Top Secret

by Dave Michels

It turns out that some people actually have secrets. I don’t. I regularly share every thought via videos, tweets, and posts. Or do?

We all have secrets. Some are more interesting than others. If our emails and chats became public, there’d be a lot of  ‘splainin’ to do.

Some feel that trading things like access to a social service for some private information is a good deal. Targeted ads are better than pantyhose ads. While there’s some truth there, most are unaware of just much information they are trading, how valuable it is, and how it gets used against them. It’s odd, but advertising and other forms of online emotional manipulation tends to be a problem that only affects “other people.”

Some feel WhatsApp encrypted messages or a VPN protects their privacy. But that’s a bt of a leap. If I was really snoopy, I might start a cheap VPN service. Anyone can and the VPN provider is in the perfect position for what’s known as a man-in-the-middle attack. The VPN provider can monitor all encrypted communications.

Do we know really know if WhatsApp messages are secure? I have no reason to think otherwise, but I also know that E2EE is as good as the key management. In this case Facebook does the key management. Anyone with access to those keys has access to the messages. Plus, there’s tons of info in the metadata. WhatsApp is popular for customer engagement, so even without access to the message we might guess that someone suddenly chatting with Ford is a good prospect for Chevy. That could be a good advertising model. I wonder if Facebook thought of that?

Let’s face it, if you really want security you should turn to a commercial encrypted commutations service. I’m talking about services such as Encrochat, Sky Global, and Anom. These providers offer ultra secure wireless devices that promise full E2EE. Oh, I should mention they all share something else in common: They have all been penetrated by law enforcement in the past year resulting with the arrests of a large portion of their customers. Anom is the most recent, and wasn’t even hacked. It was being operated by the Australian Police and the FBI.

Law enforcement wants all encryption to have a back door so they can access it legally if necessary. They appear to be doing a pretty good job of accessing encrypted content without the back door. The bigger problem with back doors is they compromise all encryption in two ways. A back door means that hackers might penetrate it – they seem quite capable of penetrating just about anything they want to including the most secure computers in the world. The supply side attack of Solarwinds wasn’t even that revolutionary. Hackers cracked RSA back in 2011 and managed to get the keys to every customer of RSA that felt it necessary to secure content with the best tools available.

The other vulnerability with back doors is managing proper access. That’s tricky. Snowden revealed how unchecked processes created mass illegal monitoring (PRISM). Last week, we learned Trump’s DOJ allegedly illegally investigated political rivals. Apple even let us down. Apple became a champion of the people by defying a court order to decrypt a phone back in 2016, but evidently rubber-stamped the the DOJ’s request for access to the metadata of congressional Democrats. Apple effectively let us know that their crusade to protect our privacy has limits – and gag orders. Regarding that 2016 case, the whole thing went away when the FBI hacked in without Apple’s assistance.

It is a bit concerning that encryption is failing so easily. I think that’s largely implementation. I know that modern encryption when done properly is very secure. Consider that Bitcoin has never been hacked (exchanges yes, core Bitcoin no). Its market cap kissed a trillion dollars just a few weeks, so believe me hackers have tried. The FBI appears to have cracked a bitcoin wallet, but few details are known. They have not hacked Bitcoin, and if they did had they would have recovered the full ransom. Blaming Ransom attacks on Bitcoin is like blaming Ford for armed robberies that use a get-a-way car.

My point in all this is encryption is really, really important. Yes, it makes things harder for law enforcement and spies, but it also allows each of us a shred of remaining privacy. In the US, the Fourth Amendment protects us from unreasonable searches and seizures by government. In 2021 that means encryption.

Which is why it’s odd that full E2EE with key management is so rare in enterprise communications. Part of this is because many providers actually access the content as a feature. For example, backend services that monitor conversations enable advanced search and discovery. So a full E2EE encryption would break a lot of features that users value. More options that enabled E2EE for enterprise use cases are needed. The NSA recently evaluated several collaboration apps from a security perspective because many federal employees are working from home. It published its findings, and found that Cisco Webex, Wickr, and Wire were deemed relatively secure. 

Google just announced client-side encryption for Workspace. This gives its enterprise customers direct control of the encryption keys for their data, making data at rest an in transit on the platform “indecipherable to Google.” Previously, Google alone handled the encryption of customer data in Workspace.

I find it odd that more enterprises are not demanding total control over their encryption. Perhaps that will be the next big thing in enterprise comms?

That’s a lot of encryption stories in just one month (and we are only half way thru June).