Guest Post by Mark Nestmann
You have to admit that the US government has a pretty dismal record when it comes to computer security.
In just the last year, the Office of Personnel Management (OPM) revealed that hackers had stolen the personal information of more than 20 million current and former federal government applicants and employees. The stolen data included more than six million fingerprints – considered the “gold standard” for proof of identity.
If that wasn’t enough, the IRS acknowledged it also had suffered a massive data breach, with hackers stealing information of more than 300,000 taxpayers to claim more than $50 million in bogus refunds. And just a few months later, the IRS admitted that the system it used to identify taxpayers electronically had itself been hacked!
While I don’t consider myself an expert on computer security, I can tell you the steps I would take if an organization I ran suffered breaches of this magnitude. The first thing I would do is pull the plug. Take the systems offline – completely – until the vulnerabilities were isolated, repaired, and then tested under a variety of attack scenarios.
The second thing I would do would be to encrypt everything on both infected and non-infected networks. And by “everything,” I mean exactly what that word indicates.
With encryption software, no one but you and your intended recipient can read your email messages, text messages, instant messages, etc. You can even encrypt your entire hard disk to protect everything on your PC from prying eyes. If hackers managed to penetrate your network, all they’d see is unintelligible gibberish.
For instance, here’s a link to a message I just wrote to myself in an encrypted format. Can you tell me what it says?
Give up? The message is simply, “Encryption works.”
However, encryption doesn’t just help protect the communications of good people. It also protects the communications of criminals and terrorists. For that reason, some people think that the government should always have a convenient way to unlock encryption to read, listen, or view messages. A “back door,” if you will.
That’s a really horrible idea, because strong encryption is really the only certain way to protect sensitive databases like the ones hackers penetrated at the OPM and IRS. And of course, there’s a very real prospect that hackers might discover the back door. That’s happened on numerous occasions in the past.
For instance, when encryption first came into the forefront in the 1990s, police and intelligence agencies worried about “going dark” – not being able to monitor the encrypted communications of criminals and terrorists. The Clinton administration responded with a proposal for an electronic circuit called the “Clipper Chip.”
The purported advantage of Clipper was that it provided a standard for securing private voice communication. With Clipper, however, the government would hold a back door – a key that could be used to unlock encrypted conversations. Congress refused to go along with the scheme after a researcher discovered the actual back door in the Clipper design. It would allow anyone with the knowledge of the compromised algorithm to listen in. And some in Congress figured out that it wouldn’t do much good anyway, because criminals seeking to protect their communications would simply use equipment or software created outside the US.
But apparently some members of the US Senate have short memories. On April 7, the leaked text of a bill called the “Compliance with Court Orders Act of 2016” showed up online. Basically, it would require communications companies presented with an “authorized judicial order for information or data” to provide end-to-end unencrypted data to law enforcement.
Essentially, the proposal would criminalize user-controlled encryption in every modern smartphone. In addition, “license distributors,” such as Apple iTunes or Google Play, could only distribute software that’s in compliance with these requirements. Essentially, anyone posting an app on any US-based software distribution platform would have to prove to the distributor that Big Brother – or anyone else who found the back door – could unlock whatever encryption it included.
Not surprisingly, the US tech industry reacted with horror to this proposal. Michael Beckerman, president and CEO of the Internet Association, put it succinctly: “The draft legislation, as currently written, creates a mandate that companies engineer vulnerabilities into their products or services, which will harm national security and put Americans at risk.”
In response, the sponsors of the bill – Senators Diane Feinstein (D-CA) and Richard Burr (R-NC) – cut and pasted a bit and came up with a slightly less draconian proposal. The only real difference from the leaked draft is that the bill narrows the scope where the legislation would apply: in cases involving drug offenses, child victims, foreign intelligence operations, or any other offense that caused or could cause death or serious injury.
Fortunately, this bill doesn’t have a snowball’s chance in Hell of passing. President Obama hasn’t endorsed it, and there is concerted opposition within the Senate Intelligence Committee to the proposal. But all bets are off if there’s a terrorist attack on American soil where encryption plays a role. At that point, voters will be baying at Congress to “do something.” And you can count on Congress to enact very stupid legislation that could mandate some type of encryption back door.
What’s almost laughable about this entire effort is that as I pointed out a moment ago, it would be incredibly simple to bypass these restrictions entirely. Anyone who wants to communicate privately would simply need to use non-US encryption products without the built-in back doors.
It wouldn’t be a bad idea to prepare yourself for this development by starting to use non-US encryption technologies. There’s a summary of the encryption resources we use to protect our communications and data in this article. You might want to start using these tools yourself, if you’re not already doing so.
Mark Nestmann
Nestmann.com
The one we use (VPN) at The Nestmann Group is Cryptohippie.
Finally, you’ll want a non-US e-mail provider. A good one is ProtonMail. The company offers end-to-end encrypted email and is based in Switzerland. That means your stored emails are secure from US subpoenas and court orders. In addition, ProtonMail has no access to the contents of your email, because only you have the password used to encrypt your email messages.
good info.
For every hack a new defense will be created, for every defense created there will be a new hack.
Our elected idiots believe they should have a easy backdoor, for our safety. Yup, sounds about right.
At the root, this is a demonstration of delusion – if only we had [ backdoors, wiretaps, satellite imaging / snooping, informants within, total control of communications ] we could [prevent terrorism, stop crime, catch pedophiles before they victimize, stop wars, win wars, protect the country]. The delusion / illusion is called TOTAL CONTROL, and posits that sufficient intelligence / snooping will enable total control.
Of course, the no-goodniks figure out they are being spied on, and resort to [sneakernet thumb drives, face-to-face conversation in remote locations / totally public noisy locations / unknown locations, hand-written encrypted communications, steganography, other measures] to defeat the total control freaks, and the dance takes another turn. Meanwhile, the rest of us are victimized to pursue an impossible goal – and the failures [9/11, Benghazi, Syria, Libya, the War on Drugs, Fast & Furious gunrunning, the DHS] get more and more attention and money …..
This is the very essence of an unsustainable situation, and will continue to fail until better minds demand it stop. Which may well lead to replacement with something WORSE … but let’s not give the Total Control Freaks any more ideas, they’re bad enough already…
A good friend of mine was one of those 300k the IRS allowed to have their identities stolen. They have two kids and bought a house, so they were looking at a pretty good sized return. When they went to file about a month ago they learned that a return had already been paid out in their names the previous month. After talking with the IRS and starting the process of clearing it up, they were told it will probably take a fucking YEAR to get settled…..
So first they let your information get stolen and give your money to someone else, then they make you spend money(out of pocket) and hours of your time to correct their fuck up. Sounds about right
I simply will never EVER believe any government when they try to tell me when a person is guilty of ANYTHING.
If I am ever on a jury, and the prosecution is the government, I will simply vote not guilty.
Card802
This is why I tell every young person who asks what a good career is, go into cyber security.