Skip to content

Is Cryptography a lost fight

Posted on:September 27, 2013

If you have a computer, a tablet or a phone you must have heard about the story of the NSA leaked by Edward Snowden, where they are spying on EVERYONE in the world. Bear with me, as I try to explain; why this fight matters to you –random reader reading this article- and why we should change our methods to face internet surveillance.

Indeed, this might have been impossible ten years ago, but now hundreds of millions of dollars later we can safely say that your electronic devices do not belong to you anymore. Any email, chat, phone conversation you have made in the last few years is probably stored somewhere in a data-center belonging to the NSA.

And any data-analyst could -as easily as you- get into your computer if you are a “person of interest” browsing your files, passwords and financial details so that they could paint you in the image of the villain they want in a court –or elsewhere-.

But as a non-US citizen, living somewhere far in the world, what might the mighty NSA want with me, you may wonder. I’m not that important to be recorded or spied on, you may say.

Why should I care?

Well my friend you have asked THE question. “Why” is but the form following the function of “what”

, and what you are is a user of the web, a number, an IP address. You don’t matter now, but yet you will be recorded, stored and analyzed for your trends and patterns, just in case you might be “a terrorist looking to reenact 9/11”. And even when you are “cleared” by some algorithm your data will still be stored, just in case –they say-. Just in case that someday Osama Ben Laden will call you to deliver some pizza or trade some stocks on his behalf. Who knows, but be assured, these guys know what they are doing, so even though it’s classified, you must be relieved to know that they will NEVER look at your data without a proper court order, and why you may ask you should be assured, well they say –and promise- that they will regulate themselves but you have to trust them on it, because it’s classified and you can’t check if they are doing it properly.

And if you need further reassurance, you should also know that if you are not an American citizen it’s considered as “legal” surveillance and they are not obligated to respect any of their “safeguard” regarding your data.

Are you reassured yet?

Luckily the force does not have only one side; indeed, in the other hand we have groups of people, some NGOs and lawyers fighting every day to provide us; simple net-citizens with enough legal and technical tools to cover ourselves from this intrusive bulk spying program.

You can thank people like Wikileaks, EFF, Cypherpunks and a lot of other people for exposing such practices and trying to put a legal and technological end to them.

Tools exist and have been under the grand-public media spotlight ever since last summer’s leaks, as cryptography has become the number one defense and protection against such programs, where the logic is “They can capture the traffic, but I won’t allow them to read it”. Cryptographic tools aim towards encrypting the messages/data you want to send, in such a way that only you and the destined receiver can read them properly, every one listening in the middle will only see rubbish, unless he has a way to compromise your encryption.

These tools have been there for quite a while, and if there is a chance that you are one of the few interested in this field you might have been using the same software and tools for the last five years, without an urgent need for update.

Let’s take TrueCrypt and Enigmail as a study case. TrueCrypt is one of the most used disk/directory encrypting tools there is.

As I see it TrueCrypt is favored instead of its competitors for three reasons:

It’s on the fly. Meaning, it encrypts your data as your work and save normally, no extra steps are needed once it’s running. It’s cross platform, it’s available for all major systems, Windows, Mac and Linux. It has the ability to “hide” an entire disk or system so even when your computer is physically compromised, those who has it can’t prove or see the existence of a certain hidden system.

Enigmail, on the other hand is also a cross-platform plugin for Thunderbird but its aim is not to secure your local data as TrueCrypt but to provide a secure communication tool. It is recommended by many as the “safeguard of emails”.

This might seem great, all one needs is a little change of habits and little adaptation in order to be safe.

But wait, can we –really- as “experts” recommend such apps for general public use, as people in “hot-zones” or conflict areas might trust us and those apps for their physical safety and sometimes even lives.

Can we really GRANTEE these apps for extreme situations use?

Let’s start with TrueCrypt, the development of this project has started over seventeen years ago, it’s probably older of most people reading this. And we find ourselves here in late 2013, using the version 7.1a released almost one year ago, and still unaudited. If you are not familiar with the term, auditing an application, means testing it security, checking if it does what it does and if there are any design/implementation flows. These tests should be done by 3rd party independent experts, and they are quite specific, so you can imagine the cost. And that’s why a year later we have rumors that TrueCrypt has been compromised and no way to prove it yet.

But, you may wonder, why are experts still recommending it if they are not certain yet of its safety. Well, not all of them do. Many cryptography professors stand their ground in the matter of TrueCrypt and other tools as they don’t trust them yet. And propose other algorithms instead.

But the main tendency is that it is an open-source stable software offering a “better” solution then the others out-there. And people will continue to recommend it and use it, until a proper audit is made to back it, or to abandon it.

Let’s now talk a bit about Enigmail (Open-PGP), a great app, in constant active development and updated in a regular way. It is proven to be “secure” providing transparent encryption/decryption service and key-management. All very nice, but I absolutely hate it! And I’m not the only one. We as a community love to hate Enigmail. We all use it, or have used it in a point of our lives, but its complicated un-attractive interface and user-experience make teaching it to new users a living-hell, and something to carefully plan your week around.

User interface and experience, have been always a problem in cryptography, as tools (if not created for terminal command line usage) have the worst possible interfaces, making using them a shore any novice would avoid.

On the other hand, such tools are usually developed on public Gits by teams of volunteers, and published on free licenses. Thus making profiting from them almost impossible. This problem makes the development of updates and bugs fixes an un-easy task, done when the developer is available on his spare time from his day-job.

And here we have our main issue with Cryptography, we are a community based on volunteerism, and pro bono work, facing giants of the economy and state financed agencies. These invest every year hundreds of millions of dollars to expend their capabilities to survey and control our data flow, while we still operate like it is 1960.

The teen-punk-hacker working in a garage stereotype may sell well in movies, but in real life we need a juristic update on the ways we operate and maintain our projects. Government funds for projects are not a viable solution (like in Tor) as they will always raise the question about independence and integrity. Crowd-funding is also a temporary solution, as it depends really on the marketing technology and not on the content of the project.

We need to think of a new model for the “free-security-software” or else we won’t be surviving for long, facing giants of finance with hundreds of people working specifically on new ways to watch us every single moment of the day. We can’t afford part-time involvement any more, and we can’t afford living in margins of the new balance –as much as we like to-. The EFF has been doing a great job in this matter, and I believe that many should follow the example as it has been proven that it works.