GRyan Masters Blog

Cybersecurity and Encryption

11. Victory for Encryption — May 29, 2016

Recently in the news there have been articles about the Senate encryption bill. The bill has not had the support needed, so for now it is effectively dead. With the current political landscape getting ready for the new presidency, voting on this bill could potentially harm the parties. The CIA and NSA have said that they would not back this bill because they know that this would impact their encryption as well (Fingas, 2016).

This is certainly a victory for the way of encryption. If this bill had passed, American encryption would be the same as having a gate to protect your property but not being able to lock it. The bill also shows how desperate politicians are to write up a bill and throw it to the House and the Senate to vote on without knowing anything about the implications. If this bill had been passed, the American people would have been crippled by their own government.

GRyan

Fingas, J. (2016, May 29). Senate anti-encryption bill is effectively dead, for now. Retrieved May 29, 2016, from http://www.engadget.com/2016/05/28/senate-anti-encryption-bill-dies/
10. Snowden calls out Google over Allo — May 21, 2016

In a recent news article, NSA whistleblower Edward Snowden says that “Google’s decision to disable end-to-end encryption by default in its new #Allo chat app is dangerous, and makes it unsafe. Avoid it for now” (Tung, 2016). This is not totally the case: Allo uses end-to-end encryption if users select incognito mode. This will also reduce the functions available during app use. Thai Duong, Google’s ‘cyber overlord’ and co-lead, has said “I can’t promise anything now, but I’m pushing for a setting where users can opt out of cleartext messaging. Basically with one touch you can tell Allo that you want to, “Always chat in incognito mode going forward,” and from that moment on all your messages will be end-to-end encrypted and auto-deleted” (Tung, 2016).

Thai goes on to explain that the primary security for Allo is that messages disappear after a set amount of time. Allo messages will also not be viewable by Google. Thai explained what Google would sacrifice by using end-to-end encryption by default: “In normal mode, an artificial intelligence run by Google, but no humans including the Allo team or anyone at Google, can read your messages. This AI will use machine learning to analyze your messages, understand what you want to do, and give you timely and useful suggestions. For example, if you want to have dinner, it’ll recommend restaurants or book tables. If you want to watch movies, it can buy you tickets” (Tung, 2016).

This is interesting coming from Google. Allo is developed with the disappearance of messages as security instead of encryption. What if the messages are captured before the server deletes them? What impact will this have on the usage of the messenger? Let’s hope that Google knows what they are doing when it comes to the disappearing messages. With the current spike in government interest in recovering data from devices or servers when needed for investigation, what will happen when the courts give an order to Google to produce information that was transmitted within the Allo app?

GRyan

Tung, L. (2016, May 20). NSA whistleblower Snowden: Google Allo without default encryption is “dangerous.” Retrieved May 21, 2016, from http://www.zdnet.com/article/nsa-whistleblower-snowden-google-allo-without-default-encryption-is-dangerous/
9. British Judge Rules in Favor of Hacker. — May 13, 2016

The British FBI (the National Crime Agency) confiscated the computer and hard drives of Lauri Love, who was accused by U.S. authorities of hacking into multiple federal systems between 2012 and 2013 (Gallagher, 2016). The National Crime Agency served Love with an order to turn over the passwords for his encrypted data, and Love did not comply with this request. Love then launched a civil case to request that the National Crime Agency return his equipment to him. When Love filed this case, the agency again asked for his compliance with the original order to give them the password for the encrypted data, and also said that it could not give the equipment back to Love because some of the data on it does not belong to Love (the hacked data).

On Tuesday, at Westminster Magistrates’ Court in London, Judge Nina Tempia ruled in Love’s favor. Tempia said that she was “not persuaded” by the National Crime Agency’s argument that Love should be compelled to disclose his passwords and encryption keys to prove his ownership of the data. She also took a swipe at the agency’s attempt to “circumvent” the Regulation of Investigatory Powers Act, which she described as the “specific legislation that has been passed in order to deal with the disclosure sought” (Gallagher, 2016).

This was a great victory for Love. Love said “If they’d ruled in the other way it would have been very concerning for anyone who has to store sensitive information, especially people with obligations to clients, people under their care in terms of their confidentiality” (Gallagher, 2016).

U.S. authorities are also looking to extradite Love so he can be tried in American courts. Love has been diagnosed with Asperger’s syndrome and does not feel that he would receive a fair trial in the U.S. (Gallagher, 2016). Love also said “There will be no decryption” and fully intends to defend this case to the fullest.

The encryption battle rages on, and it is good to see that judges like Nina Tempia are still on the bench and willing to defend what is right and not who holds the highest power. I believe the FBI had no right to pursue Apple Inc. because of what a customer decided to do with his device. If I buy a Toyota and go on a mass rampage and run over everyone that I see, is the government going to go after Toyota and try to force them to tell me why I did it? Or possibly force them to detect my GPS location at every second during the spree and locate an audio message that may have been received inside the video? As the battle over encryption rages, stay tuned for weekly updates.

GRyan

Gallagher, R. (2016, May 10). British Hacker Wins Court Battle Over Encryption Keys. Retrieved May 13, 2016, from https://theintercept.com/2016/05/10/uk-hacker-lauri-love-encryption-court-victory/
8. Encryption Racism — May 8, 2016

The battle for encryption rages on. The debate between the FBI and Apple Inc. has forced the encryption matter to the front of the line. Now more than ever, people are paying attention to encryption, even if they know nothing more than that encryption is a way to protect your data. Many other countries are starting to approach the encryption barrier before it becomes a problem for them. India has announced that it has developed a mobile forensics tool that can handle smartphones, even the iPhone (Kochar, 2016). India has accepted that encryption may become a problem for law enforcement and create issues with them properly conducting their duties.

There is another protest that is against the banning of encryption for reasons of discrimination. Anti-encryption measures are a violation of our First and Fourth Amendment rights (Renderos & Putterman, 2016). Already, communities of color, or non-American, are experiencing a rise in illegal surveillance, border control, and illegal policing (Renderos & Putterman, 2016). What I don’t agree with in this article (“To the next POTUS: For communities of color, encryption is a civil right”) is this: if encryption is weakened, or the state or the Federal Government decides to change the way that encryption is allowed, all Americans (black, white, Hispanic, Muslim, etc.) will suffer equally. To say that communities of color will feel the effects more is false. Yes, without the encryption to protect those within the community, surveillance measures will be more successful, but technology and data do not have a race. Everyone will be equally likely to have data compromised. Also, just as with any other laws that are passed to reduce any aspect, the criminals will prevail while the law-abiding citizens give in to the law and become victims of these same laws.

Encryption is not a topic where the question should be whether to use it or not, or even whether to reduce its effectiveness. The government needs to come up with a way to combat it the same way they have developed methods to deal with other situations. If the government is going to reduce encryption standards, they should also mandate that everyone leave a spare key to their house with the local police in the event they need or want to get into your house (same for vehicles). Sometimes it makes me wonder if the government really protects its citizens, or does whatever it sees fit to complete its own objectives.

GRyan

Kochar, R. (2016, May 7). A Tool For Mobile Forensics Has Been Developed To Handle Encryption, Including iPhone, says Ravi Shankar Prasad. Retrieved May 8, 2016, from https://www.entrepreneur.com/article/275384
Renderos, S., & Putterman, M. T. (2016, March 7). To the next POTUS: For communities of color, encryption is a civil right. Retrieved from http://social.techcrunch.com/2016/05/06/to-the-next-potus-for-communities-of-color-encryption-is-a-civil-right/
7. The Encryption Debate — May 1, 2016

What started as a crime has now turned into a national debate. The massacre that happened in December 2015 at the Inland Regional Center in California was the start of the FBI vs. Apple Inc. debate. The FBI acquired an iPhone from one of the killers, and was pressuring Apple Inc. to modify their iOS software and allow the FBI to gain access to the device. This need for access to the devices led to a Supreme Court lawsuit, and has started a national debate over encryption.

There is a new bill that the Senate is trying to pass, the “Compliance with Court Orders Act of 2016” (114th Congress, 2016). If this bill is passed, what will become of encryption standards? There are many concerns with this piece of legislation. If this legislation is passed it will not have good implications. Companies that abide by the law will follow this new bill, but the criminals, terrorists, or hackers will not. These groups will abuse this bill to their advantage. Also, this bill does not apply only to a particular venue, i.e. communication companies like Apple Inc., WhatsApp, and Viber. These companies are on everyone’s minds because Apple Inc. is the highlight company for the creation of this potential bill, but this will apply to every company that uses encryption. From operating systems (OS) to companies that create encryption software and companies that deploy encryption, all will be subject to weakened standards or to using software that has a backdoor.

The Federal Government will not follow this bill. They will create another bill that allows the use of unfettered encryption to remain on government information systems. This bill will also create “new criminals” because some companies will not comply with this bill because of the increased security vulnerabilities that will be created by the government.

If this was a decision that would not have heavy security impacts on companies, then the bill would not be an issue. This bill is being attacked from every angle. Many say that this bill was created by people that do not understand encryption nor the implications that this bill will have on industries (Peterson, 2016). Bob Lord, Yahoo’s Chief Security Officer, talks about why Yahoo is looking into encryption that even Yahoo cannot decrypt (Twitter, 2016).

GRyan

114th Congress. (2016, April 30). Compliance with Court Orders Act of 2016. Retrieved May 1, 2016, from https://www.burr.senate.gov/imo/media/doc/BAG16460.pdf
Peterson, C. (2016, April 30). Hated encryption bill should prompt U.S. intelligence reform. Retrieved May 1, 2016, from http://venturebeat.com/2016/04/30/hated-encryption-bill-should-prompt-u-s-intelligence-reform/
Twitter, A. S. (2016, April 28). Yahoo’s Security Chief On Encryption Debate: What Is The Greater Good? Retrieved May 1, 2016, from http://www.npr.org/sections/alltechconsidered/2016/04/28/475883338/yahoos-security-chief-on-encryption-debate-what-is-the-greater-good
6. Viber has implemented end-to-end encryption within its app. — April 21, 2016

Viber, a competitor to WhatsApp, has also just announced that it has implemented end-to-end encryption for its 7 million subscribers (Conger, 2016). The COO, Michael Shmilov, announced that the encryption being used by Viber will only allow the communicating parties to see the messages, and that the company does not have access to the content of the messages sent using its app. The company does have the visibility to see the phone numbers of the parties communicating. A Viber spokesperson did tell TechCrunch that “MD5 is not being used”, and that “Viber will not grant backdoor access under any circumstance and in any country” (Conger, 2016). Viber has taken the side of Apple and WhatsApp.

One thing that is troubling many is that Viber has yet to publish any information on how they plan to encrypt messages or which type of encryption they will use. Joe Hall, the chief technologist of the Center for Democracy and Technology, is concerned that these companies are so quick to use encryption that they may not be completely securing the technology the way they should (Conger, 2016). “In the rush to encrypt everything, I’m hoping encryption doesn’t become just a fad, resulting in poor security engineering. It’s not clear if that’s what’s happening here, but I suspect we’ll see that at some point,” Hall told TechCrunch (Conger, 2016).

What is the government going to do with this growing encryption retaliation? Before we know it the National Deficit will increase by another trillion dollars because the government is suing every company in America that uses some type of encryption. Should the general public be worried about this? On a daily basis citizens use passwords to access information; encryption is used when logging into many business websites to purchase items or to check banking information, and even to encrypt data so that spies on public networks are not stealing it. The government forcing corporate entities to give up their encryption security so that the government can get information from one person’s phone is the correct approach. While getting the information for this one device, they are creating a vulnerability in every device that uses the same type of security.

Grant Ryan

Conger, K. (2016, April 20). Viber defends new end-to-end encryption protocol against criticism. Retrieved from http://social.techcrunch.com/2016/04/20/viber-defends-new-end-to-end-encryption-protocol-against-criticism/