Security Corner

June 24, 2013  7:21 PM

Bruce Schneier: “Government Secrets and the Need for Whistleblowers”

Ken Harthun Ken Harthun Profile: Ken Harthun

No need to use much space to introduce you to Mr. Bruce Schneier; his reputation as a security expert is indisputable. I thank him for being gracious enough to let me re-post his article, “Government Secrets and the Need for Whistleblowers,” which I present here in its entirety and which I support 100 percent. There must be safeguards against a government that is out of control.

Government Secrets and the Need for Whistleblowers

Recently, we learned that the NSA received all calling records from Verizon customers for a three-month period starting in April. That’s everything except the voice content: who called who, where they were, how long the call lasted — for millions of people, both Americans and foreigners. This “metadata” allows the government to track the movements of everyone during that period, and a build a detailed picture of who talks to whom. It’s exactly the same data the Justice Department collected about AP journalists.

The “Guardian” delivered this revelation after receiving a copy of a secret memo about this — presumably from a whistleblower. We don’t know if the other phone companies handed data to the NSA too. We don’t know if this was a one-off demand or a continuously renewed demand; the order started a few days after the Boston bombers were captured by police.

We don’t know a lot about how the government spies on us, but we know some things. We know the FBI has issued tens of thousands of ultra-secret National Security Letters to collect all sorts of data on people — we believe on millions of people — and has been abusing them to spy on cloud-computer users. We know it can collect a wide array of personal data from the Internet without a warrant. We also know that the FBI has been intercepting cell-phone data, all but voice content, for the past 20 years without a warrant, and can use the microphone on some powered-off cell phones as a room bug — presumably only with a warrant.

We know that the NSA has many domestic-surveillance and data-mining programs with codenames like Trailblazer, Stellar Wind, and Ragtime — deliberately using different codenames for similar programs to stymie oversight and conceal what’s really going on. We know that the NSA is building an enormous computer facility in Utah to store all this data, as well as faster computer networks to process it all. We know the U.S. Cyber Command employs 4,000 people.

We know that the DHS is also collecting a massive amount of data on people, and that local police departments are running “fusion centers” to collect and analyze this data, and covering up its failures. This is all part of the militarization of the police.

Remember in 2003, when Congress defunded the decidedly creepy Total Information Awareness program? It didn’t die; it just changed names and split into many smaller programs. We know that corporations are doing an enormous amount of spying on behalf of the government: all parts.

We know all of this not because the government is honest and forthcoming, but mostly through three backchannels — inadvertent hints or outright admissions by government officials in hearings and court cases, information gleaned from government documents received under FOIA, and government whistleblowers.

There’s much more we don’t know, and often what we know is obsolete. We know quite a bit about the NSA’s ECHELON program from a 2000 European investigation, and about the DHS’s plans for Total Information Awareness from 2002, but much less about how these programs have evolved. We can make inferences about the NSA’s Utah facility based on the theoretical amount of data from various sources, the cost of computation, and the power requirements from the facility, but those are rough guesses at best. For a lot of this, we’re completely in the dark.

And that’s wrong.

The U.S. government is on a secrecy binge. It overclassifies more information than ever. And we learn, again and again, that our government regularly classifies things not because they need to be secret, but because their release would be embarrassing.

Knowing how the government spies on us is important. Not only because so much of it is illegal — or, to be as charitable as possible, based on novel interpretations of the law — but because we have a right to know. Democracy requires an informed citizenry in order to function properly, and transparency and accountability are essential parts of that. That means knowing what our government is doing to us, in our name. That means knowing that the government is operating within the constraints of the law. Otherwise, we’re living in a police state.

We need whistleblowers.

Leaking information without getting caught is difficult. It’s almost impossible to maintain privacy in the Internet Age. The WikiLeaks platform seems to have been secure — Bradley Manning was caught not because of a technological flaw, but because someone he trusted betrayed him — but the U.S. government seems to have successfully destroyed it as a platform. None of the spin-offs have risen to become viable yet. The “New Yorker” recently unveiled its Strongbox platform for leaking material, which is still new but looks good. Wired recently gave the best advice on how to leak information to the press via phone, email, or the post office. The National Whistleblowers Center has a page on national-security whistleblowers and their rights.

Leaking information is also very dangerous. The Obama Administration has embarked on a war on whistleblowers, pursuing them — both legally and through intimidation — further than any previous administration has done. Mark Klein, Thomas Drake, and William Binney have all been persecuted for exposing technical details of our surveillance state. Bradley Manning has been treated cruelly and inhumanly — and possibly tortured — for his more-indiscriminate leaking of State Department secrets.

The Obama Administration’s actions against the Associated Press, its persecution of Julian Assange, and its unprecedented prosecution of Manning on charges of “aiding the enemy” demonstrate how far it’s willing to go to intimidate whistleblowers — as well as the journalists who talk to them.

But whistleblowing is vital, even more broadly than in government spying. It’s necessary for good government, and to protect us from abuse of power.

We need details on the full extent of the FBI’s spying capabilities. We don’t know what information it routinely collects on American citizens, what extra information it collects on those on various watch lists, and what legal justifications it invokes for its actions. We don’t know its plans for future data collection. We don’t know what scandals and illegal actions — either past or present — are currently being covered up.

We also need information about what data the NSA gathers, either domestically or internationally. We don’t know how much it collects surreptitiously, and how much it relies on arrangements with various companies. We don’t know how much it uses password cracking to get at encrypted data, and how much it exploits existing system vulnerabilities. We don’t know whether it deliberately inserts backdoors into systems it wants to monitor, either with or without the permission of the communications-system vendors.

And we need details about the sorts of analysis the organizations perform. We don’t know what they quickly cull at the point of collection, and what they store for later analysis — and how long they store it. We don’t know what sort of database profiling they do, how extensive their CCTV and surveillance-drone analysis is, how much they perform behavioral analysis, or how extensively they trace friends of people on their watch lists.

We don’t know how big the U.S. surveillance apparatus is today, either in terms of money and people or in terms of how many people are monitored or how much data is collected. Modern technology makes it possible to monitor vastly more people — the recent NSA revelations demonstrate that they could easily surveil *everyone* — than could ever be done manually.

Whistleblowing is the moral response to immoral activity by those in power. What’s important here are government programs and methods, not data about individuals. I understand I am asking for people to engage in illegal and dangerous behavior. Do it carefully and do it safely, but — and I am talking directly to you, person working on one of these secret and probably illegal programs — do it.

If you see something, say something. There are many people in the U.S. that will appreciate and admire you.

For the rest of us, we can help by protesting this war on whistleblowers. We need to force our politicians not to punish them — to investigate the abuses and not the messengers — and to ensure that those unjustly persecuted can obtain redress.

Our government is putting its own self-interest ahead of the interests of the country. That needs to change.

This essay originally appeared on the “Atlantic.” or

June 14, 2013  1:06 PM

Video: Protection through distraction?

Ken Harthun Ken Harthun Profile: Ken Harthun

Hey, it’s Funny Friday! And I have a very funny video for you (if you consider British dry humour funny – I do). How about distracting hackers from stealing information by titillating them with erotic romance? This was an April Fool’s joke from Sophos in 2010. Watch and enjoy and have a great weekend.

June 6, 2013  1:47 AM

Cipher challenge: The solution

Ken Harthun Ken Harthun Profile: Ken Harthun

encryptionLast week, I posted Cipher challenge: Can you decrypt this? I got one correct response.

The sentence  was: “The quick brown fox jumps over the lazy dog.” It was ciphered using ROT-12, not ROT-13. It was probably too easy. I’ll post another challenge this month and I will make it a bit harder to decipher.

May 31, 2013  1:52 PM

When hackers hack, hack ‘em back?

Ken Harthun Ken Harthun Profile: Ken Harthun

question-markForgive my alliteration; one should avoid alliteration always. But, I came across an interesting report that seems to suggest–though not necessarily advocate–retaliation against suspected copyright abusers. The report, entitled “The Report of the Commission on the Theft of American Intellectual Property,” and published by the US IP Commission. The report is rather sobering as summarized in the Key Findings:

The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion. The exact figure is unknowable, but private and governmental studies tend to understate the impacts due to inadequacies in data or scope. The members of the Commission agree with the assessment by the Commander of the United States Cyber Command and Director of the National Security Agency, General Keith Alexander, that the ongoing theft of IP [Intellectual Property] is “the greatest transfer of wealth in history.”

Where the report really gets interesting is in the concluding Chapters 13 and 14 entitled “Cyber Solutions” and “Potential Future Measures,” respectively. They come right out and suggest the use of what would amount to legally sanctioned ransomware:

Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.
. . .
…software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.

And here is the “hack the hackers” section:

While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

Food for thought…

May 30, 2013  8:41 PM

Internet History, Technology, and Security course at

Ken Harthun Ken Harthun Profile: Ken Harthun

If you aren’t familiar with, you need to get over there right now. I just completed the nine-week course Internet History, Technology, and Security. This is a must for anyone in tech who did not grow up pre-internet and a dance down memory lane for anyone who remembers slide rules, adding machines, and punched cards. The instructor, Dr. Chuck (Charles Severence) from the University of Michigan was engaging, amusing at times and a real pleasure to listen to. I hope to meet him some day.

Even being the security wonk that I am, I learned some new things about security (which is why I’m posting this). If you get the chance to take this course when it is offered again, I highly recommend it. I completed “with distinction.” So, please pat me on the virtual back a bit and stroke my ego <wink>. Here’s my cert:


May 29, 2013  8:02 PM

Is your password “qeadzcwrsfxv1331?”

Ken Harthun Ken Harthun Profile: Ken Harthun

If so, it has been cracked. And rather easily, I might add. How is it that a 16 character password with seemingly random characters could be easily cracked? The answer might surprise you and you’ll definitely rethink the way you create passwords.

An article on Ars Technica (link) discusses how three crackers have achieved a 90% success rate on 16,000+ hashed passwords using some quite sophisticated techniques. These days, before crackers attempt brute force attacks – which can take a very long time to complete – they run a series of hybrid attacks which are a marriage of dictionary and brute-force attacks which greatly expand the word lists while keeping the keyspace manageable.

Another highly effective method is the Markov attack. Here’s a simple explanation from the Ars Technica article:

Where a classic brute-force tries “aaa,” “aab,” “aac,” and so on, a Markov attack makes highly educated guesses. It analyzes plains to determine where certain types of characters are likely to appear in a password. A Markov attack with a length of seven and a threshold of 65 tries all possible seven-character passwords with the 65 most likely characters for each position. It drops the keyspace of a classic brute-force from 957 to 657, a benefit that saves an attacker about four hours. And since passwords show surprising uniformity when it comes to the types of characters used in each position—in general, capital letters come at the beginning, lower-case letters come in the middle, and symbols and numbers come at the end—Markov attacks are able crack almost as many passwords as a straight brute-force.

Are you feeling a bit insecure yet? You should be, if your passwords conform to any of those “standard” practices. I think the discovery of the password in the headline was probably an example of a good, educated guess and I’m sure a password like !!sREkaerb-Eci@@ would prove next to impossible to crack even with sophisticated tools.

But, I could be wrong…

May 27, 2013  1:57 PM

To change or not to change passwords, that is the question.

Ken Harthun Ken Harthun Profile: Ken Harthun

158376_linux_loginDo you change your passwords regularly? Do you as an administrator require users to change passwords? Does your company have a password policy that requires regular changes?

I recently entered into a discussion with my fellow network administrators about their having password change policies and realized that opinions vary greatly on the efficacy of the practice. We had a rather lively discussion and in the end we just agreed to disagree. I am interested in your views on this and would greatly appreciate your feedback in the comments. To get things started, here are my answers to the three questions above and my reasoning for those answers.

  1. I do not change my passwords on a regular basis because there is no need to. I use extremely strong passwords and store them in LastPass. My Yubikey gives me two-factor authentication for LastPass on non-trusted computers. The only time I have changed a password is when I have been forced to by some policy on the network, or in the case of unusual behavior that could indicate a potential compromise. I was recently notified that one of my email addresses was on a list of sites that had been breached, so I changed that account password immediately. So, the simple answer to this question is that I change my passwords only a reactive basis.
  2. On my network, I do not require users to change passwords. I emphasize to users that strong passwords are easy to create and remember and I help them do so. Forcing users to change them pretty much guarantees that they will choose something simple. A strong password is golden.
  3. Since I am the Network Administrator for my company, there is no policy forcing changing of passwords. And for my reasoning on this, I think it’s best communicated by saying I agree with this this article by Bruce Schneier.

What’s your take on the subject?

May 26, 2013  12:12 PM

Cipher challenge: Can you decrypt this?

Ken Harthun Ken Harthun Profile: Ken Harthun

encryptionTime for some crypto fun. If you have been following my posts, you know that I’m a crypto freak. I have loved codes and ciphers since grade school days (and that is quite a long time…). Surely, I was a secret agent or a cryptographer in another life; it’s simply fascinating to me. Anyway, the internet makes simple ciphers and cryptograms trivial to solve, but it still takes some ingenuity to figure out how the ciphertext was generated. So, here’s a challenge for you: Decrypt a simple sentence using any means at your disposal, including tools available on the internet.

It won’t be as easy as you might think. The sentence is very short, and does not contain the standard distribution of vowels and consonants, so you won’t figure it out that way. Moreover, the sentence contains every letter of the alphabet (hint, hint <wink>). And for those of you who think it’s going to be ROT-13, think again – it’s not. I have preserved the spaces to make your job slightly easier.  Here’s the sentence:


Have fun and post your solution in the comments.

May 26, 2013  2:05 AM

Security Now! Illustrated – Episode 17: PPTP and IPSEC VPN Technology

Ken Harthun Ken Harthun Profile: Ken Harthun

I simply love these Ask Mr. Wizard animations and illustrations of Steve Gibson’s Security Now! episodes. Here is the latest post, and it’s a good one. Note: There are several segments to this series and this video will refer you to them at the Ask Mr. Wizard site.

May 25, 2013  4:54 PM

Twitter now has two-factor authentication

Ken Harthun Ken Harthun Profile: Ken Harthun

twitter-bird-white-on-blueFrom SANS News Bites Vol. 15 No. 41:

Twitter has introduced two-factor authentication for account access.
Users who opt in to the feature provide Twitter with a mobile phone
number, and whenever they want to log in to their accounts, they will
be required to provide their regular passwords along with a verification
code which will be sent to the specified phone. The introduction of this
feature comes just weeks after several high-profile Twitter accounts
were compromised and misused.

It’s fairly straightforward to set this up on Twitter. Simply log into your account, go into settings, select Password and you’ll see this message at the top:


Click on the link and follow the instructions to set it up on your mobile phone. Once you do, there is a complete range of settings that allow you to customize text notifications. Do what you want with that. My main interest is in the two-factor authentication.

After you get the preliminaries completed, you’ll have to go into your Account menu and activate the option. Here’s what that looks like:


Once you do this, you should be good to go and Twitter will require a code every time you log in.

Sidenote: Twitter is now more secure than my bank which only asks for username and password. Go figure. But more on that in another post.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: