Slashdot Mirror
Thank Goodness For the NSA — A Fable
davecb writes "Slaw was kind enough to post my fable on how to not have a problem with the NSA, Thank Goodness for the NSA, and a link to the more technical MAC paper. My challenge to the Slashdot community: what's the first big step to making this all come true?"
The actual title should be "thank goodness $SECURITY_THREAT made use realize our security was worse than crap".
`echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
The Article:
If it weren't for the U.S. National Security Agency's trying to spy on everyone in the world, Bleeker Street Law would have been a cooked goose.
Back in 2013, we had a group of clients from a particular country applying for refugee status here in Canada. Because the NSA spying was in the news, we did a forensic audit of our computers, just to be safe. We promptly discovered that we had been hacked. Not by our clients' former national security service, or by the NSA, but by a for-profit organization. A set of aspiring criminals had broken our security and were making everything they stole available by subscription on Silk Road. Several foreign firms and at least one government had subscribed to us. . . .
The country in question had a revolution, Silk Road doesn't exist any more, and we now have a much simpler but more secure computer system, mostly on tablets and phones.
What we do differently
We used to worry about privileged communications with our clients, because we did all too much communicating with ordinary unencrypted email. Now we have encryption programs for our pads and phones, and encrypted email to boot. Older machines storing files get them already encrypted, so crooks can't just subscribe to “every updated file”.
One new machine keeps the keys. We guard it like the cabinet of office keys, and it in turn is locked in the law librarian's office and not connected to networks.
What's on the pads?
Pads are very popular, and both Apple and Android have “end to end” encryption programs on them. This allows us to “label” files with encryption keys, so only the right people can decrypt them.
Personal information is labeled with the person's name, which in effect means it is encrypted with the person's personal key. Business information is labeled with both Bleeker Street's name and the name of the person whose pad or phone it is on. It is therefore encrypted with a per-person business key.
Only little bits of data are in memory and unencrypted at any time, and because it's labeled, it's re-encrypted when it's written back to disk..
Clients can download a free app and have secure email labeled “From client, for Bleeker Street”. We have the for-pay version and can talk to them and to each other, using keys that live in the locked machine.
What's in the keystore?
Our keys, starting with a private key for each of us, then a collection of public keys from our staff and clients, and finally a collection of keys, each of which is for the combination of Bleeker Street and an individual staff member or client. We also have some signatures for software we use (we have a secure subscription), certificates for web pages and the like.
A legitimate investigator can get a court order to get individual keys, but they won't get all the keys and therefore individual lawyers and clients aren't at risk from them.
Where's the risk now?
Stealing data while it's in use is the big risk, followed by people shoulder-surfing for passwords when they're typed. The labeling of accounts keeps most data safe from anyone other than its owner, but if someone subverts the machine itself, they can get data from memory and tiptoe away with it.
It's not perfect security, but we're not an attractive nuisance any more. Criminals used to target us because we had lots of valuable information in one place. No longer: now they have to attack individuals.
They still do, mind you: someone tried to claim they were a partner's daughter in a foreign jail last week; but they can't just break into a file server and take the company's crown jewels. If they do that now, all they'll get is encrypted files, which are about as valuable as zircons.
E. Nothing to do with the NSA, and not a fable. His company's security sucked, they got hacked, the improved their security. That's TFA.
So, what these articles are both calling for is Capability Based Security, in which you feed a list of resources to the OS when you run a program. This has the pleasant and reasonable effect of limiting the side effects a program can do, and protects the user, the operating system, and everyone else on the internet.
The trusted systems of the 1980s required the Administrator to supply these lists... it could reasonably be done by users these days, because we're all system administrators of our own machines, when it comes down to brass tacks. It doesn't even have to look much different than what we're used to seeing. A capability based version of Word would ask the system to get a file... which would do so via a "powerbox" (a secure way of picking files which side-steps the application doing it directly).
I applaud this fellow traveler who seeks the same sane approach I've been shouting about for years. 8)
Thank the person that brought these security breaches to light, not the people who have been illegally performing them.
Well, yay for corporate censorship combined with misleading headlines, then.
Having worked with some law offices (lawyers individually too), and seen their complete blase attitude to the information that they hold in their files, this surprises me not at all.
Too many attorneys think that because the law says their information is private that it is so, and are absolutely shocked when the other side produces confidential conversations that went through gmail or some other source.
Truly astounding.
Try to convince yourself that you didn't just get tricked into reading an article.
Politics; n. : A religion whereby man is god.
Except for this little bit in the italics below the main article text:
All of the capabilities mentioned are real as of 2013, and have some degree of availability. No-one has a product that provides them all as yet. Full disclosure: I once proposed this to a device manufacturer, who thought no-one would ever need it.
Sorry, it still is a fable.
Er... if the keys are kept on an airgapped machine, how do they decrypt/encrypt the messages?
Or do they mean that they have personal and master keys, and the master key is kept airgapped, while the personal keys are kept on the devices (individual can encrypt/decrypt their own data, but only airgapped master keys can decrypt ALL corporate data)?
Also, this does nothing to prevent phishing for account details. I also notice that the fable refers to local encryption/decryption and passwords, but also keys. Wouldn't they do better to use two factor authentication, and for sensitive documents, require the key of a partner as well as whatever employee is encrypting/decrypting the data? This could be done via SMS challenge/response, where the partner's key is never made public.
Interestingly, the other item that he missed was DLP -- software is smart enough now to automatically encrypt data with the correct key based on content and metadata. THIS should be the default.
If it weren't for our own inept network security implementation, all are eggs would have been in one basket.
Hitler, the Black Death, Attila the Hun, Toba, the Chicxulub asteroid, whatever caused the Great Dying and so on. That we survived despite (at a very high cost) them don't mean that we must be grateful for what they did, even if that meant that had a role on the changes that ended with us right how we are now.
It mainly is an emphasis on going with endpoint security... something which should have been done well before the NSA came to be a boogeyman.
Of course, the article glosses over the biggest gotcha of endpoint encryption... key management. eDiscovery is a major part of business these days, and having a way to recover documents is often mandated by some regulation.
For a small law firm, this isn't a big deal. You get all employees to send stuff out that has the firm's ADK (additional decryption key) attached, and the private part of the ADK is printed out, stored somewhere very secure [1], and that takes care of eDiscovery requirements.
For a bigger company, key management becomes a lot more hairy. If one wants to trade some security for recoverability, S/MIME is usable and fairly easy to get set up on Android, iOS, it is a lot tougher but doable (AFIAK, requires Exchange as a backend.)
[1]: In a previous life, one company I worked for had a holding corporation. This secondary company had a small, unmarked office at a busy office building. The office was protected by an alarm with two codes (normal disarm, disarm + silent alarm), and in the back was a large TL30 x 6 safe with a Mas-Hamilton X-08 (they are up to X-09 now) lock. The safe was used for storing tapes, and a locked compartment similar to a safe deposit box held printed private keys as well as copies burned to optical media. Not 100%, but it did the job of keeping things secure. Of course, said office ended up becoming the company man cave until the business folded.
E. Nothing to do with the NSA, and not a fable. His company's security sucked, they got hacked, the improved their security. That's TFA.
Actually, it does derive directly from the NSA. Specifically, it comes from the NSA's research on Mandatory Access Control, which is the theory underlying all that discussion of "labels". MAC doesn't necessarily use encryption; in its original design it was intended that the operating system enforce the access controls, but it actually matches quite neatly with the capabilities of labels which correspond to private keys.
So the fable (I agree that it's not a fable) is about using NSA-developed ideas to secure your data. All of the security technologies used in the story also had their roots in NSA work -- and in the past that meant that it was almost certainly good work, in fact among the best in the world. It's only recently that the NSA has apparently forgotten the part of their mission statement that involves keeping US security technologies strong.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
The one machine that has all the keys is in a locked office, not connected to the Net.
Lessee, 1) do they *also* have an offsite backup of that info in a safe deposit box somewhere?
2) if not, and there's a fire, what happens to their company?
3) Who installed the lock on the door? Does the building engineer have a key? How does
he protect that?
4) Who cleans the room? And when they do, do they shove the electric motorted floor cleaner
up against the system?
5) What happens if the h/d fails?
mark "I *know* y'all can come up with more reasons"
Aha! That sounds interesting, but as a search term, I get everything ever written about data loss protection (;-))
davecb@spamcop.net
This is a Canadian law firm. The NSA is supposed to be weakening their security so they have data to trade with Canada's 4 letter agencies for data on Americans. This way everyone can legally spy without breaking those pesky Constitution things.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Alas, it is a fable: the story is set some years into the future, when such capabilities can be bought off the shelf.
davecb@spamcop.net