Exceptional Access to Encrypted Communications

Bob Barr has recently added his voice to the ongoing call of law enforcement to provide exceptional access to encrypted communications. Here’s why that’s not going to work.

“Exceptional access — as governments propose — is the problem of making a system selectively secure. I can tell you, it’s hard enough to make a secure system. It’s vastly harder to make a system secure except for governments, and only available to governments that consist of ‘democratically elected representatives and [a] judiciary’ as the GCHQ authors imagine.”

—Jon Callas, “The ‘Ghost User’ Ploy to Break Encryption Won’t Work.” DavisVanguard.org. July 24, 2019.

Is being able to access the encrypted communications of everyone enough? Between the drone’s Gorgon Stare above, the Ring camera on every other front door for police to access, televisions tracking every show being watched, phones and digital assistants listening in on conversations, fitness trackers as evidence in court cases, Stingray and other technology for phone tracking, license plate readers to track vehicle movement over time, surveillance balloons and so on, it feels to me like the police and military are a little under-powered these days.

I was promised a camera in my television watching my every move, a Room 101 for not sufficiently toeing the line and a boot stomping on a face of humanity forever. Was Uncle Orwell lying to me?

A (Relatively Easy to Understand) Primer on Elliptic Curve Cryptography | Ars Technica

“If you just want the gist, here’s the TL;DR version: [Elliptic Curve Cryptography,] ECC is the next generation of public key cryptography, and based on currently understood mathematics, it provides a significantly more secure foundation than first-generation public key cryptography systems like RSA. If you’re worried about ensuring the highest level of security while maintaining performance, ECC makes sense to adopt. If you’re interested in the details, read on.”

—Nick Sullivan. “A (relatively easy to understand) primer on elliptic curve cryptography.” Ars Technica. October 24, 2013.

How to Boost Your Data Privacy With a Virtual Private Network

“Data privacy matters, and we all deserve respect and consideration from those we visit on the internet. As shown by the numerous data breaches that have affected companies and individual users around the world, individuals and governments, however, we must also look out for our own personal data and privacy. Using a VPN to obfuscate your location and encrypt data is a powerful way to prevent the tracking, stalking and theft of personal and private data.”

—Eric Jeffrey, “How to Boost Your Data Privacy With a Virtual Private Network.” Security Intelligence. November 2, 2018.

A layman’s explanation of VPNs and why you should be using them. I’ve mentioned VPNs before. If interested in using one, check this website for a comparison of different services.

Intra

“Intra protects you from DNS manipulation, a cyber attack used to block access to news sites, social media platforms and messaging apps.”

https://getintra.org/#!/

An app from Google’s Jigsaw team that brings the encrypted DNS lookups that come stock in Android 9 to older versions of Android. Not as good as using a VPN, but better than nothing.

Click Here to Kill Everybody – Bruce Schneier

“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There’s no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.

This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It’s actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals’ safe houses would be more secure, but it’s pretty clear that this downside would be worth the tradeoff of protecting everyone’s house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.

Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won’t make it impossible for law enforcement to solve crimes; I’ll get to that later in this chapter.) Regardless, it’s worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We’ve got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.”

—Bruce Schneier. “Five-Eyes Intelligence Services Choose Surveillance Over Security.” Schneier.com. September 8, 2018.

WireGuard VPN review: A new type of VPN offers serious advantages | Ars Technica

“WireGuard is a new type of VPN that aims to be simpler to set up and maintain than current VPNs and to offer a higher degree of security. The software is free and open source—it’s licensed GPLv2, the same license as the Linux kernel—which is always a big plus in my book. It’s also designed to be easily portable between operating systems. All of that might lead you to ask: in a world that already has IPSEC, PPTP, L2TP, OpenVPN, and a bewildering array of proprietary SSL VPNs, do we need yet another type of VPN?”

—Jim Salter. “WireGuard VPN review: A new type of VPN offers serious advantages.” Ars Technica. August 26, 2018.

Do we need yet another type of VPN? Why, yes. Yes, we do.