Podcast: Understanding the Limits of Intelligence and Counterterrorism

In episode 31 of the Covert Contact podcast I’m joined by The Soufan Group. Patrick is a former CIA case officer who specializes in counter-terrorism issues. Patrick’s background in both law enforcement (US Air Marshals and the US Capitol Police) and intelligence has positioned him to understand the full array of challenges we face in our intelligence and counterterrorism efforts and it is those challenges that we focus on in this podcast.

How do we deal with unpreventable attacks? How do we attack root causes? How can an enormous bureaucracy like the U.S. government adapt to fight incredibly agile adversaries? Does consumer encryption really present a significant barrier? How do we find the balance between human intelligence and technology-driven collection? We cover it all – and then some in this episode.



Matthias Pfau: Tutanota and the Battle Against Mass Surveillance

Matthias Pfau is co-founder and developer of the encrypted email service Tutanota. Tutanota is part of what can be considered a post-Snowden development movement that aims to short-circuit government mass surveillance capabilities. I spoke to Matthias to discuss his project and where he believes that the battle between privacy advocates and governments is heading.

John Little: So how is Tutanota doing? How is it being received? Do you think the project will be sustainable from a financial standpoint?

Matthias Pfau: Very good. We are experiencing massively increasing sign-up rates with thousands of new users coming in daily. I think people value most that their entire mailbox is encrypted and that we truly have no access. We plan to build upon this by adding features like an encrypted calendar and other groupware functions in the future. We have a lot on our list, and we would like to develop much faster, but we keep our budget tight. The upside: Tutanota already is sustainable: We released our first Premium features with custom domain support three months ago. Many of our existing users switched to Premium immediately so that we have reached break-even.

What excites us the most is that many of our users simply upgrade because they WANT to pay for a secure service that respects their privacy without really needing the offered Premium features. That proves that people are realizing how harmful it is that companies and other third parties spy on their data. We believe that this is the start of a trend and that more and more people will make the switch away from the Googles of the world soon.

John Little: A number of other encrypted email services have been rushed into service recently. ProtonMail is a good example. How does Tutanota plan to differentiate itself in this emerging market? And will the market still exist if the massive players like Google move to more secure models?

Matthias Pfau: We believe that there are not too many encrypted services, but too few. The more services there are, the more people discuss these options and become aware of the fact that it has become very, very easy to keep their data private. What we can say about Tutanota is this: We encrypt the entire email – subject, body, attachments automatically. We encrypt all your data stored in Tutanota, even your contacts. We have built a scalable encryption solution that we can easily transfer to future additions like an encrypted calendar or encrypted cloud storage. It took us about three years to lay a solid foundation (server structure, encryption method, flexibility to change encryption algorithms when needed) for Tutanota so that we are well prepared for the future. We also have an up-time higher than 99.99 percent so that Tutanota is always available.

Plus Tutanota is a true open source project. You can build and run Tutanota locally if you want to be more independent from us.

We don’t think that Google is a threat to Tutanota. Their business model relies on the fact that they can search their users’ data and post targeted ads. The security options Google implements will continue to be add-ons only. In contrast to that, encryption is the default in Tutanota.

John Little: One challenge users face at the moment is fragmentation. We can send encrypted communications to other users on the same platform but not between platforms in many cases. Is this something that Tutanota is working on? Are you actively discussing this with other companies and developers?

Matthias Pfau: You are completely right, this is definitely an issue we need to tackle. We would like to make Tutanota interoperable with other services. We’ve been in contact with Openmailbox and know that they are open to the idea. However, we want to focus on developing more features for our users first. In addition, people on Tutanota can send end-to-end encrypted emails to anybody when they exchange a password. And many of our users do this as we can see from the encryption rate: To date already 37% of emails sent from Tutanota are end-to-end encrypted. This is a great success as it makes mass surveillance very, very hard, if not impossible.

John Little: The hacker community is diverse but Edward Snowden’s revelations seemed to have an impact on a significant percentage of the hackers I know. The reaction was an almost universal shift away from cooperation or sympathy with governments in places where there had been some success in getting the two camps to better understand each other. What’s your sense of where the community stands now?

Matthias Pfau: We are not in direct contact with the community so we can’t really say. What we see in politics, however, is that politicians tend to act against the common opinion of IT security experts when it comes to the internet. One of the best examples is data retention: Even many IT experts and criminal investigators state that data retention does not help to prevent terrorist attacks. Nevertheless, politicians around the world resort to this method to prove to their voters that they do everything they can to increase security. In fact, this is just a big show that every tech-savvy person sees through, thus, they feel appalled by politicians and their actions against their citizens’ rights.

John Little: Let me clarify a bit because I did not intend to imply maliciousness with the term “hacker.” Stepping back away from this specific battle alone (although it is obviously the most extreme point of tension) how do you think governments who absolutely need the skills of developers, cryptographers, and security experts restore some of the goodwill that has been lost over privacy issues?

Matthias Pfau: We did not understand your questions to imply maliciousness. Governments in many cases seem not to understand how to make the Internet more secure, but rather rely on mass surveillance tactics. In my opinion they can only restore the goodwill of the community – not just hackers, but all privacy-advocates – if they get proper consultation from Internet activists such as the EFF or in Germany netzpolitik.org. As long as they tend to work against these groups instead of listening to their advice, the prospects for Internet laws are very bad.

John Little: We’ve seen fundamental changes in the public’s understanding of security in the past few years but there is still a long way to go. Do you think that we are moving towards ubiquitous encryption? Five or ten years from now will we see platforms or apps succeeding without it?

Matthias Pfau: At least that is what we are trying to achieve! We, as tech companies, have to make encryption so easy and running so smoothly in the background that the consumer has no reason anymore to use non-encrypted services. Given the extent of surveillance done by Secret Services and marketing companies around the world, this is our only chance. Without self-protection, all our secrets including health issues, family problems, drinking habits and so on will become publicly accessible soon. This is not the kind of world I dream of for my children.

John Little: States have immense capabilities and they have directed significant resources at intercepting encrypted communications. It’s what intelligence agencies do – and always have done. How do you see this battle playing out from a technical perspective? Could consumer level encryption eventually leave even the most sophisticated agencies in the dark? Could large governments essentially render consumer encryption models irrelevant (as some would argue that they have done already)? Or does the situation continue to remain murky as advantages shift slightly back and forth?

Matthias Pfau: The more people use encryption, the harder it gets for governments to monitor the Internet. This also makes mass surveillance as it is currently done impossible. Governments can still try to monitor individuals with targeted attacks. We have to be honest here: Encryption does not protect someone when he is committing crimes. But that’s not the point. The point is that illegal surveillance of everybody’s data becomes impossible and that is well-achievable with encryption technologies such as Tutanota.

John Little: Do you get the sense that governments are starting to come around to the idea that strong consumer encryption, encryption free of backdoors or other weaknesses, is an inevitable necessity? Do you get the sense that you’re winning?

Matthias Pfau: That’s hard to tell. Of course we would wish for such a move, but politics is hard to predict. We do, however, see that governments themselves increasingly understand that they need strong encryption that is easy to use. The more politicians understand that encryption is to their own benefit, the more likely it gets that they will also consider it to be valuable for all their citizens. So, let us say, we are hopeful!



Government Email Problems, Wikileaks, Russia, Drone Leaks, NASA Security and Other Counterintelligence Nightmares

The Covert Contact podcast kicks off again with an admittedly rambling, but hopefully entertaining, start as I review a number of high-profile security issues with counterintelligence pro William Tucker. We look at the hack of DCIA John Brennan’s AOL account, Hillary Clinton’s email problems, and then ponder the broader risks associated with the personal accounts of key U.S. officials. And while we’re at it, what’s with the curious lack of interest that organizations like Wikileaks have in exposing officials in Russia or North Korea? What’s up with that? Then we move on to drone leaks and drone policy before closing out the show with a look at the almost depressingly terrible security practices exhibited by NASA in the Bo Jiang case. Again, it’s a bit of a ramble but hopefully a fun one.

You can follow William J. Tucker on Twitter and read his guest posts on Blogs of War:

Everybody Spies – and for Good Reason
Hawaii a Priority Target for Foreign Espionage
Would the U.S. Really Kill Edward Snowden?
Snowden’s Snowjob?

Other Covert Contact Episodes Featuring William:
Episode 15: Hillary Clinton’s Email Server: Dissecting the Risks with William Tucker
Episode 12: Counterintelligence: William J. Tucker Breaks Down the Challenges



Encryption as the New Norm: Discussing A Changing Internet with ProtonMail Co-Founder Andy Yen

Over the past couple of weeks I’ve been evaluating ProtonMail. This service is part of a new generation of tools (most inspired by Edward Snowden) developed with the aim of delivering robust encrypted communications and file sharing to the widest possible audience.

Blogs of War readers know that I’m not an Edward Snowden fan, far from it in fact, but I do believe that we have to secure the applications and communication channels that now pervade our lives. Not because I’m worried about the NSA. Frankly I’m far more worried about every other threat. However, I’m also keenly aware of the terrorist and criminal threats we face and why law enforcement agencies and intelligence services (the friendly ones) are deeply concerned about bad actors having the ability to go dark.

There are well-intentioned people on both sides of the privacy debate (see episode 18 with retired FBI agent David Gomez for a law enforcement perspective) and Andy Yen, as a privacy advocate, makes a powerful case for making encrypted communication tools as widely available as possible.

For more from Andy I recommend his TED Talk “Think your email’s private? Think again.”

