Digital Insurgency

Where Surveillance, Encryption & Privacy Collide

Tech Policy Daily’s Gus Hurwitz has a post up today arguing that encryption is a distraction from true security. It’s an interesting read, but thoroughly misguided. Hurwitz suggests that the focus in tech should not be on encryption, but rather on the security of the systems. His argument boiled down:

Most cybersecurity incidents do not involve breaking encryption. Nor would they be prevented by stronger or more pervasive encryption. Consider recent incidents in the news: Yahoo!’s loss of data from 500 million user accounts, the unprecedented DDOS attack on security researcher Brian Krebs’s web site, and attacks on voting machines. These are the sort of incidents that are happening with alarming frequency; they are the sort of incidents that have the greatest potential to have tangible harmful effect; and they are the sort of incidents that all users are concerned about. …

Better or stronger encryption does little, if anything, to prevent these sorts of attacks. A more productive use of resources is to focus on better design and testing – ensuring that users securely use systems, designing security mechanisms that they won’t bypass, and designing systems that can continue to operate securely operate under compromised conditions.

On the importance of securing systems, Hurwitz is right. More attention must be paid to strengthening security overall. Corporate players, especially, should face serious repercussions for breaches that result in user data being compromised. Until there is a price to be paid, the cost of poor security practices is relatively minor compared to the cost of robust protections.

What Hurwitz misses, however, is what those protections are likely to look like. If corporate players suddenly faced stiff penalties for breached data, the first step most would take is end-to-end encryption. There is a good reason for that.

Despite Hurwitz’ dismissal of encryption, it is just as, if not more, important than security. If a system encrypted end-to-end is breached, there is little of consequence that could be gleaned from the breach because all data compromised would be stored in an unreadable format.

The reason hacks are so damaging currently is that most data is not stored encrypted. It is stored in plain text or as normal files. Once the  breach happens, the data is lost.

Under Hurwitz’ concept of security being most critical none of that changes. All systems will have vulnerabilities, no matter how much is invested in securing them. So what do you do when they are broken?

By starting first with encryption, you stop the hemorrhaging before the cut is even made. The system protects the data first, and the system second. Our current systems are completely backward in that regard, as is Hurwitz’ thinking. In an end-to-end world, content should never be viewable in transit. That is especially true when transit relies on anything as inherently insecure as the open Internet.

What’s more, you reduce the motive for attack by ensuring that anything gained will be of no value.

Hurwitz’ line of thinking, sadly, is typical of policy proposals in DC. There is a reason for this, too. By diverting the focus to security, rather than encryption, we guarantee the prying eyes of the surveillance state.

Only in an end-to-end world do we safeguard our data against all outside eyes, not just the “bad” ones.

 

 

 

 

I’m just an average man, with an average life
I work from nine to five; hey hell, I pay the price
All I want is to be left alone in my average home
But why do I always feel like I’m in the Twilight Zone?

When I come home at night
I bolt the door real tight
People call me on the phone I’m trying to avoid
Well, can the people on TV see me
Or am I just paranoid?

Rockwell’s “Who’s Watching Me?” tells the story of a man who feels like he is under constant surveillance by some unknown entity. Two stories out of the world of tech privacy and surveillance today would likely make Rockwell think those lyrics didn’t go far enough. Or, as Max said in the cult classic movie Strange Days:

The issue’s not whether you’re paranoid, Lenny, I mean look at this shit, the issue is whether you’re paranoid enough.

It was revealed today that hacker-turned-Facebook-founder Mark Zuckerberg tapes over the camera on his laptop, as does FBI Director James Comey. That latter part is particularly ironic given that its quite likely the FBI that may be spying on you. As I mentioned yesterday, the FBI is already using software to scan almost a half billion images of Americans (despite few privacy protections). It’s also no secret that the FBI is pushing for massive new surveillance powers under the guise of “keeping us safe”.

It’s good, then that a coalition of internet companies have come together to create a public awareness and advocacy campaign. No Global Warrants is pushing to raise awareness and has a petition up to contact Congress to make your voice heard. While that is unlikely to prevent government from further suppressing your rights, it should, hopefully, make people aware of the issue and aware of how extensive the government’s expansion of its surveillance capability is.

In the meantime, there are some steps you can take to protect yourself. First, you can follow Zuckerberg’s lead and secure your cameras. Amazon sells these handy little slides for laptops and tablets that slide open and closed easily and avoid the tape residue. These cell phone camera covers are also handy and better looking than tape. You also might think twice about sharing a ton of photos of yourself. I realize that is probably unheard of in our selfie obsessed culture, but it makes facial recognition much more accurate if they have snaps of you from every angle.

There are steps you can take to secure your physical devices like ensuring your hard drive and all external storage are encrypted (I like VeraCrypt). Apple has encryption built in through FileVault, but you have to enable it through System Preferences -> Security & Privacy -> FileVault.

You should also, under NO circumstances, be using the same password on every website. I’ll be covering that soon, but there are a lot of password lockers that a) keep all of your passwords securely and b) make it so that you don’t need to remember passwords at all. They’re easy to setup, and enable you to have different, unique, and strong passwords for every site you visit. With free services like Dropbox to store the encrypted password files, you can also use them on every device.

While many of these steps will help protect you from hackers and identity thieves, the FBI has also been known to illegally hack computers. While much of the evidence stemming from that investigation has been tossed by several courts, the FBI is pushing to address that problem through these expanded powers. So you really want to get comfortable with protecting your information from actors both good and bad.

 

It seems that almost every day there is another story of a company, website, or celebrity that has been hacked. Sensitive information – everything from banking details to naked selfies – gets posted online and embarrassment and financial devastation grows. Despite the constant flow of information about high-profile hacks and the commonplace occurrence of identity theft, people still don’t take basic precautions to protect themselves, and websites don’t take basic precautions to protect user data.

When a hacker breaches a site like MySpace, and compromise their user database, they can compromise your email/username and password combinations. If you reuse that same combination on other sites, it is very easy for hackers to write a script to compare those credentials against other popular sites, and identify which ones give them access. It is no surprise that the number of Twitter accounts hacked in the past few weeks is exploding, given that many or most of those people likely also had MySpace or LinkedIn accounts, and were likely using the same password on all of them.

Twitter acknowledged as much when discussing the announcement that 32 million user credentials were available on the dark web.

“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.”

Many websites are now informing you when a login is attempted on your account from a new location, but this is still neither common or foolproof. Some sites still store user credentials in plain text, though encryption of user credentials is more common than not, these days. The strength of that encryption varies, however.

If you are using the same password across many websites, it is just a matter of time before you will be hacked. You really should be using a better method to keep yourself secure. Password locker systems (KeePass or KeePassX, for instance) allow you to keep an unlimited number of passwords stored in a single location and allow you to simply click to copy the correct password and paste it into login forms. You don’t need to remember them all, and most of these systems have a mobile app version that keeps a synchronized copy for logging in via your devices.

Whatever system you choose, it is well past time when you should be taking your personal information security much more seriously. If you are using the same password for your Facebook account and your online banking, you are dancing in a virtual minefield and it’s just a matter of time before something blows up.

We’ve launched this blog to look at developments in the area of cybersecurity, privacy, encryption, and government surveillance, because their intersection is the epicenter of the digital world. Discussions of the balance between security and privacy will drive most tech discussions for the next ten years. Much of this starts with you being better informed and empowered to take an active role in securing your personal data.