CIA, FBI And Much Of US Military Aren't Doing The Most Basic Things To Encrypt Email

from the are-they-that-clueless? dept

It's no secret that FBI Director James Comey is somewhat clueless about encryption -- to the point that he doesn't even realize that stronger encryption will actually better protect Americans. But it seems to go beyond that. Apparently he's so clueless about encryption that he doesn't realize that it will help protect FBI agents. Lorenzo Franceschi-Bicchierai has a great story over at Vice Motherboard concerning key parts of our government that should understand the importance of keeping emails secret, that have failed to take the most basic steps in securing email communications. And the FBI is one of the agencies that has not done so. Ditto with the CIA. Or most branches of the military (the Air Force -- which used to run the US cybersecurity efforts -- is the one exception).

Specifically, the article focuses on the use of STARTTLS, which is used to encrypt emails in transit between service providers (it's not nearly as secure as doing full end-to-end encryption of the messages like PGP -- in which case the email providers can't read your email -- but it's a key tool for at least protecting your messages in transit between those providers). Most email systems use STARTTLS these days. Gmail has offered it since it launched over a decade ago. And for STARTTLS to work, both sides of the email provider chain need to be using it. Google has been publishing stats for a little while now on how much of the email sent via Gmail can be sent with STARTTLS, and the number keeps going up, such that these days it's pretty rare for email providers not to offer STARTTLS -- with 80% of outbound mail and 61% of inbound mail using it. Yet the US military, the CIA and the FBI don't use it (the NSA does, because they're no dummies about encryption). Google and others in the tech industry have been begging email providers to use STARTTLS for a while, but the US government, including agencies that you'd figure would want to protect secrets, apparently still hasn't figured this out.
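To make the "both sides need to be using it" point concrete, here is an added Python example (not code from the article, Motherboard or any mail provider) of the decision a sending server makes after reading the receiving server's EHLO reply. It goes slightly beyond the paragraph above by also flagging the stripped-offer case raised later in the comments; the function names, host names, sample replies and the masked-keyword heuristic are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# SMTP reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
# Assumption for this example: a keyword made only of filler characters is
# treated as a hint that something in the path overwrote a capability line.
MASKED = re.compile(r"^X{4,}[A-Z]?$")

# Constructed EHLO replies; host names are hypothetical.
OFFERS_TLS = ("250-mx.example.org\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
              "250-STARTTLS\r\n250 8BITMIME\r\n")
NO_TLS = "250-mx.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
MASKED_TLS = ("250-mx.example.org\r\n250-PIPELINING\r\n250-XXXXXXXA\r\n"
              "250 8BITMIME\r\n")


@dataclass(frozen=True)
class HopDecision:
    action: str       # "starttls", "plaintext" or "defer"
    suspicious: bool  # True when the missing offer deserves an alert
    reason: str


def parse_ehlo(reply):
    """Return the set of extension keywords advertised in an EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected reply line: {line!r}")
        # Only the final line of a multi-line reply uses a space separator.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        words = m.group(3).split()
        if i > 0 and words:  # line 0 is the server greeting, not an extension
            keywords.add(words[0].upper())
    return keywords


def decide_hop(reply, require_tls=False, seen_tls_before=False):
    """Decide how a sending server should treat this hop.

    require_tls: local policy that refuses plaintext delivery to this peer.
    seen_tls_before: the sender's own record that this peer offered STARTTLS.
    """
    keywords = parse_ehlo(reply)
    if "STARTTLS" in keywords:
        return HopDecision("starttls", False, "peer advertises STARTTLS")
    if any(MASKED.match(k) for k in keywords):
        suspicious, reason = True, "a capability keyword looks overwritten"
    elif seen_tls_before:
        suspicious, reason = True, "peer offered STARTTLS before, not now"
    else:
        suspicious, reason = False, "peer does not advertise STARTTLS"
    # Opportunistic senders fall back to plaintext; enforcing senders queue.
    action = "defer" if require_tls else "plaintext"
    return HopDecision(action, suspicious, reason)


if __name__ == "__main__":
    samples = [("offers", OFFERS_TLS), ("none", NO_TLS), ("masked", MASKED_TLS)]
    for name, reply in samples:
        print(name, decide_hop(reply), decide_hop(reply, require_tls=True))
```

With the default opportunistic policy, a peer that never offers STARTTLS simply gets the message in plaintext, which is the outcome the article describes for mail exchanged with these agencies.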

When Franceschi-Bicchierai asked the Defense Department why most of the military doesn't support it, he got a nonsensical answer:

In a statement emailed to Motherboard, a spokesperson for the Defense Information Systems Agency (DISA), the Pentagon’s branch that oversees email and other technologies, said the DISA's DOD Enterprise Email (DEE) does not support STARTTLS.

“STARTTLS is an extension for the Post Office Protocol 3 and Internet Message Access protocols, which rely on username and password for system access,” the spokesperson wrote. “To remain compliant with DOD PKI policy, DEE does not support the use of username and password to grant access, and does not leverage either protocol.”

The spokesperson did not respond to several follow-ups, asking to clarify the statement. Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, said that DISA’s explanation is “an unacceptable and technically inept answer,” and criticized the Pentagon for not taking security seriously and implementing STARTTLS.

“I can’t think of a single technical reason why they wouldn’t use it,” he told Motherboard in a phone interview. “It’s absurd.”

That opening sentence of the statement from the DOD reads like it was written by someone who is just discovering the technical details of email. It states something that is (1) meaningless to the question and (2) phrased in a way that no knowledgeable person would phrase it. Someone who deals with this stuff would just say POP3 and IMAP rather than spell them out -- and again, that's totally unrelated to the question of STARTTLS. So is the use of PKI (public key infrastructure) for emails.

In the past, I'd mainly assumed that when the FBI spoke out against encryption, it was mainly a smokescreen to try to get more backdoors to make its own life easier. But could it actually be that the FBI (and the CIA and the DOD) don't even realize how important encryption is to protect their own information?

Reader Comments


  • That One Guy (profile), 21 Sep 2015 @ 5:10am

    "Trust us, we know how to keep you safe."

    Keep in mind, this is the same government that has been pushing, hard at times, for private companies to let the government 'help' with their security, and 'share' data with the government for this purpose.

    If they can't even be bothered with the most basic security on their own communications, the idea that companies should trust them to help secure their systems is a bad joke. If anything, government 'assistance' would likely take any security previously in place and shoot it full of so many holes as to be non-existent.

    • Anonymous Coward, 21 Sep 2015 @ 6:23am

      Re: "Trust us, we know how to keep you safe."

      If anything, government 'assistance' would likely take any security previously in place and shoot it full of so many holes as to be non-existent.

      That does seem to be the agenda of some parts of the government. As long as they can gather whatever information they want whenever they want, they are happy, and do not care who else can gather the data; at least so long as it is not Joe public.

  • Anonymous Coward, 21 Sep 2015 @ 6:25am

    So who's in position to tap and exploit it? Even if have, takes huge correlation.

    Not worth bothering about low-level comms. So much noise, some of it intentional, that as you say about NSA's getting every bit, to have it is likely worse than just a skimming of high-value. Knowing WHO and linkage is more important than any particular message...

    You're worrying more over emails than the everyday actuality of Israeli-owned (and therefore, the state of Israel) Amdocs having nearly all American phone meta-data and thereby able to find high-value targets:
    https://en.wikipedia.org/wiki/Amdocs

  • Anonymous Coward, 21 Sep 2015 @ 6:31am

    Surely the reason is obvious, isn't it? The security forces want to be able to spy fully on us with a view to lawsuits and matching punishments if they catch us doing anything wrong. As they will 'only be doing their job', so no punishments for them. That means those security forces will fight like hell to be able to spy continuously on us!
    On the other side though, those same security forces don't expect anyone to spy on them, because of the definite punishments dished out if anyone is caught.
    In other words, they can do what the hell they like, but think no one else should!

  • skippy, 21 Sep 2015 @ 6:59am

    STARTTLS is not the only encryption solution

    STARTTLS allows for establishing a connection on an insecure protocol and then negotiating encryption. IMAP, POP3, and SMTP all also support encrypted-only versions.

    While IMAP uses TCP port 143 for plaintext and STARTTLS connections, IMAPS runs on TCP port 993 and *only* accepts encrypted connections.

    I'm no government apologist, but railing against the lack of STARTTLS is a little much.

    • That Other Guy, 21 Sep 2015 @ 7:15am

      Re: STARTTLS is not the only encryption solution

      It is not so much that they are railing against the lack of STARTTLS, but the fact that they are not doing the basic stuff much less the more advanced methods of encrypting just email. Who knows how much other unencrypted stuff is getting by because they don't understand.

      • Anonymous Coward, 21 Sep 2015 @ 9:13am

        Re: Re: STARTTLS is not the only encryption solution

        Here's the worst part. (Alright, all the parts are bad.)

        Using IMAPS (port 993), POP3S (port 995) and SMTPS (port 465) is just not that hard given any of the usual MTAs, e.g., sendmail, postfix, etc. and any of the usual packages like UW-IMAP (or Panda IMAP), Dovecot, etc. So even if your internal mail system doesn't support these -- because the codebase hasn't been updated since 1992 -- you can easily set up gateways that sit between that internal mail system and the outside world and implement these. ("perdition" is one choice of many for IMAPS and POP3S gatewaying.)

  • Anonymous Coward, 21 Sep 2015 @ 7:03am

    In the wrong way of thinking

    People would be well advised not to mistake any of the 3 letter agencies as protecting citizens.

    They protect the Government! If a situation came up where the federal government had to take a hit or a whole lot of citizens were going to die... we all know what will happen?

    That is right, a whole lot of citizens are going to die. Yes the government has a vested interest in keeping citizens alive, but that is only in the context that a functional population keeps the infrastructure funded but beyond that, they believe they need to rule over us and protect us even from ourselves, so these guys no longer even live in the same world we do.

    They see threats day in and day out so they no longer have the benefit of being objective. They jump like scared little girls every time a spider pops its head out or a mouse squeaks! The invention of the DHS & TSA are nothing more than icing on the cake of the CIA/NSA. With the revelations brought by Snowden... enough said.

  • Anonymous Coward, 21 Sep 2015 @ 7:22am

    And everyone wonders why Hillary Clinton Didn't use their system.
    Maybe, just maybe she was smarter than the rest of them.

    • nasch (profile), 21 Sep 2015 @ 12:27pm

      Re:

      And everyone wonders why Hillary Clinton Didn't use their system.

      I would think if that was why, it would have been among the three or four explanations she's offered for the situation.

    • Michael Price, 20 Oct 2015 @ 2:54pm

      Is there any evidence her system was better?

      If she was concerned about security you'd think that she'd worried about the guy at the other end being compromised.

  • Jigsy, 21 Sep 2015 @ 7:28am

    Of course not; encryption aids terrorism, don'tcha know.

  • This comment has been flagged by the community.
    Anonymous Coward, 21 Sep 2015 @ 7:31am

    Spin this one, Antidirt!

    I already have the corn popping. Should make a good show and sink your reputation even further (if that is even conceivable, never mind possible...)

  • DannyB (profile), 21 Sep 2015 @ 7:34am

    Leading by Example?

    The CIA, FBI and much of US Military are leading by example.

    Do not use encryption on your emails. Only the terrorists would do that. If you're not doing anything wrong, you've got nothing to hide.

  • Chris-Mouse (profile), 21 Sep 2015 @ 8:20am

    If the FBI and CIA forced their employees to use encrypted email, how would they ever know what those employees are up to?

  • Anonymous Coward, 21 Sep 2015 @ 8:22am

    Encryption not necessary on governmental e-mail

    It's at least one, probably several overlapping, types of crime to snoop sensitive governmental e-mail even when they make it trivially easy to do so. When a three letter agency is involved, you can bet the U.S. Attorney's office would fall all over itself rushing to punish suspected snooping. Thus, why bother protecting it beforehand when you can spend way more resources punishing anyone who dares benefit from your sloppiness?

  • Blackfiredragon13 (profile), 21 Sep 2015 @ 10:32am

    I give up; let Trump become president.

    Because as terrible as having him in office will be, given the incompetence of the rest of the government, we can't get much worse.

  • Uriel-238 (profile), 21 Sep 2015 @ 12:02pm

    And this is how the US got involved in WWI

    Seriously. And even then British intelligence had to get a little clever to decode it.

    Obviously, the Germans learned their lesson by WWII. (Despite some sharp Pollacks getting one up on them.)

    So not only can our agents security, they can't history either.

    Do you think they'll need a similar embarrassment before they start taking encryption seriously?

  • Pronounce (profile), 21 Sep 2015 @ 2:07pm

    Incompetency

    How many times have after-the-fact reports made the claim that incompetency was the single greatest reason for some U.S. tragedy?

    DHS (a boondoggle in itself) was born out of the fact that upper officials didn't believe field agents' reports that eventually proved true on 9/11. One of many examples where senior government officials were not able to make competent decisions.

  • Anonymous Coward, 21 Sep 2015 @ 9:54pm

    Only a terrorist would expose something like this. All good and loyal American citizens know that in order to stay safe they have to blindly and deafly obey whatever they are told simply because they were told to believe that.

    Terrorism equals thinking for yourself when it comes to fascists.

  • Anonymous Coward, 21 Sep 2015 @ 10:27pm

    PKI has to do with authentication. STARTTLS has to do with encrypting the transport links. POP3 and IMAP are the protocols clients use to communicate with the email server.

    The only sense I can make of the Defense Information Systems Agency spokesperson's statement is that the Defense Information Systems Agency seems to be using completely different email technology than the rest of the world.

    If they're not using POP3 or IMAP, that only leaves Microsoft Exchange email Server using the MAPI protocol.


    Email protocols: POP, IMAP and MAPI. What are these?

    http://it.med.miami.edu/x1111.xml

  • Eldakka (profile), 24 Sep 2015 @ 12:14am

    OK, let's insert some sanity here.

    Just because they don't use STARTTLS doesn't mean they are not encrypted.

    STARTTLS is used when the client initially establishes an insecure, un-encrypted connection to the mail server. The mail server then says "hey, let's encrypt this session with TLS, here's my public key" and whatnot, they then negotiate.

    HOWEVER, if you already do the initial connection using TLS at the network/protocol layer (TLS is more commonly called SSL - as SSL was revised and enhanced and newer versions released, its name changed from SSL to TLS. Therefore strictly speaking SSL refers to SSL 1.0 to 3.0. SSL 3+ was renamed TLS, and TLS1.0 is basically SSL 4.0, etc)

    • Eldakka (profile), 24 Sep 2015 @ 12:45am

      Re:

      oops hit post instead of preview...

      If you are already encrypted using TLS/SSL before you perform application level connection between the client software and the mail server software i.e. at the protocol or transport layer, VPN or already SSL'ed, then you don't need STARTTLS.

      And that's what having a PKI infrastructure usually means. Users usually have their own user certificate, the server has a server certificate, and encryption is performed by the PKI system in place instead of relying on the mail server and mail client to support STARTTLS. Basically, think of it as using a proprietary encryption layer instead of using the open standard STARTTLS which is only necessary if you don't have your own encryption layer on top already.

      Take where I work for example. We have multiple offices around the country and the world. We don't use STARTTLS between our internal email clients and our internal mail server because we use a thick client on our desktop that has encryption built-in (outside STARTTLS) for the mail server from the same vendor. Sure, our 'thick clients' do support STARTTLS, but it only uses that if I decide to point my client at a 3rd-party, non-vendor supplied mail server.

      And our mail servers when connecting to the mail servers of our offices and partners also don't use STARTTLS or SSL/TLS for encryption. Nor does our client encrypt our emails. Why? Because our network infrastructure has VPN routers with pre-shared-keys in it, as does every one of our offices and our partners. When we communicate between any of these, the core routers do NOT forward the connections to the border routers, they forward the connection to the VPN routers that establish a VPN - an encrypted pipe - with our partner/office, and send the data down that already encrypted pipe, therefore no STARTTLS, no SSL, no TLS, no email encryption is necessary as the LINK is encrypted between the locations and if encryption fails, the route to the office/partner fails until the VPN is re-established.

      Therefore the users of the mail client or browser connecting to a partner do not have to take any steps, don't even have to know about, encryption. The software doesn't have to implement, support or even know about encryption. It's all handled transparently for them at the network infrastructure layer.

      Of course, this is a 2-edged sword. Since the users are "dumb users" who have no idea, if they have to send sensitive information (which is against policy, and could be a sackable offense) to someone who isn't in a branch office or partner organisation, they have no idea about encryption/message security. Hell, there have been cases where someone has sent sensitive email to a partner, but also put a non-partner (I think it also cc'ed to a home account of someone who was already getting the email via their work email) on the cc list, the emails to the partners all went down the encrypted pipes, but the email to fred@someisp.com went through normal, unencrypted public internet. The user to this day still doesn't understand what they did wrong, because all they did was add someone to the cc list.

      But this is the type of system these agencies ARE using. They don't need to 'do' STARTTLS because they don't need the application software to set up their encryption because they are already encrypted before the application software is even aware that someone wants to connect to it. Probably with a much higher level of encryption in their encryption layer than that used by STARTTLS. Hell, STARTTLS is vulnerable to man-in-the-middle (MIM/MITM) attacks since it has to negotiate key exchanges and so on. With network layer security this is not possible if using pre-shared-keys. This also has the added side-benefit of simplifying software that doesn't have to have encryption built into the software (the network takes care of that) and when encryption changes, the entire network's encryption can be updated by patching some vendor-specific hardware devices and a single client piece of software on the PC that enables connection to the encrypted network, rather than the dozens, hundreds of individual different pieces of software that have to be patched because they have encryption builtin...

      • nasch (profile), 24 Sep 2015 @ 6:55am

        Re: Re:

        That is all well, but shouldn't they still use STARTTLS for mail that leaves their systems?

        • Eldakka (profile), 25 Sep 2015 @ 4:05am

          Re: Re: Re:

          why? if they set up an SSL link first (i.e. SMTPS or IMAPS) you don't need STARTTLS.

          STARTTLS is a fallback, something you use when you don't support proper link encryption. If you support SMTPS or IMAPS (which is equivalent to HTTPS), you don't need STARTTLS.

          STARTTLS is at the bottom of the food chain for encryption of email connections. I very much doubt we are talking about them not using encryption, they just don't use STARTTLS. STARTTLS is what you use when you (as an admin) couldn't be FireTrucked to set up SMTPS/IMAPS. STARTTLS has more vulnerabilities than SMTPS/IMAPS:
          Because the initial handshake takes place in plain text using opportunistic encryption, an actor in control of the network can strip the STARTTLS from the network, silently forcing a user's emails to be sent in plain text in a STRIPTLS attack. In September 2014, major email providers in Thailand were subject to such large scale attacks. In October 2014 Cricket Wireless, then a subsidiary of VPN provider Golden Frog was found to be doing this using Cisco devices on their network in an attempt to inspect emails and block spam

          • nasch (profile), 25 Sep 2015 @ 7:22am

            Re: Re: Re: Re:

            why? if they set up an SSL link first (i.e. SMTPS or IMAPS) you don't need STARTTLS.

            An SSL link with who? If you're sending an email to some random address, which I assume government employees need to do sometimes, how do you do that over SSL? Isn't the point of STARTTLS to allow the message to be passed along securely without opening an encrypted link directly to the destination server?

            STARTTLS is a fallback, something you use when you don't support proper link encryption.

            That doesn't seem to jibe with what I'm reading about it. If SMTPS/IMAPS is the gold standard for all situations, why did they come up with STARTTLS later?

  • Edossa Kenea, 23 Oct 2015 @ 9:28am

    /* A CIA block request J.F Kennedy assassinet conspiracy theories is at list how we can an independent like a DNI and do our mission fruit full in life, but it must not run for mortality! "Alemimmi aleqesechii talallaqi Meriwochuhani madani aqatattii!" taken from a holy bible on time being! Tango down https://www.DNI.gov/#anonyoums! Ussssssssssss An Amara nation an abstract tirrorism an about An Oromo nation! A close an end! The Oromo liberation front jejjebe perfect order you must scape from myself! "LWMMBGKFA" Usssss an Israel too! A standard general an origin a language communicate!A God mission continue in an equity diversity! */

  • Edossa Kenea, 23 Oct 2015 @ 9:28am

    /* A CIA block request J.F Kennedy assassinet conspiracy theories is at list how we can an independent like a DNI and do our mission fruit full in life, but it must not run for mortality! "Alemimmi aleqesechii talallaqi Meriwochuhani madani aqatattii!" taken from a holy bible on time being! Tango down https://www.DNI.gov/#anonyoums! Ussssssssssss An Amara nation an abstract tirrorism an about An Oromo nation! A close an end! The Oromo liberation front jejjebe perfect order you must scape from myself! "LWMMBGKFA" Usssss an Israel too! A standard a glob general an origin a language communicate!A God mission continue in an equity diversity! */

  • hacker66 (profile), 13 Apr 2016 @ 6:45am

    why would they do that and did this country become a dictatorship i had no choice but to get Obama care
