The NSA invents perpetual motion

From the NYT article on Obama's e-mail:
After all, Gov. Sarah Palin of Alaska found her e-mail account broken into and her messages posted online last year when she was running for vice president. Imagine a president's e-mail put on display for the whole world to see -- or perhaps just for the head of a hostile foreign intelligence service.

To minimize the risk, the government technology gurus have made it impossible to forward e-mail messages from the president or to send him attachments, people informed about the precautions say. His address is likely to be changed regularly as well. And the president's friends and staff members are being lectured about security.

So, it's trivial to stop people from sending him attachments. Your average email filtering system can do this no problem. Lecturing people about security is easy too (though probably futile). However, as far as anyone in the public computer security field knows, stopping me from forwarding e-mail that was sent to me is basically impossible. Once the email is available on a computer you control, you can do pretty much anything you want with it, including forward it. The only real exception to this is if the computer isn't really under your control, but is running software controlled by the government, which isn't really scalable. Even that's not enough: the government would need to replace your hardware with something that they control, because otherwise you can modify the software to allow forwarding. That isn't to say one couldn't label mail with some "no forwarding" tag, it's just that your mail client wouldn't be required to obey it. Indeed, as far as I know there's no widely accepted tag like this, even for advisory purposes.

Even if it were possible to prevent you from forwarding emails from the president, it's not clear how this would prevent the threat described in the first paragraph. OK, so you can't forward the message, but nothing stops you from just whipping out your camera, taking a picture of the screen and sending that to the New York Times, a foreign intelligence service, etc. Remember that that's just digital information too, so it's pretty much equally easy to forward. Even if we imagine that a digital photo is problematic for some reason [technical note: people sometimes propose schemes designed to make it difficult to photograph or videotape movies, etc. Generally the idea is to exploit some misfeature of the recording sensor that isn't an issue in ordinary recording scenarios.], there's nothing stopping you from having a second computer which you use to retype the entire message (this might be too sophisticated for some attackers) and send it to someone else.

Neither you nor I is ever likely to receive an email from the president, so this isn't a very cosmic issue. However, a very similar delusion, namely that you can stop people from making copies of the music and videos you sell them, has been the cause of a very large amount of inconvenience for users, so it's not a trivial matter to get this right either. I suspect that pretty much any computer security person (Alex Halderman, call your office) the reporters had talked to would have dumped cold water on this claim, but I also suspect that they didn't even know enough about computers, or think about the threat model enough, to be suspicious; they just wrote it down. I wonder what would have happened if someone had told these reporters that in the future Air Force One would be powered by perpetual motion machines?


Well, what if he can *only* receive? That is, not send?

The only "reasonable" way you could accomplish non-forwardable email is with some kind of platform-locking DRM technology. Now, if you came to me and said "I really want non-forwardable email from the president", I'd probably hack up something where the emails you get are nothing more than notifications to go log into a suitably secure presidential web site where the actual email lives. At that point, you can use whatever cool authentication mechanisms you want (SecurID? Telephone call from an NSA employee who knows your voice? Hey, scalability isn't an issue here), and then it's just a regular web page.

Nothing's to stop you from scraping the screen or retyping the message. But the engineering goal of the system is mostly to prevent Obama's email address itself from getting out (assuming that address is effectively an open capability, and you know they'd be replacing it on a regular basis).

On the other hand, since you've got a whitelist of people allowed to email Obama, and everybody else is forbidden, you could just require that all correspondence be digitally signed by somebody on the whitelist. At that point, forwarding something has no meaningful effect. On the flip side, where's my GPG plugin for the iPhone?
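The whitelist-plus-signatures idea in the comment above, worked through as an added example (not code from the post or its commenters): an inbound gateway that admits a message only when its From address is whitelisted and an Ed25519 signature from that sender's key verifies over the message fields. The addresses, keys and messages are constructed for the demo; the signature covers From, Subject and Body, so a copy with an edited body, or an unsigned copy that merely spoofs a whitelisted From, is rejected, while a verbatim re-send is just a duplicate of something already accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Message struct {
	From, Subject, Body string
	Sig                 []byte // Ed25519 signature over canonical(m)
}

// canonical hashes the signed fields with length prefixes, so text cannot move between fields unnoticed.
func canonical(m Message) []byte {
	h := sha256.New()
	for _, f := range []string{m.From, m.Subject, m.Body} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return h.Sum(nil)
}

// Whitelist maps each permitted sender to the public key that vouches for it.
type Whitelist map[string]ed25519.PublicKey

// Accept admits a message only if From is whitelisted and the signature verifies under that key.
func (w Whitelist) Accept(m Message) bool {
	pub, ok := w[m.From]
	return ok && ed25519.Verify(pub, canonical(m), m.Sig)
}

// Sign is what a whitelisted correspondent's mail client does before sending.
func Sign(priv ed25519.PrivateKey, m Message) Message {
	m.Sig = ed25519.Sign(priv, canonical(m))
	return m
}

// Demo runs three constructed cases: a genuine signed note, that note with its
// body edited by someone forwarding it on, and an unsigned copy that spoofs From.
func Demo() (genuine, tampered, spoofed bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil means crypto/rand
	wl := Whitelist{"daughter@example.invalid": pub}
	m := Sign(priv, Message{From: "daughter@example.invalid", Subject: "hi", Body: "a joke"})
	edited := m
	edited.Body = "a joke, plus my own additions"
	spoof := Message{From: m.From, Subject: m.Subject, Body: m.Body} // no signature
	return wl.Accept(m), wl.Accept(edited), wl.Accept(spoof)
}

func main() { fmt.Println(Demo()) }
```

Knowing the president's address alone therefore buys an outsider nothing; replay protection (timestamps or nonces) would be needed on top for a real deployment.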

A couple quick points:

When I first read this I understood it as saying it would prevent forwarding email from the president's email account. I agree this is probably not what was meant, but it still does make sense. This way, if Obama walks out of the room for 5 minutes and leaves his BlackBerry on the table, someone can't forward a bunch of messages to themselves.

As far as preventing his email contacts from forwarding the message, this isn't about preventing someone determined to leak the contents to the New York Times from doing so. It's about preventing his *friends* and *family* from doing something stupid and forwarding an email without thinking. I mean, suppose Obama sends some funny email or slightly off-color joke to one of his daughters. If she could forward the email she might forget that her dad is now the president and pass it along to one of her friends, creating a PR nightmare. But if it requires any effort to bypass, she isn't going to do so.

Think of it more as a system to encourage proper email discipline among his friends and associates rather than a true security measure.

I'm also very curious about the security threat that will be countered by constantly changing his email address. Not to mention the terrible hassle.

I really hope that it's the NYT reporter (and editor?) who is stupid, and that these are not actual ideas.
They should just switch to a "no email for the president" model and be done with it...

My impression is that the key here is how limited the circle of people allowed to email him is. I believe the government does have control over the software and hardware that they use (I believe it's immediate family and top-level cabinet/staff people), so the government can provide their own email client, and even their own secure hardware, for communicating with the president.

Which doesn't stop the camera attacks, etc., but it's a far simpler system to secure than trying to enforce these restrictions on a random person's email account interacting with other random people.
