Electronic privacy? There's no such thing
You will never be secure if you labor under the delusion of privacy
Computerworld - Most people suffer from the delusion of privacy. They think it can be guaranteed somehow for their various electronic gadgets. But that is a delusion, and sadly even many in the information security field don't know it. Still, it's surprising how strong the desire to believe otherwise is, and how tech companies will sometimes try to feed that illusion.
Take the news that the encryption in Apple's iMessage can potentially be cracked. I was surprised, but not because the encryption could be cracked. That's a given, no matter the encryption algorithm. I was surprised because I didn't know that iMessage used point-to-point encryption. I just assumed that Apple could always read my messages. Call me uninformed for having missed that news, but what I think is that I was actually better informed than those people who saw Apple's promise that it couldn't decrypt iMessage traffic and let the delusion of privacy lull them into thinking that was really true. Believe me, we'd all be better off if we just acted on the theory that there is likely to be a back door every time.
Don't get me wrong. The fact that iMessage uses encryption is refreshing. Such encryption will do a lot to protect most of us in most of what we do (but more on that later). What is not refreshing is that Apple at best implied and at worst misrepresented that its encryption was uncrackable. Any computer professional in this day and age who thinks that any form of electronic communications is completely secure really doesn't know his profession.
OK, I used to work at the National Security Agency, where I was taught that there is no such thing as unbreakable encryption -- just encryption that is strong enough. We used a relatively easy-to-describe formula based on how long information needed to be kept secret. For most time periods, you could come up with an encryption method and algorithm that (supposedly) couldn't be broken for that amount of time.
Using that rule of thumb, you could use relatively weak encryption for plans for a military battle that would happen within a week, but encrypting satellite communications would be trickier, and a lot chancier. After all, a satellite has a long lifespan, and meanwhile down on Earth, there will be exponential computing advances making it easier to break any encryption algorithm used. Complicating things, a satellite's hardware couldn't be replaced (unlike, say, the gear for naval communications). You would have to use encryption that is well beyond what is considered state of the art. But the NSA would never tell itself that the advanced encryption had solved the problem and guaranteed that the communications would be secure. It realizes that even state-of-the-art encryption will inevitably be broken. You just had to hope that, by the time it was broken, nobody would care about the underlying data.