Government Email Problems, Wikileaks, Russia, Drone Leaks, NASA Security and Other Counterintelligence Nightmares

The Covert Contact podcast kicks off again with an admittedly rambling, but hopefully entertaining, start as I review a number of high-profile security issues with counterintelligence pro William Tucker. We look at the hack of DCIA John Brennan’s AOL account, Hillary Clinton’s email problems, and then ponder the broader risks associated with the personal accounts of key U.S. officials. And while we’re at it, what’s with the curious lack of interest that organizations like Wikileaks have in exposing officials in Russia or North Korea? What’s up with that? Then we move on to drone leaks and drone policy before closing out the show with a look at the almost depressingly terrible security practices exhibited by NASA in the Bo Jiang case. Again, it’s a bit of a ramble, but hopefully a fun one.

You can follow William J. Tucker on Twitter and read his guest posts on Blogs of War:

Everybody Spies – and for Good Reason
Hawaii a Priority Target for Foreign Espionage
Would the U.S. Really Kill Edward Snowden?
Snowden’s Snowjob?

Other Covert Contact Episodes Featuring William:
Episode 15: Hillary Clinton’s Email Server: Dissecting the Risks with William Tucker
Episode 12: Counterintelligence: William J. Tucker Breaks Down the Challenges

Covert Contact
Subscribe to Covert Contact via iTunes
Subscribe to Covert Contact via RSS
Follow @CovertContact Twitter
Check out the Covert Contact blog


Encrypted Communication Has Never Been Easier – Security Never More Challenging

Just over two years ago I decided to spend some time digging into an emerging class of encryption tools that were making a solid run at simplifying the notoriously cumbersome use of PGP.

“So I stopped being lazy and have encryption implemented across all of my devices. Now, I have a 4096-bit RSA OpenPGP key, The Chrome extension Mailvelope is handling Gmail encryption, Thunderbird and Enigmail are configured on the Linux box, and IPGMail is setup for the same on my iPhone.”

Now I wasn’t looking to implement the strongest security model. I just wanted to see how challenging it would be to implement and use reasonably safe tools across all of my devices. These tools, all of which sprang to life pre-Snowden, did represent a huge improvement in usability but none of them would have passed the mom test.

Fast forward a very short two years and the landscape is starting to look very different. Free, elegant encrypted email services like ProtonMail (listen to my interview with co-founder Andy Yen) and Tutanota are now viable alternatives to Gmail for millions of people. Encryption is baked in and transparent to the user. If you were creating your first email account today, there would be no reason not to start with an encrypted-by-default solution, and we are rapidly approaching the point where the absence of end-to-end encryption in some of these tools will be perceived as a fatal flaw by consumers.

Encrypted cloud storage is significantly easier to use as well. Here we see the same kind of evolution, from plugins or add-on applications that bolt encryption onto existing services to standalone tools like SpiderOak and Tresorit that encrypt by default. These services greatly simplify security by making it a nearly invisible function of the software. Are they as easy to use as Dropbox? Close, but not quite. However, they are reasonably easy. In fact, I use Tresorit for all of my file storage across all of my computers and phone. The convenience penalty is now so slight that it is essentially negligible for a large portion of the user base.

But nowhere has the shift toward usability been more evident than in the mobile app market. People have literally thousands of options to choose from, although it must be said that the number of good options is substantially lower than the total. Still, the barriers to encrypted text messaging, photo sharing, and even voice conversations on your phone just don’t exist anymore. Secure communication is drop-dead simple.

And Now A Warning

The tools that I’ve mentioned here are all reasonably secure. Reasonably. That’s a very important caveat, but what does it mean? It means that, as I’ve said before, true security requires more than tools. Every tool and every model has numerous attack vectors. If your secrets are juicy enough, say they’re interesting to a superpower or a country with advanced intelligence collection capabilities, then someone will find a way to literally or metaphorically read your mail.

Reasonably secure in this context means that people who are not targets of incredibly sophisticated adversaries can expect these tools to do exactly what they say they do. If you are Edward Snowden or on this exclusive list, then these tools are not for you. In fact, the internet is not for you at all unless you’re willing to employ a radically different security model. ProtonMail is even honest enough to remind its users of that in a breakdown of their threat model:

ProtonMail Warning

You’re probably not the next Snowden (lucky you!), but all of us have to think about who we are, who wants our information (seemingly everyone), why they want it, and what precautions must be taken to prevent that disclosure. Security requires more than an app. It requires thought. And this is why it will always be difficult – even as the tools get easier to use.


Encryption as the New Norm: Discussing A Changing Internet with ProtonMail Co-Founder Andy Yen

Over the past couple of weeks I’ve been evaluating ProtonMail. This service is part of a new generation of tools (most inspired by Edward Snowden) developed with the aim of delivering robust encrypted communications and file sharing to the widest possible audience.

Blogs of War readers know that I’m not an Edward Snowden fan, far from it in fact, but I do believe that we have to secure the applications and communication channels that now pervade our lives. Not because I’m worried about the NSA. Frankly, I’m far more worried about every other threat. However, I’m also keenly aware of the terrorist and criminal threats we face and why law enforcement agencies and intelligence services (the friendly ones) are deeply concerned about bad actors having the ability to go dark.

There are well-intentioned people on both sides of the privacy debate (see episode 18 with retired FBI agent David Gomez for a law enforcement perspective) and Andy Yen, as a privacy advocate, makes a powerful case for making encrypted communication tools as widely available as possible.

For more from Andy I recommend his TED Talk “Think your email’s private? Think again.”

Subscribe to Covert Contact via iTunes
Subscribe to Covert Contact via RSS
Follow @CovertContact Twitter
Check out the Covert Contact blog
