Communicating freely


Archive for the ‘security’ Category

There is no such thing as a free lunch

Thursday, August 3rd, 2006

Gmail makes me nervous because it’s actually a giant advertising data farm.  Google harvests the text of every message and uses it to place little advertisements that suit my personal tastes or vices.  The Gmail threading system is smart.  It’s a terrifically designed web application.  It’s just worrying when we think about personal security.

I think the paradigm of ‘free’ services powered by advertising is not necessarily a good thing.  It offers a certain immediate service (free email!) but at a serious cost (Google gets to read everything you write).  People are going to have to realise that nothing is actually free.  There is a cost somewhere down the line when it comes to providing server farms with these services.

I don’t think that future web applications will be free.  I actually think I’ll be paying for a private web application when I take out my subscription to my operating system.  You know, I’ll buy my UbuntuPLUS package which will bundle a year of UbuntuMAIL and UbuntuPRODUCTIVITY and other web goodies to ensure my data can follow me around the world regardless of whether my laptop makes it with me or not.

I think there are two primary reasons for this occurring.  The first is that I don’t want Google reading my mail (calender, instant messages, office documents).  The other is that boxed software is becoming a commodity and the provision of useful web services is the next logical profit arena.

I posted a couple of days ago talking about how we can have private personal data on servers that provide web applications.  A comment replying to this assertion was posted to my blog suggesting that if a server does not interact with personal data its just a big storage mechanism and no more useful than a USB key.  I respectfully disagree.  Let me explain why.

There is personal data and there is personal data.  For instance, I am glad that my webmail provider knows my name because this allows us both to be pretty sure only the real Shane has access to the webmail account.  That’s personal, and that’s fine.  Google can have it.  However, I don’t want my webmail provider reading my incoming mail.  That’s personal and Google cannot have that.  I want encryption.  I want privacy.

Now, let’s imagine a service called ‘GooglePRIVATE’ which I paid for.  I give Google $24.95 a year to use their spiffy web application under the condition they never read my email.  They get my name and my credit card.  I get encrypted email.  We’re both happy.

GooglePRIVATE could work by storing my email in an encrypted database.  When I go to log onto GooglePRIVATE a session is established between my computer and their server.  My name and password give me access to my account and the password is also used to decrypt a local session of the database incrementally.  First of all the index arrives and shows my threads.  As I’m being absorbed by the message subjects the rest of the database is streaming and decrypting in the local session ready for use.

The server is providing storage, authentication and the algorithms for searching my mail.  It’s also the place where the web application lives (meaning updates are simple and automatic).  My local session is providing horsepower for decryption and the temporary session that holds my unencrypted mail.  When I’m done my database re-encrypts and drifts back to it’s home in the larger database at Google.

I’m sure you see where I’m going with this.  That’s a rough example of how I can envision web applications that don’t require a total loss of user privacy.  That’s the type of web application I would pay for because it would give me convenience without opening a door into my brain.  It’s bad enough with just me living in here.

Security is a process

Monday, June 26th, 2006

Security is a process.  That means it’s not a tool, it’s not something that comes out of a box, and it’s not easy to get right.  Security depends on a chain of different things moving in tandem to counter dangers and weaknesses.  Security does not exist; it’s a way of anticipating or reacting to problems and ensuring that certain goals are met.

Digital security is about countering digital threats.  In my case that usually means considering the threat to communications, more specifically the information contained inside emails.

The security threat with emails sounds something like this: people want to send private messages through a public network where random computers can intercept the messages.  We have to work out how to ensure the messages remain private even if they are intercepted.

The easiest way to do this is to encrypt the messages.  This means that even if someone intercepts the message they won’t be able to read a thing.  The only person who can decrypt the private message is the person who should be reading it.  Perfect.  The overarching security threat is solved by an overarching solution.

The problem returns when we look at the details.

How will we encrypt the private message?  If we use really strong encryption (symmetric encryption) we have to tell the recipient the password.  Transmitting a password is a terrible security risk.  If we use hybrid encryption (PGP) we lose a certain amount of cryptographic robustness.

It becomes evident that security processes inevitably end up being about trading off different percentages of security and practicality.  We need to balance our requirements (sending a private message privately) with the reality of the situation (the only way to send a completely private message is not to send it at all).

A good security process is a careful analysis of the security threat and the security requirements.  It is a balance between theory and practicality that will ensure the main goals of the enterprise are (more or less) met.  Sometimes the security process will fail.  That’s just a mathematical certainty.  There is no such thing as perfect security.

If you think about it there isn’t even such thing as really good security.  What’s a secure workstation?  One you don’t use.  What’s a secure communication network?  See above.  If you actually deploy something you set in motion variables that ensure that at some point or other the security process will fail.  There will be an error along the time and one link in the chain will open.

It is very fortunate that most of the time security is not really quite as important as people may think.  Most private emails are private from a select few individuals like your boss or your wife.  The level of security required to keep them out of your affairs (literally or otherwise) is far less than that required to prevent the NSA checking to see what socks you are wearing.

Even critical security is often time-sensitive.  This means that if a security process offers a good chance of maintaining itself for XYZ time-scale it will often accomplish the required goal.

To put it more bluntly: security processes often translate into either confusing people who have no chance of breaking through them or buying time before professionals break through.  If you’re dealing with professional security life becomes all about buying time.  It’s just insane to think any security process will make a wall that people can’t dig holes in.

Encrypted email is used to send private messages.  It’s pretty tough to crack a PGP encrypted email by brute force.  It takes a lot of computing resources to do that sort of thing.  Of course, the NSA, GCHQ and China intelligence have a lot of computing resources.  If you’re hiding from these guys you’re going to need a lot more than encryption.

Holistic is the word we’re looking for.  A real security process is going to be holistic.  If we’re talking email that means looking way beyond encryption.  Of course we’ll include encryption, but we’ll also be including things like geographical movements (where are the messages coming from?) and time-based analysis (when are these messages being sent and in what order?).  We’ll combine thousands of factors to try to work out how to make a process that will buy enough time to accomplish a goal.

From another perspective, you might bump into a security process and try to work out how to break it before the people using it accomplish their aim.

Maybe the most important thing about any security process is the people using it.  Social engineering has got to be the primary way security processes are cracked.  You meet a guy, get him drunk and get the information you need.  That leads you to another bit of information and so on.  This is how intelligence agencies get a lot of breakthroughs.

For a moment there I drifted into the big picture.  You’re not so interested in how the NSA will discover what XYZ said on ABC trade mission.  But let’s apply the holistic thought to normal everyday encryption.  Holistic processes still apply if you want to go about things properly.

If you want to send a private messages to someone (and that message is to be truly private) simply downloading something like Enigmail OpenPGP will not work.  You need to think locations, you need to think about what will happen to the private keys on both ends of the communication chain.  You need to think about stored emails and the possibility that someone will find them in six months.

You need to think about the fact that even if the emails are encrypted they still exist.  Someone browsing the computer can see that you sent an email to a certain address or name.

There are holes everywhere and we’re just talking about sending a private message to one person in a normal environment.

If you want security then think process.  Look at yourself, look at your objectives, and make a call.  Balance your end-goal against the idea of true security (not doing anything at all), and find a way forward. Remember to plan for the inevitable failure of the security process as well.  Perhaps not today, perhaps not tomorrow, but inevitably it will fail.  If you need something that will work in the long-term you’ll have to keep changing and evolving the security process, replacing each potential access point as probability throws it out of favour.

What’s the most likely way a two-way private message conversation will be compromised?  Any guesses?

Yes.

One of the parties will tell a friend.

That’s what I mean about security being a process.  And people are the least reliable part of the process.  We have to take this into account when we try to secure a communication channel.