Are today’s communications more secure than ever?

I’m going to start this post blowing the punch line, which is an unequivocal: “yes, but…” Yes because today’s communications can use stronger encryption than ever, and it’s getting stronger all the time, historically speaking. Ah, but the but. . . . You’ve got to read the article to see how we’re managing to throw all that security out the window, and what can be done about it.

I don’t think anyone will argue seriously that this doesn’t matter because he/she/(it?) has got nothing to hide. If this were true nobody would wear clothes in summer. Everyone has things that at least would be embarrassing to see aired in public. To say nothing of banking information, taxes, or medical stuff. This has always been the case since the invention of speech (that’s way before writing), and has given rise to jargon, code, and cipher of different kinds. After millennia of competition between those, cipher seems to have emerged victorious as the strongest tool for security in communications.

Here “cipher” is used to mean a perhaps mathematically-heavy manipulation of individual symbols (letters in classical ciphers, binary digits in modern computer ciphers) that renders the message unintelligible, but which nonetheless can be reversed by those possessing the knowledge of a special “key,” again, made of letters or binary digits. Classical ciphers have evolved over time, from the very simple Caesar cipher where a constant alphabetical shift is applied to all letters, which seems laughable today but apparently worked quite well for Julius Caesar, to pre-computer spy ciphers like VIC, which the NSA was unable to crack until the secret was revealed by a defector.

Except for a privileged few, all of those classical ciphers were broken by “the enemy,” meaning a group of highly intelligent and motivated individuals—usually because a war was going on at the time—often on the payroll of a major government. If a cipher can be compared to armor around a secret, those guys and their tools were bullets. Traditionally, bullets always won against armor. These “bullets” were magnificent indeed, and went as far as building the first electronic computers as tools to crack ciphers such as the German Enigma.

But then something happened. Computers began to be used to produce better armor as well, and here math played on their side. Every time they complicated the cipher so that, for instance, an additional letter could be used in the key, this added a small percentage of additional effort when enciphering, but to those trying to decipher the message without the key, it multiplied their effort by 26 times. Of course, computers use binary rather than letters, but the image still illustrates what was going on. Today we are living through the shift from 128 to 256 bits for most binary keys, which perhaps doubles the amount of enciphering computation, but makes the work of a brute-force cracker 2^128 = 3.4E38 times harder. That’s 38 zeros, folks. The English language does not have a word for a number that large, or even a fraction of that, so forget about it.
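The scaling argument above, as an added example that is not part of the original post: a toy repeating-key shift cipher (Caesar generalised to several key letters) is brute-forced using a known opening word, and the attempts are counted per key length. The cipher, the sample message and all function names are constructed for illustration.

```python
import itertools
import string

ALPHABET = string.ascii_lowercase

def shift_encrypt(plaintext, key):
    """Repeating-key alphabetical shift; a one-letter key is the Caesar cipher."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + ALPHABET.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(plaintext))

def shift_decrypt(ciphertext, key):
    """Inverse of shift_encrypt for the same key."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) - ALPHABET.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(ciphertext))

def brute_force(ciphertext, crib, key_len):
    """Try every key of key_len letters in order; stop when the decryption
    starts with the known word (crib). Returns (key, attempts)."""
    attempts = 0
    prefix = ciphertext[:len(crib)]
    for candidate in itertools.product(ALPHABET, repeat=key_len):
        attempts += 1
        key = "".join(candidate)
        if shift_decrypt(prefix, key) == crib:
            return key, attempts
    return None, attempts

def worst_case_attempts(max_len, message="meetmeatthestationatnoon", crib="meet"):
    """Attempts needed when the real key is the last one tried ('z' * n).
    The crib must be at least as long as the key for a unique match."""
    results = {}
    for n in range(1, max_len + 1):
        key = "z" * n
        found, attempts = brute_force(shift_encrypt(message, key), crib, n)
        assert found == key
        results[n] = attempts
    return results

def keyspace_ratio(bits_from, bits_to):
    """How many times larger the binary keyspace gets, e.g. 128 -> 256 bits."""
    return 2 ** (bits_to - bits_from)

if __name__ == "__main__":
    for n, attempts in worst_case_attempts(3).items():
        print(f"{n}-letter key: {attempts} attempts")
    print(f"128 -> 256 bits: {keyspace_ratio(128, 256):.1e} times more keys")
```

Each extra key letter leaves the enciphering loop unchanged but multiplies the worst-case search by 26; the same multiplication, done in base 2, gives the 2^128 factor quoted above.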

Quantum computing? No problem. Double or quadruple the encrypting effort, taking advantage of the new technology. Then cracking effort multiplies by a factor that I don’t dare to guess but is sure to be absolutely huge. Armor wins again, perhaps by a wider margin than ever.

Okay, so then where’s the But?

The big But (no pun intended, or maybe it is; you decide) is that we feel less private than ever, perhaps because in fact we are. We are being asked to supply all kinds of personal information in order to access services as trivial as storing vacation pictures or voting on who the coolest band is. Older folks feel out of control because they are uncomfortable with the technology. Younger folks feel just as out of control because they sense that all that data collection is not being done for their benefit. And indeed they are right. The largest beneficiaries are the services themselves who, under pretense of a “more satisfying user experience,” are running social experiments (Facebook, are you listening?) or simply selling that data to advertisers. Whoever is not receiving “targeted” spam these days please raise your hand. If that wasn’t enough, major hacks happen every day, and the public is quickly losing the sense that there is any privacy anymore.

Because everybody, including the young or even “experts” wearing Grateful Dead t-shirts day and night, is being forced to trust the untrustworthy, every minute they spend online. Great security on paper, but running somewhere where users cannot possibly verify it and therefore trust it with any level of assurance.

It doesn’t have to be this way.

Some of us still remember the time when computers were really expensive and all you could buy was a dumb terminal that connected you to a large (for the time) computer shared by many. Then hardware got cheaper and people moved processing to their own machine, where they could keep some control over it. And then the Internet got faster and everything moved back to “the Cloud”. The only real cloud here is that inside users’ heads. That “Cloud” that users trust so implicitly (perhaps because increasingly they aren’t given any options), is in reality a big computer owned by a big corporation that needs to make money from your data. Your touch-screen ultra-high resolution computer is merely passing everything along, its mass storage filled with code that you know nothing about and its processor largely occupied with the task of popping ads at convenient times (for the advertiser) and collecting usage data to be sent to its big brother. Sounds reassuring?

So am I advocating to go back to pigeon mail? No, just to educate yourself and act consequently. For instance:

  1. Stop speaking about “the Cloud.” Propagating that innocent-sounding term only serves to make people forget what is actually going on. Call it “the Google server,” or “the Apple server,” or “Microsoft Corporation,” or whatever it happens to be.
  2. Encrypt your stuff locally and do not trust the services’ purported “safe” encryption, even if they publish the code plus a ton of scientific articles about it. You don’t know if they are actually using it. If you use their email, encrypt it at the client, before they see any of it (I have an app for that).
  3. Prefer local apps to apps running on a browser unless they let you see all the code, which means JavaScript and nothing else. Store your files in your computer (preferably encrypted) and then, maybe, allow them to be backed up to an external server.
  4. Definitely do not use a Chromebook. With a Chromebook you aren’t even given the option to do what I say above. Google owns your data and everything you do with it. Their mantra is “do no evil,” but how do you know that they’ll keep living it when temptation is too strong?

In other words, stop being lazy and please drop that willful ignorance about what is happening to your data. If you want control, you can get it. Just don’t expect Big Brother to tell you how to do it.

2 thoughts to “Are today’s communications more secure than ever?”

  1. You have apps mainly for text encryption – i.e. PassLok, URSA.

    The most needed encryption is for files. Some of the most useful apps are: VeraCrypt, AESCrypt, and 7z/Keka. Do you have any comment on those apps, all of which run on the clients’ device?
