Tuesday, 26 May 2015

Vulnerabilities accrue over time

I was thinking a week or two ago about writing something about how security and privacy vulnerabilities can accumulate, sometimes gradually, sometimes in leaps and bounds, often in unexpected ways.  It’s part of the answer to the frustrating question:

Why should I care about privacy if I have nothing to hide?

which, as I’ve said before, is akin to the creation idiocy:

If we came from monkeys, why are there still monkeys?

Although I’ll concede that the latter is the more idiotic by a considerable margin, they can be equally harmful in their different ways.

But I haven’t had time yet, so read this by Cory Doctorow instead as a good example.  It was one I too had in mind for my post (honest).

Cory talks about Logjam, which lets attackers intercept apparently secure communications by tricking browsers and servers into negotiating weak (export-grade) crypto.  Many servers still operate a weak crypto mode which looks – to the browser – as though strong crypto is being used.  As Cory explains, this is an artefact of Clinton-era legislation that made the export of strong crypto illegal, classifying it as a weapon.  Weak crypto was a backdoor used across national boundaries so that US security agencies could intercept encrypted messages whenever they wanted.

Because of how the internet (and software development and distribution) works, there are still many servers out there supporting the weak crypto mode, and we suddenly have a problem far worse than anyone thought at the time (and we thought it was pretty disastrous then):

But it's not the 1990s anymore. Crypto doesn't just protect the Web -- it secures your car's wireless interface to keep attackers out of your brakes and steering; it secures your pacemaker against wireless attacks that can kill you where you stand; it secures your phone against having the camera and mic remotely operated by "sextortionist" voyeurs who blackmail their victims into performing live sex acts on camera with the threat of disclosure of nude photos covertly snapped by their compromised networked cameras.
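The downgrade Cory describes only works because servers still hand out 512-bit export-grade Diffie-Hellman groups, so the defender's check is simply to look at what the server actually sends. The following is an added example, not code from this post or from Cory's article: it serialises and parses the ServerDHParams structure carried in a TLS ServerKeyExchange message and flags weak groups by modulus size. The function names and the sample values are my own assumptions; the sample moduli are constructed to have the right size and are not real primes.

```python
import struct

def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialise ServerDHParams (RFC 5246 section 7.4.3): three fields,
    each a 2-byte big-endian length followed by the big-endian integer."""
    out = b""
    for value in (p, g, ys):
        enc = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(enc)) + enc
    return out

def parse_server_dh_params(data: bytes) -> dict:
    """Parse ServerDHParams back into integers, refusing truncated or
    zero-length fields rather than guessing at them."""
    fields = {}
    offset = 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"bad length for {name}")
        fields[name] = int.from_bytes(data[offset:offset + length], "big")
        offset += length
    return fields

def classify_dh_group(p: int) -> str:
    """Judge the DH prime by size: 512-bit groups are the export-grade
    ones Logjam downgrades to; anything under 2048 bits is still weak."""
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade"
    if bits < 2048:
        return "weak"
    return "acceptable"

def check_server_key_exchange(data: bytes) -> str:
    """Parse the server's DH parameters and report the group's strength."""
    return classify_dh_group(parse_server_dh_params(data)["p"])

# Constructed sample inputs (not real primes; only the bit sizes matter here).
EXPORT_P = (1 << 511) | 1      # 512-bit modulus, the size export ciphersuites use
STRONG_P = (1 << 2047) | 1     # 2048-bit modulus
EXPORT_MSG = build_server_dh_params(EXPORT_P, 2, 12345)
STRONG_MSG = build_server_dh_params(STRONG_P, 2, 12345)

if __name__ == "__main__":
    print("export sample:", check_server_key_exchange(EXPORT_MSG))
    print("strong sample:", check_server_key_exchange(STRONG_MSG))
```

The same check applied to a real ServerKeyExchange capture tells you whether a server you operate is still one of the "many servers out there" offering the weak mode.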

You might feel you have nothing to hide.  Maybe you really don’t (although I doubt it. It’s easier to believe that you just don’t have a very good imagination), but you certainly have something to lose.  Insecure or blabbed conversations about entirely innocent things can still be harmful.

And, of course, we didn’t evolve from monkeys.  We share an ancestor.

I’ll get around to finishing that more general post one of these days, hopefully.
