Monday, August 16, 2010

The senseless BlackBerry controversy

Suddenly the eternal debate between privacy and security has come into focus after some governments seem to have found a new security threat: the humble BlackBerry. Of course, the public is wholeheartedly supporting the governments; the word "security" has magical effects.

I personally think this latest controversy is essentially a hoax. Governments are simply misusing people's lack of understanding of how encryption works to stoke public outrage. What, essentially, is encryption? To a computer, any information is a number; everything is saved as a sequence of 0s and 1s. When you encrypt something, you provide the data and a password to encryption software, and the software simply performs complex mathematical operations on these two "numbers". For simplicity's sake, let's say the original data is 10 and you provide the password 8, and let's take a very simple encryption: say, we raise 10 to the power of 8 and store the result, 100,000,000 (in binary). Now, this stored number is utterly useless unless you know the password and the mathematical operation that was performed on the data. If you know that, you simply take the 8th root of 100,000,000 and get the original data, 10, back. If you don't know the password, knowledge of the encryption algorithm alone is useless. In simple terms, x (data) combined with y (password) = z (encrypted data). If you have only the encrypted data z, there is no way to know the original data x without knowing the password y. Of course, modern encryption algorithms are much more complex than this simple example, which rules out any way to mathematically solve the equation to get possible pairs of x and y.

When you send sensitive information over the internet or a mobile network, the data is routinely and automatically encrypted (without any password from you). This is to protect against hacking attacks that steal data before it reaches the intended recipient (notice https instead of http on secure web pages?). Once your data reaches the target server, it is decrypted again and stored securely. If BlackBerry is forced to share its encryption logic, the security agency can intercept and read data sent by users. Or maybe BlackBerry can give access to decrypted mails on its server; I am not sure of the technical details of how BlackBerry stores data. But in essence, what security agencies are trying to intercept is communication that has been sent in good faith by the user, without any encryption by the user himself.

Surprisingly, circumventing security agencies armed with BlackBerry's encryption codes is hilariously simple. Those who don't want their communications sniffed will surely not rely on the routine automatic encryption. They can simply encrypt the data using their own password before sending it. There is plenty of free software available to do this (TrueCrypt is a good one; you can Google it). What happens is that you are sending encrypted data z (100,000,000 instead of 10) to begin with. BlackBerry will encrypt it again to, say, q, and security agencies can again "decrypt" it back to z. But that doesn't help if z itself is encrypted and is useless without the password. Is there any way security agencies can still sniff out the original data x (10) from the encrypted data z (100,000,000)? No. Without knowing the password there is no way. The only possible way is what is called a brute force attack: trying to guess the password by trying out all possible combinations of keys. But with a strong password, that method will take years (maybe decades for 256-bit encryption) even for supercomputers. And certain types of encryption, by their mathematical properties, are immune even to this attack (http://en.wikipedia.org/wiki/Brute_force_attack ). Not surprisingly, security agencies (not only our technologically challenged police, but also the FBI) have failed time and again to crack encrypted data. (Not convinced? Here are the examples: http://g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html and http://www.infoworld.com/d/security-central/red-brigades-pda-highlights-encryption-controversy-298?page=0,0 )
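To make the post's x → z → q picture concrete (the toy "data and password" example above and the two-layer argument in this paragraph), here is an added Python model that is not part of the original post: the user's own layer is applied first, the carrier's automatic layer second, and a party holding only the carrier's key can peel off the outer layer but gets back ciphertext, not the message. The cipher, the key derivation and the sample message are all constructed for this demo and stand in for whatever BlackBerry or TrueCrypt actually used.

```python
"""Constructed two-layer encryption demo (standard library only).
The stream cipher is HMAC-SHA256 in counter mode; it is illustrative,
not a vetted design, and carries no authentication tag."""
import hashlib
import hmac
import os

NONCE_LEN = 16

def derive_key(password: str, salt: bytes) -> bytes:
    # Stretch a human password into a 256-bit key (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Returns nonce || (plaintext XOR keystream); a fresh nonce per message.
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def two_layer_demo(message: bytes, user_password: str, carrier_key: bytes) -> dict:
    """x -> z (user's layer) -> q (carrier's layer), then show who recovers what."""
    salt = os.urandom(16)                    # would travel with the message in practice
    user_key = derive_key(user_password, salt)
    z = encrypt(user_key, message)           # the user's own encryption (x -> z)
    q = encrypt(carrier_key, z)              # the carrier's automatic layer (z -> q)
    peeled = decrypt(carrier_key, q)         # interceptor holding only the carrier key
    return {
        "carrier_key_recovers_z": peeled == z,          # outer layer comes off
        "carrier_key_reveals_x": peeled == message,     # but x stays hidden
        "user_key_recovers_x": decrypt(user_key, peeled) == message,
    }
```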

So what's all this hue and cry about? I think it's simply a backdoor entry for governments into the private communications of unsuspecting users. Those who don't want their communications intercepted (terrorists and criminals) will be encrypting their data before sending it anyway. The only loser is the innocent end user. If any techie can give more insight on this, please comment.

8 comments:

Anonymous said...

Well, with the Govt. bored of bickering about each other and tired of the saas-bahu serials, what they now want to do is monitor phone calls and SMS between couples to add spice to their dull, colourless life. With no city names being changed, no more old issues revived for criticizing the dead and no more reservation categories being found out, life can be really dull for them. So what's better than the pleasure of listening to a wife's complaint, a lover's spat or a bitching kitty party discussion? Obviously most hooking for them will be the hot sex lines for which they paid earlier; now they can get a part of the excitement for free. The security officials are obviously thrilled and we can look forward to their participation in the 'security activities'. This step is very much in line with McKinsey's article on 'excitement and fun in the workplace'. Pampers XL has already doubled its sales according to ACNielsen reports, with darogas stacking them up for the 'night duties' at the security centres in all 'high alert areas'.

It's also a nice income source, as identified by the Govt., for those security officials who are not content with the extra salary doled out to them in the 6th pay commission. As an example, let me state: it can be used to blackmail a guy cheating on his wife, or a two-timing lover; the possibilities are endless.

On a totally unrelated note, none of the last terrorist attacks used the BlackBerry, yet they did manage to do all they wished. So what makes the BlackBerry access so special? Ah! Yes, the post-mortem; after all, the story of the Govt. uncovering 'how they did it' sells equally well on all the news channels.

My best wishes to the overjoyed authorities for their fight against 'external' terrorism. I end with a quote from Digital Fortress: 'Who will watch the watchers?'

Ajay Mishra said...

Well said, friend. Can't add much to that.

Anonymous said...

As far as I am aware, RIM is working to release a security patch sometime this year which will allow governments to tap into BlackBerry communication (which will now be routed through a local server) sent out via that server, specifically the BlackBerry chat scripts and internet usage, which can then be scanned for particular words.

I doubt e-mail, attachments etc. are really an issue here, since those can easily be scanned from the web server where they are stored.

Anonymous said...

Dude,
Agree that the sudden concern over 'security' aspects, that too by our slow-to-react 'patriotic' Indian adm, is a little baffling. But I don't see anything coming out of this arm-twisting tactic. I don't think they have either the resources or the time to go eavesdropping on more than 10L BB users.

Mithun

Harshal K said...

I disagree with your views.
I know that there are ways to encrypt the data more, but at least the authorities will have a way to track the people who are using such encryption. Do not forget, it's not just the message but also the people who are using such means that helps the authorities to identify them. If a generic encryption is there, then we can't even identify those people.
Also, I do not see why BlackBerry needs to have such a level of encryption. Countries like the UAE have also banned BlackBerry.
And why should 1 million users of BB be the reason to increase the threat to our country? Are you ready to give up your or your dear ones' lives for BlackBerry?

BlackBerry is facing problems across the world and its shares have dropped a lot due to this, so I think they need to act and make it available. What is their problem?

Ajay Mishra said...

Thanks all for your comments. Certainly not for arguments, but just for clarification:

1. "chat scripts and internet usage which can then be scanned for particular words." Do our authorities have so much time? I think their hands are full with VIP bandobast. Indian security agencies are not able to protect civilians on the street. From where will they get time to scan chats? And why didn't they do it earlier and stop terrorist attacks?

Ajay Mishra said...

2. Harshal! Thanks for the comments, buddy.

"Country like UAE has also banned blackberry" - Yes, but most liberal countries like the USA allow it without any modifications. Why flip-flop between superpower and gulf country as per convenience? Why can't we act like a superpower if we have the courage to claim to be one?

"And why should 1 million users of BB be the reason to increase the threat to our country? Are you ready to give up your or your dear ones life for Blackberry?"

Now, that brings me to the reason I wrote this blog. What hurts me is the ease with which we let our politicians off their responsibility. Terror attack? Simple. Ban BlackBerry. Will that solve the problem? The government had access to every email and chat that was ever used in this country by terrorists, including Kasab. Did that stop attacks on our citizens? No. Why? The harsh truth is babus and netas don't give a damn about dead people. Instead of accepting responsibility, they just want to be seen "acting". We need to fix responsibilities. And we need to ask tough questions. And we need to concentrate on real issues instead of increasing red tapism by creating another post of a babu who will monitor chats, and be driven around by four chaprasis in a white Ambassador with a red light. We need to act where it matters: better trained police, more intelligence and a responsible government. And we can do that better without the diversions of chat monitoring.

Ajay Mishra said...

Looks like there is still hope, since mainstream media has finally started to see through the government's hoax, as these articles prove: http://epaper.timesofindia.com/Default/Scripting/ArticleWin.asp?From=Archive&Source=Page&Skin=ETNEW&BaseHref=ETM%2F2010%2F08%2F31&ViewMode=GIF&GZ=T&PageLabel=25&EntityId=Ar02500&AppName=1
http://technoholik.com/news-views/govt-of-india-we-won-blackberry-huh/599