buying illegal drugs on the internet

I suppose that headline is also found in quite a bit of spam. Oh well. I read with interest this story in Forbes about how the Silk Road site is facilitating about $2 million a month in illegal drug sales over the internet, using technologies such as Bitcoin for payment (which apparently is untraceable) and Tor to serve the site (which apparently is also untraceable). As an aside, the only reason I say “apparently” is because it always seems that no matter how airtight any electronic security measure seems to be, there always eventually seems to be someone who comes along who is sufficiently clever and/or dedicated to bypass it.

My initial thought on this story was that it was rather a shame that such useful technology would be put to such notorious uses, and wondered how long it would be until someone called for government control or prohibition of such technologies. Yes, yes, I know, this hearkens back the now somewhat dated debate regarding controls over crypto and the release of the rather poorly received Clipper chip. And yet, I still encounter those who feel that this is the proper approach to such technologies, and the only way that criminals who use such technologies can be pursued and apprehended with any reasonable measure of efficacy.

Perhaps needless to say, but I don’t quite agree with such an approach, largely for the same, very practical reasons that Clipper did not succeed (which I’ll leave to you and Google to find). That being said, I’m fully expecting the dialogue around this story to broach this debate once again.

 

internet e-mail is not secure

From time to time I have moaned and groaned about the lack of security regarding e-mail. Oddly enough, many people who use e-mail on a daily basis for sensitive business communications don’t realize that, generally speaking, e-mail is, by default, not secure. Nothing is magically encrypted when you send or receive e-mails and, to the extent someone can intercept an e-mail, it can be read very easily. I don’t recall who said it, but I do remember the phrase that e-mail should be considered no different than sending a postcard – anyone along the way will be able to read it.

Oddly enough, for some reason, most folks in the business world – including lawyers, bankers, VCs, as well as very smart technology folks – either are not aware of this issue or, if they are, don’t consider it to be much of a risk. To illustrate – I was talking with someone the other day about the marvels of Blackberries. One reason, I was told, that Blackberries have gained such widespread acceptance is their bulletproof security. From what I understand, transmissions to and from the devices is encrypted using some very serious, very heavy duty technology. I pointed out, however, that the encrypted communication was only between the Enterprise Server and the device. So, while it was great that no one could pick up the wireles signal and eavesdrop that way, it would be quite possible once the e-mail made it back on to their mail server and was transmitted via SMTP, at which point it would no longer be encrypted at all (unless other measures had been taken) between their mail server and to the recipients mail server. So although it might be quite secure for e-mails within the organization, for external e-mails, not so much. That being the case, I questioned the value of a partial encryption path for external e-mails. To me, it seemed like armor plating your body, except for your head and chest. I ruminated that it is a question of when, not if, lawsuit or some other form of liability would attach due to someone exploiting this lack of security.

So I read with interest an article on reportonbusiness.com about insider trading as a result of IT folks hacking e-mail:

Regulators revealed yesterday that an information technology analyst working at TD Securities Inc. in Calgary was reading the personal e-mails of investment bankers working on the deal, and bought Synenco securities using undisclosed information about a pending offer from French energy giant Total SA.

While it appears no senior officials involved in any of the recent cases knew their companies’ confidential information had been breached, regulators say firms are responsible for ensuring critical e-mail is not intercepted.

I didn’t see anything in the article about the consequences for the companies. It will be interesting to see what happens. Then again, according to the article, this isn’t the first time this sort of thing happens.

All that being said, there are tools to ensure that e-mails and other communications are made security. There are built-in encryption tools in Outlook. There is PGP. There are services offering encrypted e-mail and other communications through access to secure websites. The fact of the matter, however, is that they’re all an incredible pain in the ass to use. You need to securely exchange public keys. You need to sign up for the web service. You need to go to the website to read and reply. And so on. So, in the meantime, not much is done and millions of unencrypted, easily read e-mails with highly sensitive and confidential information continue to flow through the ether. I imagine at some point something on a much larger scale will occur, and at that point, the imperative will be much stronger to implement security measures for e-mail (at least sensitive/confidential e-mails) or to replace it with something stronger altogether. My suggestion would be that firms exchanging sensitive information by e-mail seriously think about adopting such measures before that. Or run the risk of being the poster-boy for that imperative.

arbitrary electronic search & seizure + us border = ok

I imagine its not much of a surprise given the current environment in the states (as well as, to some extent, similar past rulings in the US). Wired reports arbitrary searches of electronics are OK:

Federal agents at the border do not need any reason to search through travelers’ laptops, cell phones or digital cameras for evidence of crimes, a federal appeals court ruled Monday, extending the government’s power to look through belongings like suitcases at the border to electronics.

Needless to say, consideration should be given to taking some steps to protect confidential or sensitive records that you would not want to be seized. And no, I don’t mean nudie pictures or the like, but things such as confidential information of your business, or that of third parties who have entrusted you with confidential information, or personal information. That being said, Wired also made this observation:

The 9th’s ruling did not, however, clarify whether a traveler has to help the government search his computer, by providing the login information, or what would happen when the government decided to search a laptop with encrypted data on the drive. The defendant in the case can appeal the decision to the U.S. Supreme Court, but the Court is unlikely to take up an issue that two separate appeals courts have agreed upon.

Alternatively, better to leave all sensitive data at the office and, if required, connect through a VPN, retrieve, then erase before crossing.

Well, at least we can thank our stars that the ruling doesn’t apply to “highly intrusive searches of the person”. Yet.

Update: The EFF has published an article on possible ways to minimize the risk of laptop searches. They point out that encryption might not be all that handy:

If, however, you don’t respond to CBP’s demands, the agency does have the authority to search, detain, and even prohibit you from entering the county. CBP has more authority to turn non-citizens away than it does to exclude U.S. persons from entering the country, but we don’t know how the agents are allowed to use this authority to execute searches or get access to password protected information. CBP also has the authority to seize your property at the border. Agents cannot seize anything they like (for example, your wedding ring), but we do not know what standards agents are told to follow to determine whether they can and should take your laptop but let you by.

Elaborating on my suggested approach, they point out the following:

Another option is to bring a clean laptop and get the information you need over the internet once you arrive at your destination, send your work product back, and then delete the data before returning to the United States. Historically, the Foreign Intelligence Surveillance Act (FISA) generally prohibited warrantless interception of this information exchange. However, the Protect America Act amended FISA so that surveillance of people reasonably believed to be located outside the United States no longer requires a warrant. Your email or telnet session can now be intercepted without a warrant. If all you are concerned about is keeping border agents from rummaging through your revealing vacation photos, you may not care. If you are dealing with trade secrets or confidential client data, an encrypted VPN is a better solution.

Anyway, worth a read if you do cross the border with sensitive information.

Another update: More advice from Bruce Schneier on how to deal with customs (both in the US and elsewhere) and also safeguard sensitive information. I particularly like this suggestion (which he offers after also suggesting the VPN approach that I mentioned above) though it does require a little white lie:

If you can’t [use a clean laptop and download via secure VPN], consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it’s easy to lose something that small. Slip it in your pocket, and it’s likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: “I don’t know what’s on there. My boss told me to give it to the head of the New York office.” If you’ve chosen a strong encryption password, you won’t care if he confiscates it.

Further update: US customs, presumably emboldened by the court’s decision, have published their official policy (PDF) describing arbitrary search. The good news is that the reaction, at least in some corners, is somewhat less than favourable. From a recent article in the Washington Post:

“The policies . . . are truly alarming,” said Sen. Russell Feingold (D-Wis.), who is probing the government’s border search practices. He said he intends to introduce legislation soon that would require reasonable suspicion for border searches, as well as prohibit profiling on race, religion or national origin.

There’s also some description of what the good folks at Customs would do, including treatment of privileged materials, etc. If you frequently travel to the US with sensitive business materials, you would do well to review the policy. I may post a summary at some point…

Also, another less than enthusiastic op-ed piece in USA Today.

Thoughts on Quantum Computing

Interesting article in Wired News where they interview David Deutsch who they refer to as the Father of Quantum Computing. He has a kind of low key but interesting take on the recent demonstration of a real, live 16 qubit quantum computer by D-Wave, a Canadian company based out of Vancouver.

Low key insofar as he doesn’t seem particularly enthused about the potential of quantum computers, other than perhaps their ability to be used to simulate quantum systems and of course encryption:

Deutsch: It’s not anywhere near as big a revolution as, say, the internet, or the introduction of computers in the first place. The practical application, from a ordinary consumer’s point of view, are just quantitative.

One field that will be revolutionized is cryptography. All, or nearly all, existing cryptographic systems will be rendered insecure, and even retrospectively insecure, in that messages sent today, if somebody keeps them, will be possible to decipher … with a quantum computer as soon as one is built.

Most fields won’t be revolutionized in that way.

Fortunately, the already existing technology of quantum cryptography is not only more secure than any existing classical system, but it’s invulnerable to attack by a quantum computer. Anyone who cares sufficiently much about security ought to be instituting quantum cryptography wherever it’s technically feasible.

Apart from that, as I said, mathematical operations will become easier. Algorithmic search is the most important one, I think. Computers will become a little bit faster, especially in certain applications. Simulating quantum systems will become important because quantum technology will become important generally, in the form of nanotechnology.

(my emphasis). Interesting thought about being retrospectively insecure. Particularly given spy agencies have, in the past, been sufficiently bold to transmit encoded messages on easily accessible shortwave frequencies.

I imagine the spook shops already have their purchase orders in for quantum crypto stuff (or have developed it already internally). Was a bit surprised by the statement above regarding existing technology for quantum computing. I had heard of some demos a while back, but didn’t realize that there are actually several companies offering quantum cryptography products.

A Real Quantum Computer – This Week!

Sorry, been off sick. One very quick entry from Techworld, about a BC company, D-Wave, that will be debuting a real Quantum computer this week!!

Twenty years before most scientists expected it, a commercial company has announceda quantum computer that promises to massively speed up searches and optimisation calculations.

D-Wave of British Columbia has promised to demonstrate a quantum computer next Tuesday, that can carry out 64,000 calculations simultaneously (in parallel “universes”), thanks to a new technique which rethinks the already-uncanny world of quantum computing. But the academic world is taking a wait-and-see approach.

If it turns out to be true, this will be revolutionary news. I mean, truly revolutionary. If it works, well, say goodbye to most of the cryptography industry, as a quantum computer should easily be able to defeat the most sophisticated encryption methods currently known by simple brute strength. Amongst other things. This is nearly unlimited computing power in a box. Stunning. Assuming, of course, it actually works.

Rapleaf

Interesting article on Techcrunch about a company called Rapleaf. The nub:

Rapleaf will allow anyone to leave feedback for anyone they’ve transacted with. Others can use this feedback to help them determine if they are doing business with someone who’d likely to engage in fraud. Rapleaf is eBay feedback for the rest of the web, and the offline world.

Very interesting idea. Of course, there have been various solutions that people have tried to address the curse (and perhaps sometimes blessing) that, on the internet, no one knows if you’re a dog. I always thought encryption and the whole public key infrastructure thing would go somewhere, you know, with PGP and all being used, then of course the various bodies around the world setting up certification authorities, and then related legislation, etc. etc. That could have solved a lot of problems, including, amongst others, spam. And of course fraud. Surprisingly enough it never got off the ground all that well and in its stead we find reputational markers such as this.

Interesting how the internet has enabled the scaling of these sorts of reputational mechanisms. Where it was once a couple of neighbours chatting about the best butcher, its now millions of folks spread across dozens of countries having their opinions on thousands (or more) vendors. Talk about network effects.