TrueCrypt, the free open source full disk encryption program favoured by many security-savvy people, including apparently Edward Snowden, is no more. Its website now redirects to its SourceForge page which starts with this message:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
This statement is so full of problems it is difficult to know where to start.
Is it a canary?
Canaries are warnings by a different method (if a canary died in a mine, the likelihood was that poison gas, otherwise yet undetected, was present). So one suggestion is that this message indicates government interference, and like Levison and Lavabit, it has been shut down to protect the users. (Levison said, “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.”) Some have gone so far as to suggest a more explicit warning in TrueCrypt’s first paragraph: “not secure as”.
But for me the strongest suggestion that this might be a canary warning is the recommendation for Microsoft’s BitLocker. The message says “You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.” It then proceeds to give a step-by-step how-to for migrating to BitLocker.
My problem is two-fold. Firstly, I find it difficult to believe that the developers of open-source cryptography would voluntarily recommend placing faith in a closed-source solution — and one from Microsoft to boot. Secondly, BitLocker gives up the ground won with such difficulty during the First Crypto Wars against Clinton’s Clipper chip and key escrow demands — BitLocker escrows the keys either with the IT department or with Microsoft’s cloud services. From both locations, using the PATRIOT Act, government agencies can retrieve those keys effectively on demand. This recommendation doesn’t make sense from a purely ‘security’ viewpoint.
Against this, however, we should note that ‘David’ (apparently a or the TrueCrypt developer) has told @stevebarnhart that there has been no government contact except one time inquiring about a ‘support contract’; that “BitLocker is ‘good enough’ and Windows was original ‘goal of the project’;” and that “There is no longer interest.” But whether ‘David’ is who he says he is, or whether what he says is true is anyone’s guess.
I find myself conflicted. This time my heart says, don’t think conspiracy; but my head says, this isn’t right.
For whatever reason, TrueCrypt can no longer be trusted. If we take David at face value, he has simply lost interest in the project and bowed out in a most unsatisfactory manner. That would imply that you can carry on using TrueCrypt; but that like XP, any future issues will not be resolved. So it’s probably best not to wait for them.
But if you were savvy enough to install TrueCrypt you will be savvy enough to migrate to an alternative without being persuaded into using BitLocker. BitLocker works with the Trusted Platform Module (TPM), a motherboard chip that to my mind turns Windows 8 into an NSA trojan. (See Is Windows 8 an NSA trojan?) This latest development merely reinforces my opinion.
It would be tempting to say it is time to migrate away from Windows altogether — perhaps to Linux. The reality, however, is that nothing is secure. What can be made by software can be unmade by software; that which can be built by computer power can be demolished by computer power. The unmakers have a thousand times the resources of the makers.
The solution is political, not technological. We the people have to reassert our role over the politicians. They are our servants. We pay them to do our bidding. And we have to make it absolutely clear that government interference and surveillance is unacceptable and must stop.
A common cry in Anonymous circles is ‘Free Jeremy Hammond; Fuck Sabu’. Jeremy Hammond is currently serving a ten-year prison sentence for his involvement in the Stratfor hack. Sabu (real name Hector Xavier Monsegur) will be sentenced tomorrow for his role in LulzSec and many other hacks. He is expected, on FBI request, to walk free. The judge, in both cases, was and is Judge Loretta Preska. Comparing and contrasting the behaviour of Hammond and Monsegur explains the Anonymous cry.
Monsegur was the original founder of the original LulzSec hacking group, (in)famous for its ‘50 days of lulz’ during the summer of 2011. Sabu was ‘outed’ and subsequently interviewed by the FBI. He rapidly (by the next day) agreed to cooperate; and has been cooperating ever since. There is some suggestion that the FBI pointed out that his two young nieces, for whom he is a foster parent, would have an uncertain future if he was incarcerated.
The extent of that cooperation is only just becoming clear, although it was always known to be extensive. Some of it borders on illegality, but is certainly immoral. The Stratfor hack was organized by Sabu at the behest of the FBI in order to entrap Jeremy Hammond – a member of Anonymous rather than LulzSec but high on the list of the FBI’s most wanted. It worked. It also, incidentally, ensnared Barrett Brown, who was arrested effectively for publishing a link to stolen Stratfor information; although his charges have now largely been dropped.
Sabu’s cooperation also led to the unmasking and arrest of the other members of LulzSec: 2 in the UK, 2 in Ireland and one in the US. It seems clear that he also tried to implicate and entrap many others; including, for example, Jacob Appelbaum.
He also cooperated with the government, using Hammond, to enable it to hack foreign websites. Hammond’s attorneys wrote to Judge Preska last month:
Hammond’s own behaviour has been in direct contrast. After his arrest he decided to fight the charges. Eventually, however, he gave up and accepted a plea deal with the government. Almost exactly one year ago he announced,
Today I pleaded guilty to one count of violating the Computer Fraud and Abuse Act. This was a very difficult decision. I hope this statement will explain my reasoning. I believe in the power of the truth. In keeping with that, I do not want to hide what I did or to shy away from my actions. This non-cooperating plea agreement frees me to tell the world what I did and why, without exposing any tactics or information to the government and without jeopardizing the lives and well-being of other activists on and offline.
Statement from Jeremy Hammond regarding his plea
His reasoning was not that he thought he would lose the case, but that the FBI would simply press similar charges elsewhere. “The process might have repeated indefinitely,” he said.
I have already spent 15 months in prison. For several weeks of that time I have been held in solitary confinement. I have been denied visits and phone calls with my family and friends. This plea agreement spares me, my family, and my community a repeat of this grinding process.
The key sentence in this announcement is, “This non-cooperating plea agreement frees me to tell the world what I did and why, without exposing any tactics or information to the government and without jeopardizing the lives and well-being of other activists on and offline.” So while Sabu cooperated with the FBI and will most likely walk free tomorrow, Hammond refused to cooperate and took a ten-year sentence. That, basically, is why the call is ‘Free Jeremy Hammond; Fuck Sabu.’
Tomorrow, 27th May 2014 at 11 am, Judge Preska will pronounce sentence on Sabu. In theory he faces a sentence of between 259 and 317 months for the crimes he has admitted. But, says the FBI in its pre-sentencing submission to Judge Preska,
Probation recommends a sentence of time served. As set forth in more detail below, Monsegur was an extremely valuable and productive cooperator.
Government’s notice of intent reference sentencing
He has, during the three years of his cooperation with the FBI, served seven months in prison. Judge Preska is expected to follow the FBI request and sentence him to seven months – allowing him to walk free.
We will update this post tomorrow with details of Judge Preska’s sentence.
The much delayed sentencing of former LulzSec hacker-turned-FBI informant Hector “Sabu” Monsegur finally took place on Tuesday, when he received time served plus one year of supervised release with computer logging.
It is always a pleasure to see a master at work; and Andrew Weev Auernheimer is not known as a master Troll without good reason. He was arrested, charged with hacking AT&T, sentenced to three years in prison, and eventually released after the case against him was thrown out on appeal. See here for background.
Now he has written to the government and delivered an invoice for the time he spent assisting the FBI. His open letter is full of gems.
His basic argument is that he is entitled to recompense, and that the best way to calculate this would be on his hourly freelance rate. The genius is that while the whole is absurd, the individual elements are all plausible and logical.
I have, over the course of 3 years, been made the victim of a criminal conspiracy by those in the federal government. This was a conspiracy of sedition and treason, perpetrated with violence by a limited number of federal agents to deprive me of my constitutional rights to a fair trial and unlawfully put me in prison.
Each element of that statement is morally if not legally defensible — even the sedition and treason.
Sedition is the charge for crimes which undermine the Constitution with violence. I can assure you that violence was used against me, and the Third Circuit Court of Appeals has already verified that the case against me undermined the Constitution.
Treason is less easily defined, and is not specifically defined by Weev. Nevertheless, it is generally accepted to be an attack against the state by a member of that state — and an attack against the US Constitution can be considered an attack against the state. The appeal court, in dismissing the case, wrote
As we progress technologically, we must remain mindful that cybercrimes do not happen in some metaphysical location that justifies disregarding constitutional limits on venue.
Court of Appeals vacating Weev’s conviction
The implication is that by disregarding the constitutional limits, the FBI attacked the constitution — ergo, treason.
Having made his case, Weev then seeks restitution.
I was taken from my childhood home at gunpoint on January 18th, 2011, and I was not allowed to freely exercise my liberties as a citizen until April 11th, 2014. That’s 1179 days that you used my time that I am now billing you for (I gave you a discount by not including the last day).
The real gem in the whole letter, however, is that he demands payment in bitcoins.
I am owed 28,296 Bitcoins. I do not accept United States dollars, as it is the preferred currency of criminal organizations such as the FBI, DOJ, ATF, and Federal Reserve and I do not assist criminal racketeering enterprises.
This is a masterclass in trolling from a Master Troll. The tragedy for society in the United States is that it is perfectly correct.
Now the government’s answer, or lack of it, will be permanently preserved in the Bitcoin block chain as a matter of public record. PAY ME MY MONEY, YOU LYING SUBHUMAN GARBAGE. You also should resign from your posts, as you’ve shown yourselves to be collective disgraces to rule of law and enemies of the United States Constitution. Those of us who actually love this country should take your places.
A more reasoned argument coming to a similar conclusion was published by Chris Hedges earlier this month:
The government, by ignoring the rights and needs of ordinary citizens, is jeopardizing its legitimacy. This is dangerous. When a citizenry no longer feels that it can find justice within the organs of power, when it feels that the organs of power are the enemies of freedom and economic advancement, it makes war on those organs. Those of us who are condemned as radicals, idealists and dreamers call for basic reforms that, if enacted, will make peaceful reform possible. But corporate capitalists, now unchecked by state power and dismissive of the popular will, do not see the fires they are igniting.
The Post-Constitutional Era
Eric Holder yesterday announced: “Today, we are announcing an indictment against five officers of the Chinese People’s Liberation Army for serious cybersecurity breaches against six American victim entities.”
The five officers are known by the aliases UglyGorilla, Jack Sun, Lao Wen, hzy_1hx and KandyGoo. They are members of the PLA’s military unit 61398 (you may recall that this is the unit accused by Mandiant last year as being the source of the APT1 hacking group). They stand accused of using spearphishing to penetrate six US companies (Westinghouse Electric, Alcoa, Allegheny Technologies Incorporated, U.S. Steel, the United Steelworkers Union and SolarWorld) to conduct economic espionage.
“This is a tactic that the U.S. government categorically denounces,” said Holder. “As President Obama has said on numerous occasions, we do not collect intelligence to provide a competitive advantage to U.S. companies, or U.S. commercial sectors.” This is from the man who lied to Congress.
It is also inaccurate. The Snowden files have shown that the NSA has bugged trade negotiations; and trade negotiations are quite plainly ‘economic’ – with US industry likely to benefit. And of course the NSA’s hacking of Chinese servers, and excluding Huawei over fears that it might be backdoored while it proceeded to backdoor Cisco equipment has sort of ceded the moral high ground.
I asked FireEye, which now owns Mandiant, if it had supplied any of the information used by the FBI in its indictment. A spokesperson told me, “The US government just used information from the APT1 report which was published. We did not actively provide information. We believe this was a natural escalation after the revelation – the PLA group went quiet but now are very active again so was only a matter of time.”
But there may be another reason for the delay between Mandiant’s initial report and this indictment… Generally speaking, law enforcement needs a victim complaint over intelligence of a crime before it can take action against the suspected criminal; so it has had to wait for the hacked companies to investigate and complain before it could commence the indictment proceedings.
Luis Corrons, technical director at PandaLabs, finds this a frequent problem. “This year I have handed LEA information about 3 different criminal cases; and all 3 of them have real evidence of who is behind them. But if there is no official complaint from the victims, nothing happens. One of the cases is multinational – the local LE tried to convince a Spanish company who was victim to present a complaint, but it didn’t want to. Now the LEA is trying in different countries trying to convince victims to present a complaint.
“But this is not the only problem,” he continued. “Some investigations are really complex, and while for me it can be ‘easy’ to gather evidences, for an LEA to do it in the proper and legal way can take months or even years.”
If that’s the case here, this indictment is actually quite speedy.
But is it wise?
Much of the security industry is in favour of the US action. “This really could be a landmark moment that has the potential to change the way in which we respond to the growing threat presented by digital criminality,” said Martin Sutherland, managing director of BAE Systems Applied Intelligence, in an emailed statement. “This current case is encouraging and sets an interesting precedent for other countries combating digital crime.”
“The US government is toughening up its language against nation-state and industrial cyber-espionage,” said Bob West, chief trust officer at CipherCloud in another email. “We’re calling out the Chinese government for its role fostering theft of American intellectual property and doing it by naming specific hackers with military ties.”
“While I doubt that foreign military commanders who are prosecuted by the Department of Justice will be successfully apprehended and brought to justice,” said Tom Cross, director of security research at Lancope, “these prosecutions do send a clear message regarding what sort of behavior the United States views as unacceptable.”
In each case I asked a few questions. Most pertinent was this:
Is it not pure hypocrisy? We know from the Snowden files that the NSA has hacked Chinese servers. Holder says ‘we do not do it for economic advantage’. Leaving aside any cynicism over such a statement, isn’t it irrelevant? Holder is saying that the accused have broken US laws; but the US breaks Chinese laws. So what is the legal difference?
I have not had a reply. In fairness, it probably has as much to do with trans-Atlantic time zones as a disinclination to respond; and I will update this post with any replies that I get.
However, it is the problem I have with the US action. It is a nation that claims to uphold the rule of law – but only the rule of US law. This action says to the world, you must all abide by our laws, but our laws are the only ones that we need abide by.
Last week the Council of the EU published the EU Human Rights Guidelines on Freedom of Expression Online and Offline. It is really aimed at non-EU states that show little regard for human rights — but the reality is the EU should look closely at its own behaviour.
Consider just three extracts:
1. Free, diverse and independent media are essential in any society to promote and protect freedom of opinion and expression and other human rights. By facilitating the free flow of information and ideas on matters of general interest, and by ensuring transparency and accountability, independent media constitute one of the cornerstones of a democratic society. Without freedom of expression and freedom of the media, an informed, active and engaged citizenry is impossible… Efforts to protect journalists should not be limited to those formally recognised as such, but should also cover support staff and others, such as “citizen journalists”, bloggers, social media activists and human rights defenders, who use new media to reach a mass audience…
2. Support the adoption of legislation that provides adequate protection for whistleblowers and support reforms to give legal protection to journalists’ right of non-disclosure of sources…
3. The right to seek and receive information
The right to freedom of expression includes freedom to seek and receive information. It is a key component of democratic governance as the promotion of participatory decision-making processes is unattainable without adequate access to information. For example the exposure of human rights violations may, in some circumstances, be assisted by the disclosure of information held by State entities. Ensuring access to information can serve to promote justice and reparation, in particular after periods of grave violations of human rights. The UN Human Rights Council has emphasized that the public and individuals are entitled to have access, to the fullest extent practicable, to information regarding the actions and decision-making processes of their Government…
These are, put simply, ‘a free and independent press, including bloggers’; ‘protection for whistleblowers’; and ‘freedom of information’ — all of which are necessary to and in a democratic society.
The UK seeks to curtail an independent press. It does this through threats (such as using the Leveson proposals against journalists and editors), abuse of the Terrorism Act (just as Obama abuses the Espionage Act), and pure and simple bullying.
Example: When Guido Fawkes’ political blog scooped the mainstream press on the arrests of Max Clifford, Jim Davidson and Rolf Harris, Fawkes wrote,
No judge has ordered reporting restrictions in relation to Rolf Harris, no super-injunctions prevent the reporting of news concerning him, instead his lawyers Harbottle and Lewis are citing the Leveson Inquiry’s report in letters to editors of newspapers – cowing them into silence. The Leveson effect is real and curtailing the freedom of the press through fear.
Leveson Effect: Can You See What It Is Yet?
Example: David Miranda was arrested, detained at Heathrow, and had his computer equipment confiscated when he was merely passing through Heathrow on the way from Berlin to Brazil. To achieve this, the UK government had to classify him as a terrorist for possibly carrying Snowden files.
Example: Government officials insisted on and oversaw the physical destruction of The Guardian’s hard disks that contained Snowden files.
Protection for whistleblowers
The three great whistleblowers of the modern age are Chelsea (Bradley) Manning, Julian Assange, and Edward Snowden. Manning is in prison and likely to stay there for many years to come; Assange has a European Arrest Warrant against him and is effectively imprisoned for life in the Ecuadorean Embassy in London; and the whole of Europe has refused to provide asylum to Snowden.
At the Stockholm Internet Forum set for the end of May, and hosted by the Swedish government,
.SE – the only non-governmental organization among the hosts – made a list of possible candidates. The most important name on it: Edward Snowden. Further names included journalists Glenn Greenwald and Laura Poitras, the two journalists that informed the world about the NSA’s activities, Guardian Editor in Chief Alan Rusbridger as well as hacker Jacob Appelbaum, who found the mobile phone number of German Chancellor Angela Merkel in Snowden’s database. The list of candidates was sent to the Swedish Foreign Ministry for approval.
Swedish Foreign Ministry prevents Snowden’s invitation
In the event, Carl Bildt’s foreign ministry vetoed all except Laura Poitras, who declined the invite because of the blacklist.
If the European Union was serious about protection for whistleblowers, it would provide protection for Assange and Snowden. For the former it is assisting the US attempts at getting him into the USA; and for the latter it is doing nothing to prevent it.
Freedom of information
This, says the EU, is a necessary ingredient for democracy — but denies it to its own people. In April, Dr Helen Wallace of GeneWatch announced
GeneWatch has spent 12 months battling to reveal documents showing extensive government contacts between the Department of Food, Environment and Rural Affairs (Defra) and the GM crop lobby crop the Agricultural Biotechnology Council (ABC).
“These partial documents strongly suggest the Government is colluding with the GM industry to manipulate the media, undermine access to GM-free-fed meat and dairy products and plot the return of GM crops to Britain”, said Dr Helen Wallace, Director of GeneWatch UK, “The public have a right to know what is going on behind closed doors”.
She was complaining about missing and redacted documents from the Department for Environment Food & Rural Affairs (DEFRA). Early in May she commented,
These documents expose Government collusion with the GM industry to agree PR messages and blacklist critical journalists. Scientists have been cherry-picked to push GM industry PR, as it seems the Government has made promises of research funds tied to public-private partnerships with Monsanto or Syngenta dependent on supporting commercial cultivation of RoundUp Ready GM crops in Britain. Disturbingly, the Government has also been kept in the loop over lobbying by GM feed importers behind closed doors to stop supermarkets offering their customers the choice of GM-free-fed meat and dairy products. British consumers have lost out to boost Monsanto’s profits, as more GM RoundUp Ready soya is shipped in for use in feed, harming the environment abroad.
In short, the UK government systematically denies information to the UK people where the democratic process might disturb its autocratic purposes. This is contrary to both the spirit and word of the EU’s freedom of expression guidelines.
The only realistic conclusion that can be drawn from the EU guidelines is that they are nothing other than propaganda designed to make European citizens believe that they live in a democracy. It wants the world to believe that it has high ideals over freedom of expression and access to information, but does little to ensure it within its own borders.
Fresh from its success against HMRC, Privacy International (PI) is now taking on GCHQ. It announced Tuesday that it has “filed a legal complaint demanding an end to the unlawful hacking being carried out by GCHQ which, in partnership with the NSA, is infecting potentially millions of computer and mobile devices around the world with malicious software that gives them the ability to sweep up reams of content, switch on users’ microphones or cameras, listen to their phone calls and track their locations.”
This complaint, however, will be like pissing in the wind.
Since it is a complaint against the intelligence services it has to be raised with the UK’s Investigatory Powers Tribunal. Now, if you think my comment is a bit OTT, I invite you to consider the assessment of the Home Affairs Committee – Seventeenth Report: Counter-terrorism, published just last month. In particular, look at Section 6: Oversight of the security and intelligence agencies. It says,
…we wish to take this opportunity to note that in its latest annual report, the Investigatory Powers Tribunal has failed to disclose how many cases were decided in favour of the complainant. The 2010 (inaugural) annual report of the Investigatory Powers Tribunal was a forty page document. The 2011 report was a three page statistical release. The 2012 annual report was a two paragraph new story on its website… The statistics which have been produced by the Investigatory Powers Tribunal indicate that out of 1468 [complaints] the Tribunal has received it has decided in the favour of ten complainants. None of the ten successful complaints were made against the security service.
So only 0.68% of complaints to the Investigatory Powers Tribunal are upheld – and none of those relate to complaints against the intelligence services despite 30% of the 2010 complaints being leveled against an intelligence agency.
There are two other officers also responsible for oversight of GCHQ: the Interception of Communications Commissioner (Sir Anthony May), and the Intelligence Services Commissioner (Sir Mark Waller). Also last month, on the same day that the ECJ ruled the European Data Retention Directive to be invalid, the Interception Commissioner’s annual report was laid before parliament. He considered at some length GCHQ, RIPA and the Snowden files.
It is ultimately a matter of policy whether the interception agencies, duly authorised under RIPA 2000 Part I Chapter I and subject to its safeguards, should continue to be enabled to intercept external communications, so far as they are lawfully and technically able, in order to assist their functions of protecting the nation and its citizens from terrorist attack, cyber attack, serious crime and so forth. If the policy answer to that question is yes (which I personally should have thought was obvious)…
2013 Annual Report of the Interception of Communications Commissioner
He is, then, personally predisposed towards GCHQ’s international hacking habits.
His report also asks, “Do the interception agencies misuse their powers under RIPA 2000 Part I Chapter I to engage in random mass intrusion into the private affairs of law abiding UK citizens who have no actual or reasonably suspected involvement in terrorism or serious crime?”
And it answers, “The interception agencies do not engage in indiscriminate random mass intrusion by misusing their powers under RIPA 2000 Part I.” Now, since the Tribunal will undoubtedly query the commissioner on whether Privacy International’s complaint is valid, we can begin to see that it’s not going to get very far.
But let it not be said that the overlookers providing oversight on GCHQ are not sufficiently thorough in their overlooking. This is part of the Intelligence Services Commissioner’s testimony, verbatim, to the Home Affairs committee:
Chair: You went down to GCHQ.
Sir Mark Waller: Yes.
Chair: You went to see who there?
Sir Mark Waller: I saw the second head of the agency, in fact.
Chair: How did you satisfy yourself? It seems, from your comment, that what you did was you had a discussion with them, you heard what they had to say and you have accepted what they had to say.
Sir Mark Waller: Certainly.
Chair: Is that it?
Sir Mark Waller: Certainly.
Chair: Just a discussion?
Sir Mark Waller: Certainly.
Chair: Nothing else?
Sir Mark Waller: Certainly.
It’s not as if Privacy International is demanding very much. It is just seeking from the Investigatory Powers Tribunal:
A declaration that the matters set out in the complaint are well founded and GCHQ’s conduct has been unlawful, an injunction restraining any similar future conduct, an order requiring the destruction of any information unlawfully obtained and a public judgment.
But to say that Privacy International’s claim against GCHQ in face of these guardians of the public good is just pissing in the wind is probably an understatement – pissing into a force 8 gale is more accurate. It’s never going to happen.
But there is just one glimmer. Once PI has exhausted all national options it should be able to take the matter to the European Court – the same court that recently struck down the Data Retention Directive and has just ruled against Google.