The man (E.S.) did us all a favor. If there was ever one that should receive a Nobel or some high achievement medal, he's the man.
Anyone following the fortunes of the world’s biggest technology companies will have noticed a trend: every one of them has gone potty for privacy. This is not out of some sudden moral urge but because their futures depend on proving that they are good at protecting people’s personal data. The Edward Snowden leaks, in …
Snowden... was simply granted too much access to valuable NSA information. That he was a contractor and not a true insider is even more worrisome for the US government.
Welcome to today's government. There are many more contractors than direct government hires. They have to go through the same vetting process as guvies and follow the same rules and get the same certifications. If there is a problem, it isn't civilian or military versus contractor, it is the environment under which all work.
On the other hand, only allowing the "true insider" into the bastions of power is pretty much the definition of an oligarchy. That particular form of US government - which appears increasingly to be "the environment under which all work" - really needs to be a great deal more worried than it is.
Unfortunately, I suspect that efforts to prevent data being taken by stealth will only increase the appetite for taking it by compulsion. It's not that long since encrypting your data was illegal: those days could soon return.
The issue that makes this moot is the encryption itself. Strong encryption is banned by the US Dept. of Commerce and only "approved" encryption methods can be used in American electronics.
In a post-Snowden world, who thinks this is because the approved encryption is safe from gov't snooping?
Not being involved in commerce, I am not aware of any restrictions on use of strong encryption. As a somewhat interested (US based) observer I would be interested to know which strong encryption methods are either banned for use or not permitted in American electronics. The Wikipedia article on export doesn't indicate any, although Wikipedia is not an authoritative source. The DoC web site appears to have been created by bureaucrats from Hell intent on making it difficult to find this or any other useful information.
My impression is that AES and 3DES are (a) generally regarded as "strong" and (b) generally permitted for use, and for export to most countries.
Breaking encryption with brute force is all about time and resources. The more time and resources an attacker must devote to their attack, the harder it is for them to succeed.
The added "strength" of two layers is that it is already difficult to break one layer of encryption, so breaking two layers will be even more difficult. Remember that encryption is just one (important) link in the security chain. No rule prevents you from having more than one chain around your safe.
If we apply the "inner fortress" principle, the very hardest encryption or defense layers will be on the inside. The assumption is that attackers are more easily detected (or worn out) as they attempt to penetrate increasingly difficult security perimeters. Medieval castles were built on similar principles, as are most secure installations. First the moats, pikes and outer walls, then the hot pitch and finally the fortified, elevated keep. With luck, your reinforcements will arrive before everyone is slaughtered by wet, bleeding, exhausted, scalded attackers.
Of course, all this good practice goes right out the window as soon as a trusted insider (like Snowden) goes rogue or is compromised.
This is why organizations that really CARE about security (you'd think the NSA would be on top of this list) spend as much (or more) time managing their staff's access as they do managing physical and logical access. Sadly, many banks, Home Depots and Targets lack this best practice approach or else can't/won't pay for it.
Two-factor authentication (something you know, something you have) can also greatly slow down or prevent unauthorized access.
Likewise, insisting that two authorized humans are present before giving access to confidential data (think bank safety deposit boxes) reduces the risks presented by the weakest links in the security chain, AKA meatbags with USB keys and global access rights. The next time your PHB insists on having admin privileges and global access, try to explain that little conundrum.
The problem most organizations will have with proper security is that it is complex to administer, can be hard to use, expensive and typically requires specialized, disciplined people and tech. Security policy must also be valued and adhered to by the rest of the organization's meatbag stakeholders. This is why good security so often remains a hard sell, until it is too late.
And best practice security procedures, process and constant vigilance are equally vital, because the security boundaries, vulnerabilities and goal posts will always be shifting. If you don't keep repairing and fortifying the castle walls or fail to keep an eye out for the latest marauders, eventually you will fall.
“And second, who would really give a damn about what we hold on our disks anyway? Sure, there may be personal, identifiable information on there but the NSA won’t really care about that, and if there are credit card details, then both we and the cloud provider would need to be demonstrably PCI DSS compliant anyway.”
--Quocirca analyst Clive Longbottom.
Have added Clive Longbottom to my list of "utterly worthless self important asshats who absolutely will never understand security or privacy".
Why is it Americans and Brits never seem able to grok privacy? Something cultural? Are they all Clockwork Oranged at birth? Inquiring minds want to know...