This is what it’s really for

New Zealand Used NSA System to Target Officials, Anti-Corruption Campaigner – The Intercept:

Analysts from Government Communications Security Bureau, or GCSB, programmed the Internet spy system XKEYSCORE to intercept documents authored by the closest aides and confidants of the prime minister on the tiny Solomon Islands. The agency also entered keywords into the system so that it would intercept documents containing references to the Solomons’ leading anti-corruption activist, who is known for publishing government leaks on his website.

The CIA Campaign to Steal Apple’s Secrets

The CIA Campaign to Steal Apple’s Secrets:

A few months after Comey’s remarks, Robert Litt, the general counsel for the Office of the Director of National Intelligence, also appeared at Brookings. “One of the many ways in which Snowden’s leaks have damaged our national security is by driving a wedge between the government and providers and technology companies, so that some companies that formerly recognized that protecting our nation was a valuable and important public service now feel compelled to stand in opposition,” Litt said. He appealed to corporations to embrace “a solution that does not compromise the integrity of encryption technology but that enables both encryption to protect privacy and decryption under lawful authority to protect national security.”

(Via The Intercept)

The official line seems to be that it’s ok for the US government to break any law or constitution it pleases as long as the public doesn’t know. It’s not the government’s fault for breaking the law, it’s Snowden’s fault for letting us know.

The governments (all of them) tried to drive a wedge between the tech companies and the users but failed, at least a little bit. Litt turns this narrative around and claims that Snowden’s revelations are driving a wedge between the tech companies and the government. No, it’s the act of the governments that is driving a wedge between themselves and the rest of us, tech companies, providers, and the public alike.

The pure gall is breathtaking.

Do read the article. There’s a lot of worrying stuff in there, including the attempt to subvert the Xcode tool chain in order to build malware into other developers’ executables.

Another nail in the privacy coffin

This is another thing the EU is cooking up. This document wasn’t intended for the public, of course. Basically, the EU wants providers (web sites) to provide them with the secret encryption keys for SSL.

Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralized encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible. The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights access of the relevant national authorities to communications (i.e. share encryption keys). 

How even key escrow won’t work for Cameron

How is Cameron going to ensure that law enforcement can read all communications? One way would be to provide systems with “back doors”, that is, to introduce intentional vulnerabilities. We all know that won’t work. Or rather, it will work much better than intended, if you get my drift.

Some, including Steve Gibson, maintain that it can in fact be done by having law enforcement maintain a secret, well-guarded key and mandating that every message sent includes that key as an encryption target. That would allow LE to decrypt the message with its very carefully guarded secret key, if need be. All this without weakening the actual encryption mechanism.

The problem with this is that LE can’t know if everyone is following the law without actually trying to decrypt messages flying by. And to do that on a large scale by necessity implies that the “highly guarded” secret key must be available on a large number of systems, exposing it to compromise.

Even if we stipulate that there is some, hitherto unknown, mechanism that allows LE to verify that messages in fact include the LE destination without having the secret key available, they still can’t know if the encryption is valid until attempted. For instance, the encrypted symmetric key may be intentionally wrong. Or, the encrypted message may contain another encrypted message which does not contain the LE mandated item. And that, in turn, can only be discovered once you perform the actual decryption, which requires the “highly protected” government key.

In other words, it won’t work.
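The argument above, worked through as an added example (not from the original post): each message carries its symmetric key wrapped once for the recipient and once for the LE key, and a structural check that needs no secret cannot tell a correct LE field from filler; only unwrapping with the LE private key shows the difference. The hashed-ElGamal wrap over a 255-bit prime, the SHA-256 keystream and all function names are assumptions chosen so the example runs on the standard library; they are not secure parameters.

```python
import hashlib, hmac, secrets

# Toy parameters for illustration only (assumption, not secure for real use).
P = 2**255 - 19
G = 2

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _kek(shared):
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def wrap(pub, key):
    # Hashed ElGamal: ephemeral value plus the key XORed with a derived mask.
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), bytes(a ^ b for a, b in zip(key, _kek(pow(pub, r, P))))

def unwrap(sk, field):
    c1, wrapped = field
    return bytes(a ^ b for a, b in zip(wrapped, _kek(pow(c1, sk, P))))

def seal(key, plaintext):
    # SHA-256 counter-mode keystream plus an HMAC tag (toy construction).
    blocks = range(len(plaintext) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()

def send(recipient_pub, le_pub, plaintext, comply=True):
    key = secrets.token_bytes(32)
    ct, tag = seal(key, plaintext)
    if comply:
        le_field = wrap(le_pub, key)
    else:
        # Same shape as a real wrap, but not derived from the message key.
        le_field = (secrets.randbelow(P - 2) + 1, secrets.token_bytes(32))
    return {"to": wrap(recipient_pub, key), "le": le_field, "ct": ct, "tag": tag}

def check_without_key(msg):
    # All a monitoring point can verify without the LE private key.
    c1, wrapped = msg["le"]
    return 0 < c1 < P and len(wrapped) == 32

def check_with_key(le_sk, msg):
    # Real verification: unwrap with the private key and test the tag.
    key = unwrap(le_sk, msg["le"])
    expected = hmac.new(key, msg["ct"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["tag"])

if __name__ == "__main__":
    le_sk, le_pub = keygen()
    _, rcpt_pub = keygen()
    for comply in (True, False):
        m = send(rcpt_pub, le_pub, b"constructed sample message", comply)
        print(comply, check_without_key(m), check_with_key(le_sk, m))
```

Both messages pass the keyless check, so verifying compliance at scale means running `check_with_key` at every monitoring point, which is exactly the key exposure described above.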

You cannot trust

Caspar Bowden spoke at the 31c3 conference. Snippets:

I told my technology officers at Microsoft that if you sell cloud computing services to your own governments, this means that the NSA can do unlimited surveillance on that data. […] two months later they did fire me.

“Technology officers” represent Microsoft in their respective countries.

On the “FISA Amendment Act of 2008 (Sec 702)”:

This means if you are not American, you cannot trust U.S. software services!!

Exactly.

The US congress was laughing, laughing at the idea that you have privacy rights. That is the climate of the US privacy debate.

“You”, in that sentence, refers to non-US persons outside the US.

FISAAA offers zero protection to foreigners’ data in US clouds.

US is “exceptionally exceptional”: The number of references in surveillance law that discriminate by citizenship/nationality (NOT geography of communication path), per country:

US: 40, UK: zero, Germany: 1, Canada: 2, New Zealand: 2, Australia: 2. No others.

On whistleblowers:

We need to give them watertight asylum, and probably some incentives, some rewards. I actually proposed to the parliament [EU parliament] that the whistleblower should get 25% of any fines subsequently exacted.

 Big applause from the audience…

How do people know politicians and officials aren’t influenced by fear of NSA spying in their own private life? […] this is highly corrosive to democracy!

Finally:

The thoughts that Edward Snowden has put in the minds of people cannot now be unthought.

What this all means, in practice, relating back to medical applications, is that we (Europeans) can’t use US software or services, which includes medical records such as EPIC, data analysis services such as IMS Health, data storage such as Amazon, Azure, iCloud, backup solutions (unless encrypted client side), or even US operating systems such as Android, iOS, OSX, Windows, a series of embedded OS, etc. At least not if we care about our patients’ right to privacy.

SRX100 Junos dynamic VPN, Win7, OSX, VPNTracker

(Update March 6, 2014: The Junos “standard” proposal actually includes 3DES in both phase 1 and phase 2, still making it hard for VPNTracker to connect. What we need to do is create a custom proposal for each phase with only AES in it. I updated the text to reflect that.)

(Update November 11, 2014: VPN Tracker 7 failed for me if there were multiple remote networks configured. VPN Tracker 8 works fine with multiple remote networks, though, but you have to switch off the option under “advanced” that says “Establish a separate phase 2 tunnel for each remote network”. That option is new with VPN Tracker 8. I added that step in the text, but I didn’t update the screen shots. They’re all from VPN Tracker 7 still.)

So this is what I needed to accomplish: get one single SRX100 running Junos 12.1X44D20 to have a site-to-site VPN to another SRX100, while also having a dynamic VPN working with both Windows 7 clients and Mac OSX 10.9 clients. And I succeeded, except not for free. I’m not mentioning the site-to-site setup in what follows, since it does not interact with dynamic VPNs.

The SRX100 has a Windows VPN client built in, such that if you connect with a Win7 machine, it lets you log in using a web interface, then offers you a download of the Junos Pulse client, already completely configured for that SRX100. This works like a charm. The problem is that there is no Junos Pulse client for OSX, which I think is really weird. I love Juniper, but man, what’s up with this?

The client everyone recommends for this is VPN Tracker, a pretty expensive piece of very nice software from Equinux. But, of course, even though VPNTracker supports a truckload of firewalls, the SRX series is not among them. The software is very configurable, however, so even though there’s no guide, there’s a way.

First, take the lazy way and fire up the J-Web interface to the SRX100 (yes, I know, I lost all cred by doing this, but having to choose between self-respect and actually having a life, I finally crumbled, left the command line and took to the browser). To my defence, the J-Web interface is actually pretty darn good, at least compared to the Netscreen interface on the SSG5.

From experiments and a lot of searching on the interwebs, it’s clear there is a problem somehow with the DES and/or 3DES algorithms with the SRX100 and/or VPNTracker. They just can’t negotiate a phase 1 proposal, with VPNTracker failing in phase 1. The solution is to set the SRX100 to not use DES or 3DES, by selecting “Standard” in both “IKE Security Level” and “IPSec Security Level”.

The solution is to create a custom phase 1 proposal and phase 2 proposal that does not include DES or 3DES. In the SRX configuration, do:

set security ike proposal ike_prop_aesonly description "reduced proposal for vpntracker"
set security ike proposal ike_prop_aesonly authentication-method pre-shared-keys
set security ike proposal ike_prop_aesonly dh-group group2
set security ike proposal ike_prop_aesonly authentication-algorithm sha1
set security ike proposal ike_prop_aesonly encryption-algorithm aes-128-cbc
set security ike proposal ike_prop_aesonly lifetime-seconds 86400

set security ike policy ike_pol_wizard_dyn_vpn proposals ike_prop_aesonly

Don’t forget to remove the policy-set standard you had from before. The “ike_pol_wizard_dyn_vpn” can have another name on your system, of course.

and…

set security ipsec proposal ipsec_prop_aesonly description "reduced proposal for vpntracker"
set security ipsec proposal ipsec_prop_aesonly protocol esp
set security ipsec proposal ipsec_prop_aesonly authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_prop_aesonly encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec_prop_aesonly lifetime-seconds 3600

set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals ipsec_prop_aesonly

Also, choose group 2 in IPSec Perfect Forward Secrecy (I haven’t experimented with other values here). With these choices, there’s no use of DES or 3DES. Note the IKE Preshared key and Remote Identity values. In the next screen, you choose users and stuff, and I’m not going to show you mine. Nothing there has a bearing on this description anyway.
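A quick way to confirm that claim on a running box, as an added example that is not part of the original post: the script reads "show configuration | display set" output and reports any IKE or IPsec policy that can still negotiate DES or 3DES, including a leftover predefined set (the Junos statement is `proposal-set`). The sample configuration is constructed from the names used above, and the script assumes one proposal name per `proposals` line.

```python
import re

WEAK = {"des-cbc", "3des-cbc"}  # Junos names for the ciphers the post removes

PROPOSAL = re.compile(
    r"set security (ike|ipsec) proposal (\S+) encryption-algorithm (\S+)")
POLICY = re.compile(
    r"set security (ike|ipsec) policy (\S+) (proposals|proposal-set) (\S+)")

def audit(config_text):
    """Return (phase, policy, problem) tuples for policies that can still
    negotiate DES/3DES. Input is 'display set' formatted configuration."""
    ciphers, refs, findings = {}, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PROPOSAL.match(line):
            ciphers[(m[1], m[2])] = m[3]
        elif m := POLICY.match(line):
            refs.append(m.groups())
    for phase, policy, stmt, value in refs:
        if stmt == "proposal-set":
            # Predefined sets are opaque to this script; the post found that
            # "standard" still includes 3DES, so any leftover set is flagged.
            findings.append((phase, policy, f"predefined proposal-set {value}"))
        elif (phase, value) not in ciphers:
            findings.append((phase, policy, f"proposal {value} has no cipher set"))
        elif ciphers[(phase, value)] in WEAK:
            findings.append(
                (phase, policy, f"proposal {value} uses {ciphers[(phase, value)]}"))
    return findings

# Constructed sample: phase 1 already uses the AES-only proposal, while the
# phase 2 policy still points at the predefined set the wizard generated.
SAMPLE = """\
set security ike proposal ike_prop_aesonly encryption-algorithm aes-128-cbc
set security ike policy ike_pol_wizard_dyn_vpn proposals ike_prop_aesonly
set security ipsec proposal ipsec_prop_aesonly encryption-algorithm aes-128-cbc
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set standard
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```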

[Screenshot: J-Web VPN wizard on the SRX100]

So, with this set, first try to log in using Win7, download the Junos Pulse client and connect. This should work without anything else but your login credentials that you set in the screen “Remote Users” (that I didn’t show) in the VPN Wizard on the SRX100.

Now, back to VPNTracker. In the “Basic screen” of your connection setup, you enter the following:

[Screenshot: VPN Tracker 7, “Basic” settings]

And in the second, “Advanced”, you enter the following:

[Screenshot: VPN Tracker 7, “Advanced” settings]

Notable items in the first of the two screens (“Basic”) are:

  • Network configuration: “Mode Config”
  • Identifiers, local: “FQDN”, with the “shoehorn” name you entered in the SRX100 VPN Wizard as “Remote Identity”
  • Identifiers, remote: “Don’t verify”

Notable items in the second (“Advanced”) screen, where we take care to only select the algorithms included in the Junos SRX100 “Standard” set, which is AES-128, SHA-1, and DH Group2 in both phase 1 and phase 2, and DH Group2 for PFS in phase 2:

  • Exchange mode: Aggressive
  • Phase 1 encryption: AES-128 only
  • Phase 1 hash: SHA1 only
  • Diffie-Hellman: group 2
  • Phase 2 encryption: AES-128 only
  • In VPN Tracker 8, there is here a checkbox “Establish a separate phase 2 tunnel for each remote network”. This should be off.
  • Authentication: HMAC SHA1 only
  • PFS: DH Group 2

There’s one last, hard to find, little detail: you have to change the ike-user-type on the SRX100 from “shared-ike-id”, as the wizard generated it, to “group-ike-id”. You do this through the command line on the SRX100. Assuming your SRX100 VPN Wizard generated the gateway name “gw_wizard_dyn_vpn”, which it probably did, it goes like so:

set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
commit

Interestingly, you don’t have to change your remote identifier in any way, either on the SRX100 or in VPNTracker. From now on, you can connect.

Now, amazingly, you can connect with VPNTracker from OSX 10.9 while at the same time using the Junos Pulse client from Win7. All you have to do now is cough up $100 or $200 for VPNTracker (depending on version).

The SRX100 comes with two simultaneous dynamic VPN connections by default. You can get five connections with an extra license (SRX-RAC-5-LTU) for around $150, but I don’t know if that leaves you with a total of five or seven simultaneous connections.

Southend Enterprises scam

Just this afternoon I got a call from “iAssist” who wanted to fix my computer, since it had malware, or was out of support or something. It was the regular fare with them taking over my computer to “fix” it for me. So I let him do just that.

While I “doddered” around and “tried” to boot my computer, I opened an old XP I have for experiments under Parallels, booted up my ScreenFlow screen capture, did a system snapshot, and then let him have at it. He’d called me on our home number on a DECT phone, so it took me a while to figure out how to get the sound, but finally I simply held a little Olympus hand recorder next to my ear, and that’s pretty good. Had to make him wait, mumbling something about having a prostate problem or something, while I got out the recorder, located batteries and got it started.

The whole thing is 34 minutes. The first 6 minutes or so are silent, then 2-3 minutes of only my voice (I’d turned the Olympus the wrong way up… duh), then after that it’s pretty clear. Note that the sound is offset by 10-20 seconds, so some places may look weird.

What he was after, once he had me hooked as a “living alone 74 year old man who only uses his son’s old decrepit computer (seven years old computer) every sunday” (really; he asked me twice if I lived alone), was selling me extended support for Windows and all my machines for only 3200 SEK for five years. That’s $500 by the way. Once I got to the screen where I had to enter my billing info, I quit the charade. After telling him twice that we were in a virtual machine and I had recorded the whole thing, he just hung up.

In the recording, you’ll see my name, street address, and phone number; that’s what he typed in. The email, I gave him (momo..something at hotmail.com, couldn’t think of anything better at the drop of a hat).

As far as I can figure out, iAssist (and LogMeIn) have nothing to do with this, but Southend Enterprises almost certainly do. That’s the “PCSupport” page I’m supposed to enter my payment data into. I found other people on the net reporting on this shady company.

I posted the whole recording on youtube, if someone wants to see them do this thing and hear this guy’s piercing and enervating voice. It’s pretty boring, but maybe someone gets a kick out of it.

One really, truly, funny thing is that somewhere along the way, there’s a Parallels dialog box that pops up and says “Parallels tools are installed”, and he just clicks it away. I can’t locate it from the video, and I don’t want to watch it all again. Somebody told me it’s at 26:50 approximately. Also, there’s the “Parallels Shared Folders” icon in the upper left corner of the desktop, and even that didn’t tip him off.

 

So today I got a followup call from Customer Satisfaction at Southend Enterprises. Really. To hear if my machine worked fine today. Turned into two five-minute talks, where it’s pretty clear the guy (not the same guy as yesterday) either really is a fine actor, or (more likely) has no idea what he’s doing. But “persistence” is clearly his middle name.

The audio is even worse than yesterday’s recording. Maybe I should set up a rig to record these “artists” better, if this goes on. Here it is:

An ode to Juniper

I have a Juniper SSG-5 and the school I’m doing the network setup for also got one identical unit on my recommendation. I wanted to set up a fixed VPN between the two but failed miserably, so I logged a support request with Juniper on my machine, which is still in warranty but without any kind of support contract. Oh, boy, do these guys have great service.

After just a day I got an engineer connecting to my system with desktop sharing software and we together went through a number of different configurations. It wasn’t really trivial, since the first config took us nearly three hours. Then I had another question of how to implement more fine-grained control over the firewall policies in one direction, but not the other, which had us online another two hours using desktop sharing. The final result was perfect and I’ve learned so much more about the details of autokey VPN tunnels.

I’m totally blown away by the level and quality of support I got for this issue from Juniper. Maybe this particular engineer was exceptionally good and persistent, but I have the impression that it is more of a rule with Juniper. When I bought the SSG-5 I thought it was a little expensive, but after this experience, I’ve totally changed my mind. The support level and quality makes it worth the price hands down.

No, I don’t have shares in Juniper, but after this experience I think I may get some.