November 2013 | SafeLogic

Archive for November, 2013

26 Nov 2013

Giving Thanks for Decryption

The year was 1621.  The place was Plymouth, Massachusetts.

I know what you’re thinking, but don’t worry.  No, of course I wouldn’t try to draw a connection between Thanksgiving and encryption.  That would be silly and far-fetched.

It’s actually about decryption.  So there.  Now back to the story!

The Pilgrims had suffered a great deal since the establishment of Plymouth Colony, and may have perished or given up, if not for improved relations with the Wampanoag tribe nearby.  Their chieftain was Massasoit, whose greatest contribution to history was his decision to embrace an alliance with the colonists and appoint an ambassador.

Tisquantum, or Squanto, as he has been immortalized in our American lore, was the key to the survival of the Pilgrims.  He was the spokesman for the Wampanoag, although he was in fact Patuxet, a traditionally allied but distinctly separate tribe.  So why was Tisquantum allowed to be the liaison and represent a tribe that was not his own?  Because he was the decryption key between the two ciphers.  He spoke both languages, as a result of spending the bulk of his young adulthood in England and Spain.

In truth, the Wampanoag tribe’s survival depended as much on the Pilgrims as vice versa.  The tribe had been threatened by attacks from the inland Narragansett, and suddenly the colonists and the Wampanoag found their goals aligned.  If Tisquantum had not been able to translate and broker an alliance, both groups would surely have perished.

My point is that ciphers, such as an isolated foreign language, provide security just like a modern algorithm.  As long as you don’t need to access the information, it is completely opaque and safe.  Think about that for a second – if information was encrypted to the point where decryption was no longer possible, it would be infinitely secure and infinitely useless as well.  To be valuable, information requires collaboration, and that requires authorized decryption and the ability to share the right keys with the proper people.  Without Tisquantum acting as the decryption key, each group would have remained effectively secure – but isolated, divided, and vulnerable to attack and attrition.  Encryption is only as successful as your ability to decrypt and leverage the information.

So whether you prepare the turkey roasted, or just hashed and salted, remember that Thanksgiving is really a story about decryption keys, translation, and cooperation.  Be thankful for our ability to obfuscate private data, but be even more thankful for our ability to decrypt, share, and collaborate.  Without the latter, we wouldn’t be able to use crypto at all.  And those decryption skills are particularly useful when you’re trying to decode your in-laws’ backhanded compliments.

Happy Thanksgiving from all of us here at SafeLogic!

BlogFooterWalt

20 Nov 2013

We Don’t Play Favorites. WTF Yahoo!?

In last week’s blog post, I was surprised, disappointed and generally ticked off to learn that Microsoft had publicly admitted that their server-to-server data was still unencrypted.  Their corporate message was an empty promise to evaluate “additional changes that may be beneficial to further protect our customers’ data.”  319 words of blog therapy later, the best summary of my feelings on the topic was simply the title of the post: “WTF Microsoft?”

On Monday, I got a message with a link.  I could not ignore it, since I already called out the boys of Redmond, so here goes.

WTF Yahoo!?

In a corporate Tumblr post on Monday, Marissa Mayer wrote that Yahoo will “encrypt all information that moves between our data centers by the end of Q1 2014” and “offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014.”  But all I understood was “Yahoo is currently not encrypting our server-to-server data.”  Just like Microsoft.

So despite my appreciation for your “Commitment to Protecting Your Information”, Marissa, this was nothing more than a guilty disclosure disguised as a positive announcement.  Lots of heavy spin on this one.  Nice work, Yahoo! PR team.  I hope you didn’t spend too much time picking out the proper shade of lipstick for that pig, because it didn’t cover up anything.

End of Q1 2014 is too late.  Tomorrow is too late.  In fact, yesterday was too late, but at least it would be in place already.

I said it last week and I’ll say it again.  Implementing world class cryptography is within the reach of every vendor, product, solution, and app.  No more excuses.


15 Nov 2013

WTF Microsoft?

This week brought a variety of news, but one headline in particular caught my eye.  It was from the UK and didn’t get a ton of press here in the States, despite the significance and repercussions for all of us.

‘We still don’t encrypt server-to-server data’ admits Microsoft to EU Committee

In the context of a European Parliament committee hearing on NSA and GCHQ (the British counterpart) access to communications, this is rather perturbing.  Dorothee Belz, EMEA VP for Legal and Corporate Affairs for Microsoft, joined peers from Google and Facebook to testify on the privacy issues when she conceded a lack of server encryption.

Wired.co.uk’s Chris Baraniuk pinged Microsoft’s official spokesman and came up empty except for a boilerplate (and ineffective) reassurance that “[Microsoft is] evaluating additional changes that may be beneficial to further protect our customers’ data.”

Well, we would hope so!  It’s not like this newfangled encryption technology just arrived on the scene.

I know this blog is inherently pro-crypto, but this should be drawing mainstream outrage.  You don’t need PETA to tell you that animal abuse is wrong, and you don’t really need SafeLogic to tell you that Microsoft has dropped the ball.

These tech giants, like Microsoft, Google, Facebook and others, have a fiduciary responsibility to safeguard the data of their users.  There is an expectation of privacy, safety, and trust.  If Microsoft cannot rise to the occasion and put reasonable measures in place, users should talk with their wallets and eschew products such as Outlook, SkyDrive, and Office 365.  Why place personal information within cloud products proctored by a company demonstrating disinterest in proper stewardship?

Implementing world class cryptography is within the reach of every vendor, product, solution, and app – SafeLogic has proven that.  There’s just no excuse for one of the biggest innovators of our lifetime to be lagging behind.

So Microsoft – if you need help, drop us a note!


7 Nov 2013

The Blackberry Vacuum

Blackberry is back!  …In the news, that is.  This week brought new twists to the saga of Waterloo, including the collapse of the Fairfax buyout bid, the unceremonious exit of CEO Thorsten Heins, and the sudden announcement of a $1 billion cash infusion from Fairfax instead.

As Sara Angeles wrote in BusinessNewsDaily on Monday, “BlackBerry business users may as well be left in limbo.”  That’s a pretty polite way to say that things look ugly.  Those business users are just the tip of the iceberg as well – don’t forget that Blackberry has a significant market share in the US federal government that will be up for grabs.

Back in February, Gartner analysts reported significant client inquiries surrounding concerns about Blackberry’s long term viability.  As a result, the research giant published a migration guide for enterprises that were reliant on the former RIM, detailing steps towards a multi-OS mobility strategy.  Again, this was a polite way to recommend hedging.  I can’t imagine that Gartner (or any other analyst) was actively suggesting that iOS-only shops should add Blackberry to the mix.  This was an exodus, plain and simple, no matter how diplomatically stated.

As I related to Angeles in the BusinessNewsDaily, there are Enterprise Mobility Management (EMM) solutions available that are viable alternatives to Blackberry, satisfying even the most security-conscious enterprises.  When that competitive edge evaporated, it was just a matter of time until Android and iOS encroached on Blackberry’s market share, powered by these solutions.

So what is the takeaway here?

There is no upside to sticking around for the bitter end, so many remaining Blackberry shops are planning their transition.  Since these stalwarts include some major deployments in the federal government, you can imagine the upside for the EMM providers who are positioned to compete for that market share.

The vacuum created by Blackberry’s displacement will generate significant business – enough to separate the leaders from the pack.  For the EMM solutions not yet validated for FIPS 140-2, the pressure is on to make a judgment call.  There is no better time to make the leap into the fray and begin bidding for government contracts.

Further, the solutions that dominate in government will have the edge in the private sector as well.  The obvious play is to parlay the credibility earned in federal RFPs into more business.  That FIPS validation will certainly be a differentiating factor.

So the question is: Will you be grabbing big handfuls of Blackberry’s market share?  Or will you be sitting on the sidelines?

If you’ve been waiting for the right time to pursue FIPS, this is it.
