next topic »

[on:]

I don't have a deep understanding of encryption except that I think I understand the principle of asymmetric encryption where you have a public/private key pair and anything encrypted with the public key can only be decrypted with the private key.  This would seem to me to be strong enough encryption to thwart any broad information-gathering type eavesdropping.  It wouldn't stop a dedicated attack on a series of communications between two known stations of course.  Man-in-the-middle attacks and other types of attacks are pretty good at getting around encryption in these cases.  But in terms of "gather everything, put it in a database, index it" I think that would kill this type of collection.

Why aren't there commonly available commercial encryption communication devices?  For example, cell phones, land phones, email clients, etc., that detects if the other station supports asymmetric encryption and then exchanges keys and encrypts the data, just like SSL.  You would think there would be a huge legitimate (and also illegitimate) market for this sort of thing.  And with the power of computers and smartphones these days, there would be no problem with a software-only implementation.

What am I missing?

[Reply #1 on:]

What am I missing?

People are stupid/lazy/cheap.  Unfortunately the current state of the art means that using encryption requires the user to be knowledgeable, to think, and to act.

Also remember encryption is only part of the story. Even the metadata tells someone a tremendous amount about you - encrypting your phone conversation so that the NSA can't hear you ask mom "how many kilos of C4 was I supposed to pick up?" doesn't help your security all that much if they can use the metadata to know that you placed the call from Achmed's Bomb Shop.

-j

[Reply #2 on:]

I think using encryption is illegal in several countries.

[Reply #3 on:]

I think using encryption is illegal in several countries.

Yep, my wonderful country considers exporting encryption technologies to be the same as exporting nuclear weapons. Only above a certain threshold though (meaning it has to be weak enough for the CIA to bruteforce in a few hours).

[Reply #4 on:]

What am I missing?

People are stupid/lazy/cheap.  Unfortunately the current state of the art means that using encryption requires the user to be knowledgeable, to think, and to act.

Also remember encryption is only part of the story. Even the metadata tells someone a tremendous amount about you - encrypting your phone conversation so that the NSA can't hear you ask mom "how many kilos of C4 was I supposed to pick up?" doesn't help your security all that much if they can use the metadata to know that you placed the call from Achmed's Bomb Shop.

-j

Is that really true?  How long did it take for you to set up the SLL in your browser?  Did that setup process really cause your laziness to stop you from using SSL?  I am joking here, of course.  With asymmetric encryption, all the transmission station needs to do is to randomly select two really large prime numbers, multiply them, and publish that as the public key.  Now anything sent to that station encrypted correctly with that public key can only be decrypted with the private key.  I simplify, of course, but the basis of asymmetric public key encryption actually lends itself to very simple implementation.  And I understand what you mean about the other types of data that can be connected, in fact this seems to be the data actually being collected the most.  But still, if phone and email transmissions were as easy to encrypt as your browser session to Bank of America, AND IT IS!, then why not?

[Reply #5 on:]

I think using encryption is illegal in several countries.

Yep, my wonderful country considers exporting encryption technologies to be the same as exporting nuclear weapons. Only above a certain threshold though (meaning it has to be weak enough for the CIA to bruteforce in a few hours).

That was the case many years ago but I thought that policies under Bill Clinton relaxed that a lot.  It used to be we wouldn't sell supercomputers to the Russians or Chinese.  Now that the Chinese actually fab a lot of these parts it can't be stopped and they actually have the fastest computer in the world for the moment.  I think this still applies to embargoed nations, but not to others.  After all, the browser on phones we export can do SSL and encrypt the heck out of browser transactions.  It just won't do it for phone or text data.

[Reply #6 on:]

I think that commercials available encrypted phones are available at a price over here in th uk.
I need to check the details Monday though.

[Reply #7 on:]

Why aren't there commonly available commercial encryption communication devices?

The last conversation I had on a cell phone went like this... "Hey."  "Hey."  "Which brand of pudding should I get?"  "Doesn't matter.  Just make sure it's a variety pack."  "Got it.  I'll be home in about 10 minutes."  "Bye."  "Bye."

If someone wants to listen to my conversations they will soon die of boredom.  I suspect that's true for the vast majority of communications.

You would think there would be a huge legitimate (and also illegitimate) market for this sort of thing.

In the U.S., not really.  Industrial espionage is illegal (and very expensive from the ensuing lawsuit).  Most other conversations are like the one above.

These folks also think there's a market...
https://silentcircle.com/