September 27, 2013

An exploration of computer (in)security - for mortals...

Well it's been a while since my last blog post as I haven't really felt like I've had much of any relevance to contribute to the world. Lately I've been feeling a pull to contribute more and have been mulling over issues thrown into sharp relief by the revelations of the Edward Snowden saga.

By now, I'm not sure there are too many people in the world who haven't heard of this guy or what he has brought to light. For those who have no idea what I'm talking about or why you should care, here it is in a nutshell:

Edward Snowden was a member of staff working on behalf of a private US company contracted to the National Security Agency as a systems administrator. The NSA is America's version of GCHQ, the communications gathering centre behind MI5/MI6. Earlier this year, after flying to Hong Kong, he leaked a huge trove of information to Glenn Greenwald, a reporter for the UK newspaper The Guardian, regarding gob-smacking NSA abuses of the US constitution that has huge global ramifications relating to all forms of communication. After leaking this information he fled to Russia, allegedly enroute to Bolivia or Guatamala to escape the long arm of the CIA. The US revoked his passport mid flight leaving him trapped for a few weeks in the transit zone of Moscow's Sheremetyevo airport. After Bolivia granted Snowden political asylum, the US violated international law by grounding the Bolivian presidential plane in Spain under suspicion they were trying to smuggle Snowden out of Russia, which South American governments are all still furious about. The Russians eventually provided him political asylum and he was allowed to leave the airport transit zone and remain in Russia for a year while he finds alternative means to drop off the grid and escape from the CIA for good.

The information released by the Guardian sent the head of the NSA Keith B. Alexander to court to account for the actions of his office, where he committed perjury by denying having spied on the American people - evidence later proved this was a lie. During the course of all this, it came to light that a secret court was granting secret decisions to secret law enforcement requests for information on people - the Foreign Intelligence Surveillance Court (FISC for short) has been secretly granting all kinds of illegal surveillance activities on the grounds that because the court provides legal oversight, the surveillance activities aren't illegal - except that the court wasn't democratically elected (on the grounds that it was secret) and doesn't appear to answer to anyone. The outcome of these decisions are that companies are forced to provide access to any data the US government says they want and the company is gagged from discussing it under penalty of... ? Who knows what the penalty is for breaking a gag order, I have no idea - prison I guess, or the use of whatever trove of information the NSA has against you to discredit you, close down your company and destroy the remainder of whatever life and freedom you thought you had.

It turns out that the NSA is bascially recording every internet transmission, including those of both the American people and everyone else around the world and has the ability to read basically anything deemed "secure" by current internet security protocols. For instance the technologies we are all sold as keeping your vital personal information secure from prying eyes, the technology that puts the little padlock in your browser address bar that you're told to trust as the gold standard for your internet safety, labelled SSL or TLS and other three letter acronyms designed to make your eyes glaze over can easily be bypassed by the US government (I'll explain the details of that revelation in a future post).

So that's the situation in a nutshell - everything you're told is "safe and secure" on the internet should be questioned - everything!  Just about everything the public is taught about internet security by the media is at best inaccurate and at worst, a lie. Every transmission is recorded, most things can be read easily and most of what's left can be decoded with a little effort. Nothing is as cut and dry as you're led to believe, nothing you do online is as safe or secure as you're led to believe and probably take for granted.

I hear you say "So what, I'm in the UK, the NSA has no legal jurisdiction here", you may have a point, but any information you transmit over the internet most likely flows through the US or is hosted on servers based in the US or by US companies. That means your information is fair game... and the US is not above having you extradited for things you've done that are a crime in the US but not in your home country (such as Richard O'Dwyer who they sought extradition for providing links on his website to copyright infringing material... and if they can't get you legally extradited, they'll quite happily kidnap you and return you to the US for trial in what they call extraordinary rendition.

Anyone that's known me well knows that I've always had a vague fascination with encryption and cryptography, vague in the sense that any 10 year old boy shown how to write secret messages is fascinated by it. For those that are unaware of what encryption and cryptography is, it is the art of concealing a message by scrambling it up using a process that only the intended recipient can later unscramble to reveal the original message your wrote. In the meantime, anyone else looking at it won't be able to read it, nor could they modify it without the intended recipient knowing.

I've tinkered with many cryptographic and security tools in my life but have never really taken to heart just how seriously I should take it... after all, I'm a nobody, I don't do anything interesting, at least, not in the eyes of any government. I'm not a conspiracy theorist, particularly. I don't have enough political influence to be a threat to anyone, so why should I really care?

In the past couple of weeks, I've started a journey into exploring computer and internet security in the hope that I can pull together a solution that will help everyone become not only more security conscious but actually build the basic skills to manage our own computer security more comprehensively.

I will be blogging about my discoveries in (hopefully) plain English that my kids will be able to understand growing up - I want them to be able to take charge of their own computer and internet security as that starts to become important.  So stick around and hopefully my discoveries will spur insights that are of benefit to more than just me and my family, but to everyone reading my blog as well.

I encourage everyone to contribute in the comments, this is a journey for me as much as it is for everyone else. I don't by any stretch consider myself an expert in this arena yet, there is much I don't know. We're all in this together and I hope it turns out to be as fascinating to everyone else as it is to me, after all, the outcome of this journey will hopefully help keep all of our information as private as I believe it should be - and hopefully you do too.