End-To-End Encryption Isn't Just About Privacy, But Security
from the legacy-of-ed-snowden? dept
Nicholas Weaver has a fantastic article over at Wired detailing how GCHQ and NSA’s “quantum injection” effort works to install malware on the computers of targets via packet injection. As he notes, this effort “turned the internet backbone into a weapon.” That’s dangerous on multiple levels. He explains that, while experts have been suggesting this for years, cleartext traffic isn’t just a privacy issue, it’s now a security issue:
If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgicom to enable covert wiretaps, France can do the same to AT&T. If the Canadians target the Brazilian Ministry of Mines and Energy, the Chinese can target the U.S. Department of the Interior. We now live in a world where, if we are lucky, our attackers may be every country our traffic passes through except our own.
Which means the rest of us — and especially any company or individual whose operations are economically or politically significant — are now targets. All cleartext traffic is not just information being sent from sender to receiver, but is a possible attack vector.
The only way to protect against this is to encrypt everything:
The only self defense from all of the above is universal encryption. Universal encryption is difficult and expensive, but unfortunately necessary.
Encryption doesn’t just keep our traffic safe from eavesdroppers, it protects us from attack. DNSSEC validation protects DNS from tampering, while SSL armors both email and web traffic.
Thankfully, he’s not the only one thinking about this. As we pointed out a few weeks ago, IETF is moving forward, full-steam ahead, on looking at ways to make the internet secure by default.
That seems like a very useful consequence of all of this. While we’ve mostly been focused on what’s happening at the political and policy levels around here, the technology can make a lot of that meaningless. The simple fact is that an awful lot of security online has involved kludges pasted on later, after problems or concerns appeared. Rethinking and rebuilding a more secure (it’ll never be perfectly secure but it can be a lot more secure) internet from the ground up isn’t just good for protecting privacy and keeping away from snooping spies, but it’s just a good plan, in general, for security.
Filed Under: cybersecurity, encryption, end to end, nsa, online attacks, online security, packet injection, security, surveillance
Comments on “End-To-End Encryption Isn't Just About Privacy, But Security”
My internet was already secured, but I do welcome more security, layers, layers and more layers of it.
Oy. What's been obvious to me for years is now seeping into noobs.
“turned the internet backbone into a weapon.” — Sheesh. You only have to understand a bit of how it’s designed — the root servers, plain text everywhere, open addresses in every browser request — to see that it has NO OTHER PURPOSE than for spying.
Just for history: in 1979, Neil Young (of Crosby Stills Nash and Young) wrote (one of his best in my opinion) “Computer Cowboy (Aka Syscrusher)” which speaks exactly of SNOOPING / HACKING the then almost unknown networks. “He rides the range at midnight [allegoric, see?] … to bring another system down, and leave his alias behind”. Security problems are SO not new.
And has this noob never heard of Google? The MAIN spying done on teh internets is BY Google and Facebook!
Oh, and mainly, this intended lack of security will become the excuse for hardware lockdown and personal identification everywhere. All as intended from the start: a panopticon system surveilled by gadgets, the utter end of personal freedom. The Internet IS the Big Brother telescreen system.
“The new Google privacy policy is: You have no privacy.”
12:16:54[n-257-0]
Re: Oy. What's been obvious to me for years is now seeping into noobs.
^^^ Wish that I’d learn to preview. That’s what it’s for.
Re: Oy. What's been obvious to me for years is now seeping into noobs.
Whoops. 1982. Here for your delectation the lyrics (stolen no doubt):
Well, his cattle each have numbers
And they all eat in a line
When he turns the floodlights on each night
Of course the herd looks perfect!
Computer Cowboy.
Well, he rides the range ’til midnight
And the wild coyotes yowl
As he trots beneath the floodlights
And of course the rhythm is perfect!
Computer Cowboy.
Ride along computer cowboy
To the city just in time
To bring another system down
And leave your alias behind:
Computer syscrusher.
Computer syscrusher.
Crusher. Syscrusher.
Syscrusher.
Re: Re: Oy. What's been obvious to me for years is now seeping into noobs.
LYRIC COPYRIGHT INFRINGEMENT!!!
Re: Re: Re: Oy. What's been obvious to me for years is now seeping into noobs.
Yes indeed, the copyrighted material has been infringed and the artist deprived on remuneration by arch-hypocrite OOTB.
I presume that’s an anomaly on your part. So, shall we extradite you, Cathy? Huh? Shall we drag you from your home and treat you like a criminal for copying and pasting lyrics on a site that hosts adverts and therefore makes money from your infringement, you grifting, thieving, pirate?
Re: Re: Re:2 Oy. What's been obvious to me for years is now seeping into noobs.
*of remuneration.
Re: Re: Oy. What's been obvious to me for years is now seeping into noobs.
What a bitter and twisted person that OOTB must be! I have visions of a darkened room in a dingy basement in a less-then-salubrious neighbourhood occupied by a gnarled old man hunched over a yellowing keyboard desperately racking a few brain cells to try and produce aimless and completely irrelevant trolling posts to surpass previous attempts at what HE must presume to be intelligent comments. Nobody is fooled for one minute by such inane and puerile ramblings. I believe there is a diagnosis for such a person who desires to be the centre of attention and I would suggest a doctor is consulted.
Re: Re: Oy. What's been obvious to me for years is now seeping into noobs.
So you’ve finally become an anti-copyright ‘freetard’ blue?
Or do you think copyright laws only apply to other people?
Re: Oy. What's been obvious to me for years is now seeping into noobs.
Dear OOTB:
Wouldn’t you argue that TechDirt has it backwards? That end to end encryption is not just about Security but is about Piracy, er, um… I meant Privacy?
I also believe solving international spying abuses, is just as much a technological issue, as it is a legislative issue.
That’s why the NSA perverting organizations such as the NIST, is so horrible.
As bad as it is, this is good...
As bad as it is when this stuff happens, it could be good if we learn from it. I don’t want the NSA spying on us, but we have become complacent and hopefully this is the kick in the pants that will change that.
Intelligence of other countries should thank them
To make spying and espionage effort toward American general public / business much much easier.
Now I understand why UK said Snowden is harming the national security ***of UK***.
Re: Intelligence of other countries should thank them
Maybe I’m misunderstanding you, but it seems like you are missing the point. The reason the Snowden revelations were so damaging isn’t because it is making spying on terrorists harder. It is so dangerous because it is going to hamper attempts to track their own citizenry.
So it really doesn’t have anything to do with the Americans or the British, per se.
Think about this: The NSA or GCHQ each have multi-billion dollar budgets. They have thousands of employees. They sweep up tons of information. They wield massive amounts of power. If you think they want to give that up, you are crazy. End-to-end encryption would wreck all of that and make 90% of NSA and GCHQ useless.
Re: Re: Intelligence of other countries should thank them
” End-to-end encryption would wreck all of that and make 90% of NSA and GCHQ useless.”
Not really. Do you think terrorist groups use gmail to communicate? Yet they tap Google.
They simply invent an enemy wherever they can monitor.
Like Al Qaeda always magically popped up in any country they want to attack.
http://articles.washingtonpost.com/2013-08-12/world/41335229_1_syria-islamic-state-foreign-fighters
And terrorists suddenly are doing conference calls, just after the Skype tapping revelations come out.
https://gawker.com/embassy-closing-terror-plot-uncovered-on-al-qaeda-confe-1052738613
And, ‘anonymous’ suddenly stops being a MEME used by any hacker and is redrawn by the spooks as a cyber-terrorist-army, with ‘cells’ and a control structure and geographic leaders, anonymous in Australia, anonymous in Indonesia…. etc.
If you’re always fighting phantoms, it’s easy to create any number of phantom enemies to fight.
Re: Re: Re: Intelligence of other countries should thank them
But once again, what I’m getting at, most of that goes away (aside from the Al Qaeda thing) when end-to-end encryption is put into service. The NSA and GCHQ simply won’t be able to harvest the traffic.
Not really. Do you think terrorist groups use gmail to communicate? Yet they tap Google.
I think we are agreeing here. I said in my prior comment that they point was NEVER to spy on terrorists (although that was the excuse). With end-to-end encryption, spying on Gmail or Skype or whatever is ineffective. So what is the NSA’s or GCHQ’s job at that point? Why would they be around? Maybe they can get back to their actual mission instead of spying on their own citizens.
Re: Re: Re:2 Intelligence of other countries should thank them
With end-to-end encryption, spying on Gmail or Skype or whatever is ineffectiveThat really isn’t true. Especially as the world transitions to IPv6 they will be able to monitor traffic on the backbones to see who talks to who, even if it is encrypted.
Really not much different than tracking the Meta-Data from cell phones. I may not know what you said, but I know who you said it to, for how long… If you talk to the wrong people then I will attack the end point (install spyware, or more likely activate it, since it is likely built in at this point) to garner further information.
Re: Re: Re:3 Intelligence of other countries should thank them
I’m not an expert here, but I think you are mistaken. End-to-end encryption doesn’t just cover the message itself. It also covers the transmission of that message including its sender and its destination. I think this would be tied into DNSSec. For email specifically, it would involve the previously mentioned Dark Mail.
http://www.techdirt.com/articles/20131030/11091025070/dark-mail-alliance-lavabit-silent-circle-team-up-to-try-to-create-surveillance-proof-email.shtml
The point of end-to-end encryption is that it would be end-to-end and not leave any dangling metadata. Perhaps there would be some ability to track the amount of data transmitted, but that would be obfuscated by sending extra data, using compression, sending messages split into chunks, or using stenography.
Re: Re: Re:4 Intelligence of other countries should thank them
I am an expert. Even encrypted data has meta data. The packets will reveal for example Packet size, Source, Destination, Source Port, Destination Port (which can reveal type of traffic, such as Web, Email…)
Don’t get me wrong, encryption makes the NSA et al job harder, but it is still possible. They would have to change to a multi layer approach, and would concentrate even harder into forcing back doors into encryption protocols. Many people believe they already have backdoors into some protocols, and they may well have the private keys issued by many cert sites.
Re: Re: Re:4 Intelligence of other countries should thank them
He’s not mistaken at all. Just to get the data from one machine to another over the internet requires information about where the data packet is coming from, where it is going, timestamps, and other miscellaneous things. This data cannot be hidden or the transmission won’t succeed. There’s really no way around this.
What you can do is use thing like an onion router (like Tor) to obfuscate the transmission path. It’s not perfect, but helps a lot. If you’re only worried about specific services, you can use proxy chains (for web browsing) or anonymous remailer chains (for email) to get a similar effect.
Not only is end to end encryption necessary for security and privacy, Individuals and companies need to manage their own keys, and data. Microsoft does not encrypt their internal traffic and they want businesses and individuals to use their cloud, which seems like a good way of telling the government what you are doing and saying.
Meaningness
Yeah, TOOLS that EXIST have that tendency to affect REALITY more efficiently than the wasteful enforcement of arbitrary rules by a self-granted monopoly on coercive violence.