It was curiosity that drove me to listen to the WHD Conference that hosted the infamous Edward Snowden this year. So much hype, so many secrets and even more betrayals infest my mind when I hear his name. Ever since his arrival in Russia I have dismissed him as a half cocked System Administrator who had decided to play Russian Roulette (pun intended) at the behest of the many lives that “Heard The Call” to protect and preserve the freedoms our forefathers died for. However in this instance I was more interested in the message that so many journalist and news affiliates flocked half ways around the world to hear from this “Holder of Secrets”. The fame and notoriety of this man is premised upon his WhistleBlowing revelations from the years he spent working at the NSA.
This time I will not infect this read with my background, or the reason for my bias. Instead I will examine the content and provide the reader with insight, and in some cases usable tools for the next wave of Data Scientist, Journalist, and Tech Service Providers to leverage. While I may inject tones of pure opinion to the topics presented I assure you my bias can be substantiated with years of experience, not read theory. I digress…
The presenters premise in this conference based itself upon a topic most in the tech and privacy world could interpret as Data Privacy Focused. Placing (in my opinion) a unique focus on the US and Foreign Intelligence Services capabilities to intercept communications under the label of Mass Surveillance. Mass Surveillance in laymen terms is the idea of a organization or government entity having the ability to listen, intercept, record and collect information from multiple sources with the intent of intelligence collection.
Keen to the topic of the future of Data Security and Communication Security (COMSEC) as its called in certain circles the attendees of the WHD Conference saw the opportunity to collect as many “secrets” or in more realistic terms “methods” that will ensure the integrity of their respective communications without the NSA being able to intercept it. One of the questions that raised an eyebrow was directed against the use of Mass Surveillance and its effectiveness to thwart terrorism. To my surprise Mr. Snowden eagerly drew the conclusion that it was NOT an effective measure and proceeded to mention and name recent attacks that he surmised that many intelligence services knew of the attacks but weren’t able to stop them. Clearly this rubbed me the wrong way, instead of rebutting this message I will address it with a simple yet hopefully profound statement. Only statistical analysis of all thwarted incidents would deduce whether or not Mass Surveillance is effective. But because these statistics are more than likely highly classified, as to ensure the “formula” is not circumvented, it will be hard to defend either side. He did however define that Mass Surveillance is a effective method to collect intelligence, and those familiar with Intelligence Operations know that Intelligence drives operations. Fin
Progressing through the various questions and summations made during the review there were a few points I think are worth mention. Specifically Zero Knowledge and its effectiveness when applied appropriately alleviates the Burden of Investigation from Service Providers and places the responsibility on Law Enforcement. The Internet in its post adolescence stage was meant to be a open forum to collaborate, communicate and share information. Overly policing the internet would in my opinion drastically degrade its value in the core elements of its function. With that I do agree, but as one journalist mentioned this does carry a unique problem. If it is not policed then how are we to stop the malice that it perpetuates without a mature policing solution? Example? Child Pornography, Drug and Weapons Trading and so forth and so on?
This is where I believe proper segregation of jurisdiction is at play here. We all know that any tool can be used for good and bad irregardless of design. An example that was presented went something like this “ When someone purchase a car from the dealership, and someone uses that car to conduct a bank robbery, is it the fault of the Car Manufacturer that the car was used to rob a bank? Of Course not, so how should we expect the same in the digital world? The only way to reach a viable and morally sound remediation from a Service Providers perspective is to Not Know or as coined in the Data Hosting world Zero Knowledge implementations. Heres an idea to digest- You cannot Lie About What You Dont Know, or more relevant to this topic “ Your (SP) cannot violate your integrity with its client base by giving access to Law Enforcement, that it honestly Does Not have access to.
Instead of toiling around with the morality of such an implementation. Perhaps its best we look at it from a strictly economic point of view. If a service provider such as Mega, does not know and cannot access its clients data then it inherently put the burden of investigation in the right hands “the investigators”. Or if we zoom deeper into the weeds and speak to the individual who wants to ensure privacy from end point to end point, the technology should not be held responsible but rather the individual.
Ironically this is not a new idea many regulations require this implementation and not just Government entities. Take a look at FISMA Access Control, NIST 800 Series, and FEDRAMP. Access to the data contained in a properly certified FISMA system is strictly prohibited by the hosting provider. Again secrets that aren’t really secrets, just practices not known by the masses. This was demonstrated in an answer Snowden presented when asked by the audience “With all of the Secrets and tricks you know, do you think you are being tracked right now? His answer was YES, he even went so far to indicate that all the members of the audience are now part of a record for reasons they should understand why.
There were other points made in the review that I will not entertain due to the purely juvenile nature they presented. However I will leave the reader with the following “Non Secrets” that can be adopted for personal or business use. In efforts to give the reader the illusion that there are secrets and revelations to be discovered- here are a few bits&digits that should satisfy your thirst for privacy.
If you want your communications to be secure, remember that End to End is the only way. Mathematicians develop Encryption, and very rarely has a Encryption Algorithm been compromised. The compromise typically happens in its use and implementation.
Before you blame the NSA for snooping through your emails and listening to your phone calls, focus attention on the EULA agreements your service providers lend you when you gleefully sign up for their services. I assure you there will be ample surprise when you understand that the big guys (Google, Microsoft, Yahoo) all tell you in non specific terms your expectation of privacy is non existent. Try your hand a PGP.
Expectation of Privacy is something you should believe in as much as the Unicorn and Pot of Gold at the end a rainbow. Establish your own COMSEC rules and stick to them. Deviations to a Draconian COMSEC policy only allow for others to intercept.
Zero Knowledge is a very useful and brand amplifying phrase to use if your a service provider. But ensure you know or consult with someone who does understand what it means before you lend your private data in their hands. Zero Knowledge is fairly old, but think in the terms of Forensic Accounting. If you can trace the money you can find the culprit in the same spirit. If your data service provider claims to be Zero Knowledge inquire to the methodology it uses to mask your payment method, your use method and how it intends to keep your identity safe in the event the “We are here to Help” boys knock on the door asking for the records.
Dont believe in the hype, NSA isn’t your worst enemy. There are data brokers who have more information on you than most 3 letter intelligence services. They sell and barter your information much more than you would imagine. Want to know more? bitsdigits.com
If you are a journalist, Service Provider, or just a Privacy Conscious citizen the burden of keeping your information private is on YOU. Not anyone else, educate yourself on things like I2P, TOR, WICKR, PGP/GPG, Whole Disk Encryption, and Remote Locking. Privacy is not as illusive as you may believe. Though WikiLeaks and Snowden Leaks may lend you to believe so, its that same defeatist attitude that allows you to slip up and not ensure you are armed with the know how.
Look towards industry standards that are being adopted by cooperations that are required to adopt Data Security Standards. Breaches and Hacks in the news are not a result of a Ft. Knox type of institution with Oceans 11 (movie reference) level of complexity. The intrusions are typically a result of some process that upper management didn’t effectively monitor like Patch Management, or Email Spear Phishing attack awareness. Put your organization to the test, call a company that has the know how like bits&digits to exercise your capability to ensure data security is not just a phrase thrown around in status meetings. HIPAA/SOX/GLBA/FISMA these regulatory standards if implemented with zero deviation are sound enough to protect an institution from breaches. Its the waivers, and excuses NOT to adhere to them that result in these companies being hacked.
Low Hanging Fruit is just that. If you don’t know ask. There Are No Secrets, just things you don’t know. FIN