will lest Linux cease being Linux.

Re:Good enough for them, but not for us huh?

And then someone leaves the prototype in a bar...

Re:Good enough for them, but not for us huh?

[erroneus]

The thing is, they KNOW how bad it is with governments forcing businesses to share information with them. This is true for seemingly all governments and all businesses. But because that sword cuts both ways, they have essentially created a situation where the technologies and devices are no long trustworthy. So now, they have to create their OWN stuff and not depend so much on contractors (read: cronies).

I can't say I didn't see this coming, but I can say I'm surprised it has taken them this long to realize it.

Re:Good enough for them, but not for us huh?

[Anthony+Mouse]

Yeah, the NSA has a different security model than Apple.

For one thing, if the thing is really secure, it shouldn't matter that nefarious people get access to one -- that is one of the main things you need it to be secure against.

Of course, the way you do this is pretty obvious. You put plenty of memory in it but only read-only permanent storage which holds the OS and the device's unique private key, and store all other data "in the cloud" (i.e. on the NSA's secure server). You put a hardware AES engine on the CPU and have it encrypt everything in RAM. You have it establish an encrypted tunnel at all times to a secure building in spy central somewhere and send all other communications through that. Then you use two or three factor authentication to unlock the phone, which authenticates against the central server, and when the phone is locked the encryption key to decrypt most of memory is stored in the central location rather than on the phone. If the phone gets lost you disable its account on the server and it's instantly bricked because it can't even read its own memory, and it doesn't contain any sensitive data in permanent storage.

Re:Good enough for them, but not for us huh?

[Ouchie]

The NSA/DOD listening is not as simple as you think. It isn't a bunch of analysts sitting around listening to everyone's phone calls to Pakistan. Computers listen passively to international phone calls looking for keywords and codewords. They score hits based on these usages and push it up for further analysis such as voice identification and stress pattern analysis.

The analysis is multi-level relying on computers for the first few levels until the computer ranks you high enough to warrant an analyst attention.

The likelihood of you being snooped on is slim, unless you do make regular phone calls to a phone number previously flagged. Like a payphone down the street from a known safe house.

Oddly enough they get around the search warrant thing by primarily listening to phone calls that leave and enter the United States. Your long distance calls fall under their charter as Foreign Intelligence because your phone calls are most likely bounced off a satellite owned by a Canadian, or other foreign subsidiary.

Re:Good enough for them, but not for us huh?

[elucido]

What are you rambling on about? You can 100% guarantee that a phone given to you by the NSA capable of accessing classified information is going to be heavily and regularly monitored by the government without court orders required. There would be 0% expectation of privacy with such a phone.

It's not the phone you'd have to monitor, it's the entire environment itself that the phone is in that you have to monitor.

Re:Good enough for them, but not for us huh?

[nabsltd]

What are you rambling on about? You can 100% guarantee that a phone given to you by the NSA capable of accessing classified information is going to be heavily and regularly monitored by the government without court orders required. There would be 0% expectation of privacy with such a phone.

Except for the fact that there won't be many people who are cleared to hear all the secure phones, so the personnel required might make monitoring impossible, and for phones held by people with exceptionally high clearance, it's possible that nobody but the phone holder would be cleared for everything he might talk about.

Add to that the fact that many truly "this didn't happen" operations need guarantees that nobody else knows means that routine monitoring of these sorts of phones is probably unlikely.

Re:Good enough for them, but not for us huh?

Computers listen passively to international phone calls looking for keywords and codewords. They score hits based on these usages and push it up for further analysis such as voice identification and stress pattern analysis

This is myth, not fact. It has been claimed since the 1970s, at which time the necessary technology simply did not exist. Even today voice recognition is barely capable of that kind of thing -- computers still have difficulty just identifying what language is being spoken! It is highly implausible that anyone is performing keyword recognition on all your phone calls.

Oddly enough they get around the search warrant thing by primarily listening to phone calls that leave and enter the United States. Your long distance calls fall under their charter as Foreign Intelligence

That is not actually true. If NSA has any reason whatsoever to believe that someone is a US citizen, regardless of where they are in the world or who owns the telecommunications equipment, they cannot spy on them without a court order (unless e.g. they are actively working on behalf of a foreign government). It is assumed that anyone physically located within the USA qualifies for this protection unless a court decides otherwise. Look up USSID SP00018; there are some redacted versions floating around the public domain that give a pretty good idea of the strict regulations in place in reality, rather than tinfoil-fantasy-land.

(If you have any actual evidence that NSA is doing what you have asserted, then congratulations, you have uncovered a terrible crime that federal authorities will take very seriously.)

Re:Good enough for them, but not for us huh?

You really think the NSA listened to the 1978 law in the first place? The entire purpose of the NSA has always been domestic spying and they have a long history of ignoring Congress. For much of their existance members of congreess didnt even know they existed.

Re:Good enough for them, but not for us huh?

[Synerg1y]

What if a government employee loses one? :)

Will cyanogen and XDA support it? :P

kinda like..
http://www.engadget.com/2011/07/14/international-atrix-unlocked-bootloader-uncovered-hackers-aroun/

Re:Good enough for them, but not for us huh?

I'll be cool with your special phones if, in exchange, the President and NSA Director will issue a public directive to all NSA employees reaffirming the pre-911 NSA policy of not to spying on the phone calls or emails of any American citizen without a court order. You know that policy, right?

Yes, it's the one that is actively enforced. It is regularly drummed into the head of every NSA analyst. It is audited. It is taken seriously.

But you don't believe that, do you? And there is literally nothing that would convince you. If President Obama and General Alexander did exactly what you just demanded, you would just decide that what they said in public was irrelevant because how could you know that they were actually implementing that policy. Even if you were invited into NSA and shown exactly what procedures are followed and given personal access to all the auditing data and allowed to examine everything to your heart's content, you would just assume that the real trampling of the 4th Amendment goes on in some beyond-top-secret facility that you hadn't been given access to. Even if NSA was closed down today and the buildings were demolished and every single analyst ended up begging on the fucking streets, you would just assume that it was all for show and the spying was still going on clandestinely.

Can you deny that? Can you really honestly say that if the President turned round and said "it's super-duper-double-official, you are not allowed to do that thing I already said you are not allowed to do", you would suddenly go "oh, right, I guess they aren't doing it then"?

Seriously, NSA does not give a fuck about you, and indeed expends considerable effort and money doing everything possible to avoid wasting their time spying on your insignificant life. They do not care if you donate to EFF, or read Schneier's blog, or google for your porn over HTTPS, or use TrueCrypt to hide whatever the fuck it is people who don't have anything worth hiding use TrueCrypt to hide. I really don't get why you are so determined to believe otherwise. Get over yourself. NSA does not give a fuck about you and is not spying on you.

Re:Good enough for them, but not for us huh?

[Plunky]

Computers listen passively to international phone calls looking for keywords and codewords. They score hits based on these usages and push it up for further analysis such as voice identification and stress pattern analysis

This is myth, not fact.

I believe the GP, since there was even a proof of concept trojan for Android that would listen to your calls and detect you speaking credit card information..

Thats why I always wear a tinfoil hat

Re:Good enough for them, but not for us huh?

Did you read the recent article by Stallman about Android phones? You are naive if you believe there exists any phone with modern specs that you can fully control and trust.

Re:Good enough for them, but not for us huh?

[nsaspook]

NSA does not give a fuck about you and is not spying on you.

Thank you, who has time for local chatter when the hot stuff of a high level honey trap video feed needs to be reviewed frame by frame to extract the best blackmail pictures.

Re:Good enough for them, but not for us huh?

[muckracer]

> There would be 0% expectation of privacy with such a phone.

As opposed to....?

There already is one, the sectera

It's from General Dynamics:

http://www.gdc4s.com/content/detail.cfm?item=32640fd9-0213-4330-a742-55106fbaff32

Blackberry is very good, it currently holds many certifications (but not top secret):

http://us.blackberry.com/ataglance/security/certifications.jsp

Fundamentally, there is a problem with mobile access for top secret communications - you don't know who is looking over the shoulder of the authorized user. Or if someone is pointing a gun at the head of an authorized user. These problems are reduced when you make the user come in to the office.

Re:There already is one, the sectera

[markbark]

SME-PED will bring SIPRNet to your hip, but the thing's a brick (35 mm thick and weighs half a kilo!) ....and don't get me started on the two hour battery life.

Re:There already is one, the sectera

[Securityemo]

Maybe you could program a stealthy mechanism to have the phone send a "help, my user is having a gun to his head" message, like entering and leaving a set of menus in a certain order?

More likely it'l be forgotten or stolen, ovbiously, but if it contains no information but a password-encrypted VPN or authentication key by itself and the password is of proper length it should be practically safe anyway? And the data it has access to is presumably really, really limited and segregated?

Re:There already is one, the sectera

Doesn't the military already deploy mobile Siprnet-capable devices? How do they handle these issues?

Re:There already is one, the sectera

Bingo.

Top Secret/secure compartmentalized information is traditionally read in SCIFs--special, leak-proof rooms designed just for reading/reviewing/discussing this sort of super super double top secret stuff.

The specs for SCIFs are pretty tough. Unused communications wires have to be bonded to ground. If a voice evacuation system speaker is required in the SCIF, it has to be self-amplified, since anyone who's ever attended a K-12 school knows that a PA speaker can be flipped into a microphone.

So what happens when an NSA employee on official travel is in their non-SCIFfed hotel room reading their Super Duper Secure Smartphone?

Re:There already is one, the sectera

[markbark]

Well... the forgotten or stolen problem is solved by the fact that you can do a remote wipe with a few keystrokes at the admin console.

Re:There already is one, the sectera

[elucido]

It's from General Dynamics:

http://www.gdc4s.com/content/detail.cfm?item=32640fd9-0213-4330-a742-55106fbaff32

Blackberry is very good, it currently holds many certifications (but not top secret):

http://us.blackberry.com/ataglance/security/certifications.jsp

Fundamentally, there is a problem with mobile access for top secret communications - you don't know who is looking over the shoulder of the authorized user. Or if someone is pointing a gun at the head of an authorized user. These problems are reduced when you make the user come in to the office.

That's just one problem and possibly the main problem. But you also don't know for sure the person reading it is the person authorized. Looking over their shoulder isn't the only problem, as most authentication schemes can be faked.

When an individual has access to classified information it's best to monitor their every move. This is why it's best if they access it from an environment where their every move is seen. This would have to be a completely secured location.

Mobile phones create insecurity because now there is no way to guarantee the location is a secure location or that the individual is the authorized individual.

Re:There already is one, the sectera

[elucido]

Maybe you could program a stealthy mechanism to have the phone send a "help, my user is having a gun to his head" message, like entering and leaving a set of menus in a certain order?

  More likely it'l be forgotten or stolen, ovbiously, but if it contains no information but a password-encrypted VPN or authentication key by itself and the password is of proper length it should be practically safe anyway? And the data it has access to is presumably really, really limited and segregated?

None of that would work because they could simply pick off the emissions the phone produces and get information that way. Unless of course the phone doesn't produce any but 99% of phones will and do, and also you have to worry about securing the user of the phone itself. The whole idea is technologically impossible at this time.

Anything password encrypted will be broken. Anything authenticated by fingerprint, eyes or whatever can and will be broken as well. And if the user isn't safe everything is broken.

Re:There already is one, the sectera

[elucido]

Bingo.

Top Secret/secure compartmentalized information is traditionally read in SCIFs--special, leak-proof rooms designed just for reading/reviewing/discussing this sort of super super double top secret stuff.

The specs for SCIFs are pretty tough. Unused communications wires have to be bonded to ground. If a voice evacuation system speaker is required in the SCIF, it has to be self-amplified, since anyone who's ever attended a K-12 school knows that a PA speaker can be flipped into a microphone.

So what happens when an NSA employee on official travel is in their non-SCIFfed hotel room reading their Super Duper Secure Smartphone?

Exactly what I was thinking. I don't understand why they haven't thought of that or why they would think this is a good idea. Using smartphones for top secret, secret, or even just sensitive information might not be a good idea. I guess if the information is just sensitive or not very secret it wont make a difference but why use the NSA phone? Why not just let the NSA create a certification standard and let commercial phones design for that standard?

Re:There already is one, the sectera

[Securityemo]

Exactly my point; as long as you can delay cracking the password on the auth key to well beyond the time required to remove access privileges from the key the system should be safe in a practical sense. A remote wipe wouldn't be neccessary since it would be obviously unsafe for the phone to store or cache information - you could defeat remote wipe by putting the phone in a signal-proof container and taking it somewhere safe to view the data on it.

Re:There already is one, the sectera

We find out why Allen Dulles ordered the assassination of Kennedy.

Re:There already is one, the sectera

[Securityemo]

Okay, actually reading the feature list of the sectera it looks like it manages stuff that's not "secret" as well, like mailing lists and contacts and such and that's stored with "type 1 encryption" which wikipedia defines as being the designation for protection of "classified" data.

Re:There already is one, the sectera

[fluffy99]

The Sectera is the one mentioned, that uses VOIP over SIPR. It's still quite large, poor battery life, and you have to treat the unit as classified at all times. The Blackberry is not authorized for classified at all, just sensitive but unclass.

What they really want is the cell phone equivalent of the STU/STE deskphones with the size and battery life of a current modern cell phone.

Re:There already is one, the sectera

[Securityemo]

I know of TEMPEST and such, and the wikipedia article lists some designations used by NATO and the US; it seems like they thought of the problem. I always thought that the only practical attack like that was being able to roughly read the images off of monochrome screens from a distance?

Re:There already is one, the sectera

[MobileTatsu-NJG]

General Dynamics? With Fargo in charge at least we know that the top minds are on the case.

Re:There already is one, the sectera

I don't think they'll ever authorize 'top secret' communications for mobile access for exactly the reason you state.
Secret communications are while certainly harmful if they get out they aren't exactly the end of the world (see wikileaks stuff)
Top Secret stuff is quite a different beast... think war plans or the designs for the latest spy device....
I mean if you ever needed an example of the different. Secret can actually be sent through the US mail system where as top secret has to hand carried by a certified currier with top secret clearance himself.

Re:There already is one, the sectera

[GameboyRMH]

Well since feds were never big on fashion I don't think they'll care about the size or weight. The battery life's obviously a problem, and the other problem I see is that you apparently have to choose whether you want a cell modem or a wifi adapter installed, but that's not even a huge problem.

So is that 2 hours of active use or 2 hours of standby? Even my N900 will get 3-4 hours of active use if I really abuse it (say, playing a movie with a non-GPU-accelerated codec). I'd say an N900 has about the minimum battery life that's acceptable in a phone (10-14 hours with average use) so if it can match that it should be good enough.

Re:There already is one, the sectera

[RobertLTux]

and if signal blocking is that much of a problem you have a Auto-Redaction Circuit with its own battery that redacts the phone (thermite charge or similar)) if it loses signal for more than 5 minutes and is not tethered to an authorized repair terminal.

Re:There already is one, the sectera

"Help, my user has a gun to his head" messages are an already-existing technology, and it doesn't have to come near the complexity of a "set of menus in a certain order".

We all know that TrueCrypt allows for "duress keys", where, if you are forced at gunpoint to decrypt something, a second key reveals something other than the actual protected data. It wouldn't be that hard for a secure smartphone to have a duress password that would send out a call for help and simultaneously connect to what appears to be the Top Secret repository, while it's really a decoy repository.

Burglar alarms have this feature too. Disarm your system with the duress code, and the system will pretend to disarm normally, while your monitoring station is calling your local police about a hostage situation.

Re:There already is one, the sectera

[GameboyRMH]

The bad guys (or should I say other guys? ;) ) have Faraday bags for that. You need some kind of dead man's switch. Don't enter a password every 12 hours and it wipes itself and then maybe overvolts itself. Have a special "coercion password" that will self-re-image the phone and then unlock it, giving the bad guys a working but useless phone.

Re:There already is one, the sectera

[GameboyRMH]

Huh didn't know Truecrypt had that feature, interesting...

Re:There already is one, the sectera

[GameboyRMH]

Why not just let the NSA create a certification standard and let commercial phones design for that standard?

Because that's little more than a gentleman's agreement. Oh Foxconn promises they won't let the Chinese government put any firmware backdoors in the NSAphone, pinky promise!

Re:There already is one, the sectera

[markbark]

That's two hours active use. But when you're going secure in the field it's because the shit has hit the fan and you need to weigh getting the mission done vs. possible leaks. Dunno why these things eat batteries. Maybe the crypto ASICs are particularly hungry?

Secure right up until...

[shoppa]

And the information will remain highly secure - right up until someone takes a non-secure camera and points it at the secure smartphone so they can get their job done.

Re:Secure right up until...

[maxwell+demon]

The solution to this is of course to have the phone only show encrypted information, and installing a crypto chip into the visual cortex of NSA agents for decryption. ;-)

Re:Secure right up until...

[GameboyRMH]

I think the use of a privacy screen-type coating on the phone would be a given...

That makes no sense

[js3]

wouldn't the value of security be gone if it is allowed to communicate with other phones? Don't these people learn anything?

Re:That makes no sense

[EdZ]

Yeah, I'm wondering how adding a few hundred thousand links between the public network and SIPRnet is meant to be a good idea..

Re:That makes no sense

No it wouldn't, just like adding a can opener at the other end of a beer opener will still allow you to open beer.

Re:That makes no sense

Yes, it would. No, they don't.

Re:That makes no sense

RIM announced plans for a phone "VM" platform ages ago - you get a physical device, it has two OS's one for personal use, one for work. Or make it dual-boot... Or use VPN. We have a million ways to achieve this for PC's, why not smartphones?

Re:That makes no sense

[mlts]

The ARM platform supports protections on the instruction level between subsets or "worlds". This was originally meant for DRM, but I'm sure a well written hypervisor can use this to keep work and home content separated, even if one VM got compromised somehow.

Re:That makes no sense

[JATMON]

RIM announced plans for a phone "VM" platform ages ago - you get a physical device, it has two OS's one for personal use, one for work. Or make it dual-boot... Or use VPN. We have a million ways to achieve this for PC's, why not smartphones?

Do you mean something like this? http://communities.vmware.com/community/vmtn/cto/emerging/blog/2010/12/08/vmw-partners-with-lg-to-bring-virtualization-to-smartphones

meanwhile... somewhere in a bar in California

hey look! someone left their phone.

Re:meanwhile... somewhere in a bar in California

[Thud457]

Obviously these would be hard-paired to the person's bio-chip so the phone would notify them if they moved too far out of range. sheeesh!

Official phone of Obama: Windows CE device

http://www.pcmag.com/article2/0,2817,2339444,00.asp

Re:Official phone of Obama: Windows CE device

[Shompol]

President Obama... if he wants to do secret government business he'll need one of two Windows CE smartphones

Because Windows CE is the most secure Windows CE on the planet! No so much when compared to other platforms, but hey, it's the Government so it has to come from Microsoft!

contradiction per se

[kubitus]

on the one hand they want to spy on each and everything

on the other hand they want to keep their turf secret

Does one have to be schizophrenic to work there?

if not mandatory, it sure would help!

Re:contradiction per se

[kevinNCSU]

I don't think there's anything inherently contradictory about wanting to keep the enemy's knowledge of you to a minimum while maximizing your knowledge of the enemy. Both stem from the idea that knowledge/information is power, and in the information battle, just like the physical battle, you're not interested in a level playing field.

Re:contradiction per se

[denis-The-menace]

schizophrenic ? No.

Hypocrite? YES

Re:contradiction per se

[CanHasDIY]

I don't think there's anything inherently contradictory about wanting to keep the enemy's knowledge of you to a minimum while maximizing your knowledge of the enemy.

So, ordinary Americans are 'the enemy,' at least in the eyes of our own government? What a perfectly terrifying prospect...

Re:contradiction per se

[kevinNCSU]

Are you saying ordinary Americans are trying to break encryption on NSA smart phones in order to intercept their communiques? Neither my post nor GP's mention ordinary Americans btw.

Re:contradiction per se

[tqk]

I don't think there's anything inherently contradictory about wanting to keep the enemy's knowledge of you to a minimum while maximizing your knowledge of the enemy.

So, ordinary Americans are 'the enemy,' at least in the eyes of our own government?

Nah, that's overstating it. Instead, think of your least appreciated manager, the idiot who was always sticking his nose into your business when least wanted, the guy who never should have had the job (due to absence of skills) and never would understand what you were being paid to do for the employer. That's the "ordinary American" you're talking about. "Gahddamned Constitution, rasafrackin', jiggafriggen, ... kroshnit!"

I agree with the poster above: Nokia N900. Lange is re-inventing the wheel.

Re:contradiction per se

[BJ_Covert_Action]

So, ordinary Americans are 'the enemy,' at least in the eyes of our own government?

I figure there are probably some folk in agencies like the NSA that have a skewed enough world view that they figure most people are criminals and, therefore, most Americans are, indeed, the enemy. That may not be the common mindest, but, yet, some folks in the NSA probably do see Americans as the enemy.

Re:contradiction per se

[Bob9113]

on the one hand they want to spy on each and everything
on the other hand they want to keep their turf secret

Does one have to be schizophrenic to work there?

I believe a more apt term would be megalomaniacal; believing oneself to have absolute moral superiority -- in this case, over a craven race of incipient terrorists, pedophiles, and copyright infringers.

Re:contradiction per se

The American people is "the enemy" now?

Re:contradiction per se

[GameboyRMH]

Ignoring the fact that the N900 is out of production and assuming the NSA would make their own software to allow for full-disk encryption etc, the N900 has no case intrusion detection and would be susceptible to a cold boot attack, which is a real possibility considering the resources that will be available to those who would like to break into this phone.

Re:contradiction per se

[kubitus]

the contradiction lies in :

.

on one side developing secure technology

and on the other hand you want to eavesdrop

.

you ain't need to explain that the NSA wants to eat the cake and keep it too!

and I'll bet that the ideas, if not the whole technology will land in the hands of those the NSA wants to spy on.

Re:contradiction per se

[petermgreen]

It's a simple rule of intelligence, the more people know something and the less well vetted those people are the greater the chance that one of those people is working for either a current enemy or at least a potential future enemy.

Re:contradiction per se

[tqk]

Ignoring the fact that the N900 is out of production ...

Easily fixed.

... and assuming the NSA would make their own software to allow for full-disk encryption ...

Linux distros routinely offer full disk encryption installs. You want better crypto than Linux offers? There's the source.

... the N900 has no case intrusion detection and would be susceptible to a cold boot attack ...

Oh, come on. Physical access has always meant vulnerable. Nothing new there. So don't store info locally if it's that important. It's a networked cell-phone, FFS!

Pedestrians.

It isn't hidden in a shoe but

[sgt+scrub]

This should be perfect

mmm fat consulting $$$$ (that's four dollar signs)

[Thud457]

The Android equivalent of SELinux and properly locked down phones?

yeah, because...

[FudRucker]

AT&T and the mass media propaganda machine spys on everyone's cellphones as it is now, (kind of makes that cell blocked 800MHz scanner thing a red herring)

No

Lange said that he wanted to see his secure smartphone reach beyond the NSA – ultimately to reach every 'every employee in the Defense Department, intelligence community and across government.

Yeah, so the NSA has a backdoor into every government worker's phone. No thanks.

Re:No

[said213]

"Yeah, so the NSA has a backdoor into every phone? thanks!" -FTFY

Re:No

[tqk]

Lange said that he wanted to see his secure smartphone reach beyond the NSA â" ultimately to reach every 'every employee in the Defense Department, intelligence community and across government.

Yeah, so the NSA has a backdoor into every government worker's phone.

I have no problem with that. That's already the situation in the private sector. You want privacy, buy your own phone/computer/...

Secure spying

[vvaduva]

There has to be a way for the Patriot Act spying to go mobile...you can't just have people spying on Americans from a cubicle somewhere when they can do it from the privacy of their own government-owned car...

Wow...

what a load of crap. There are no TS data of any kind on or connected to SIPR. The current slate of smart phones that can carry classified comms do NOT connect to SIPR (they are point to point only and use PKI or Shared Secret keys to stand up a P2P secure channel). This article is regarding the Fort's effort to come up with a TS SMEPED as they're known.

Re:Wow...

[said213]

Ignoring the notion that contractors such as Akamai have monitoring access to these devices is a dangerous misconception to have. There are avenues available for even this highly secured information to leak... nothing about this new device changes the NSA's outsourcing policies.

Don't leave it in a bar!

Hopefully the NSA won't be leaving their new super secret smartphone in a bar as Apple has done TWICE now!

Re:Don't leave it in a bar!

[MobileTatsu-NJG]

Hopefully the NSA won't $RECENTAPPLEHEADLINE.

Gah

[lightknight]

*facepalms*

How can they ask for something like this after doing everything in their power to ensure something like this can't be created?

Well, sure Mr. NSA, we can cobble together a secure phone for you...we'll just throw in an encryption / decryption chip and a process that prompts for a password every 5 minutes. And your agents will hate it, it will become compromised (journalists are so irresponsible), and it will become a waste of tax-payer money.

Did I mention it won't be secure? But don't worry; someone will tell you it can be done, and you'll pay them a lot of money, only to realize they lied.

Re:Gah

[dkleinsc]

How can they ask for something like this after doing everything in their power to ensure something like this can't be created?

This all makes perfect sense when you consider what the NSA's desired state of affairs is:
* The NSA, and only the NSA, are technically capable of spying on everybody and anybody at the drop of a hat.
* Nobody can spy on US government officials, and especially nobody can spy on the NSA.

It's worth pointing out that both of these activities are very much within the stated mission of the NSA.

Re:Gah

[elucido]

How can they ask for something like this after doing everything in their power to ensure something like this can't be created?

This all makes perfect sense when you consider what the NSA's desired state of affairs is:
* The NSA, and only the NSA, are technically capable of spying on everybody and anybody at the drop of a hat.
* Nobody can spy on US government officials, and especially nobody can spy on the NSA.

It's worth pointing out that both of these activities are very much within the stated mission of the NSA.

While it is true that the NSA can technically spy on anyone and everyone, it's not technically or practically true that nobody can spy on US government officials.

The NSA cracks codes and spies on everyone and this device wont help so I don't understand why its being created.

Small article error that changes the context a lot

"Secret Internet Protocol Router Network"

  "use is restricted to top-secret level communications"
This article contradicts it self, SIPR is only up to secret.

Been there, done that.

[markbark]

http://www.gdc4s.com/content/detail.cfm?item=32640fd9-0213-4330-a742-55106fbaff32

Looks like a Blackberry, but it's about an inch and a half thick and weighs about a pound.
Never before have I seen such hatred heaped upon an inanimate object by its user base.

Wireless, secure, cheap, reliable -- pick two.

Correction

[kevin_conaway]

SIPRNet only allows SECRET information and below. You need to be on JWICS to access Top Secret information.

Re:Correction

[elucido]

SIPRNet only allows SECRET information and below. You need to be on JWICS to access Top Secret information.

That doesn't make it any better. It's still a bad idea.

Re:Correction

[zerotorr]

If it's encrypted at the phone, then the information can be sent over unclassified lines. Once it's encrypted, it can be treated as unclassified assuming the encryption is approved.

A colossally bad idea

[RandCraw]

First of all, in order to take classified data out of a secure area, you have to seal it in an approved manner -- triple wrap it, stow it in a lockable opaque container, sign for it, and basically chain it to your body until it reaches its next secure location. That's been the rule in the DoD for over 50 years. Obviously a cell phone, even one with a password, doesn't meet any of these criteria.

Second, how are you going to access this device while maintaining secure surroundings? Based on the way people must use STU III phones (encrypted mil-spec) you must be in a locked room which is acceptably 'sound proof'. To read or write classified documents, you must be in a locked room with no windows (or that are shuttered).

Who is going to use a classified smartphone ONLY within a locked shielded room? And if the room is secure, who is going to get a 3G/4G signal inside a shielded SCIF?

This idea is not only completely unworkable, it's dumbass to the bone.

Re:A colossally bad idea

Actually, if the password meets the criteria for safe combos, and the device has enough anti-tamper to be considered as secure as a safe, you don't need all the wrapping.

Look at the GD Sectera Wireline Terminal as an example - unclassified "high value government asset" (e.g. always keep it locked when not in use, and it's inventoried every year) when locked, classified when the PIN is entered to unlock it.

Re:A colossally bad idea

[kevinNCSU]

First of all, in order to take classified data out of a secure area, you have to seal it in an approved manner -- triple wrap it, stow it in a lockable opaque container, sign for it, and basically chain it to your body until it reaches its next secure location. That's been the rule in the DoD for over 50 years

You know for Secret level stuff you can simply mail it right? As in regular post office right next to your post card to Aunt Jenny.

Re:A colossally bad idea

[Runaway1956]

You are exaggerating just a little. Yes, there are some rather tedious steps involved in removing classified documents from a secure area. But, the procedure you describe would be enforced on things one level above top secret. Mere Top Secret can be shoved into a standard, lockable briefcase, and toted to a car, and driven between bases. The shackles are totally unnecessary. Levels below top secret are handled much more casually, in my experience. Ship's movement schedules, for instance, are routinely classified as confidential, unless some factor demands that it be secret or top secret. Days later, those confidential ship's movement plans are common knowledge across the base, and beyond. Of course, those same confidential movement plans are often only that - plans. Only one of 6 tours of duty actually went as planned. Things came up to change the ship's schedule, like a war in Beruit City, or some other frivolous thing.

Re:A colossally bad idea

[mr.mctibbs]

He's exaggerating a little bit, and you're mostly right. Mailing secret requires double wrapping, not triple wrapping, and if it's digitally-stored information it of course ought to be encrypted, but it is thereafter pretty simple to transport.

Uh, wut?????

[luis_a_espinal]

"Troy Lange might work for one of the more secretive spy agencies in the United States, but he is happy to talk about his work. He is the NSA's mobility mission manager and he has been tasked with creating a smartphone that is secure enough to allow government personnel who deal with highly sensitive information to take their work on the road. At present, the U.S. Government has secure cellphones, they use the government's Secret Internet Protocol Router Network. The problem is that they can only communicate with other devices that are plugged into the network and their use is restricted to top-secret level communications. Lange wants a smartphone that is inter-operable and presumably trusted to deal with even more sensitive information. Lange said that he wanted to see his secure smartphone reach beyond the NSA – ultimately to reach every 'every employee in the Defense Department, intelligence community and across government.'"

More sensitive than TS? Maybe the article is poorly referring to handling of less sensitive data at the secret level, or beyond that, configuration of the device to handle (or refuse to handle) information transfer at a particular security clearance according to context (keys, location, clearance at each end point, whatever) as opposed to just TS-level information.

Or maybe the article is trying (again poorly) to refer to compartmentalization. That is, the device not only has a notion of TS, but also of compartments (and can handle/refuse to handle information according to applicable compartments at the TS level.)

Unless I'm missing something here, as presented in the article, that sentence makes no sense.

Great idea

[malraid]

And they should name the device the telescreen!!

Buy WebOS!

Maybe they should buy webOS from HP, and have there own OS. Bet HP would sell it cheap. hehe

governments should not have secrets

governments should not have secrets

Re:governments should not have secrets

Complete and utter bullshit. Only a moron would make such a statement. Or do you live in some fantasy land where, despite all of human history proving otherwise. everyone in the entire world magically just gets along and there is never a disagreement over anything? How do you negotiate with someone when your entire position is known? How do you protect yourself when all of your weaknesses (as well as strengths) are known?

Re:governments should not have secrets

[elucido]

Governments without secrets cannot exist at all.

Re:governments should not have secrets

[maxwell+demon]

So you think they should have continuously broadcasted their information about where Osama was hiding?
Well, I guess Osama would have liked it. :-)

Not comforting

[OhHellWithIt]

I've always suspected that my supposedly secure Blackberry has some kind of NSA or FBI back door, and this only serves to confirm my suspicion.

Re:Not comforting

[GameboyRMH]

Do you think the US and Canadian governments, at the very least, can't get access to any data that passes through RIM's servers not using a custom user-generated key?

Re:Not comforting

[icebraining]

What for? Blackberry devices, at least those not using a private BES, use the same key for every device. You don't need a back door, just sniff it the message and decrypt it with the key present in any phone.

PIN-to-PIN transmission security: PIN-to-PIN is not suitable for exchanging sensitive messages. Although PIN-to-PIN messages are encrypted using Triple-DES, the key used is a global cryptographic âoekeyâ that is common to every BlackBerry device all over the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed. Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the âoeBlackBerry Solution Security Technical Overviewâ [1] document published by RIM specifically advises users to âoeconsider PIN messages as scrambled, not encryptedâ.

http://www.cse-cst.gc.ca/its-sti/publications/itsb-bsti/itsb57b-eng.html

I thought they had end-to-end encryption, PGP-like. But no, they're less secure than sending an email to a GMail account (at least they use TLS). What a joke

Re:Not comforting

[OhHellWithIt]

Sheez! I didn't know that. They might as well use ROT-13!

Re:Not comforting

[OhHellWithIt]

No. For starters, there's the law passed in the 1990s (or before) mandating that telcos provide wiretapping capability for cell phones. But I'm really disgusted by icebraining's revelation that it's technically possible for anyone else with a Blackberry to sniff my phone's communications. (At least they would die of boredom if they did!)

Putting weapons in the hand of terrorist

[renzhi]

Hmm, are you trying to put weapons in the hand of everyone, and especially terrorists? I don't think so. Have you forgotten that encryption technologies are considered as weapons by your own government?

Re:mmm fat consulting $$$$ (that's four dollar sig

[LucidBeast]

And made in china components...

Confirmation bias + Dunning–Kruger effect

[luis_a_espinal]

*facepalms*

How can they ask for something like this after doing everything in their power to ensure something like this can't be created?.

Uh, there is nothing preventing a US citizen or legal resident from creating a device that can handle information at different security levels, even TS. You are prevented (and rightly so) from having one already created *for them*, or to create a device that circumvent *their* information handling. But there is nothing that prevents you from creating one from scratch, even a more powerful (though it would be unlikely that you can market one of such from-scratch devices to them after building it outside of their specs.)

Long story short: any technical preventions by NSA are for those not in the NSA.

Well, sure Mr. NSA, we can cobble together a secure phone for you...we'll just throw in an encryption / decryption chip and a process that prompts for a password every 5 minutes. And your agents will hate it, it will become compromised (journalists are so irresponsible), and it will become a waste of tax-payer money.

That's a bit of a non-sequitur as building such a device takes a little bit more than just cobbling an encryption/decryption chip. I'm not necessarily sure where you are going with this (beyond mere rhetoric.)

Did I mention it won't be secure? But don't worry; someone will tell you it can be done, and you'll pay them a lot of money, only to realize they lied.

Uh, again, overt simplification of how these things are commissioned and built. No one can just go and say "it can be done" as such high-risk projects will be first assessed for viability by someone like MITRE for example. I mean, the NSA has an army of Ph.Ds in Mathematics, Computer Science and Computer/Electrical engineering with work experience in cryptanalysis, algorithms, VLSI, SoC and network hardware and communication protocols (both practical and theoretical) as well as defense contractors that build things like f* missiles, radar systems, jammers, and other incredibly complex shit like that.

I could be wrong, but I could bet just surely that you are over estimating your understanding on this issue (and under estimating theirs.) Don't let that stop your rhetoric, though ;)

Re:Confirmation bias + Dunning–Kruger effect

Say that to TRON - oh wait, he's dead. R.I.P.

Re:Confirmation bias + Dunning–Kruger effect

[aaaaaaargh!]

Uh, there is nothing preventing a US citizen or legal resident from creating a device that can handle information at different security levels, even TS.

I wouldn't be so sure about that. Officially, yes, you may by now create a phone that does secure voice encryption without any backdoor or key escrow. Some data-channel apps out there claim to do that. But if you implement such an app on your own, I wouldn't be surprised if somebody had a long talk with you...

Don't forget that there is the PATRIOT act -- as long as it is in place no US-made encryption device can be considered secure.

Re:Confirmation bias + Dunning–Kruger effect

[luis_a_espinal]

Uh, there is nothing preventing a US citizen or legal resident from creating a device that can handle information at different security levels, even TS.

I wouldn't be so sure about that. Officially, yes, you may by now create a phone that does secure voice encryption without any backdoor or key escrow. Some data-channel apps out there claim to do that. But if you implement such an app on your own, I wouldn't be surprised if somebody had a long talk with you...

Don't forget that there is the PATRIOT act -- as long as it is in place no US-made encryption device can be considered secure.

Can you quote the precise piece of the PATRIOT act that deals specifically with this, and that will get the MiB to show to my house if I'm building such a device? I'm not a fan of the act, but I think you are attributing an interpretation to it that simply does not follow even in the paranoid sense.

Re:Confirmation bias + Dunning–Kruger effect

[aaaaaaargh!]

Can you quote the precise piece of the PATRIOT act that deals specifically with this, and that will get the MiB to show to my house if I'm building such a device? I'm not a fan of the act, but I think you are attributing an interpretation to it that simply does not follow even in the paranoid sense.

*Specific* passages? -- Have you *ever* read any law? There are barely ever any *specific* passages in laws...

Anyway, Patriot Act Title II, sections 201, 202, 204, 209, 210, 211 are the relevant passages.

I'm not saying that the issue is crystal-clear or that the "MiB" could use the PATRIOT act to *rightfully and constitutionally* force you to implement a backdoor. I've just said that someone might have a long talk with you as the implementor of a voice encryption device, not that the threats you will hear in this talk are water-proof up til the Supreme Court. The legal issues are complicated, they e.g. depend on whether the maker of the secure communications device is also classified as a communications provider.

Re:Confirmation bias + Dunning–Kruger effect

[luis_a_espinal]

Can you quote the precise piece of the PATRIOT act that deals specifically with this, and that will get the MiB to show to my house if I'm building such a device? I'm not a fan of the act, but I think you are attributing an interpretation to it that simply does not follow even in the paranoid sense.

*Specific* passages? -- Have you *ever* read any law? There are barely ever any *specific* passages in laws...

Anyway, Patriot Act Title II, sections 201, 202, 204, 209, 210, 211 are the relevant passages.

Section 201 deals with the government powers for intercepting communication related to terrorism. Section 202 deals with similar powers but in the context of computer fraud. How do section 201 and 202 that prevent me from building a TS-capable communication device? How are these two sections relevant to the discussion at hand?

Section 204 deals with limitations on communication interceptions (including electronic communication) by a party other than authorized government agencies. This is no way precludes me from building a TS-capable communication device. It precludes me from using such a device for intercepting electronic communication, and in fact the capacity to handle a TS-level communication does not imply a capacity to intercept at that level or at any level. Communication != interception. So please explain to me how this section prevents from building a TS-capable communication device? How is this section relevant to the discussion at hand?

Same questions regarding section 209, 210 and 211. According to you maybe I haven't read the memo (and by following your post line of logic, you have). So please illuminate me on how these sections prevent me from building the artifact in question.

Just because you copy/paste section numbers do not magically turn your hand-waving into a fact. Maybe you are right and my interpretation is wrong, but so far, you have done a poor job in presenting facts (facts, not opinions) that either demonstrate your point, or at least provide reasonable premises from which to deduce your point as a logical conclusion.

I'm not saying that the issue is crystal-clear or that the "MiB" could use the PATRIOT act to *rightfully and constitutionally* force you to implement a backdoor. I've just said that someone might have a long talk with you as the implementor of a voice encryption device, not that the threats you will hear in this talk are water-proof up til the Supreme Court. The legal issues are complicated, they e.g. depend on whether the maker of the secure communications device is also classified as a communications provider.

Re:Confirmation bias + Dunning–Kruger effect

[aaaaaaargh!]

Can you quote the precise piece of the PATRIOT act that deals specifically with this, and that will get the MiB to show to my house if I'm building such a device? I'm not a fan of the act, but I think you are attributing an interpretation to it that simply does not follow even in the paranoid sense.

*Specific* passages? -- Have you *ever* read any law? There are barely ever any *specific* passages in laws...

Anyway, Patriot Act Title II, sections 201, 202, 204, 209, 210, 211 are the relevant passages.

Section 201 deals with the government powers for intercepting communication related to terrorism. Section 202 deals with similar powers but in the context of computer fraud. How do section 201 and 202 that prevent me from building a TS-capable communication device? How are these two sections relevant to the discussion at hand?

"deals with...." could you be a tad bit more unspecific??

First: I didn't say anywhere that these sections of the PATRIOT Act prevent you from building a voice encryption device that does not have any backdoor. I said that nowhere. Learn how to read. Really. I said the PATRIOT Act provides all the means to scare developers into implementing such a backdoor (be that ultimately lawful or not) and I wouldn't be surprised if it were used for that purpose. (And nobody might ever know because of so-called gag orders.)

Second, you have to take the act in combination with other laws in place such as the CALEA act from 1994: "The Act obliges telecommunications companies to make it possible for law enforcement agencies to tap any phone conversations carried out over its networks, as well as making call detail records available. The act stipulates that it must not be possible for a person to detect that his or her conversation is being monitored by the respective government agency." [wikipedia]

In other words, nobody prevents you from building such a device, as you rightly said, as long you are not providing the means for anyone to actually use it. Once you offer a service for encrypted voice communication or otherwise qualify as a communication provider you can be forced by CALEA to implement a backdoor and you can be required by the PATRIOT Act (and actually a whole bunch of other laws that might apply) not to inform anyone of it.

Now before you continue by paraphrasing the CALEA Act in the vaguest way possible ("deals with...") to try to disprove me, please just let it be. Security is a matter of trust. If you trust security of crypto products from a country with CALEA and Patriot Act in place, that's your problem and I really don't care.

Simple solution.

[LWATCDR]

1. Create a nation wide LTE network using IPv6.
2. Use end to end encryption on all devices and only use VOIP for voice.
3. Allow the rest of the nation to use the network in the same way.
4. Place highly accurate time bases in all LTE towers so where you have tower overlap you can get extremely precise locations even indoors.
5. When overlap is not available use the LTE tower in the aGPS mode to provide the ephemeris data almanac as well as improved location based on differential GPS with the LTE tower as a base reference.
Then charge all the carriers to use this network and allow the consumer real choice in carriers. The carriers would in effect become nothing but dumb pipe suppliers and VOIP suppliers.

Where Could You Use This

[theManInTheYellowHat]

So lets say that you have this super secret network smartphone and you had a super secret topic that you wanted to talk about with another super secret person. Where could you have this discussion and should you even be talking out loud? Wouldn't you need to be in a building somewhere that has sound insulation, or some other mechanism to keep your voice from being picked up from some other microphone than the one on your super secret smart phone? Or is it a fancy camera phone and not meant for voice? I hope that the camera is better than the one on my smartphone.....

Re:Where Could You Use This

[Chris+Mattern]

Where could you have this discussion and should you even be talking out loud? Wouldn't you need to be in a building somewhere that has sound insulation, or some other mechanism to keep your voice from being picked up from some other microphone than the one on your super secret smart phone?

That's what the Cone of Silence is for!

Re:Where Could You Use This

[GameboyRMH]

If they use IM instead, they just have to make sure nobody can see the thumb keyboard or do a TEMPEST-type attack on the phone (easy to shield against, if it's possible at all).

Export control ?

And of course, they won't be allowed to use it outside the USA, because it won't get an export license due to the encryption.

So just what do you need a secure encrypted

Re:Export control ?

[blueg3]

For one, the NSA probably doesn't plan on exporting it.

For another, there are plenty of standard encryption libraries that are already approved for export from the US and implement Top-Secret-level encryption. That's probably because we don't significantly restrict export of cryptography any more.

No problem!

[Lumpy]

Several china manufacturers will gladly make you these phones.

Re:No problem!

In Communist China, Top Secret Phone encrypts YOU!

Re:No problem!

I was gonna say the same thing but you said it more humorously. It doesn't matter how they securely design this phone if all the components are sourced from who knows what Chinese factory owned by unknown "capitalist entrepreneurs."

LOL

[rhyvun]

This sounds like an absolutely terrible idea.
Has history not proved that if it exists it can be broken, eventually?

What is at stake if his "secure" smartphone is broken? If I were the NSA I would be looking for a new communications expert... one with a stronger background in history, and info sec.

For what it's worth, the NSA DOES own its own fab

[jpstanle]

They certainly don't have the capacity to mass produce a smartphone, but they make plenty of silicon in-house

Why don't they just use Red Phone?

http://www.whispersys.com/
They could just expand the App to work with data too. Or fix the encryption for our current network, but then they would actually have to get jurisdiction to listen to our calls, instead of just doing it anyways.

Re:Small article error that changes the context a

mod parent up. summary doesn't seem to know what he's actually dealing with here.

It's a bad idea and not good enough.

[elucido]

It's a really bad, in fact, it's a stupid idea to try to use a mobile toy smartphone for something like this.

It's not about the encryption either. Every single component in that smartphone will have to be made by the right people and in such a way so that there isn't a hardware backdoor. Every piece of software would have to be audited, And even then I still think it's a bad idea to do this.

The encryption part is easy. It's easy to create schemes which are perfectly secure. It's difficult to defend against user error, against the phone being lost or being operated by someone other than the owner.

How would they even do authentication? If it's a password then that will be easily defeated. If it's 2 factor authentication that could still be easily defeated. I just cannot see how this is a good idea, and I'd think it would be silly use smart phones to handle classified information.

Re:It's a bad idea and not good enough.

[gorzek]

Indeed. This has "multi-billion-dollar boondoggle" written all over it.

Re:It's a bad idea and not good enough.

[GameboyRMH]

Encrypted partitions + well-secured lock screen with anti-bruteforce + case intrusion detection systems (to prevent cold boot attack) + self-destruct systems (remote wipe + dead man's switch) = really fucking good security.

Re:It's a bad idea and not good enough.

[Ouchie]

Most likely they will spend millions on a new data standard and building a proprietary network to protect the data in transit but completely forget about the physical safeguards mentioned above. This will facilitate multiple intelligence leaks caused by Congressmen leaving their phones at strip clubs and brothels.

Re:It's a bad idea and not good enough.

[elucido]

Encrypted partitions + well-secured lock screen with anti-bruteforce + case intrusion detection systems (to prevent cold boot attack) + self-destruct systems (remote wipe + dead man's switch) = really fucking good security.

Not at all. When you type in your password it creates sound frequencies, perhaps indicating what keys were pressed and what the password is. This makes you encrypted partition useless since you wont be able to log into it without leaking sound frequencies which could help hackers reconstruct the password. Since there as so many emissions, some which we might not know anything about or not know they even exist, it's not safe to enter in a password or handle a device like that in an uncontrolled environment.

Re:It's a bad idea and not good enough.

[GameboyRMH]

Then use an on-screen keyboard with a randomized layout for password entry. Assuming a layer of rubber padding behind the keyboard circuit isn't good enough.

Re:It's a bad idea and not good enough.

[bberens]

Good luck with that. Let me design and build your CPU, I appreciate you wasting battery/cpu by encrypting all your data... it stops my customers from getting your data from anyone but me.

Re:It's a bad idea and not good enough.

[GameboyRMH]

You realize that many off-the-shelf phones you can buy right now support and commonly use full-"disk" encryption? WP7 forces it on microSD storage.

Re:It's a bad idea and not good enough.

[elucido]

Then use an on-screen keyboard with a randomized layout for password entry. Assuming a layer of rubber padding behind the keyboard circuit isn't good enough.

The smartphone emits radiation, because of the electricity flowing through the screen. It emits light from the screen which can be detected by a human or a non human. It emits sound as the human presses on the on screen keyboard, but also the electrical signal is going to change depending on where their fingers are and this will emit signals which can be reconstructed.

What I'm saying is information is going to leak through any emission from that device. The enemy simply has to know what to look for, and build devices to detect the emissions. Not every emission is stuff the general public believes can be detected, but when there's enough research and enough money, any leak can be reconstructed even if its stuff people never thought about or don't know about.

For this reason it's not ever going to be safe enough for classified information. It's smarter to build top secret phone booths with a phone in there than to use a smart phone in an open field.

Re:It's a bad idea and not good enough.

Randomized layout, per entry is what he meant. Sure you could reconstruct given enough data on a single layout, but if you force the layout to change every minute (or every keypress if you're really paranoid), you're petty much okay from any super-device than can detect extremely feint signals.

They are worried about Bradley Manning?

[elucido]

How can they claim to be worried about situations presented in the Bradley Manning case if they want to simultaneously bring SIPRNet to your hip? Just the concept of trying to have mobility and security seems a bit naive.

Really?

That person over there has a strange phone oh that's right, that is a spy phone so ....... They are a spy!

Re:Small article error that changes the context a

[maxwell+demon]

"Secret Internet Protocol Router Network"

  "use is restricted to top-secret level communications"
This article contradicts it self, SIPR is only up to secret.

Ah, that explains the statement "Lange wants a smartphone that is inter-operable and presumably trusted to deal with even more sensitive information." I already wondered what information would be more sensitive than top secret.

on second thought

SCREW EM hackity hack hack
lets give it right back at them.

This...

will certainly end in tears. Secure (classified) information on a mobile device? What could possibly go wrong here?

Tracked by the Russian FIS/SVR? Of course.

[elucido]

To think that these employees aren't going to be tracked by foreign intelligence is impetuous in itself when the mission of many of these foreign intelligence agencies is to extract secrets from the US government.

Employees who carry this phone are going to be targeted. And it's not the US spies they'll have to worry about.

Emission leaks.

[elucido]

It still does not change the fact that using a cellphone leaks emissions. Those emissions can be deciphered because of a human being can read the screen and decipher it, a non human can detect the emissions and decipher the signals to read the same screen.

So most importantly would be finding a secure location to use the phone in such a way that nothing can leak. Light, sound, radiation, no emission whatsoever must leak from the secure room, and if you have to be in a special room to use these phones then it defeats the purpose of having them because why not just use a desktop computer in that special room?

Re:Emission leaks.

[Anthony+Mouse]

Scenario: Your operative is in an unsecured location preparing for a mission. There is no SCIF in his vicinity. You learn new information which is relevant and must be communicated to him immediately.

It seems obvious that having a communications device which is as secure as practicable under those conditions is preferable to e.g. sending a completely unencrypted text message to his COTS cell phone.

Re:Emission leaks.

[elucido]

Scenario: Your operative is in an unsecured location preparing for a mission. There is no SCIF in his vicinity. You learn new information which is relevant and must be communicated to him immediately.

It seems obvious that having a communications device which is as secure as practicable under those conditions is preferable to e.g. sending a completely unencrypted text message to his COTS cell phone.

I disagree. If there is no SCIF in his vicinity he should not communicate classified information. Classified information should never be communicated over an unclassified channel. If there is even a slim chance that the enemy can detect and
intercept a signal or emission which can lead to the reconstruction of classified information then it's not worth the risk.

Honestly, the operative would be more secure using a radio cold war style than to use a smart phone. If you look at the history of radio transmissions you'll see that typically foreign intelligence immediately detects the transmissions, and through triangulation they can locate the individual making the transmission. Foreign intelligence also intercepts cellphone calls, because cellphone signals are easy to intercept and listen in on. There is no way to secure the emissions of a smartphone, it's not technically possible. There will always be a leak where the classified information can be reconstructed. Because of this it's important to never allow classified information to be emitted anywhere where there isn't absolute complete control over the environment.

No amount of encryption will change this. No amount of apps will change this. An text message isn't secure because it has to be typed. So the emission is the keystrokes themselves and that will be intercepted. And in the case of the display, the light, radiation and flow of electricity will be detected and the information reconstructed based on that.

Re:Emission leaks.

[icebike]

No amount of encryption will change this. No amount of apps will change this. An text message isn't secure because it has to be typed. So the emission is the keystrokes themselves and that will be intercepted. And in the case of the display, the light, radiation and flow of electricity will be detected and the information reconstructed based on that.

Someone has been watching too many spy movies.

Look, this isn't about deep cover missions inside Iran or China.
(Where merely having a cell phone of unusual manufacture puts you under suspicious).

Its about use in casual every day situations in urban areas where cell phones are common, and you can speak and listen to a conversation without attracting a great deal of suspicion. A street in New York, A bar in Paris, a market in Algeria. 200 people in the same cell triangle on the phone at the same time.

Almost all they need is voice/data encryption and device wipe. Data encryption is already available on consumer devices, as is remote wipe. But voice has to be encrypted end to end, because it almost always ends up going across commercial circuits somewhere in its travel.

In short, the NSA is looking for protection from people like, well, the NSA. They are not worried about someone out of a movie script sitting in a white van parked 6 blocks away listening to their keystrokes, because in real life, that does not work, and it certainly doesn't work in a crowd.

Re:Emission leaks.

[Smallpond]

You are talking about the Tempest standards which have been around since before 1980 (not sure how long before - it's existence was classified then).

Re:Emission leaks.

[elucido]

Someone has been watching too many spy movies

Or someone knows something about information security that you don't. Try and keep up because this isn't the movies it's real life.

Look, this isn't about deep cover missions inside Iran or China.

Iran and China have cyberwarfare spending. They have trained hackers specifically to attack government employees, and government infrasturcture. Cuba has been tapping phones in the USA for years.

(Where merely having a cell phone of unusual manufacture puts you under suspicious).Its about use in casual every day situations in urban areas where cell phones are common, and you can speak and listen to a conversation without attracting a great deal of suspicion.

If you work for the federal government you are going to be one of the main targets. If you work for the federal government and you have one of these cellphones you and that cellphone are going to be an even bigger target. An urban area where there are lots of people provides the opportune cover for exactly the sort of threats we have to be concerned about. That has to be the worst environment possible to handle classified information.

A street in New York, A bar in Paris, a market in Algeria. 200 people in the same cell triangle on the phone at the same time.

Security through obscurity? Are you saying classified information would be protected by this?

Almost all they need is voice/data encryption and device wipe. Data encryption is already available on consumer devices, as is remote wipe.

So you and your buddy walk into a bar with one of these phones. Little do you know, there are sensors in this bar designed to pick up the signals and emissions of cellphones. What I'm saying is you don't know the security level of the bar, you assume that obscurity means security. You assume that the people using these phones are perfectly secure. I don't assume any of that. I assume they will be targets and that carrying these phones will put the information in greater risk and that the risk in this instance does not outweigh the benefits.

But voice has to be encrypted end to end, because it almost always ends up going across commercial circuits somewhere in its travel.

In short, the NSA is looking for protection from people like, well, the NSA. They are not worried about someone out of a movie script sitting in a white van parked 6 blocks away listening to their keystrokes, because in real life, that does not work, and it certainly doesn't work in a crowd.

The NSA should be worried about all threats. Not just obvious threats but not so obvious threats and of course potential future threats. Just because the enemy isn't utilizing white vans to monitor keystrokes at this time, if you leave a security hole open, by giving out cellphones like these, it's only a matter of time before a scenario like this happens. Will the government be checking every van the parks next to the bars? I honestly don't think it's going to be so easy.

And real life isn't scripted like a movie, it's completely unpredictable. What these mobile devices do is add a new layer of uncertainty for a negligible benefit. That uncertainty is opportunity for the adversary.

Technology itself is uncertainty. You cannot predict what technology the adversary will come up with to counter this technology. We know only the research that has been done, and the research already shows that cellphones can easily be tapped, that emissions can easily be captured, and whether it takes a van or briefcase or something smaller depends entirely on the sophistication of the technology, and that is unpredictable. So you're assuming it's always going to be this way, that the adversary will never develop a counter technology, or counter measures, that something like this could only happen in a movie. But guess what? These smartphones are also som

Re:Small article error that changes the context a

hence the entire article is crap. You also cannot take it seriously that the use of the phone is unrestricted according to location. You simply cannot talk any classification level out in the open.

Re:Small article error that changes the context a

[RobertLTux]

i think above TS you get into "special access" things where there is an actual list of who has a copy of the data (with sometimes even the NAME of the project can get you SHOT).

I Do Not Currently Hold Top Secret Clearance (but do have dogtags).

Inherently doomed

[Beryllium+Sphere(tm)]

Phones get lost and stolen All The Time. Then the bad guy has unfettered physical access to the device. Normally that means Game Over. Suppose they try to make it tamperproof, ignoring the lessons of history. A targeted pickpocket will deliver it into the hands of a national intelligence agency.

You'd have to have a design that makes local storage impossible, which would make for a very strange smartphone.

Re:Inherently doomed

[GameboyRMH]

You'd have to have a design that makes local storage impossible, which would make for a very strange smartphone.

There's nothing wrong with that if you just need to access some plaintext. The only limitation to remote storage is bandwidth.

Thales did this for the french gov.t one year ago

[Herve5]

all is in the title, indeed... capable of working both the normal GSM way and with various levels of encryption...
Various evolutions and models since then, like for instance
http://www.thalesgroup.com/Press_Releases/Markets/Security/2011/Thales_launches_Every_Talk,_the_first_ruggedized_high-speed_smartphone_for_security_forces/?pid=15928

doable

mission: to allow senator halfwit to export 10,000 american jobs to mexico without getting caught.
tech: an encrypted cellphone that talks with a central server that decrypts the call and sends it on to the recipient. No risk of radio intercept on your end or a spy in the telco listening in. So long as the other end has the same you're good to go.

Re:Small article error that changes the context a

The SME-PED does SIPR data communications. Voice runs over the normal telephone network and can go up to the TS level.

their own security is good

[KingAlanI]

whatever you say about security theater and such, the government does seem serious about securing its own stuff.

Re:their own security is good

[Smallpond]

Are you joking?
http://www.tgdaily.com/security-features/51469-dhs-fails-cyber-security-audit

The NSA may know something about security, but the government as a whole certainly doesn't.

Not for talking

[mr.mctibbs]

These are not intended for voice communications involving the discussion of classified material. These are only for EMAIL and for getting access to classified web sites. Additionally, they are probably talking about a JWICS-compatible phone. We already have phones that talk to SIPR, they're called SME-PEDs and they're big ugly PoS's. Personally, I think they're a terrible idea. Not because there's any realistic threat of shoulder surfing, but because it brings us down to the level of all the other corporate plebs who have to answer their email wherever they are. And these phones aren't cheap. No sir.

Re:Not for talking

[PPH]

So, no BlueTooth?

Not China, and it will cost

[DragonHawk]

The current STE (Secure Terminal Equipment, the rename of the STU (Secure Telephone Unit) series) costs around $3500 for the basic model. The technology in it is rather inferior my contemporary geek standards. One of the big reasons it costs so much is all the critical technology is sourced within the US from trusted sources. (Well, that's the theory, anyway.)

The NSA goes to considerable lengths and expense to protect their supply chain. (It's easy to spare no expense when you're spending others' money.)

The NSA is smarter than you think

[DragonHawk]

But don't worry; someone will tell you it can be done, and you'll pay them a lot of money, only to realize they lied.

The NSA employs more mathematicians than any other organization in the world. I don't know you from Adam, but it's still a near-certainty that they have people much smarter than either of us working for them. They often fab their own silicon, build their own hardware, write their own software -- all from the ground up.

Whether or not this particular project will be a success is an open question -- the NSA is hardly immune to the Dilbert-style failings of any large bureaucracy, and "National Stupidity Agency" is a common-enough expansion -- but don't assume they'll fail just because you disagree with their mission and/or policies.

I object to that remark!

[DragonHawk]

I believe a more apt term would be megalomaniacal; believing oneself to have absolute moral superiority -- in this case, over a craven race of incipient terrorists, pedophiles, and copyright infringers.

Hey now! Do you have any evidence at all that any copyright infringement is going on?

Y.O.U.

[muckracer]

So what about us normal and decent folks? What options exist for us to end-to-end encrypt calls and messages (at minimum)? Anything open-source out there, that let's you do that?

Re:Small article error that changes the context a

"Secret Internet Protocol Router Network"

  "use is restricted to top-secret level communications"
This article contradicts it self, SIPR is only up to secret.

Right on, thanks for posting it for me. Also would like to point out the human factor that will take place. Someone WILL lose their phone, whether it be on accident or an outside entity.

Contact Troy

I believe there are some really good ideas here, and that we can put them together in a comprehensive way and lend Mr. Lange a hand. Anyone know how to contact him?