Untitled

a guest
Oct 17th, 2014
  1. This is an ongoing draft that collects important quotes on end-point security and exploitation.
  2.  
  3. It attempts to address common misconceptions about the post-Snowden era of mass surveillance, and to
  4. provide sources to back the conjecture: "End-to-end encryption isn't sufficient to block mass surveillance."
  5.  
  6. The important claims that support this and need backing up include, but are not limited to:
  7. I. Software exploits have minimal distribution cost after they have been developed.
  8. II. Subpoenas are used to compel back doors into proprietary software/hardware.
  9. As a result, mass-adopted proprietary operating systems cannot be secured.
  10.  
  11.  
  12.  
  13. Is encrypting data useful against the government?
  14.  
  15. Mathius1: Is encrypting my email any good at defeating the NSA surveillance?
  16. Is my data protected by standard encryption?
  17.  
  18. "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.
  19. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." [1]
  20.  
  21.  
  22.  
  23. Does NSA practice stealing of encryption keys?
  24.  
  25. The ACLU’s Soghoian said technology executives are already deeply concerned about the prospect of clandestine
  26. agents on the payroll to gain access to highly sensitive data, including encryption keys, that could make the
  27. NSA’s work “a lot easier.” “As more and more communications become encrypted, the attraction for intelligence
  28. agencies of stealing an encryption key becomes irresistible,” he said. “It’s such a juicy target.” [2]
  29.  
  30. ---
  31.  
  32. Edward Snowden:
  33. "--encryption works. [The only way to get around that is with super computers that do not exist.]
  34. Or you break into the computer and try to steal their keys and bypass the encryption. And that happens today
  35. and that happens every day. That happens every day. That is the way around it.
  36.  
  37. Now, there are still ways to protect encrypted data that no one can break. That is by making sure the keys
  38. are never exposed. If the key itself can’t be observed, the key can’t be stolen. And any cryptographer any
  39. mathematician in the world will tell you that the math is sound. The only way to get through encryption on a
  40. target basis particularly when you start railing encryption, not using one algorithm but every algorithm you
  41. are using key slipping you are using all kinds of sophisticated techniques to make sure that no one person,
  42. no single point of failure exist there is no way in there is no way around it. That is going to continue to
  43. be the case I think until our understanding of mathematics and physics changes fundamentally.
  44.  
  45. Christopher Soghoian:
  46. I will just add that I think Ed’s right. If the government really wants to get into your computer if they
  47. want to figure out what you are saying and who you are saying it to they will find a way. But that won’t
  48. involve breaking the encryption, that will involve hacking into your device. Whether your phone or your
  49. laptop they will take advantage of either vulnerabilities that haven’t been patched or vulnerabilities that
  50. no one knows about.
  51.  
  52. But hacking technologies don’t scale. If you are a target of the NSA it is going to be game over no matter
  53. what. Unless you are taking really, really sophisticated steps to protect yourself - but most people that
  54. will be beyond their reach. But encryption makes bulk surveillance too expensive. Really the goal here isn’t
  55. to blind the NSA. The goal isn’t to stop the government from going after legitimate surveillance targets. The
  56. goal here is to make it so that they cannot spy on innocent people because they can. Right now so many of our
  57. communications our telephone calls, our text messages, our emails, our instant message are just there for the
  58. taking. And if we start using encrypted communication services suddenly it becomes too expensive for the NSA
  59. to spy on everyone. Suddenly they will need to actually have a good reason to dedicate those resources to
  60. either try and break the encryption or to try and hack into your device. So encryption technology even if
  61. imperfect has the potential to raise the cost of surveillance to the point that it no longer becomes
  62. economically feasible for the government to spy on everyone. [9]
  63.  
  64. Author note:
  65. Soghoian does not take into account what The Intercept reported on how
  66. the NSA is automating exploitation and exfiltration of encryption keys:
  67.  
  68. "Top-secret documents reveal that the National Security Agency is dramatically expanding its
  69. ability to covertly hack into computers on a mass scale by using automated systems that
  70. reduce the level of human oversight in the process.
  71.  
  72. In some cases the NSA has masqueraded as a fake Facebook server, using the social media site
  73. as a launching pad to infect a target’s computer and exfiltrate files from a hard drive.
  74.  
  75. But the NSA recognized that managing a massive network of implants is too big a job for
  76. humans alone. The agency’s solution was TURBINE. Developed as part of TAO unit, it is
  77. described in the leaked documents as an “intelligent command and control capability” that
  78. enables “industrial-scale exploitation.”" [4]
  79.  
  80.  
  81. The definition of 'mass surveillance' should not be limited to bulk collection from fiber and internet
  82. companies, but should cover bulk collection in general, i.e. whatever can be automated. If what is currently
  83. understood as targeted surveillance can be done at a scale similar to mass surveillance, it should be
  84. considered part of it. Jacob Appelbaum said:
  85.  
  86. "Targeted attacks, because they are automated, are not
  87. less in scale, it's just different in methodology."[3]
  88.  
  89.  
  90. It's agreeable that the NSA should not be blinded, but unfortunately the cost of automatable remote
  91. exploitation is too low. Once remote exploitation is mitigated by technology that prevents it, targeted
  92. surveillance can still be done through signals intelligence such as TEMPEST / TAWDRYYARD, or with
  93. side-channel attacks, hidden cameras, HUMINT ops etc.
  94.  
  95. The problem is that the skill-set and technology of the NSA, and of LEA in general, are underestimated by
  96. this talk. There was a time when an LEA officer had to tap the phone cable outside the building: that
  97. can still be the case, and it's the perfect balance between security and privacy.
  98.  
  99. But nobody is going to waste a precious 0-day vulnerability on an average citizen's computer!
  100.  
  101. "For example, Conficker exploiting the vulnerability CVE-2008-4250 managed to infect approximately 370
  102. thousand machines without being detected over more than two months. This example illustrates the
  103. effectiveness of zero-day vulnerabilities for conducting stealth cyber attacks." [5]
  104.  
  105. ---
  106.  
  107. "What's certain is that criminal hackers copied Duqu's previously unheard-of method for breaking into
  108. computers and rolled it into "exploit kits," including one called Blackhole and another called Cool, that
  109. were sold to hackers worldwide. Microsoft had by then issued a patch for the vulnerability. Nevertheless,
  110. hackers used it last year to attack 16 out of every 1,000 U.S. computers and an even greater proportion in
  111. some other countries, according to Finland-based security firm F-Secure."[6]
  112.  
  113.  
  114.  
  115. But 0-days are fixed almost immediately after discovery!
  116.  
  117. The zero-day attacks we identify lasted between 19 days (CVE-2010-0480) and 30 months
  118. (CVE-2010-2568), and the average duration of a zero-day attack is 312 days. [5]
  119.  
  120.  
  121.  
  122. But surely anti-virus programs will protect me!
  123.  
  124. Another limitation of our method is that, if the exploit files created for the zero-day vulnerabilities are
  125. polymorphic, the file hashes may be different in the anti-virus telemetry in binary reputation data. Most
  126. of the zero-day exploits that we could not identify were polymorphic-- [5]
  127.  
  128.  
  129.  
  130. But once the window of exposure is closed, that's the end of it. The NSA has to spend more money to get another one!
  131.  
  132.  
  133. 1. The cost of exploits is low for a great power such as the US.
  134. The starting rate for a zero-day is around $50,000, some buyers said.[6]
  135.  
  136. 2. It's already being done at the largest scale of any government.
  137. Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become
  138. the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for
  139. breaking into computers.[6]
  140.  
  141. ---
  142.  
  143. This year alone, the NSA secretly spent more than $25 million to procure "'software vulnerabilities'
  144. from private malware vendors," according to a wide-ranging report on the NSA's offensive work by the
  145. Post's Barton Gellman and Ellen Nakashima.[7]
  146.  
  147.  
  148. 3. The NSA is doing research on software exploits on its own.
  149. The ANT division doesn't just manufacture surveillance hardware. It also develops software for
  150. special tasks. The ANT developers have a clear preference for planting their malicious code in
  151. so-called BIOS, software located on a computer's motherboard that is the first thing to load when a
  152. computer is turned on.[8]
  153.  
  154. Related: leaked slide
  155. http://leaksource.files.wordpress.com/2013/12/nsa-ant-deitybounce.jpg?w=1208&h=1562
  156. Unit Cost: $0
  157.  
  158.  
  159. --------------------------------------------------------
  160.  
  161. Conclusion
  162.  
  163. The NSA is in possession of large quantities of 0-day exploits against all types of systems,
  164. and is progressing towards compromising end-point devices at massive scale, to exfiltrate
  165. plaintexts of interest along with encryption keys and signing keys. These types of attacks
  166. render current implementations of end-to-end encrypted systems such as PGP, OTR, ZRTP etc.
  167. useless against mass surveillance.
  168.  
  169.  
  170. --------------------------------------------------------
  171.  
  172. Sources
  173.  
  174.  
  175. [1] Edward Snowden The Guardian (06/17/13)
  176.  
  177. http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower
  178.  
  179.  
  180.  
  181. [2] Glenn Greenwald The Intercept (10/10/14)
  182.  
  183. https://firstlook.org/theintercept/2014/10/10/core-secrets/
  184.  
  185.  
  186.  
  187. [3] Jacob Appelbaum ITWeb Security Summit (05/28/14)
  188.  
  189. https://www.youtube.com/watch?v=FScSpFZjFf0&t=37m35s
  190.  
  191.  
  192.  
  193. [4] Ryan Gallagher & Glenn Greenwald The Intercept (03/12/14)
  194.  
  195. https://firstlook.org/theintercept/2014/03/12/nsa-plans-infect-millions-computers-malware/
  196.  
  197.  
  198.  
  199. [5] Leyla Bilge, Tudor Dumitras Symantec Research Labs (10/16/12)
  200.  
  201. http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
  202.  
  203.  
  204.  
  205. [6] Joseph Menn Reuters (05/10/13)
  206.  
  207. http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510
  208.  
  209.  
  210.  
  211. [7] Brian Fung The Washington Post (08/31/13)
  212.  
  213. http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/
  214.  
  215.  
  216.  
  217. [8] Jacob Appelbaum et al. Spiegel Online (12/29/13)
  218.  
  219. http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
  220.  
  221.  
  222. [9] Edward Snowden et al. SXSW Conference ~(03/11/14)
  223.  
  224. https://www.youtube.com/watch?v=YxPKoXTKDc8#t=48m53s