
From the Wired article:

"But Snowden’s case is actually a kind of reverse dead man’s switch, says John Prados, senior research fellow for the National Security Archive and author of several books on secret wars of the CIA. [...] “In the dead man switch, my positive control is necessary in order to prevent the eventuality [of an explosion],” Prados said. “In Snowden’s information strategy, he distributed sets of the information in such a fashion that if he is taken, then other people will move to release information. In other words, his positive control of the system is not required to make the eventuality happen. In fact, it’s his negative control that applies.”"

I'm really surprised it was implemented like that, I think using an actual, digital "dead man's switch" would have made more sense. Why not have 100 servers around the world running jobs to email out documents to 100 journalists at all times if an env variable isn't reset every few weeks? Then if he disappears or is killed, a few weeks later the jobs complete and email out the information?



The problem with a positive control system is that he's being watched, intensively. So how do you reset that env variable without someone seeing you do it and thus discovering the server? Once they know the servers, they just need to take them out and the deadman's switch is neutralized.

If he had a way to do one-way broadcasts, like over the radio, where any snoopers could not discover the receivers then it would make more sense to do a positive control system. But there really isn't a mechanism for that on the internet. Even if he posted to usenet, given enough time, a sufficiently motivated nation-state adversary could probably trace through enough usenet servers to figure out what clients were looking for those reset messages.


The server might be watching something else. Maybe he has an account on, say, Slashdot, and the server watches his account login date - if that account doesn't log in for a week, the switch gets tripped. Perhaps there's a series of such websites, and any of the requisite accounts will do? The actual server with the deadman switch doesn't need to be accessed frequently, or perhaps at all.


I think the point is that if the variable isn't being changed, the emails go out.

Maybe a packed Tor client + desktop application that does every action it needs to do for the user, if the master hasn't changed the server variable or if it's not accessible for [insert random number] days, weeks or years.


Right - so why not figure out how to spoof the Snowden-switch-update via MITM attacks thus preventing the release regardless of what happens to Snowden the human.


He could use a rotating hash based on a private key, and so no way to predict the next hash.
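One way to read the "rotating hash" suggestion above is a Lamport-style hash chain, sketched here as an added example that is not part of the original thread. The class names `Owner` and `SwitchVerifier`, the chain length and the seed are hypothetical; the point is that the server stores only a public value, so observing past resets or seizing the server does not reveal the next valid reset token.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain_value(seed: bytes, steps: int) -> bytes:
    """Apply SHA-256 to the seed `steps` times."""
    value = seed
    for _ in range(steps):
        value = h(value)
    return value


class Owner:
    """Hypothetical client: keeps the secret seed, reveals the chain backwards."""

    def __init__(self, seed: bytes, length: int):
        self.seed = seed
        self.remaining = length  # position of the value the verifier holds now

    def anchor(self) -> bytes:
        # Public starting value handed to the server once, at setup time.
        return chain_value(self.seed, self.remaining)

    def next_token(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted; provision a new seed")
        self.remaining -= 1
        return chain_value(self.seed, self.remaining)


class SwitchVerifier:
    """Hypothetical server side: holds no secret, only the last accepted value."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def accept_reset(self, token: bytes) -> bool:
        # Valid only if the token is the SHA-256 preimage of the stored value.
        if hmac.compare_digest(h(token), self.current):
            self.current = token  # rotate: the old token is now useless
            return True
        return False
```

This authenticates the reset message only; it does nothing to hide which server is receiving it, which is the objection raised earlier in the thread.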


My take on how this works, in summary: he distributed something totally unrelated to some people, quite a few of them, not even friends probably, with the instructions to do some non-specified action with that thing if something bad happens to him. Those non-specified actions on those non-specified things, once done together by a minimum number of different actors, act as the famous dead man switch, which is therefore impossible to intercept via MITM attacks and impossible to beat, even by torture, because every actor could only know his/her specific action. For what we know he could even have "outsourced" the whole setup to someone who then fled/changed identity, this way not even him may be able to tell what actually has to happen in order to trigger the release of the documents.

[edited for clarity]


Interesting idea, but now you have multiple points of failure. All you would need to do is neutralize one point, and the whole system fails.


Actually multiple persons in my idea were added just for the sake of redundancy, namely to avoid that the disappearance of someone involved would stop the process as a whole. The system in my opinion will then always work if the minimum number of actors is present.


You pretty much nailed how it's done, good show for off the cuff. Encrypt file with large symmetric key. Slice into n pieces, where n is like 5-10 or more. Distribute a few copies of each slice to reliable people unlikely to directly conspire. Distribute encrypted file widely. Give instructions on how to gather as a group based on some basic trigger. The chance of the gathered group missing every copy of one of the slices is pretty low as long as nobody gets a master list of key holders.


No, you can do N of M encryption using Shamir's secret sharing.


He could use something like Twitter for his reset messages. I don't think there's any way someone could find a PC somewhere listening to Twitter among all the others... Or he could post comments on HN :-)


The automated version results in strong incentives for enemies of the USA to kill Snowden.

Therefore the version that he did is safer for him.


I don't understand why those same enemies are now disincentivized from killing him.


As someone commented on Schneier's site, US would have an incentive to keep Snowden protected because if any enemy of US would kill Snowden, then the information would become public, and I guess US wouldn't want that. Personally, I haven't invested a lot of thought into this, just wanted to point out an interesting angle. :)


Except that Snowden is not in the States, which presumably makes it harder to protect him on every step.


They are not disincentivized from killing him. They merely are not being incentivized by a guarantee that the USA will have lots of sensitive documents released.

It should also be noted that an active dead man's switch opens the possibility that surveillance of Snowden will establish the mechanism of the switch, allowing the CIA to take over the switch and then do away with Snowden with impunity. By contrast the passive distributed key storage he likely has provides no active traffic that current surveillance can trace.


Perhaps the assumption is that the people to whom Snowden distributed the information wouldn't release the information (at least immediately) if Snowden were killed by an enemy of the USA. Of course, that's assuming a lot, including the fact that it would even be clear who killed him and why.


And how would these people be able to ascertain that it was US's enemies and not a black flag operation?


That's what I meant by my last sentence.


He could also distribute encrypted versions to a bunch of confederates, and have the dead man switch send them the encryption key (but not release it to the public). That way he both has to be dead and the confederates have to be satisfied that the documents ought to be released before they are published.


Let's say he has N friends who have agreed to help. He doesn't want to allow any single individual to have the power to act alone and release information. And, he doesn't want to require all N of them to act together. What if one dies, is arrested, etc.? Could he encrypt the documents with, say, all combinations of three friends' own public keys such that a quorum of three friends would have to cooperate in the release? He would end up publishing N choose 3 bundles.


He doesn't have to make separate encrypted copies - all he needs to do is encrypt it with one master key, and split the master key between his confederates with a secret sharing scheme[0].

[0] https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing


Just curious here -- how would a dead man's switch be created?

I'm thinking something like a python script which is scanning for particular words and phrases on google news, like "Snowden killed", or "Snowden captured"? That seems like something I could build easily -- would a kill switch indeed be something as simple as that?


You could have a server running a timer that needs to be reset periodically and can only be reset by the person with the password.


How about a script that watches for such phrases (perhaps using Google Alerts), which sets off a timer for the release of the key. Then Snowden could disable it if there's a false positive.

The only problem is, that complicates the system with a critical point of failure.


My understanding is that's exactly what he's done. He's already distributed the encrypted documents, the kill switch will distribute the key.


With the automated version if they kill him documents leak. How is that an incentive to kill him?


Ie: if you WANT the documents leaked, why NOT kill him (if you are not barred from doing so because of ethical or practical considerations)


It's an incentive for enemies of the USA.


Aha. Yeah, didn't think of that. Yikes.


Perhaps he established both types.


Given his current circumstances, it's probably better that the system run automatically without his intervention.

What if Putin decides to cut the wifi at Moscow airport? Is that an 'apocalypse' situation or not?


> Why not have 100 servers around the world running jobs to email out documents to 100 journalists at all times if an env variable isn't reset every few weeks?

Because people are smarter than computers.


Because if your adversary is monitoring all the telecoms networks and/or is reasonably capable of backdooring your laptop, you can assume that they'll be able to impersonate you to your digital lockers (and/or know where they are, because you are in regular contact with them).


I must be missing something. This is exactly how a dead man's switch works. On a train, if the driver stops actively hitting the switch ("negative control"), the train assumes he's dead and stops.


Wouldn't xkcd provide an answer again [1]?

In other words: If you know how to stop the distribution, wouldn't there be feasible ways to make you stop it?

1: https://xkcd.com/538/


A positive dead man switch is too sensitive to rubber hose cryptanalysis (also known in Russia as thermorectal cryptanalysis, mediated by a soldering iron).


A `negative control' Snowden Dead Man Switch:

" ‘Snowden won’t disclose more docs, I have thousands’ – Greenwald"

"Edward Snowden is unlikely to make new revelations since “he doesn’t want to end up in a cage like Bradley Manning”, said The Guardian journalist Glenn Greenwald, adding that he himself decides what to publish from the thousands of leaked documents.

...

http://rt.com/news/snowden-leaks-guardian-greenwald-264/



