Category Archives: Security

Privacy, Security, and Encryption

by Richard White

2016-03-12

There are a number of conversations going on right now related to the ideas of privacy, security, and encryption. Three contexts:

  • Do government representatives (NSA, FBI, local police, etc.) have the right to access your personal information–metadata, phone calls, emails, etc.–without a warrant?
  • Does the FBI have the right to compel Apple to create software that will provide government agencies with access to information stored on Apple-manufactured hardware?
  • Was Edward Snowden wrong to make copies of secret documents and share them with journalists, with the intent of exposing what he viewed as government corruption?

All of these conversations are fundamentally concerned with the question of whether or not people have a right to privacy, and how hard the government has to work to “invade” that privacy.

There’s much to be explored here, more certainly than can be covered in a brief blog post. My talking points regarding the subject–my “elevator talk” when the occasion arises–include these:

Just about everyone agrees that people need privacy, and have a right to privacy. This is a documented psychological need–people need time alone, and act differently when they are alone. The United States of America, in its Fourth Amendment to the Constitution, includes federal prohibitions against “unreasonable search,” which has been interpreted to include a wide variety of forms of surveillance.

This need for privacy is not just psychological. Most people feel that financial transactions, including the ones that we all conduct with our own banks, should be protected. Indeed, financial transactions on the Internet *must* be private; if not, the communication structure of the Internet allows for those transactions to be viewed by others, “good guys” and “bad guys” alike.

Our world is digital now, and the means of ensuring digital privacy is encryption. Encryption is simply “math applied to information,” in a way that ensures the information can be accessed only by the intended recipient. Encryption is a means of making sure that things–my bank information, my personal information, my business transactions, my diary–can be private.

Some government representatives, including the FBI and most recently President Obama, are calling for mandated “backdoors” in certain systems that will allow the “smallest number of people possible” access to anyone’s private information.

This point of view is flawed, for two simple reasons:

  1. Exchanging private information is possible, and has been done for years, without computers and/or phones. Requiring a company to place a backdoor in an operating system doesn’t change the fact that any of us can freely exchange messages via that phone that have been encrypted by another means. Encryption is math, and you can’t outlaw math. Ultimately, backdooring doesn’t “protect us from terrorists.” It just violates our right to be free from unreasonable surveillance.
  2. Providing backdoors in technology fundamentally means that one is building in a means by which normal security mechanisms can be avoided. This system, by its design, also allows untrusted agents to avoid the normal security mechanisms once they’ve obtained the means to do so. There is no way to allow only good guys to bypass security. Bad guys get to use the same bypass.

    (One easy example: The federal government’s Transportation Security Administration suggests locking your luggage with TSA-approved locks: your luggage remains secure, but the TSA can open it for inspection without having to destroy the lock. Only the TSA has the keys that will open these locks… until they don’t. Now your baggage lock has a backdoor that the bad guys know how to defeat.)

If you’re concerned about the consequences of giving child pornographers, Chinese dissidents, and the Russian mafia access to this same encryption, there’s no way around that. (Or maybe you DO want to protect the Chinese dissidents? You’re going to have to make up your mind.) Those people will need to be dealt with the same way they always have been: legal warrants for wiretaps, legal warrants for reasonable search and seizure. At the end of the day, weakening encryption doesn’t stop the bad guys–it only makes it easier for them to victimize good guys like you and me.

Decipher this secret message and I’ll give you $100.

U2FsdGVkX1+Z8Wx61sOSQghi2ANM0QfXVXJzM7tP5eo=

Other interesting articles on this topic:

Whither Data?: Dude, where’d my content go?

by Richard White

2014-09-20

Part II in our series.

In a previous post, Whither Media?, we explored the ongoing transition away from physical media, and what implications this transition might have. The related question is Whither Data?: What happens when your content—your written documents, photos, email, music, etc.—are all stored on somebody else’s computer?

The Cloud is a term that has a number of definitions, but typically it refers to a collection of servers run by a company that (usually) offers a user access via the Internet to that data and those services. In addition to offering Internet access, a cloud-based service typically implies multiple servers hosting redundant copies of the data, providing faster access to the user and backups of a user’s data.

If you use Google’s Gmail, your email is stored on their servers, “in the cloud.” If you use Google Docs, your documents are stored on servers, “in the cloud.” Microsoft’s Office 365 stores your Word, Excel, and PowerPoint documents “in the cloud.” And although you may not think of it this way, many social networking sites such as Facebook also provide content and services “in the cloud” so that your conversations, photos, status announcements, comments, and Likes are stored where you and others can view them.

There are a number of powerful advantages to using cloud-based services, and most of these are self-evident, especially to teachers. At my school, which provides Google Apps for Education (GAFE) to teachers and students, we’ve been able to offload our email services to Gmail and provide Google Docs and Calendars to the entire community, allowing for teaching strategies and communication workflows that simply weren’t possible before. Content Management Systems (CMS) and their educational offspring Learning Management Systems (LMS) provide a structure—usually a proprietary one—in which a teacher’s information can be delivered and a student’s interactions with that information can be tracked.

I love the fact that the ability to share data from user to user and machine to machine has become easier. Without cloud services, teachers would be forced to a) try to manage an endless and non-linear flow of emailed attachments (something some of us still do, I’m sorry to say), or b) implement and manage our own servers to which students can upload documents, and from which they can download them. (Actually, I do do this, but it’s in the context of a computer science course in which those processes are part of the curriculum.) Cloud services allow for shared files, shared folders, and drag-and-drop functionality that “just works” (most of the time).

There are two caveats here, however. The first concern is security. Unless students are encrypting their documents before uploading them, there’s the possibility that the information in those documents—perhaps confidential, private information—may be visible to others, either in transit or on those servers. The reality for most teachers, I think, is that the documents that students are sharing with us—book reports, essays, lab reports, homework assignments—don’t require a high degree of security, and so maybe this is just fine. If you were having students email Word documents to you before, having them work on a GoogleDoc on Google’s servers is at least as secure, and almost certainly more unless they’ve elected to make the document’s contents available publicly.

I am not a doctor or lawyer and am not aware of the specific legal requirements concerning the secure storage of patient or client information, but I would investigate that carefully before using cloud services for these purposes.

Perhaps a more significant concern for teachers and students, however, is retaining access to cloud-based content over the long term. Low-priority content like quizzes or in-class essays may not be of much concern to students, but more significant essays, research papers, or portfolio work has a higher value, and may even be submitted to colleges as part of an application. Ideally, a student would be able to retain access to their work—and it is their work, isn’t it?!—for some indeterminate time into the future. Which cloud-based services allow for that?

The notorious offenders here are the providers of online books—where online notes and marginalia disappear when your one-year access license expires—and the various Content Management and Learning Management Systems, with password-protected access that may not extend beyond the current year. Students who create or store documents in these systems are at high risk of losing access to them when the end of the school year comes around, or the next school year begins (depending, of course, on the administration of the system).

The same may happen with Google Apps For Education, although it is much easier to export this data onto a student’s own computer or data storage device, assuming he or she has access to something more than a Chromebook. Here, a personal Google account may come in handy, although questions about privacy of these documents may be relevant.

I don’t think we’ve yet reached the point where lost access to data is a broad concern, although some are wrestling with this issue already (as mentioned previously here. 34:20 in show). As we ask that our students create more and more of their work in a digital form, however, it’s fair that we keep these questions in mind: ‘Should students have access to the data that they’re submitting to me?’ and ‘How do I go about facilitating that access?’

Opening the Gates

2012-08-24

by Richard White

It’s a new school year! I don’t see my students for another few days, but many of the teachers are already back at work, greeting colleagues, cleaning classrooms, prepping calendars and websites, and a hundred and one other things that go into starting things up again.

It’s a special year for the science teachers and math teachers at my school. After a hard year’s worth of new construction, our brand new Math/Science/Library building is ready to go. The number of science classrooms has increased, our facilities have improved drastically, and we now have 10 ThinkPads installed in each of our two physics classrooms, with everything from Vernier’s Logger Pro to Microsoft’s Office to the University of Colorado’s excellent PhET Simulations installed. Having a set of computers installed in the 9th and 12th grade physics classrooms is going to revolutionize the way we teach physics at our school. I can’t wait to tell you about it.

But there is nothing more revolutionary than this simple fact:

Our school is opening up access to the Internet.

Teachers at our school have had mostly unfiltered access to the Internet for at least ten years, but students, until recently, have only had highly filtered access, and then only on school computers. This was presumably out of fear for their online safety, although students have access to literally anything they want on the Internet via their cell phones.

That all changed over the course of the summer, however, thanks in part to ongoing discussion in our Educational Technology Committee. Our IT Director, however, was almost certainly the one who did a little last-minute verbal judo to help encourage the decision. Regardless of how it came about, my school has now joined an increasing number of high school campuses that provide students with effectively free access to the World Wide Web.

Although my school is occasionally guilty of moving a little slowly on some of these things—I’m occasionally the one issuing this charge!—here, we’ve made the right move.

A friend forwarded an article to me earlier this evening, however. It contains a long series of Internet Safety Talking Points, and is a telling reminder that some schools still suffer from a “culture of fear.” I know all too well how hard it can be to be patient in the face of what appear to be unyielding barriers to the kind of technology-based policies and progress that are vital for educating our young people.

But the right conversation, at the right time, can make all the difference.

Keep the faith.

Perfect Passwords, Every Time

by Richard White

2011-07-20

Man, I am really getting tired of all this talk about passwords.

Okay, okay, I’m one of the people who has been talking about them, but… still. Seriously. Can’t we all just learn how to create awesome passwords and be done with it?

You know all the don’ts, right?

  • Don’t use words found in any dictionary, English or otherwise.
  • Don’t use any personal information: names, dates, social security numbers…
  • Don’t use the same password for multiple uses/websites.
  • Don’t use a password that is too short.

And then there are the dos, which can be a bit overwhelming.

  • Do use a mix of letters, numbers, and special symbols.
  • Do use different passwords for different sites, and change your passwords regularly.
  • Do use a longer password.

I probably don’t need to spend a great deal of time explaining the rationale behind these rules, which are well-founded. Bad guys do try to guess your passwords, both to important things like your bank account, and seemingly trivial things like your email (which they can use to get your bank account passwords). Bad guys use computer programs to try to guess your passwords. Bad guys look at passwords stolen from other places like Sony and try to use them for your other accounts.

It’s a jungle out there. But here’s how you can deal with it. All you need is a system.

It needs to be your own system, of course. You don’t want to reveal your system, your pattern, your trick, to anyone else, because then they’ll know your system, and will be able to guess your passwords. Not good.

But I’m going to show you my system, and you can use something similar, and then we won’t ever have to talk about how to make good passwords again, mmm-kay? :)

Here’s what you need:

  1. A root
  2. A place indicator
  3. Padding
  4. A time indicator

Let’s see what those four items mean, and how they can be used to create a good password.

1. A root

The foundation of your passwords is a good root password, sufficiently random that no one will be able to guess where it came from. You will use this same awesome root for every site you use. My personal recommendation is to use the initials of a favorite song lyric or passage from a book.

Some examples:

“In the beginning, God created the Heavens and the Earth.” → ItBGctHatE
“Ob-la-di, ob-la-da, life goes on, bra” → Oldoldlgob
“We, the people of the United States…” → WtpotUS

These are already some pretty good little passwords, but they’re too short (susceptible to random guessing) and they aren’t going to be different based on place. Let’s fix that.

2. A place

We’re going to add, on either side of your root password, one or two characters that are unique to where that password is being used. For this exercise, let’s say that we’re just going to add a single letter before and after our root, and those letters (according to the system I’m using) are the first and second letters in the place name. If I’ve selected “WtpotUS” as my root password, how does that affect our passwords?

User password on my Windows computer: WWtpotUSi
Amazon account password: AWtpotUSm
Bank account password at Chase: CWtpotUSh

Notice how cool this is: Even if someone were to see me typing in my Windows password, without knowing my system they wouldn’t have any idea which of those letters are the root and which are associated with the Windows machine. They wouldn’t even know to look for such patterns, there’s so much entropy in that password.

So now I have a reasonably good password that’s different for different situations. For some people, that’s good enough. But we can do better, and very easily.

3. Padding

We haven’t yet used any special characters in our password—#, &, %, (, @, etc.—and using special characters is an easy way to increase both the complexity and the length of our password. For my situation, I’m going to use the three characters “!@@” both before and after my passwords. My passwords now are:

User password on my Windows computer, with padding: !@@WWtpotUSi!@@
Amazon account password, with padding: !@@AWtpotUSm!@@
Bank account password at Chase, with padding: !@@CWtpotUSh!@@

4. A time indicator

It may be that you want, or need, to change your passwords from time to time. Some systems require this, and other people just think it’s a good idea. One possibility is to include some sort of date signature in your system, but keep in mind that it can’t look like a date signature; otherwise, someone who learns one of your passwords is going to have a big clue about your other passwords.

In my system, I try to change my passwords every 3 months or so, starting on my birthday in February, and append to that the digit of the year. So my passwords from February to April in 2011 will have a 21 included. From May to July the passwords will have a 51 included.

User password on my Windows computer, with time indicator for February – April, 2011: !@@WWtpotUSi21!@@
Amazon account password, with time indicator for May – July, 2012: !@@AWtpotUSm52!@@
Bank account password at Chase, with time indicator for November, 2010 to January, 2011: !@@CWtpotUSh111!@@

And that’s all there is to it.
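
The four parts assembled in code, as an added example that is not part of the original post; the last function counts how many characters separate two sites' passwords. The root, padding and place rule are the post's, the function names are made up here, and the year digit is assumed to come from the year in which the three-month period ends, a reading that reproduces the post's time-indicator examples.

```python
from datetime import date
from typing import Optional

ROOT = "WtpotUS"    # root used in the post ("We, the people of the United States...")
PADDING = "!@@"     # padding used in the post
START_MONTH = 2     # the post's rotation starts in February


def time_indicator(day: date) -> str:
    """First month of the current three-month period plus one year digit.

    Assumption: the year digit comes from the year in which the period
    ends; that reading reproduces the examples in the post.
    """
    offset = (day.month - START_MONTH) % 12                    # months since February
    start = (START_MONTH - 1 + offset - offset % 3) % 12 + 1   # 2, 5, 8 or 11
    wraps = start + 2 > 12                                     # Nov-Jan crosses New Year
    end_year = day.year + 1 if wraps and day.month >= start else day.year
    return f"{start}{end_year % 10}"


def build_password(place: str, day: Optional[date] = None) -> str:
    """padding + place[0] + root + place[1] + optional time indicator + padding."""
    if len(place) < 2:
        raise ValueError("place name needs at least two letters")
    stamp = time_indicator(day) if day else ""
    return f"{PADDING}{place[0]}{ROOT}{place[1]}{stamp}{PADDING}"


def differing_positions(a: str, b: str) -> int:
    """Number of character positions at which two passwords differ."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


if __name__ == "__main__":
    today = date(2011, 3, 1)   # constructed sample date
    sites = ["Windows", "Amazon", "Chase"]
    passwords = {s: build_password(s, today) for s in sites}
    for site, pw in passwords.items():
        print(f"{site:8} {pw}")
    # How much of one site's password carries over to another site's
    a, b = passwords["Windows"], passwords["Amazon"]
    print(f"{differing_positions(a, b)} of {len(a)} characters differ")
```

For the sample date, the Windows and Amazon passwords differ in 2 of 17 characters, which is why the post insists that the system itself stay secret.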

Okay, okay, I know what you’re saying: “I don’t care about changing my passwords every three months.” Fine. Leave #4 off your list.

Or, “Can’t I just use one special character for my padding, rather than three?” Of course you can—make your own system, based on similar parameters: high entropy (disorder) in your password, and greater length (in order to discourage brute force attacks).

Or, “Do I really need a system this complex for my Webkinz subscription?” Probably not, but I know some 8 year olds who are pretty darned protective. Use your password system at your discretion.

It bears mentioning, too, that if most of your passwords are used on the Internet, then a service such as LastPass or KeePass might be valuable to you. They offer true entropy, and site-specific passwords managed by a single master password. Of course, relying on a third party to manage your security can have its problems too.

Using and maintaining passwords is hard work, but it’s increasingly important that we all have a basic working understanding of what’s involved. Root – Place – Padding – Time is a useful, customizable way of creating and remembering stronger passwords.

Good luck!