Category Archives: Privacy

Encryption – iOS8, Google, and OSX

When Apple announced that iOS 8 would enable encryption of the on-device files by default, there was a lot of ill-informed outrage by various pundits and law enforcement types around the world.  After Google also announced plans to follow suit in the next release of Android, FBI director, James Comey, described this as allowing “people to place themselves above the law.” Predictably, various politicians, police, and spies complained that it would make their lives somewhat more difficult and trotted out the standard disinformation tactic that only terrorists and paedophiles would need this capability.

The trouble with the argument that only people of bad intent would need to encrypt their phones or computers is that there is clear evidence in recent history of who considers themselves to be “above the law”. Hint: it’s not consumers. Could it be the FBI illegally searching call records for years without warrants? Perhaps the NSA’s illegal surveillance of US citizens? Even the Daily Mail was driven to report that over 25% of searches by UK police were illegal. There are similar stories in Canada, Australia, and New Zealand, not to mention all the countries we were supposed to be better than because their police and government undertook this kind of surveillance.

Not content with state actors breaking the law, we find that companies are also stealing data and information from individuals.  Not Chinese state authorities, but stalwarts like Verizon who were hijacking and tracking all traffic using a “perma-cookie”, LinkedIn illegally slurping users email contacts against their express wishes, Google illegally collecting wifi network info, and AT&T illegally copying all internet traffic and passing that traffic to the NSA.

So who are the bad people in this equation? I have to add the various police and security forces of most of the countries in the world to the list of people who will break the law to steal my personal data and files.  Faced with overwhelming evidence of illegal activity going on all around me, I’m currently in the process of encrypting all my external and internal hard drives (using FileVault on OS X).  I’m very happy to see that this is default behavior in the latest Yosemite release of OS X – although I’m holding off upgrading for other reasons.  I will happily embrace two factor authentication wherever offered and encryption of all traffic and stored files as far as practical.

If the police or legal authorities of whichever country I am in at the time wish to follow the laws of that land and swear a warrant for lawful access to my machines, I will respect that process. Until then I’ll be using 256-bit encryption as widely as possible.

As an interesting aside, the RIPA (Regulation of Investigatory Powers) Act  in the UK makes it a criminal offence, punishable by up to two years in prison, to refuse to provide encryption keys to police. Many other countries have similar laws, but the USA appears to be currently upholding the 5th amendment.

Two factor security challenges

<Updated> Clarification of specific issues with 2-factor authentication by vendor:

Apple – two factor authentication becomes three factor when Apple disables your password and refuses to re-enable or change it. The Recovery Key then becomes the only factor in single factor auth.

Microsoft – two factor authentication with your MS Account (live? not sure what they brand it as this week) is not supported for Office365 accounts – so you have to generate a new one time application password each time you reboot your computer.

Ebay/PayPal – handoff from Ebay to Paypal (with 2 factor auth) doesn’t work on iPad. Prompts for password and then redirects prompting for SecureID token.  Does appear to work on Safari for Mac.

Dropbox – does appear to work, but I’m sure I’ll find flaws

Google – do they even have two factor? I don’t use their spying stuff.

 

Those of you who follow me on twitter will know that earlier in the year Apple’s poor excuse for two-factor security and support frustrated me for months (literally) and ended with me losing everything I had ever paid for with that account and having to create another account from scratch.

I’m now finding out that Microsoft has implemented two factor security in a similarly half-assed way.  I just switched to a personal MS365 subscription for Office 2011. Since installing Office 2011 I had been annoyed by the 365 login screen each time I rebooted my computer.  But now I’m using my own account with 2 factor auth, it’s even worse. I get prompted for a login, but my password doesn’t work – I then have to login to account.live.com, authenticate, generate an app password, copy that and then paste it into the prompt screen.  After talking to 9 different MS support people, none of whom even understood the issue, I have to assume it’s working as designed.  Their only advice was to turn off two factor authentication.

Add to that my experience last week where the handoff between eBay and PayPal (also with 2 factor auth) was completely broken on the iPad and my conclusion is that for normal users the overhead and annoyance associated with security is untenable.

We are surrounded by news of security breaches on a daily basis and yet the largest software companies in the world can’t implement two-factor security properly. Password management is a mess because web pages prevent you from copying passwords into the login screens or because apps on your mobile devices forget the password at every update and again don’t support pasting of username and passwords.

I’m a technical person that has been using these systems since the mid 1980s. I understand the importance of password management, secure authentication, etc. and I’ve even experienced the outcome of hacked passwords and lost accounts. But to expect “normal” users to manage these broken and difficult to use tools is ridiculous.  People will just throw up their hands and go back to 1234 or password because trying to do the right thing is too hard and ends up with you locked out of your account.

I’m not sure how this is going to improve.  The burden for these insecure systems is still placed fairly and squarely on the shoulders of people with lithe to no interest or training in technology. There’s no clear competitive advantage in more secure and easy to use logins because nobody at the companies pays any price for their failures.

  • Two-factor authentication (as it is implanted by almost every tech company) is broken.
  • Username / password is broken.
  • There is no clear alternative currently out there.
  • We will continue to get daily reports of “hacking”, “cracking”, and online theft.