3 Important Lessons from a Canadian Border Crossing
By Jeffrey Tucker
Sep 17 2013
<http://lfb.org/today/3-important-lessons-from-a-canadian-border-crossing/>
I was at the Canadian border, headed toward the freedom that exists a few feet beyond the last security check. I was gently waved down a side corridor.
Ninety minutes later, I was let go, but not before something truly alarming happened. I’m pretty sure that the Canadian government captured a mirrored version of my smartphone — which pretty much holds the whole of my life.
I’ll explain precisely how this happened in just a bit — in the hopes that perhaps you can take precautions that I did not. But let’s first establish that this practice is not unusual. According to documents obtained by the American Civil Liberties Union, this has become the standard backdoor method of search used today by governments around the world.
At border crossings, governments have discovered that they can get away with seizing and searching electronic devices from smartphones to laptops to tablets. The reason is that it is standard practice that border officials can ask you anything. Anything at all. You have to answer. They can make you empty the full contents of your brain and check for even the smallest misstatement. You can refuse to answer, but then you can expect detention for untold amounts of time. So of course, you comply.
If this is standard practice, it makes perfect sense that there is not anything they are not entitled to know. This is why they have begun to profile people based on their devices.
Maybe there was nothing I could have done to stop it. Maybe I was somehow fated to be among the 15 that were hit with this. But as I look back, I realize now that I was far too nonchalant in my whole approach. I’ve crossed that border dozens of times and never had any trouble. I expected no trouble this time.
The problem began at passport check. I was coming into Canada just to visit friends, but my dress suggested business. An official later confirmed to me that this was the first point that caused me to be flagged. Then, in stating my traveling route to get to that point, I flubbed a bit on the cities I had been in (some I entered by car and others by plane). I just wasn’t focusing, and I was just a bit too chatty and casual.
As I became increasingly flustered, the agent apparently marked my customs form to indicate that I should undergo a secondary screening. I didn’t know this had happened. As I casually presented my form to the last agent in the line, he signaled for me to follow a different path. I did so. There were no agents around. There were no officials. I just walked and walked until I found myself in a long and nearly empty room.
I realized that I was going to be there for a few minutes at least, and that I was in some kind of lineup. I was, essentially, under arrest. Unguarded, but arrested. There was nowhere to go. I could not go forward nor could I go back. There was no one to protest to.
I asked the people ahead of me how long they had been there. Forty-five minutes. I pulled out my laptop and started watching an episode of Breaking Bad to pass the time.
After about an hour, I was called up. At first, everything seemed fine. The official wanted some clarification about whom I was visiting. They wanted the phone number in particular — a startling demand, but one never knows for sure when one should comply or refuse. Of course, I didn’t have the number memorized.
This was (I think) when I made my fateful decision. I reached into my pocket. I pulled out my smartphone. I unlocked it. I pulled up the contact information. Instead of reading it out loud, I showed the agent the number. She calmly took the phone — which I thought she was doing so she could see the number better.
In an instant, she was gone. She went to some back room somewhere. I stood there at the counter, completely unguarded. My heart started to race. My palms grew sweaty. I began to fidget. After all, my whole life was suddenly in the hands of a government official. My emails, my phone calls, my Facebook messages, my contacts far and wide, my financial information, my browsing history — even my diet and exercise routines were there.
And incredibly, I had unlocked it all and handed it over.
[snip]
Torvalds On Being Asked to Insert a U.S. Government Back Door Into Linux Kernel
Sep 19 2013
<http://www.cryptogon.com/?p=37041>
NSA Backdoor
Torvalds was also asked if he had ever been approached by the U.S. government to insert a backdoor into Linux.
Torvalds responded “no” while shaking his head “yes,” as the audience broke into spontaneous laughter.
So given Torvalds' response to the backdoor question, take a look at this item from 2003:
Thwarted Linux backdoor hints at smarter hacks
By Kevin Poulsen, SecurityFocus
2003-11-06
<http://www.securityfocus.com/news/7388>
Software developers on Wednesday detected and thwarted a hacker’s scheme to submerge a slick backdoor in the next version of the Linux kernel, but security experts say the abortive caper proves that extremely subtle source code tampering is more than just the stuff of paranoid speculation.
The backdoor was a two-line addition to a development copy of the Linux kernel’s source code, carefully crafted to look like a harmless error-checking feature added to the wait4() system call — a function that’s available to any program running on the computer, and which, roughly, tells the operating system to pause execution of that program until another program has finished its work.
Under casual inspection, the code appears to check if a program calling wait4() is using a particular invalid combination of two flags, and if the user invoking it is the computer’s all-powerful root account. If both conditions are true, it aborts the call.
But up close, the code doesn’t actually check if the user is root at all. If it sees the flags, it grants the process root privileges, turning wait4() into an instant doorway to complete control of any machine, if the hacker knows the right combinations of flags.
That difference between what the code looks like and what it actually is — that is, between assignment and comparison — is a matter of a single equal sign in the C programming language, making it easy to overlook. If the addition had been detected in a normal code review, the backdoor could even have been mistaken for a programming error — no different from the buffer overflows that wind up in Microsoft products on a routine basis. “It’s indistinguishable from an accidental bug,” says security consultant Ryan Russell. “So unless you have a reason to be suspicious, and go back and find out if it was legitimately checked in, that’s going to be a long trail to follow.”
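The assignment-versus-comparison difference described above, reduced to a user-space C model. This is an added example, not the code from the kernel tree or from the article; the flag names, the struct and the function names are hypothetical stand-ins.

```c
#include <stdio.h>

/* Constructed stand-ins: the article does not give the real flag names
   or kernel structures. */
#define OPT_A 0x1u
#define OPT_B 0x2u
#define ERR_INVALID (-22)

struct task { unsigned int uid; };   /* uid 0 models root */

/* "Before": reads like "reject this flag combination when the caller is
   root", but `=` assigns. The assignment runs only when the flags match
   (&& short-circuits) and evaluates to 0, so the branch is never taken:
   no error is returned and the caller's uid is silently set to 0.
   The parentheses around the assignment also keep the usual
   assignment-in-condition compiler warning quiet. */
int wait_check_backdoored(struct task *t, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_A | OPT_B)) && (t->uid = 0))
        retval = ERR_INVALID;
    return retval;
}

/* What the code appeared to be: a pure comparison. Taking the task as
   a const pointer turns any stray `=` here into a compile error. */
int wait_check_intended(const struct task *t, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_A | OPT_B)) && (t->uid == 0))
        retval = ERR_INVALID;
    return retval;
}

int main(void)
{
    struct task a = { 1000 }, b = { 1000 };
    int ra = wait_check_backdoored(&a, OPT_A | OPT_B);
    int rb = wait_check_intended(&b, OPT_A | OPT_B);
    printf("backdoored: ret=%d uid=%u\n", ra, a.uid);
    printf("intended:   ret=%d uid=%u\n", rb, b.uid);
    return 0;
}
```

In review, a check that writes to the object it claims to inspect is the signal to look for; const-qualifying inputs to validation code lets the compiler enforce that.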
Investigation Underway
In all, the unknown hacker used exactly the sort of misdirection and semantic trickery that security professionals talk about over beer after a conference, while opining on how clumsy the few discovered source code backdoors have been, and how a real cyber warrior would write one.
[snip]
Stop using NSA-influenced code in our products, RSA tells customers
Firm “strongly recommends” customers stop using RNG reported to contain NSA backdoor.
by Dan Goodin – Sept 19 2013, 7:43pm EDT
Officials from RSA Security are advising customers of the company’s BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in the products that was recently revealed to contain a backdoor engineered by the National Security Agency.
An advisory sent to select RSA customers on Thursday confirms that both products by default use something known as Dual_EC_DRBG when creating cryptographic keys. The specification, which was approved in 2006 by the National Institute of Standards and Technology (NIST) and later by the International Organization for Standardization, contains a backdoor that was inserted by the NSA, the New York Times reported last week. RSA’s advisory came 24 hours after Ars asked the company if it intended to warn BSAFE customers about the deliberately crippled pseudo random number generator (PRNG), which is so weak that it undermines the security of most or all cryptography systems that use it.
“To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG,” the RSA advisory stated. “Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation” on RSA’s websites.
The BSAFE library is used to implement cryptographic functions into products, including at least some versions of the McAfee Firewall Enterprise Control Center, according to NIST certifications. The RSA Data Protection Manager is used to manage cryptographic keys. Confirmation that both use the backdoored RNG means that an untold number of third-party products may be bypassed not only by advanced intelligence agencies, but possibly by other adversaries who have the resources to carry out attacks that use specially designed hardware to quickly cycle through possible keys until the correct one is guessed.
McAfee representatives issued a statement that confirmed the McAfee Firewall Enterprise Control Center 5.3.1 supported the Dual_EC_DRBG, but only when deployed in federal government or government contractor customer environments, where this FIPS certification has recommended it. The product uses the newer SHA1 PRNG random number generator in all other settings.
The NIST certification page lists dozens of other products that also use the weak RNG. Most of those appear to be one-off products. More significant is the embrace of BSAFE as the default RNG, because the tool has the ability to spawn a large number of derivative crypto systems that are highly susceptible to being broken.
<http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/>