Real People Don’t Care About Encryption

<rant> Amber Rudd – the Home Secretary appears to be talking about things she does not understand. I guess my biggest gripe here is this: “If you don’t understand something – ask. If you have a rough idea – have a go. If you are making policy, and media statements representing a country’s populace…. then have your ducks in a row”. I do not believe this is too much to ask as a policy maker and magnet for media attention home and away.

The reality is end-to-end encryption is as much a means to kid people into thinking the communications are safe and secure as anything else. The reality is that while this is technically true – the point to point part is COMPLETELY AND UTTERLY MOOT if the end point is compromised. When I say compromised we are talking pwnd / hacked / malware / trojan – what have you. Obviously – as has recently been underlined it is REALLY hard to tell whether this is the bad man, the state, the state bad man, or a good dude acting like a bad man to figure out their shizzle and do good things.

So – let’s take a moment and consider the headline here – the blindingly stupid thing – the elephant in the room of terrorists and “think of the children” and those are the words that were used:

REAL PEOPLE DO NOT CARE ABOUT ENCRYPTION

This to be fair is right up there with “BUILD A WALL!” for me. It is verging on the kind of car crash art that should be hung in gilt frames with expert lighting in tall domed rooms with nice wall paper off of Trafalgar Square. It is delicious. Its stupidity knows no bounds. I counter with this:

THEY MAY NOT CARE ABOUT IT BUT THEY RELY ON IT

IT IS PERVASIVE – MODERN SOCIETY IS BUILT ON IT

TO LINK IT TO TERRORISM IS NO MORE PRODUCTIVE THAN LINKING CARS, TRUCKS OR GUNS

Let’s abstract this for a moment from “Real People” and phrases such as “have nothing to fear” – and take a moment to change these for other phrases:

– Real people don’t care about the Otto Cycle

– Real people don’t care about the Von Neumann Cycle

– Real People don’t care about fractional distillation

– Real People don’t care about Frequency Hopping Spread Spectrum / Code Division Multiple Access.

… sure – but is that an argument for flagging people for using them, or outlawing them, or breaking something (cars, computers, fossil fuels, radio) that was working so that your mechanism can be inserted? Engineering, historically, tends to suggest no… go forth and multiply.

To put this another way it is a continual surprise to me that REAL PEOPLE do not know how a car works… I mean really works… however they drive them – maybe their whole lives. Real People care about encryption in the same way as they care about their top dead centre lead and lag size in degrees until it all gets loud, and tinsel on that one journey you have to take at 3am in the snow, and your phone has no reception. It is a layer within a platform you use. In the same way as I really am pretty much clueless as to the workings hands on of anything under Layer 3 in the OSI model ; D

Do people get excited about the concept – sure – sometimes – but when they do not, they sure as hell would be irritated if it went away and the mechanisms, protocols, services built on them went away.

While obvious Orwellian overtones loom – it is equally the lack of thought, vision and down right *understanding* that leave me regretfully FAR from stuck for words.

So – what is end to end encryption

The concept is simple. However it is achieved, between point A and point B – it’s really REALLY hard (but not necessarily impossible – an important point) to find out what is passing between the two.

As mentioned earlier – if you have access to point A or point B you do.

If you happen to be able to see or interact with point A or point B and you are not meant to – then the game is up my friends.

How does it work – give me an example?

Sure.

Say I have a crate, with a padlock on it. I want to get the contents to you – by post / courier, but I do not trust the courier with the key… what IS a man to do?

Well – something like this:

  1. I place the message in the box and close the lid.
  2. I padlock the box, and give it to you.
  3. You add your padlock, you hand it back.
  4. I take my padlock off, leaving yours only, and hand it back.
  5. You take off your padlock and open the box and read the message.

… yup – that’s about it. Mystique be gone. We are done, let’s pack up and go home : )
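The padlock exchange above can be carried out with numbers: "adding a padlock" is raising the box to a secret exponent modulo a public prime, and "removing" it is raising to the inverse exponent. This is an added example, not from the original post; the modulus `P`, the function names and the sample message are assumptions chosen for illustration.

```python
import math
import secrets

# Public prime modulus both sides agree on (2**127 - 1 is a Mersenne prime).
# Assumption for illustration; real systems use vetted groups and parameters.
P = 2**127 - 1

def make_padlock():
    """Return (lock, unlock) exponents with lock * unlock == 1 mod (P - 1)."""
    while True:
        lock = secrets.randbelow(P - 3) + 2
        if math.gcd(lock, P - 1) == 1:          # invertible exponents only
            return lock, pow(lock, -1, P - 1)

def turn(exponent, box):
    """Put on (lock exponent) or take off (unlock exponent) one padlock."""
    return pow(box, exponent, P)

def three_pass(message: bytes):
    """Run the five steps; return (what the courier carried, what was read)."""
    m = int.from_bytes(message, "big")
    if not 1 < m < P:
        raise ValueError("message must encode to an integer in (1, P)")
    my_lock, my_unlock = make_padlock()         # sender's padlock, never shared
    your_lock, your_unlock = make_padlock()     # receiver's padlock, never shared

    pass1 = turn(my_lock, m)            # steps 1-2: I lock the box and send it
    pass2 = turn(your_lock, pass1)      # step 3: you add your padlock, send back
    pass3 = turn(my_unlock, pass2)      # step 4: I remove mine, yours remains
    opened = turn(your_unlock, pass3)   # step 5: you remove yours and read

    received = opened.to_bytes((opened.bit_length() + 7) // 8, "big")
    return (pass1, pass2, pass3), received

if __name__ == "__main__":
    courier_view, received = three_pass(b"meet at noon")   # constructed sample
    print("courier carried:", [hex(x)[:18] + "..." for x in courier_view])
    print("receiver read:", received)
```

As in the padlock story, nothing here tells the sender whose padlock came back in step 3, which is why real systems pair the exchange with authenticated keys such as the website certificates mentioned later in the post.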

So imagine if you could do that with some fancy maths. You have a key in the form of a PRIVATE KEY that you never share, and you have a PUBLIC KEY that is out there for every man, Jack and his dog to see, use, have, love. The PUBLIC key forms the basis for their padlock for anything headed to you, and your PRIVATE key unlocks it. You cannot deduce a PRIVATE key from a PUBLIC one. Keys themselves are often salted – that is to say they need a password to use them, and in fact, the password makes the key itself make sense / be usable.

This is no longer the realms of Bletchley Park – this is day to day…. and goes on ALL the time in a lot of places, scenarios, that go unseen to your average Joe Q Public. The maths is SUPER HARD – but so is the maths that keeps your flight to your holiday in the air, or makes the logic in your phone’s hardware work…. we are no longer a society of people with THE BOOK, we have progressed to us all having access to books, to instant knowledge, and not having to understand to use many kinds of technology and engineering…. we are in a world where you no longer buy the drill bit and drill – you buy the hole. Look around you. This is the Social Age…. Information Age is as dead as the Industrial one. Factual. I digress….

 

Terrorist check list

So let’s pull some classic end to end cryptography…. let’s see what kind of users we should be singling out here:

So what about WiFi? Remember the good old days when some scamp would drive around in a car with his mates, with laptops, with magnetic based antennas on the roof sending jolly messages to your printer because they could… and generally documenting what was where? No? No… erm… sorry… no… neither do I… that certainly wasn’t me. Back in the day there was no encryption by default – it was not “du jour” – the technology was not as ubiquitous as it is now, and quite frankly you need a device to allow your device to attach on the whole. WEP was a thing back then.

WEP was what you enabled, smiled and thought “that will keep those well meaning youths out of my network”.

Will it now? WPA and WPA2 followed. More sound encryption, less overhead, more powerful hardware – and before you know it – your “real person” is not likely to connect to a network they see without a padlock beside it because it may as well be a van with “free candy” written on the side… you just don’t do that kind of thing.

So yeah – anyway – WiFi? Encryption.

How about those websites that come up with SECURE, or HTTPS, or bars and things, you know green or blue, or even the ones that say they are not secure? What kind of MADMAN would use such a thing? Well – apparently they are catching on. In fact they are so common that the companies (ie businesses – that are in business – to ‘make money’) are issuing them for free in some cases. Take two examples – EncryptionEverywhere, and LetsEncrypt. The latter I have experience with, and uses stock TLS encryption with PKI as you would expect from any website certificate but they GIVE THEM AWAY FOR FREE. They renew (automatically unlike the paid for ones) every 3 months too – oh – and as if this evil were not unspeakable enough they are introducing wildcard ones before too long (January 2018). Thus far they have issued no fewer than 100 Million certificates. FETCH THE LIST?!!!! I can feel Daily Mail readers bursting into flame and reaching for the Basildon Bond as I type!

Let’s assume this has to be weakened. Given the strong reliance on these world over – and the NEED to keep these up to speed and patched – you can wave goodbye to banking online. Shopping Online. In fact anything that involves personal information as the DPA (Data Protection Act) is a soppy puppy compared to the soon to be law EU GDPR which is a full on rabid rottweiler with an appetite for honest mistakes for breakfast!

VPN – UP AGAINST THE WALL! Who are these desperate dangers to society using such things? Hiding their communications from all and sundry? Take them away! Well – chances are they are connecting over a network they do not trust. These are people calling into work to get access to resources they do not want open to the world. These are people in coffee shops that would rather take their chances in unprotected-no-pants-party than join a public network. They are tunnelling their traffic out so that it’s all in a nice little opaque sub-duct until it emerges on the other side of the perimeter fence.

While we are at it – let’s throw this curve ball in there – The Onion Router TOR – the gateway to “the dark web” as the media love to call it like it is an occult apparition that needs to be conjured – it is in reality a US Naval Military project that got applied to the real world. Sometimes anonymity is good. Not just for when researching the bad person, but when you just plain don’t want Google, Facebook, your ISP, your healthcare provider to log those online searches about depression, or a terminal genetic condition you are researching “for a friend”…. because they do… and they keep them…. FOR EVER…. and that IS a mighty long time. SO delivering encrypted streams between worldwide exit and entry points is not all about the darker underbelly of society… as between you and me there is as much of that in the real world as there is online… it is just far more accessible (not that I would know mind… but you know what I mean).

 

To Conclude

These are just a few examples. There are many. They are endless. They are everywhere.

What we ACTUALLY need to be doing is the opposite, and as the brand name suggests ENCRYPTION EVERYWHERE.

Encryption should be default.

It should be transparent (as it is with HTTPS web pages).

It should be on data at rest [Death Star Plans jokes here].

It should be praised as the last remaining bastion of a free and progressive society.

People should be held aloft as shining examples of best practice for use of cryptography – for encrypted drives, decent passwords, two factor authentication, different passwords for different sites, GPG/PGP, HTTPS, VPN, TLS, SSL, SCP, SSH the list goes on. These are leaders. These are responsible people.

We live regretfully in a world where the REAL people she refers to use the same password everywhere. Their password is their name with a 1 on the end, and only because they needed to use case and a number to be allowed to use it. THESE PEOPLE ARE REAL AND THEY DO WALK AMONGST US I HAVE PROOF.

With the shit sandwich of IoT (Internet of Things) about to explodify in ways you cannot even begin to comprehend both in terms of wonders and blunders…. we need to mature to meet the challenges of modern technologies.

This, this is coming from someone for whom this is NOT his field, he just works with it. As right now Ms Rudd – you have all the foresight and understanding of a Luddite. A destroyer of technology. Opportunity. Credibility.

I can only assume this is an attempt to push the hard of thinking to these platforms, with much mention of WhatsApp owned by the known compliant Facebook – none of Signal and Telegram… or indeed GPG and PGP. One can only hope this is not a last ditch attempt to salvage what control and visibility that the current surveillance affords, or genuinely enforce a golden key, or backdoor to cryptography. As I read of educators spreading the word on cryptography and encryption being jailed in Turkey this week – somehow we seem to be taking giant leaps backwards towards Witch Hunts and the Spanish Inquisition. Madness.

This is simply put Muppetry of the highest order.

I need a stiff drink now, a breath, and sit do…. oh hang on I already am. But my thoughts are down – and will no doubt be re-read and refined. If I can make one person see the futility and stupidity of this – then this has been worthwhile.

In the interim I will wait for the noise of jackboots and the knock…. …maybe even with the big red key.</rant>

One Response to “Real People Don’t Care About Encryption”

  • I am fortunate enough to work in an environment where people can talk about things. It is good to talk. It is good to have differences of opinion. If you cannot talk about things and reason them – you do not have a reasoned opinion – you have a belief… you know like fairies.

    So – Anyway – their take was similar – to the point of commenting on a LinkedIn post regarding it… which sparked the conversation.

    So let’s take the following and summarise:

    POINTS

    1. WhatsApp – is a part of Facebook. They are a compliant organisation;

    2. End to End – is only an issue for someone doing mass surveillance;

    3. The Law – if monitoring was installed, they would not be allowed to talk about it;

    4. Herding – Nothing says “can all you bad people use this” like a statement saying we cannot read your shizzle if you use this platform;

    5. Golden Keys and Backdooring – apparently they are NOT looking for these – so what are they looking for?

    6. Munitions – GPG/PGP has always been classified as a weapon under US law and as such distribution to other countries was restricted;

    SUMMARY

    New technology – With the introduction of quantum cryptography and other cypher methods there are no rules on their proliferation. It has always been a given that given enough time and resources you could probably brute something. “cryptographically secure” doesn’t mean secure for ever. Just you would neeeeeed to want to get in. The introduction of QUANTUM CRYPTOGRAPHY looms. This is a Pandora’s box, along with quantum computing that is going to change all of the rules. It is possible that now is the time to reclassify cryptographic method. Which – to be fair is not such a dumb idea. However to demonise it – to announce that “real people” do not need it, do not care about it… well that – THAT is just dumb.

    /me Shakes head in a disapproving manner.
