
Strong Encryption: A Necessity Not an Option


Lawyers and anyone else who has a commitment to security and privacy need to support strong encryption, despite the risk of its misuse by unsavory people.  The idea that we can give ready universal access to some people - i.e. law enforcement - and not others - i.e. hackers and foreign governments - is neither practical nor desirable.

If you want to give the government access on demand to encrypted data, you can do it one of two ways.  You can use weak encryption that the government can crack.  Unfortunately, that means that most other competent hackers can crack it as well.  Encryption algorithms are necessarily public.  One of the advantages of this is that you have a large research community working on detecting weaknesses and patching them before they are exploited.  However, it also means that people are going to figure out how to break them.  Putting a weak lock on your house so that the police can get in is not necessarily the best way to keep out burglars.

The other way to address the problem is through a "back door" or universal key.  The problem with a back door or a universal key is that if the wrong people obtain it, they have instant access to everyone's encrypted devices. And once a key hits the Internet, everyone will have it, and you will effectively nullify everyone's encryption in one fell swoop. As one might imagine, this does pose a problem for the security of financial transactions or personal privacy or even lawyer-client confidentiality.

It is foreseeable that terrorists could use encryption to kill people.  It is also true that terrorists can use trucks to transport loads of fertilizer and accelerant and blow up federal buildings.  Yet we do not hold Ford Motor Company liable for Timothy McVeigh's misuse of their truck, nor Monsanto for the misuse of their fertilizer, nor Exxon for the misuse of their petroleum.  Axes are designed for use on trees and need to be sharp; the fact that we need to contend with the occasional Lizzie Borden does not mean that we should keep them dull.

No sensible person would deny the horror of dying in a terrorist attack; there are few more searing moments than watching people jump from the twin towers.  In evaluating risk, however, one must evaluate probability as well as severity.  The fact is that you are more likely to die because your shelf of ornamental law books collapses and crushes you than you are to be killed in a terrorist attack.  We greatly exaggerate the risk of terrorism in light of its spectacular and well-publicized consequences; it is a classic example of a fallacy based on emotional appeal and the availability heuristic.  It is the same kind of reasoning that makes people erroneously believe that we are safer in a car than an airplane.

All of life is a matter of playing the odds and evaluating costs and benefits.  In my view, the benefits of secure information and privacy outweigh the remote risk that I might be killed because the police were not able to crack an iPhone of a potential terrorist whom they had identified before the fact and intercepted based on the communications in the phone. Or to invoke Benjamin Franklin's oft-quoted words, "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety."

 

 

 


Government and Media Stumble on Keeping Data Safe


Nice article from the Washington Post, but as usual governments and the media are behind. As anyone who is paying attention knows, length is only one variable in creating entropy, and randomization (as opposed to patterns) is also important. See, for example, Diceware.  In addition, the RANDOM inclusion of special characters, numbers, capitals, upper case and lower case increases entropy by creating a greater number of possible choices. Best password practice, as I understand it, is to use a long, random word password (see again Diceware) to protect a password manager (e.g. LastPass, 1Password, or KeePass) which contains long, unique, computer-generated passwords -- difficult to parse and virtually impossible to memorize -- coupled with two-factor authentication. No wonder it is so easy to hack the government.  Of course, there exist better alternatives to passwords altogether, such as SSH keys, but these are generally not widely available to individual users on typical workstations.
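The entropy comparison above, worked through as an added example (not from the original post): it maps five dice rolls to an index in a 7776-word Diceware list and computes how many uniformly random printable characters match a passphrase of a given length. The 94-character pool, the list being sorted by dice key, and the `w0000`-style stand-in word list are assumptions made for the demo.

```python
import math
import secrets

DICE_PER_WORD = 5                 # Diceware: five six-sided dice select one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 entries in a full Diceware list
PRINTABLE = 94                    # assumed pool: printable ASCII without space

def roll_to_index(rolls):
    """Map five dice rolls (each 1-6) to a 0-based index into a sorted list."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each 1-6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)   # treat the rolls as a base-6 number
    return index

def pick_words(wordlist, count):
    """Draw words uniformly using the OS CSPRNG, one simulated roll set each."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("Diceware needs a 7776-word list")
    words = []
    for _ in range(count):
        rolls = [secrets.randbelow(6) + 1 for _ in range(DICE_PER_WORD)]
        words.append(wordlist[roll_to_index(rolls)])
    return " ".join(words)

def entropy_bits(choices, picks):
    """Entropy of `picks` independent, uniform draws from `choices` options.
    Only valid for random selection; a human-chosen pattern has far less."""
    return picks * math.log2(choices)

def chars_to_match(words):
    """Random printable characters needed to reach the same entropy."""
    return math.ceil(entropy_bits(LIST_SIZE, words) / math.log2(PRINTABLE))

# Constructed stand-in list; a real Diceware list holds memorable words.
DEMO_LIST = [f"w{i:04d}" for i in range(LIST_SIZE)]

if __name__ == "__main__":
    print(pick_words(DEMO_LIST, 6))
    for n in (4, 6, 8):
        print(n, "words:", round(entropy_bits(LIST_SIZE, n), 1), "bits, like",
              chars_to_match(n), "random printable characters")
```
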

Not to mention that any sane person would use strong encryption for storage and communications, but inexplicably, manufacturers are just beginning to build it in and most people are not sane. For secure communications, one is probably much better off using something like WhatsApp than email, but we really can't get away from email, can we? Especially for archival purposes. (For email encryption, I offer my clients Virtru, S/MIME, and PGP.) My top choices for storage of data online are Tresorit and OneDrive for Business, in that order. (My personal impression is that Tresorit is more secure but OneDrive for Business is (generally) more convenient, since it integrates seamlessly with Microsoft Office). Of course, it doesn't really much matter in some ways, because all of our personal data is already in the cloud anyway, so much so that marketers can tell a woman is pregnant even before she is aware of it. See Dataclysm.


Secure Your Laptop

UPDATE 6/1/2014

TrueCrypt is no longer a secure alternative for encryption. See Why TrueCrypt Is No Longer a Choice

 

 

In an age that loudly proclaims the death of privacy, there are still some things one prefers to keep to oneself; and the contents of one's laptop are likely to be among them.  Financial records, medical correspondence, and legal communications are among the potentially legitimate but sensitive information one might carry on one's laptop.  And despite close attention and careful precautions, laptops sometimes get lost or stolen.  Under these circumstances, an account password is not enough to keep data safe.  Fortunately, however, full disk encryption is now easier to implement than ever.

One longtime popular implementation of disk encryption is TrueCrypt, which has the advantages of being a free, independent, third-party application whose source code is open to inspection.  Opening the code to inspection helps ensure that there are no "back doors," or means by which law enforcement, three-letter agencies, or hackers could more easily decrypt the drive without having to crack the code or guess the password.  TrueCrypt remains a respected and viable means of encrypting a drive, but it is perhaps not the easiest way to do it on a Windows computer.

On Windows PCs running Windows 7 Ultimate or Enterprise or Windows 8 Pro or Enterprise, Microsoft has implemented full disk encryption software known as BitLocker. If you are using modern hardware, right-clicking on the (non-boot) drive you wish to encrypt and setting a password should be all that is necessary to encrypt the drive.  Remember the password, because you will henceforward need it to access your encrypted drive every time you boot the computer. (On some older machines, it may be necessary to disable the requirement for TPM in order to encrypt. See BitLocker FAQ.)


© Charles Williamson Day, Jr., 2016. All rights reserved.

Disclaimer: This site is attorney advertising and informational in nature. It does not constitute legal advice. Persons seeking legal advice should consult with a licensed attorney in their jurisdiction. No link, comment, or email to or from this site constitutes or establishes an attorney-client relationship.