Shostack + Friends Blog Archive


Information Security Needs

The NYT reports, “Rough Treatment for 2 Journalists in Pakistan” and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years.

However, a computer was seized, sources were roughed up and possibly jailed or killed:

Since then it has become clear that intelligence agents copied data from our computers, notebooks and cellphones and have tracked down contacts and acquaintances in Quetta.

All the people I interviewed were subsequently visited by intelligence agents, and local journalists who helped me were later questioned by Pakistan’s intelligence service, the Inter-Services Intelligence.

Come on. You don’t have crypto? You’ve never heard of PGP (to name the obvious famous one)? That’s so easy to find I won’t even paste in the link.
I hope when you get a new laptop you’ll consider protecting your sources.

6 comments on "Information Security Needs"

  • Adam says:

    Does PGP include rubber-hose resistance yet? Steganographic note concealment? Deniable encryption?

  • Orv says:

    I wonder if it even would have helped. Would a country that has no qualms about harassing a journalist in that way have any qualms about jailing him or beating him with a rubber hose until he gave up his encryption passphrase?

  • Jon Callas says:

    Hi, Adam.
    I’ll answer your questions.
    No, PGP does not have steganography, deniable encryption, or other such features. We’ve considered them and they are not out of the question. It’s not as easy to do as many people think. From its very start, PGP has emphasized that cryptography alone is not is not magic. That’s a big reason why the first two letters in PGP are what they are.
    PGP is quasi-open-source. I consider it open source, but we don’t release it under any of the usual open source licenses. Nonetheless, we publish our source code. A steganographic or information hiding system with published source is like making doormats with little holders for your key. It assumes that the guys with the rubber hoses will never think to look there.
    Additionally, I have my own doubts about the efficacy of information hiding. Niels Provos has done work on finding stego. Shamir and Van Someren did work on finding Microsoft’s keys within its software. I don’t believe that it’s possible to make an unfindable / deniable container. Yes, I know that TrueCrypt has one. I don’t think it works against a sophisticated attacker, especially one that has the source.
    Lastly, I fear that information hiding is only effective against civilized opponents. Suppose the soldiers who take your laptop start beating you up for your key. You give them the first one, the innocent one, they open it up , find nothing there, so they beat you up some more. How can you ever convince them that they have the last one? Worse — suppose you’re just a dweeb who uses encryption for your business records. How do you convince a crazy, violent person that you have no contraband? I worry that deniable encryption puts everyone at risk, and even the reporter is better off saying, “I’m a reporter for the New York Times, and yes, you can kill me just like you killed Daniel Pearl, but no, I’m not giving you any information about my sources. If I do, I’m worse than dead, I am dishonored.”
    In short, my reasons for not having stego and not having deniable encryption are:
    * I am not convinced that it is possible.
    * I am especially not convinced that it is possible with published source.
    * I believe that its existence endangers those who are not using it as they can never prove they don’t have something to hide.
    Nonetheless, I would love to be convinced otherwise. It would be an interesting, cool project to put it into PGP, so I would be happy for someone to explain how it’s both possible and would work in the face of an attacker who isn’t afraid to keep beating you up until they’re convinced you have cracked. I can be emailed by sending to my given name at the obvious domain.

    Jon Callas
    CTO, CSO
    PGP Corporation         
    3460 West Bayshore      
    Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
    USA                                 28b6 52bf 5a46 bc98 e63d

  • albatross says:

    Isn’t the obvious solution here to store the data remotely, with some kind of server outside the country imposing limits like 3 bad passwords and your account is locked up, or after a certain number of days your information is locked, or there’s a duress password which overtly, visibly locks the thing up? This has the nice property that at some point, there’s no future value to beating you anymore. (It has the downside that at that point, you’re an eyewitness to the evil operation of some police state types, and they may not want you around to tell anyone about it).

  • Chris says:

    Speaking as a reader of EC, I wanted to thank you for that great comment.

  • Jon Callas says:

    To albatross:
    I don’t know about *obvious*, but your solution isn’t bad. I can think of an obvious drawback that it requires you to have a network connection, which means that it doesn’t work as well when there isn’t a net.
    It’s true that PGP doesn’t solve this problem. But human rights organizations, reporters, and other people have used PGP as part of their security system. For example, you could take notes and then encrypt those notes to a public key that you don’t have with you.
    This is a good solution for an investigator, as the investigator can then no longer open up the report. It’s less good for a reporter who will talk to many people and then examine their notes. The reporter has to then retreat to a safe area to examine their notes. It does nothing against an attacker who captures the reporter and then does progressive torture.
    I think that the Times is justified in outrage because we like to think of Pakistan as an allied country, and thus would follow standards of behavior we expect, rather than what we’d expect from places like the Sudan. You don’t expect to need sophisticated opsec in the EU. On the other hand, a standard opsec that included encrypted virtual disks and whole disks give a layered defense no matter where you are, and they really ought to do that even in the first world.

Comments are closed.