Encryption: Will Political Insecurity Decide Your Security?


You own your own security. Bottom-line, when it comes down to planning how to protect yourself and what is yours, that decision should belong to you. But that’s not what President Obama, UK Prime Minister David Cameron or French Prime Minister Hollande would have you believe after their exchange of inflammatory rhetoric last week. If these three global leaders have their way, rather than securing our freedoms in the face of terrorism, they’ll be restricting the safeguards we need in place, and opening the cyber backdoor to those threats they fear most.

It appears fear fuelled knee-jerk reactions following the horrific terror attacks in France. French PM Hollande called for tighter surveillance measures to potentially weaken and cripple encryption in France. That encouraged UK Prime Minister David Cameron to say he’d like to ban certain forms of encryption, impacting popular messaging apps like iMessage and WhatsApp. You can read this post by Cory Doctorow to get a shopping list of what they want to limit: http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html. US President Obama’s new Internet security proviso followed hard on the heels of Cameron’s call to outlaw encryption. Instead, they want to build “backdoors” into applications that would allow government officials to read all media and messages, and effectively give the state far more access and control over everyone else. But as Cory so aptly points out, “there’s no back door that only lets good guys go through it.”

Official White House photo by Pete Souza


When Obama delivers his State of The Union address on January 20th, he’s going to make his case against encryption, and against the people in InfoSec who watch our backdoors constantly, identifying and tracking down threats from around the world.  There is a lot of money being made by people who can breach security, acquire our personal data, and sell it to the highest bidder.  The stakes are much higher when it comes to securing our critical infrastructure: power, water, communications, defense.  We have clear proof that those systems have already been targeted and penetrated.  Those systems are vital to our way of life, and deserve the best protection we can offer.

Rob Graham has written an excellent response to this in his blog, Errata Security, and he levels this warning: “The most important innovators this law would affect are the cybersecurity professionals that protect the Internet. If you cared about things such as “national security” and “cyberterrorism”, then this should be your biggest fear…This creates an open-door for nation-state hackers and the real cybercriminals.” http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VL1RgkfF_p6.


Call me crazy, but I think we should listen to those who know a lot more than the rest of us think we do. Misguided Security warns “once this Pandora’s Box is opened, it’s going to be damn hard to shut and the talented people who do great research and help protect the public from people and organizations that are truly scary” (http://misguidedsecurity.blogspot.ca/2015/01/wi-fight.html). Encryption keeps data safe, keeps identities safe, whereas backdoors and uninvited surveillance create risk.


These guys aren’t the hackers – they’re the ones that protect us from them.  Yet the term is dangerously misunderstood. Rob Graham explains “Because of our knowledge, we do innocent things that look to outsiders like “hacking”. Protecting computers often means attacking them.” There’s a diligent army of highly skilled folks working on our behalf out there, scrutinizing infinite lines of code to catch what we don’t want to have. They share what they learn in real time, a collaborative, co-operative and highly effective network. Given the opportunity, we really should be listening to them.

Thanks to the folks in InfoSec and the tools they use daily, I’ve watched botnets being launched by attackers from China.  To see what is coming at us in real time just click on this link to a map by Norse  http://map.ipviking.com/


We need the freedom to innovate and explore technology so that it will serve us better. As Rob Graham points out, “Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that.” How can we defend ourselves if we handcuff those who do? There’s currently a movement afoot within the InfoSec community to spread the word and explain the real value of encryption so that everybody understands they have a stake in this. (I admit, I may be owning one of these shirts myself.)

Currently, this seems to be couched as a “tech” issue, with the political pundits throwing words around like “cyber”, “encryption” and “hacker”, terms that can easily be used in a campaign of fear-mongering by government policy makers to assume control. The assumption is that the average person will probably stop listening because they consider this out of their realm, so it doesn’t apply to them. But that couldn’t be further from the truth. This argument is not just about technology anymore. It challenges current standards of freedom and privacy, and within that, how we get to protect ourselves. And everything we hold dear. Isn’t that our decision to make?

Thanks for reading!

Cheryl Biswas

Je Suis Charlie


As a writer, it is my duty now to speak for those whose voices have been silenced forever. But there are no words left for what happened in Paris.


All I can do is express my sincere and deepest condolences to the families who have suffered the loss of a loved one. And affirm my support and solidarity to all writers and journalists around the globe who do what they love, what they believe.


Terrorism doesn’t get to win. It doesn’t decide what we write, what we make, who we are.  We won’t let that happen. Today, and always, Je suis Charlie.


Attribution: A Word to the Wise

It has been one month since the hack attack on Sony. Thirty days rife with speculation, hype and hyperbole that threw the press into a feeding frenzy. In early days it seemed temptingly easy to believe the attack was in retaliation by North Korea for an American comedy that showed their beloved dictator, Kim Jong Un, being executed. North Korea made an excellent villain as the story played out, and the extent of the damage done to Sony was revealed. For most people, the information as presented in the media made the decision for them: North Korea was behind the attack. But after reading a particularly relevant blog post by Misguided Security (http://misguidedsecurity.blogspot.ca/2014/12/doing-un-walk.html), I realized I needed to carry the message forward: not everyone is getting all the details on the Sony hack, and that is as damaging as the hack itself.

Let me admit my guilt here and now. I did believe that North Korea was behind the attack, setting the tone for one of my earlier blog posts.  While I still consider them an InfoSec menace, I’ve read and considered what other wiser, more informed minds had to say.  I’m very glad I did because now, in the true spirit of this blog, I can share what I have learned. I’ve published this account on my Cybersecurity blog,  http://whitehatcheryl.wordpress.com/  and am now sharing it here, because in our ever-changing world, technology is an essential component of everything we do. Two words: critical infrastructure.  Over the past few months, concern by major security agencies and political powers in the US has amped up over the potential vulnerability to attack faced by their main water, power and communications sources. Fact is, nation-state sponsored hackers from Iran have attacked critical infrastructure in the US and it has been documented, which could explain the elevated levels of suspicion. Which makes this cautionary tale even more relevant. ( http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf )

From the outset there were many within the InfoSec community who declared that there wasn’t enough proof that it could be North Korea. Over the past few weeks, that chorus of voices has steadily grown, and consistently put forth solid reasons to back their arguments, all the time asking for definitive proof to back the allegations that it was North Korea. It was a fair and rational stance, taken by a group of people who are dedicated to and experts on information security. More interested in promoting the truth than themselves, they put their reputations on the line to publicly dispute the assertions made by the FBI and high-profile press pundits.

These are people whose opinions I respect and trust, for good reason. They have years of experience tracking malware and real cyber threats. As events unfolded and coverage mushroomed, the CEO of TrustedSec showed the need for calmer heads to prevail when he said “Speculation backed with little facts …we need to be careful…” and then “We are using some strong words right now and need to back it up without a shadow of a doubt.” His sentiments were echoed by another cautionary voice in the InfoSec community: “We have to be careful on our rhetoric of war and blame, as these little comments can mean big things.” (Jericho)


There are now many excellent blogs and posts about the attack on Sony, and they all give compelling reasons why we should think before we jump on any bandwagon, in this case the one that North Korea did it. The best place to start is with a simple, factual chronology of events. I like this on-going post, started Dec. 5 by Risk-Based Security (https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/). It states, for example, how the now-infamous “Passwords” folder likely was created by the hackers, GOP, when they released the files, and not Sony. But perception is paramount in the blame-game, and unfortunately Sony found itself caught in the unforgiving glare of speculation. Deflecting negative publicity onto North Korea as the evil perpetrator could help serve as damage control, especially if they were portrayed as a threat to national security. That wasn’t hard to do given the current global concerns regarding ISIS and the Middle East.

It’s so easy to jump to conclusions, to see what we want to see.  But as the Sony hack has hopefully taught us, we need to take the time to make informed decisions, and especially to listen to those who challenge assumptions with facts.  Throwing around accusations without proof isn’t just foolish, it’s dangerous.  It’s a great way to make a bad situation worse.  When we know certain nation states are capable of irrational and unpredictable behaviour when provoked, levelling accusations requires more care and discernment.  As ‘Jericho’ says, “make sure you are educated about what has happened the last 30 days, and then try to be a voice of reason in this ugly mess.” Because given all I’ve read, attribution can become a weapon, and not necessarily one of choice.