Information Security For Lawyers

An Architecture For An Adversarial World

Public interest law firms such as the American Civil Liberties Union, the National Lawyers Guild, the Partnership for Civil Justice Fund, the Conservation Law Foundation, and others all do vital work on a daily basis to combat government and corporate power. Their work exposes government secrets, advocates for dissidents, fights for civil rights, and helps safeguard the environment. Many independent attorneys around the world also take on powerful opponents and gross injustice, often at great personal risk.

These lawyers are targets.

Companies like Fin Fisher sell digital intrusion and surveillance technology to governments and companies who want tools to target their opponents, such as activist lawyers in Bahrain. The U.S. National Security Agency has targeted prominent American civil rights attorneys and activists. Small public interest law firms and independent attorneys rarely have the kind of resources that larger law firms regularly commit to digital security, and yet these smaller firms often confront immensely capable adversaries: multinational corporations and state actors.

What follows is an outline for a security-focused office infrastructure for small and medium-sized law practices. The design includes hardened client machines based on Gentoo Linux, a server architecture based on Core OS, resilient data redundancy via TAHOE-LAFS, and a robust network design featuring an “forced on” VPN, and LDAP two-factor network authentication. Client machines also deploy standard tools for end-to-end secure communication inside and outside the secure network, such as GPG encrypted mail and OTR instant messaging over a locally hosted jabber server.

This infrastructure model could conceivably serve any group of people who need to conduct traditional workplace collaboration tasks using a standard suite of office tools with a high degree of security, redundancy, and reliability. This system would also serve the needs of most news organizations, some activist organizations, and most health care providers.

It would be great to get peer review feedback on this, so if you have any suggestions or criticisms, please let me know on twitter (@praxisjournal) or email me if you prefer (praxisjournal@riseup.net).

I. Why is information security important for legal practice?

An adversarial justice system, like any game,1 is a constructed arena in which players agree to be bound by certain rules, but seek the best possible advantage against their opponent within that arena. Certain information is public, such as court filings, while other information is private, such as attorney work product and attorney-client communications. A third sphere of information is contested; adversaries compete to convince the court that certain discovery requests are over-broad, that certain deposition questions are unjustified, etc. This contested information may eventually become public in the course of litigation, but it is important that, like other clearly privileged information, it remain private until the attorney in question can no longer convince the court that it aught to remain so.

Some privileged information, if revealed, may be damaging to a player’s position in the game, but that player nonetheless retains the prerogative to keep it secret. The players compete in relation to the rules (the law), which nominally form a causal pyramid from antecedent first principles. The law itself is iteratively challenged and changed over time through a similar competition of arguments, in which players attempt to challenge or validate a law based on its arguable congruence or incongruence with relevant antecedent principles. This is the common law system as we know it. It requires public law, mandatory sharing of certain information between adversaries, and privileged secrecy for attorneys’ research, plans, and communications with their clients.

A major problem that law firms face today is that their digital infrastructure often does not adequately reify these foundational principles. Today, a powerful adversary such as a state actor or a multinational corporation- routine opponents for a public interest law firm- has the capability to act outside of the legal arena and compromise their opponent’s digital infrastructure. Since it is often practical to mount such an attack without detection, many governments and corporations enjoy the ability to steal privileged information from their legal opponent without fearing that the court will ever become aware of their activities.

This threat is complicated by the recent proliferation of secret law and secret interpretations of laws granting unknown authority to elements of the Executive branch in any matter the Executive believes is connected to “terrorism” (defined by the whim of the Executive branch). Elements of the Executive branch that are named as defendants in a suit brought by a public interest law firm may not only possess the technical capability, but may believe that they have the legal authority to target the privileged communications of their legal adversary, even if this authority is secret and therefore beyond judicial review.

Since public interest law firms may represent individuals the government openly or secretly considers to be connected to “terrorism,” this ambiguity of secret authority poses an advanced persistent threat to the confidentiality of attorneys’ privileged work product and client communications when confronting state adversaries in the court system. Some parts of the security state even may act outside of their already expansive secret authority against anyone they view as an opponent seeking to challenge their authority. The recent revelation that the CIA compromised the Senate Intelligence Committee’s computers, in order to monitor the Senate’s investigation of the CIA’s torture and rendition program, is a reminder of the lengths to which powerful actors will go to insulate themselves from accountability.

The threat of an attack on attorneys’ digital infrastructure is not just bad for the law firm victimized by their adversary, although such an attack would undoubtedly compromise that firm’s ability to effectively represent their client. More fundamentally, the imbalance of power in technical capability between certain litigants and their opponents threatens to corrode the integrity and relative social effectiveness of the adversarial civil court system as an equalizing arena, by amplifying the existing structural advantage of some litigants over others. Without robust information security for lawyers, the civil court system will cease to be a nominally more equitable arena for resolving social conflict and will instead become a contemporary Star Chamber that merely multiplies the prerogatives of the powerful.

Cryptography, like litigation, is an effective weapon of the weak; when implemented properly it has the potential to defeat the brute force of a powerful opponent. Code, like law, reflects and enforces social norms. Lawyers’ digital infrastructure must reflect and enforce their historic right to protect their clients’ information; otherwise, that right itself will be effaced and delegitimized by the present social norm of weak information security common at most law firms. Like any right, attorneys’ right to keep privileged information confidential must be exercised, or it will be lost.

II. Threat Model

a.) Defining Adversaries, Their Capabilities, & Levels of Motivation:

Adversary Law Firms:

• possess minimal offensive technical capabilities (an exception would be the Department of Justice; see: State Actors)
• are constrained by their responsibilities as officers of the court; generally speaking, we may say that the risks of professional censure, loss of license, and legal liability significantly constrain this actor’s willingness to risk attacking the defender firm’s infrastructure

Opportunistic Attackers:

• possess some offensive technical capabilities
• are less likely to be specifically motivated to systematically attack the defender firm’s infrastructure
• may conduct opportunistic attacks on the defender’s client machines or servers that may make those machines more vulnerable to a dedicated attacker

Multinational Corporate Actors:

• possess significant offensive technical capabilities, either internally or via hiring a private contractor with such capabilities
• possess a high level of motivation; the corporate actor may be in litigation with the defender firm or may be interested in a competitor’s trade secrets that may be entrusted to the defender firm in unrelated litigation
• willingness to attack may be constrained by a fear of civil or criminal liability, if discovered

State Actors:

• possess immense offensive technical capabilities
• may have secret legal authority to target the associates of individuals considered to be “terrorists,” including such persons’ attorneys
• due to their advanced capability to conduct “clandestine” or undetectable attacks, this actor has fewer disincentives to compromise a law firm’s infrastructure. In addition, the intelligence community is politically insulated from accountability, and so is less likely to fear civil or criminal penalties for an attack. This actor is extremely difficult to defend against effectively.

b.) Defining Implicit Assumptions:

• All information stored on the defender firm’s system is considered privileged unless it is explicitly given to the adversary in the form of discovery, a court filing exhibit, etc.
• Employees of the defender law firm must act in good faith. For example, if an attorney were to willingly give privileged information to an adversary, that would be considered unreasonable and outside of the scope of the threat model. Employees of the defender firm are implicitly trusted.
• Ordinary users can: copy firm files to which they have access, delete firm files to which they have access
• The system administrator can: copy any/all firm files, delete any/all firm files, delete or modify all system backups, delete (but not read) users’ master offline private key backups, read all multi-party emails, read all employees’ internet browsing activity not sent over Tor
• The network administrator can: revoke any or all users’ access to the network, authorize anyone to access the network, see the location of all employees connected to the network
• It is assumed that employees of the defender law firm will not be coerced through threats of violence, blackmail, or other such means to compromise the defender firm’s infrastructure. Direct coercion of employees is outside of the scope of the threat model. Attempts to legally compel employees of the defender firm to give up passwords, keys, or data, for example via a grand jury subpoena, are excluded from the model. It is implicitly assumed that the principle of attorney client privilege will be respected in open court.
• Hardware is implicitly trusted. Given the threat of hardware interdiction, it may be reasonable to obscure the true purchaser of procured hardware. However, if these precautions are taken, the hardware is assumed to be trustworthy. Physical intrusions onto the premises of the law firm to compromise the defender’s hardware is outside of the scope of the threat model (but can be addressed by deploying the server and network infrastructure as a Tor hidden service, see: Conclusion)
• Since all deployed software and network protocols are free software, it is assumed that software and network protocols do not contain deliberate attempts to weaken their security (backdoors).
• All software is assumed to contain vulnerabilities. To mitigate the risk posed by unknown vulnerability exploits (“zero days”), the principles of code correctness, least authority permissions, write-protection, and compartmentalization will be emphasized in software selection and infrastructure design.

III. Capabilities: What should the system do?

Users must be able to:

• use a full suite of office software: document, spreadsheet, presentation, & PDF creation/editing
• backup all files, securely and automatically
• perform open source research without alerting an adversary who is conducting open source research on them; i.e. users need anonymous browsing
• send and receive single recipient and multi-party messages whose confidentiality, integrity, and authenticity are insured and verified at client endpoints
• send and receive single recipient and multi-party instant message chats whose confidentiality, forward secrecy, integrity, and authenticity are insured and verified at client endpoints
• print documents
• work remotely
• work offline
• communicate securely with clients

The system administrator must be able to:

• assure regular, automated, and redundant backups of all files
• backup all versions of all files created on the system, including deleted files
• push updates to client machines
• grant and revoke access to accounts

The network administrator must be able to:

• grant and revoke access to the network
• authenticate authorized users to the network
• prevent network contamination via compromised devices with strict network compartmentalization

IV. Security Architecture Philosophy:

• Minimize attack surfaces.
• Contain exploit damage via compartmentalization.
• Build redundancy and resiliency.

V. High Level Infrastructure Overview

a.) Client Endpoints: Client machines are stateless thin clients running a live version of hardened Gentoo, which boots via USB. The system is not a “pure” thin client, since applications are processed locally and files may be modified and saved while the user is offline. However, the client is “stateless” insofar as it is possible for the user to lose or destroy their workstation without any loss of data (provided that the client machine has had a chance to sync with the network before destruction, see below: Network). Persistent user local data and settings (such as local files, emails, IMAP and jabber account settings) are saved in a LUKS container on the live USB. Client machines have no hard drives. Client machines may not install software (users do not have root). Any changes made to the client user environment (other than local files, email, IMAP settings, and jabber settings) will be lost at system reboot. Client machines do not have access to Portage, Gentoo’s package management system. Client machines run identical copies of Gentoo and receive “atomic” comprehensive updates every six weeks (users are provided with a new USB containing the updated ISO, pre-configured with all their email, chat, printer, and document sync settings). Client machines will run fallback Gnome 3 as a desktop environment.

Client endpoint software attack surfaces are minimized by root write protection, the simplicity of a minimal Gentoo installation, and the vulnerability containment features of hardened Gentoo, such as grsecurity and PaX.

Client hardware is a Thinkpad x60 laptop. The hardrive, microphone, bluetooth antenna, and web camera are removed from the machine. The boot chip is removed and replaced with a larger, write protected boot chip flashed with Core Boot (coreboot.org), an open source BIOS.

In addition, the use of “stateless” client end points facilitates secure international travel for attorneys. An attorney may safely board an airplane with their laptop and a blank live USB pre-configured with their settings (but containing no files or emails). In order to authenticate to the firm network to download files and emails after passing through customs, the attorney will need their OTP USB, their username, and their passphrase (see below: Network). The OTP USB may be securely mailed to the attorney’s destination, since without the attorney’s passphrase it is useless. If the attorney is stopped at the airport, it will be impossible to compel them to turn over client information, since they do not have physical possession of their OTP USB. Even if they give up their password, their adversary will still have access to nothing.

b.) Network: Client machines are connected to the office server via a “always on” VPN. Client machines are not allowed to connect to the public internet through any means other than the law firm’s VPN. Client machines only ever connect to the law firm network. The only devices connected to the law firm network are client machines and law firm servers. All other devices, such as employee’s personal devices, which employees may want to be able to connect to the internet while in the office, may be connected through a separate “insecure” network. These networks are never contaminated; only the network administrator is capable of connecting new devices to the secure network. Users authenticate to the secure network at login using two-factor authentication handled by LDAP. Users authenticate via username + password + one time code. The one time code is generated by a hardened USB (yubico.com).

c.) Server: Server infrastructure is built on Core OS, “an open source lightweight operating system based on the Linux kernel and designed for providing infrastructure to clustered deployments, while focusing on automation, ease of applications deployment, security, reliability and scalability. As an operating system, Core OS provides only the minimal functionality required for deploying applications inside software containers, together with built- in mechanisms for service discovery and configuration sharing.”2

This server infrastructure, like the client machines, is stateless and based on a minimal Gentoo installation. Applications and processes are compartmentalized from one another, running in separate “dockers.” As a result, server applications and processes can be effortlessly shifted from one machine to another; servers can be run on-site or on a remote infrastructure such as Amazon EC2. Since Core OS instances are identical, stateless, and receive “atomic” comprehensive updates every six weeks, they are process, application, and hardware agnostic. This makes servers completely interchangeable and significantly reduces the burden of system administration. The ability to securely run remote infrastructure with minimal system administration means that it would be feasible for a small law firm to deploy this system without the overhead typically associated with such a system. A federated organization of networked law firms, such as the ACLU, would greatly benefit from this structure, since each regional firm would be able to run identical interoperable infrastructure without centralizing sensitive client information. Thus, client information would be kept compartmentalized on a “need to know” basis, without fragmenting network infrastructure into incompatible islands. Offices with the available overhead would be able to perform remote cluster system administration for smaller offices with minimal effort and expense. Additionally, larger ACLU offices would be able to host services for smaller offices, thereby taking advantage of the economies of scale of running a large cluster, without requiring the smaller ACLU offices to disclose the content of their documents and communications to their larger, sister ACLU office.

Data redundancy and resiliency are handled by a TAHOE-LAFS installation; each firm runs its own LAFS client and gateway on its Core OS infrastructure and sends multiple blind backups to offsite infrastructure, such as Amazon EC2.

d.) User Services:

Files: Users access work files via an Own Cloud (owncloud.org) instance, run via a firm controlled server. Own Cloud is open source software for deploying a file synchronization service on a server of the end user’s choice. File security and authentication is handled via TLS; the server’s SSL cert is manually installed on client endpoints as a .pem file. The user’s “shared” Own Cloud folder is stored on the LUKS container on their live USB; this folder will automatically sync with the firm server whenever the client machine is connected to the network. This allows the user to work offline while syncing seamlessly and automatically.

Email: Users access the firm’s mail server through the firm’s VPN. Authentication with the server is handled via TLS; the server’s SSL cert is manually installed on client endpoints as a .pem file. Each user has an offline master GPG key pair, with three operational sub-keys. Offline master keys are encrypted with AES-256 using a 40+ character passphrase of the user’s choosing and is backed up on a USB and on paper. The system administrator keeps all backups of users’ offline master and sub key pairs, but does not have access to user’s private keys, since only end-users know their passphrase. In addition, a firm-wide key pair is distributed to all users; people from outside of the firm can send messages addressed to the firm as a whole with this key. A second firm-wide key pair is distributed to all users for insuring the confidentiality of multiparty messages sent within the firm. This key will be changed whenever any employee leaves the firm. All internal emails are signed and encrypted by default. All firm-to-external communications (excluding client communications, see below) are signed by default and only encrypted if the user specifies a public key for the recipient.

All of the firm’s (human) clients will be provided with a Gentoo hardened live USB and a GPG key pair for sending/receiving documents and communicating with the firm. Clients, obviously, are not given access to the firm’s secure network. If clients require location anonymity they may be provided with a Tails live USB instead of a Gentoo hardened live USB. If a client requires that the fact that they are even communicating with the firm be deniable, the client and the relevant case managing attorney may be supplied with Tails USBs running Pond (pond.imperialviolet.net) for deniable secure communications outside of the firm’s secure network.

Chat: Users are provided with jabber addresses on the firm’s jabber server. All chats are encrypted end-to-end via OTR. Technically, OTR negates the requirement that the firm retain control of their own jabber server from a security perspective, but up-time and reliability are also concerns that are better addressed by running an independent jabber server. Multi-party OTR chats are handled by Crypto Cat.

Browsing: Users can browse the internet using the Tor Browser Bundle or Chromium Browser. Since all connections are forced through the firm’s VPN automatically, using Tor may result in slightly higher latency than would be typical for Tor. All websites visited by firm employees are visible to the system administrator, unless the employee chooses to use Tor. If the employee is visiting a site that deploys SSL, then the sysadmin will not be able to see the content of their traffic with that website, even if they are not using Tor.

VI. Conclusion:

In order to minimize productivity loss as users become familiar with their new workstations, as well as to insure that any problems with the system are worked out before critical firm information is transferred to the the new system, it would be prudent to build the secure infrastructure alongside the existing infrastructure, while maintaining strict compartmentalization. That way, users will be able to become familiar with their new systems and administrators will be able to adapt to user requests and implement them into the secure system as it is developed. The pre-existing system will only be shut-down once the new, secure infrastructure is considered stable.

This system can be further hardened for user groups whose threat model extends beyond the one described above. If the adversary is willing and capable of breaking into the physical office premises, or if the adversary has the capability and willingness to find and destroy the user group’s servers, or arbitrarily arrest the user group’s personnel, a modified approach is required. The “forced on” VPN connection between the client machines and the server can be replaced with a Tor hidden service connection. This would hide the location of the clients from the server (and vice versa), and the location of both the clients and the server from the adversary. All outbound connections (for example, when a client is browsing the web via the server connection) would also be routed through Tor. This setup would allow for a group of people to coordinate and share office infrastructure without a physical office, or even to continue to work while operating “underground.” While deploying a Tor hidden service would harden the system against attack, it would also introduce greater network latency for users who can operate in the open.

This is just an initial attempt to describe what a more secure office infrastructure for attorneys, journalists, activists, and others might look like. Please feel free to provide feedback & criticism.

Notes:

1 A ritualized conflict short of war

2 https://en.wikipedia.org/wiki/CoreOS