Title: The True Story of the Internet Part II

The True Story of the InterNet
Part III

InfoWar
Final Frontier of the Digital Revolution
Behind the ElectroMagnetic Curtain

by TruthMonger

Copyright 1997 Pearl Publishing

InfoWar Table of Contents

Epilogue
I Broke PGP!

When ignorance is bliss, it is folly to be wise.

Epilogue

Discoveries of any great moment in mathematics and other disciplines, once they are discovered, are seen to be extremely simple and obvious, and make everybody, including their discoverer, appear foolish for not having discovered them before. It is all too often forgotten that the ancient symbol for prenascence of the world is a fool, and that foolishness, being a divine state, is not a condition to be either proud or ashamed of.

Unfortunately, we find systems of education today that have departed so far from the plain truth that they now teach us to be proud of what we know and ashamed of ignorance. This is doubly corrupt. It is corrupt not only because pride in knowledge is to put an effective barrier against any advance upon what is already known, since it makes one ashamed to look beyond the bounds imposed by one's ignorance.

To any person prepared to enter with respect into the realm of his great and universal ignorance, the secrets of being will eventually unfold, and they will do so in a measure according to his freedom from natural and indoctrinated shame in his respect of their revelation.

In the face of the strong, and indeed violent, social pressures against it, few people have been prepared to take this simple and satisfying course toward sanity. And in a society where a prominent psychiatrist can advertise that, given the chance, he would have treated Newton to electric shock therapy, who can blame any person for being afraid to do so?

To arrive at the simplest truth, as Newton knew and practiced, requires years of contemplation. Not an activity. Not reasoning. Not calculating. Not busy behavior of any kind. Not reading. Not talking.
Not making an effort. Not thinking. Simply bearing in mind what it is one needs to know. And yet those with the courage to tread this path to real discovery are not only offered practically no guidance on how to do so, they are actively discouraged and have to set about it in secret, pretending meanwhile to be diligently engaged in the frantic diversions and to conform with the deadening personal opinions that are being continually thrust upon them.

In these circumstances, the discoveries that any person is able to undertake represent the places where, in the face of induced psychosis, he has, by his own faltering and unaided efforts, returned to sanity. Painfully, and even dangerously, maybe. But nonetheless returned, however furtively.
-G. Spencer Brown.*

* The Laws of Form, London: Geo. Allen & Unwin, 1969.

"Whatever you do will be insignificant, but it is very important that you do it."
-Mahatma Gandhi

I Broke PGP!
by RTFM

How to Protect Public Keys from Tampering

In a public key cryptosystem, you don't have to protect public keys from exposure. In fact, it's better if they are widely disseminated. But it is important to protect public keys from tampering, to make sure that a public key really belongs to whom it appears to belong to. This may be the most important vulnerability of a public-key cryptosystem.

This whole business of protecting public keys from tampering is the single most difficult problem in practical public key applications. It is the Achilles' heel of public key cryptography, and a lot of software complexity is tied up in solving this one problem.

You should use a public key only after you are sure that it is a good public key that has not been tampered with, and actually belongs to the person it claims to. You can be sure of this if you got this public key certificate directly from its owner, or if it bears the signature of someone else that you trust, from whom you already have a good public key.
Also, the user ID should have the full name of the key's owner, not just her first name.

No matter how tempted you are-- and you will be tempted-- never, NEVER give in to expediency and trust a public key you downloaded from a bulletin board, unless it is signed by someone you trust. That uncertified public key could have been tampered with by anyone, maybe even by the system administrator of the bulletin board.

SECONDS: What is the hysteria to protect children from so-called obscene stuff?

GINSBERG: It's a demagogic political issue that can be used to divert attention from deeper corruptions like the S&L scandal or the rape of the planet by the post-industrial nations. Although we conquered literary censorship in books between the years '58 and '62 when, through a series of trials, Henry Miller, Lady Chatterley's Lover by D.H. Lawrence, Naked Lunch and Howl were all cleared and declared to be protected by the Constitution. That same kind of censorship which was used on literature and film now only applies to the main marketplace of ideas, electronic broadcasting.

SECONDS: Why do they want to censor things? Why don't they want people to become sexually excited?

GINSBERG: As Plato pointed out, "When the mode of music changes, the walls of the city shake." So when you have modern free speech in idiomatic language that people can understand and are interested in, immediately it becomes a political issue. Demagogues want to hush it up because people get to know too much. If you can get people by the balls you control their most deep-seated emotions, which are erotic. Once you control that you control all the other emotions. You take emotional control, blank out the Eros, and substitute a lot of violence.

Vulnerabilities
===============

No data security system is impenetrable. PGP can be circumvented in a variety of ways.
In any data security system, you have to ask yourself if the information you are trying to protect is more valuable to your attacker than the cost of the attack. This should lead you to protecting yourself from the cheapest attacks, while not worrying about the more expensive attacks.

Some of the discussion that follows may seem unduly paranoid, but such an attitude is appropriate for a reasonable discussion of vulnerability issues.

Compromised Pass Phrase and Secret Key

Probably the simplest attack is if you leave your pass phrase for your secret key written down somewhere. If someone gets it and also gets your secret key file, they can read your messages and make signatures in your name.

Don't use obvious passwords that can be easily guessed, such as the names of your kids or spouse. If you make your pass phrase a single word, it can be easily guessed by having a computer try all the words in the dictionary until it finds your password. That's why a pass phrase is so much better than a password. A more sophisticated attacker may have his computer scan a book of famous quotations to find your pass phrase. An easy to remember but hard to guess pass phrase can be easily constructed by some creatively nonsensical sayings or very obscure literary quotes.

For further details, see the section "How to Protect Secret Keys from Disclosure" in the Essential Topics volume of the PGP User's Guide.

Public Key Tampering

A major vulnerability exists if public keys are tampered with. This may be the most crucially important vulnerability of a public key cryptosystem, in part because most novices don't immediately recognize it. The importance of this vulnerability, and appropriate hygienic countermeasures, are detailed in the section "How to Protect Public Keys from Tampering" in the Essential Topics volume.

To summarize: When you use someone's public key, make certain it has not been tampered with.
A new public key from someone else should be trusted only if you got it directly from its owner, or if it has been signed by someone you trust. Make sure no one else can tamper with your own public key ring. Maintain physical control of both your public key ring and your secret key ring, preferably on your own personal computer rather than on a remote timesharing system. Keep a backup copy of both key rings.

"Not Quite Deleted" Files

Another potential security problem is caused by how most operating systems delete files. When you encrypt a file and then delete the original plaintext file, the operating system doesn't actually physically erase the data. It merely marks those disk blocks as deleted, allowing the space to be reused later. It's sort of like discarding sensitive paper documents in the paper recycling bin instead of the paper shredder. The disk blocks still contain the original sensitive data you wanted to erase, and will probably eventually be overwritten by new data at some point in the future. If an attacker reads these deleted disk blocks soon after they have been deallocated, he could recover your plaintext.

In fact this could even happen accidentally, if for some reason something went wrong with the disk and some files were accidentally deleted or corrupted. A disk recovery program may be run to recover the damaged files, but this often means some previously deleted files are resurrected along with everything else. Your confidential files that you thought were gone forever could then reappear and be inspected by whomever is attempting to recover your damaged disk. Even while you are creating the original message with a word processor or text editor, the editor may be creating multiple temporary copies of your text on the disk, just because of its internal workings. These temporary copies of your text are deleted by the word processor when it's done, but these sensitive fragments are still on your disk somewhere.

Let me tell you a true horror story.
I had a friend, married with young children, who once had a brief and not very serious affair. She wrote a letter to her lover on her word processor, and deleted the letter after she sent it. Later, after the affair was over, the floppy disk got damaged somehow and she had to recover it because it contained other important documents. She asked her husband to salvage the disk, which seemed perfectly safe because she knew she had deleted the incriminating letter. Her husband ran a commercial disk recovery software package to salvage the files. It recovered the files all right, including the deleted letter. He read it, which set off a tragic chain of events.

The only way to prevent the plaintext from reappearing is to somehow cause the deleted plaintext files to be overwritten. Unless you know for sure that all the deleted disk blocks will soon be reused, you must take positive steps to overwrite the plaintext file, and also any fragments of it on the disk left by your word processor. You can overwrite the original plaintext file after encryption by using the PGP -w (wipe) option. You can take care of any fragments of the plaintext left on the disk by using any of the disk utilities available that can overwrite all of the unused blocks on a disk. For example, the Norton Utilities for MSDOS can do this.

Even if you overwrite the plaintext data on the disk, it may still be possible for a resourceful and determined attacker to recover the data. Faint magnetic traces of the original data remain on the disk after it has been overwritten. Special sophisticated disk recovery hardware can sometimes be used to recover the data.

Viruses and Trojan Horses

Another attack could involve a specially-tailored hostile computer virus or worm that might infect PGP or your operating system. This hypothetical virus could be designed to capture your pass phrase or secret key or deciphered messages, and covertly write the captured information to a file or send it through a network to the virus's owner.
Or it might alter PGP's behavior so that signatures are not properly checked. This attack is cheaper than cryptanalytic attacks.

Defending against this falls under the category of defending against viral infection generally. There are some moderately capable anti-viral products commercially available, and there are hygienic procedures to follow that can greatly reduce the chances of viral infection. A complete treatment of anti-viral and anti-worm countermeasures is beyond the scope of this document. PGP has no defenses against viruses, and assumes your own personal computer is a trustworthy execution environment. If such a virus or worm actually appeared, hopefully word would soon get around warning everyone.

Another similar attack involves someone creating a clever imitation of PGP that behaves like PGP in most respects, but doesn't work the way it's supposed to. For example, it might be deliberately crippled to not check signatures properly, allowing bogus key certificates to be accepted. This "Trojan horse" version of PGP is not hard for an attacker to create, because PGP source code is widely available, so anyone could modify the source code and produce a lobotomized zombie imitation PGP that looks real but does the bidding of its diabolical master. This Trojan horse version of PGP could then be widely circulated, claiming to be from me. How insidious.

You should make an effort to get your copy of PGP from a reliable source, whatever that means. Or perhaps from more than one independent source, and compare them with a file comparison utility.

There are other ways to check PGP for tampering, using digital signatures. If someone you trust signs the executable version of PGP, vouching for the fact that it has not been infected or tampered with, you can be reasonably sure that you have a good copy. You could use an earlier trusted version of PGP to check the signature on a later suspect version of PGP.
But this will not help at all if your operating system is infected, nor will it detect if your original copy of PGP.EXE has been maliciously altered in such a way as to compromise its own ability to check signatures. This test also assumes that you have a good trusted copy of the public key that you use to check the signature on the PGP executable.

I recommend you not trust your copy of PGP unless it was originally distributed by MIT or ViaCrypt, or unless it comes with a digitally signed endorsement from me. Every new version comes with one or more digital signatures in the distribution package, signed by the originator of that release package. This is usually someone representing MIT or ViaCrypt, or whoever released that version. Check the signatures on the version that you get. I have actually seen several bogus versions of PGP distribution packages, even from apparently reliable freeware distribution channels such as CD-ROM distributors and CompuServe. Always check the signature when you get a new version.

Physical Security Breach

A physical security breach may allow someone to physically acquire your plaintext files or printed messages. A determined opponent might accomplish this through burglary, trash-picking, unreasonable search and seizure, or bribery, blackmail or infiltration of your staff. Some of these attacks may be especially feasible against grassroots political organizations that depend on a largely volunteer staff. It has been widely reported in the press that the FBI's COINTELPRO program used burglary, infiltration, and illegal bugging against antiwar and civil rights groups. And look what happened at the Watergate Hotel.

Don't be lulled into a false sense of security just because you have a cryptographic tool. Cryptographic techniques protect data only while it's encrypted-- direct physical security violations can still compromise plaintext data or written or spoken information.

This kind of attack is cheaper than cryptanalytic attacks on PGP.
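
An added example (not from the original page or the PGP distribution) for the '"Not Quite Deleted" Files' section above: a Python sketch of an overwrite-before-delete wipe in the spirit of the PGP -w option, next to a plain delete. The function names are hypothetical, and the hard link is this example's stand-in for disk blocks that outlive a deleted directory entry. The sketch does not reach editor temporary files, and on journaling or copy-on-write filesystems and on flash media an in-place overwrite may leave the old physical blocks untouched.

```python
import os
import tempfile

CHUNK = 64 * 1024  # overwrite in bounded chunks so large files do not fill RAM

# Constructed sample plaintext, standing in for the letter in the story above.
SECRET = b"constructed sample plaintext: meet me at noon"


def wipe_file(path, passes=1):
    """Overwrite a file's bytes in place, force them to disk, then unlink it."""
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so the existing blocks are rewritten
    # rather than released to the free list with their contents intact.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push past the OS cache before unlinking
    os.remove(path)


def plaintext_survives(workdir, remover):
    """Remove a plaintext file with `remover`; report if SECRET is still readable.

    A hard link plays the role of the disk blocks that a disk recovery tool
    would read: it keeps the data reachable after the file name is gone.
    """
    plain = os.path.join(workdir, "letter.txt")
    blocks = os.path.join(workdir, "recovered.view")
    with open(plain, "wb") as f:
        f.write(SECRET)
    os.link(plain, blocks)
    remover(plain)
    with open(blocks, "rb") as f:
        found = SECRET in f.read()
    os.remove(blocks)
    return found


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("after plain delete:", plaintext_survives(d, os.remove))
        print("after wipe_file:  ", plaintext_survives(d, wipe_file))
```
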

Tempest Attacks

Another kind of attack that has been used by well-equipped opponents involves the remote detection of the electromagnetic signals from your computer. This expensive and somewhat labor-intensive attack is probably still cheaper than direct cryptanalytic attacks. An appropriately instrumented van can park near your office and remotely pick up all of your keystrokes and messages displayed on your computer video screen. This would compromise all of your passwords, messages, etc. This attack can be thwarted by properly shielding all of your computer equipment and network cabling so that it does not emit these signals. This shielding technology is known as "Tempest", and is used by some Government agencies and defense contractors. There are hardware vendors who supply Tempest shielding commercially, although it may be subject to some kind of Government licensing. Now why do you suppose the Government would restrict access to Tempest shielding?

Exposure on Multi-user Systems

PGP was originally designed for a single-user MSDOS machine under your direct physical control. I run PGP at home on my own PC, and unless someone breaks into my house or monitors my electromagnetic emissions, they probably can't see my plaintext files or secret keys.

But now PGP also runs on multi-user systems such as UNIX and VAX/VMS. On multi-user systems, there are much greater risks of your plaintext or keys or passwords being exposed. The Unix system administrator or a clever intruder can read your plaintext files, or perhaps even use special software to covertly monitor your keystrokes or read what's on your screen. On a Unix system, any other user can read your environment information remotely by simply using the Unix "ps" command. Similar problems exist for MSDOS machines connected on a local area network.

The actual security risk is dependent on your particular situation.
Some multi-user systems may be safe because all the users are trusted, or because they have system security measures that are safe enough to withstand the attacks available to the intruders, or because there just aren't any sufficiently interested intruders. Some Unix systems are safe because they are only used by one user-- there are even some notebook computers running Unix. It would be unreasonable to simply exclude PGP from running on all Unix systems.

PGP is not designed to protect your data while it is in plaintext form on a compromised system. Nor can it prevent an intruder from using sophisticated measures to read your secret key while it is being used. You will just have to recognize these risks on multi-user systems, and adjust your expectations and behavior accordingly. Perhaps your situation is such that you should consider running PGP only on an isolated single-user system under your direct physical control. That's what I do, and that's what I recommend.

Traffic Analysis

Even if the attacker cannot read the contents of your encrypted messages, he may be able to infer at least some useful information by observing where the messages come from and where they are going, the size of the messages, and the time of day the messages are sent. This is analogous to the attacker looking at your long distance phone bill to see who you called and when and for how long, even though the actual content of your calls is unknown to the attacker. This is called traffic analysis. PGP alone does not protect against traffic analysis. Solving this problem would require specialized communication protocols designed to reduce exposure to traffic analysis in your communication environment, possibly with some cryptographic assistance.

Protecting Against Bogus Timestamps

A somewhat obscure vulnerability of PGP involves dishonest users creating bogus timestamps on their own public key certificates and signatures.
You can skip over this section if you are a casual user and aren't deeply into obscure public key protocols.

There's nothing to stop a dishonest user from altering the date and time setting of his own system's clock, and generating his own public key certificates and signatures that appear to have been created at a different time. He can make it appear that he signed something earlier or later than he actually did, or that his public/secret key pair was created earlier or later. This may have some legal or financial benefit to him, for example by creating some kind of loophole that might allow him to repudiate a signature.

I think this problem of falsified timestamps in digital signatures is no worse than it is already in handwritten signatures. Anyone may write a date next to their handwritten signature on a contract with any date they choose, yet no one seems to be alarmed over this state of affairs. In some cases, an "incorrect" date on a handwritten signature might not be associated with actual fraud. The timestamp might be when the signator asserts that he signed a document, or maybe when he wants the signature to go into effect.

In situations where it is critical that a signature be trusted to have the actual correct date, people can simply use notaries to witness and date a handwritten signature. The analog to this in digital signatures is to get a trusted third party to sign a signature certificate, applying a trusted timestamp. No exotic or overly formal protocols are needed for this. Witnessed signatures have long been recognized as a legitimate way of determining when a document was signed.

A trustworthy Certifying Authority or notary could create notarized signatures with a trustworthy timestamp. This would not necessarily require a centralized authority. Perhaps any trusted introducer or disinterested party could serve this function, the same way real notary publics do now.
When a notary signs other people's signatures, it creates a signature certificate of a signature certificate. This would serve as a witness to the signature the same way real notaries now witness handwritten signatures. The notary could enter the detached signature certificate (without the actual whole document that was signed) into a special log controlled by the notary. Anyone can read this log. The notary's signature would have a trusted timestamp, which might have greater credibility or more legal significance than the timestamp in the original signature.

There is a good treatment of this topic in Denning's 1983 article in IEEE Computer (see references). Future enhancements to PGP might have features to easily manage notarized signatures of signatures, with trusted timestamps.

Cryptanalysis

An expensive and formidable cryptanalytic attack could possibly be mounted by someone with vast supercomputer resources, such as a Government intelligence agency. They might crack your RSA key by using some new secret factoring breakthrough. Perhaps so, but it is noteworthy that the US Government trusts the RSA algorithm enough in some cases to use it to protect its own nuclear weapons, according to Ron Rivest. And civilian academia has been intensively attacking it without success since 1978.

Perhaps the Government has some classified methods of cracking the IDEA(TM) conventional encryption algorithm used in PGP. This is every cryptographer's worst nightmare. There can be no absolute security guarantees in practical cryptographic implementations.

Still, some optimism seems justified. The IDEA algorithm's designers are among the best cryptographers in Europe. It has had extensive security analysis and peer review from some of the best cryptanalysts in the unclassified world. It appears to have some design advantages over the DES in withstanding differential and linear cryptanalysis, which have both been used to crack the DES.
Besides, even if this algorithm has some subtle unknown weaknesses, PGP compresses the plaintext before encryption, which should greatly reduce those weaknesses. The computational workload to crack it is likely to be much more expensive than the value of the message.

If your situation justifies worrying about very formidable attacks of this caliber, then perhaps you should contact a data security consultant for some customized data security approaches tailored to your special needs. Boulder Software Engineering, whose address and phone are given at the end of this document, can provide such services.

In summary, without good cryptographic protection of your data communications, it may have been practically effortless and perhaps even routine for an opponent to intercept your messages, especially those sent through a modem or E-mail system. If you use PGP and follow reasonable precautions, the attacker will have to expend far more effort and expense to violate your privacy.

If you protect yourself against the simplest attacks, and you feel confident that your privacy is not going to be violated by a determined and highly resourceful attacker, then you'll probably be safe using PGP. PGP gives you Pretty Good Privacy.

Copyright Anonymous

Son, if you think it appropriate, you might tell your mom: The Aztecs were extremely clean. The Spanish conquistadors were extremely dirty. The Spaniards won.
LMBoyd Web Site
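
An added example (not part of the original page or of PGP) for the "Protecting Against Bogus Timestamps" section above: a Python sketch of the notary's public log of witnessed detached signatures, showing that a relying party reads the notary's time rather than the signer's claimed time, and that rewriting a log entry to backdate it is detectable. The class and function names, the SHA-256 hash chain used to make the log tamper-evident, and the opaque byte strings standing in for detached signatures are all assumptions of this example; the notary's own public-key signature over each entry is omitted.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash value used by the first log entry


def _entry_hash(index, notary_time, sig_digest, prev):
    body = json.dumps([index, notary_time, sig_digest, prev]).encode()
    return hashlib.sha256(body).hexdigest()


class NotaryLog:
    """Append-only public log of witnessed detached signatures."""

    def __init__(self):
        self.entries = []

    def witness(self, detached_sig, notary_time):
        """Record a detached signature under the notary's own clock reading."""
        if self.entries and notary_time < self.entries[-1]["time"]:
            raise ValueError("notary clock went backwards")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256(detached_sig).hexdigest()
        index = len(self.entries)
        entry = {"index": index, "time": notary_time, "sig": digest, "prev": prev,
                 "hash": _entry_hash(index, notary_time, digest, prev)}
        self.entries.append(entry)
        return entry


def verify_log(entries):
    """Any reader can recheck the log: linkage, entry hashes, time ordering."""
    prev, last_time = GENESIS, None
    for i, e in enumerate(entries):
        if e["index"] != i or e["prev"] != prev:
            return False
        if e["hash"] != _entry_hash(e["index"], e["time"], e["sig"], e["prev"]):
            return False
        if last_time is not None and e["time"] < last_time:
            return False
        prev, last_time = e["hash"], e["time"]
    return True


def witnessed_time(entries, detached_sig):
    """Return the notary's time for a signature, or None if never witnessed."""
    digest = hashlib.sha256(detached_sig).hexdigest()
    for e in entries:
        if e["sig"] == digest:
            return e["time"]
    return None


def demo():
    log = NotaryLog()
    # Constructed sample: opaque bytes stand in for PGP detached signatures,
    # and the integers are made-up clock readings.
    backdated = b"detached-sig: claimed-time=800000000 doc=contract"
    log.witness(b"detached-sig: some earlier document", 869000000)
    log.witness(backdated, 870000000)  # the notary's clock, not the signer's
    honest_ok = verify_log(log.entries)
    seen_at = witnessed_time(log.entries, backdated)
    # A copy of the log is edited so the entry matches the signer's claimed date.
    forged = [dict(e) for e in log.entries]
    forged[1]["time"] = 800000000
    return honest_ok, seen_at, verify_log(forged)
```
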