At Zeall, we offer our employees the courtesy of free hosting for their personal blogs, in hopes of furthering their professional image. Today, we completed the migration of the employee WordPress instance from a shared hosting provider to its own VPS, and simultaneously deployed TLS certificates (thanks, Let’s Encrypt!) for all domains hosted there (including this one).
Recently, Blue Coat Systems has been approved as an intermediate certificate authority. If you aren’t versed in network security, this means nothing to you. However, be assured that it is a big deal.
Blue Coat is primarily known as a vendor of application-layer (deep packet inspection) firewalls. In other words, they help people sniff your data — primarily in order to censor the Internet. Maybe your company’s firewall blocks access to YouTube and Facebook while you’re at work. That’s no big deal — Blue Coat delivers something a bit more sinister.
I recently had a friendly debate on IRC about how much privacy you really need for it to be considered “enough.” Arguably, the answer is “there is never enough.” And still, there are plenty of people who would be perfectly content having no privacy at all.
Many argue that the key to privacy is actually transparency. If we use open source software, we can all audit it to be sure it is free of backdoors and bugs which may leak information. Perhaps this is why increasingly many users (but unfortunately still less than 2% overall) now prefer Linux to proprietary operating systems. But even among Linux users, there is not much knowledge about how deep the privacy rabbit hole goes.
Before I return to the debate about how much privacy is really sufficient, I’d like to give a quick overview of some of the tools one can use to preserve their privacy. I will discuss four levels of privacy: network, OS, firmware, and hardware.
By now, everyone should know that Dual EC DRBG is unsafe. Way back in 2013, it was revealed that it has many weaknesses, some of which were traced back to the NSA (with the help of Edward Snowden’s leaks). Whether or not it really was inserted by the NSA, the backdoor has been proven to exist and is easily exploitable.
For those of you who don’t know, a DRBG, or “deterministic random bit generator,” is essentially just a way for computers to generate random numbers. We need random numbers for cryptography — they form the basis of our secret keys. If a random number generator is compromised, then the keys it produces are unsafe to use.
Governments do not trust encrypted data.
Some high-profile names have suggested in the past few months that we encrypt absolutely everything we transmit over the Internet. The reasoning behind this proposal is that if everything is encrypted, then governments cannot apply as much scrutiny to individual messages. If we only encrypt data that we want to hide, then that data will interest them. If the data interests them, the government will easily find a way to obtain (and decrypt) it.
Last week, allegations were made that the US government paid Carnegie Mellon security researchers a large sum of money to defeat Tor’s privacy mechanisms. The federal government certainly has a history of overstepping its boundaries with surveillance, but this is an unprecedented and frightening leap toward a world without privacy.
Last week, Reddit user M00glemuffins exposed some of Comcast’s internal documentation instructing support personnel on how to deal with calls about its new “Data Usage Plans.” The Internet has condemned the policy as a “data cap” and is exploding with speculation about Comcast’s motives in implementing it.