A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression. Case in point – the DPRK’s Red Star Linux distribution. In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines. One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data. The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.
The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.
The recent discovery of ‘back door’ code and hard-coded passwords in Juniper routers has come at a useful time. We don’t know where the code came from or how it got into Juniper’s supply chain, but none of the possibilities are particularly appetizing:
Insiders at Juniper, possibly posing an ongoing threat
Nation state actors, with either inside help or penetration of Juniper’s networks
Criminal actors, again with someone on the inside and/or access to Juniper’s network
All of this is happening as the debate rages about providing intelligence services with ‘back doors’ to allow them to defeat encryption in their efforts to prevent terrorism. To me, this incident is a great example of why this is a bad idea. Any back doors added to code will eventually be discovered by someone other than the person/organization that they were meant for, putting their capabilities at the service of repressive regimes, terrorists, criminals and other undesirables.
Now that the details of the Juniper issue are out in the world, I am hearing reports of many companies being scanned for vulnerable internet-connected devices. Juniper users worldwide have to get their networking staff working on identifying vulnerable devices and testing and applying the patches to them. This process takes more time, effort and cost than the average non-networking person would think. To top it all off, many shops are short-staffed at this time of year. Whoever was responsible for this may have put a large number of totally innocent organizations at risk (as well as the private data of their customers).
Law enforcement and intelligence agencies have lots of more targeted tools that they could use to specifically target those with larceny or violence in their hearts. Be creative, guys! Work to compromise the endpoints of your targets – roll up your sleeves and infect them with malware, scoop data from their mobile devices and do some old-fashioned HUMINT.
If it turns out that the perpetrators of this were non-state actors, my level of concern would be even greater, as this would mark a significant advance in cyber criminals’ capabilities.
In the end, while terrorists may use encrypted means to communicate, they also must leave trails in the real world – purchases and other suspicious activities come to mind.
To play devil’s advocate for a moment… Is my “you’ll have to pry crypto out of my cold, dead hands” stance so different from the loonies who think everyone from age 12 and up (including people on the no-fly list and with mental issues) needs an AR-15 to protect them from the guvnment and ISIS terrorists lurking under their beds? It seems to me that strong crypto is different from AR-15s… It has legitimate uses that protect us all from damage from all sorts of entities (guvnment and criminal). Terrorists use all sorts of dual-use tools (duct tape, timers, box cutters, etc.) in furtherance of their murderous plots. We aren’t banning all of these items because the risk/reward ratio is pretty clear. I would not feel any safer if everyone were to be banned from buying, say, ball bearings (potential bomb shrapnel) or renting trucks (potential VBIEDs). If we really want to save lives, ban smoking, cars, high-fat foods, sugar and about a zillion other things. But we aren’t doing away with these things, which would save many more lives than taking away crypto’s secrecy ever could.
Compromising the privacy and safety of everyone on the Internet is not a proportional response to a threat from a relatively small population.