Protecting IM From Big Brother

Posted by Zonk on Fri Nov 23, 2007 06:29 PM
from the another-mark-in-my-file dept.
holden writes "Ian Goldberg, leading security researcher, professor at the University of Waterloo, and co-creator of the Off-the-Record Messaging (OTR) protocol recently gave a talk on protecting your IM conversations. He discusses OTR and its importance in today's world of warrant-less wire tapping. OTR users benefit from being able to have truly private conversations over IM by using encryption to obtain authentication, deniability, and perfect forward secrecy, while working within their existing IM infrastructure. With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important. An avi of the talk is available by http as well as by bittorrent and a bunch of other formats."
This discussion has been archived. No new comments can be posted.
  • Encryption (Score:5, Insightful)

    by nurb432 (527695) on Friday November 23 2007, @06:35PM (#21458267) Homepage Journal
    It's time to implement encryption of ALL traffic from ALL applications. Perhaps even IPC encryption in case you have some sort of 'tap' installed on your computer.

    Sure, it eats resources, but do you want others reading your information? I don't. Not even when it's "we are out of milk, please pick some up on the way home", as it's NONE OF THEIR BUSINESS.
    • Re:Encryption (Score:4, Informative)

      by rainman_bc (735332) on Friday November 23 2007, @06:41PM (#21458319)
      Check out SiMP-Lite [secway.fr]

      It's a fantastic product, I just wish it was multi-platform... Really nice for Windows though...
      • Although OTR and gaim-encryption (now pidgin-encryption) were originally for AIM (as far as I can tell), if you are using pidgin, I see no reason other than possibly some quirks in the plug-in why you could not use them on MSN or any other protocol. I think I have used pidgin-encryption on Jabber.
        • Re: (Score:2, Interesting)

          I regularly use OTR in Pidgin with MSN and Jabber (Gmail chat) and have never had a problem. Adium X on the Mac also includes OTR support out of the box.

          I try to use OTR as much as possible, all of the time. I figure if I only protect the stuff that needs to be secret, it sticks out like a sore thumb. And the more encrypted traffic on the internet in general, the harder it is for them to break it all even if they do have magic quantum computers.

          Trying to get more people to use PGP/GPG with me over emai

      • Except that it's completely untrustworthy because it's non-free software. If a major feature of the software is that you can trust it to keep your secrets or protect your privacy, you should be able to trust that it's only going to do what you want it to do. Non-free software inherently doesn't work this way, so none of it is useful for encryption. This program disallows modification, so if you discover that it doesn't do what you want you have no permission to make it do what you want. Forget about hel
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Honey, is that you? We are out of milk, please pick some up on the way home.
    • Re: (Score:2, Interesting)

      It's not just about encryption, it's about privacy too. Do you want instant messaging to be used as evidence against you in the future? The reason it is called OTR is because it really is off the record. Recording of conversations is not evidence that a conversation ever occurred, since it purposely lets anyone forge messages after the conversation is over. If the person you were talking to decides to record everything you say to them, it doesn't matter, since you can easily show that what you said could
      • Encrypting by default still doesn't prove the *log* is legit and only prevents a 3rd party from secretly watching along the way, so I don't see me encrypting everything affecting that.

        And I do agree I have to trust the person at the other end not to divulge/record/forge that I need to get milk.
        • Re:Encryption (Score:5, Informative)

          by Kadin2048 (468275) * <slashdot@kadin.xoxy@net> on Saturday November 24 2007, @12:04AM (#21460335) Homepage Journal

          Encrypting by default still doesn't prove the *log* is legit and only prevents a 3rd party from secretly watching along the way, so I don't see me encrypting everything affecting that.
          Huh? OTR is specifically designed not to prove that the log is legit. It goes to a lot of work, actually, to ensure that there's a trivial way to fake messages after the fact, just not when a conversation is occurring.

          That means that when you're having a chat with someone, you know that what they're saying to you is their actual words, but that the same cryptography that's giving you privacy can't (theoretically) be used to hang you later, by proving absolutely that you said certain things.

          OTR's logs are designed to be easily forgeable. This is a major difference in its design from many corporate IM clients (e.g. Sametime), which offer encryption but also create authoritative logs that can be referred back to later.

          The point of OTR Messaging is to allow you to have the equivalent of a face-to-face, "off the record" conversation, in the digital, computer-mediated world. Just like when you have an in-person conversation, there's nothing stopping the other person from walking back to their car and blabbing about the whole thing to anyone who'll listen, the encryption itself tries to not serve as authentication after the fact as to what was said.
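Added example, not part of the comment above and not code from the OTR project: a Python sketch of why a MAC-authenticated log convinces the recipient during the chat but proves nothing to a third party afterwards. OTR publishes its MAC keys once they are no longer needed and encrypts with a malleable stream cipher; here a SHA-256 counter keystream stands in for AES in counter mode, HMAC-SHA256 stands in for OTR's MAC, the session keys are random rather than Diffie-Hellman derived, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def keystream(enc_key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 as a stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def send(enc_key, mac_key, plaintext):
    """Encrypt with the stream cipher, then MAC the ciphertext."""
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    return ct, mac(mac_key, ct)

def receive(enc_key, mac_key, ct, tag):
    """Return the plaintext if the MAC verifies, otherwise None."""
    if not hmac.compare_digest(mac(mac_key, ct), tag):
        return None
    return xor(ct, keystream(enc_key, len(ct)))

def forge_after_reveal(revealed_mac_key, ct, known_pt, new_pt):
    """Rewrite a logged message using only the transcript, a known or guessed
    plaintext, and the published MAC key. enc_key is never needed."""
    if len(new_pt) != len(known_pt):
        raise ValueError("bit-flipping keeps the message length")
    new_ct = xor(ct, xor(known_pt, new_pt))
    return new_ct, mac(revealed_mac_key, new_ct)

def demo():
    # Constructed session keys; OTR derives its keys from a Diffie-Hellman exchange.
    enc_key, mac_key = os.urandom(16), os.urandom(32)
    original = b"please buy milk"
    ct, tag = send(enc_key, mac_key, original)

    # Live conversation: the genuine message verifies, and a network attacker
    # who flips a bit without knowing mac_key is rejected.
    live = receive(enc_key, mac_key, ct, tag)
    flipped = xor(ct, b"\x01" + bytes(len(ct) - 1))
    tampered = receive(enc_key, mac_key, flipped, tag)

    # The recipient holds the same mac_key as the sender, so a valid tag in
    # their log is something they could have computed themselves.
    own_ct, own_tag = send(enc_key, mac_key, b"words I never typed")
    recipient_made = receive(enc_key, mac_key, own_ct, own_tag)

    # After the conversation the MAC key is published: anyone can now produce
    # a different message that still verifies.
    f_ct, f_tag = forge_after_reveal(mac_key, ct, original, b"please buy beer")
    forged = receive(enc_key, mac_key, f_ct, f_tag)
    return live, tampered, recipient_made, forged

if __name__ == "__main__":
    print(demo())
```

A digital signature in place of the MAC would remove both forgery paths, which is exactly the non-repudiation property the comment says OTR avoids.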
      • Re:Encryption (Score:5, Insightful)

        by QuantumG (50515) <qg@biodome.org> on Friday November 23 2007, @10:24PM (#21459771) Homepage Journal
        Blah, that's a load of shit. It's an academic answer to how to fix the problem of people logging your conversation with them.

        When the log is presented in court the person who logged it will be asked "is this log an accurate representation of the conversation you had with the accused?" and they say "yes, it is" and the defense then has to show not that it is possible that the log was doctored but that the person who has just sworn, under penalty of perjury, is lying. They typically do this by showing instances in the past where the person has submitted false evidence to a court, or they can try to show that the person has something to gain by changing the log and that they had the skills (if any special skills are required, which they wouldn't be). It would be a very tough sell and a jury is more likely to believe that the log is accurate because what kind of idiot would lie in court when the punishment is so severe.

        Consider that email is so trivial to fake and yet emails are considered official correspondence in many many many court cases. It's not about the technology, it's about the people making the claims.

        • Re: (Score:3, Interesting)

          Email isn't trivial to fake in such a way that it would stand up to any kind of scrutiny whatsoever. Already there are simple authentication protocols that are becoming widespread enough to secure the average user. If the receiving domain has any kind of proper configuration, it will be able to validate whether a mail was sent properly using one of SPF records, PTR, DomainKeys, or any reputation system.

          Try to fake an email that looks like it authentically came from Amazon.com to a Yahoo account -- even fr
          • Re: (Score:3, Informative)

            The typical email trail presented in a court case is completely intra-domain.

            Ya know, "the boss sent me an email saying we should fire all workers who had signed the latest union agreement".

      • Re:Encryption (Score:5, Interesting)

        by thegrassyknowl (762218) on Friday November 23 2007, @10:24PM (#21459777)
        The beauty of OTR messaging is that it claims to guarantee perfect forward secrecy. In other words, if you lose control of your private keys no previous conversation is compromised. This is a big plus, because even if they force you to turn over the keys they can't see the previous conversations.

        It works (as I understand) by using your key pair to derive and exchange public session keys. The session keys then are used to do actual encryption and are changed frequently. The private key at each end is only ever stored in RAM and is discarded when the session ends or after a timeout.

        It's neat because even listening in to the whole session and obtaining the public session keys isn't enough to compromise the session. Of course, having the public keys and obtaining the master private key may go a long way to helping with a mathematical attack of the algorithm.
  • You can't have perfect secrecy unless your RAM contents are also encrypted. Wasn't there some case recently where the RAM contents of some server were subpoenaed in a court case? If your RAM is unencrypted, then your IM conversation is stored in plain text SOMEWHERE, even if it is encrypted on the network stack. Of course, having encrypted RAM would be a HUMONGOUS performance hit, but it could be done. Hmmm..

    Off to the patent office I go..
    • by Cracked Pottery (947450) on Friday November 23 2007, @06:51PM (#21458389)
      Fine, let me get those chips out for you. Bring them back after you get the information off of them.
    • Off to the patent office I go..

      Have fun proving that you had the idea before Theo [wikipedia.org].

      • Well, the idea of encrypting RAM would be obvious to the person skilled in the state of the art, and therefore on its face not patentable. However, there are invariably many novel ways to solve obvious problems that would be patentable. Whether or not I could obtain a patent on the method and apparatus would depend upon the novelty of said method and apparatus.
    • Wasn't there some case recently where the RAM contents of some server were subpoenaed in a court case?
      Yes, but it didn't help them at all.
      • Re: (Score:2, Interesting)

        Exactly. But you can take steps to limit the lifetime of sensitive data in memory.

        See Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation http://www.stanford.edu/~blp/papers/shredding.pdf [stanford.edu]
        • Encrypted RAM would be very secure, but it would need hardware support. The key would be stored within a CPU register, having been generated from random noise on bootup. Hitting reset/power should be all the security you need. We effectively have this now in free software with encrypted swap space, and I think the TCPA spec says that bus encryption keys need to be negotiated using public key algorithms. The curious thing is that there doesn't need to be much access time overhead, because you do all the decr
  • by compumike (454538) on Friday November 23 2007, @06:38PM (#21458297) Homepage
    This is a good step, and I wish that more people would use encrypted messaging systems. This includes IM, e-mail, and voice.

    However, while encryption can protect against "big brother", you can never eliminate the risk from the other end of the line. What happens if the person you are talking to has a rootkit, or prints out the conversation, or otherwise compromises the data? There's no real way to protect your entire conversation.

    --
    Educational microcontroller kits for the digital generation -- great gift! [nerdkits.com]
    • Jabber + PSI + SSL + GPG = Safe in transit, at least. However, there's no way you can be sure someone isn't logging everything at their end. It's the whole DRM problem, but just with messages, instead of videos/music.
    • However, while encryption can protect against "big brother", you can never eliminate the risk from the other end of the line. What happens if the person you are talking to has a rootkit, or prints out the conversation, or otherwise compromises the data? There's no real way to protect your entire conversation.

      Uh, no shit? Obviously you're screwed if the other party is untrustworthy, since the whole point of the communication in question is to transmit your sensitive information to that party. Keep in mind,

  • ... I hate to say it, but the most practical secure kind of IM right here right now is probably Skype. Well - you read that story about German police and Skype's chat traffic (like other kinds) is carried over the same encrypted p2p transport as its voice traffic.
    • Skype isn't very trustworthy. My favourite link about Skype security [blackhat.com]. You can't necessarily trust a closed source app with confidential information.

      If you need a "ghetto" works-almost-anywhere free secure instant messenger to talk to Alice or Bob, create an account for your friend on your Linux machine and let them SSH in using PuTTY. Then use "write" to talk to each other, or if you're really fancy, use "talk". SSH is great for this because it (a) uses strong crypto, (b) lets you check for man-in-the-middl
  • We use AIM for communication at my company. One problem is half the people use GAIM, the other half use Trillian, and each have separate standard encryption plug-ins which are incompatible. Of course it is free software and I could jump in and work on this but I am too busy. The main reason we had encrypted conversations was to send passwords to one another.
    • I use Gaim OTR, and my buddy used Trillian OTR (without him even realizing it incidentally). There was a Gaim encryption plugin before the OTR plugin, but I don't know anyone using that anymore.
  • Quote: "With the recent NSA wiretapping activities and increasing Big Brother presence, security and OTR are increasingly important."

    The real problem is U.S. government corruption. See this example from Cooperative Research, a complete 911 Timeline of 3962 events: U.S. Government corruption TimeLines [cooperativeresearch.org].

    The government should serve the people, not spy on them.
  • 1984 (Score:3, Funny)

    by dotancohen (1015143) on Friday November 23 2007, @07:12PM (#21458585) Homepage
    I find it fitting that someone named Goldberg is warning us about Big Brother.
  • by NotQuiteReal (608241) on Friday November 23 2007, @07:14PM (#21458609) Journal
    They are sitting in plain text on my HDD.

    Anyone who is IM'ing with super-secret encoding and hoping that they are safe better not be IM'ing me, or someone like me who checks the "log" button...

    Sorry, sometimes I like to refer back to them, and that is the way they are kept. I am too lazy to do anything about it.

    I always assume I am just part of the noise in the s/n ratio that "they" are listening to.

    What's the opposite of tin-foil hat?

    • I log all my IM messages too. But you can not prove those messages are written by some specific person. They are plaintext and everyone can edit them. The "problem" with most encryption protocols is signing. If I write a message to you and I sign it, you can prove I wrote it. OTR provides encryption and authentication that can't be used to prove to anyone else you wrote it. I suggest you watch the video for more information.
  • The organization that is serving the talk has a webcam ( http://csclub.uwaterloo.ca/office/webcam.html ) in their office. Despite serving an avi file linked directly from the slashdot page, there doesn't seem to be fire :P
  • Isn't EVERYONE very upset that we need these types of applications these days? Why does it seem reasonable that EVERYONE needs to hide their communications from their own governments? Shouldn't we be more upset that things have gotten so out of hand?
  • HR 1955 (Score:5, Informative)

    by CranberryKing (776846) on Friday November 23 2007, @08:10PM (#21458995)
    If this bill [govtrack.us] passes, you won't be able to use OTR without being carted off. Call your senator and tell them to vote NO.
    • Re: (Score:2, Informative)

      The Congress finds the following: ...

      The Internet has aided in facilitating violent radicalization, ideologically based violence, and the homegrown terrorism process in the United States by providing access to broad and constant streams of terrorist-related propaganda to United States citizens.


      Uuuh huh.
  • by blumpy (84889) on Friday November 23 2007, @11:59PM (#21460305) Homepage
    Putty and openssh clients can act as a SOCKS proxy server.

    Simply ssh to your machine at home... direct Pidgin / GAIM / MSN (or any SOCKS capable app) to use your new local proxy server and your traffic is hidden from corporate big brother.

    Once traffic leaves your machine to the internet, it goes out unencrypted as usual... only useful to not let the boss know you've got to pick up milk on the way home.

    Also, careful this doesn't hide DNS traffic.
  • by Grendel Drago (41496) on Saturday November 24 2007, @12:46AM (#21460537) Homepage
    I have four sets of keys on my machine--keys for SSH, for PGP, for WASTE and for OTR. Why does every app using encryption insist on using its own wrappers for public keys? What's wrong with the infrastructure already present in the OpenPGP standards?
    • Deniability is based on the revelation of information, not hiding. How do you hack something so that it becomes no longer known?
      • by 99BottlesOfBeerInMyF (813746) on Friday November 23 2007, @06:52PM (#21458397)

        "I do not recall." If it's good enough for the administration to use and get away with, it's good enough for me.

        Unless you're in the administration, that will get you tossed in jail. Normal citizens require plausible deniability. For hard drive encryption, this can be accomplished by saving dummy data accessible with a second password. For IM, perhaps we need something similar. If an IM client were to give a user the option of using a dummy password which would still initiate encrypted messages, but with a warning flag to the user on the other end, we might have parity.

        Encryption technologies that provide plausible deniability are possible, but I doubt they will enter widespread use (or even encryption in general) until the big players champion them. Why one of the major IM providers has not jumped on this as a differentiating feature is beyond me. I guess I see why Google would not include it in GTalk, seeing as they want to use the data to target ads (ditto yahoo and MS), but why isn't it built into ichat yet?

        • OTR actually has deniability built in to it. Once the conversation is finished it is impossible to prove what the conversation text was. It's really cool. It even has a built in tool to help you forge the logs :)
          • OTR actually has deniability built in to it. Once the conversation is finished it is impossible to prove what the conversation text was.

            Which is pretty decent. The only item lacking is if the feds demand your password so they can impersonate you talking to someone else. A nice dummy password that will allow them to do that, but presage the first message with a warning that the channel is compromised.

        • Unless you're in the administration, that will get you tossed in jail. Normal citizens require plausible deniability.

          I don't know about where you're from, but here in the U.S. we still (for now, at least) have something called the Fifth Amendment. You just have to change your answer from "I do not recall" to "on the advice of my counsel, I respectfully decline to answer the question based on the protection afforded to me under the Fifth Amendment of the United States Constitution."

          • I don't know about where you're from, but here in the U.S. we still (for now, at least) have something called the Fifth Amendment.

            The 5th amendment only applies if you in particular are charged with a crime. If you are subpoenaed or being sued and the court orders you to reveal the password, you will go to jail for contempt of court if you refuse to submit it. Even when charged with a criminal offense, not being testimony as to your actions, it may well hold up in court to charge you. Finally, in many parts of the world legislation requiring this has already been passed and at least three bills in congress have specifically required

    • I don't know about you, but I find a lot of people use it. That could be because I'm at the University where Professor Goldberg is from :P.
      Continuing your thought however, I think OTR, and other encryption programs like it, could receive a substantial boost in usage if we could get popular distributions like Ubuntu to include and enable them by default. You and I may think about the security of our conversations, but the majority of people probably do not bother. I can't see much of a good reason to not mak
    • Most crypto will sign your messages. So now the government can take your friend's computer and mathematically prove you signed the messages talking about conspiracies. OTR provides encryption and authentication without the ability to prove to anyone else what you wrote. And talking about government conspiracies: I would not trust closed source crypto if I were you.
    • Re: (Score:3, Informative)

      Jabber is only encrypted on the wire, not end to end. Google can read and archive the conversation. However, using this, or other plugins, it's encrypted from your machine to the destination, man-in-the-middle attacks are prevented.

      For a reason why, google "hushmail subpoena"