TechCrunch reported today that US attorney general William Barr says Americans should accept security risks of encryption backdoors and this idea is a very, very bad one. There is NO FUCKING WAY that I will allow my devices to have a backdoor in them … ever … and please note: this is NOT about me maintaining my social media, email or chat privacy. This is about protecting MY data and MY personal and client accounts.
If the U.S. Department of Homeland Security, Medicaid, Army, Office of Personnel Management, Department of Defense — and companies with their business and reputations at stake — can’t keep hackers out of their systems, how will the government protect a backdoor?
Check out this list of breaches on Wikipedia which starts out with this in the opening paragraphs, and scroll down to see how many companies and governmental organizations have been breached:
It is estimated that in the first half of 2018 alone, about 4.5 billion records were exposed as a result of data breaches. In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.
If a backdoor is legislated to be put in our smartphones, tablets and computers, I can absolutely guarantee that it will get out into “the wild” and be used by blackhat hackers, regardless of what NON-TECHIES like Barr and Trump spout off about in rallies or articles.
Like CGPGrey has said, “There’s no way to build a digital lock that only angels can open and demons cannot. Anyone saying otherwise is either ignorant of the mathematics or less of an angel than they appear.” I submit that most leaders are not only ignorant of both the math and why it is not technically feasible to put a backdoor into encryption, they only care that we can keep governmental (and hacker!) prying eyes out of our most sensitive information.
One glance at my iPhone shows that there are numerous apps that could destroy me financially and potentially provide access to my LastPass password manager … allowing subsequent access to nearly 2,000 passwords for clients and every website I’ve signed in to in the past. For example these apps being compromised:
- Charles Schwab with access to my entire portfolio
- Wells Fargo with access to my wife’s and my accounts
- My Bitcoin wallet
- My Apple Wallet with multiple credit cards and Apple Store cards with money in them
- Signal communication app — which protects our communications when my wife, kids or myself are traveling overseas
- My LastPass app with connections to my password vault…
- …and too many more.
I could go on and on but let me have John Oliver amusingly inform you about the realities of having the government put a backdoor in and defeat encryption:
Congressional “theater” is happening right now and our ‘Congress Critters’ are all seemingly outraged at the privacy violations by Facebook, Google, and all the other tech companies we all use every day. Some even want to break them up as do various Democratic presidential candidates.
But I’d like you to notice that there is not a *peep* from any of them about all the other tracking companies out there, especially ones like Palantir.
Those tracking or “secondary surveillance network” companies are the REAL privacy threats. Literally everything you do digitally is tracked including:
- Buying anything either online or offline as your credit card data can be purchased by tracking companies and combined with other data
- Emailing and texting metadata is captured (the content is protected as a warrant is needed to search within an email)
- Moving around with your smartphone in your pocket provides tracking data of your movements
- Everything you do (or your devices do automatically) through your internet service provider is tracked now that net neutrality is dead (ISPs can sell your data)
- Everywhere your face is “recognized” by a camera connected to an increasing number of systems without any regulation since your public persona can be photographed
- And much more.
Want to See How Bad It Is?
Palantir is one company that has always scared the bejesus out of me as I’ve personally analyzed this completely opaque and secretive organization. But it wasn’t until I read this article, Revealed: This Is Palantir’s Top-Secret User Manual for Cops, that I said HOLY SHIT THIS IS BAD!
Turns out Motherboard obtained this Palantir user manual through a public records request, and it gives unprecedented insight into how the company logs and tracks individuals. Their system goes far beyond what I ever imagined as a worst-case scenario:
“Palantir is one of the most significant and secretive companies in big data analysis. The company acts as an information management service for Immigrations and Customs Enforcement, corporations like JP Morgan and Airbus, and dozens of other local, state, and federal agencies. It’s been described by scholars as a “secondary surveillance network,” since it extensively catalogs and maps interpersonal relationships between individuals, even those who aren’t suspected of a crime.”
In addition, this article, 300 Californian Cities Secretly Have Access to Palantir, shows how hard various law enforcement and other agencies are hiding the fact that they even use Palantir:
Motherboard obtained documents via public record requests which reveal that the scope of Palantir’s influence in California is significantly larger than previously documented. Payment records indicate that between January 2012 and March 2017, about three hundred cities, collectively home to about 7.9 million people, had access to Palantir’s Gotham service through the Northern California Regional Intelligence Center (NCRIC), which is run through the Department of Homeland Security.
Why use Palantir’s Gotham service instead of licensing the software outright?
Gotham is one of Palantir’s two services, and the other service is Palantir Foundry. These 300 police departments could request data from Palantir, and an NCRIC agent would retrieve this data and provide it to local police. Per this arrangement, none of these departments have to disclose the fact that they have access to Palantir.
Read these articles and go scan the manual and you’ll see that it is trivial for any user of their system — whether directly with Palantir or one of their “service” companies — to obtain a HUGE ARRAY OF PERSONAL DATA on any one of us!
Again, notice how Palantir is not even in the conversation any Congress Critters or presidential candidates are having? Also, where is the mainstream media in all of this?
These secondary surveillance network/tracking companies are already out of control. Congress must act now but they won’t unless you tell them to do so and vote accordingly going forward.
Want to know more and/or take action like I have?
Ask your Congressperson and Senators to pay attention to and regulate these tracking/secondary surveillance network companies:
- More on Palantir
- More on Secondary Surveillance Networks
- Find your member of Congress and contact him or her:
Since I care (as we all should) about privacy, security, government surveillance, third-party trackers, and all the other downsides that have already happened to this thing we love called the internet, WE ALL need to stand up and make our voices heard about the recent bill passage to gut net neutrality. That's why I just donated (and have continued to donate) to the Fight for the Future cause and will be watching the livestream next Tuesday, June 11th, to see what is happening and to leverage social media to bring attention to it.
One year ago, Big Cable’s dream came true: they killed net neutrality, giving ISPs like Comcast, Verizon, and AT&T control over what we see and do online. Millions of people demanded that Congress restore net neutrality. In response, the House of Representatives passed the landmark Save the Internet Act. But Senate Majority Leader Mitch McConnell — who has taken over $1 million in campaign donations from Big Cable — is refusing to allow his branch of Congress to vote on this popular bill. So on June 11th, net neutrality supporters in the Senate will try to force a vote using a procedure called “Unanimous Consent.”
How can you help?
We’re organizing an epic livestream so that millions of everyday people just like you can watch their lawmakers, and hold their lawmakers accountable for their actions … or inaction. Fill out the form above and tell Congress why you support net neutrality. We'll make sure your comment gets hand-delivered to Congress, and we'll be reading our favorite comments during the livestream on June 11th. You can also spread the word on social media to make sure everyone knows what's happening.
Watch the livestream on June 11th
The team of scientists and engineers that came out last year with the wildly successful end-to-end encrypted email service, ProtonMail, has now officially made public their new highly secure (and very fast!) virtual private network (VPN) called ProtonVPN.
As a ProtonMail user I’ve been incredibly pleased with the service and its security and this morning I signed up for their newest offering, ProtonVPN. I did so mainly because of the features, but also because it’s from a company I trust and, as a beta user, found it to be fast, robust, secure, and rock-solid.
I’m also stunned by how quickly they’ve nailed the key features needed in both email and VPN to keep us private and secure. A big plus also is that the company, Proton Technologies AG, is based in Switzerland, a country whose laws favor privacy, security and non-disclosure which is the perfect place to headquarter the firm:
“ProtonMail was founded in 2013 by scientists who met at CERN and were drawn together by a shared vision of a more secure and private Internet. Since then, ProtonMail has evolved into a global effort to protect civil liberties and build a more secure Internet, with team members also hailing from Caltech, Harvard, ETH Zurich and many other research institutions.
Today, we help our community of millions of users secure their private data online. More than 10,000 supporters have assisted us in this mission by donating to make this project possible. Thanks to your support, we are continuing to develop state of the art email privacy and security technology from our home base of Geneva, Switzerland.”
ProtonVPN has several key features that are a bit geeky, but have turned my head as someone who is deep into cyber security:
- Secure Core: This architecture gives their secure VPN service the unique ability to defend against network based attacks. Secure Core protects your connection by routing your traffic through multiple servers before leaving our network. This means an advanced adversary who can monitor the network traffic at the exit server will not be able to discover the true IP address of ProtonVPN users, nor match browsing activity to that IP.
- Strong Encryption: All your network traffic is encrypted with AES-256, key exchange is done with 2048-bit RSA, and HMAC with SHA256 is used for message authentication which means it is VERY secure.
- Forward Secrecy: The encryption cipher suites they use only include ones that have Perfect Forward Secrecy. This means that your encrypted traffic cannot be captured and decrypted later if the encryption key from a subsequent session gets compromised. With each connection, ProtonVPN generates a new encryption key, so a key is never used for more than one session.
- Strong Protocols: They exclusively use VPN protocols which are known to be secure (OpenVPN and IKEv2). Though I’m not a cryptographer, every cryptographer I follow online swears by both of those protocols, which have been examined and certified secure by top cryptographers all over the world.
- Physical Security: The company has gone to extreme lengths to protect ProtonVPN’s Secure Core servers to ensure their security. Critical infrastructure in Switzerland is located in a former Swiss army fallout shelter 1000 meters below the surface. Similarly, our Iceland infrastructure resides in a secure former military base. Our servers in Sweden are also located in an underground datacenter. By shipping our own equipment to these locations, we ensure that our servers are also secure at the hardware level.
Other Key Features Include:
- Open Source: Goes without saying that their transparency level is very high and having their software reliant on open source software examination and certification is a big selling point for any of us.
- No Logs Kept: Under Swiss law they don’t have to keep them so they do not.
- DNS Leak Protection: They ensure that your browsing activity cannot be exposed by leaks from domain name service (DNS) queries.
- Kill Switch: Their desktop and mobile applications come with a built-in Kill Switch feature which will block all network connections in the event that the connection with the VPN server is lost.
- Tor VPN: ProtonVPN comes with Tor support built-in. Through their selected Tor servers, you can route all your traffic through the Tor anonymity network and also access dark web sites. This provides a convenient way to access Onion sites with just a single click.
Take a look at their pricing page. They have a free offering (which is currently shut down due to the overwhelming response and signups this week) and I signed up for the “PLUS” level today since, as a current ProtonMail user, I got a bit of a larger discount on both ProtonMail and ProtonVPN as a bundle.
I need to end with this: I’ve analyzed more than a dozen of the top VPN providers and previously chose Private Internet Access (which I still have active since I’m paid through April of 2018) and, especially for the non-geeks out there, it’s still the easiest to use, keeps no logs, has the most data centers, and still has my strong recommendation.
But if you’re extra-serious about your VPN — or have specific needs to be highly secure when online — I’d absolutely recommend you immediately go and sign up for ProtonVPN.
While discussing cyber security and online safety with clients, family and friends, I’ve had several of them ask me for guidance on how to secure their communications and web activities. While a thorough examination of all the detail surrounding privacy, security, and good online habits could be the length of a book, let me give you some of the basics along with a few links to learn more.
There are several reasons you should care about whether your online, digital communications and web surfing are private:
a) Tracking: Ever wonder how Facebook knows you just shopped for Corningware at Amazon and suddenly the ads on Facebook are displaying other bakeware companies? Would you be surprised to know that nearly all websites you visit set a little digital file called a “cookie”—a file that can prove to be very beneficial most times—but that some cookies are set by third party companies that do nothing but track ALL of your website visits (and much more) everywhere?
b) Are You Naked on Public Wifi? If you ever connect to a public Wifi hotspot, you should know that it is trivial for a Wifi hotspot to be spoofed and you might have already inadvertently connected to one! There are also packet sniffers that let some blackhat hacker view any unencrypted traffic going back and forth between your laptop or device and the Wifi router.
Want to see how incredibly trivial it is to create a man-in-the-middle attack and spoof a Wifi hotspot? Then read this article which should scare the bejesus out of you (it did me). It’s called Maybe It’s Better If You Don’t Read This Story on Public WiFi and its tagline is this:
We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.
If after you have read that article you are still logging on to public Wifi hotspots without using a VPN, please comment below and give me your argument as to why you think it’s OK to get online with public Wifi and no VPN. I’ve yet to hear a single, valid reason why someone shouldn’t connect securely.
c) Government Surveillance: You’ve undoubtedly heard about Edward Snowden, who revealed the vacuum mass surveillance apparatus in place by the National Security Agency and that they’re scooping up ALL metadata about who called whom; what websites you visit and searches you perform; what texts you send; who your Facebook/Twitter and other friends are; what photos you post; and much more.
As a preview to what might very well happen here in the U.S. under a Trump administration, a new law just passed in the United Kingdom and it will give you a taste of what is probably coming to America…and soon…and why we all need to be more diligent about our privacy and security. The UK Now Wields Unprecedented Surveillance Powers — Here’s What It Means spells out what we could expect in the US in the near future:
The UK is about to become one of the world’s foremost surveillance states, allowing its police and intelligence agencies to spy on its own people to a degree that is unprecedented for a democracy. The UN’s privacy chief has called the situation “worse than scary.” Edward Snowden says it’s simply “the most extreme surveillance in the history of western democracy.”
The legislation in question is called the Investigatory Powers Bill. It’s been cleared by politicians and granted royal assent on November 29th — officially becoming law. The bill will legalize the UK’s global surveillance program, which scoops up communications data from around the world, but it will also introduce new domestic powers, including a government database that stores the web history of every citizen in the country. UK spies will be empowered to hack individuals, internet infrastructure, and even whole towns — if the government deems it necessary.
It is also probable that both the UK and the US will take steps to ban end-to-end encryption (one reason I use more and more services outside the US) and/or legally force companies to insert backdoors in their software so law enforcement can get in to the computer or device you own, especially without having to secure one of those pesky search warrants. It’s actually a lot more ominous than that, but writing much more about it is beyond the scope of this post.
Are you scared now?
You should be. I am, and I stay abreast of all of this every, single day. Read on for some specific tips and tricks to stay safe online.
Edvard Munch’s painting The Scream…and a few scared internet users
To say I was stunned reading this editorial in this morning’s Minneapolis StarTribune is an understatement. I rarely get fired up enough to write a letter to the editor, but this time I felt compelled since they got this so wrong and I’m embarrassed for them that they published this editorial.
I just sent them my rebuttal and I reprint it below with the StarTribune’s paragraphs in italics and green. Also, since the StarTribune apparently did little-to-no research, I’ve provided them with helpful links.
Curiously the StarTribune changed the linkbait-like editorial title in the online version by toning it down, perhaps realizing that characterizing it as “Apple defies order” is wrong: National security is at stake in Apple’s faceoff with feds.
U.S. security at stake as Apple defies order
Apple Inc., the world’s largest info-tech company, now stands in defiance of a federal court order, saying it will fight attempts to force it to help the FBI crack the iPhone of a San Bernardino terrorist involved in a major attack on U.S. soil that left 14 dead and 22 injured. Apple says the government is overreaching and would be setting a dangerous precedent.
The company is wrong on both counts, but the world of encrypted information is a complex one. It is worthwhile to proceed carefully, because this could prove to be a critical showdown in the growing clash between privacy and national security.
Your editorial, “U.S. security at stake as Apple defies order” was one of the most stunningly naive positions I’ve read yet when it comes to the controversy over Apple’s stand on weakening the encryption of one, single iPhone. A weakening that would instantly open a Pandora’s box of cyber threat problems of which you are obviously clueless and seemingly dismissed out-of-hand.
First, it should be noted that the government negotiated for two months with Apple executives. When those talks fell apart, Justice Department officials turned to a federal judge, who ordered the company to create a way to bypass the security feature on the phone. The FBI had obtained a warrant to search the phone and, not incidentally, the consent of the employer that had issued the phone to Syed Rizwan Farook.
First off, it should be noted that the FBI permitted San Bernardino officials to change the password on the terrorist’s iCloud account (rebutted by FBI, now blaming official) and only then, obviously realizing their mistake, requested Apple’s help. Had they not done so, Apple has stated publicly it would have been possible to obtain the shooter’s iCloud backup data. Since this mistake was made, the FBI then negotiated with Apple to recover what they could. Discovering that doing so was not possible, and subsequently failing in convincing Apple to create software to weaken iOS (the operating system that controls the iPhone and iPad) so they could break into the device without having it ‘wiped’ by its ten password attempt limit, the FBI then obtained a court order hoping to force Apple to create a method to do so.
Apple has complied with what Justice officials characterize as “a significant number” of government requests in the past, including unlocking individual phones. Apple CEO Tim Cook has become increasingly concerned about customer privacy, particularly after 2013 revelations by whistleblower Edward Snowden about massive government surveillance operations. The company has continued to tighten its security systems and decided to no longer maintain a way into individual phones. Farook’s iPhone 5c was among those with a 10-tries-and-wipe feature that essentially turns it into a brick if too many false passwords are entered. Newer operating systems employ ever-more-sophisticated security features.
The government’s authority to get private information, such as texts, photos and other stored data, through a warrant is not at issue. The key here is whether the government can compel a private company to create a means of access that the company contends will weaken its premier product.
Cook maintains that creating a “master key” to disable security on Farook’s phone ultimately would jeopardize every iPhone. With more than 100 million in use across the country, that is no small threat. There are, however, technology experts who say Apple could create a bypass — allowing for what’s called a brute force hack — without affecting other phones.
With respect to your position on Apple’s creating this sort of “bypass” for this single iPhone, all while acknowledging this is not a “small threat” for the 100 million iPhones already in existence, you then opined, “There are, however, technology experts who say Apple could create a bypass” “without affecting other phones.” This is your supposed justification for minimizing the threat of putting in a backdoor (or what you euphemistically characterize as a “bypass”) for those 100 million+ iPhones already in existence? Who are these so-called “experts” anyway?
Though our national security is an absolute imperative, the Edward Snowden revelations about mass NSA surveillance—and what most of us see as a direct violation of our Constitution by them (as well as their practice of passing that data to the DEA, FBI, IRS and local law enforcement)—the intelligence community made their bed…and now they have to lie in it.
From Wired’s article called Apple’s iPhone Encryption Is a Godsend, Even if Cops Hate It:
It took the upheaval of the Edward Snowden revelations to make clear to everyone that we need protection from snooping, governmental and otherwise. Snowden illustrated the capabilities of determined spies, and said what security experts have preached for years: Strong encryption of our data is a basic necessity, not a luxury.
And now Apple, that quintessential mass-market supplier of technology, seems to have gotten the message. With an eye to market demand, the company has taken a bold step to the side of privacy, making strong crypto the default for the wealth of personal information stored on the iPhone. And the backlash has been as swift and fevered as it is wrongheaded.
Though this is clearly the right thing for Apple’s business—especially if they continue to hope to sell in countries like China (see Apple iPhone a danger to China national security)—I still want to say, “Thank you Apple…seriously.”
Last night was part two of the PBS Frontline program called United States of Secrets. It was one of the best, most thorough overviews of what is going on with the NSA’s vacuum surveillance that I’ve ever seen.
You owe it to yourself, and the future of our children, to be aware of what’s going on.
NSA Finally In The Light
I’ve been deeply concerned about the massive, sweeping surveillance going on for over TEN YEARS! Whenever I bring up this topic (and online security in general) too many of my family and friends just shrug and say, “Oh well.” Frankly, I just don’t understand why most people don’t seem all that concerned about our fundamental erosion of liberty caused by the NSA’s mass surveillance.
Thankfully the Edward Snowden whistleblowing finally shined a light on what I intrinsically knew was going on shortly after 9/11 (see Snowden’s revelations and the overall controversy at The Guardian’s NSA Files website section). Yes, I feel vindicated for my paranoia but that attestation is not something I longed for…instead I hoped the government’s drive to classify their constitutional violations and illegal activities as “keeping America safe from terrorism” would stop.
Unfortunately that whistleblowing has made it increasingly hard for companies who sell their technology outside of the United States. For example, the NSA was inserting hardware in Cisco routers which caused CEO John Chambers to write a letter to President Obama asking for it to cease…now.
One of the podcasts I listen to regularly is Security Now, a TWiT show. Every one of these shows (as well as many of the shows on the TWiT network) finds me learning a great deal that I use personally, for my company, or my own “Security Tip of the Week” on the Minnov8 Gang Podcast. To say I find Steve Gibson and Leo Laporte knowledgeable, trustworthy and reliable is an understatement — and I’ve taken to extending those feelings to their advertisers — since Leo continually touts the fact that he only supports advertisers he vets and actually uses.
But I think these guys either had a lapse when it comes to the VPN provider proXPN, or they have never signed up for a trial period with this vendor and then tried to cancel the account during that trial period (which I now suggest they have a TWiT staffer do for EVERY potential advertiser).
Making it hard to cancel is the oldest trick in the book to get some percentage of people to pay when you charge their credit card immediately and then make them jump through a bunch of hoops to cancel and get a refund. Here is what happened and why I strongly caution you to consider another vendor for your VPN services:
Would it be OK for the government to collect all of your private data in one place, share it between agencies, enable companies to send anything “suspicious” to our intelligence agencies, all in the name of keeping us “safe?” What if your Facebook friends and photos you post were collected and sent to the government by Facebook? What if your internet provider (e.g., Comcast, Time Warner) or mobile provider (e.g., AT&T, Verizon) intercepted and sent your check-ins, photos posted, emails sent, websites visited and all your digital traffic to a government intelligence agency?
It’s happening now and a bill, CISPA, will only make it easier.
CISPA, the Cyber Intelligence Sharing and Protection Act, has been reintroduced in the House of Representatives. It’s the contentious bill that would provide a poorly-defined “cybersecurity” exception to existing privacy law. CISPA offers broad immunities to companies who choose to share data with government agencies — including the private communications of users — in the name of cybersecurity. It also creates avenues for companies to share data with any federal agencies, including military intelligence agencies like the National Security Agency.
Andrew Couts at Digital Trends — a refreshingly pragmatic voice in technology — pointed out in this article All You Need to Know about Washington’s Big Cybersecurity Push that this CISPA bill isn’t horrible, just far too incomplete.
The problem with CISPA—and many of these Washington knee-jerk “homeland security” legislative reactions—is that the legislation itself has far too many holes in it, the obvious potential for abuse exists with the usual lack of strong oversight, and companies have been granted immunity (just like AT&T was in the ongoing NSA Warrantless Wiretapping fiasco) so there are no checks-and-balances on them either.
As an aside, if you don’t know about the NSA $2 billion plus data center nearing completion you should. Read this Wired article from last April and it will make you stop-and-think about what the government might do with all the data they’ll increasingly have access to if CISPA passes as-is: The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say). It always amazes me that the gun-nuts out there are SO concerned about their 2nd amendment rights being taken away but are either clueless, too stupid, or not bothered to become aware of the fundamental Constitutional rights U.S. citizens have already lost…and continue to lose bit-by-bit.
Couts said this in his article:
Like Obama’s cybersecurity order, CISPA’s primary aim is to increase the sharing of cyber threat information (or CTI, as the cool kids call it). Unlike Obama’s order, however, CISPA allows the sharing of information in both directions – from government to business, and vice versa. Sharing is not required by the law, but it is allowed.
CISPA also provides broad legal immunity to companies that collect and share CTI with the federal government, as long as they do so “in good faith” – which might mean businesses can’t be sued or charged with crimes for collecting and sharing CTI under CISPA. Furthermore, CISPA shields the shared CTI from transparency mechanisms, like the Freedom of Information Act (FOIA).
Read the full text of CISPA here: PDF.
HOW TO OPPOSE CISPA (it’s really easy and fast to do so): That’s why I oppose this legislation. Since I’m a member of the Electronic Frontier Foundation (EFF) I was particularly pleased that they made it extremely simple and fast to send a letter to your congressional representatives. You can do so here and it will take 2-5 minutes.