Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Battle Fronts in the Crypto War

or, These aren’t the droids apps you are looking for…

The Chinese government has passed new anti-terror legislation, drafts of which have been criticized for months due to broad language and massive privacy concerns. This legislation is a critical move in the global Crypto War – effectively giving the Chinese what the FBI has been seeking for well over a decade: a CALEA-style law that mandates providers be able to supply law enforcement with decrypted data. This means no end-to-end encryption; this means adding backdoors (even if they are called something different, they are still backdoors).

Who is really being targeted here?

Seeing a tweet talking about it, I started to comment on the need for open-source, easy to use, hard to censor communication tools – then I realized, that’s not what this is about. They couldn’t care less about open encryption tools; this isn’t about GPG, or Tor, or any of a thousand other tools. This is about iMessage, about WhatsApp, about a small number of widely used applications that are operated as a service and are (sometimes) secure by default.

As a developer and a contributor to open source projects, I’ll admit there is a bit of ego involved here – I’d like to think that something I could do would be enough of a threat to their surveillance programs that they’d care. But that’s not the case, and that isn’t the case for the vast majority of people. Unless you work for one of an exceedingly small number of companies, this doesn’t target your work.

The type of people who really care about security, about hiding their tracks will do so no matter what a government mandates – they will master the tools, they will understand the technology, they will understand the threats they face, and often go to great lengths to protect their identity. Then there’s everybody else.

The vast, and I do mean vast, majority of targets are not nearly so careful: they use only the easiest, most available tools, leak information at every step, and don’t fully understand how their enemy operates or how they would be attacked. They are paranoid about the wrong things, and blissfully ignorant of the most pressing threats.

For those that are going to put the effort into hiding, HUMINT is likely the only way they will be discovered. For the rest, all the work can be done from a desk: some behavioral analysis (likely fairly automated), some paperwork to gain access to their data, and done. A target identified without even leaving the office.

There is a long history of law enforcement using wiretaps to get easy answers – sometimes identifying those involved, other times verifying what actually happened (there is also a long history of abuse). Law enforcement has long sought to extend this ability beyond phone systems to every form of communication, regardless of medium or method of transport. With the advent of accessible encryption, a new complication was put in place that pushed them further away from this rich source of data.

Many in government see encryption the same way: it’s great, as long as we can easily get around it.

Laws like this are aimed at the majority of people who look for easy security, and expect it from a service provider such as Apple. It’s aimed at putting them under the same rules for backdoor access that telecommunications companies are under now. It doesn’t touch those that truly care about protecting themselves, but by adding new backdoors, it does put everyone else at risk.
