[tor-talk] Games Without Frontiers: Investigating Video Games as a Covert Channel

Rishab Nithyanand rishabn.uci at gmail.com
Fri Mar 27 13:05:30 UTC 2015


Hey Jon.

I think you do raise some very good points and this is a good debate to have. But do you see, however, how living in this pessimistic world where we give censors control over everything (including things on the user's computer) will make it impossible to design "look-like-something" covert channel protocols?

Why stop there? The same argument can be made for any security and privacy enhancing tools. It's important that there is a fundamental amount of trust in existing things that we are allowed to leverage and bootstrap security from. Without this, security research will more often than not fall on its face, and we'd stop seeing any progress forward.

I still argue that the censor has to go through PR nightmares to do (1), (2) is incredibly expensive for them to do, and well, (3) has to be assumed for us to ever do anything useful in the real world. I think it's important for the community to continue research into new transport alternatives as long as (1) and (2) currently hold for the transport in the real world. As I pointed out, given our current knowledge about what the NSA has done, (1) and (2) still do hold for video games in the real world.

In fact (personally), if Castle did result in making them break (1) and (2) for the 100-1000s of titles, I think it's a win for us -- we just made them spend a LOT!

I'm not claiming that Castle is the golden bullet that will end all problems, but I think it does increase the costs to an adversary significantly, and (for the first time) brings developers a benefit in the current arms race (developing a new channel is easier than detecting it). I absolutely do think you've brought up a great argument (and it's not personal), but it just brings tears to my eyes when someone says I just relied on security through obscurity (and I don't agree).


On Fri, Mar 27, 2015 at 3:13 AM, Jon Tullett <jon.tullett at gmail.com> wrote:

> Hi Rishab
>
>
> On 26 March 2015 at 14:37, Rishab Nithyanand <rishabn.uci at gmail.com>
> wrote:
> >
> > Please correct me if I'm misunderstanding you. I think you don't buy some
> > subset of the following implicit (I believe to be reasonable) assumptions
> > that we make:
>
> No, you're entirely correct about that :)
>
>
> > (1) There is no collusion between application developers and censors.
>
> That right there is a fundamental mistake. There are numerous ways for
> that collusion to happen, but I'll offer just three:
> - A developer can be legally compelled to comply with surveillance.
> The Lavabit saga, versus the many other vendors who _didn't_ say no,
> is instructive in this regard.
> - A developer can be infiltrated or hacked. See also: Gemalto.
> - A developer can be incompetent. Leak keys (hello, pastebin!), leave
> admin backdoors, incorrectly configure crypto, etc etc ad nauseam.
>
>
> > (2) There is a secure application distribution medium that the censors
> > cannot "hijack".
>
> ...if and only if it is implemented correctly. That, again, is a
> dangerous assumption. It builds on the first assumption, so now we
> have assumption^2.
>
> Also, remember that compromised client software trumps perfect crypto.
> And remember that it's not just your game client that could be
> attacked, it's the entire operating stack: hardware, firmware, OS, and
> userspace.
>
> It feels to me like anyone who's already under surveillance would
> probably gain nothing at all from this exercise beyond a false sense
> of security. Its benefit to anyone else, over and above using the
> alternative existing tools, is a question I'd be interested to
> explore.
>
>
> > (3) Crypto attacks against authenticated, encrypted, and integrity
> > protected channels are not possible.
>
> ...if and only if they are implemented correctly. Another assumption,
> so now we're at assumption^3. And vulnerable to the same attack
> vectors as your second assumption. Assume Tor is as resistant a comms
> channel as we can manufacture today - it didn't save Ross Ulbricht.
> Why? Because he made opsec mistakes _separate_ to the secure comms
> channel.
>
> I think the mistakes you're making here are broadly twofold:
> 1) You're assuming technology is implemented in a hypothetically
> perfect manner. That's great in an academic thought-experiment, but
> not in the real world.
> 2) You're underestimating both the vulnerable surface area of this
> sort of project, and the capabilities of the potential adversaries.
>
> And again, I don't think the paper is useless or uninteresting - I'm
> not completely down on it :) I just don't think it's as effective as
> you're pitching it to be. If nothing else, the obfuscation may raise
> the bar a bit for an attacker. At worst, though, it may lull a user
> into a false sense of security. We do, after all, know that the NSA is
> attacking game networks, presumably because they have a sense that
> their targets are using them to communicate. You're relying on
> security through obscurity, but the obscurity is already under attack.
>
> -J
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>