The Next Crypto Wars

AusCERT 2016 Opening Keynote

Christopher Soghoian works for the team within the ACLU that sues the FBI and other agencies over their use of surveillance. His Twitter profile simply says “I fight surveillance”.

Christopher Soghoian speaking at AusCERT2016

“For 100 years our telephone systems were designed with surveillance in mind,” he says. Carriers and governments have always worked together to ensure surveillance was baked into communications services.

Soghoian says part of the reason was that telephone carriers came from government entities. And as infrastructure has changed, from copper to fiber, governments have injected themselves into those projects to ensure governments “could get what they wanted when they needed it”.

Turning his attention to Apple vs FBI, Soghoian says the fight had been building for a while. While the focus of encryption was usually on data at rest, this moved the fight to data in flight. For example, iMessage moved communications from open to encrypted in 2011 - without any extra effort on the part of users.

Compare this to encrypted email - something Soghoian advocates - which is too hard to use. Suddenly users could send encrypted data that the “carrier” - Apple in this case - had no access to.

This was the pivot point where governments suddenly lost access to communications.

“Apple doesn’t want to be in the surveillance business,” says Soghoian.


In contrast, Google’s new messaging system, Allo, does not encrypt messages as Google is looking for opportunities to monetise the service by integrating it with online concierge services.

Unsurprisingly, Soghoian turned his attention to the exploits of Edward Snowden.

“That disclosure kickstarted an international conversation,” says Soghoian. The result was a new point of differentiation in the security market where end-to-end encryption became a selling point. For example, a recent update to WhatsApp enabled end-to-end encryption for all users without any extra action needing to be taken - “they simply flicked a switch”.

The irony, says Soghoian, is that the encryption used by WhatsApp was developed using US taxpayer dollars. He quoted presidential candidate Senator Hillary Clinton who said, in 2011, that encryption was useful as it protects users from censors, hackers and thugs who imprison people who dissent.

But now, we are seeing politicians saying “unpleasant things” about tech companies and pushing back against user access to encryption. The terrorist attacks in Paris in late 2015 accelerated the legislative fight against widespread encryption, although this hasn’t yet come to pass.

Many of the government rules would leave end-to-end encryption in place but have tech companies retain a copy of the encryption key - what is called “key escrow”.

Soghoian says the trouble is that if there’s a second encryption key there will be someone who wants to steal it. This was what happened when Gemalto was attacked: a vast number of SIM cards it manufactured became compromised when their encryption keys were stolen by the UK’s Government Communications Headquarters (GCHQ).

GCHQ executed the hack by targeting system administrators at Gemalto - a group of users that many government agencies consider to be “fair game”, according to Soghoian.

Similarly, when RSA was hacked by Chinese parties, it was encryption keys held by RSA that were targeted.

“This shows we cannot trust key escrow,” says Soghoian.


Centralised surveillance systems, says Soghoian, are significant targets. For example, the Chinese government allegedly attacked Google to access communications records in order to identify potential intelligence operatives working for the United States.

Soghoian’s key message is that we need more encryption and not less.

Part of the challenge, says Soghoian, is that companies that use encryption, such as Apple and WhatsApp, don’t make it obvious that the services are encrypted. As a result, people are still using unsecured channels for business communications and encrypted services for less critical, personal communications.

For example, cell phone communications can be easily intercepted as they are either unencrypted or encrypted with weak ciphers. More worrying is that the equipment required for doing this is available online or easily made for less than $200.

“We can no longer trust these channels”.

Encryption doesn’t stop government surveillance but it does stop bulk surveillance, says Soghoian. It’s possible to hack into specific devices, but governments simply lack the resources to hack every device. That means they need to target their surveillance, rather than surveil everyone.
