Last year at Black Hat we had an interesting conversation with Tammy Moskites from Venafi. Although Tammy is both the CIO and CISO of Venafi the conversation did not focus on that company or the product as a whole. Instead we talked at length about trust and controlling the keys to data and devices. This conversation is still a very important one as continue to see attacks and vulnerabilities in the systems that control access to and the encryption of important data.
In the war against (yes against) encryption there are many things to hide behind. One of the most frequently used is that criminals will use it to mask their dastardly deeds. The term criminal is, of course interchangeable with just about any other popular bad guy; pedophile, drug dealer, terrorist…. You know the list. Anytime there is even a hint that one of these media boogeymen used some sort of encryption, we hear that law enforcement and the government need to be able to break encryption.
In the fast paced and insanely stupid argument between privacy advocates and national security advocates we often hear how we need to give up one or the other. The security guys say that privacy will block criminal activity so we need to give up some of that. On the other side the Privacy gang feels that giving up privacy is only hurting the people that are not doing anything wrong. They also feel it has an impact on free speech and limits discourse. What neither side is getting is that they both are right. Strong privacy protections and encryption allow for better and more secure communication. The complement each other in a way that no one seems to get.
Last year at Black Hat USA 2014 we met up with a company that was looking to make some changes in the way we protect our data, Ionic Security. The concept was very simple, but the implementation was sure to be complex. I was not sure that what they wanted to accomplish could even happen. However, after a conversation with them I became more than interested. It was a simple concept, but it did not need to be overly complex. To make things even more interesting this was not a truly new idea, but it was one that had never been implemented for real data security.
Edward Snowden is the gift that keeps on giving. After walking out on the NSA with a ton of secret documents detailing the extent that the agency and their partners were digging into ordinary people’s lives he started to release them. Even after the first and very damaging release of documents Snowden promised that there was more and worse to come. We have seen some pretty bad things coming from the classified document stash including a report that was recently published by Der Speigel.
Apple is truly ramping up the PR machine and has even managed to get a few people in government to make some rather outrageous statements on the new phone and iOS 8. One of the new stories going around is about how the new iPhone and iOS8 are suddenly “NSA Proof” because they have added data encryption. The fallacy of this claim is almost beyond belief and shows once again that most in the technical press have absolutely no memory.
DEF CON 22, Las Vegas, NV 2014 - Yesterday at DEF CON we had the chance to listen to Christopher Soghoian, Principal Technologist, American Civil Liberties Union talk about the state of the surveillance state and how we can help fight against it. Of course you might think that his talk would be about the use of spy proof technologies, but oddly enough very little of that was talked about except to make it clear that talk of spy-proof technology makes people in Washington nervous.
In the late-90s the world was shocked when a single collection of code was able to destroy a number of computers through malicious instructions. Named Chernobyl (or CIH and Spacefilter) this virus was able to overwrite data and even the BIOS on systems. It infected around 60 million computers and cuase upwards of $1 billion in damages around the world. Although there were other viruses before this nasty bug hit the scene, CIH was the start of the anti-malware commercial machine. It was not until after CIH that we really saw companies spring from the ground offering protection from future events like CIH.
There is a lot of information flying around the internet about security this month. Much of this is due to the looming Black Hat and DEF CON conferences that kick off in August. While many of the articles hitting the net are malware centric we are hearing about a few more that punch more than a few holes in the security of some very popular devices. We have seen Blackberry poke at Samsung and their Knox secure phone layer and vice versa. The biggest one that we have seen is the 58 page document published by security expert Jonathan Zdiarski about the iPhone.
As we have reported on multiple occasions, Microsoft is working very hard to change the way that people see them. There are many reasons that they need to do this and it is a job that is not going to happen overnight. This has been a big part of what new CEO Satya Nadella has been doing since he took the top job at Microsoft. After changing the push for the Xbox One and Windows they are now trying to overcome the stigma dropped on them by Edward Snowden’s revelations of complicity with the NSA.