A couple of weeks ago on SysAdmin day, I was speaking with a favorite sysadmin and the conversation turned to encryption. Yes, if you hang out with a sysadmin and a security guy, the conversation is that interesting. (Insert yawn here.)
Encryption is the method used to scramble the contents of a file or an entire disk so that it is unreadable to anyone who does not have the decryption password.
While there are different encryption “strengths” that you can use, most of the commercially available products on the market offer encryption that is strong enough that most criminals cannot unscramble or undo the encryption.
In fact the criminals now use encryption in their own operations.
Ransomware, for instance, encrypts your files and demands payment for the decryption key. Even some police organizations have resorted to paying the ransom.
The sysadmin I was chatting with did not believe in the power of encryption. As far as he was concerned, the big government organizations (NSA, FBI, GCHQ, and those types) have already figured out how to break all of the encryption. That type of mindset is not just simple paranoia, it is ADVANCED paranoia!
This is a general problem in the security industry. We want to educate our users about good security, but we sometimes lose sight of what we are really trying to accomplish. If we want to teach folks how to protect their data with encryption, it is counter-productive to then go off the extreme edge about how a government agency can break any encryption.
Don’t encrypt your data because you’re worried that a government will access it. Encrypt it so when you accidentally lose your laptop or portable USB drive, the person who finds it cannot simply read all your private, sensitive information.
I am not myopic. I know that the big government entities can find something incriminating about all of us if they are in a “prosecutorial mood”. After all, all they have to do is turn on the microphone on my cell phone to hear my version of automobile commuter karaoke – hours worth of entertainment.
The commercial products available, such as PGP and even Microsoft’s BitLocker, do an excellent job of protecting your data from prying eyes. (While there are free encryption tools available, my personal recommendation is that you use one that offers good support, just in case you need assistance with it.)
Most of the products are easy to use and require little technical expertise to get set up and running. Of course, I am moderately paranoid, so I recommend you encrypt your entire hard disk rather than just individual files.
Protect your data, and let’s keep singing in our cars to keep the Federal Agents entertained.
I have often read that emails are as easy to intercept and read as postcards. Is that true even though email accounts these days use https? Is it important to use a VPN while accessing the net through public wifi even though the sites you are visiting use https?
It isn't that simple.
You must understand that https is for websitee; when you're logging in to an email account over https, you're using what is called webmail (I do not use webmail for a variety of reasons including I run my own mail server with proper backup/secondaries). But mail is delivered and received by their own protocols. And often those aren't encrypted. Then you must consider that if the server (or any that are involved) is compromised, you can't be 100% sure of what has been seen or not.
Furthermore, and this is important to your second question, https has a lot of problems (even to the core); not to say it isn't good to have but don't consider it a 100% thing. And yes, as for VPN, you should use them but note that even they are not perfect and are still vulnerable to MiTM attacks (man in the middle) which has serious implications (change man to be 'computer or device controlled by a criminal', 'middle' meaning between the site you're connecting to and your own computer and then interpret it literally).
Thanks for the explanation.
Most important first:
"That type of mindset is not just simple paranoia, it is ADVANCED paranoia!"
NO. It IS NOT paranoia. It is DEFEATIST AND APATHETIC. Paranoia is something else entirely and is far more serious (look up paranoid ideation, delusions of persecution, etc.). Furthermore, those who are extra careful are not paranoid (but many say things like it is a healthy dose of paranoia – it isn't though, it is being aware that there are risks all around [you]); they are conscious of security (or whatever) and realistic. Again, that is something else (take a wild guess how I know know this, if you feel the need – I honestly don't deny it has plagued me because it is part of me nonetheless).
" (While there are free encryption tools available, my personal recommendation is that you use one that offers good support, just in case you need assistance with it.)"
Open source: GPG – it is widely used and this includes for signing packages (etc.). Plus, you can audit it yourself.
"The sysadmin I was chatting with did not believe in the power of encryption."
Yeah, and TELNET Is still the norm for remote login … right ? In fact, TELNET before RFC 2946 ( https://tools.ietf.org/html/rfc2946 – data encryption option) is still the best. Then again, since the option isn't widely supported in clients (or for that matter…), and since TELNET is long outdated (ever since SSH which is quite old now)… it doesn't really matter that much, whether encryption option is enabled or not. I would hate to see how he runs his system(s) and I sincerely hope he doesn't maintain a network! (I suppose, also, that he doesn't believe in encrypted passwords, and doesn't believe in anything except plaintext [forget ciphertext]! That is completely stupid, dangerous and irresponsible; encryption goes back centuries!)
"As far as he was concerned, the big government organizations (NSA, FBI, GCHQ, and those types) have already figured out how to break all of the encryption."
Yeah, and then they also have export restrictions and thus export-grade encryption. Which incidentally, they've been hit by this themselves (serves them right and frankly is nothing but expected).
I fully agree that the reason that most people should encrypt is to protect themselves from criminals. And this is what we should be telling people.
I disagree about governments' capabilities. I do not believe that the NSA and GCHQ can break most of the encryption we use. However, I do believe that they can go around it.
For example, FBI is fully capable of breaking into my home and tampering with my computers. And I have no intention of engaging in the kind of operational security needed to defend myself against such attacks. But I do believe that they would need to do something of that nature to deal with some of the "off the shelf" crypto that I use (such as my password manager or my full disk encryption).
My reason as an end user to use crypto is to make things much harder for criminals, should my data or machines fall into their possession. But because I don't know the differences in capabilities between, say the RBN and the NSA, I go for crypto that I presume no one can break.
But my reasons for using a very strong security design when it comes to developing products for end users is so that I have nothing useful about my customers worth capturing either by criminals or governments.
It's all about your personal threat model. If that includes the like of NSA/GCHQ then you're probably f***ed and should not use anything with a microchip.
Most people will just have to contend with wrong place/wrong time type situations as you say, making encryption a good call in the event you're unlucky and happen to get caught out in the game of life.