Human Rights

We have always been at war with crypto

The dream of the 90s is alive

As we debate "responsible encryption," here is a long scroll of pull quotes from the previous incarnations of the Crypto Wars. If you're concerned about this, donate to the EFF -- they've always been there, fighting this insanity back.

1995

"Opposing Clipper is an odd pairing of civil liberties activists and corporations. The activists worry that the government could have too much access to private exchanges. Companies have chafed at export restrictions that stop them from using the best encryption technologies in products they sell abroad. … Companies would rather include many different encryption technologies in the products they sell and don't want to be locked into government-approved hardware. They also point out that their customers overseas are unlikely to want to use the Clipper lock knowing that the U.S. government holds the keys."
-- https://www.washingtonpost.com/archive/business/1995/03/16/three-ways-t…

Entropy Story-time: From Claude Shannon to Equifax

Mix Two Colors / Pietro Jeng

There's a piece floating around that does a great, succinct job of summarizing Claude Shannon's contributions to our modern understanding of information. If you haven't read The bit bomb on Aeon, head over there. It'll make your brain happy with things like this:

"Shannon – mathematician, American, jazz fanatic, juggling enthusiast – is the founder of information theory, and the architect of our digital world. It was Shannon’s paper ‘A Mathematical Theory of Communication’ (1948) that introduced the bit, an objective measure of how much information a message contains."

The article digs deep into how easy it is to predict things - especially language. It ends up focusing on how pattern detection makes it possible to compress information:

"Shannon expanded this point by turning to a pulpy Raymond Chandler detective story […] He flipped to a random passage … then read out letter by letter to his wife, Betty. Her role was to guess each subsequent letter […] Betty's job grew progressively easier as context accumulated […] a phrase beginning 'a small oblong reading lamp on the' is very likely to be followed by one of two letters: D, or Betty's first guess, T (presumably for 'table'). In a zero-redundancy language using our alphabet, Betty would have had only a 1-in-26 chance of guessing correctly; in our language, by contrast, her odds were closer to 1-in-2."
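Shannon's guessing game from the passage above, as an added example that is not from the Aeon piece or this post: it trains a simple back-off letter predictor on a constructed English snippet, plays Betty's game over a sentence, and compares her first-guess rate and the entropy bound taken from her guess counts against the 1-in-26 odds and log2(26) bits of a zero-redundancy alphabet. The corpus text, class and function names are my own assumptions.

```python
import math
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz "  # 26 letters plus space

# Constructed sample text standing in for the English that Betty knew.
CORPUS = ("the detective turned on a small oblong reading lamp on the table "
          "and sat down to read the letter a second time in the quiet room "
          "the lamp on the table was the only light in the house that night")

def normalise(text):  # keep only lowercase letters and spaces
    return "".join(c for c in text.lower() if c in ALPHABET)

class LetterGuesser:
    # Ranks the next letter from up to `order` preceding letters, backing off
    # to shorter contexts (and finally raw letter frequency) when unseen.
    def __init__(self, corpus, order=3):
        self.order = order
        self.tables = [defaultdict(Counter) for _ in range(order + 1)]
        t = normalise(corpus)
        for i in range(len(t)):
            for k in range(order + 1):
                if i - k < 0:
                    break
                self.tables[k][t[i - k:i]][t[i]] += 1

    def ranked_guesses(self, context):
        ranked = []
        for k in range(min(self.order, len(context)), -1, -1):
            for ch, _ in self.tables[k][context[len(context) - k:]].most_common():
                if ch not in ranked:
                    ranked.append(ch)
        return ranked + [ch for ch in ALPHABET if ch not in ranked]  # unseen last

    def play(self, text):
        # Guesses Betty needs per letter (1 = right first time, 27 = worst case).
        t = normalise(text)
        return [self.ranked_guesses(t[max(0, i - self.order):i]).index(ch) + 1
                for i, ch in enumerate(t)]

def first_guess_rate(guesses):
    return sum(g == 1 for g in guesses) / len(guesses)

def uniform_entropy_bits(alphabet_size=26):
    # Zero-redundancy alphabet: every letter equally likely, log2(26) ~ 4.7 bits.
    return math.log2(alphabet_size)

def guess_entropy_bits(guesses):
    # Entropy of the guess-count distribution: Shannon's upper bound on bits per letter.
    n = len(guesses)
    return -sum(c / n * math.log2(c / n) for c in Counter(guesses).values())
```

Running `LetterGuesser(CORPUS).play("a small oblong reading lamp on the table")` gives the per-letter guess counts; feed them to `first_guess_rate` and `guess_entropy_bits` to see how far below 1/26 and 4.7 bits a reader who knows the language lands.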

Let's talk about PGP

I've been working on a new way to explain email encryption; I'd appreciate feedback on this approach. If you're looking to try email encryption out - buy me a beer (or let me buy you one) if we're in the same place, or check out the usable, in-browser work by Mailvelope.

New GPG Keys!

I am transitioning both my professional and personal GPG keys. This transition document (in full, below) and both updated keys are signed with both old and new keys for both personal and professional accounts to validate the transition.

In short:
[email protected] - new keyID 270C17F1
[email protected] - new keyID FDDB8C25

If this is all Greek to you, GPG (or PGP) is a way to encrypt your email so that only other specific people (who must also be using GPG) are able to read it. While we think of email like regular mail, with a level of privacy like something in an envelope, the reality is that it's better to compare it to a postcard. If you're interested in getting started, I highly recommend EFF's excellent PGP guide, and Mailvelope is a super-easy browser plugin to help get you started with more secure webmail (it works great, for example, with Gmail).

On Piracy

Now, there are many problems in the world of digital security - from governments around the world undermining privacy technology or firewalling their citizens off from information, to valiant but underfunded security tools that only have the time to focus on keeping the tool safe, not on making it easy to use. Some of these problems are rather significant, some are more approachable, but there remains a hidden problem, so pervasive and pernicious that it undermines all of our good work in bringing usable, human-centered privacy and security tools to wider audiences.

A Recent History of Back Doored Encryption, in 4 links

TSA Keys, 3D-printed

This is partially a footnotes section from last week's Crypto Saves Lives post, but every week brings new stories, and this week was a doozy. So, let's recap the whole "backdoored crypto / secret golden keys can work" argument:

Claims:

(1) We can protect private information

*Cough* OPM *Cough*

Update: "Security bloggers and researchers claim to have uncovered a publicly available database exposing the personal information of 191 million voters on the Internet. The information contains voters’ names, home addresses, voter IDs, phone numbers and date of birth, as well as political affiliations and a detailed voting history since 2000."

(2) Well, we are really good at protecting super-important crypto keys that only give good guys access.

So, those luggage locks with a "golden key", now required world-wide, that only trained TSA agents can pop open? Yeah, about that... TSA's master key set was allowed to be photographed, and while that photo was quickly taken off the internet, the damage was done. Anyone can now 3D print completely functional TSA keys.

(3) Besides, adding a backdoor won't cause problems!


Encryption saves lives

There are many great arguments to protect truly private communications from a human rights perspective, and specifically through a Constitutional lens -- restoring the privacy of having a conversation in your living room and having your personal records stay personal are core First and Fourth Amendment rights which have suffered greatly in the digital age.

My work takes me around the world to support journalists, human rights activists, and a wide variety of amazing people working to improve the world. They are all facing incredible threats posed by powerful actors. These adversaries use malware, hacking, and all forms of digital attacks to compromise the networks of activists.

Open source, trusted, strong cryptographic tools -- and increasingly, trusted commercial systems such as Google's -- are their only available defense, in situations where failure can include targeted harassment, indefinite imprisonment, torture, and even death.

Encryption saves lives.

Let's talk about Organizational Security.

SAFETAG Logo

I have a piece up on Medium about our SAFETAG project. It's a project that a colleague and I have spent countless hours building out, focused on working with small non-profits to assess their risks and providing a framework for them to think critically about what really matters to their work, and how to most reasonably address those risks based on potential impact, the real likelihood of it happening, and their capacity to change digital security practices.

It continues to be very rewarding work, and our tiny team has gotten to see a lot of amazing changes take place in the organizations which have been audited through this process. Anyhow. Check out our piece on Medium: https://medium.com/local-voices-global-change/meet-safetag-helping-non-… , but also take a look at the framework itself at SAFETAG.org. It's an open source framework, and we'd love to see questions and commits over on our GitHub repository!

5 Headlines about buzzfeed you never expected to read!

So, via @runasand, I learn that Buzzfeed's writers have PGP keys:

"I hear all @BuzzFeed journalists have the ability to send encrypted emails. Wonder when we'll see this in other newsrooms." — Runa A. Sandvik (@runasand), September 15, 2015

I cannot express in mere words how happy this makes me, in the world of normalizing real people having the ability to send actually secure email (especially to journalists!). PGP's various implementations get a lot of heat for their lack of usability, and the process itself, even with a theoretically super-easy interface, is still a complex set of ideas to understand and use in your normal communications. So every organization I see that is willing to tackle this head-on, and (hopefully!) have internal champions, mentors, support, training, and drinking games (I presume) to really encourage adoption is a huge win, be that a 3-person organization or a 100-person organization.

Still, I can't help myself:

"All of Buzzfeed's PGP Keys -- you won't believe the last one!" (Sorry, I cannot help myself) https://pgp.mit.edu/pks/lookup?search=%40buzzfeed.com&op=index

"Buzzfeed journalists can send encrypted emails -- but why they send them will blow your mind!"

"Top 10 passwords buzzfeed journalists use for PGP -- #8 will drive you crazy!"

"3 pieces of metadata not protected by encrypted emails you'd never guess!"

"5 attachments you never thought you'd be able to send encrypted to buzzfeed!"
