Go home Yahoo, you’re drunk (part trois)

Yahoo has had another hack. Yes, another. No, not the one announced about two months ago for 500 million accounts (that hack occurred in 2014). This hack is one billion (which occurred in 2013). No, this isn’t just more of the tally for the one with 500 million. Confused yet? If you’re still using Yahoo for anything, then I’m confused too.

Long story, short: Yahoo discovered another hack of one billion of their accounts (they seriously have that many?… they can’t all be active accounts… seriously). Yahoo doesn’t know yet how this one happened. (Judging from all the previous hacks, can we just file this under Competency and move along? -Ed) Some sources cite that spammers have purchased this hack database for $300,000. At least, we think the dollar figure is attached to the one billion account database. Yahoo has had so many hacks lately, they’re starting to all blur together like a slurry of ‘Here’s how not to do things’ reports.

Makes folks wonder if Verizon is sticking around with this potential merger thing in the hopes it gets so bad that Yahoo pays them to acquire the company.

All jokes aside: change your password for Yahoo. And, change that same password you use everywhere else even though you know you’re supposed to use a separate password for each account but you haven’t gotten around to setting up KeePass or LastPass. Or, close your Yahoo account. And probably set up KeePass or LastPass.

Or, y’know, all of the above.

Advertisements

Death of the Constitution, thanks

Funny, I didn’t think I’d be old enough to see the dystopian future become the dystopian present.

The likely candidate for the head of the CIA, Mike Pompeo, states “The use of strong encryption in personal communications may itself be a red flag,” according to Motherboard. Notwithstanding that just about every politician uses encrypted communications in both work and personal mediums (they’ve been red-flagged for years, right?), this is a dangerous stance on a number of levels. The view that private communication should be subject to the Chilling Effect, and that the First Amendment may no longer hold weight in his eyes is troubling.

Further, this stance (oft repeated by other politicians and alphabet soup agencies) indicates that metadata is no longer sufficient for their appetite. Ever wanting more (more power, move over-reach, more control, more room to operate outside the law), simply collecting metadata on millions of U.S. citizens not under any investigation or suspect of any crime is not enough. They now want content.

Not to anyone’s surprise, the government now wants to know who you talk to, and when, and for how long, and how many times, but also what you say. And what will be the next step when the content isn’t enough to satiate their hunger for more?

This has to end.

The rampant disregard for personal freedom, for the Constitution and the Bill of Rights, and the notion that the government and law enforcement are above the law has to stop. Ever increasing is the fact it’s You The People, not We The People.

I am able to write this blog thanks to the First Amendment. The First Amendment holds five freedoms: freedom of speech, the press, religion, peaceful assembly and to petition the government. These freedoms weren’t included as the 21st Amendment, or the Tenth, or the Third. It was the very first, and thus most important, documentation of specific freedoms every citizen of the United States owns.

I use the word owns specifically here – we own them from the debt paid by the founding forefathers and from veterans and from all that has come before in America. Bought and paid for with work, blood, war, sweat and tears. It was a heavy price paid. And it will not be stolen or bartered or de-valued by those corrupt officials that believe the laws of this country are their door mat.

Featured image blended by BitMerc.

Loading…

The election has come and gone (mercifully), and to the shock of some parts in the country there was a winner and a loser. Shocking. Curiously, that’s usually how an election goes. Someone wins, and someone loses. There are no Certificates of Completion or Attendance Ribbons. Everyone can’t be a winner. You are not a special little snowflake.

I don’t really have any emotional attachment to either the winner or the loser of this election. They were the two worst candidates I’ve seen in over four decades. It was like trying to decide between dying by lethal injection or the electric chair. No matter which you pick, you aren’t going to be feeling all that great at the end of the cycle. Besides, I don’t trust anyone in government, anyway.

It’s funny how people are rushing to encrypt their emails and messages now after the election. Like the thought didn’t occur to them prior to November 8? Is their content now suddenly secret? They think the government wasn’t reading them on November 7? Do tell – inquiring minds want to know…

In far lighter news, Watch_Dogs 2 releases in a tick over 24 hours. So, woot for that and all. And, A Tribe Called Quest dropped a new record on Friday, much to my surprise and delight. It’s called We Got It From Here – Thank You 4 Your Service, in case you were wondering. The second track “We the People” is particularly good, methinks.

That’s about all fit for publication. There’s plenty more going on here, but … again… “fit for publication.”

Deuces.

Featured image used with permission from JokieGameplay

The lowdown on encryption

We need to talk about encryption and data safety. Yes, encryption can be complicated at times. The effort is certainly worth it and, in today’s state of affairs with mass surveillance, the effort is almost mandatory. Hackers abound, alphabet agencies and First World governments are bulk collecting, and even for-profit companies are trading in consumer data and profiles like they are baseball cards.

This post isn’t going to go into the fathom depths of technicalities. Encryption is my job, however, and it has quickly become a hobby as I see data stolen, sifted and traded in the 21st Century. We are going to fracture the whole of encryption into three separate pieces in order to categorize and discuss them. These are proprietary, open-source , and end-to-end encryption. No, these categories aren’t on the same plane, nor are they mutually exclusive of each other. But they serve our discussion for today.

PROTIP: You never have, nor will you ever, read on this blog anything regarding “military-grade encryption.” The reason for this is elementary: it’s bullshit. There is no such thing as military-grade encryption – there are military standards for encryption levels, and those levels are available to everyone on the Internet. If you ever hear someone talk about it seriously, walk away. If you read about it online, close the tab and never go back. Military-grade encryption is not a special program or service available only to the military. Anyone that tries to sell products or services as such are either grossly inept at encryption or are not on the level about their products. I would insta-distrust someone if they used that term.

Encryption methods are either proprietary or open-source code. Proprietary means closed-source. That is, it is developed as copyrighted methods or products, and its code (or, source) is closed for inspection or public view. Think of KFC’s chicken recipe or Coke. You know what the product is and what it does, but you don’t and won’t ever know what exactly goes into making it. Microsoft’s BitLocker encryption that is part of Windows Professional operating systems or Enterprise editions is a prime example. Does BitLocker encryption work? Absolutely. Is it good enough to stop hackers if your computer is physically stolen? You bet. Good enough to be a safe harbor for HIPAA protection of Protected Health Information? Sure is. Able to stop the NSA? Not a chance.

It’s the last bit of the preceding paragraph that should grab you. It won’t stop a government from accessing your data. Microsoft builds the encryption into the operating system, and not around it as an outer shell. Microsoft may or may not have back doors built into it. The public won’t ever know, because the public can’t view the source to inspect with certainty for back doors. So if it can’t be proven no back doors exist, then the possibility (even if not probability) exists.

Is that to say proprietary encryption has no use? Certainly not. BitLocker is fast with little to no overhead on the computer’s boot times or resources. In many cases, it’s good enough. ProtonMail, encrypted email based in Switzerland, is the same. There are plenty of times when ProtonMail is sufficient for emailing colleagues.

security-265130_960_720

The converse to proprietary is open-source. By definition, open-source means the source code (or, recipe) is open for any and all to view, modify for their own use, or fork and make a branch to create their own version based on the original source (with some caveats like it has to stay open-source or you have to attribute the original code, etc.). The now-abandoned TrueCrypt is/was an open-source encryption program. VeraCrypt is a fork of TrueCrypt, and a current open-source encryption program still maintained and quite the successor. I have personally read through the source code of VeraCrypt version 1.16 as well as version 1.18a (as of this post, the current version). GPG encryption (for email, as well as data) is another open-source example

The benefit with open-source code is two-fold: the public at large can inspect it to look for holes or bugs; and the public’s scrutiny for bugs aids the developer and strengthens the code overall.

Finally, the discussion needs to include end-to-end encryption. This is when a message is encrypted by the sending party before transmission occurs, and is only decrypted after the recipient receives the message and has it on a device. The importance here is that no party in between the sender and recipient can open the encryption (telcomm, Internet Service Provider, software maker, etc.). Skype uses end-to-end encryption, as do many other messaging services like Wickr, WhatsApp, iMessage, Signal, ProtonMail and others.

So end-to-end encryption is the silver bullet, right? Unfortunately, no. End-to-end encryption can be susceptible to man-in-the-middle attacks, spoofing the sender or recipient, and a host of endpoint security issues (if the sending or receiving device has been compromised before the message was sent or received). But overall, end-to-end encryption can be very strong…

IF…

The main caveat to end-to-end encryption is one of the other fractions previously discussed: proprietary software. Skype is a messaging service with end-to-end encryption. But, what if Microsoft can open that message with a backdoor on a whim from an NSA request? End-to-end encryption means nothing at that point. Strong encryption uses open-source software with very long, random passwords to lock it. Strongly encrypted messages must further employ open-source encryption with end-to-end encryption. When emailing or instant messaging critical data, both end-to-end and open-source encryption must be used, along with good endpoint (device) security and strong security methods (no reuse of passwords, no sharing of passwords, no malware infections on the endpoint, etc.).

That means the strongest encrypted email would have to use open-source encryption and end-to-end methods. This is why GPG encryption methods are preferred for email. But, you have to have the technical know-how to generate your own private keys (to encrypt your data) and public keys (so others can encrypt data to send you). Both private and public keys are required to unlock GPG encryption emails. If a reader were to send me a GPG-encrypted email, they would have to use their private key and my public key to encrypt it. That way, only they and I can open or read it. No other private or public keys will work. Conversely, to send them a GPG-encrypted email, I would use my private key and their public key. What if I didn’t already have their public key? I couldn’t send them a GPG-encrypted email. Public key exchanges are a prerequisite to GPG-encrypted emails. This is why you see more and more journalists post their public keys in their signature lines of their online articles, to facilitate receiving truly encrypted emails from someone.

If you are interested in setting up your own GPG keys and encyrption, download GPG4Win (with Kleopatra already built in) to create your keys and Mozilla’s Thunderbird email client with the add-on EnigMail to send/receive and use GPG keys. Protip: when creating GPG keys, never forget to set an expiration date on the key (meaning, it’s good forever). EVER! And, don’t accidentally give out your private key when you mean to give out your public key. 

My public key for my email address of c [dot] robertson95 [at] gmail [dot] com is: 6894 4162 AD3B D3AF 43BD 37E7 CE20 34C2 0395 040F

No, you can’t have my primary secure email address(es) :p

Featured image used under CC license from Pixabay.com

Yahoo is at it again, part deux

Reuters.com recently reported Yahoo “helped US spies scan all its emails in real time for a single phrase.” By “helped” the article details that Yahoo wrote a custom program or script or algorithm to search real-time for a specific trigger (read: key word or phrase) in all incoming emails and attachments. Yahoo then placed discovered emails onto a server for the intelligence agency to later collect. The Reuters article suggests this is the first recording a “U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages” and ultimately led to the departure of then CISO Alex Stamos.

What are the ramifications?

First, this wouldn’t be simply the first time a U.S.-based tech company agreed to search incoming emails for a surveillance/intelligence agency. It would be the first time on record of a U.S.-based, private corporation, that is also a (relatively) large tech giant with millions of users, did the surveillance work for the intelligence agency instead of just handing over raw data or building back doors or looking the other way. Yahoo stepped up and did the dirty work for the U.S. government agency, handing over the results after the search was concluded. It’s not enough that the NSA and FBI are pillaging the rights of American citizens who are not under investigation and that have committed no crime. Now a global tech company is the lapdog of Big Brother and doing the bully work for them.

Additionally, the official response from Yahoo was “Yahoo is a law abiding company, and complies with the laws of the United States.” (-source) (Protip to Yahoo PR jockeys: “law abiding company” is a compound adjective/modifier and should be hyphenated to law-abiding company as shown here and here and here and here. But I do understand… Yahoo has way bigger issues than grammar at present.) Was there a warrant issued to Yahoo for this work/spying/invasion to be commissioned? Was there a public record court order issued to Yahoo to comply with this demand or request? If not, then Yahoo at large is stating publicly that U.S. Intelligence officials are now lawmakers. By Yahoo’s corporate logic, the NSA and FBI et al can simply make a request or demand and it is law. It. Is. Law.

jackie-chan-wtf

Intelligence agencies are not the law, nor are they lawmakers. To the contrary, the NSA has repeatedly shown disregard for the laws by trampling the Constitution (a document that, in fact, IS THE LAW) and the Fourth Amendment. Several other large tech companies (Microsoft, Apple, Facebook and Google) demonstrated fairly well, at least publicly and in this situation, to not have their collective heads up their posteriors by stating none of these firms would simply abide by the request without fighting the demands in court.

If Yahoo.com users didn’t already have enough reasons to drop Yahoo services like a bag of hammers, this should be the Falcon Punch Killing Blow. If Verizon doesn’t run for the hills… well, stranger things have happened. Dumber things, too. But this should be a wake-up call (or, reminder) to tech companies everywhere as well as Internet users: your data isn’t safe just because you assume it is or because it’s in the hands of another company, large or small. The only data that is safe is data that is encrypted. And, that may not even be enough.

Advertisements