Thursday, 28 March 2013

Key parties help you remain private or what is old can be new again

Two decades ago, in the age of the cypherpunks, it was all the rage to sign each other's PGP (Pretty Good Privacy) key pairs. Well, it was all the rage in certain circles of crypto geeks. Back then encryption was still illegal to export from the US, and there was something more to the notion of signing and exchanging keys when doing so was illegal. Back in those early university days the whole notion of private communications and protecting the right to speak was made available through the creation of a fairly simple cryptographic tool. For many these days, Zimmermann's PGP with its command-line interface would be considered far from user-friendly.

A rebirth of key parties, that is cryptographic key parties and not the 70s couples parties, has come about in the form of the CryptoParty. These started just a couple of years ago here in Australia with the passing of the Cybercrime Legislation Amendment Bill 2011. The reason is a fear of monitoring. For some this fear is warranted. In other cases it is simply about learning cryptography in a simple manner, and one would hope it is also a means to disseminate security advice.

The aim of a CryptoParty is to create a general awareness of the Tor anonymity network, encrypted file stores such as TrueCrypt, and virtual private networks. The fear from government is that this will make crime easier. Although criminals can use cryptographic tools, they have no need to attend a CryptoParty to learn about them. Even before cryptographic tools were made legally available and placed into common use, criminal groups and governments used cryptography for a variety of nefarious purposes. Cryptography is one of those things that cannot be easily controlled, and the proverbial cat has long escaped the bag.

The unfortunate side of what we see reported about CryptoParties comes from an overabundance of biased reporting. Many members of the "Occupy", Anonymous and anti-globalization movements have been seen attending these functions. The primary concern that led a number of security and privacy advocates to initiate the rebirth of a cypherpunk icon was the proposed introduction of a two-year data retention bill.

This misinformed attempt to address a serious issue from Australian Federal Attorney-General Nicola Roxon shows some of the misinformation, ignorance and poor judgment that surround electronic crime. Instead of taking an economic approach to crime by making it less profitable, a move that would seriously impact criminal activity, the focus has been a typical knee-jerk reaction to the symptoms. The resulting response has seen a rise in security awareness sessions in the form of CryptoParties. They do not cover everything to do with security, and in many cases offer people a false sense of security, but at least their heart is in the right place.

There are serious issues to be addressed. Cryptography is a tool that can aid with some of these problems. Like every tool it has good and bad uses. Like every tool, we need to look at how it is used. A hammer was utilized in the murder of Russian spam lord Vardan Kushnir, a purpose it was not designed for. Cryptography is similarly used by criminals for purposes it was not designed for. Just as banning hammers will not stop a variety of crimes, banning cryptography will do nothing to stop the criminal use of these products. Not that this is saying any attempt has been made to ban cryptography. What has been occurring is a grassroots movement designed to make people aware of the tools that are available.

A more serious issue comes from the misfounded belief that cryptography is itself security. Like every tool it needs to be used correctly to function correctly. Often there is a belief that the use of cryptography will help you remain secure in all cases. This becomes problematic when people start to believe that they do not need to secure their host computer because they have cryptography. We see this all the time in the use of SSL, or Secure Sockets Layer. This is touted as a means of securing commerce when all it actually does is secure a tunnel between computers; it does nothing to secure the database, file system or other data repositories at either end.

In using cryptographic tools, we take a first step. As such, there is value in the message promoted through CryptoParties, but we are yet to see whether this will continue into teaching the real fundamentals that will actually make us safe online. Cryptography means little if the systems we are using have not been secured correctly. If those you wish to protect your privacy against can monitor your keyboard, for instance, there is little that encrypting a message will do, because the keystrokes are captured before the encryption ever happens. Most criminal groups know this. Malware often captures keystrokes to intercept passwords that would otherwise be sent encrypted.

The aims of those promoting CryptoParties could be a benefit, but it is yet to be seen whether they will extend into the fundamentals and actually form a means to teach basic online security.
