Encrypted Communication Has Never Been Easier – Security Never More Challenging

ProtonMailJust over two years ago I decided to spend some time digging into an emerging class of encryption tools that were making a solid run at simplifying the notoriously cumbersome use of PGP.

“So I stopped being lazy and have encryption implemented across all of my devices. Now, I have a 4096-bit RSA OpenPGP key, The Chrome extension Mailvelope is handling Gmail encryption, Thunderbird and Enigmail are configured on the Linux box, and IPGMail is setup for the same on my iPhone.”

Now I wasn’t looking to implement the strongest security model. I just wanted to see how challenging it would be to implement and use reasonably safe tools across all of my devices. These tools, all of which sprang to life pre-Snowden, did represent a huge improvement in usability but none of them would have passed the mom test.

Fast forward a very short two years and the landscape is starting to look very different. Free elegant encrypted email services like ProtonMail (listen to my interview with co-founder Andy Yen) and Tutanota are now viable alternatives to Gmail for millions of people. Encryption is baked-in and transparent to the user. If you were creating your first email account today there would be no reason not to start with an encrypted-by-default solution and we are rapidly approaching the point where the absence of end-to-end encryption in some of these tools will be perceived as a fatal flaw by consumers. Tresorit

Encrypted cloud storage is significantly easier to use as well. Here we see the same kind of evolution from plugins or add-on applications that add encryption capabilities to standalone tools like SpiderOak and Tresorit that encrypt by default. These services greatly simply security by making it a nearly invisible function of the software. Are they as easy to use as Dropbox? Close, but not quite. However, they are reasonably easy. In fact, I use Tresorit for all of my file storage across all of my computers and phone. The convenience penalty is now so slight that it is essentially negligible for a large portion of the user base.

SignalBut nowhere has the shift toward usability been more evident than in the mobile app market. People have literally thousands of options to choose from. Although it must be said that the number of good options is substantially lower than the total. Still, the barriers to encrypted text messaging, photo sharing, and even voice conversations on your phone just don’t exist. Secure communication is drop dead simple.

And Now A Warning

The tools that I’ve mentioned here are all reasonably secure. Reasonably. That’s a very important caveat but what does it mean? It means that, as I’ve said before, true security requires more than tools. Every tool and every model has numerous attack vectors. If your secrets are juicy enough, say they’re interesting to a superpower or country with advanced intelligence collection capabilities, then they will find a way to literally or metaphorically read your mail.

Reasonably secure in this context means that people who are not targets of incredibly sophisticated adversaries can expect these tools to do exactly what they say they do. If you are Edward Snowden or on this exclusive list then these tools are not for you. In fact, the internet is not for you at all unless you’re willing to employ a radically different security model. ProtonMail is even honest enough to remind its users of that in a breakdown of their threat model:

ProtonMail Warning

You’re probably not the next Snowden (lucky you!) but all of us have to think about who we are, who wants our information (seemingly everyone), why they want it, and what precautions must be taken to prevent that disclosure. Security requires more than an app. It requires thought. And this is why it will always be difficult – even as the tools get easier to use.

Tweet about this on TwitterShare on FacebookShare on TumblrShare on RedditShare on LinkedInDigg thisPrint this pageEmail this to someone

The Linux Foundation’s Linux Workstation Security Checklist

Linux workstation security checklistKonstantin Ryabitsev’s high-level security recommendations for Linux Foundations systems administrators is probably not the kind of document that most of you would read. In fact, I’ve known a shocking number of SysAdmins who wouldn’t take the time to read something like this. But trust me it’s worth reading – even if you don’t understand it.

Now you’re probably wondering how reading something that you don’t understand could be useful. That’s a very understandable point of confusion. But when it comes to security the things that you don’t know or don’t understand are the things that could literally or metaphorically kill you. The stuff you don’t know is the most important stuff.

A lot of very technical people follow and read Blogs of War but I am primarily sharing this for the benefit of the other 99% – those of you who probably won’t fully understand Konstantin’s recommendations.


Because if you’re even remotely interested in security this will give you topics for exploration. This is a pretty cool jumping off point for those of you who want to learn more about securing yourself and your hardware. And don’t get too hung up on the Linux-specific recommendations because many of the concepts and vulnerabilities are universal. If you’re not interested in learning more about this topic that’s fine too – as long as you’re comfortable with the risk.

Tweet about this on TwitterShare on FacebookShare on TumblrShare on RedditShare on LinkedInDigg thisPrint this pageEmail this to someone

Hillary Clinton’s Email Server: Dissecting the Risks with William J. Tucker

William J. Tucker joins me again to discuss Hillary Clinton’s decision to manage her own email services while Secretary of State. While this decision has angered political opponents and government transparency advocates (not to mention a few historians) we are bypassing the political and legal issues to zero in on the risks associated with her decision – and there are many. Join us as we walk through the information security and intelligence aspects of this story and examine the risks posed to Hillary Clinton, our government, and potentially anyone that maintained contact with her through this method. If you’re not concerned now, you will be.

You can follow William J. Tucker on Twitter and read his guest posts on Blogs of War:

Everybody Spies – and for Good Reason
Hawaii a Priority Target for Foreign Espionage
Would the U.S. Really Kill Edward Snowden?
Snowden’s Snowjob?

Subscribe to Covert Contact via iTunes
Subscribe to Covert Contact via RSS
Follow @CovertContact Twitter
Check out the Covert Contact blog

Tweet about this on TwitterShare on FacebookShare on TumblrShare on RedditShare on LinkedInDigg thisPrint this pageEmail this to someone

ISIS/ISIL: Jihadists Go for the Lulz

CBC The Current - ISIS/ISIL: Jihadists Go for the Lulz

I don’t seek out media appearances but last week was a busy one for me. I was interviewed by CBS News, BBC World Service, Jonathan Green of Australian Broadcasting Corporation’s Sunday Extra, and by Piya Chattopadhyay of the CBC’s The Current. I also had invitations from NPR and CTV that I, unfortunately, had to turn down due to time constraints. It was a busy week but thankfully all of the journalists, hosts and producers who reached out to me had a sincere interest in complex stories. They are my kind of people so talking to them was actually quite fun.

A thirty minute guest slot on a radio show seems like an eternally long time when the invitation is extended. But believe me when I tell you that it passes in an instant. A five minute appearance is even worse. It’s like being shot out of a cannon. I still have no idea what I said during my brief 1 a.m. BBC World Service appearance but I do know that an absolutely terrifying number of people do. So that leaves a few more thoughts on this subject that I didn’t quite get to…

It wasn’t too long ago that the hacker group LulzSec rampaged through the internet. They appeared to be an unstoppable force. They were seemingly above the law. In fact, they openly mocked it day in, day out. Throughout it all their message was magnified by non-stop attention from global media fueled by a massive social media footprint. For months the feds looked absolutely lost and outmatched. In reality, they were quite the opposite. They quietly and methodically identified the key players, picked the core group apart, then shut them down and locked them up. Along the way they leveraged the intelligence gathered and the informants created to go on a rampage of their own. The feds won and they won big. So when looking at groups like this it’s important to remember that Superpowers don’t tweet their way to lulz. They use intelligence, police work, courts and the occasional missile. And Hellfires are the ultimate last lulz.

ISIS, although far more dangerous and disturbing, has swept into the public consciousness in much the same way as LulzSec. Their spectacular success on the ground has been augmented by a clever, well-orchestrated, social media campaign. More importantly, its members and supporters speak the language of social media, and are able to build campaigns around it, in a way that few other groups have. They get snark. They understand the quirky humor and leverage it to their advantage. They know how to make their message move and how to trigger a response. They even have technical resources to help them do that. All of it would be unremarkable, actually, if not for their mission and the surrealness of unspeakable brutality juxtaposed with the odd kitten and AK-47 pic.

Still, none of this should be surprising. We are now in era where a good portion of the planet has grown up with social media. In the very near future (and in the case of ISIS right now) extremists won’t have to learn how to leverage the tools or the lingo. Everyone of fighting age will be a digital native with life in social media that likely pre-dates their radicalization. All of this social media campaigning (which still strikes some as sophisticated) will be second nature to them. And again, in the case of ISIS, it is obviously second nature to many of its supporters right now.

A rapid stream of ISIS victories, massive amounts of media coverage and millions of breathless tweets have had a powerful combined effect on the group’s image. Like LulzSec at it’s height they appear to be unstoppable. And while they are a massively destabilizing force in the region, the general public (and many journalists) should start taking a much more critical view of their propaganda. This five year projection would be a good place to start.

ISIS Trolls the Internet with its Five Year Expansion Plan

When looking at this map it is important to understand that ISIS is thriving in a near vacuum created by conflict in Syria and a completely dysfunctional Iraqi government and military. They have not been at the top of a superpower’s target list. And now, after this onslaught, the group has risen to the top of several kill lists. They are creating enemies on a massive scale. So that five year expansion plan is equal parts wildly optimistic recruit bait, psychological warfare and outright trolling. What the group really needs is a five year survival plan. Life for them is about to get much more challenging.

Technology is a Double-Edged Sword

It is quite easy to understand how a broad social media campaign helps ISIS. But their success in this area will create some problems for the group over the long haul. Their members and supporters are feeding scores of intelligence analysts across the globe. Members and supporters are being cataloged, mapped and tracked back to their real identities on a massive scale. Those hashtag campaigns that encourage supporters around the globe to check-in are also an intelligence goldmine. Some of them will use privacy tools to evade detection but mistakes will be made and when they are several services will be waiting.

Another early success for the group, the use of an Android app to boost their social media presence, will also come back to haunt them. Not only will it be a source of valuable intelligence but it illustrates a point of vulnerability for eJihadists who might be surprised to find that their next favorite app was actually created by an opposing intelligence agency or freelancer. Loose digital networks are shockingly easy to infiltrate and misdirect. This one is going to be targeted on a massive scale.

Obviously, this is a reminder that the internet will remain a persistent battlefield for governments and extremists. But it should also serve as a reminder that quick and easy propaganda victories by small forces do not translate into won wars. And governments, in case you haven’t been watching the news for the past year, know how to wage a digital war. More importantly, they know how to take an online battle into the real world on a scale that ISIS does not yet fully appreciate. They can troll the U.S. government all day with Michelle Obama Photoshops but the memes and hashtags that seem so amusing in the early stages of this conflict may be viewed with regret once ISIS realizes the response they’ve triggered.

Tweet about this on TwitterShare on FacebookShare on TumblrShare on RedditShare on LinkedInDigg thisPrint this pageEmail this to someone