The 5th Amendment and Your Computer

I’ve always felt that being forced by a court to unlock a safe or decrypt a computer drive was a violation of the 5th Amendment’s protection against self-incrimination.  Whether you produce a physical key/combination or a password is irrelevant in my mind.  It seems that the EFF feels the same way.  The case of Francis Rawls brings this issue to the forefront and also highlights an interesting peer-to-peer network called Freenet.  Mr. Rawls is being held indefinitely on contempt of court charges for refusing to decrypt his two external hard drives.

Since I’m not a lawyer I won’t try to hash out complex legal issues.  The legal issues are laid out here and you can read them for yourself.  The EFF filed a friend-of-the-court brief in this case that states their position on the issue.  Read it if you so choose.  My takeaways are these:

1. The courts and the law need to recognize that technology has changed how we humans interact with one another, with how we order our lives, and how we store our private and personal papers, thoughts, and innermost secrets.  We have moved into a digital world while the law is still stuck in the old world of physical keys, hard copy papers, and physical vaults.  In the case of forced decryption you must use the contents of your mind to render intelligible what is currently unintelligible (encrypted data).  I view this as a 5th Amendment violation.  In my opinion the law needs to catch up to the way we currently use encryption to protect the important contents of our lives which are now kept on computers and smartphones.  It needs to bring 18th, 19th, and 20th century civil rights protections into the 21st century.

2.  What if you really do forget your password?  Can you really rot in jail in the USA for years on end without a trial?  What if someone plants an encrypted device on your person or property and tips off the police that you’re hiding illegal content?  That could get very ugly very fast.  Even if you are eventually cleared you may still lose your job and reputation.

3.  In my opinion peer-to-peer networks like Freenet can give a false sense of security to people and lead to disastrous consequences.  If you are conducting sensitive activities and aren’t using the anonymity of the Tor network then you are making a mistake.  The case of Mr. Rawls begs the question - if Freenet is so secure and anonymous how did Mr. Rawls get caught?  To quote from the site itself:

Communications by Freenet nodes are encrypted and are routed through other nodes to make it extremely difficult to determine who is requesting the information and what its content is.

Users contribute to the network by giving bandwidth and a portion of their hard drive (called the “data store”) for storing files. Files are automatically kept or deleted depending on how popular they are, with the least popular being discarded to make way for newer or more popular content. Files are encrypted, so generally the user cannot easily discover what is in his datastore, and hopefully can’t be held accountable for it. Chat forums, websites, and search functionality, are all built on top of this distributed data store.

Note the sentence - “Files are encrypted, so generally the user cannot easily discover what is in his datastore, and hopefully can’t be held accountable for it.”  Hopefully???? Really???  ‘Hopefully’ you won’t be held accountable for someone else’s illegal content??????  ‘Hopefully’ you won’t go to prison for decades because of someone else’s stuff??   WTF??   Based on that sentence alone I would never install such software on my computer.  Folks, I can’t tell you what to do but please use some common sense when engaging in sensitive, anonymous activity, whether you’re a dissident, journalist, student, or member of a vulnerable group. Anonymity is hard and if you let others put something on your computer you may be called to account for it.  Knowing what’s on your computer and keeping it safe can be the difference between life in the real world and life in prison.

More thoughts on computer privacy and anonymity

Given the contentious 2016 election and the renewed debate over government surveillance I decided to post a new page to the blog about how to maintain privacy and anonymity on the internet.  Follow this link to see the page.  The political environment in the US and around the world is not and has not been friendly to the privacy rights of individuals.  While total anonymity is impossible there are at least some steps everyone can take to secure sensitive data and make themselves harder to track.  Most people aren’t very technical and don’t think much about securing their private data when using computers and smart phones.  I’m hoping I can help those non-technical folks who are interested in protecting their privacy to do so. I really love what the EFF has to say about surveillance and I hope more people will read it.

It’s not just journalists or important people who should take their online privacy seriously.  The average citizen and political activists of all kinds should have a real interest in protecting themselves online.  The DNC hack/phishing attack in 2016 drives that point home.  In fact, anonymous speech can be crucial to a vibrant democracy.  When political and social pressure is brought to bear it can drive people to self-censorship.  Social media makes it easy to find people with unpopular opinions and then ostracize or harass them.  Who wants to go out on a limb with a new idea if they know opponents of that idea will attack them personally?  If ideas are presented anonymously then maybe the idea will be judged without prejudice toward the originator of the idea.  The Federalist Papers were initially published anonymously to minimize personal discrediting attacks that might be leveled against certain individuals.  The Anti-Federalist Papers were done the same way.  Imagine that - a battle of ideas and arguments, not personal attacks on individuals and their private scandals.

Private individuals should feel free to contribute to the public discourse and make their ideas known without fear of online harassment.  Knowing how to defend oneself online will boost confidence and lead to more political involvement.  Knowledge is power and technical knowledge is no exception.  In the times we live in such knowledge is paramount.  Educate yourself and engage with the online world in full force.  The bottom line is that if you are a political or social activist you owe it to yourself to make your data secure and keep your private life private.

The Security Of Our Voting Machines Needs To Be Taken More Seriously

I’ve often wondered if foreign governments (Russia or China for instance) or maybe just angry hackers have plans to hack our voting systems in an attempt to influence the outcome of our elections.  The presidential election is right around the corner so the issue of voting machine security is on the radar.  Voter fraud and intimidation have occurred in the past many times.  Voting is a fundamental right and fraud threatens the integrity of our democratic system.  No one wants to talk about the security vulnerabilities in electronic voting machines.  Especially not the companies that make them or government officials.  But they can be hacked in different ways.  The recent flap over the DNC hack just confirmed my suspicions.  The more we try to make voting convenient and easy using modern computer technology the more we open ourselves up to attack.  When I came across this article the other day it reminded me just how vulnerable we are.  Please read it.  It is well worth your time.

Along these same lines, The Institute for Critical Infrastructure Technology published a good paper detailing how easy it is to hack these machines and steal voter data.  We need to treat voting machines as critical national infrastructure.  Security features of the machines need to be standardized across the country.  This is a national issue and demands a nationwide response.  At the very least we need the machines to have redundant paper backups that can be audited and compared to the electronic totals to verify accuracy.  It is time we take election security much more seriously.



The Weak Link In Cyber Security: Humans

It’s no surprise that we humans are our own worst enemy when it comes to security.  We tend to be lazy, complacent, and far too confident in our defenses. We don’t keep our software patched, our curiosity causes us to open dangerous attachments or click on dangerous links, we use poor passwords and we’re often too eager to be helpful to the social engineer on the other end of the phone.  Here is the link to a great write-up on how human nature helps the cyber criminal.  One of the important takeaways from the story is that the vast majority of exploits target security holes in software that have been around for months or years. According to the article, “the top 10 known vulnerabilities accounted for 85 percent of successful exploits.”  The vulnerabilities are well known yet nothing has been done to patch them for whatever reason.  63% of data breaches involve weak or stolen passwords.  Phishing attacks are also on the rise and are succeeding because of the things people do – like click on attachments or links in suspicious emails.  Many of these phishing emails are well crafted and thought out.  They can convince employees that a manager within their organization is requesting data when it is really a spoofed email from an attacker outside the organization.  In one case a community college employee was tricked into emailing sensitive employee data to a criminal.  The data was gone as soon as the email was sent.  When these attacks are successful the compromise happens quickly (93% within minutes of the breach).  However, detection is much slower – 83% of breaches weren’t discovered for weeks or months afterward.  In cases where network penetration occurs the data is gone within minutes in 28% of the cases.  There are often three prongs to the modern attack:

1. Send phishing email with malware or link to malicious website

2. Install malware on target computer

3. Elevate privileges and access more data or use the site as a jumping off point for attacks on yet more sites.

The defenses are basically the same as they have always been – train your employees not to do dumb things (good luck with that), use two-factor authentication, keep your software patched and up to date, back up your data, monitor your network and look for users who don’t belong or exceed their authorized access levels, and encrypt your important data.  Whether at work or at home be vigilant.  Good security practices pay for themselves.
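The spoofed "manager" email described above usually leaves traces in the message headers that a mail filter can check before an employee ever sees it. The following is an added example, not part of the original post: a small Python check for three such traces. The domain `college.example`, the staff name, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "college.example"      # assumed organization domain
STAFF_NAMES = {"dana whitfield"}    # assumed directory of manager names

# Constructed sample messages (not taken from any real incident).
SPOOFED = """\
From: "Dana Whitfield" <dana.whitfield@mail-college.example.net>
Reply-To: records@freemail.example.org
Subject: Need the employee records today
Authentication-Results: mx.college.example; spf=pass; dkim=none; dmarc=none

Please email me the full employee data file.
"""
FORGED_INTERNAL = """\
From: "Dana Whitfield" <dana.whitfield@college.example>
Subject: Need the employee records today
Authentication-Results: mx.college.example; spf=fail; dkim=none; dmarc=fail

Please email me the full employee data file.
"""
LEGIT = FORGED_INTERNAL.replace("spf=fail", "spf=pass").replace(
    "dmarc=fail", "dmarc=pass")

def name_and_domain(header_value):
    """Return (display name, domain) of an address header, lower-cased."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def spoof_indicators(raw, org_domain=ORG_DOMAIN, staff=STAFF_NAMES):
    """List the reasons a message posing as an internal sender looks spoofed."""
    msg = message_from_string(raw)
    name, from_dom = name_and_domain(msg["From"])
    _, reply_dom = name_and_domain(msg["Reply-To"])
    auth = (msg["Authentication-Results"] or "").lower()
    reasons = []
    # A known manager's name attached to an address outside the organization.
    if name in staff and from_dom != org_domain:
        reasons.append("staff display name on external address")
    # Replies would go to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    # Internal From domain, but the receiving server's checks failed.
    if from_dom == org_domain:
        reasons += [f"{c} failed for internal From domain"
                    for c in ("spf", "dkim", "dmarc") if f"{c}=fail" in auth]
    return reasons
```

A non-empty result is a reason to quarantine the message or add a warning banner before a request for employee data reaches anyone's inbox.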

Malware Threat Is Getting Worse

Keeping your computer, smart phone, and home network safe isn’t getting any easier. Unless you’ve been living under a rock the past few years you probably already know the malware to exploit your digital life is getting easier to obtain and more effective all the time.  Ransomware is becoming big business and much more common.  Criminals who aren’t technical or command line proficient can now launch malware they don’t understand from a GUI interface. This article gives a good description of how these exploits work. Simply visiting an infected website can allow malware to attack your computer or smart phone. Cyber criminals are also going after smart phones with exploits designed just for them. People often use their phones to browse the web and check email even though the phones don’t have the security features likely to be found on a well secured desktop.  One nasty exploit is called “Angler” and it will inject malicious URLs into website ads redirecting the victim to another website where malware is installed.  In response to such attacks this article recommends a layered defense to protect your computer.  It offers some insights into various ways malware infects a system, hides itself, and does its dirty work.  Malware can disguise itself quite well and hide from your antivirus. If you want to stay safe online the same old rules apply - keep your system updated and patched regularly, don’t let Adobe Flash run automatically (Flash accounts for some 80% of the exploited software vulnerabilities), don’t click on attachments in emails if you aren’t 100% sure about them, and don’t say “yes” to enabling macros unless you know what you are doing.  If you’re concerned about the safety of your system I suggest reviewing my simple tips for securing your computer. After that you can explore more advanced means of protection.