18 June, 2013

Privacy vs Protection: A look at how the NSA's PRISM program impacts you



The following are my thoughts regarding the recent news of the NSA's PRISM surveillance program. If you are not aware of what it is, or its full extent, you can read more about it at places like The Verge and Security Now! at GRC.

Update: I added a link to a post from The Verge about the number of terrorist attacks prevented.

Growing up, my dad raised horses. To keep the horses in he set up a very powerful electric fence around the back half of our property. Every other second 10,000+ volts surged across the line, dissuading the animals from breaching the perimeter.

My dad did this to protect the animals from getting lost and possibly injured by controlling where they could go. It also protected them from possible predators outside of the fence. Though it was a good thing to have, that fence has caused me more pain than anything else on our little ranch. Why? Because, being a curious kid, I touched it far too many times; sometimes accidentally, sometimes not. Just in case you were wondering, 10,000 volts hurts! Note: Yes, it really was 10,000 volts, but the amps were nearly zero. Also, since it pulsed on and off, it couldn't electrocute anyone.

Why bring this up? I've been reading various articles about the recent discovery of the NSA PRISM program. If you don't know what PRISM is, basically it has been discovered that the NSA has been gathering tons of data on US citizens from across various ISPs, cell companies (Verizon and AT&T), and tech companies. The tech industry and privacy-conscious citizens have exploded with anger and concern about this invasion of privacy. Though I don't like the idea of my seemingly private conversations being logged for possible future review, I think there is a valid reason for such surveillance, assuming it is used for our good and not by people who are corrupted with power (which I'm sure some feel the US government is).

Protection vs Privacy

Why is the NSA gathering so much data about people, foreign and domestic alike? What is it they are looking for? Do they want to know about your friend who called to see if you want to go to lunch? How about the password to an account your spouse forgot? I've got it, they want to know about that affair you are trying to keep secret... right?

If the reports are true, and the NSA is "spying" on Americans, it isn't to know what things you are hiding from your family, friends, or the world at large. They are looking for terrorist activity. They are looking for those predators that are trying to hurt us Americans. That raises the question: what do we want from our government, protection from those who wish to harm us, or for the government to ignore our "private" conversations on the public Internet?

Encryption Will Save Us?

So what is the solution? We can petition the government to stop, but I have a feeling that even if they say they will, they'll find new ways of doing it; our online communications are very valuable data. It isn't that we can't trust our government to follow through and obey its own laws, it's just that the bulk of all Internet traffic flows through the US. If we want our government to filter terrorists from foreign sources, it also has to filter through US communications. If regulating who they can watch won't work, then what we should do as citizens, at least those who are concerned -- it seems the bulk of citizens aren't (66% agree with what PRISM does) -- is to encrypt all communications, so that even if a communication is captured, at least the government won't know what was said.

Let's say that the majority of citizens were concerned and did encrypt all communications, from IM to email to voice calls, all encrypted. What happens then? An increased awareness of encryption systems among citizens means an increased awareness among criminals and terrorists. I'm pretty sure more sophisticated criminal outfits already use encryption end-to-end anyway. As more and more people take their seemingly private conversations on the public Internet and make them truly private with encryption, the NSA and FBI have nothing to see but a lot of noise, though they will still know who sent what, when, and to whom; just not what was said. Well, that is great and all, but the problem now arises that these agencies, whose mission is to protect US citizens, can't do their job in a timely fashion. Once they see something suspicious in communication patterns they can't just look up the data to see what was said; they'll have to break the encryption first, and that delay may cause the deaths of quite a few people, depending on what attack they can't prevent.

And now we go back to the protection vs privacy argument again. If we all encrypt our data then we have our privacy, but now we have little protection, since the criminals will likely use encryption too. The NSA has stopped over 50 terrorist attacks around the world because of this surveillance program, such as a bomb plot at the New York Stock Exchange. How many terrorist attacks have they missed since 9/11? Not nearly as many as they've thwarted. What that means is, if in a perfect world we could encrypt all of our data to assure our privacy, or the government just stopped watching, there would likely be an increase in crime, terrorism, and casualties we haven't seen in the US before. Some people attack the US because they are crazy and don't care about dying. But if a criminal or terrorist thought they could attack without being caught, because no one could see the preparation or they thought no one was watching, a lot more people and groups would commit crimes. "While the cat is away, the mice will play."

Summary

Ultimately what matters is how this news impacts you and how it could impact others, including those whom you love. As I mentioned before, I don't really like the idea of being watched, but know that the NSA and FBI aren't watching you specifically. There is too much data for them to do that. They are watching for patterns and establishing a history of patterns. If you never do anything to trigger suspicion, then I doubt anyone will even look at your online doings. Now, if you feel there is something that you want to share with someone and you don't want the government to know, or you just want to cover all your bases, encrypt it. If you don't want the government to know who originated or received said encrypted data, there are ways to hide your identity as well.

Otherwise, know that your communication patterns are being recorded, and possibly the data you send onto the public Internet is being captured too. This is the world we live in, even before the Internet. I'm sure growing up you had parents, teachers, and adult leaders who watched what you did just in case you got involved in something harmful to you or to others. Nothing has changed; we are still watched, just who is doing the watching changes. I don't think fighting against this really does anything positive. What is better is figuring out how to adapt to it. Honestly, you've always figured the government was watching anyway, right?

My last question to you is, do you trust your government, its checks and balances, to have you, as a US citizen, as the most important asset to protect?

24 April, 2013

Getting Rid of Passwords

A quick note, related to my last post, regarding user authentication and identification. The Verge has a piece today about Google joining an industry work group to find a replacement for the password. I looked into FIDO, the group Google joined, and I think my system may be more robust, secure, and convenient for user authentication and identification than what has currently been proposed, but I'm just one guy. If you are interested you can check out The Verge article, or just check out the link below that goes directly to the source.

FIDO (Fast IDentity Online) Alliance

17 April, 2013

A Theoretical Single Sign On System

Recently on Google+ I got into a conversation with +Andy Kinsey about Single Sign On (SSO). That got me thinking... If I were to create a "perfect" SSO system, what would it entail? Since I'm not a developer --in any way-- all I can do is theorize; but hey, that might get the ball rolling.

Note: I started writing what I intended to be this blog post, but two days later I ended up with a five page white paper on an SSO system. Though some may really enjoy reading long form articles, for this post I'll just summarize. Once I've finished the white paper, I'll include a link to it in an update.

Quick glossary entry: Single Sign On (SSO) is an authentication information system that allows multiple separate services to share a single credential token. Simply put, one password to rule them all. ;-) Or rather, one username/password combo that can log in to multiple sites from different services. SSO can be used in a couple of different ways; one way, as I've just mentioned, is one login for multiple sites. It can also be used as one session across multiple connected services; for example, you log in to your computer and can now access your email, corporate intranet, and file server without having to log in again. For this article I'll be focusing on the first use, one username/password for multiple sites from different providers.

SSO authentication flow chart

At the very core, most SSO systems follow the flow chart above. One of the most common SSO systems is +OpenID Foundation's OpenID. You can sign up with any Provider, enter various bits of information about yourself, and when you go to a site that supports OpenID, you enter your OpenID username and go. You'll be directed to your Provider's verification page where you sign in, and then back to the site you started from, but now you are logged in. Though you can prove with this system that you are the owner of the OpenID, by logging in with the Provider, there is no way to prove your real identity. Plus, OpenID won't secure your information and communications; it just helps you log in.

Recently the US Government has put together a government and private sector consortium on creating an SSO system that will provide quick and easy login, like OpenID, but also provide a way to verify identity. With those key points they are getting closer, but still don't provide the complete package.

To have a "perfect" SSO, the system would need an access mechanism, a way to verify the user's identity, and a way to provide enhanced security. The answer is quite simple: OpenID + multi-factor authentication + PGP.

In my white paper I go into greater detail about how it would all work and what is needed, but simply put: if you were to have an OpenID account, one of the things you stored in that account was a PGP public key, and you required the user to provide more than a username and password, you would have the makings of something quite secure.

With multi-factor authentication alone, the security level steps up when you require 2 or 3 different authentication factors. Add in an encryption key that can (1) secure your data and, more importantly, (2) provide a mechanism to prove your identity, and now the system is complete. I'm honestly surprised that no one has done this yet.
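To make the "prove your identity with the key in your profile" step concrete, here is an added example (not from the white paper or any OpenID provider) of the challenge-response a relying party could run after the OpenID login and second factor succeed. It assumes a raw Ed25519 key stands in for the PGP key stored in the profile, and the names RelyingParty, Challenge, Prove, Verify and proofMessage are my own; the nonce is bound to the site and consumed on first use, so a captured proof cannot be replayed here or presented to another site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// RelyingParty is the site being logged in to; it remembers issued nonces
// so that each signed proof is accepted at most once.
type RelyingParty struct {
	Site        string
	outstanding map[string]bool // nonce -> issued and not yet answered
}

// proofMessage binds the nonce to the site: a proof for one site fails elsewhere.
func proofMessage(site string, nonce []byte) []byte {
	return append([]byte("sso-identity-proof:"+site+":"), nonce...)
}

// Challenge issues a fresh random nonce for the user to sign (assumed to run
// after the OpenID password and second-factor steps have already passed).
func (rp *RelyingParty) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	if rp.outstanding == nil {
		rp.outstanding = map[string]bool{}
	}
	rp.outstanding[string(nonce)] = true
	return nonce, nil
}

// Prove is the user's side: sign with the private half of the profile key.
func Prove(priv ed25519.PrivateKey, site string, nonce []byte) []byte {
	return ed25519.Sign(priv, proofMessage(site, nonce))
}

// Verify accepts the proof only if this site issued the nonce, it has not
// been consumed before, and the signature checks out under profileKey (the
// public key stored in the user's OpenID profile).
func (rp *RelyingParty) Verify(profileKey ed25519.PublicKey, nonce, sig []byte) error {
	if !rp.outstanding[string(nonce)] {
		return errors.New("unknown or already-used nonce (replay?)")
	}
	if !ed25519.Verify(profileKey, proofMessage(rp.Site, nonce), sig) {
		return errors.New("signature does not match the key stored in the profile")
	}
	delete(rp.outstanding, string(nonce)) // one-time use
	return nil
}
```

A real deployment would also expire unanswered nonces after a short window and fetch profileKey from the Provider over an authenticated channel rather than trusting a key the client presents.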

OpenID has the access request mechanism down, and a couple of providers have even added one of the other two requirements for a complete solution on top of it, but no one has done all three.
Symantec's Personal Identity Portal is an OpenID provider that couples it with a smartphone authenticator app.
StartCom offers free/low-cost SSL certificates (S/MIME) which can be used to verify identity, and they too are an OpenID provider, but they stop there and don't complete the package.

If anyone knows of a solution that does provide the whole package, or is a developer who wants to work for free for me to create it (then make royalties after it goes to market), let me know in the comments.