
Repeat performance: Paris Attacks May Renew Encryption Debate

FILE - In this June 2, 2014, file photo, Apple CEO Tim Cook speaks at an event in San Francisco. The deadly attacks in Paris may soon reopen the debate over whether and how tech companies should let the government sidestep the data scrambling that shields everyday commerce and daily digital life alike. The Obama administration continues to encourage tech companies to include backdoors, although it says it will not ask Congress for new law that requires them. Cook has said that the trouble with that approach is that "there's no such thing as a backdoor for the good guys only." (AP Photo/Jeff Chiu, File)


The deadly attacks in Paris may soon reopen the debate over whether – and how – tech companies should let governments bypass the data scrambling that shields everyday commerce and daily digital life.

So far, there’s no hard evidence that the Paris extremists relied on encrypted communications – essentially, encoded digital messages that can’t be read without the proper digital “keys” – to plan the shooting and bombing attacks that left 129 dead on Friday. But it wouldn’t be much of a surprise if they did.

So-called end-to-end encryption technology is now widely used in many standard message systems, including Apple’s iMessage and Facebook’s WhatsApp. Similar technology also shields the contents of smartphones running the latest versions of Apple and Google operating software. Strong encryption is used to protect everything from corporate secrets to the credit-card numbers of online shoppers to intimate photos and secrets shared by lovers.

That widespread use of encryption, which was previously restricted to more powerful desktop or server computers, is exactly what worries members of the intelligence and law enforcement communities. Some are now using the occasion of the Paris attacks to once again argue for restrictions on the technology, saying it hampers their ability to track and disrupt plots like the Paris attacks.

“I now think we’re going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of what’s happened in Paris,” former CIA deputy director Michael Morell said Monday on CBS This Morning.

The last such debate followed 2013 disclosures of government surveillance by former National Security Agency contractor Edward Snowden. Since then, tech companies seeking to reassure their users and protect their profits have adopted more sophisticated encryption techniques despite government opposition. Documents leaked by Snowden also shed light on NSA efforts to break encryption technologies.

In response, law-enforcement and intelligence officials have argued that companies like Apple and Google should build “backdoors” into their encryption systems that would allow investigators into otherwise locked-up devices. The Obama administration continues to encourage tech companies to include such backdoors, although it says it won’t ask Congress for new law that requires them.

“The Snowden revelation showed that backdoors can be destructive, particularly when they’re done in secrecy without transparency,” says Will Ackerly, a former NSA security researcher and the co-founder of Virtru, which provides encryption technology for both companies and individual people.

On Monday, Attorney General Loretta Lynch said the government continues to have “ongoing discussions” with industry about ways in which companies can lawfully provide information about their users while still ensuring their privacy.

Last week in Dublin, Apple CEO Tim Cook noted that “there’s no such thing as a backdoor for the good guys only. If there’s a backdoor, anybody can come in.” In other words, any shortcut for investigators could also be targeted by cybercriminals eager to hack major corporations – a la the devastating cyberattack on Sony late last year – or to target individuals for identity theft or extortion, as reportedly occurred following the disclosure of records from the infidelity dating site Ashley Madison.

In the same speech, Cook said Apple will resist attempts to weaken encryption in iMessage. A draft law recently introduced in Britain would require telecommunications companies to provide “wider assistance” to police and intelligence agencies in the interests of national security.

Like iMessage, Facebook’s WhatsApp encrypts all communications from “end-to-end” – a technique that blocks anyone outside the conversation from reading or seeing what’s being sent. Although Facebook can’t see the content of the messages, it does track who is talking to whom and stores their phone numbers – information that can be valuable for law enforcement officials trying to sniff out terrorist plots and fight other criminal activity.

Steven Bellovin, a Columbia University professor and computer security researcher, says he isn’t surprised by the effort to bring back discussion on encryption backdoors. But he adds that it’s way too early to tie it to the Paris attacks.

“We don’t know how these people were communicating and with whom,” he said. “If they were communicating with homegrown software and there’s some indications of that, then a mandatory backdoor is not going to do any good.”

Source: Associated Press


Henry Sapiecha

ALL EMAILS SHOULD BE ENCRYPTED IT IS SAID, SO FIND OUT HOW & WHY HERE

Why We Should Encrypt Everyone’s Email as security

Ladar Levison is the owner of the encrypted email startup Lavabit. After Edward Snowden’s NSA document leaks last summer, Levison rebuffed government demands to hand over the email service’s private encryption keys—opting to shut it down instead. He spoke about his new project Dark Mail, online privacy, and how encrypting our email helps disassemble today’s unconstitutional surveillance networks.

Q

When we talk about email, how much of our online communications are truly private?

A

I think everybody today needs to assume that if they’re communicating electronically, somebody is listening. Over the last 20 years we’ve been communicating across the Internet with a level of naïve innocence that has been lost forever.

One big issue is that today’s electronic communication systems have gotten so complex that they are all but impossible for private citizens to understand. And that’s because these systems have been built with layer upon layer of complexity. If any of those layers has a vulnerability, an organization with the access and resources of the NSA can exploit it to gain total control of the system. The only question is how difficult it is for them to do so.

Another issue is that while we have the encryption technology to protect email messages, the current state of endpoint security (meaning the security of your individual computer or device) is abysmal—almost laughable to the Tailored Access Operations unit which employs more than 1,000 engineers whose only mission is expanding their exploit catalog. If your device is compromised, it doesn’t matter how strong the encryption is, a snooper will simply steal the keys protecting your messages.

Q

Why should we be so concerned about keeping our email encrypted and private?

A

For one, privacy is a form of security and protection—an assurance that what we write won’t one day be used against us, to blackmail us into conducting some nefarious deed. I look to history and shudder to think of what Joseph McCarthy, Richard Nixon, or J. Edgar Hoover would have done with the surveillance capabilities of today.

One of our most basic rights as American citizens, as people, is the privacy of our papers—our thoughts in written form. Why should this right be forfeited simply because the thought was typed into a computer and stored in a cloud?

But the most important reason is this: By encrypting our email, we force a potential attacker to break into our devices if they want to read our private messages. That changes the game. Instead of sweeping up everyone’s communications wholesale, without much incremental effort, we force them to pick and choose specific targets. And this would be a huge step towards making unconstitutional surveillance obsolete.

Q

Talk to us about Dark Mail, your newest project.

A

Dark Mail is really an effort to turn the world’s email dark—to make email encryption ubiquitous, universal, and automatic. The simplest explanation of what we’re doing is that we’re rewriting the protocols of email—the standard rules computers use for delivering email messages—so that messages are encrypted before they leave your computer and can’t be decrypted until they’ve reached the recipient’s computer. And because this is built into the system, there’s no cognitive burden. Grandma could use this—you don’t need to understand encryption or why it’s important. If someone can use email today, they will be able to use Dark Mail tomorrow.

Just to be clear, one important distinction is that Dark Mail is a technology—it’s not [an email] service. Our hope is that different email service providers will implement support for Dark Mail. In fact, we’ll be publishing the specifications and releasing the code as free software. That way, the community can help us find vulnerabilities and make Dark Mail even more secure. It’s even possible that others will take our design and improve on it. And if they do, more power to them.

Q

So how does Dark Mail work?

A

Dark Mail is built around something called asymmetric cryptography, in a manner similar to [a piece of software called] PGP, which stands for Pretty Good Privacy. It involves two keys (think passwords) to work. You generate a public and a private key. You then give your public key to the world, so that anyone in the world can send you a message that has been encrypted using the public key. Once the message has been protected using a public key, only someone with the corresponding private key can unlock it. At least in theory, the only person with access to the corresponding private key is you.

Now all you need to do is protect it.

But Dark Mail is more complicated than simply taking PGP and making it automatic. For example, we’re working on making the Dark Mail key discovery process resistant to manipulation by bad guys with big budgets. We’re also working on the metadata problem—or making it harder for an outsider to track when and with whom you’re communicating. Without that, we will lose our ability to associate freely. I know this from experience. Contacting the EFF shouldn’t make you a surveillance target.

Q

Is this type of encryption even legal?

A

Yes. If you go back to the early ‘90s, the person who wrote PGP, Phil Zimmermann, freely released his software to a handful of friends. Eventually PGP source code found its way onto the global Internet. For his trouble, Zimmermann was subjected to a 3-year criminal investigation, which would eventually be dropped and never result in charges against him. At the time, in 1991, any form of encryption that was strong enough to be considered unbreakable by the federal government was classified as a munition—as a weapon—and was subject to strict distribution controls.

In large part because of Zimmermann, those laws would get repealed, and the victory would become one of many battles that make up a period known as the Crypto Wars. Freedom would eventually prevail. We won the right to create and distribute software with strong encryption. All we need to do now is use that right.

Henry Sapiecha