Encryption Does Not Undermine Society's Security, It Is Essential To It
In the same week British Prime Minister Cameron proposed a ban on encryption “to keep our people safe”, Der Spiegel revealed that the NSA uses private internet users “as human shields in order to disguise its own attacks”. Juxtaposing public statements of government officials with the covert operations they authorize behind closed doors makes it abundantly clear that network security is an essential part of 21th century democracy.
As was to be expected (which does not make it any less awful) p...
In the same week British Prime Minister Cameron proposed a ban on encryption “to keep our people safe”, Der Spiegel revealed that the NSA uses private internet users “as human shields in order to disguise its own attacks”. Juxtaposing public statements of government officials with the covert operations they authorize behind closed doors makes it abundantly clear that network security is an essential part of 21th century democracy.
As was to be expected (which does not make it any less awful) politicians lined up to use the heinous Charlie Hebdo attacks to push their agenda for expansion of government control over communications including travel, limiting free speech, and online communications.
A bitter irony considering the millions taking the streets to commemorate the fallen cartoonists were a testimony to the widespread support for free speech.
The most far out proposal came from David Cameron who asked rhetorically: “in our country do we want to allow a means of communication between people (…) that we cannot read” and answered with a “no we must not”. Followed by a promise that if re-elected he'll implement legislation “that makes sure that we do not allow terrorists safe space to communicate with each other.”
The means to secure communications online is to encrypt them, which is why Cameron's proposal can be interpreted as either a ban on encryption all together or forcing a backdoor into every piece of software that enables encryption. The idea of a UK-wide encryption ban has been convincingly shot down by technologists pointing out this would throw the country back to a pre-digital age as bank transactions, sensitive business data, diplomatic communications, et cetera, et cetera, et cetera, could no longer be secured online.
Mandatory backdoor
Backdooring, however, seems to find more fertile ground at least among fellow politicians. US president Obama chipped in: “If we find evidence of a terrorist plot (...) and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem”. He counted on the cooperation of the major internet companies because “they’re patriots”.
Leaving aside the question to what extend the tech giants would be willing to cooperate considering the Snowden disclosures about the NSA's and GCHQ's escapades motivated the recent trend in ramping up security, this would involve the rather impossible task of preventing bad folk from writing their own encryption applications.
But the real snag is, of course, that the technology does not discriminate. You can't create a backdoor that only targets a specific group of people. So what Cameron really is asking is “do we want citizens to have a safe space to communicate that the government can not access?”. And, due to the nature of security vulnerabilities which do not discriminate either – the question finally comes down to “do we want citizens to have a safe space to communicate that any agent with sufficient resources can not access?”.
The resounding 'no' of Cameron & friends should worry us all.
Encryption is the only way to protect civil data
It worries the US National Intelligence Council. In a secret 2009 security report it expressed grave concern about the failing security of the “US information infrastructure” which poses a great risk for businesses and individuals, The Guardian reported on January 16 based on documents from the Snowden archive. Network security is in such a deplorable state “organizations should assume” their networks are “already potentially compromised by foreign adversaries”, the report warns. Businesses and individuals are exposed to online crime and espionage “due to the slower than expected adoption (…) of encryption and other technologies”, the report states. The tools to raise the level of security are readily available: “We assess with high confidence that security best practices applied to target networks would prevent the vast majority of intrusions”.
However, online security is still a subject most internet users -private or corporate - pay little attention to. Educating people about the why and how of online security is something governments could take upon themselves, just like they consider it their responsibility to educate people about, for instance, health issues.
Democratic values
But rather than informing people about the risks, some elements in government actively exploit the vulnerabilities resulting from that lack of security awareness.
GCHQ, the British secret service, collected 70.000 emails including those of journalists from news agencies such as Reuters, The BBC, The Guardian and the New York Times, James Ball of The Guardian revealed on January 19, also based on Snowden documents. The catch was part of an exercise that took place in 2008, to test a new program designed to differentiate between emails collected in bulk. Tens of thousands of emails were collected in a time frame of 10 minutes and the program fished out those of journalists. The emails were then freely shared on the GCHQ intranet.
In the same article Ball reports that the secret service considers journalists a threat: “journalists and reporters representing all types of news media represent a potential threat to security”. In threat assessments journalists are often ranked alongside terrorists and hackers.
A free and open press is indisputably one of the pillars of the “liberal modern democracy” Cameron claims he wants “to keep safe”. But to do so he proposes to expand the powers of a government agency that infringes on the communications of journalists seemingly for sports and uses the means it is ostensibly given to prevent terrorist attacks to fight the journalist threat.
Safety
On the other side of the pond the NSA exploits poor network security for its own purposes with equal abandon. The NSA sniffs the internet for computers infected with malware and – instead of warning the owner – infects them again with its own malicious software to use them for its own nefarious purposes. The technique called Quantumbot was made public in an article published in Der Spiegel last week, based, once again, on Snowden documents.
Quantumbot targets computers that are part of a botnet - a collection of thousands or even millions of compromised computers that are remotely controlled by an attacker or botherder. Using Quantumbot the NSA is able to wrest control over infected computers from the botherder. If the computer appears to be owned by an American, the NSA notifies the FBI Office of Victim Assistance, if they are from anyone else in the world, the computer is conscripted by the NSA to serve as "pervasive network analysis vantage points" and "throw-away non-attributable CNA (Computer Network Attack) nodes". Der Spiegel concludes: “This system leaves people's computers vulnerable and covertly uses them for network operations that might be traced back to an innocent victim. Instead of providing protection to private Internet users, Quantumbot uses them as human shields in order to disguise its own attacks.”
A safe space to communicate
Do we want citizens to have a safe space to communicate where all the available security measures are in place as protection against criminals, terrorists and rogue government agencies? Should this question be raised in reference to the physical space we occupy and are so familiar with I doubt anyone would answer with a negative. And I am sure that any politician who would, can start planning a new career. Once this question is transposed to the internet, we're less certain.
We shouldn't be.
A mandatory backdoor or a ban on encryption weakens the security of the global networks that are
an integral part of society. Its security has become indistinguishable from security of society itself. Any politician demanding to give that up has neither freedom nor security in mind. S/he seeks control.
Image: null-byte.wonderhowto.com
As was to be expected (which does not make it any less awful) politicians lined up to use the heinous Charlie Hebdo attacks to push their agenda for expansion of government control over communications including travel, limiting free speech, and online communications.
A bitter irony considering the millions taking the streets to commemorate the fallen cartoonists were a testimony to the widespread support for free speech.
The most far out proposal came from David Cameron who asked rhetorically: “in our country do we want to allow a means of communication between people (…) that we cannot read” and answered with a “no we must not”. Followed by a promise that if re-elected he'll implement legislation “that makes sure that we do not allow terrorists safe space to communicate with each other.”
The means to secure communications online is to encrypt them, which is why Cameron's proposal can be interpreted as either a ban on encryption all together or forcing a backdoor into every piece of software that enables encryption. The idea of a UK-wide encryption ban has been convincingly shot down by technologists pointing out this would throw the country back to a pre-digital age as bank transactions, sensitive business data, diplomatic communications, et cetera, et cetera, et cetera, could no longer be secured online.
Mandatory backdoor
Backdooring, however, seems to find more fertile ground at least among fellow politicians. US president Obama chipped in: “If we find evidence of a terrorist plot (...) and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem”. He counted on the cooperation of the major internet companies because “they’re patriots”.
Leaving aside the question to what extend the tech giants would be willing to cooperate considering the Snowden disclosures about the NSA's and GCHQ's escapades motivated the recent trend in ramping up security, this would involve the rather impossible task of preventing bad folk from writing their own encryption applications.
But the real snag is, of course, that the technology does not discriminate. You can't create a backdoor that only targets a specific group of people. So what Cameron really is asking is “do we want citizens to have a safe space to communicate that the government can not access?”. And, due to the nature of security vulnerabilities which do not discriminate either – the question finally comes down to “do we want citizens to have a safe space to communicate that any agent with sufficient resources can not access?”.
The resounding 'no' of Cameron & friends should worry us all.
Encryption is the only way to protect civil data
It worries the US National Intelligence Council. In a secret 2009 security report it expressed grave concern about the failing security of the “US information infrastructure” which poses a great risk for businesses and individuals, The Guardian reported on January 16 based on documents from the Snowden archive. Network security is in such a deplorable state “organizations should assume” their networks are “already potentially compromised by foreign adversaries”, the report warns. Businesses and individuals are exposed to online crime and espionage “due to the slower than expected adoption (…) of encryption and other technologies”, the report states. The tools to raise the level of security are readily available: “We assess with high confidence that security best practices applied to target networks would prevent the vast majority of intrusions”.
However, online security is still a subject most internet users -private or corporate - pay little attention to. Educating people about the why and how of online security is something governments could take upon themselves, just like they consider it their responsibility to educate people about, for instance, health issues.
Democratic values
But rather than informing people about the risks, some elements in government actively exploit the vulnerabilities resulting from that lack of security awareness.
GCHQ, the British secret service, collected 70.000 emails including those of journalists from news agencies such as Reuters, The BBC, The Guardian and the New York Times, James Ball of The Guardian revealed on January 19, also based on Snowden documents. The catch was part of an exercise that took place in 2008, to test a new program designed to differentiate between emails collected in bulk. Tens of thousands of emails were collected in a time frame of 10 minutes and the program fished out those of journalists. The emails were then freely shared on the GCHQ intranet.
In the same article Ball reports that the secret service considers journalists a threat: “journalists and reporters representing all types of news media represent a potential threat to security”. In threat assessments journalists are often ranked alongside terrorists and hackers.
A free and open press is indisputably one of the pillars of the “liberal modern democracy” Cameron claims he wants “to keep safe”. But to do so he proposes to expand the powers of a government agency that infringes on the communications of journalists seemingly for sports and uses the means it is ostensibly given to prevent terrorist attacks to fight the journalist threat.
Safety
On the other side of the pond the NSA exploits poor network security for its own purposes with equal abandon. The NSA sniffs the internet for computers infected with malware and – instead of warning the owner – infects them again with its own malicious software to use them for its own nefarious purposes. The technique called Quantumbot was made public in an article published in Der Spiegel last week, based, once again, on Snowden documents.
Quantumbot targets computers that are part of a botnet - a collection of thousands or even millions of compromised computers that are remotely controlled by an attacker or botherder. Using Quantumbot the NSA is able to wrest control over infected computers from the botherder. If the computer appears to be owned by an American, the NSA notifies the FBI Office of Victim Assistance, if they are from anyone else in the world, the computer is conscripted by the NSA to serve as "pervasive network analysis vantage points" and "throw-away non-attributable CNA (Computer Network Attack) nodes". Der Spiegel concludes: “This system leaves people's computers vulnerable and covertly uses them for network operations that might be traced back to an innocent victim. Instead of providing protection to private Internet users, Quantumbot uses them as human shields in order to disguise its own attacks.”
A safe space to communicate
Do we want citizens to have a safe space to communicate where all the available security measures are in place as protection against criminals, terrorists and rogue government agencies? Should this question be raised in reference to the physical space we occupy and are so familiar with I doubt anyone would answer with a negative. And I am sure that any politician who would, can start planning a new career. Once this question is transposed to the internet, we're less certain.
We shouldn't be.
A mandatory backdoor or a ban on encryption weakens the security of the global networks that are
an integral part of society. Its security has become indistinguishable from security of society itself. Any politician demanding to give that up has neither freedom nor security in mind. S/he seeks control.
Image: null-byte.wonderhowto.com