Happy new insecure 2017: my resolutions and wishlist for new year


Here we are, a new year comes and we, as cyber security expert, will keep warning the world about the deeply insecure world we are living.

And we will announce new technologies and new devastating scenarios related to new technologies. IoT and Cloud will rise their evil face while bad people will be lurking in the dark waiting to attack the innocent lamb crossing the road.

But, in all of this, the most of the damage will be still done by bad designed systems, by managers that does not understand what means living in a digital world, by politicians that understand cyber security issues only when they have something to gain, by entrepreneurs that still will invest in security as a disturbing side effect.

If I can make a wish for the new year is to see finally a different approach to information security, an approach that take into account that

1) to be secure you need well designed systems first and then cover it with some security geek technologies. If the design is crap all your security is crap no matter what you use on top

2) there is not security if your devices are not designed with security in mind, good code and code lifecycle is the best insurance, so if you buy the cheapest then do not cry … is your job to look for what you need and so yes is your fault if something goes wrong.

3) that finally companies, managers, entrepreneurs understand that security is within process, and not just a bunch of technologies put on top of something that you do not have the slightest idea what it is, you can’t protect what you don’t understand

4) that if people do not understand then people will not follow even the most basic rules, so training is not an optional, but the very basic. And to be sure the first that have to learn are the “CxO” which should get off the throne and start learning the world they crafted.

5) that if we keep thinking that IoT is wonderful but do not understand what IoT will bring in terms of cultural and technical problem we still will never understand what means putting security on this.

6) that if you hire an expert and then you don’t listen to himher then you are wasting hisher and your time. then do not blame the messenger.

7) that if you think that this complex field we call security can be covered by a junior that knows it all you are probably wrong unless the junior is a genious

8) that if you, security expert, think your counterpart has the slightest idea what you are talking about, you are probably wrong because you did not realize they do not understand what they does not know.

9) that all of this is part of the business, and therefore the business should took all this as one of its element, and not just a nasty annoying add on.

10) that next time someone talk about APT tells you the truth, the only way to stop an APT is to stop the attacker otherwise…. it would not be an APT

I know I know I am a but naive and still believe in fairy tales…

 

happy safe and secure 2017 to you all

security awarenesssecuritysecurity culture2017

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Happy new insecure 2017: my resolutions and wishlist for new year was originally published on The Puchi Herald Magazine

Advertisements

Cryptography, keeping on the big lie


So Cryptography would be a National Security Issue?

th (1)I’m tired to be polite and politically correct when talking about encryption. Let us be clear and honest, all those crypto_war is a pile of crap. Every time I heard someone claiming that we should not enforce strong cryptography I wonder: to they have the slightest idea what they are talking about? Probably not, considering also most of the objections against cryptography I heard.

Listening to those “enlighten” minds it seems that without cryptography the world be a sort of heaven where intelligence could have the possibility to solve any criminal case. And it seems that cryptography is used only by the ones who want to act against the laws and the public safety. Well may be would worth for them, and us all, to do a reality check.

Encryption and weapons

encryption-100621667-primary.idgeEncryption is always associated with military technology. The Wassenaar agreement (http://www.wassenaar.org/)  stated what should be considered and not a “sensitive” or military technology. Encryption is in that agreement.

So for someone encryption is a weapon.

encryption has been always used in war context, as well when there were political sensitive issues. Beside the modern math behind encryption, the tools or techniques to hide or make not intelligible a message are old as war and therefore old as humanity.

It seems that the more advance the technology is, the more advance is the need to consider this as a weapon. It is a long story, from traces in Old Egypt Kingdom (1900 BC) to the Caesar Cipher history is plagued by examples of cipher and cryptography more or less successful attempts (it is successful if you do not decrypt the message, of course).

But let us be clear, modern encryption, from Turing to Diffie-Hellman-Merkle is basically math, and math is math. I am sorry but considering math as a military weapon is like considering a hammer a weapon. Can’t be a hammer used to kill someone? yes and directly. Can be math used for the same purpose? wait no … unless the math book is really heavy.

Alas nowadays the math can be implemented into technology, and therefore it is accessible also to the ones that does not have a cryptography degree. But technically speaking, since math is math, anyone could develope a mathematical model to implement cryptography, this would make himher a weapon maker? Actually for some people yes (see all the PGP affair).

Apparently the issue here is the democratization of encryption as something everyone can have access to (bad and good guys) more or less as knifes and hammers and (in some countries) weapons.

Modern technology allow us to implement strong encryption environments, but at the same time rise up the level of “unwanted” decryption capabilities, the faster  our computers are, the more encryption need to go deeper (longer keys, better algorithms…) to be effective. But this is the world we are living.

It is out of doubt that encryption can be used in a war-like scenario, and that can protect communication and sensitive data, but at the same time is clear that those are implementations of something that is of public domain (alas a big defect related to science). You can block the export of those technologies, but can’t avoid a good mathematician design a decent algorithm that supersede your limitation, and some decent coder to implement it.

As a limitation, per se, is not so smart at the end, unless you think you are the only one able to do those things.

Encryption and criminality

th (3)If encryption can be used to protect valuable military information and communication, can be also used by criminals. No question about it. But again we are talking about something that is public domain (math, you know) and encryption, cryptography, communication masquerading have been out there since…ever.

Targeting one tool just would shift the criminals to another tool. Once you make possible to decrypt the internal IPhone infrastructure you think criminal would rely on it? (if ever).

Most of the communication is passed in clear, talking or writing, or sending videos. But at the same time those communication can contain hidden messages even without encryption. As in a baseball game when non formal communication is given between pitcher and catcher on which ball will be the next to be launched, hiding the content of a message disguising it with another is something common. And this does not require encryption and can be as effective as the previous one.

Actually this is the most used vehicle of communication when you want to send a “secret” message or store info. Encryption is just one of the tools that can be used by criminals.

Encryption and intelligence

th (4)So it seems that, anyway, without encryption intelligence work is not possible? this is quite a curious statement mostly because it comes out, mostly, from the same people that declare to collect only “metadata”.

So basically they do mass surveillance (regardless it is legal or not in other countries) to collect only “metadata” but the same are useless against terrorism and criminality? That does not make any sense to me.

It is like the old good intelligence of old times now is useless and we rely only on decryption of messages.

So let us be clear on this. Metadata can gives us a lot of information on a communication transaction and, sometimes, it is all you need if you are doing your intelligence work with intelligence (nice joke,isn’t it? lol)

If you have two suspects, and those ar starting to exchange encrypted messages, well, you have good reason to make your surveillance more stronger.

But if you do not have suspects? well the answer is decrypt all messages from anyone and look inside the content to find out if this is terrorist related.

Is this effective? may be, I do not question it, is this respectful of privacy? no it is not. Would be like preventing criminality bringing everyone in front of a court, I mean every citizen, may be at the end you will find even some criminal, but the most will be innocent people brought in front of a court.

So all the point here is that withouth intelligence opening a Pandora box with bad encryption (as the export grade restrictions that are sill harming our digital world) is, at least, questionable.

Can this makes law enforcement and defence agencies work more hard? yes and not. If this crypto-war is made to cover inefficiency in the intelligence capabilities of those agencies is for sure a problem.

Unless the point is to substanciate that only mass surveillance activity can save us all. But it is funny, mass murdered killers post their statements on Facebook (in clear) and we does not notice it, and at the same time we keep talking about encryption?

It is just me that sees a odd situation or ….

Encryption and the internet

th (5)We all know what HTTPS is, or we should, at least. We all know what TLS/SSL is, or we should at least. We all know what PKI is, or we should at least.

Internet technology rely heavily on encryption, since encryption  is one of the basic pillar of: security; authentication; authorization  and non repudiation technologies. Withouth encryption all those mentioned things could not be effective on the internet where there is not a direct and visible contact between the counterparts.

A system is as secure as its weakest component, therefore weakening encryption is damaging all the internet.

Let’s be clear again, encryption is not the only answer. When me make a VPN (HTTPS, SSL, TLS, IPsec…) we are fairly sure that what we put at the beginning of the transmission pipe is what will arrive at the end of the pipe. But encryption can do a little on the content of the transmission itself, so if we put manure at one side of the pipe we will receive manure at the other side, this is why encryption is just one of the needed technology to be implemented.

But I do not think anyone doubt that without encryption most, if not all, the achievement of modern internet economy would have not been possible, or you would like to pass your credit card data in plain text? (well actually is what you do when someone swipe your card on a card reader, but this is another story.)

Encryption and privacy

One of the most important encryption value, those days, is to preserve privacy and intellectual property. With the expanding exposure of our life to the digital world, and the promise of the IoT (Internet of Terror–sorry , my mistake, Internet of Things) encryption is becoming, day by day, the tool to preserve our privacy.

Basically one time we would have counted on the privacy of our walls, and till we do. But our world has expanded dramatically, and will expand way more in the future.

Being entitled to some privacy is a right, and in some countries (as EU) it is considered one of the  fundamental human rights. Alas in the digital world only encryption can take the job of our walls. Weakening encryption means make your home with transparent walls. May be you like it may be not. But I wonder why this glass house concept has never been presented as a mandatory security tool from enforcement agencies.

This will make easier to look for fugitives, stolen merchandize, drugs and so on…

Encryption and “backdoors”

th (6)This is only for this phone.. yea right…

“I am sorry, I swear I’ll never do it again..”, ow many time parents have listen those words from kids? We do not believe them, of course, we know they will do it again untill the lesson will be learned.

I seems that the same approach does not work with grownups. They do not learn even in front of evidence.

The point it seems not to be understood by some people is that there is not only one owner of knowledge outside there. I tries to explain before that modern encryption is based on math, and math is public domain stuffs. This means basically that anyone with enough knowledge can work to build or harm encryption systems.

When you plan to put a “backdoor” (or better weaken the way a key is generated, to make it guessable) to access some data, it is just a matter of time that someone else will find the weakness. Only an idiot can think heshe is the only owner of those kind of technologies.

Chryptologists and security experts worldwide think the same, recent examples of vulnerabilities related to “export grade encryption crap technology” prove this point, but this seems not clear yet to someone.

Like climate change issues (and why not, creationism), political believes are incredibly blind to simple facts: it will not work.

It is not that security experts and cryptologists does not care about security, or does not care about terrorism and criminality. On the contrary, they care a lot. But they are forced to have a vision that is not shortsighted by contingency. If you do it today someone else will do it tomorrow, it is simple as at. There is no way to stop researchers to look for vulnerability; they can be good or bad, they can be trustful or not, but they will do it, you like it or not.

Encryption and trust

But the question on encryption is way more deeper and complicated. There is a problem every time you make a system weaker: you lose trust and create a precedent.

As in San Bernardino case, there is no way to guarantee someone else will not ask to access another phone, and another and so on.

Beside this, it is clear that once you do this for one phone, you will be forced to do this for other phones. And then there is the cloud and IoT there waiting for those requests.

We should face two issues:

  1. encryption is something used to preserve data confidentiality, integrity and transmission. How can you trust a system that is openly weak?
  2. how can we trust the controller?

I tried to clearly express my view on point one before, if you weak a part you weak it all. Basically it makes the whole system untrastable, and since we states trust is the paramount for security, weaken it will simply shift the use on other tools. It will not a problem for terrorist to use self made encryption tools, that may be make the message look as a plain text …

But I would like to focus on the second point.

Can I, as european, trust a system that can be penetrated by USA intelligence without my knowledge? I am not talking just form a personal perspective, but also from a government one.

The answer is obviously no. even if we are ally. And the reason is in documents and facts that show how even allies have their skeletons. Snowden (and some other reports before him actually) just make public somethings we were all aware of, but just too focused on denial to take position.

We live in an interconnected world, and we can not think what we do is without consequences on global scale. sure we can choose to not care, or not talk about it, but consequences will be hitting us we like it or not.

Once a nation ask for a weaken encryption for “security” reason, there is no guarantee it will not use it also for other purposes. This means that export grade restrictions, now that the world care and is aware of the problem, or “backdoors” and similar things will rise up a similar answer from the other countries. It is quite amusing to notice that what is a “security matter” for a country can be perceived as a violation from another. Of course we are the good ones, God is with us (Jeez this remember me something, may be in another language) therefore they are the bed guys, isn’t it? So we can be trusted they can’t…or may be we can not trust anyone and so consider the encryption a defence tool from anyone?

I know a balance is hard to be found between privacy and security, but if trust is mined you just will not have more security, because bed guys always knows how t protect their stuffs.

Encryption and business

th (7)So, would you buy, or trust for what it matter, something with a clipper chip on it? Seriously? If you do not care about security and privacy probably yes, if you care obviously not.

So vendors, technology and services provider should hae to make a double offer: with weakened security or not. May be offering hard discount for the weakened security version of the product. I can Imagine the motto:

“Be insecure for your security”

 

 

 

 

var aid = '6055',
    v = 'qGrn%2BlT8rPs5CstTgaa8EA%3D%3D',
    credomain = 'adkengage.com',
    ru = 'http://www.thepuchiherald.com/wp-admin/post.php';
document.write('');

Cryptography, keeping on the big lie was originally published on The Puchi Herald Magazine

The Greenland Diaries

monsters, monsters, everywhere

Sableyes

Sabbles woz 'ere

La vita attraverso il cinema

La vita attraverso il cinema

Technology... in PLAIN ENGLISH!

TechMania 411: Finding the reasons for the mania

Attila Ovari

Loving Life and Inspiring Others

danniecardenas

A topnotch WordPress.com site

clarencesyf

A great WordPress.com site

leonardoztf

This WordPress.com site is the bee's knees

kathymichaelis

A great WordPress.com site

suzettejeanner

Smile! You’re at the best WordPress.com site ever

elliottelizond

A topnotch WordPress.com site

sonyasaavedra

Smile! You’re at the best WordPress.com site ever

martinaricks

This WordPress.com site is the cat’s pajamas

eugenechampion

A great WordPress.com site

skylar9722

A fine WordPress.com site

Linguaculture

Nobody is able to change the world, but everyone has the chance to understand it. - A nessuno, in particolare, è dato di cambiare il mondo, a tutti, però, è dato di comprenderlo. (Andrea Bocelli)

Hotman Sihombing

www.WordPress.com

%d bloggers like this: