Exceptional Access to Encrypted Communications

Bob Barr has recently added his voice to the ongoing call of law enforcement to provide exceptional access to encrypted communications. Here’s why that’s not going to work.

“Exceptional access — as governments propose — is the problem of making a system selectively secure. I can tell you, it’s hard enough to make a secure system. It’s vastly harder to make a system secure except for governments, and only available to governments that consist of ‘democratically elected representatives and [a] judiciary’ as the GCHQ authors imagine.”

—Jon Callas, “The ‘Ghost User’ Ploy to Break Encryption Won’t Work.” DavisVanguard.org. July 24,2019.

Is being able to access the encrypted communications of everyone enough? Between the drone’s Gorgon Stare above, the Ring camera on every other front door for police to access, televisions tracking every show being watched, phones and digital assistants listening in on conversations, fitness trackers as evidence in court cases, Stringray and other technology for phone tracking, license plate readers to track vehicle movement over time, surveillance balloons and so on, it feels to me like the police and military are a little under-powered these days.

I was promised a camera in my television watching my every move, a Room 101 for not sufficiently toeing the line and a boot stomping on a face of humanity forever. Was Uncle Orwell lying to me?

A (Relatively Easy to Understand) Primer on Elliptic Curve Cryptography | Ars Technica

“If you just want the gist, here’s the TL;DR version: [Elliptical Curve Crytography,] ECC is the next generation of public key cryptography, and based on currently understood mathematics, it provides a significantly more secure foundation than first-generation public key cryptography systems like RSA. If you’re worried about ensuring the highest level of security while maintaining performance, ECC makes sense to adopt. If you’re interested in the details, read on.”

—Nick Sullivan. ” A (relatively easy to understand) primer on elliptic curve cryptography.” Ars Technica. October 24, 2013.

How to Boost Your Data Privacy With a Virtual Private Network

“Data privacy matters, and we all deserve respect and consideration from those we visit on the internet. As shown by the numerous data breaches that have affected companies and individual users around the world, individuals and governments, however, we must also look out for our own personal data and privacy. Using a VPN to obfuscate your location and encrypt data is a powerful way to prevent the tracking, stalking and theft of personal and private data.”

—Eric Jeffrey, “How to Boost Your Data Privacy With a Virtual Private Network.” Security Intelligence. November 2, 2018.

A layman’s explanation of VPNs and why you should be using them. I’ve mentioned VPNs before. If interested in using one, check this website for a comparison of different services.

Click Here to Kill Everybody – Bruce Schneider

“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There’s no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.

This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It’s actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals’ safe houses would be more secure, but it’s pretty clear that this downside would be worth the tradeoff of protecting everyone’s house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.

Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won’t make it impossible for law enforcement to solve crimes; I’ll get to that later in this chapter.) Regardless, it’s worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We’ve got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.”

—Bruce Schneider. “Five-Eyes Intelligence Services Choose Surveillance Over Security.” Schneider.com. September 8, 2018.

WireGuard VPN review: A new type of VPN offers serious advantages | Ars Technica

“WireGuard is a new type of VPN that aims to be simpler to set up and maintain than current VPNs and to offer a higher degree of security. The software is free and open source—it’s licensed GPLv2, the same license as the Linux kernel—which is always a big plus in my book. It’s also designed to be easily portable between operating systems. All of that might lead you to ask: in a world that already has IPSEC, PPTP, L2TP, OpenVPN, and a bewildering array of proprietary SSL VPNs, do we need yet another type of VPN?”

—Jim Salter. “WireGuard VPN review: A new type of VPN offers serious advantages.” Ars Technica. August 26, 2018.

Do we need yet another type of VPN? Why, yes. Yes, we do.

Mutt on OpenBSD & Linux: configuring gpg/gpg2 & ~/.muttrc

Update: August 2019. In August 2017, I wrote this post to document my process for getting gpg2 working on OpenBSD 6.1 after not finding a straight-forward explanation online. In the two years since, I have used these notes to set up mutt on both OpenBSD and several varieties of Linux, such as Debian derivatives, Arch and others. With a little work, I have managed to get mutt working on each of these systems.

In the update, I went through through and cleaned up the post a bit for clarity and fixed some formatting now that WordPress has better options for including code. If you are trying to get gpg/gpg2 working with mutt, hopefully, this will help you too. If you find errors, please feel free to comment below and I’ll try to fix them.

Install mutt and gnupg

[OpenBSD] # pkg_add -i mutt gnupg 

A series of options will display. Pick the current version of mutt-1.8.0v3-gpgme-sasl and gnupg-2.1.15p2.

[Ubuntu/Debian] # sudo apt-get install mutt gnupg

Change to the relevant package manager equivalent if you don’t use apt. You may also need to add cyrus-sasl to your package manager on linuxes without it baked in.

Copy gpg.conf to your home directory

[OpenBSD] $ cp /usr/local/share/gnupg/options.skel ~/.gnupg/gpg.conf
[Ubuntu/Debian]$ cp /usr/share/doc/mutt/examples/gpg.rc ~/.gnupg/gpg.conf

On Ubuntu/Debian, this step might not be necessary. If using gpg2, you’ll need to substitute gpg2 for all the gpg commands in the config file should you need it.

Add text to gpg.conf

# Enable gpg-agent
 use-agent
 pinentry-mode loopback

This step seemed required on OpenBSD. On many varieties of Linux, it does not seem to matter. I’d guess gnome has something that automagically handles this in the background.

Start the gpg-connect-agent daemon

$ gpg-connect-agent

On some linux distros, this step may already be taken care of for you.

Import your secret and public gpg keys

$ gpg2 --decrypt file.sec.gpg | gpg2 --import --batch

If you don’t have gpg keys yet, check out man or the Ubuntu privacy documentation for details about doing it.

Check your gpg keyring

$ gpg2 -K

$ gpg2 -K

Important step. It’s very easy during the import process to type in a key, password, or command wrong and not import your secret keys. I ended up troubleshooting my mutt configuration for a couple of hours before I figured out it wasn’t working because I didn’t have my gpg keys on my keyring. Save yourself this trouble and check.

Create a text file with your email password

set imap_pass = "yourpassword"
set smtp_pass = "yourpassword"

Save this file to ~/.gnupg/email-password.gpg

Encrypt your email-password.gpg file

$ gpg2 --encrypt /home/bedouin/.gnupg/email-password.gpg

Add a .mailcap for HTML

Put the following in your ~/.mailcap file or create one if it doesn’t exist. Install lynx or another text browser of your choice. If different, change lynx to the alternative in the text below.

text/html;  /usr/bin/firefox %s >/dev/null 2>&1; needsterminal
text/html;  lynx -dump %s; nametemplate=%s.html; copiousoutput

Create a ~/.muttrc configuration file

# .muttrc                                                                      
                                                                               
# GPG                                                                          
# gpg.rc is unnecessary on some systems.                            
# On OpenBSD, you're probably going to need it.                              
# OpenBSD: /usr/local/share/examples/mutt/gpg.rc                               
#                                                                              
# source ~/.mutt/gpg.rc                                                        

set pgp_use_gpg_agent = yes                                                    
set pgp_sign_as = 0O0ABCDZ  # replace with your key                            
set pgp_timeout = 7200                                                         
set crypt_autosign = no                                                        
set crypt_replyencrypt = no 

# password: tell mutt where to find your encrypted
# password, depending on what you installed, you 
# may need to change initial command to gpg
source "gpg2 -dq ~/.mutt/email-password.gpg |"                       
                                                                               
# mailbox configuration                                                        
set imap_user           = login@example.net                                    
                                                                               
# Only need the example.net if your root email address is different from server, otherwise just use your login                     
set folder              = imaps://login@example.net@example.com:993            
set spoolfile           = imaps://login@example.net@example.com/INBOX               
set smtp_url            = smtp://login@example.net@example.com:587                  
set postponed           = +Drafts                                              
set record              = +Sent                                                
set trash               = +Trash 
mailboxes               = +INBOX                                               
set hostname            = example.net                                          
set from                = login@example.net                                    
                                                                               
# mutt configuration                                                           
set ssl_starttls        = yes                                                  
set use_from            = yes                                                  
set postpone            = ask-yes                                              
set delete              = ask-yes                                              
set editor              = "emacs -nw" # or vi               
set pager               = lynx                                          
set charset             = "utf-8"                                              
set visual              = "emacs"                                              
set signature           = ~/.mutt/sig.txt
set alias_file          = ~/.mutt/aliases                                      
set mailcap_path        = ~/.mailcap                                           
set fcc_clear                                                                  
set noconfirmappend                                                            
set hidden_host                                                                
                                                                               
auto_view text/html             # auto render html to text                     
alternative_order text/plain text/enriched text/html    # read html last       
                                                                               
# Reduce polling frequency to a sane level                                     
set mail_check=60                                                              
                                                                               
# keep a cache of headers for faster loading (1.5.9+?)                         
set header_cache=~/.hcache                                                     
set edit_headers=yes                                                           
                                                                               
# Display download progress every 10K                                          
set net_inc=10 

The line to decrypt your password activates the gpg-connect-agent daemon and will not ask for you to enter it again for the duration of pgp_timeout specified in the file.

This should get you to a working set-up to read and write email. If you are having trouble logging in, double check your encrypted password file, particularly if your password requires escaping special characters.

Good luck!