Government Surveillance, Time to Reform?


There has been a recent pushback against the government, with claims that it is infringing on the privacy rights of users. Eight companies, including AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo, co-authored a letter to President Obama stating their concerns. In this letter, the companies raised the issue of global interference with users’ internet accounts and argued that governments do need to protect their citizens, but not at the cost of civil liberties. Along with the letter, a website was created to raise awareness and call the government to action.

Request for Transparency

One of the biggest requests in the letter was for transparency. The website stated, “Governments should allow companies to publish the number and nature of government demands for user information.” Companies like Microsoft and Twitter recently announced further steps they are taking to make sure they use the most advanced forms of encryption to secure their users’ information. Transparency from the government is a great concern for users and companies worldwide.

Request for Clearer Framework

Another major request the website brought to the forefront was the need for a “robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty, or ‘MLAT,’ processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.” For example, it is well known that in our country we have more freedom when it comes to internet use than in other countries like China. An agreed-upon, transparent framework would avoid conflict between differing laws.

Request for Our Rights

The question that lies beneath all of this is: at what point will the rights of internet privacy and our constitution be respected? The open letter to Obama from the major companies states our constitutional right in regard to internet safety most accurately.

“We understand that governments have a duty to protect their citizens, but this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.”

In the words of Francois-Marie Arouet, better known as Voltaire, later reiterated by Uncle Ben to a soon-to-be superhero, “with great power, comes great responsibility.”



The 'Cryptopocolypse'

To return to a topic broached last week, this week an article by Patrick Lambert investigates the prospect of cryptography soon being made obsolete by our own advancing computing power.  Cryptography is used to secure data in the virtual world, be it stored locally or on the internet, by taking advantage of some simple yet unintuitive properties of mathematics and wrapping the data within them.  For a detailed look, you may also refer to our post earlier this month, which describes various aspects of the topic. The surface-level detail, however, is this: it is cryptography that allows us to protect our sensitive files, our personal data and our messages to others from prying eyes on the Internet, and without it, any data, anywhere on the net is fair game to anyone.

This is why the forthcoming moment when our computing power advances enough to easily crack any standard cryptographic practice in use right now is being called the ‘cryptopocalypse’.  In the event that this happens, all computer security would be rendered meaningless in an instant, and the reasons that this would be such a terrible and chaotic event need not be expounded upon.  Is there really a chance of this happening? The topic has long been debated by experts.

The initial threat against cryptographic algorithms is the ability to reverse them, which would allow someone with malicious intent to strip the encryption from data by running the mathematics used to create it backwards.  The entire cryptographic system is built on the idea that this is nearly impossible to do, and would take more guesses than any person has time for in a lifetime.  So why have a person make guess after guess for years on end, when a modern computer can do the same in a fraction of the time?  Computers are getting fast enough to ‘brute force’ the problem, that is, to make tremendous numbers of guesses per second as to what the sensitive data is.  The latest version of the ‘Hashcat’ password-cracking software, for example, now supports attacking passwords of up to 55 characters, and is capable of about eight billion guesses per second as to what that password is; it has previously been known to do well in cracking passwords of 15 characters.  What will the next update be capable of?

Read more

Password breaker successfully tackles 55 character sequences

Are we heading for a ‘cryptopocolypse’?

Microsoft Abandons Lesser Crypto Algorithm MD5

Microsoft is in the process of strengthening its security by retiring its use of an increasingly dated cryptographic hashing algorithm known as MD5.  You may recall from a previous post of ours that the purpose of hashing algorithms such as MD5 is to employ heavy mathematical principles to obscure and conceal data for use in sending and storing it securely, and also that not all those algorithms are alike.  The 160-bit SHA-1 algorithm, for example, is considered to be more secure than the 128-bit MD5, and SHA-256 even more so, continuing to SHA-512 and beyond.  The number of bits used by the algorithm has a direct correlation with the ease of cracking it, though as the computers used to crack them grow more and more powerful, previously effective algorithms progressively lose their effectiveness, until their security is trivial altogether.

Microsoft is well aware that this has happened to MD5, and so they appear to be hunting down and eliminating these lesser algorithms in their services.  Back in June, Microsoft set their new minimum key length of RSA keys to 1024 bits, and now, by striking out the use of MD5 in digital certificates, they’re seeking not only to enhance their cryptographic techniques, but to leave behind the now insecure ones as well.  The move comes in the form of a few security advisories released this week that state the following:

Security Advisory (2661254)

Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Security Advisory (2862973)

Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

The patches described, which appear to be optional, are available only for testing now, and are slated for deployment in February of 2014.
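
To see which certificates on a machine meet the two conditions the advisories name before the update is deployed, an administrator can inventory the local certificate stores. This is an added example, not Microsoft's tooling or code from the original post; the function name Get-WeakCertificateReason is hypothetical, and the script assumes Windows PowerShell 5.1 or later (.NET 4.6+).

```powershell
# Added example: inventory certificates matching the advisories' criteria.
# Thresholds are taken from the advisory text quoted above.
$MinRsaBits = 1024                      # advisory 2661254: RSA keys under 1024 bits
$Md5RsaOid  = '1.2.840.113549.1.1.4'    # md5WithRSAEncryption signature algorithm

function Get-WeakCertificateReason {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $reasons = @()

    # SignatureAlgorithm describes how the issuer signed this certificate.
    $sig = $Certificate.SignatureAlgorithm
    if ($sig.Value -eq $Md5RsaOid -or $sig.FriendlyName -match 'md5') {
        $reasons += 'MD5 signature hash'
    }

    # GetRSAPublicKey returns $null for non-RSA certificates (for example ECDSA).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($rsa) {
        if ($rsa.KeySize -lt $MinRsaBits) {
            $reasons += "RSA key of $($rsa.KeySize) bits"
        }
        $rsa.Dispose()
    }
    return $reasons
}

# Walk every store for the machine and the current user; the provider also
# returns store and location objects, so keep only certificates.
Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        $why = @(Get-WeakCertificateReason -Certificate $_)
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Store      = $_.PSParentPath -replace '^.*::', ''
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reasons    = $why -join '; '
            }
        }
    } | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
```

The script flags every MD5-signed certificate it finds, whereas the restriction in advisory 2862973 is limited to certificates issued under roots in the Microsoft root certificate program, so treat the output as a review list rather than a list of certificates the update will block.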