Should we ban encryption so that terrorists can’t use it?

Short answer: No. Read on.

A pattern has been emerging in the last few years of terror attacks: An attack happens, then politicians and spying bureau chiefs call for increased powers of surveillance without oversight. They use (mostly unproven) statements about encrypted technology being used to communicate, preventing the ‘good guys’ from seeing what they are doing. This was certainly the case for the recent Paris attacks and Trevor Timm has written an excellent piece on the various political agendas that Paris is being used for – and on the incompetence of the spy agencies in failing to prevent the attack.

SMSes and phone calls that are used in normal communication are unencrypted. These can be snooped on and, despite that fact, the attackers’ SMS communications were not intercepted and the attacks happened. The simple matter is that there are too many people to monitor to effectively prevent an attack. Plenty of people who are known to resent the ‘free world’ will never get around to actually killing in the name of that resentment. How does a spy agency know which communications to actually watch for when there are so many potential threats?

The other much simpler reason for not banning encryption is that encryption benefits humanity. It keeps our data safe from criminals. It allows us to log in to our Facebook, our emails, our dating apps, our bank accounts with some reassurance that people who intend to harm us in various ways are not able to do so. Banning encryption totally removes that security blanket. We are all harmed by banning encryption. To take such a drastic step is to acknowledge that the terrorists have won – that we are so terrorised that we would willingly enable criminals to view our bank accounts and our private lives.

What about the possibility of enabling backdoors (or ‘front doors’) that allow only the government to view encrypted information? To put it simply, this is not possible. If a backdoor (call it ‘front door’ if you wish) is created, criminals will find it and misuse it. Or perhaps hostile Governments. Don’t take my word for it. Take Barack Obama’s.

See my previous post: Did the Paris shooters communicate using Playstation 4?

Did the Paris shooters communicate using Playstation 4?

The news has been spreading that the Paris shooters planned their attacks using the Playstation 4. Is this true?
1. There is no reason to believe that it is.
2. The belief that they did so originated from an interview given by the Belgian interior minister, Jan Jambon, three days before the attack, talking about IS in general, and not about the particular attack which was then in the future.

The more interesting question is whether it matters if they did.

Should governments now start monitoring in-game chats in the Playstation network? OK. How about in-game chat for the Xbox? How about Words with Friends? The above are examples of communications that get ignored on account of the huge amount of noise from actual gamers. How about spoken words or a real-time drawing or video? Then there are real messaging applications, some of which are encrypted, some of which actually do a very good job of it.

Should governments start monitoring communications between every app that is built and made available to any two humans in order to ensure that terrorists do not plan something? Is this even possible? It may be interesting to think about a Person of Interest-like system that has the ability to monitor everything and alert the good guys when danger threatens someone. Thinking that the government can eavesdrop on every communication is folly. Aside from the technical hurdles for encrypted communications, there is the hurdle of the huge volume of noise to sort through.

Governments should come to the realisation that mass-surveillance is not the answer and that porn-viewing and playing video games are perhaps just a waste of hard-earned tax money. There is pressure from the electorate to be seen doing something after any act causing terror, but doing something useless or harmful is worse than doing nothing.

TSA keys – less than worthless

Do you use a lock with the red and white icon like the one in the picture? If so, I hope that you do not think your luggage is secure. And not because the Washington Post published a picture of the keys.

The United States’ Transportation Security Administration (TSA) has authority to security-check humans and luggage moving through airports in the USA. This includes a right to inspect your bag in your absence. Not being particularly good at this security thing, they have deemed that if you want your baggage to arrive undamaged at the destination, you had better use TSA-approved locks to which they have master keys. The ones that you see in the big picture.

Consider the implications. Thousands of TSA agents all over the United States possess these keys. In order for this system to be secure, every one of these keys must be kept hidden, used only for the intended purpose, and the certainty must exist that no one other than the agent/TSA team will ever come into contact with their set. If someone criminally-minded were to get their hands on those keys, and had access to baggage… AHA! But who could be so evil? The TSA has fired at least 513 officers for theft since 2002. Even if the TSA officers could be trusted with the bags, no one else could be, on account of the fact that the master keys are out in the open. And what does it take for someone to make a copy of these locks? A photo of the keys, no more.

What the TSA have done then, with their invasive searches that threaten to destroy bags, is to reduce security for everyone. Being required to use TSA locks means that nothing of value can be placed in check-in luggage on a flight to/from/in the United States. The Washington Journal article only brought the fact out into the open; it did not cause it.

Passwords ain’t nothing but trouble

You may be familiar with the standard script that your IT gives you about password complexity: it must have 8 characters or more, at least one small letter, one capital, one numeric character and one special. If you are in IT, you may have even seen the Dilbert strip above and felt it hit home.

What’s with these requirements? It is the length and complexity of a password that determine how easily a hacker with very little information about the user can crack the password. The methods are various: For a password with just 6 characters, a “brute-force” attempt can be made using all possible combinations of six characters to match a piece of encrypted text that is known to contain one’s password. If it is longer, “dictionary attacks” are made against known common passwords or actual words, as brute force rapidly loses effectiveness. So “Pa$$w0rd” is a bad password, despite meeting all the requirements stated in the first line.
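The gap between passing the complexity rule and resisting a dictionary attack can be checked in a few lines. This is an added example, not code from the original post; the word list, the substitution table and the function names are constructed for illustration.

```python
import math
import string

# Constructed stand-in for a common-password list; a real check would load a
# large breached-password corpus.
COMMON = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey"}

# Substitutions that dictionary tools undo before matching (illustrative set).
LEET = str.maketrans("$0@13!57", "soaleist")

def meets_policy(pw):
    """Rule from the text: 8+ chars with lower, upper, digit and special."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def dictionary_hit(pw):
    """Return the common word this password reduces to, or None."""
    low = pw.lower()
    # Also try with trailing digits/symbols removed ("Welcome2015!").
    for form in (low, low.rstrip(string.digits + string.punctuation)):
        word = form.translate(LEET)
        if word in COMMON:
            return word
    return None

def brute_force_bits(pw):
    """log2 of the guesses needed to exhaust the character classes used."""
    pool = 0
    pool += 26 if any(c.islower() for c in pw) else 0
    pool += 26 if any(c.isupper() for c in pw) else 0
    pool += 10 if any(c.isdigit() for c in pw) else 0
    pool += 32 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0

def acceptable(pw):
    """Accept only if the policy passes AND no dictionary word is behind it."""
    return meets_policy(pw) and dictionary_hit(pw) is None

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Pa$$w0rd", "Welcome2015!", "abcdef", "gT7#qLz9&wPx"):
        print(f"{pw!r}: policy={meets_policy(pw)} hit={dictionary_hit(pw)} "
              f"bits={brute_force_bits(pw):.1f} ok={acceptable(pw)}")
```

The bit count only measures resistance to exhaustive search; a dictionary hit means the real cost to an attacker is a handful of guesses, whatever that number says.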

The problem here is that the more complex and long the password becomes, the harder it is for the user to remember. This results in the worst problem of all: The password gets written down.

I have come across many posts over the years trying to cover this topic. I recall someone recommending passphrases on the basis that length and not complexity was key to making a password unhackable. Then there is this:

And yet we have missed something crucial. All of the discussion so far was about one password. I now have more than one hundred passwords, about twenty of which I use on a weekly basis. None of these methods are even slightly usable if we have to remember such a large number of passwords.

If we try to memorise, we need to find some patterns with slight variations. If we do lose a couple of these patterns, a person who is interested in getting your information may figure out the pattern. There are some sites that we use that may store passwords very poorly, sometimes even in clear text.

I mostly gave up on memorisation a few months ago and started using a password manager. This comes with its own set of problems. If, for some reason, the password manager is unavailable when one needs to log in, login may be impossible. If someone malicious (or merely mischievous) should get access to one’s unlocked password manager, one can get locked out of all one’s accounts. If the password manager is installed locally on one device, you still need some means of remembering passwords when using other devices. If it stores information that is accessible over the internet it can be used from many devices, but may be more vulnerable to attack.

What can we do? There are people working on that very question. Biometrics is one possibility for the future. We now have mobile phones that unlock upon fingerprint and finger swipe identification and office doors that open using retinal scans. If these technologies gain wide commercial acceptance in various products that we use, they may one day allow us to log in to websites and applications as well. People have currently proven many of these technologies to be theoretically hackable, but the products will keep improving.

Plenty of smart cards are brought out all the time, but they tend to have one flaw: they can easily be lost or stolen. Technologies are now coming up that require the smart card in addition to a biometric or a simple memorisation option. For the sake of our security and convenience, I hope that passwords get replaced by something better in the next decade or two.

This essay was originally posted at my LinkedIn page: