Encrypted Communication Has Never Been Easier – Security Never More Challenging

ProtonMailJust over two years ago I decided to spend some time digging into an emerging class of encryption tools that were making a solid run at simplifying the notoriously cumbersome use of PGP.

“So I stopped being lazy and have encryption implemented across all of my devices. Now, I have a 4096-bit RSA OpenPGP key, The Chrome extension Mailvelope is handling Gmail encryption, Thunderbird and Enigmail are configured on the Linux box, and IPGMail is setup for the same on my iPhone.”

Now I wasn’t looking to implement the strongest security model. I just wanted to see how challenging it would be to implement and use reasonably safe tools across all of my devices. These tools, all of which sprang to life pre-Snowden, did represent a huge improvement in usability but none of them would have passed the mom test.

Fast forward a very short two years and the landscape is starting to look very different. Free elegant encrypted email services like ProtonMail (listen to my interview with co-founder Andy Yen) and Tutanota are now viable alternatives to Gmail for millions of people. Encryption is baked-in and transparent to the user. If you were creating your first email account today there would be no reason not to start with an encrypted-by-default solution and we are rapidly approaching the point where the absence of end-to-end encryption in some of these tools will be perceived as a fatal flaw by consumers. Tresorit

Encrypted cloud storage is significantly easier to use as well. Here we see the same kind of evolution from plugins or add-on applications that add encryption capabilities to standalone tools like SpiderOak and Tresorit that encrypt by default. These services greatly simply security by making it a nearly invisible function of the software. Are they as easy to use as Dropbox? Close, but not quite. However, they are reasonably easy. In fact, I use Tresorit for all of my file storage across all of my computers and phone. The convenience penalty is now so slight that it is essentially negligible for a large portion of the user base.

SignalBut nowhere has the shift toward usability been more evident than in the mobile app market. People have literally thousands of options to choose from. Although it must be said that the number of good options is substantially lower than the total. Still, the barriers to encrypted text messaging, photo sharing, and even voice conversations on your phone just don’t exist. Secure communication is drop dead simple.

And Now A Warning

The tools that I’ve mentioned here are all reasonably secure. Reasonably. That’s a very important caveat but what does it mean? It means that, as I’ve said before, true security requires more than tools. Every tool and every model has numerous attack vectors. If your secrets are juicy enough, say they’re interesting to a superpower or country with advanced intelligence collection capabilities, then they will find a way to literally or metaphorically read your mail.

Reasonably secure in this context means that people who are not targets of incredibly sophisticated adversaries can expect these tools to do exactly what they say they do. If you are Edward Snowden or on this exclusive list then these tools are not for you. In fact, the internet is not for you at all unless you’re willing to employ a radically different security model. ProtonMail is even honest enough to remind its users of that in a breakdown of their threat model:

ProtonMail Warning

You’re probably not the next Snowden (lucky you!) but all of us have to think about who we are, who wants our information (seemingly everyone), why they want it, and what precautions must be taken to prevent that disclosure. Security requires more than an app. It requires thought. And this is why it will always be difficult – even as the tools get easier to use.

Tweet about this on TwitterShare on FacebookShare on TumblrShare on RedditShare on LinkedInDigg thisPrint this pageEmail this to someone

The Linux Foundation’s Linux Workstation Security Checklist

Linux workstation security checklistKonstantin Ryabitsev’s high-level security recommendations for Linux Foundations systems administrators is probably not the kind of document that most of you would read. In fact, I’ve known a shocking number of SysAdmins who wouldn’t take the time to read something like this. But trust me it’s worth reading – even if you don’t understand it.

Now you’re probably wondering how reading something that you don’t understand could be useful. That’s a very understandable point of confusion. But when it comes to security the things that you don’t know or don’t understand are the things that could literally or metaphorically kill you. The stuff you don’t know is the most important stuff.

A lot of very technical people follow and read Blogs of War but I am primarily sharing this for the benefit of the other 99% – those of you who probably won’t fully understand Konstantin’s recommendations.

Why?

Because if you’re even remotely interested in security this will give you topics for exploration. This is a pretty cool jumping off point for those of you who want to learn more about securing yourself and your hardware. And don’t get too hung up on the Linux-specific recommendations because many of the concepts and vulnerabilities are universal. If you’re not interested in learning more about this topic that’s fine too – as long as you’re comfortable with the risk.

Tweet about this on TwitterShare on FacebookShare on TumblrShare on RedditShare on LinkedInDigg thisPrint this pageEmail this to someone

The Return of the Gold Dinar: What is ISIS Up To?

ISIS Video: The Return of the Gold Dinar


ISIS is extremely proud of their latest video but, trust me, it’s a bit of a snorefest. But, it’s also very different. The horrific violence they’re known for is there but only in comparatively small doses. Instead they’ve opted to take a lot of fringe financial theory (the kind you might have heard already if you pay attention to Ron Paul or Glenn Beck ) and wrap it The Mummy Returns production values. Then, just like a college freshmen who has taken one economics class and read a dozen conspiracy theory websites, they drone on and on and on. It’s weird – just not weird enough to be interesting.

Of course, what we really need to know is why they’re going to all of this trouble. I’m still processing this but from their perspective:

  1. The production values project authority and capability. Their internal and external audiences both need reassurance.
  2. The pseudo-intellectual financial theory will not impress economists but it will resonate with people who view alternative financial systems as a rejection of current political systems. There are large numbers of people in the Middle East – and the United States who share this view.
  3. It checks the theology box by claiming to be a model that is more inline with Islamic principals.
  4. Money is central to statehood so this reinforces that claim.
  5. At the end of the day the ISIS wants to be seen as a viable alternative to existing powers. Videos like this (and the factors mentioned above) help support that case – at least in the eyes of potential recruits and supporters.

The alignment with the non-Islamic conspiracy thought in the West is the most intriguing aspect of this communication. Is this convergence intentional or is it a coincidence arising out of the fact that these ideas on the financial fringe have been circulating for a long time? I can’t make a call on that at the moment but it is certainly a question worth considering.

Tweet about this on TwitterShare on FacebookShare on TumblrShare on RedditShare on LinkedInDigg thisPrint this pageEmail this to someone