If Uncle Sam could quit using insecure .zip files to swap info across the 'net, that would be great, says Silicon Ron Wyden

Influential US Senator Ron Wyden (D-OR) is not happy about Uncle Sam's employees using insecure .zip files and other archive formats to electronically transfer information. The Oregon Democrat today sent a letter [PDF] to Walter Copan, director of America's National Institute of Standards and Technology (NIST), asking that the …

  1. Jou (Mxyzptlk)

    Use 7-zip .7z with AES256

    Programmed by Igor Pavlov. A man USA trusts.

    1. Murphy's Lawyer
      Go

      Re: Use 7-zip .7z with AES256

      Add a slightly more secure transfer method, say a time-limited, personalised download link; and send the unique randomly generated passphrase via OOB, such as a text message, and you're good.

    2. Andrew Yeomans
      Alert

      Re: Use 7-zip .7z with AES256

      Also use a 40+ character randomly generated pass-phrase.

      Otherwise there's no point in using AES-256, the weakest link will be the pass-phrase.

      1. Jamie Jones Silver badge

        Re: Use 7-zip .7z with AES256

        Obligatory xkcd https://xkcd.com/538/

    3. The Man Who Fell To Earth Silver badge
      WTF?

      Re: Use 7-zip .7z with AES256

      WinZip has supported AES-256 encryption since around 2003. The real issue is that it continues to support PKZIP 2.0 which is probably what the average user uses if they encrypt anything at all, and WinZip defaults to no encryption. The WinZip folks simply setting the default on versions going forward to AES-256, and making it take a bunch of mouse clicks to turn it off (thus making it beyond most govt workers' abilities or work ethic), would fix most of the problem.

      Maybe one of the open source projects like Veracrypt can make a free "zipper" that only supports strong encryption. Maybe give the files a new extension while they're at it.

    4. NATTtrash
      Childcatcher

      Re: Use 7-zip .7z with AES256

      Not sure where that would lead to. Sure though that some won't be happy with really "strong zips". Ever tried to send a password protected .zip in another .zip to a gmail address/ person? Nope, you can't. Hmmm, would that be because Google only wants stuff that it can "look into"?

      And before you go out on a rant... Yes, sure, it's a safety thing. So is:

      tar -cz foo | openssl aes-256-cbc -salt -pbkdf2 -out bar.aes

    5. Captain Scarlet Silver badge
      Mushroom

      Re: Use 7-zip .7z with AES256

      I do think 7Zip is adequate, but then I see a user will send the password IN THE SAME BLOODY EMAIL!

      So yeah time limited links to a hosted service you control is likely the only way to go because users.

      1. GnuTzu
        Mushroom

        Re: Use 7-zip .7z with AES256

        Only over the phone, but I so wish public keys were more commonly in use, particularly among support teams that start a conversation with send me a feedback file--including those of vendors for whom the government is a customer--which are too often just un-encrypted zip files. However, it seems that 7-zip doesn't support public key encryption. I suppose this is among the many reasons public key cryptography was more ubiquitous.

      2. Robert Carnegie Silver badge

        Re: Use 7-zip .7z with AES256

        You want two e-mails to send one zip file?

  2. ThatOne Silver badge
    Trollface

    Strong encryption for the masses? Since when?

    > "I write to ask that NIST create and publish guidance describing how individuals and organizations can safely share sensitive documents with others over the internet"

    Hey, don't forget the backdoor: "how individuals and organizations can safely, with a backdoor, share...".

    1. Anonymous Coward

      Re: Strong encryption for the masses? Since when?

      Sadly, this is probably true. Big agencies have rules mandating that outbound data be checked for leaks of sensitive data.

    2. Mark 85 Silver badge
      Big Brother

      Re: Strong encryption for the masses? Since when?

      Government only wants us citizens (Wyden doesn't but certain agencies do) to have backdoors. In this case, he's saying the government itself has the problem. Though the reason might be that government uses bad encryption because maybe an agency such as the CIA etc. wants to know what the government is doing.

    3. Anonymous Coward

      Re: Strong encryption for the masses? Since when?

      "If you give the NSA the Web browsing habits of six of the most honest of senators, they will find something in them which will hang them."

      1. Anonymous Coward

        Re: Strong encryption for the masses? Since when?

        "... they will find something in them which will enable us to blackmail them. Forever."

        TFTFY

      2. It's just me

        Re: Strong encryption for the masses? Since when?

        > ... six of the most honest of senators ...

        Could you find that many?

        1. MachDiamond Silver badge

          Re: Strong encryption for the masses? Since when?

          "Could you find that many?"

          Check the local bars and hot holiday destinations. You will still likely only find their H1B staffers.

  3. Anonymous Coward

    Hide in plain sight

    The federal workers could send decoy .zip files of non-sensitive data and send the juicy stuff embedded in pictures with steganography of the last boring office party.

    man steghide

  4. Anonymous Coward

    Was going to joke about forcing them to use tar, but dammit the suggestion above about 7-zip made too much sense: which is exactly why the PHBs in Government IT will never do it, and Congress will let them get away with it. Best part for them is that the Media is even more clueless and inattentive to detail, so the public will never know.

  5. Sir Runcible Spoon
    Trollface

    Easy way around this

    Just drop the zip file into a word doc and pwd protect that

    1. revenant

      Re: Easy way around this

      I recommend Word 2.0 - it had a very effective encryption strategy.

    2. Anonymous Coward Silver badge
      Joke

      Re: Easy way around this

      No need, they've got a plan to use double-rot13 to ensure that everything they produce is unreadable dross.

    3. Christoph

      Re: Easy way around this

      My encryption method was good enough for Caesar, so it's good enough for me!

  6. Anonymous Coward

    The algorithm weakness is almost irrelevant

    This is a problem that's personally impacting me at work. I see people exchanging encrypted ZIP files around, because major banks are not interested in using PGP as we do.

    And the password, you ask? Why, it's in the body of the email, of course. Or, best case, in a second email sent right after the first.

    So, really looking forward to a NIST best-practice paper.

    1. Pascal Monett Silver badge

      I was once faced with having to send confidential business data to someone overseas. We agreed that I would send the data via encrypted 7z file, and I would text him the password.

      For a seldom occurring thing, it was fine and it worked, but I don't see myself doing that every day.

    2. iron Silver badge

      Re: The algorithm weakness is almost irrelevant

      UK government departments do this all the time. We receive details of housing payments for vulnerable people from several local authorities every month. Highly sensitive data that includes a lot of PII and they send it in a password protected zip with the password either in the preceding or following email. If the recipient at our end has any problems extracting the data their first solution is to resend the password. *facepalm*

      At least that's better than the council who decided to use Office 365 secure messages. Now we can't get records of their payments at all because it only works if you're an Office 365 customer (we're not) and the users at both ends don't understand why.

    3. katrinab Silver badge

      Re: The algorithm weakness is almost irrelevant

      Or:

      "Your password is your date of birth in the form ddmmyyyy", which gives you a keyspace of about 42,000 possibilities to try, and some are more likely than others, so you would try them first.

      1. dfsmith

        Re: The algorithm weakness is almost irrelevant

        Yup. If the recipient is less than 80 years old, there are fewer than 30,000 days to choose from.

        1. katrinab Silver badge

          Re: The algorithm weakness is almost irrelevant

          And, depending on the type of account, probably over 18. Almost certainly over 12 if it is a UK account. That restricts it further.
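The arithmetic behind two points made in this thread (a 40+ character random passphrase to match AES-256, and the small keyspace of a ddmmyyyy date-of-birth password), as an added example that is not part of any commenter's post. The 94-symbol printable ASCII alphabet and the reference date 2020-01-01 are assumptions chosen for illustration.

```python
import math
import secrets
import string
from datetime import date

# 94 printable, non-space ASCII symbols (assumed alphabet; the thread names none).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(keyspace: int) -> float:
    """Bits of work for an exhaustive search over equally likely secrets."""
    return math.log2(keyspace)


def min_length(alphabet_size: int, target_bits: int) -> int:
    """Shortest uniformly random string whose keyspace reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_passphrase(length: int, alphabet: str = PRINTABLE) -> str:
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dob_keyspace(today: date, min_age: int, max_age: int) -> int:
    """Count distinct ddmmyyyy passwords for ages min_age..max_age on `today`.

    `today` must not be 29 February (kept simple for the example).
    """
    oldest = date(today.year - max_age, today.month, today.day)
    youngest = date(today.year - min_age, today.month, today.day)
    return (youngest - oldest).days + 1  # inclusive of both end dates


def report(today: date) -> dict:
    """Compare a random passphrase with a date-of-birth password."""
    adults = dob_keyspace(today, 18, 80)
    return {
        "chars_needed_for_256_bits": min_length(len(PRINTABLE), 256),
        "bits_in_40_random_chars": entropy_bits(len(PRINTABLE) ** 40),
        "dob_passwords_age_0_to_80": dob_keyspace(today, 0, 80),
        "dob_passwords_age_18_to_80": adults,
        "bits_in_dob_age_18_to_80": entropy_bits(adults),
    }


if __name__ == "__main__":
    sample_day = date(2020, 1, 1)  # constructed reference date
    for name, value in report(sample_day).items():
        print(f"{name}: {value}")
    print("example passphrase:", random_passphrase(40))
```

A date-of-birth password carries under 15 bits, so the cipher's 256-bit key adds nothing once the password rule is known.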

  7. Buzzword

    Password ZIP was built-in to Windows XP

    Old habits die hard. Windows XP had built-in functionality to add a password to a zip file; and the recipient was automatically prompted to enter the password to unzip. Teams who regularly exchange data built workflows around this functionality, so unsurprisingly it hasn't gone away.

    The only workable solution is to demand that Microsoft add native AES zip encryption and decryption in Windows 10. If it's not available out-of-the-box, people simply won't use it.

    1. Hans 1
      Windows

      Re: Password ZIP was built-in to Windows XP

      Windows 10 is the lowest common denominator.

      We just have to rid ourselves from that shit, heck, even MS have given up on improving it. Windows 10 is effectively abandonware.

    2. DJO Silver badge

      Re: Password ZIP was built-in to Windows XP

      It's already almost there, Windows has a Cryptology API for various flavours of AES, with or without salting and unusually for MS it's not too badly implemented.

  8. Anonymous Coward

    If it pisses off the FBI, it must be pretty good privacy

    OneDrive shared link (email) + one time password sent through iMessage?

    1. MrReynolds2U Bronze badge
      Trollface

      Re: If it pisses off the FBI, it must be pretty good privacy

      Pretty sure Phil Zimmermann would have something to say about that ;)

  9. vtcodger Silver badge

    Sounds Easy. Isn't.

    First let's say nice things about Ron Wyden -- a lawmaker who actually understands a complex issue and tries to actually fix things related to it. Boy, could all nations, not just the US, use more like him.

    Second, the problem addressed here is MUCH more difficult than most folks seem to think. The US government is **HUGE**. If we exclude the military and postal service, it has around 2,000,000 employees. And that doesn't count hundreds of thousands of contractors hired to do one time jobs or ten million state and municipal government employees the feds may have to interface with. Or the incredibly awful "free market" healthcare "system" that manages to consume 20% of the country's GDP. There are many millions of computers involved -- many of them second or third generation hand me downs from long defunct projects. Probably there are some AT bus 8086s running WFWG still alive here and there and doing useful work. Did I mention that budgets in that world are always tight?

    And don't forget that in much of rural America, the "Information superhighway" is a rutted muddy track, barely capable of supporting a 32K modem on good days. There are government employees with computers at the ends of some of those information footpaths.

    If you're going to exchange sensitive information in that world, the folks on both ends have to have compatible tools. And they have to know how to use them. BTW, the laws of mathematics pretty much guarantee that the average government computer user has an IQ around 100, and that some have lower IQs.

    All Wyden is suggesting is that the National Institute of Standards and Technology try to come up with standards for government information handling that are a bit better than .ZIP. It's far from clear that can even be done. Or what the time frame for implementing such standards would be.

    1. Anonymous Coward

      Re: Sounds Easy. Isn't.

      "...barely capable of supporting a 32K modem on good days."

      Sounds like they need some good old fibre technology Huawei cabinets like we've had in the UK for the past several years.

      ;)

    2. The Mole

      Re: Sounds Easy. Isn't.

      Whilst I agree it isn't easy, I think you are being a bit hard there. What the available network speed is should be irrelevant - if zip files can transfer it then some other properly encrypted archive can also be transferred (possibly with either better compression).

      There are plenty of existing tools available that should solve this problem - many of them small, cross platform, low power and open source. So in theory there shouldn't be any real burden on existing even if old hardware as long as the right choices are made and take these requirements into consideration. Ok that's a big if.

      I think where you do have it right is the fact you are dealing with such a large number of end users with ranging abilities, and likely refusals to put any effort into changing away from something that seems to work. The hard part is making it so the tools are so simple and easy to use that minimal training is needed, and getting it coordinated across such large estates.

      So probably a multi billion government project which will end in failure then..

  10. Roland6 Silver badge

    Missing the obvious...

    >"I write to ask that NIST create and publish guidance describing how individuals and organizations can safely share sensitive documents with others over the internet," Silicon Ron urged. "Government agencies routinely share and receive sensitive data through insecure methods – such as emailing .zip files – because employees are not provided the tools and training to do so safely."

    ...

    "The government must ensure that federal workers have the tools and training they need to safely share sensitive data,"

    From this I take it that the US doesn't have pre-existing guidelines for secure inter-department communications, specifically, they don't go over the public internet except via 256-bit PKI encrypted site-to-site VPNs (which in turn may be over 256-bit PKI encrypted VPN). Perhaps they need to visit the UK - with IR35 (and more debatably BREXIT) there are plenty of well-experienced experts who would be willing to advise and oversee the deployment...

    The only issue I can see is where ad-hoc baseline security communications go outside of the government, to contractors/members of the public (if it were higher grade then see note about VPN). As here individual government employees would need to be aware of the need to encrypt the individual attachment, the use of suitable keys/password and then communicate the password/key to the recipient. But then this issue is largely solved by having the recipient create their own government account which they access via HTTPS etc etc.

    I think we are beginning to understand why a (young) teenager in a UK bedroom can so easily gain access to US government systems; they're not secure by design.

    Also why they are so scared (sh*tless) about Huawei...

  11. Anonymous Coward

    Russian Hackers

    I'm sure there are quite a few Russian hackers who could develop a cross-platform encryption tool that the US government could quite easily use. They could probably do it for quite a low cost, too.

  12. juice Silver badge

    People don't want security

    They want a turnkey solution which Just Works.

    And to be fair, the data will generally be flying between non-technical people on a standard (and quite possibly heavily locked down) Windows machine. So if you're asking for something which can't be handled out of the box, it ain't going to happen.

    If something more secure is mandated, good luck getting it rolled out across the millions (if not hundreds of millions) of machines which are being used by Uncle Sam's civil servants, not least because I'm guessing it's not a homogenous estate, and you'll be dealing with tens of thousands of local IT support teams, many of which will struggle to do the work because they're under-resourced.

    And then you'll have to train all the non-technical people to use the new process.

    So while I appreciate the sentiment, I'm not convinced this is a scenario where you can just thunder "THIS IS BAD" and expect change...

    1. DuncanLarge

      Re: People don't want security

      > (and quite possibly heavily locked down) Windows machine

      Hahahahahaha

      \\<machinename>\c$

      :D

  13. JeffyPoooh
    Pint

    Have to check redacted documents...

    See if they're actually redacted properly. Always half-expecting to find black highlighting.

  14. martinusher Silver badge

    Nothing wrong with ZIP files....

    The mistake this legislator is making is confusing the idea of a compressed tarball -- which is what a ZIP file is in real life -- with an encrypted channel. The built in encryption in these compression programs is OK for everyday use where it really doesn't matter that much if an adversary accesses those files but it's wholly inadequate for secure communications. Adding whatever the algorithm-du-jour to the tarball's encryption won't help that much either because people don't crack encrypted data, they go after the key generation and distribution mechanisms. (So your AES-2048 encrypted data isn't going to be very secure if the key's just a hash of "Pa$$w0rd" with it written on a PostIt stuck to your monitor!)

    For now if I want to move ZIP about securely I'll just use PGP. I'm just an ordinary person, not a bank or intelligence agency, so my communications aren't very interesting and don't really need iron clad security -- in fact if anyone wants to crack them have at it.....

    1. el_oscuro

      Re: Nothing wrong with ZIP files....

      Passwords on zip files, winword docs, excel spreadsheets and such are all the computer equivalent of those combo locks that idiots use on their luggage. And about as easy to crack. Doesn't really matter the algorithm. Just feed it into jtr with a good wordlist like rockyou.txt and you are done.

      https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/src/zip2john.c

  15. Anonymous Coward

    Sensitive documents - with NIST?

    Anybody else wondering exactly what sensitive documents NIST would be handling? Knowledge of the accuracy level of a company's most accurate standards would be of limited use, and I'm not sure what else would be sent. Obviously there are other governmental bodies with very sensitive data, but NIST?

    1. It's just me

      Re: Sensitive documents - with NIST?

      NIST stands for National Institute of Standards and Technology and they develop Federal Information Processing Standards that all federal agencies must follow. Among others, their Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems.

      https://www.nist.gov/itl/nist-special-publication-800-series-general-information

  16. Zebo-the-Fat

    Useless

    My company recently installed a large amount of scanning devices for a major UK company, they would scan a document and send it as an email. Part way through the install someone decided we had to set the machines to use encrypted, secure email, this worked fine, except if they needed to send a document to an external user they had to include the password with the "encrypted" document so making the whole process useless.

  17. Anonymous Coward

    So...let me see if I understand this correctly....

    ....the Government wants to ensure that Government documents are "properly secured" as these documents traverse the interweb.

    ....and the Government also wants to compromise "end-to-end" encryption so that the Government can read everyone else's documents as they traverse the interweb.

    ....and (in the past, and maybe in the future) people like Phil Zimmermann have been harassed by the Government for developing ciphers which the Government thinks are "too secure" for ordinary people to use.

    .....and "ordinary people" are ending up with less privacy and less security.... and all the while they are paying for "the Government".

    What am I missing here?

    1. Anonymous Coward

      Re: So...let me see if I understand this correctly....

      George Orwell could probably help you out here...


Biting the hand that feeds IT © 1998–2021