Conspiracy Theories

A few years ago, if you had said “The CIA is using my TV to spy on me,” you probably would have been sent to the loony bin for observation. But thanks to Wikileaks, we know it’s true! The Internet loves a good conspiracy theory, so I’ll throw one out there:

Also because of Wikileaks, we now know the intelligence community has the ability to hack systems and leave a Russian or Chinese “signature” on an attack. I’m thinking this probably just involves leaving some Russian or Chinese language root kit laying around, but maybe it’s more sophisticated than that. I haven’t read the documents first hand yet.

It was always in Barack Obama’s personal best interests for Hillary Clinton to not be the next President of the United States. Had Hillary won, Obama would have been forced to take a back seat, and the Clintons would then be firmly at the helm of the party. If Obama was to retain control of the Democratic Party, Hillary had to lose. But Obama couldn’t be seen to be deliberately sabotaging her campaign. So what’s the conspiracy theory? The whole “Russians! Under My Bed!” scare is a cover. Obama used Weeping Angel to sabotage Hillary’s campaign and had the intel community leave evidence to ensure it would get blamed on the Russians. Now his plants in the intel community are using the cover to sabotage Trump, and hopefully draw attention away from the hit on Hillary. Crazy? Absolutely! But so was the idea that the CIA would use people’s TVs to spy on them a decade ago.

I’m just messing around here, but at this point it wouldn’t surprise me. How long before people are putting on tin foil hats because it really does keep the CIA from reading your thoughts?

UPDATE: Along the same lines, this is the beginning of the end for encryption as we currently know it.

13 thoughts on “Conspiracy Theories”

  1. “At rest” encryption, anyway. “In-flight” encryption using one-time pads should still be OK, assuming you can safely exchange the pads. (Big IF there.)

    Until some boffin figures out how to use quantum computing to encrypt (and recover using shared secret) in a way that’s computationally cheaper than the decryption of unknown ciphertext. Thermodynamics says encryption is cheaper than decryption. Encrypt is adding entropy, decrypt is subtracting it, and as far as I know, quantum computing doesn’t modify the laws of Thermo in that way.

    1. As far as OTP’s go, exchanging the pads isn’t that difficult. It’s like giving someone a pack of cigarettes, which would be enough paper pads to last a *LONG* time.

      Why paper?

      Because computers are inherently insecure. They don’t need to break your encryption if they manage to put a keylogger on your machine remotely. Plus, when you destroy a paper pad after use, it’s truly gone. The crumbled ashes of a paper pad page burnt after use have no data remanence issues.

      The random generation of the key material manually is rather simple and secure: You use a handful of 10-sided dice to generate the random numbers, and you use an old manual (not electric!) typewriter to type them on to two-part carbonless forms. Like this:

      That’s an experiment I did using a two-part statement book as a proof-of-concept, because it was a lot cheaper than ordering a whole box of blank carbonless forms.

      Key generation is tedious, but not unpleasant, and you can do it while watching TV (hopefully you don’t have a “smart” TV). It seems inconvenient, but when you realize that if you really need OTP’s to communicate, the inconvenience pales in comparison to the inconvenience spending the rest of your life in prison, or dead.

      Over the years, as a former SIGINT specialist and a current programmer/analyst, I’ve come to the conclusion that no computerized communications are secure, because no computer or computerized device can be absolutely secured.

        1. Yes, they probably are. Especially quality sharp-edged dice like those from GameScience:

          The idea that OTP’s have to be perfectly random is not strictly true: For example, during the 1950’s the managed to capture a number of Soviet one time pads from agents. They analyzed them to see if they were any statistical anomalies they could exploit. They noticed that the number of alternating left-right numbers on a keyboard were much higher than they should be, and the number of triplets, quadruplets, and higher (like 33333) was far below what they would expect if they were being generated by a truly random process. They were able to figure out that they were being typed by typists who were told to type random numbers. Being human, they couldn’t actually generate truly random numbers

          But it didn’t matter: The numbers were non-deterministic. You couldn’t tell what the 500th number in a pad was going to be by examining the 499 numbers that came before it.

          Dice, even noticeably “unfair” dice, would be largely the same. Each roll is unique enough that you can’t accurately predict the results of the 500th roll based upon the previous rolls, and you *NEED* to be able to do that to produce any kind of an actual decryption.

          This is the important thing: OTP’s as a practical pen and paper system don’t have to be 100% provably random in order to offer complete security. Even *INSANE* amounts of traffic sent would be safe forever because you simply can’t predict how the dice rolled at any given time based upon how they rolled previous (which you almost certainly don’t know either).

          But if it bothers you, you can purchase dice from different manufacturers and different batches (as best you can) and mix them all up together. That will spread the non-randomness around quite a bit.

          I’ve experimented with other methods that are actually provably random, like pulling the random static off of my HF radio into the sound card of my computer and using that to generate random numbers, but while that is random and is *MUCH* quicker, it suffers from the same issues as all computer-based OTP systems: Data remanence, and side-channel attacks. Unless you can completely isolate that computer (and the printer!) from the outside world *AND* you destroy them completely after you are done, you can’t guarantee that those pads are forever secure.

  2. “But thanks to Wikileaks, we know it’s true!

    Who’s this “we?” I don’t know anything.

    Coincidentally I’ve had cause to retell this story more than once in the past couple days, and that was before the Wikileaks story broke.

    Many years ago I worked on ultra-high security defense programs. On some of those programs, every year there would be an all-hands dog-and-pony show in which our government customer would give a detailed run-down on the capabilities of the system. Probably not a single one of us had a need-to-know the overall system capabilities, but everyone down to the cleared janitors was briefed on them, in fine detail.

    I eventually concluded that what we were being given was disinformation, that some percentage of us could be counted on to spread around. With dozens of contractors spread across the country, probably hundreds of people with loose lips passed along the beguiling and amazing information. To this day I can’t say for a certainty to what degree it was true; it was technically plausible, but that’s as much as I can say.

    These Wikileak “revelations” have very much the smell of that. But, to what extent do any of us want to risk that the information is not true? When you think of it, just believing it may me true has a chilling effect on our behaviors, as great or even greater than if we knew for a certainty that it was true.

      1. Sorry if I missed any satire or ironic intent. I can be like that sometimes.

        But I would add too, that Wikileaks played too well with the Russians during the election season, at the same time they demonstrated they had an agenda of their own, above and beyond just objectively leaking things that governments might prefer we not know. By doing so they squandered their credibility forever.

        1. I am making a bit of joke there. But I do think hijacking a television is probably a real capability. A lot of IoT devices have firmware that’s really atrociously written. It’s not hard to find exploits.

          1. There is, allegedly, at least one “smart” door lock that would accept OTA firmware updates that were unsigned…

    1. That absolutely could be the case. But I can easily see how a smart TV could be hacked to use for surveillance. It has a speaker and a mic, and a lot of them for voice activation send the voice sample to “cloud” computers for processing. Siri does this too. It would just be a matter of finding an exploit, and then changing the IP the samples get sent to. As long as you pass them on in the end, the user would be none the wiser. It’s well within the capabilities of someone with some reasonable skills and enough time.

  3. Quantum computing will hurt, but it won’t kill cryptography. Symmetric encryption algorithms like AES are already resistant (effectively, only have halved key length) under known quantum algorithms, and there’s a pretty sizable number of asymmetric alternatives that would work even if they’re not implemented yet. The big disadvantage to McEliece encoding, the long key size, for example, is much less concerning as bandwidth availability has skyrocketed.

    The CIA stuff is concerning, but it’s not that impressive. They hacked a Smart TV… by sticking a thumb drive in, and pressing the remote. Which isn’t trivial, and in addition to obvious stuff like an always-on microphone also lets them probe everything else on a typical network. But it’s a pretty targeted attack, and not one that should be surprise folk they’d considered.

    They could get data from a phone running Signal… by pwning the underlying OS, and grabbing the data before encryption occurred. The over-the-air sandbox escapes mean that’s theoretically usable, but the ones listed in the documents are not easy to deploy on a mass scale, or even against hardened individual targets. Many of them had been discovered by outsiders, or even public researchers.

    That’s not to downplay the sorta concern they could implement, but folk are playing this like it’s a lot bigger a change from the already-existing horror story that is the Internet of Things On Fire.

Comments are closed.