I have mentioned in my books and on this blog that I like to convince people to use encryption. More specifically I like to persuade them to use the encryption that I use, especially for data-in-motion. There are a couple of reasons for this. First, if more of us use encryption, the more “noise” we all generate. Encrypted calls, messages, chats, and emails become the norm, none of them stand out just because they are encrypted, and the less alerting any one individual using encryption is. I also like to convince others to use the encryption that I use because it gives me a secure communication pathway with them. Individuals with whom I communicate represent a fairly significant weak point in my own security if I must revert to insecure email, voice, text, and other forms of communication with them. Finally, the more mainstream encrypted apps become, the easier it is to get others to join the fun. At this point it is not at all uncommon for one of my friends to install an encrypted app and see that several of his or her contacts is already on there. Continue reading “How to Convince Friends and Influence People (To Use Encryption)”
The legislatures of New York and California have recently introduced bills with language that would ban the sale of encrypted smartphones in their states. The bills are strikingly similar in that each would require devices manufactured on or after January 1, 2017 and sold in the respective state to be capable of being decrypted by the manufacturer or “operating system provider”. Failure to comply with the bill would impose a penalty of $2,500.00 per device.
Though the architects of these bills assure us this would affect only a very small minority of the population, this is alarming to me as an individual for both ideological, privacy-based reasons and for the inherent folly of insecurity as a feature. As a layman (read: not an attorney) I can only guess where the legal system will come down on this issue. The area in which I do feel slightly more qualified to weigh in are the potential second- and third-order effects of the passage of a law to ban smartphone encyrption. There are several possible outcomes of a law like this, but all of them hinge on the actions of the “operating system provider[s]”. The three possible outcomes that I imagine are listed below, but I cannot assign a reliable likelihood, either relatively or absolutely, to any of them.
- The first possible outcome that occurs to me is that manufacturers support the spirit of the law totally and either build backdoors into devices (probably more likely) or remove smartphone encryption entirely (probably less likely). Smartphones would no longer be available with unbreakable encryption, generally speaking. Privacy conscious individuals would have to purchase phones like the Blackphone and have them shipped to states where such laws are not passed. I see total capitulation as unlikely for Apple who, as of late, has staked a portion of its reputation on security and protecting consumer privacy. However, the impact of losing the ability to sell flagship devices in two of the four most populous states in the U.S could quickly change anyone’s mind. This is perhaps the worst possible outcome; lawmakers would achieve a decisive victory over encryption that would impact consumers nationally, not just in their state(s).
- The second possible outcome is that manufacturers create “CA and NY Compliant” models of their devices. This option would be almost as bad. Anti-privacy lawmakers in other states would be emboldened and, to borrow some Red Scare lingo, the dominoes would begin to fall. Doubtlessly a few states would hold out (one imagines Wyoming and Montana, and perhaps New Hampshire becoming the last bastions of digital freedom) but the damage would be done. The message that customers in these states would send to Apple and Google is “we don’t really care about encryption”. Eventually manufacturers would probably simply revert to selling a single, backdoored or unencrypted version of these devices.
- The third option, and the one that I hope occurs is that Apple and Google simply refuse to sell their products in these states (assuming this is a possibility, i.e. not in violation of contracts with cellular service providers or other legal impediments). The reason I hope for this outcome should these laws passed and be deemed constitutional is the reaction I imagine. This result would impact consumers directly, and hit them where it hurts: right in the smartphone. Their outcry would be immediate and overwhelming. Customers on the edges of these states would flock to Arizona, Nevada, and Oregon, New Jersey, Connecticut, Massachusetts (and maybe Canada?), to buy the new iPhone 7s and the latest Samsung Galaxy. AT&T, Sprint, T-Mobile, and Verizon would lobby hard for the right to sell smartphones again in these states where their businesses would take a major economic hit. Sales and management jobs at these locations would be lost, as would tax revenue in the affected states. New AT&T, Sprint, T-Mobile, and Verizon stores would spring up, ringing the terrestrial borders of these states almost overnight. As much as I enjoy imagining shuttered Verizon stores from San Diego to San Francisco, that level of business impact would probably never be felt before the law was repealed (though it might; alcohol prohibition did last thirteen years).
If these laws pass and the manufacturers stick to their proverbial guns, it will likely become another failed experiment in prohibition. Tell people they can’t have encryption? You’re likely to be met with sighs, yawns, and indifference. Tell people they can’t have smartphones? You’re much more likely to be met with torches and pitchforks. One hopes the latter impediments are of the metaphorical variety.
If you read just about any article about Wi-Fi security the question of hiding/not hiding your Wi-Fi SSID (Service Set Identifier) will almost inevitably come up. The SSID is the Wi-Fi router’s “name”, and it is what you click on when you wish to connect to that network. Most of these articles will say that hiding your SSID is counterproductive as it will make you more interesting to a hacker. In full fairness, this also includes my own writing. In both the Windows 7 and iOS editions of Your Ultimate Security Guide I recommended NOT hiding your SSID. I had some reasoning for recommending this: in my estimation it amounts to profile elevation. Like sending a Do Not Track request to a website, a hidden SSID makes you more distinctive than everyone around you.
But does hiding your Wi-Fi SSID alone really make you a more attractive target? To quote the inimitable Ulysses Everett McGill of O’ Brother Where Art Thou?, “it’s a fool who looks for logic in the chambers of the human heart.” To unequivocally say that an attacker will target you just because your SSID is hidden may not be tell the whole story, or may simply be dead wrong. Criminals are not known for following the same set of mental processes that guide the actions of the average, law-abiding individual. Sure, it may make you the more interesting target because you may seem like the more challenging target. But just as equally, it may not. The hacker may be looking for soft, langorous targets. Or perhaps he or she is after a specific target that is not you.
I think the reason this is constantly brought up is that SSID hiding has been placed in the “security” category of features for Wi-Fi networks. I contend that this is not a security feature at all. Choosing not to broadcast your SSID is, in my opinion, merely a choice about how “noisy” you want your network to be. While hiding your SSID cannot protect you from Anonymous, it do a few things. It can prevent your neighbors from seeing your network, and prevent kids in the waiting room at your practice from connecting to it. Again, it will absolutely not prevent a determined adversary from finding your network. There are various tools including inSSIDer and Kismet that will find these networks with ease.
My bottom line is this:
- Hiding your Wi-Fi SSID network is a personal preference that is essentially neutral as a security measure. It doesn’t necessarily make you less secure or a more attractive target, though it might based on factors that we can’t begin to model (i.e. human unpredictability).
- Hiding your SSID for security reasons is ineffective and an example of security-through-obscurity. If you are hiding your SSID as a security measure you should reconsider.
There are meaningful security measures you can take for your Wi-Fi network. The best and strongest of these is to ensure that your signal is encrypted with WPA2. The WPA2 protocol is actually very good (do not use WEP or WPA). It offers much, much more protectiong than silencing your Wi-Fi SSID. Another meaningful measure is to use a virtual private network; this will protect your traffic regardless of the security of your Wi-Fi. It will also protect it at a much deeper level, and provide you with a bunch of other benefits. We will delve much more deeply into Wi-Fi security in the upcoming Thirty-Day Security Challenge, so stay with me!
Those of you who follow this blog have doubtlessly noticed that I haven’t posted anything here since mid-December. My absence has been for good cause, however. As I’m sure you’ve noticed the main site has undergone a serious reboot with the blog to follow suit shortly. This has consumed a serious amount of my time around the holidays. There are several other exciting projects that are also underway that are keeping me busy. Below is a quick rundown of what to expect in the coming year:
There are three changes coming to the blog. Most superficially, and as mentioned above, the look of the blog will be changing sometime this month to mirror the look and feel of the main site. Next, and perhaps most importantly the blog will also be encrypted with https by the end of this month (like the main site currently is). Finally, I intend to post longer-form articles here in the coming year and as a result may post as infrequently as once every two to three weeks.
Complete Privacy and Security Desk Reference: Volume 1 (Digital)
I spent a couple of weeks with Michael Bazzell last month working on our upcoming joint work. We made excellent progress but due to legal review and some other unforeseen issues this work will likely not be available until late March. Rest assured we are working hard to get this book into your hands as quickly as possible. You may also notice the title has changed since my last post about this work to include “Volume I (Digital)”. This is because we had such a large raft of content this work will be broken into at least three volumes.
Your Ultimate Security Guide: Android
Work has officially commenced on Your Ultimate Security Guide: Android. This work will follow the same format as my previous two works and teach you how to thoroughly secure your Android handset and the communications that occur on it. Your Ultimate Security Guide: Android will be available in March 2016.
I have create a Twitter account: @secguide. You can follow me there to see when new blog posts are available and checksums are updated.