This article is more than 1 year old
Four ways the Guardian could have protected Snowden – by THE NSA
Spooks' own advice lays out exactly how this crypto wypto hypto thing works
Analysis The Guardian's editor-in-chief Alan Rusbridger fears journalists – and, by extension, everyone – will be reduced to using pen and paper to avoid prying American and British spooks online.
And his reporters must fly around the world to hold face-to-face meetings with sources ("Not good for the environment, but increasingly the only way to operate") because they believe all their internet and phone chatter will be eavesdropped on by the NSA and GCHQ.
"It would be highly unadvisable for … any journalist … to regard any electronic means of communication as safe," he wrote.
El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips – most of them based on the NSA's own guidance.
(It's quite possible the Graun's able staffers have already thought of all this, and whistleblower Edward Snowden eventually taught his contacts how to use PGP, but allow us to throw it out there anyway for everyone to consider.)
1. Encryption: It's not hard
David Miranda – the boyfriend of Glenn Greenwald, the journalist at the centre of Edward Snowden scoops about the NSA and GCHQ – was held at London Heathrow airport this week during a stopover from Berlin to Brazil. Miranda was carrying encrypted information in a laptop and USB drives, having visited Laura Poitras, the US filmmaker who worked with Greenwald on his NSA scandal stories.
You have to wonder why the Brazilian was being used as a data mule, for want of a better word, when there are other ways to securely transfer leaked documents without triggering the frankly unsettling schedule seven of the UK's Terrorism Act. Although, he may have been stopped even if he was carrying nothing but his phone.
It's reported that journalists, even tech journos, are woefully ill-equipped to deal with encrypted leaks: so let's put a stop to this digital fumbling in the dark, and let the record show that some of us have an idea of how it all works.
First of all, take the NSA's own advice [PDF] and grab a copy of the open-source cryptography toolkit GnuPG. Compile it for your favourite operating system (or trust a pre-built download having checked its integrity), and then generate a private-public key pair: data encrypted using the public key is decrypted using the private key. So your source encrypts her sneaked-out files using your public key, sends you those scrambled bytes and you reconstruct the original using the private key.
Straightforward ... GPG for Mac OS X will do the key-pair generation for you automatically (click to enlarge)
Why use key pairs, otherwise known as asymmetric encryption? Because it saves you having to whisper shared passwords to one another, essentially divulging secrets that if intercepted by an enemy would be catastrophic to your project.
With public-private keys there's no need to reveal pass-phrases or drop off nondescript packages containing password code books, as exciting as that may sound. Instead, you can freely reveal your public key: it's only good for encrypting stuff. (Technically speaking, the data is encrypted using a randomly generated one-off session key and a chosen cipher; asymmetric key encryption is computationally expensive, so a symmetric cipher and the session key is used to do all the heavy lifting. The asymmetric key pairs are used to encrypt the session key.)
Again, following the NSA's own advice, in your chosen PGP software, generate a Diffie-Hellman/DSS (or RSA if you're paranoid) key pair that's 4,096 bits in length, set to expire in one year (or less if you're planning a short whistle-blowing career), using AES-256 as the encryption cipher and SHA-2-512 as the hash function.
Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)
Keep your generated private key somewhere safe and hidden, such as on a TrueCrypt-encrypted thumb drive, rather than at rest on a disk, and whatever you do, don't take it through customs. Use steganography to hide it in a picture of a cat.
Don't put yourself in a position where the police can demand it under the Regulation of Investigatory Powers Act. Don't keep the key, data and the computers you are using anywhere the Powers That Be, having obtained a warrant, expect to physically find them. You need to have transferred the goods before anyone realises.
While David Miranda insists he didn't know anything about the contents of the electronic documents he was carrying, he did hand over the passwords to his equipment to the plod after being threatened with imprisonment.
Thus, one only hopes any sensitive files he was carrying were encrypted using a second secret, one he couldn't possibly divulge because he didn't know it. However, that will not have impressed the cops, who may have thrown him in the cooler for a couple of years or until someone could provide that second key. This has happened in the past.
A good lawyer could get your mule off the hook if the brief argued that your bod didn't know the key nor the contents of the files (and thus was no more complicit in any wrongdoing than a Royal Mail worker delivering brown envelopes of leaked material). In this case, Miranda knew something and eight hours under the spotlight was enough for him.
In short, don't use data mules known to the authorities, and certainly not across guarded borders, unless you've got a bang-up lawyer (and pots of cash to pay for it) and a personal courier willing to spend hours, days or perhaps months detained.
(PS: Handing over account-level passwords, rather than decryption keys, is bad enough, though, for the poor bod intercepted; there is no doubt investigators will try to use this information to inspect email inboxes, instant messaging clients, social network accounts and anything else they could get hold of in search of wrongdoing. More determined operatives could use this sort of access to get a better idea of the chap's friends and associates for follow-up surveillance.)
Your source should also create her own public-private key pair, following the same steps above; this is needed to sign messages, or in other words cryptographically prove that the data hasn't been tampered with in transit and that it was created by the person who claims to have sent it.
Meet the Advanced Encryption Standard
As an aside: the AES-256 cipher, as mandated above, is recommended in the NSA's own advice [PDF]. Uncle Sam's spooks are told to use AES (Advanced Encryption Standard) and 128-bit keys to protect material designated "SECRET". "TOP SECRET" – the highest security level available and usually reserved for compartmentalised information distributed on a strict need-to-know basis – requires 256-bit keys.
The standard – developed in 1998 by Belgians Vincent Rijmen and Joan Daemen – is considered unbreakable and spook-proof by all but the very, very paranoid; decrypting the data without knowing the key will require an infeasible amount of computing power. We're talking more energy required than the universe can give us. There are 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,
457,584,007,913,129,639,936 combinations of keys if you feel like trying to brute-force it.
Serious maths ... the calculations behind AES
It is possible someone could extract unencrypted information, or even the secret crypto keys, using a side-channel attack. This is usually pulled off by precisely timing the calculations performed by the system doing the encryption and recovering the goodies byte by byte.
Such endeavours, so far as we know, have worked against tiny keys (some as small as 32 bits). Then in 2010, three boffins showed they could quickly recover a 128-bit AES key by running unprivileged code that spies on CPU cache access on a Linux server running OpenSSL: on the one hand, yes, you need to be able to run your own malicious software on the machine to snaffle this data, but on the other hand, this will not be difficult for state-backed spooks with loads of private zero-day exploits – so steps need to be taken to defend against this sort of compromise.
Proud tinfoil-hat-wearers among us will point out that these encryption standards may have been molested by the NSA at some point, perhaps to introduce weaknesses that can be exploited to easily crack encrypted data. Putting aside the fact that these algorithms have faced intense public scrutiny before their deployment, if the spooks had nobbled the maths, one wonders why the cops are so keen to extract decryption keys from suspects (or even perfectly innocent people) ... though perhaps that's what they want us to think.
2. Use clean machines
Make sure you're doing all of this on completely clean computers, you and your whistleblower: only ever use them for communicating between you and your contact, and don't contaminate the kit with other stuff or have it in any way associated with your other work. Keep both machines powered down when not in use; don't connect either to your corporate or personal network.
Buy new machines for cash from a shop and harden them against attack: why not (again) take the NSA's own advice and make sure you're using Security-Enhanced Linux, a series of patches for the open-source OS that are now part of Linus Torvalds' official mainline kernel. More seriously, install Grsecurity and use TrueCrypt to protect disk volumes. The spooks have online public guides to securing OSes here.
Essentially, do everything you can to compartmentalise your system. Install a hypervisor (yeah, a good one) on the new computer, and run all of the above software – your PGP tools and other essential utilities – inside a hardened virtual machine. Once that VM is set up, snapshot it and save it off disk on secured removable storage.
Every time you need to look at the leaked encrypted documents (again, stored securely off disk), reload the snapshot and use that environment afresh, so that the VM doesn't have to touch the host machine's disk and also just in case the VM was compromised the last time you used it.
Bear in mind that if an attacker did infiltrate your VM and silently escaped the hypervisor, or otherwise snaffled your private key, it's game over. And state-backed spies will have zero-days to make this possible.
Even the NSA's own advice is to assume you've been compromised and work from there. "We have to build our systems on the assumption that adversaries will get in," the agency's Debora Plunkett told a security conference. "We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly."
In other words, carve your hardware into compartments and protect them from each other, even using an old-fashioned air gap. Be paranoid.