EDIT: it has been brought to my attention that there is a significant likelihood that Private B. Manning is a transgender woman. Taken from a chat log published by Wired magazine between Manning and Adrian Lamo:
“I wouldn’t mind going to prison for the rest of my life, or being executed so much, if it wasn’t for the possibility of having pictures of me… plastered all over the world press… as boy…”
As such, I have removed the photo that was previously included in this article, altered my pronouns and removed all mention of Manning’s name at birth where possible (unfortunately, the permalink can’t be changed). If this turns out to be untrue, I hope people realise that I don’t believe that accusing someone of being transgender is in any way a smear. One can be a saint or an arsehole, and one’s gender has nothing to do with it.
Thanks for reading, it’s important. Anyway, here’s what you came for.
Private Manning, as you’re probably aware, is currently on trial, charged with about fifteen bazillion counts of generalised ‘being inconvenient’. What it comes down to is the fact that the US military believes that while a Private in the US Army, she passed information to WikiLeaks which was subsequently made available to the public. This information allegedly includes a video of a US Apache helicopter attacking civilians, and hundreds of thousands of diplomatic cables ranging from non-classified to top secret status.
I want to make one thing clear: this article is not about Manning’s guilt or innocence, or the rights or wrongs of what she is accused of doing. That’s been covered elsewhere by people more informed than I am; you can form your own opinion on the matter. This article is about some didactically valuable flaws in her attempts to maintain privacy and security, regardless of whether those attempts were in favour of the US military in her role as an analyst, or to cover her tracks as a whistleblower.
Manning made a few crucial errors that allowed the court access to a fairly large base of evidence that would otherwise have been inaccessible, as it would have been encrypted or obliterated. Unlike the UK, the United States has no mandatory key disclosure law, since the Fifth Amendment gives citizens the right to refrain from acting in a manner that might stand to incriminate themselves. As such, if you encrypt something and you choose not to reveal the key, US law provides no mechanism to coerce you into handing it over.
Other than waterboarding and the bore-worms, anyway.
This is about more than just how one person screwed up, though. Look at the Arab Spring – the Internet, and technology in general, was key to those uprisings. The credit goes to the people, of course, rather than Twitter – but without today’s communication technologies, it would have been much more difficult for them to achieve the numbers and degree of organisation required to make a difference.
I’ve taken a lot of this information from the excellent write-ups of the court sessions posted by bradleymanning.org. You can read them yourself if you’re interested in how the case is going – Day 1, Day 2, Day 3, and Day 4.
Alright, I’ll stop wittering and get down to it. After the jump are a few things Manning got wrong, and how to avoid them if you ever need to do something on the quiet.
1. Control your media
The investigation into Manning uncovered a few optical discs, an external hard drive and, crucially, a flash storage card. The investigators found cables on a CD marked ‘secret’, and on the flash storage card an archive of combat events, a self-portrait photograph of Manning taken in a mirror, and a README file that bradleymanning.org describes as:
a text file that described the other files as being from two wars of historical significance. The note specifically stated that steps had been taken to sanitize certain sensitive data, and that there should be a 90-100 day wait before releasing data to best assess how to distribute the information and protect the source. It ended with:
“This is possibly one of the more significant document of our time, removing the fog of war, revealing the true nature of 21st century asymmetric warfare. Have a good day.”
Doesn’t look good. The problem here is that Manning had more media than she could reliably take care of. The data shouldn’t have been left around like that when the consequences of losing control of it stood to be so enormous.
Chances are you have a whole bunch of old CDs and DVDs that you burned months or even years ago hanging around. Maybe even a few external hard disks that you haven’t used for a while. Do you know, are you completely sure, that there’s nothing on them that you wouldn’t want someone to get at?
Yeah, thought not. Shred those optical discs as soon as you can. Consolidate your usage of those external hard disks and properly erase everything on the unused one. At the very least, encrypt them – ideally deniably, especially if you live in a country with a legal power to demand keys. Actually, for that matter…
2. Retain deniability
Let’s go back to that memory card with classified data on it. Putting a self-taken photo of yourself on the same card was a pretty horrendous idea, and while it’s still circumstantial, that evidence is going to be a pain in the arse to refute.
If you’re dealing with something that you don’t want to be connected with by a certain group, don’t put your name to it. Don’t get smart and leave a ‘clever’ signature. Don’t use a pseudonym. Don’t use any identifier that recurs. Set ego aside and stay anonymous, because people like myself know how to look for anything you use to identify or authenticate yourself.
While we’re talking about deniability, this is particularly important in countries like the UK where the powers that be can demand your encryption key, with a significant custodial sentence should you refuse to hand it over. A good way to get around that is TrueCrypt’s deniable containers. These are out of scope for this article, but you can get more detail at the TrueCrypt site. With care, if you use TrueCrypt the right way, there is no way to prove whether you’ve handed over the key for the outer, unimportant layer or the inner, deniable, truly private layer of your encrypted container.
One other interesting fact that came up during the investigation was that Manning 35-pass erased her hard disk (see 5. ‘Deleted’ doesn’t mean ‘gone’) but OS X kept a log of that erase taking place. Circumstantial, but not helpful to her case. Don’t get caught out by the logs of your privacy-enhancing tools themselves!
3. Pluralise your passphrases
You’d think this was an obvious one, but it’s not. I don’t care how strong the encryption you use is, if the passphrase is guessable then you’re wasting your time using it.
In recovering Manning’s laptop, Johnson was also able to gain access to Manning’s private key for decrypting his [sic] PGP emails. However, Johnson did not have the password. In an effort to come up with the password, Johnson tried using the password that they had forensically scraped that allowed a user to log onto [her laptop]. The password for logging onto the computer turned out to be the same as the one for decrypting emails.
Use a passphrase, not a password. Make it a good one. Use a different passphrase everywhere. When not possible, at least use a different passphrase for each resource that could truly compromise you. Don’t save those passphrases anywhere, even what you would otherwise consider protected storage, unless the place you save them is encrypted deniably.
4. Don’t underestimate your ISP
The investigation into Manning’s online activities included tracking connections on a stupidly granular level. You’d expect that from the military, but you might be surprised to hear that the UK government has legal powers to compel an ISP to keep equally granular logs without your knowledge or permission.
Even if you encrypt your communications, you’d be surprised how detailed a picture of your activities can be built up by simple traffic analysis – building patterns of which machines your machine communicates with, and when you’re talking to them.
There are ways around it, of course. Tor is extremely effective if sometimes slow, and a consumer VPN is a good step too (and a much faster and more reliable option than Tor). Hell, use both. Just don’t forget that using these methods of traffic anonymisation doesn’t remove the need for end-to-end encryption at the same time.
A reminder – I wrote a guide to consumer VPN tunnels, and you also need to watch out for IPv6 talking outside the VPN tunnel.
5. ‘Deleted’ doesn’t mean ‘gone’
Phew. You managed to delete that file with the secret plans to overthrow the Taliban seconds before the secret police broke your door down.
Guess what? You’re still hosed.
When you delete a file, nothing actually gets wiped. There’s a ‘map’ of your hard disk, and when you issue that deletion command all that happens is the space that the file previously lived in is marked as available for use. The data’s still there, and it can be recovered, in full, usually in about an hour. Even if some of it has been overwritten by newly saved data, sometimes traces of the original file are enough to reconstruct parts of it. Your swap file is also a haven for fragments of stuff you’re working on – even stuff you haven’t intentionally saved to disk – as is the Prefetch directory in Windows.
There are tools out there to wipe the free space on your hard disk. You should use them on a regular basis to be safe. That said, if you need to completely kill a file, it’s easier to use a secure erase tool to overwrite the file contents rather than an entire free space wipe after deletion.
35-pass erase with variant data is generally held to be the best out there, but will take a long time to wipe large files and an age to wipe free space. 7-pass erase with variant data is usually what I opt for, because it provides a reasonable amount of security and takes a reasonable amount of time. One pass of zeros, strictly speaking, should be enough at a push – unless your adversaries have access to an electron microscope.
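To make the mechanism concrete, here is a constructed toy disk model, added for this edit and not taken from the article or from any erase tool it names: an ordinary delete only edits the directory and the free-block map, a later write may overwrite some blocks and leave fragments behind, and an overwrite-before-unlink actually removes the bytes. The file names, the sample “secret” and the three-pass pattern are this example’s assumptions.

```python
import os

BLOCK = 16  # bytes per block in this constructed toy layout (not a real filesystem)

class ToyDisk:
    """Raw media plus what an ordinary delete touches: directory and free-block map."""

    def __init__(self, blocks=16):
        self.media = bytearray(BLOCK * blocks)
        self.free = [True] * blocks
        self.directory = {}                                  # name -> list of blocks

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)                      # ceiling division
        chosen = [i for i, free in enumerate(self.free) if free][:needed]
        for i, blk in enumerate(chosen):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\x00")
            self.media[blk * BLOCK:(blk + 1) * BLOCK] = chunk
            self.free[blk] = False
        self.directory[name] = chosen

    def delete(self, name):
        """What 'rm' does: forget the name, mark blocks reusable, touch no data."""
        for blk in self.directory.pop(name):
            self.free[blk] = True

    def secure_delete(self, name, passes=(b"\x00", b"\xff", None)):
        """Overwrite each block with every pattern (None = random), then unlink."""
        for pattern in passes:                               # three passes: this example's choice
            for blk in self.directory[name]:
                fill = os.urandom(BLOCK) if pattern is None else pattern * BLOCK
                self.media[blk * BLOCK:(blk + 1) * BLOCK] = fill
        self.delete(name)

    def carve(self, needle):
        """An examiner ignores the directory and searches raw media; -1 if absent."""
        return bytes(self.media).find(needle)

def demo():
    secret = b"CONSTRUCTED SECRET RECORD 0001"               # sample data, spans 2 blocks
    disk = ToyDisk()
    disk.write_file("cables.txt", secret)
    disk.delete("cables.txt")
    after_rm = disk.carve(secret)                            # 0: whole file still on media
    disk.write_file("note.txt", b"unrelated note")           # reuses only block 0
    fragment = disk.carve(b"RECORD 0001")                    # 19: tail block survives
    disk.write_file("again.txt", secret)
    disk.secure_delete("again.txt")
    return {"after_rm": after_rm, "fragment_after_reuse": fragment,
            "after_secure_delete": max(disk.carve(secret), disk.carve(b"RECORD 0001"))}
```

On real storage, journals, copy-on-write snapshots and SSD wear levelling can keep copies that an in-place overwrite never reaches, so whole-volume encryption is a more dependable control than any particular pass count.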
6. Don’t trust terminology
Just because it says that it’s secure and private does not mean that it is. This is especially true for closed-source software, for example Microsoft’s integrated NTFS file encryption. There is a persistent rumour that there’s a law enforcement backdoor key that can decrypt anything encrypted by it, and there’s no way to disprove it.
Opt for open-source tools with a large user community and you’ll generally be safe. It’s not always true, though, so be careful.
An example is Adium, which – you guessed it – caught Manning out. It’s an open-source instant messaging client that supports the widely-used ‘OTR’ (Off The Record) standard for secure conversation. OTR is extremely effective. Trouble is, Adium saves chat logs by default – including OTR chats. If your computer is seized and the hard disk is accessible, all your conversations are ripe for the plucking.
If you use Adium, pop into the logging preferences and either disable it entirely or set the relevant checkbox to avoid logging OTR-enabled chats.
7. ‘Security through obscurity’ is an oxymoron
Manning obfuscated an archive of cables by Base64 encoding it. Now, this would have defeated the casual observer sifting through remnants of deleted files searching for keywords, but more technical tools can detect Base64 encoding and once found, it’s trivial to convert it back into its original form.
Encrypt, don’t hide. Computer forensic examiners are very, very good at what they do – assume your data will be found, and rely on strong encryption rather than a cosy hiding place.
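The “more technical tools” the section refers to work roughly like this. The following is an added example, not the article’s or any named tool’s code: it scans a constructed buffer of disk remnants for long Base64-alphabet runs, decodes each one, and keeps only those that decode to readable text, which is what makes a Base64-wrapped document stand out to an examiner while a plain keyword search misses it. The 32-character floor, the 95% printable threshold and the sample remnants are this example’s assumptions.

```python
import base64
import re
import string

# A run of at least 32 Base64-alphabet characters, optionally padded. The 32-char
# floor is this example's heuristic for skipping ordinary words, not the article's.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
PRINTABLE = frozenset(string.printable.encode())


def looks_like_text(blob, threshold=0.95):
    """Crude content test: nearly every decoded byte is printable ASCII."""
    return bool(blob) and sum(b in PRINTABLE for b in blob) / len(blob) >= threshold


def carve_base64(buffer):
    """Scan raw bytes (e.g. unallocated space) for Base64 runs that decode to text.

    Returns [(offset, decoded_bytes)]. Runs that decode to binary junk, such as a
    hex digest that happens to fit the alphabet, are discarded.
    """
    hits = []
    for match in B64_RUN.finditer(buffer):
        try:
            decoded = base64.b64decode(match.group(), validate=True)
        except ValueError:                       # binascii.Error subclasses ValueError
            continue
        if looks_like_text(decoded):
            hits.append((match.start(), decoded))
    return hits


# Constructed "disk remnants": prose, a hex digest, one encoded record, slack bytes.
PLAINTEXT = b"CONFIDENTIAL: constructed sample cable text, not a real document."
SAMPLE_REMNANTS = (
    b"ordinary prose that a keyword search would read directly\n"
    b"0123456789abcdef0123456789abcdef\n"       # fits the alphabet, decodes to junk
    + base64.b64encode(PLAINTEXT) + b"\n"
    b"\x00\x00trailing slack bytes\x00\x00"
)

if __name__ == "__main__":
    for offset, text in carve_base64(SAMPLE_REMNANTS):
        print(f"offset {offset}: {text.decode()}")
```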
It’s not easy
Proper security and privacy is far from trivial. In fact, it’s downright hard, and the playing field is changing all the time. If you’ve got something that you need to keep very secret, do your research on the best ways to do that before you start working on it. And then research how to clean up after your research.
Best of luck. You’ll probably need it.