Sorry for not posting for a while. I've been wandering around in techie-land for a bit.
I've always thought that online security is important. I've also always taken a decidedly lazy approach to it. I used eight character passwords that were dictionary names with a few letter-to-number transpositions. I didn't always pay attention to whether I was using a secure interface when I set up an email account. I didn't pay attention to whether or not the web pages I was looking at were secure.
It was the Edward Snowden incident that really started to wake me up. If you don't know, Edward Snowden is an ex-NSA counterintelligence specialist who leaked thousands of classified documents on the NSA's domestic spying programs. You can read about it here. It woke me up. I'm typing this fully aware that once Google crawls this page, an NSA droid somewhere has added my blog to a list of sites mentioning Snowden. This post isn't about what I think of what Snowden did. Maybe I'll address that later.
So, some reflections on online security...
Usernames and passwords are part of a completely broken security system. They date back to the early days of computing. We have made gigantic leaps forward in technology, but we're still using an antiquated system for you to prove to a computer that you are who you say you are. It was an OK system back then because A) people were more honest, and B) computers just weren't powerful enough to run a brute force attack to crack a password in a reasonable amount of time. These days, things are different. Passwords are cracked all of the time. There are better ways for you to prove your identity, and the really sad part is that they have been around for quite a while.
The most prevalent method is to use a cryptographic key. It works like this. You create a secret key and a public key. Think of them like keys to a lock box that holds messages. Anyone can use your public key to put a message in the box, but only you can take them out using your secret key. In public key authentication (a techie term for using your public key to prove who you are), you give your public key to the internet entity you want to contact (your bank, your Amazon account, etc.). Then, when you contact the site, you present your key. The site looks to see if it has a record of your key, and if so, it sends you a message using it. You prove that you can read the message by using your secret key and telling the web site what it said. The keys are very long strings of random data. For all intents and purposes, they can't be cracked any time during the remaining lifespan of the universe.
A similar way to prove who you are is with digital certificates. They work in a way similar to public keys, but they involve a trusted third party that certifies that you are who you say you are. Another way that has been around for quite a while, but never seemed to gain traction, is the zero knowledge proof (ZKP).
In the ZKP system, you have a secret that you share with the website, kind of like a password, but more complex. You never send the secret to the website after you initially share it. When you go to the site and log in, the website will ask your browser indirect questions that will prove that your browser knows the secret. Once the browser proves that it knows the secret, the website lets you in. Because no passwords are exchanged, they can't be phished or cracked. The questions that the website asks your browser are different every time, so no one can listen in and use the last set of questions that were asked.
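The login exchange described above, sketched as an added example (not code from this blog) using Schnorr's identification protocol, one classic zero knowledge proof. It assumes the site stores a value derived from the secret rather than the secret itself; the toy group parameters, the sample secret and every function name are constructed for illustration.

```python
import secrets

# Toy Schnorr group (constructed for this example, far too small for real use):
# P is a safe prime, Q = (P - 1) // 2 is prime, G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def register(secret):
    """Value the site stores at sign-up: derived from the secret, not the secret."""
    return pow(G, secret, P)

class Browser:
    """Prover: holds the secret and never transmits it."""
    def __init__(self, secret):
        self._secret = secret % Q
        self._nonce = None

    def commit(self):
        # Fresh one-time nonce per login; reusing a nonce would leak the secret.
        self._nonce = secrets.randbelow(Q - 1) + 1
        return pow(G, self._nonce, P)

    def respond(self, challenge):
        nonce, self._nonce = self._nonce, None   # discard the nonce after one use
        return (nonce + challenge * self._secret) % Q

def site_verify(verifier, commitment, challenge, response):
    """Site-side check: G^response == commitment * verifier^challenge (mod P)."""
    return pow(G, response, P) == (commitment * pow(verifier, challenge, P)) % P

def login(browser, verifier):
    """One honest login round; returns (accepted, recorded transcript)."""
    commitment = browser.commit()
    challenge = secrets.randbelow(Q)             # the site's fresh "question"
    response = browser.respond(challenge)
    ok = site_verify(verifier, commitment, challenge, response)
    return ok, (commitment, challenge, response)

def replay(verifier, transcript, new_challenge):
    """Eavesdropper resends a recorded commitment/response against a new challenge."""
    commitment, _old_challenge, response = transcript
    return site_verify(verifier, commitment, new_challenge, response)

if __name__ == "__main__":
    secret = 777                                 # constructed sample secret
    verifier = register(secret)
    ok, transcript = login(Browser(secret), verifier)
    fresh = (transcript[1] + 1) % Q              # any challenge other than the recorded one
    print("honest login:", ok, "| replay accepted:", replay(verifier, transcript, fresh))
```

With a group this small an impostor could still guess the challenge about once in 1019 tries; real deployments use standardized groups or elliptic curves with challenges of 128 bits or more.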
A lot of people think that because they can't see their internet traffic, neither can anyone else. Once again, the whole internet system was invented (not by Al Gore) a long time ago. Even though it was initially built by the defense department, no serious thought was given to securing what traveled over the wires. The people who built it never imagined what it would become. Only in the last few years have people begun to take security of the lowest levels of the internet seriously. The Snowden incident has accelerated that. There will be more attention paid to things like encryption (hiding things in secret codes) and traffic analysis (snooping to find out who is talking to whom and how). That's a good thing. A lot more commercial websites will start to use secure interfaces. Does your browser say http, or does it say https? It matters. Secure transports use the cryptographic key system I described above to turn all of the information that goes over the internet into random gibberish that can only be decoded by the parties on either end of the traffic. No one can listen in on the conversation, including the NSA.
The email system is probably the most broken thing on the internet. It is based on a simple, but archaic system, regular mail (sometimes known as snail mail). You give someone your address, and then they can send you messages. Sadly, so can the evil bastards who generate junk mail. The email system has the same problem, and it adds additional problems to the mix. An email message can have browser links in it. If you click on the link, it will send your browser to some location on the internet. That location could have malware (viruses and other bad juju), and if you are using a defective browser (in other words, Internet Explorer), you run the risk of putting a virus on your computer without knowing it. Also, most email is not sent over a secure transport. With snail mail, it's not likely that someone is going to open up random letters and read them for nefarious purposes. With email, it happens all of the time. With snail mail, you would probably know if it happened. With email, you don't. I am very sure that at least half of the people who read this post have had an email intercepted for one reason or another. And finally, the most infuriating aspect of email is spam. With snail mail, you might get half a dozen or so junk letters in a week. With email, you can (and will) get hundreds per day. Spammers have no shame, and they use automation to flood inboxes everywhere with crap. Spammers know about security, though, and they can hide their tracks. Evil bastards. Once again, using things like public key encryption (like I described above), no one would be able to track or intercept your emails. Using keys, certificates, and another kind of cryptographic identity called digital signatures, no one can fool you into believing that they are someone else.
Security is important. Instant information can lead to instant destruction of your privacy. Think about it next time you log into a site using "SusieQ" as your username and "happy1" as your password.