18 July 2011
Lamo-Manning Chat Logs OTR Deniability
Date: Wed, 13 Jul 2011 19:37:37 -0700 (PDT)
From: Ai Weiwei <freeaiweiwei[at]yahoo.ca>
To: "cryptography[at]randombit.net"
<cryptography[at]randombit.net>
Cc: "info[at]armycourtmartialdefense.com"
<info[at]armycourtmartialdefense.com>
Subject: [cryptography] OTR and deniability
Recently, Wired published material on their website which are claimed to
be logs of instant message conversations between Bradley Manning and Adrian
Lamo in that infamous case. [1] I have only casually skimmed them, but did
notice the following two lines:
(12:24:15 PM) bradass87 has not been authenticated yet. You should authenticate this buddy.
(12:24:15 PM) Unverified conversation with bradass87 started.
I'm sure most of you will be familiar; this is evidence that a technology
known as Off-the-Record Messaging (OTR) [2] was used in the course of these
alleged conversations.
I apologize if this is off topic or seems trivial, but I think a public
discussion of the merits (or lack thereof) of these alleged "logs" from a
technical perspective would be interesting. The exact implications of the
technology may not be very well known beyond this list. I have carbon copied
this message to the defense in the case accordingly.
If I understand correctly, OTR provides deniability, which means that these
alleged "logs" cannot be proven authentic. In fact, the OTR software is
distributed with program code which makes falsifying such "logs" trivial.
Is this correct?
On a related note, a strange message to Hacker News at about that time [3]
seems to now have found a context. Not to mention talk of "compromised" PGP
keys: the prosecution witness created a new key pair June 2, 2010 (after
6 months with no keys for that email address -- why precisely then?), and
replaced these a day less than one month later -- citing "previous key physically
compromised." [4] Note the arrest in the case occurred in between these two
events, with encrypted emails purportedly having been received in the meantime:
[5]
"Lamo told me that Manning first emailed him on May 20
..."
What do you think? First the prosecution witness turns out less than credible,
[6] now the key piece of evidence is mathematically provably useless...
[1] http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
[2] http://www.cypherpunks.ca/otr/
[3] http://news.ycombinator.com/item?id=1410158
[4] http://pgp.mit.edu:11371/pks/lookup?search=adrian+lamo&op=vindex&fingerprint=on
[5] http://www.salon.com/news/opinion/glenn_greenwald/2010/06/18/wikileaks
[6] http://www.google.com/search?q=lamo+drugs
_______________________________________________
cryptography mailing list
cryptography[at]randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
To: Ai Weiwei <freeaiweiwei[at]yahoo.ca>,
Crypto discussion list <cryptography[at]randombit.net>
Cc: "info[at]armycourtmartialdefense.com"
<info[at]armycourtmartialdefense.com>
Subject: Re: [cryptography] OTR and deniability
On 14/07/11 12:37 PM, Ai Weiwei wrote:
> Hello list,
>
> Recently, Wired published material on their website which are claimed
> to be logs of instant message conversations between Bradley Manning and Adrian
> Lamo in that infamous case. [1] I have only casually skimmed them, but did
> notice the following two lines:
>
> (12:24:15 PM) bradass87 has not been authenticated yet. You should authenticate this buddy.
> (12:24:15 PM) Unverified conversation with bradass87 started.
>
> I'm sure most of you will be familiar; this is evidence that a technology
> known as Off-the-Record Messaging (OTR) [2] was used in the course of these
> alleged conversations.
>
> I apologize if this is off topic or seems trivial, but I think a public
> discussion of the merits (or lack thereof) of these alleged "logs" from a
> technical perspective would be interesting.
I believe it is germane to anyone designing crypto protocols to understand
how they actually impact in user-land. This particular one is a running
sore for me because of its outrageous claim of deniability.
> The exact implications of the technology may not be very well known
> beyond this list. I have carbon copied this message to the defense in the
> case accordingly.
>
> If I understand correctly, OTR provides deniability, which means that
> these alleged "logs" cannot be proven authentic.
The *claim made by OTR is to provide technological deniability* as opposed
to any non-technological status. Its non-technical deniability is zilch.
Unfortunately, outside the technology, it is trivial to prove the logs as
authentic. This is confusing for the technologists as they are trying
to create a perfect security product, and they believe that technology
rules. What they've failed to realise is that real life provides some
trivial bypasses, and in this situation, they may very well be creating more
harm -- by sucking people into a false sense of security.
Design of security systems is tough, it is essential to include the human
elements in the protocol, elsewise we end up with elegant but useless
features. Sometimes we enter into danger, as is seen with OTR or BitCoin,
where a technological elegance causes people to lose their common sense and
grasp of reality.
> In fact, the OTR software is distributed with program code which makes
> falsifying such "logs" trivial. Is this correct?
Dunno. Could be. Evidence of a false sense of security, to me.
> What do you think? ....
On the specific legal case: well, nothing we see in open press will
really be reliable. You're looking at the USG going for broke against
a couple of lonely mixed up people who USG mistakenly let near a TS site.
It will be a total mess. Mincemeat, fubar, throw away the key.
The case will see all sorts of mud thrown up, with both sides trying their
darndest to muddy the waters.
From the external pov, there will be no clarity. Nothing really to
say or think, except, ... don't make that mistake? Relying on crypto
blahblah promises like OTR or PGP when you're about to release a wikileaks
treasure trove doesn't sound like rational thinking to me.
iang
Date: Thu, 14 Jul 2011 13:32:01 -0400
From: Ian Goldberg <iang[at]cs.uwaterloo.ca>
To: cryptography[at]randombit.net
Subject: Re: [cryptography] OTR and deniability
[I'm not usually on this list, but was pointed to this thread. Warning
that we now have two "iang"s on here. ;-) ]
This is a common confusion about OTR. OTR aims to provide the same
deniability as plaintext, while also providing the same authentication as,
say, PGP. You want assurance that the other person is who he says he
is, but at the same time, you don't want digital signatures on all of your
messages which can be used by a third party (or even the person you were
speaking to) later to prove what you said.
You can't achieve *more* deniability than plaintext, of course. Just
as plaintext chat logs might be trusted because you believe the chain-of-custody,
so might OTR logs be. (If the OTR logs are the ciphertexts, of course,
you'd also need to log the keys to get anything useful out, but even then,
the point is that you could have used the toolkit to modify individual messages,
or even forge the whole transcript.)
In this case, of course, the plaintexts were logged, so OTR's properties
don't even come into it. Here, anyone could simply edit the text file
containing the logs.
- Ian (the other "iang")
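The property described in the message above, as an added example that is not part of the original thread and is not OTR's code: when messages are authenticated with a MAC under a key both parties hold, the recipient can check them, but the recipient can also compute a valid tag on any text, so a transcript with tags attributes nothing to a third party. The key derivation, party names and messages are constructed for illustration; OTR itself derives its keys from an authenticated Diffie-Hellman exchange rather than a fixed secret.

```python
import hashlib
import hmac
import secrets


def derive_mac_key(shared_secret: bytes) -> bytes:
    # Constructed KDF for this example only; not OTR's key schedule.
    return hashlib.sha256(b"example-mac-key" + shared_secret).digest()


def tag(mac_key: bytes, sender: str, text: str) -> bytes:
    # The tag covers the claimed sender and the text.
    msg = sender.encode() + b"\x00" + text.encode()
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def verify(mac_key: bytes, sender: str, text: str, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, sender, text), t)


class Party:
    """One end of a conversation; both ends hold the same MAC key."""

    def __init__(self, name: str, shared_secret: bytes):
        self.name = name
        self.mac_key = derive_mac_key(shared_secret)

    def send(self, text: str):
        return (self.name, text, tag(self.mac_key, self.name, text))

    def accepts(self, record) -> bool:
        sender, text, t = record
        return verify(self.mac_key, sender, text, t)

    def locally_computed(self, claimed_sender: str, text: str):
        # Nothing in the tag depends on who ran the computation:
        # any key holder gets the same bytes for the same input.
        return (claimed_sender, text, tag(self.mac_key, claimed_sender, text))


def third_party_audit(mac_key: bytes, transcript) -> list:
    """All an outside examiner can compute, even when handed the key:
    whether each record's tag is valid, not who produced it."""
    return [verify(mac_key, s, x, t) for s, x, t in transcript]


def demo() -> dict:
    secret = secrets.token_bytes(32)  # stands in for the session secret
    alice, bob = Party("alice", secret), Party("bob", secret)

    genuine = alice.send("meet at noon")
    # Someone without the key who alters the text is detected by Bob.
    altered_in_transit = (genuine[0], "meet at nine", genuine[2])
    # A record attributed to alice but computed on bob's side.
    never_sent = bob.locally_computed("alice", "text alice never wrote")

    return {
        "bob_accepts_genuine": bob.accepts(genuine),
        "bob_accepts_altered": bob.accepts(altered_in_transit),
        "audit": third_party_audit(bob.mac_key, [genuine, never_sent]),
    }


if __name__ == "__main__":
    print(demo())
```

With a digital signature in place of the MAC, only the holder of the private key could have produced the tag, which is exactly the third-party proof the message above says OTR avoids creating.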
From: Steven Bellovin <smb[at]cs.columbia.edu>
Date: Thu, 14 Jul 2011 14:59:29 -0400
To: Ai Weiwei <freeaiweiwei[at]yahoo.ca>,
Crypto discussion list <cryptography[at]randombit.net>
Cc: info[at]armycourtmartialdefense.com
Subject: Re: [cryptography] OTR and deniability
The two Ian G's have it correct: while OTR provides (some level of) lack
of evidence within the system, it says nothing about external evidence like
netflow records, which machine the logs were taken from, etc. To pick
one bad example -- bad because I don't know if it fits the facts of this
case -- if one party to a purported conversation turned over a log file,
and forensic examination of the second party's computer showed the same log,
I suspect that most people would believe that those two parties had that
conversation. Of course, the authenticity of the log files could be
challenged -- did the first party hack into the second party's computer and
plant the log file? had someone else hacked into it and used it to
talk with the first party? -- but that's also outside the crypto protocol.
Put another way, the goal in a trial is not a mathematical proof, it's proof
to a certain standard of evidence, based on many different pieces of data.
Life isn't a cryptographic protocol.
--Steve Bellovin,
https://www.cs.columbia.edu/~smb
Date: Fri, 15 Jul 2011 11:45:08 -0500
From: Marsh Ray <marsh[at]extendedsubset.com>
To: Crypto discussion list <cryptography[at]randombit.net>
Cc: info[at]armycourtmartialdefense.com
Subject: Re: [cryptography] OTR and deniability
On 07/14/2011 01:59 PM, Steven Bellovin wrote:
> did the first party hack into the second party's computer and plant
> the log file? had someone else hacked into it and used it to talk
> with the first party? -- but that's also outside the crypto
> protocol.
>
> Put another way, the goal in a trial is not a mathematical proof,
> it's proof to a certain standard of evidence, based on many different
> pieces of data. Life isn't a cryptographic protocol.
The interesting thing in this case though is that the person providing the
plaintext log file is:
a) a convicted felon
b) working for the investigators/prosecutors (since before the purported
log file's creation?)
c) himself skilled in hacking
I haven't heard anything about any other evidence that may exist, but just
a text file by itself (or perhaps even the informant's computer as a whole)
doesn't seem particularly credible to me.
- Marsh
Date: Fri, 15 Jul 2011 14:19:00 -0400
From: Jeffrey Walton <noloader[at]gmail.com>
To: Crypto discussion list <cryptography[at]randombit.net>
Cc: info[at]armycourtmartialdefense.com
Subject: Re: [cryptography] OTR and deniability
On Fri, Jul 15, 2011 at 12:45 PM, Marsh Ray
<marsh[at]extendedsubset.com> wrote:
> The interesting thing in this case though is that the person providing the
> plaintext log file is:
>
> a) a convicted felon
> b) working for the investigators/prosecutors (since before the purported log
> file's creation?)
> c) himself skilled in hacking
Agreed (I'm glad someone else said it).
> I haven't heard anything about any other evidence that may exist, but just a
> text file by itself (or perhaps even the informant's computer as a whole)
> doesn't seem particularly credible to me.
I'm not sure we will see any evidence. I would expect this case to stay under
the purview of the military, where folks (soldiers?) have fewer rights.
Jeff
Date: Fri, 15 Jul 2011 12:03:00 -0500
From: Marsh Ray <marsh[at]extendedsubset.com>
To: Ai Weiwei <freeaiweiwei[at]yahoo.ca>,
Crypto discussion list <cryptography[at]randombit.net>
Cc: "info[at]armycourtmartialdefense.com"
<info[at]armycourtmartialdefense.com>
Subject: Re: [cryptography] OTR and deniability
On 07/13/2011 09:37 PM, Ai Weiwei wrote:
> Hello list,
>
> Recently, Wired published material on their website which are claimed
> to be logs of instant message conversations between Bradley Manning
> and Adrian Lamo in that infamous case. [1] I have only casually
> skimmed them, but did notice the following two lines:
>
> (12:24:15 PM) bradass87 has not been authenticated yet. You should
> authenticate this buddy. (12:24:15 PM) Unverified conversation with
> bradass87 started.
>
> I'm sure most of you will be familiar; this is evidence that a
> technology known as Off-the-Record Messaging (OTR) [2] was used in
> the course of these alleged conversations.
>
> I apologize if this is off topic or seems trivial, but I think a
> public discussion of the merits (or lack thereof) of these alleged
> "logs" from a technical perspective would be interesting.
I think so too, if only to understand how the crypto turns out to be largely
irrelevant once again.
There's very little data available. Is there anything other than what's been
published by Wired?
> The exact implications of the technology may not be very well known beyond this
> list. I have carbon copied this message to the defense in the case
> accordingly.
>
> If I understand correctly, OTR provides deniability, which means that
> these alleged "logs" cannot be proven authentic. In fact, the OTR
> software is distributed with program code which makes falsifying such
> "logs" trivial. Is this correct?
>
> On a related note, a strange message to Hacker News at about that
> time [3] seems to now have found a context. Not to mention talk of
> "compromised" PGP keys: the prosecution witness created a new key
> pair June 2, 2010 (after 6 months with no keys for that email address
> -- why precisely then?), and replaced these a day less than one month
> later -- citing "previous key physically compromised." [4]
http://news.ycombinator.com/item?id=1410158
That would be consistent with Lamo hinting to his peeps that his computer
was taken by investigators. But his advice for others to regenerate their
own private keys shows that either he himself doesn't understand the
cryptographic properties of these protocols or he believes some other keys
have been compromised too.
From: "Meredith L. Patterson" <clonearmy[at]gmail.com>
Date: Fri, 15 Jul 2011 22:52:39 +0200
To: Crypto discussion list
<cryptography[at]randombit.net>
Subject: Re: [cryptography] OTR and deniability
On Fri, Jul 15, 2011 at 6:45 PM, Marsh Ray <marsh[at]extendedsubset.com> wrote:
> On 07/14/2011 01:59 PM, Steven Bellovin wrote:
> > Put another way, the goal in a trial is not a mathematical proof,
> > it's proof to a certain standard of evidence, based on many different
> > pieces of data. Life isn't a cryptographic protocol.
>
> The interesting thing in this case though is that the person providing the
> plaintext log file is:
>
> a) a convicted felon
> b) working for the investigators/prosecutors (since before the purported
> log file's creation?)
> c) himself skilled in hacking
Those bullet points are far more likely to be brought up at trial than any
of the security properties of OTR. Defense counsel has to weigh the benefits
of presenting evidence -- will it get some point across, or will it be lost
on the judge/jury?
I submit that a military judge or a panel of commissioned officers (and maybe
some enlisted personnel) is unlikely to appreciate the finer mathematical
points, and more likely to fall back on "but there are these logs, right
there, and the feds say they're authentic." The defense has plenty of Lamo's
own documented actions to use to undermine his credibility.
There's much to be said for "baffle them with bullshit" (not that there's
necessarily any bullshit even involved), but a jury that doesn't understand
an argument is likely to dismiss it as bullshit.
Best,
--mlp
Date: Sat, 16 Jul 2011 00:21:45 -0400
From: Ian Goldberg <iang[at]cs.uwaterloo.ca>
To: Crypto discussion list
<cryptography[at]randombit.net>
Subject: Re: [cryptography] OTR and deniability
On Fri, Jul 15, 2011 at 10:52:39PM +0200, Meredith L. Patterson wrote:
> Those bullet points are far more likely to be brought up at trial than any
> of the security properties of OTR. Defense counsel has to weigh the benefits
> of presenting evidence -- will it get some point across, or will it be lost
> on the judge/jury?
Just to be clear: there are _no_ OTR-related mathematical points or issues
here. The logs were in plain text. OTR has nothing at all to
do with their deniability.
- Ian
Date: Sat, 16 Jul 2011 18:23:10 -0500
From: Marsh Ray <marsh[at]extendedsubset.com>
To: Crypto discussion list
<cryptography[at]randombit.net>
Subject: Re: [cryptography] OTR and deniability
On 07/15/2011 11:21 PM, Ian Goldberg wrote:
> Just to be clear: there are _no_ OTR-related mathematical points or
> issues here. The logs were in plain text. OTR has nothing at all to do
> with their deniability.
It's a good bet the entirety of the informant's PC was acquired for computer
forensic analysis, as well as every PC Manning is known to have touched.
There's a good chance some traffic data was retained from the network where
Manning allegedly did the chatting and data transfer.
Sure the logs we see are in plain text, but that's almost certainly not all
the data in play. Deniability may yet still depend on OTR and its implementation.
Note that the logs indicate the parties were unauthenticated and the connection
was bouncing. Was this a man-in-the-middle interception? Does the protocol
and implementation issue a message to the user when an "unauthenticated"
identity changes its key?
- Marsh
http://www.wired.com/threatlevel/2011/07/manning-lamo-logs#m765
> (01:37:03 AM) bradass87 has signed on.
> (01:37:51 AM) bradass87: no no im at FOB hammer (re: green zone); persona is killing the fuck out of me at this point =L
> (01:37:51 AM) info[at]adrianlamo.com <AUTO-REPLY>: Im not here right now
> (01:37:55 AM) Error setting up private conversation: Malformed message received
> (01:37:55 AM) We received an unreadable encrypted message from bradass87.
> (01:37:58 AM) bradass87: [resent] <HTML>no no im at FOB hammer (re: green zone); persona is killing the fuck out of me at this point =L
> (01:38:07 AM) bradass87 has ended his/her private conversation with you; you should do the same.
> (01:38:18 AM) Error setting up private conversation: Malformed message received
> (01:38:20 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:38:30 AM) Error setting up private conversation: Malformed message received
> (01:38:33 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:38:43 AM) Error setting up private conversation: Malformed message received
> (01:38:46 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:38:57 AM) Error setting up private conversation: Malformed message received
> (01:38:59 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:39:10 AM) Error setting up private conversation: Malformed message received
> (01:39:13 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:39:22 AM) Error setting up private conversation: Malformed message received
> (01:39:25 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:39:36 AM) Error setting up private conversation: Malformed message received
> (01:39:39 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:39:49 AM) Error setting up private conversation: Malformed message received
> (01:39:52 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:40:02 AM) Error setting up private conversation: Malformed message received
> (01:40:04 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:40:15 AM) Error setting up private conversation: Malformed message received
> (01:40:18 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:40:30 AM) Error setting up private conversation: Malformed message received
> (01:40:31 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:40:41 AM) Error setting up private conversation: Malformed message received
> (01:40:45 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:40:54 AM) Error setting up private conversation: Malformed message received
> (01:40:57 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:41:08 AM) Error setting up private conversation: Malformed message received
> (01:41:10 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:41:21 AM) Error setting up private conversation: Malformed message received
> (01:41:23 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:41:37 AM) Error setting up private conversation: Malformed message received
> (01:41:50 AM) Error setting up private conversation: Malformed message received
> (01:41:52 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:42:03 AM) Error setting up private conversation: Malformed message received
> (01:42:05 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:42:19 AM) Error setting up private conversation: Malformed message received
> (01:45:17 AM) The encrypted message received from bradass87 is unreadable, as you are not currently communicating privately.
> (01:45:20 AM) Unverified conversation with bradass87 started.
> (01:45:20 AM) bradass87: [resent] <HTML>otr fritzing
> (01:45:40 AM) bradass87 has ended his/her private conversation with you; you should do the same.
> (01:45:46 AM) The following message received from bradass87 was not encrypted: [otr is bugging out]
> (01:45:54 AM) Unverified conversation with bradass87 started.
> (01:46:02 AM) bradass87: no no im at FOB hammer (re: green zone); persona is killing the fuck out of me at this point =L
> (01:46:15 AM) bradass87: [phew, seems to be working now]
> (01:47:36 AM) info[at]adrianlamo.com: :)
Date: Sun, 17 Jul 2011 05:13:45 -0400
From: Jeffrey Walton <noloader[at]gmail.com>
To: Crypto discussion list
<cryptography[at]randombit.net>
Subject: Re: [cryptography] OTR and deniability
On Sat, Jul 16, 2011 at 7:23 PM, Marsh Ray
<marsh[at]extendedsubset.com> wrote:
> It's a good bet the entirety of the informant's PC was acquired for computer
> forensic analysis, as well as every PC Manning is known to have touched.
> There's a good chance some traffic data was retained from the network where
> Manning allegedly did the chatting and data transfer.
>
> Sure the logs we see are in plain text, but that's almost certainly not all
> the data in play. Deniability may yet still depend on OTR and its
> implementation.
>
> Note that the logs indicate the parties were unauthenticated and the
> connection was bouncing. Was this a man-in-the-middle interception? Does the
> protocol and implementation issue a message to the user when an
> "unauthenticated" identity changes its key?
If you'll notice, Lamo started with leading questions in the previous transcript,
so I believe the FBI was already in the loop (and probably gathering evidence
directly from Lamo's machine). I suspect the NSA or some other agency caught
wind (via spying on the FBI!), and started their own reconnaissance and
information gathering in the network.
Jeff
Date: Sun, 17 Jul 2011 15:40:26 -0400
From: Thierry Moreau <thierry.moreau[at]connotech.com>
To: Crypto discussion list
<cryptography[at]randombit.net>
Subject: Re: [cryptography] OTR and deniability
Marsh Ray wrote:
> It's a good bet the entirety of the informant's PC was acquired for
> computer forensic analysis, as well as every PC Manning is known to have
> touched. There's a good chance some traffic data was retained from the
> network where Manning allegedly did the chatting and data transfer.
>
> Sure the logs we see are in plain text, but that's almost certainly not
> all the data in play. Deniability may yet still depend on OTR and its
> implementation.
>
> Note that the logs indicate the parties were unauthenticated and the
> connection was bouncing. Was this a man-in-the-middle interception? Does
> the protocol and implementation issue a message to the user when an
> "unauthenticated" identity changes its key?
I didn't look at the details of this incident/case beyond the discussion
on this list.
However, it appears that the two questions in the last paragraph below are
sufficiently doubt casting for challenging the electronic evidence as a reliable
account of a conversation using electronic means.
Thus, the OTR protocol (including detection of re-keying exchange) would
appear to have the indirect result of reporting tampering-in-the-loop. Maybe
not as a specific design goal, but as a consequence of cryptographic processing
which makes everything more error-prone.
Just my 0.02 cents.
- Thierry Moreau
Date: Tue, 19 Jul 2011 09:48:37 +1000
From: Ian G <iang[at]iang.org>
To: Crypto discussion list
<cryptography[at]randombit.net>
Subject: Re: [cryptography] OTR and deniability
Back in the 1980s, a little thing called public key cryptography gave birth
to a metaphor called the "digital signature" which some smart cryptographers
thought to be a technological analogue of the human manuscript act of signing.
It wasn't, but this didn't stop the world spending vast sums to experiment
with it. They still are, in Europe. Oh well, that would have
been OK as long as it didn't hurt anyone.
But it gets worse. Those same cryptographic dreamers theorised that
because their mathematics was so damn elegant, the maths couldn't lie. So,
they could promote a "non-repudiable signature" as a technological advance
over ink & quill. The maths was undeniable, right? Although
these days we know better, that "non-repudiation" is a crock, we still have
people running around promoting it, and old text books suggesting it as an
important cryptographic feature.
Repudiation is a legal right, it's a valuable option within dispute resolution,
not a mathematical variable to solve out of the equation.
You can't mathematise away legal rights, any more than you can democratise
poverty away in the middle east, nor militarise pleasure away in a random
war on drugs.
OTR makes the same error. It takes a very interesting mathematical
property, and extends it into the hard human world, as if the words carry
the same meaning. Perhaps, once upon a time, in some TV court room
drama, someone got away with lying about a document? From this, OTR
suggests that mathematics can help you deny a transcript? It can't.
It can certainly muddy the waters, it can certainly give you enough rope
to hang yourself, but what it can't do is give some veneer of "it didn't
happen." Not in court, not in the hard world of humans.
I am reminded of a film _A few good men_ which is somewhat apropos of those
two young kids wasting away in some afghan shithole that passes for military
justice. It's that well known scene where Cruise traps Nicholson
into undenying his repudiation:
Kaffee: *Did you order the Code Red* ?
Col. Jessep: *You're Goddamn right I did* !
http://www.imdb.com/title/tt0104257/quotes
That's repudiation, real life version. And that's what happens to it,
as summed up by Kaffee afterwards: "the witness has rights..." Mathematics
has no place there, as is shown by all the other muddy evidence in the case.
On 16/07/11 6:52 AM, Meredith L. Patterson wrote:
[Omitted]
Date: Mon, 18 Jul 2011 19:53:46 -0400
From: Ian Goldberg <iang[at]cs.uwaterloo.ca>
To: Crypto discussion list
<cryptography[at]randombit.net>
Subject: Re: [cryptography] OTR and deniability
On Tue, Jul 19, 2011 at 09:48:37AM +1000, Ian G wrote:
> From this, OTR suggests that mathematics can help you deny a
> transcript? It can't. It can certainly muddy the waters, it can
> certainly give you enough rope to hang yourself, but what it can't do
> is give some veneer of "it didn't happen." Not in court, not in the
> hard world of humans.
OTR makes no claim to use mathematics to help you deny a transcript. That
would be crazy.
OTR claims to _avoid_ using mathematics that might be construed by some as
preventing you from denying a transcript.
- Ian