Quote of the day—Bruce Schneier

I have recently come to the conclusion that e-mail is fundamentally unsecurable. The things we want out of e-mail, and an e-mail system, are not readily compatible with encryption.

Bruce Schneier
November 12, 2015
Testing the Usability of PGP Encryption Tools
[Interesting observation. I tried to do encrypted email with some other people for a while and it didn’t last long. Things like searching for an old email was impossible. And the subject of the email was never encrypted so you would either leak a lot of information with the subject or you could decrypt just the one email you wanted to look at again.—Joe]

Share

27 thoughts on “Quote of the day—Bruce Schneier

  1. I used PGP which was poorly supported on my Mac, and Symantec purchased PGP and it went to zero. I knew the QA guy who worked in the Bay Area who was the product manager for Symantec and he could not help me. The Whole Disk Encryption (WDE) was the only part of the suite that was rock-solid.

    When Apple came out with FileVault, there was no reason to continue to deal with PGP email encryption, so I instead went with GPG Tools (https://gpgtools.org) for email, used with the Apple Mail client that comes pre-loaded with OS X.

    The only issue I had was with an update to OS X that caused GPG Tools to stop working (it took about 3 weeks for the updated GPG Tools to be updated to overcome the issue with the OS X update).

    Indexing in the Apple Mail client is fairly good. Subject line, and To/From continue to be indexed fully, but the encrypted MIME attachments (where the clear text resides) is not indexed for encrypted emails. I do not view this as a bug, but rather a security feature, but it does make it more challenging to exhume an email long ago using the search tool built into Apple Mail.

    The GPG tools work with little fuss.

    I can not speak to GPG Tools for Windows.

  2. 70 years since the Brits took Colossus apart, and he’s just now concluding that sending messages across an interceptable medium is inherently insecure? That’s not the Bruce Schneier I have come to appreciate.

    If you don’t want people to read your telegrams, don’t send telegrams; if you have things to say to someone that must not be overheard, don’t say them on the telephone — or near a telephone. And so on.

    Two people can keep a secret — if one of them is dead.

  3. Travis, if someone with sufficient hardware wants to read your mail, they will. Don’t get into a war of electronic encryption with an entity that buys computing power by the acre.

    We live in a day and age when the use of encrypted e-mail is suspicious in and of itself.

    Mao. Fish. Water. Message ends.

    • You are correct, and also raise a couple of good points.

      1) Why should one encrypt email and call attention to themselves? The presumption (on the part of the government) is that you must have “something to hide,” and
      2) Besides, the government has the resources to decrypt public key encryption, so why bother?

      Since Joe is an I.T. guy, his post was calling attention to the difficulty of use of the email encryption products from a user’s perspective (those who may not be an I.T /guru/).

      The GPG Tools I use are comparatively user friendly, and my intent was to call attention to my experience with them – that’s all.

      I became aware of public key cryptography when I read the “The Mathematics of Public Key Cryptography” in the August 1979 edition of /Scientific American/, and have tracked the evolution of their use as the internet has evolved, and public key encryption has become the basis for /so-called/ secure commerce on the internet.

      The difficulty in using PGP is two fold:
      1) The ease of use of the software, and public key management, and
      2) Both parties need to use it in order to correspond.

      To the two points you raise, I think that the decision to encrypt your email is a personal and private decision.

      I don’t surf the dark internet, I don’t engage in illegal activity, I pay all of my taxes, I don’t traffic in drugs or weapons; I’m not a terrorist (except according to Hillary – I’m an NRA member, so there is that) so why would I want to encrypt my email?

      I recall the leader of the US Senate stating on the floor of the Senate stating that Billionaire Mitt Romney had not paid his taxes in 10 years. The only way he could have authoritatively known is if he had a source illegally leaking information from the IRS, or elsewhere.

      It also comes to light that the IRS has been leaking private tax information on conservative taxpayers to /Progressive Left/ organizations.

      It also is apparent the current administration has no problem with taking license with the law to allow illegal immigrants to avoid deportation. Also, the lady down in Texas who tried to get a tax exemption for the voter integrity organization “True the Vote” was deliberately stonewalled for years, and during the process was visited by several government agencies, including the BATFE.

      It occurs to me that perhaps the Organs of State security could be abused by politicians to collect information on people who are identified as “suspicious.” Information, that if leaked, could be selectively used to “paint” a narrative against any citizen for any political purpose.

      So, how might that apply in the case of email encryption?

      Hypothetically,

      If you are Joe, and you are planning boomershot, it is best to keep all email related to the planning, organization, and execution of this event clear, open, and using the strictest of professionalism, taking care to write in such a manner that nothing could be misconstrued or used selectively out of context. This also assuages authorities who might be reading correspondence, and are kept in the know about everything related to this legal and fun activity.

      Hypothetically,

      For less formal email communication, have you ever written anything by email that, if leaked, might be embarrassing? Ever write something that was not extremely professional, use pejoratives, expletives, or treaded on political subject matter of the day? Ever drunk blogged.

      I have.

      Could quickly written email you sent (or received) be selectively used to paint you in a negative light, given to your employer to call attention to you, or leaked to the always ethically operated newspapers (I know, I know – an oxymoron) in relation to an unrelated story?

      The FBI and Secret Service are currently investigating reports that the personal AOL account of CIA Director John Brennan may have been hacked by a teenager (AOL, /really/?). I don’t get to have the FBI and Secret Service investigate breaches of my email.

      One option is to follow Snowden’s recent advice and start writing letters, sending them through the post, and avail ourselves of the traditional protections that require warrants of US law enforcement agencies, and stop using email altogether.

      I hate to have to think that these untoward things could come to pass. But the more I see and hear, the more I do not trust email.

      Other things to consider:

      The NSA generally keeps email intercepts for five years (1).

      The US DoJ and FBI hold that no warrant is required for email or Facebook chats (2), but curiously in 2013 Attorney General Eric Holder stated a warrant is required for collection of “cloud-stored” email (3).

      The Snowden leaks also disclosed the NSA can use technical means to ‘brute force’ public key encryption, and are storing encrypted email indefinitely (4)(5).

      (1) http://www.theguardian.com/world/2013/jun/20/fisa-court-nsa-without-warrant
      (2) http://www.cnet.com/news/doj-we-dont-need-warrants-for-e-mail-facebook-chats/
      (3) https://www.techdirt.com/articles/20140930/16110328684/absolutely-disgusting-eric-holder-cynically-attacks-phone-encryption-using-bogus-protect-children-argument.shtml
      (4) http://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/
      (5) http://arstechnica.com/tech-policy/2013/06/use-of-tor-and-e-mail-crypto-could-increase-chances-that-nsa-keeps-your-data/

      • There’s an opposing view. If you encrypt a lot of your stuff, or best case, all of it, then the presumption “you have something to hide” won’t hold water. Especially if lots of people do so.

        This is why John Gilmore funded the FreeS/WAN project to implement IPSec on Linux: the goal was to allow it to do “opportunistic encryption”, i.e., turn on encryption whenever two nodes that both run this software happen to communicate. In the end, that did not work out, I think, but the goal made sense.

        • No. Look, if there is information you don’t want people to know, if it is embarrassing or dangerous if exposed, DON’T PUT IT IN VENUES WHERE YOU CANNOT CONTROL IT.

          Encryption is worse than useless — it lets people think they are secure when they are not.

          Stop building the Maginot line.

          The rest of the argument is ultimately nonproductive. (And that’s harshly edited to remove even more dismissiveness.)

          • Roberta, it would really be good if you would stop making claims about a discipline of science that you clearly do not know.
            Alternatively, you may supply evidence that the outlandish claims you’re making are valid. You have not done so, and from everything I know — and I’ve been working on and off in this field since the early 1980s — your statements are not based on reality.
            For example “encryption is worse than useless” is clearly not true.

  4. Saying that e-mail is unfriendly to encryption is like saying that kangaroos make poor cavalry mounts. The whole Internet was designed for free and open exchange of information between trusting and trustworthy people.

  5. Bruce is talking nonsense.

    I’ve been using the GPG plugin for Mac Mail for years now. It gets used at least once a week, and often several times daily — I use it for secure communication with a subcontractor. It hasn’t let me down once, the key management is straightforward (and the original concept is brilliant), and the UI is quite reasonable.

    One might argue about the choices made. Email has a plaintext envelope. Some of that has to be (the addressee); some doesn’t (the subject). You’re of course free to leave the subject blank, and supply the real subject inside the encrypted content.

    As for searching: that seems to be a deliberate choice. If you receive encrypted email, there are two possible approaches: decrypt it and save the decrypted copy locally, or save the encrypted copy. The former enables searching but means the email is now vulnerable (to breakage of your system). The latter prevents searching but keeps the email secure. The GPG plugin does the latter. I have (through some manual magic) taken a bunch of my saved encrypted email and decrypted it to another folder, thereby taking the first choice. That wasn’t a built-in feature; I suppose it should be.

    As for “the internet was designed for wide open communication” — not true at all, especially not early on. In fact the Internet is neutral on this. It makes no assumptions and places no restrictions on content. Whether the content is secure or not is entirely an endpoint choice. It does leave it up to the endpoints; the network itself provides no confidentiality. And that is the right answer: I don’t trust telecom providers to do this; they aren’t qualified (this has been very clearly proven), nor can they be trusted.

    There are some infrastructure issues. The routing tables are not currently secured, and that allows some attacks; the WSJ had an article about this recently. The naming system (DNS) is slowly getting secured, but that took quite a while. Neither is directly related to the end to end security; if you use that, those other issues at worst will be “denial of service”.

    Roberta, there are a number of people who claim that modern high end encryption is crackable by the bad guys with lots of money. There never has been any credible support underlying that claim, and the design goals of the current standard (AES) specifically include protection against opponents of that class. Note that AES was designed in Belgium, and vetted by the top people all around the world. Now if you want to posit a working large scale quantum computer, there *might* be an issue, but there is no reason to believe such machines exist or will anytime soon. And research is underway to “quantum resistant ciphers”.

    • “Top people?” Nonsense. NSA is reading it right now.

      I find it hard to believe you guys are even adults. There. Is. No. Secure. Encryption. Period.

      • A statement like that, based on no evidence whatsoever, isn’t going to get you very far. Especially when you thrown in gratuitous insults.
        It’s clear you aren’t familiar with cryptography, or you would know that “there is no secure encryption” is provably false. There is in fact an unconditionally secure encryption: one time pad.
        That’s not directly relevant to this discussion, however. But to dismiss my description of the likes of Adi Shamir, Alex Biryukov, and the many others who have worked on the current generation of ciphers as “top people” with the glib “nonsense” is absurd, especially since that too is unaccompanied either by evidence or by any reason to believe you understand the subject.

        • The metasubject is, you cannot keep information secure and it doesn’t matter how 1337 your math skills are when they’re waterboarding the secret location of your one-time pads from you.

          Now, you can probably protect your financial stuff and kissy-face with your illicit lover just about well enough, most of the time, but if it’s for-real burn-before-reading and the Other Side wants to read it, if your last name isn’t .mil or .gov, they will. This is a reality of your world.

          If things ever go harsh, the feckless will die in droves.

          • Just because they can get the information if they really want it doesn’t mean you shouldn’t try to keep it encrypted. Those who would use rubber hose cryptography on you are a much smaller set than those who would and could obtain the plaintext without your immediate knowledge.

          • Um, that’s a bit like arguing you should not own guns just because your neighbor is a gun ban nut.

          • Roberta, you just changed the topic from cryptanalysis to torture. Sure, crypto won’t protect you from torture. For that, you need firearms.
            Torture would allow someone to recover the plaintext of a message — if I still remember it. It might also get them the one time pad keys that I have NOT used yet. It won’t give them the keys for messages I have already encrypted, because one time pad procedure includes burning the key after using it to encrypt. That’s why Russian spies received their pads on flash paper.
            BTW, for anyone even slightly interested in this stuff, if you don’t have Schneier’s “Applied Cryptography”, you should get it and read it. Fairly technical but still intelligible without a degree in math.

  6. Joe, I agree with Bruce about 50% on this one. The current email protocols are insufficient to produce a secure system. We can’t have both security and interoperability with existing protocols. We need new protocols designed with security in mind, and we will need to accept some limitations on what we can do compared to what we can do today. But I do not think it is impossible to do it.

  7. To elaborate a little…

    To defeat the argument that use of encryption is suspicious, encryption must become an automated part of the email protocol itself. It must be effectively impossible to send an unencrypted email.

    To defeat the secret NSA pressure on email providers attack, the encryption must take place on the user’s computer, the tools for using email must be open source, and “email servers” must cease to store email for long periods of time. They cannot become high-value targets where compromising, say, google gives you half the world’s email traffic.

    To defeat the $5 wrench decryption attack is probably impossible without support from the legal system, but they have to know who to hit with the wrench first. When everyone uses encryption by default, it will be much harder to make someone look bad because they encrypted their email. (“I did what? I just used the email program like everyone else.”)

    Do all that, and you still have holes, but they are much harder to exploit. The biggest hole will be adoption, though. Since you can’t trust the people running the servers, you have to come up with something that works by default that a user can install easily.

    • But you can’t automatically encrypt stuff unless you have keys. Encryption is very easy; key management is the only hard part. PGP does a good job of secure key management. S/MIME uses a much more complex scheme that relies on trusting central authorities, but if you’re willing to do so then it too is workable.
      As I mentioned, I use GPG with a particular subcontractor all the time. I just had to load a few keys when we first started the project; after that, the whole thing is automatic. The GPG plugin for Mail then automatically defaults to encrypted.

      • Paul: I agree, that’s part of what I am getting at when I say it needs to be baked into the protocols. Part of the protocol needs to be a way of discovering the public encryption key of someone you intend to communicate with automatically and securely. (I don’t think perfect secret is possible here unless you talk to the person in person — but you can automatically discover a key and use it, and notice if it suddenly changes, and probably notice whether the key you are given matches the one the recipient thinks is his, and so on).

        • There IS no way to do keying completely automatically. It is straightforward to build a hierarchy of trusted keys starting from one, but the first key MUST be set manually, out of band. You can hide this, as browsers do — they have a whole pile of “first keys”, in the trusted certification authority list. Whenever you use https in your browser, you are implicitly assuming that the persons who created that list are honest, that all the CAs listed in that list are honest and competent, and that the list has not been tampered with.
          PGP does not do this; it doesn’t place its trust in any central authority and does not come “out of the box” with any predefined trusted key list. Instead, you create your own, on whatever basis you like. This forces you to face the bootstrapping of the key hierarchy explicitly. It also ensures that the whole hierarchy is based on YOUR judgment, not that of faceless others of unknown skill and integrity.
          You can fetch keys from a PGP key server. If you want to trust those servers, you can just accept the keys without checking. If you don’t, you either don’t use those keys, or only trust those which are vouched for by pre-existing keys in your own “web of trust”.
          Don’t be confused by “key exchange” protocols, like Diffie-Hellman or Quantum Key Distribution. These establish a secret value known only to the two endpoints — but they do not authenticate the endpoints. With these mechanisms by themselves, you can have a confidential conversation, but with an unknown party. (And that party may be a “man in the middle”.) Authentication requires pre-existing signing keys, bootstrapped from a starting point distributed by a trusted manual process.

          • Paul, I don’t necessarily disagree with any of what you said. I just think that it’s possible to do it a lot better than it is done now by default, which will improve security for a lot of people in their every day communications if successful. If we can solve the problem for the use case of 95% of people, so that their communications are all encrypted and (loosely, yes) authenticated by default, then we’re back to the case where the government needs to spend time and effort breaking into a specific person’s communications rather than operating a giant internet vacuum.

            I tend to follow Roberta’s argument for anything you really want to keep secret, but there are a lot of disadvantages to that approach, and most people don’t have anything they want to keep secret that much.

          • A real time communication can be encrypted without authentication — just do the diffie-hellman handshake and take it from there. SSL can easily do this, and IPSec is working on it as well. That will prevent “passive attack” — listening — but not active attack — “man in the middle”.
            Email is different. You’re not actually communicating with the endpoint at the time you construct the message. So you can’t agree on a key. The only thing you could do is to look in a PGP key server to see if there seems to be a key. But that requires the other party creating the key and downloading it to the server.
            That doesn’t seem all that hard, actually. It just isn’t what PGP does today.

          • Paul, none of it is technically hard, but the pieces have never been put together in a way that allows it to happen seamlessly, and the PGP key server in your scenario represents the centralized point of attack. Each domain needs to be responsible for signing user-generated keys to authenticate an address as a legitimate user of the domain. (How each domain authenticates its users is up to that domain, but senders can cache addresses to notice changes and the public keys are public, meaning the owner of the address can verify that the public key he generated is being served to those requesting it). Making the public keys of valid users visible without allowing an attacker to retrieve a list of valid users is tricky. Making this user friendly and addressing (if not claiming to solve, at least to improve) the spam issue at the same time complicates matters, too.

          • Actually, key servers are not a point of attack, that’s the whole point of public key crypto. More precisely, the only attack you can perform at a key server is a denial of service attack.
            That applies if you have signed keys and the key users check the signatures. It doesn’t apply if you use unsigned keys or fail to check; if so, then you get the email equivalent of the man in the middle vulnerability.

  8. All the talk about computerized encryption is senseless. Even if you use encryption they can’t break, if your computer is hooked up to the Internet, they can pull the plaintext off of your computer. This is the biggest lesson we learned from the Snowden revelations: The only secure computerized device is the one that is isolated from every other computer.

    Even then, it’s entirely likely that they could access the thing physically and pull the data from it (especially if they suspect you of something).

    Better to do all the encrypting/decrypting on paper, where it can be much more easily and permanently destroyed.

    • Unfortunately no paper-based encryption has adequate security. I suppose you could do AES on paper; that would work but it would also take an excessively long time.
      As for “they can just pull it off your computer” — yes, if your computer is insecure. Most are because of the OS they run, but a minority runs a decent OS that has good properties. Also, you can use a firewall. If the traffic can’t get to your computer it can’t be attacked.

Comments are closed.