
Intercepting Predator Video - wglb
http://www.schneier.com/blog/archives/2009/12/intercepting_pr.html
======
stcredzero
_UAVs are flown by airmen sitting at comfortable desks on U.S. military bases,
where key management is simpler. But the video feed is different. It needs to
be available to all sorts of people_

Poppycock! At least encrypt the stream going up to and coming down from the
satellite! If lots of people have to see it, redistribute it _afterwards_. The
uplink/downlink encryption is the _exact_ same key management problem as the
command signal! Hell, why not use the same key. The video signal going up to
and back from the satellite is hanging out there, accessible from the majority
of earth's surface. But encrypt it and beam the encrypted signal to those
"comfortable military bases." Then you can re-encrypt it for distribution, and
_completely change the key management problem_ to suit your needs.
(Essentially make it into two key management problems. Divide and conquer.)

I usually like what Bruce has to say, but this blog post wasn't well thought
out.

EDIT: Upon re-reading, Bruce's point is that it's the NSA's bureaucratic
requirements that make it too cumbersome for an encrypted feed to be easily
made available. So it's just easier for them to leave it unencrypted. I still
say poppycock. If they were really being clever, they could "leave out
encryption," but still obfuscate matters. (Both from the signal standpoint and
from the bureaucratic standpoint.)

Even something like a "new compression algorithm" would probably be enough to
flummox the Russian software program. If it were unique to the drones, then
the sat-download program authors would have no economic incentive to implement
it. (And some "representatives" of our interests could have talks with them
about it if they happen to implement it anyway.) This isn't strong crypto, but
it would at least raise the bar.

EDIT: To those with poor reading comprehension: the tactic is a bit of "divide
and conquer." (Colloquially, not algorithmically.) Divide the "key management"
problem into two: "Sat up/down link" and "distribute to allies." The "Sat
up/down link" is the _exact same_ key management problem as for the control
link. Also, if you solve _that_ key management problem by just using obscure
compression, then you can distribute the video using ordinary website access
controls on establishing streams. Not strong crypto, not uber-secure, but
still better than what's there now.

~~~
pvg
How is the control link key distribution problem the 'exact same' problem? The
control link key is secured in the aircraft and at military bases. There's no
additional need for ad-hoc distribution, you never have to send a key to
someone in a trench somewhere who's too busy shooting to put pants on. The
entire point of the article is that the design decision not to encrypt the
video was likely influenced by the problems of ad-hoc key distribution. To
this reasoned analysis your response is 'hey just do key distribution!'.
Doesn't seem very well thought out at all.

~~~
anigbrowl
'What's the password of the day' is one of the oldest and most basic security
measures in military history. Is it a tough technical challenge in a global
theater? For sure. But I'll warrant that the bulk of military communications
do not take place in clear anyway, so it's a manageable problem.

~~~
notauser
The point from the article is that the NSA doesn't permit 'password of the
day' style encryption - it's all or nothing.

For the operational requirements of the predator, nothing was better than all.
They'd prefer an intermediate option, but it isn't available until procedures
change.

~~~
anigbrowl
I get that. It just seems kind of perverse to transmit in clear because
scheduled encryption has risks of its own. Last time this was posted I
mentioned that while interception of drone video by the Taliban or whoever is
probably not _that_ big of an operational threat, bigger strategic competitors
like Russia and China have probably accrued a good lot of intelligence by
amassing such data in quantity. Perhaps the NSA's thinking is that this is
less critical than exposure of dynamic encryption models to the wild.

------
mixmax
Schneier's argument is that encryption is not a viable option because key
management would be a nightmare. The insurgents get the raw videostream by
intercepting it using some sort of antenna to pick up the signal directly from
the predators. Since, presumably, the military actors that need the
videostream don't actually pull it out of the air themselves but get it
through some kind of military channel (Internet, VPN or whatever they use)
wouldn't the obvious thing to do be to encrypt the raw stream from the
predators to the command post where the signal is picked up by the military and
distributed and send it on to whoever needs it in unencrypted form? That way
the insurgents wouldn't be able to pick the signal out of the air, and
everyone associated with the military who needs it would have access to it. No
key management nightmare needed.

~~~
jacquesm
Read the bit by Jeff Schroeder at the end of the comments, that pretty much
deflates that whole key management argument.

~~~
mixmax
Yes, but it only applies for US troops with security clearance. As he points
out guys on the ground and allies that they don't necessarily want to share
crypto with can't join the game.

~~~
jacquesm
So, you don't want to share crypto with your allies but you do want to share
your data with the enemy?

~~~
chollida1
Precisely!

Just as I may want to share how much money I have in the bank to a business
associate to prove I have the assets to make a deal.

I'd do this by showing him/her the bank account information on screen, but I
don't want to give him/her the transit, bank account number and password to
access said bank account.

------
gills
_Why_ the feeds are unencrypted is irrelevant, as are all the statements about
how easy or hard it should have been to "do it right."

The only relevant issue is "what effect does the compromise have on the
usefulness of the intelligence gathered by the UAV?" For a variety of reasons
I would say this causes only a very small amount of degradation in the
usefulness or lifespan of the intelligence. Do I think it should be fixed?
Yeah. Do I think it's the most life-saving use of engineering resources? No.
Do I think all the arm-waving is going to cost more than the solution?
Definitely.

------
rg
FTA: "The problem is, the world has changed. Today's insurgent adversaries
don't have KGB-level intelligence gathering or cryptanalytic capabilities. At
the same time, computer and network data gathering has become much cheaper and
easier, so they have technical capabilities the Soviets could only dream of.
Defending against these sorts of adversaries doesn't require military-grade
encryption only where it counts; it requires commercial-grade encryption
everywhere possible."

------
motters
Bruce's points against broadcast encryption seem rather weak to me. If it was
possible to distribute secret keys during WW2, surely it's also possible in
2009 - probably a great deal faster and more efficiently.

If a UAV was flying over areas of the world that I know well it's highly
likely that I'd be able to identify the locations that it was looking at, and
send out warnings/orders accordingly. Also I could perform reconnaissance on
the typical flight paths of the UAVs, and plan accordingly.

Probably a major risk in the world of 24 hour news and P2P networks is the
possibility of recording and later re-broadcasting closeup video of what
happens when UAVs misidentify their targets and hit civilian populations. This
could result in some public relations catastrophes for the UAV operators. If
the military are happy for this information to be broadcast unencrypted they
should also prepare themselves for said footage to appear on YouTube or TV
news.

~~~
redcap
Every accessor needs the keys - all relevant field commanders, etc. They also
need security clearances. The keys need to be stored and managed securely.
They should also be updated regularly, which means that all commanders need
new keys at some point. I presume the keys for each UAV would be different.

In WW2 it was only a few top commanders who worked with Ultra (afaik), and it
wasn't anywhere as regular as broadcast video. I guess the main difference
here is the number of users is that much greater and in Schneier's opinion the
value of the information is that much lesser.

------
waivej
Ok, maybe they didn't intend it, but what about the psychological warfare side
of it? Didn't whistling WWII bombs further scare the folks on the ground?

Today's wars are more psychological than ever. The enemy probably watches and
gets scared by video of their locations being watched and blown up. They might
even think twice after seeing things from our perspective.

~~~
fragmede
Or maybe they even did. Video really goes out over an encrypted link, and this
is a setup. Maybe they have a good way to track the hardware needed? Maybe
wait for the insurgents to noticeably use this technique, then midnight UAV
runs with the unencrypted satellite feed disabled can go on unnoticed for
longer. Hell, use this to feed false data so that instead of insurgents
running out of a building just about to be bombed, they run right into a squad
waiting to capture them.

There are also spook-side theories. This could be a subtle poke in the ribs
to say the insurgents could be doing this, and General Atomics embarrassed
itself into a needed round of funding.

~~~
waivej
Yeah, that's cool. It's like the movie "Sleep Dealer". They looked for someone
watching a feed and dropped a bomb on his house.

------
jacquesm
previous coverage of this subject here:

<http://news.ycombinator.com/item?id=1000464>

and here:

<http://news.ycombinator.com/item?id=1002227>

~~~
eggoa
And the general reaction (on Hacker News and elsewhere) was ridicule and
disbelief. Schneier explains why _he_ thinks this is naive.

~~~
jacquesm
I think Bruce is focusing too much on the technical side of this, I think it
simply never crossed the mind of those that built this thing that the 'enemy'
would be technologically savvy enough to pull this off.

~~~
pvg
I think you're focusing too much on ignoring everything that's been written on
this from the original story to Bruce Schneier's commentary.

Every source has reported that the military has been aware of the possibility
the video feed might be intercepted by an adversary since operations in Bosnia
well over a decade ago. It's basic common sense that the designers must have
considered such a possibility as well - after all, they made the control link
encrypted.

~~~
jacquesm
So far there is no proof that they considered that, if they had they would
have probably evaluated the PR fallout from such a breach of security as well.

Judging by how this is playing out in the media so far that does not seem to
look too good for those that built this system.

~~~
InclinedPlane
I disagree. Often it's easy for insiders to misjudge public reaction. Insiders
have spent a lot of time with a system, their perception of the system is
colored by extensive debates by experts in the system and the consensus
results of those debates. But outsiders lack the benefit of that debate and
the context of all of the technical details and restrictions the insiders are
aware of. To outsiders all of the technical options are equally trivial and
outsiders don't have the time, context, or access to people with the expertise
to have a serious technical conversation on the subject.

In short, outsiders jump to conclusions based on their, almost certainly
wrong, hasty assumptions. Insiders may not appreciate that their extensive
technically detailed justifications for their current procedures are utterly
useless in the face of ignorant casual public armchair analysis.

Now, whether or not the experts are justified in their position is an entirely
different topic, but it's quite easy to see why they may not have anticipated
the PR fallout from this problem.

