[tor-talk] Games Without Frontiers: Investigating Video Games as a Covert Channel

Jon Tullett jon.tullett at gmail.com
Fri Mar 27 07:13:57 UTC 2015


Hi Rishab


On 26 March 2015 at 14:37, Rishab Nithyanand <rishabn.uci at gmail.com> wrote:
>
> Please correct me if I'm misunderstanding you. I think you don't buy some
> subset of the following implicit (I believe to be reasonable) assumptions
> that we make:

No, you're entirely correct about that :)


> (1) There is no collusion between application developers and censors.

That right there is a fundamental mistake. There are numerous ways for
that collusion to happen, but I'll offer just three:
- A developer can be legally compelled to comply with surveillance.
The Lavabit saga, versus the many other vendors who _didn't_ say no,
is instructive in this regard.
- A developer can be infiltrated or hacked. See also: Gemalto.
- A developer can be incompetent. Leak keys (hello, pastebin!), leave
admin backdoors, incorrectly configure crypto, etc etc ad nauseam.


> (2) There is a secure application distribution medium that the censors
> cannot "hijack".

...if and only if it is implemented correctly. That, again, is a
dangerous assumption. It builds on the first assumption, so now we
have assumption^2.

Also, remember that compromised client software trumps perfect crypto.
And remember that it's not just your game client that could be
attacked, it's the entire operating stack: hardware, firmware, OS, and
userspace.

It feels to me like anyone who's already under surveillance would
probably gain nothing at all from this exercise beyond a false sense
of security. Its benefit to anyone else, over and above using the
alternative existing tools, is a question I'd be interested to
explore.


> (3) Crypto attacks against authenticated, encrypted, and integrity
> protected channels are not possible.

...if and only if they are implemented correctly. Another assumption,
so now we're at assumption^3. And vulnerable to the same attack
vectors as your second assumption. Assume Tor is as resistant a comms
channel as we can manufacture today - it didn't save Ross Ulbricht.
Why? Because he made opsec mistakes _separate_ to the secure comms
channel.

I think the mistakes you're making here are broadly twofold:
1) You're assuming technology is implemented in a hypothetically
perfect manner. That's great in an academic thought-experiment, but
not in the real world.
2) You're underestimating both the vulnerable surface area of this
sort of project, and the capabilities of the potential adversaries.

And again, I don't think the paper is useless or uninteresting - I'm
not completely down on it :) I just don't think it's as effective as
you're pitching it to be. If nothing else, the obfuscation may raise
the bar a bit for an attacker. At worst, though, it may lull a user
into a false sense of security. We do, after all, know that the NSA is
attacking game networks, presumably because they have a sense that
their targets are using them to communicate. You're relying on
security through obscurity, but the obscurity is already under attack.

-J