For the past few weeks I have included the following message in my email signature:

IMPORTANT NOTE, PLEASE READ:

Unless this email is encrypted, it will
almost certainly be read by multiple unknown
third parties; archived, processed and any
information contained in the email used for
purposes unknown.

If this makes you uncomfortable, please
read up on OpenPGP and email encryption. I
am happy to help you get started.

Please also read my data jurisdiction
statement:
http://mapkyc.me/158prCK

This is to draw attention to the fact that nearly all traffic that crosses UK and US borders is intercepted and read by the government, and in the case of the US, used for economic as well as political espionage.

If this makes you uncomfortable, and it should, especially if you’re using email for business, you should look at implementing email encryption throughout your company, and training your staff accordingly.

GCHQoogle: so much for "Don't be evil"

Another day, another set of terrifying revelations about how we’re all being spied on.

So, what have we learnt from this?

Bruce Schneier has a nice summary, but in short, from what I understand, the situation is as follows:

Firstly, the bad news is that if the NSA or GCHQ want in, there is very little you can do. They simply have far too many resources; they have lists of exploitable vulnerabilities for every network-connected device you own, have techniques to break into your wifi, own the root SSL certificates so they can hijack your HTTPS session, can reconstruct the electromagnetic emissions from your monitor into a picture, can rootkit your Mac, Windows PC or games console and turn any mobile phone into a bug… and if all of that fails, they can just kick your door down.

The point is that these are all resource intensive things to do and don’t scale very well, plus there is a much higher chance of discovery. This is why they’ve concentrated on communication interception as a primary attack vector.

Some good news is that it looks very much like the actual encryption algorithms themselves – with a few possible exceptions – haven’t been broken (yet). Instead, as many of us who have been watching this unfold have suspected, they’ve been concentrating on weaknesses in the implementation of these algorithms: exploiting existing bugs (which have often been reported to them by industry partners or spies), deliberately creating bugs in implementations, or circumventing the encryption altogether and getting access to the companies that hold the data on our behalf.

The fact that good crypto is probably still good is little consolation since, because of the engineered vulnerabilities, the cryptographic technologies that protect our privacy, medical and banking records, and the systems that run our entire economy, have still been compromised. Presumably this is what Theresa May meant when she said they could “handle HTTPS”.

Even if you believe that the security services are brave, noble and true defenders of our liberty, it is the height of naiveté to believe that a security hole will only be exploited by us and not by them. It is only a matter of time before some other power, or even just plain ordinary crackers, exploits the same security holes to steal your identity or the contents of your bank account.

What can be done

The latest leaked documents do offer a glimmer of hope; by their own admission, the techniques they are deploying are massively vulnerable to disruption (so much so that it seems employees at GCHQ are under strict orders to not even speculate about how information is obtained). It seems that countermeasures, if adopted by the population at large, could very well be effective.

The first thing to do is get political; write to your MP, join the EFF and ORG etc. The security services have gone rogue, but that is a political problem which needs a political solution.

However, in the same way that we still lock the door even though we have laws against burglary, we need to change the way we conduct business on the internet.

This and earlier leaks have made abundantly clear that we absolutely cannot trust cloud services, proprietary software products or software that communicates using closed proprietary protocols. Windows, OSX, Skype, Facetime, GMail, Facebook, etc. have all been compromised to some extent or another. Strongly consider moving over to Free software alternatives, since the peer review inherent in their development process makes them a much harder target to compromise.

Perform regular security audits; keep up to date with patches, and adopt a multi-layered approach to security that mixes protecting your electronic borders with detecting breaches when they occur. Do not rely on proprietary antivirus software to protect you; it has been compromised.

Remember, if they really want you, they can have you, so fundamentally the technical countermeasures we adopt should be focussed on changing the economics of mass surveillance. If significant portions of the population stopped using cloud services like Gmail and Google Docs, and moved towards a self-hosted solution, there would be no tempting large cache of data that could be sucked up. If everyone made more extensive use of strong crypto (and really, there is NO excuse to still be sending things cleartext), then we dramatically increase the effort required to surveil the population at large.
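One practical way to act on the "no excuse for cleartext" point is to check, before mail leaves your own server, whether each message is actually OpenPGP-encrypted. The following is an added example written for this post, not the author's code or any project's: it recognises the two common OpenPGP mail encodings (PGP/MIME per RFC 3156, and an inline ASCII-armoured block) using only the Python standard library, and reports which messages are still cleartext. The sample messages are constructed, with placeholder ciphertext; the check inspects the message structure only and does not verify that the armoured data is real ciphertext, and S/MIME is deliberately out of scope.

```python
"""Flag outgoing mail that is still cleartext (added example, not the post author's code).

Two OpenPGP encodings are recognised:
  * PGP/MIME (RFC 3156): multipart/encrypted with protocol="application/pgp-encrypted",
    exactly two parts, the first being the control part.
  * Inline PGP: every text part begins with an ASCII-armoured PGP block.
Anything else, including S/MIME, is reported as cleartext by this tool.
"""
import email
from email import policy

PGP_MIME_PROTOCOL = "application/pgp-encrypted"
INLINE_MARKER = "-----BEGIN PGP MESSAGE-----"


def is_pgp_mime(msg):
    """True for a well-formed RFC 3156 multipart/encrypted message."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if str(msg.get_param("protocol", "")).lower() != PGP_MIME_PROTOCOL:
        return False
    parts = list(msg.iter_parts())
    return len(parts) == 2 and parts[0].get_content_type() == PGP_MIME_PROTOCOL


def is_inline_pgp(msg):
    """True only if every text part *starts* with an armoured PGP block.

    A body that merely mentions the marker does not count, and a single
    unencrypted text alternative makes the whole message cleartext.
    """
    text_parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    if not text_parts:
        return False
    return all(p.get_content().lstrip().startswith(INLINE_MARKER) for p in text_parts)


def classify_message(msg):
    if is_pgp_mime(msg):
        return "pgp-mime"
    if is_inline_pgp(msg):
        return "inline-pgp"
    return "cleartext"


def classify(raw):
    """Classify one RFC 5322 message supplied as a string."""
    return classify_message(email.message_from_string(raw, policy=policy.default))


def audit(raw_messages):
    """Classify a batch and list the subjects that went out unencrypted."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        findings.append((str(msg.get("Subject", "(no subject)")), classify_message(msg)))
    return {"findings": findings,
            "cleartext_subjects": [s for s, c in findings if c == "cleartext"]}


# Constructed sample messages; the armoured bodies are placeholders, not real ciphertext.
PGP_MIME_SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMAPLACEHOLDERCIPHERTEXT
-----END PGP MESSAGE-----

--b1--
"""

INLINE_SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: contract draft
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----

hQEMAPLACEHOLDERCIPHERTEXT
-----END PGP MESSAGE-----
"""

CLEARTEXT_SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Are you free at one?
"""

# Mentions the marker mid-body; must still be reported as cleartext.
MENTION_SAMPLE = """\
From: bob@example.org
To: alice@example.org
Subject: re: your key
Content-Type: text/plain; charset="utf-8"

Next time please send a -----BEGIN PGP MESSAGE----- block rather than plain text.
"""

if __name__ == "__main__":
    report = audit([PGP_MIME_SAMPLE, INLINE_SAMPLE, CLEARTEXT_SAMPLE, MENTION_SAMPLE])
    for subject, verdict in report["findings"]:
        print(f"{verdict:11s} {subject}")
```

Run as a script it prints one verdict per message; wired into an outbound mail filter, the `cleartext_subjects` list is what you would alert on. The strict "starts with the marker in every text part" rule is deliberate: a multipart/alternative message whose HTML part is encrypted but whose plain-text alternative is not still leaks the content, so it is reported as cleartext.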

If we can deny them these cheap attack vectors, then we force them to use the much more expensive vectors mentioned above which, crucially, do not scale to the population at large. We don’t remove the ability of the security services to monitor the handful of genuine bad guys out there, but we prevent the possibility of any fishing expeditions, and crucially we stop some future government using mass surveillance via the internet as a tool of oppression.

The fallout from the Snowden affair seems to keep coming, with the shuttering of not one but two secure email services.

For those who have been living under a rock for the past month or so, Edward Snowden is the whistleblower and political dissident who leaked evidence of vast illegal US and UK internet surveillance projects, and who has currently been granted asylum in Russia. Given the American government’s shockingly poor record on the treatment of its political prisoners, as well as their clear desire to make an example of him, I for one am relieved Russia stepped up to its obligations under international law. Granting Mr Snowden some respite from persecution, however temporary that may be, was both legally and morally the right thing to do, even if the cognitive dissonance that I feel from the reversal of the traditional narrative is giving me a migraine.

Known in cryptanalysis circles as “The Rubber Hose technique”.

Lavabit, a Texas-based provider of encrypted email apparently used by Snowden, shut down to avoid becoming “complicit in crimes against the American people”. Later Silent Circle, based in Maryland, did the same, taking the view that it was better to close down and destroy its servers than to deal with the inevitable bullying.

The message seems to be simple. You can’t rely on the security of services where the data is out of your control, especially if the machines or companies involved have ties to the USA, but to say you’re safe from this sort of thing because you use a non-US provider (as many seem to be saying) is frankly delusional.

For those who are looking for alternatives to giving all your data to a third party, I do suggest you check out the #indieweb community, especially if you’re a builder. #indiewebcamp-uk is happening in September in Brighton, RSVP here.

It seems it is fast becoming a dangerous time to be a software creator, and no matter how secure your platform, you always run the risk of the rubber hose technique. As an industry, we are living in “interesting times”; it will be interesting to see where we go from here.

Update: Graham Klyne points out that Silent Circle haven’t shuttered their end-to-end encryption offerings.

Image “Security” by XKCD.