Tuesday, June 26, 2012

Morality and Respect for the Key

RSA SecurID keys - almost anyone with a corporate affiliation, whether as an employee, customer, client, etc., has one - are as ubiquitous as water.

Basically, large organizations have their IT departments set up "secure" VPNs so that outsiders (or remote employees or departments) can access their systems.

But RSA keys are not all that secure - a paper described in this Ars Technica article (link to Crypto 2012 paper as PDF here) offers to bypass the key in as little as a few minutes. Similar techniques are applied in the PDF to many other forms of secure IDs.

Now all of these cracks are basically tricks involving ways to "get around" the difficulty of factoring large numbers, which is the basis of the RSA encryption scheme.

But that's not the point of this post.

Instead I have been wondering for quite a while now when technological "devices" and "security" became a substitute for morality.

Fifty years ago the notion of security was quite different than it is today.

If you had private documents, money, photos, stocks, bonds, and so on you kept them in a safe. Usually this was a large, heavy metal box with an old-fashioned dial on the front that you turned back and forth to a specific set of numbers in order to open it.

If you didn't want a safe the local bank would rent the equivalent to you in the form of a safety deposit box.

Beyond that most things were "locked up" in a cabinet or desk drawer.

Computers, networks, routers, VPNs and all the rest had yet to be invented.  If you did have a computer it was likely simply inaccessible outside the locked room where it operated.

Locks and keys were fairly ineffective and the basic idea was that "locks kept honest people honest."

This meant that if you had integrity and were "tempted" to forgo that integrity to pry into something not yours, the fact that it was locked up served as a reminder that it was not yours to view. The goal of having something in a locked drawer was not that the drawer could not be penetrated (most desks from those times had simple locks which could easily be forced) - instead it was to let others know that the content was private.

The fact that something was "private" was taught in childhood.

You learned to respect the property of others.  If you forgot, the lock served as a reminder.

Of course, things left lying around in the open might be available to prying eyes...

The UNIX crypt command was the first commonly available encryption software that I am aware of. It was part of the Bell Labs UNIX distributions available in the 1970s. It was a software implementation (as far as I know) of the German Enigma encryption device from World War II. It could encrypt and decrypt a UNIX file. Since the only things in such files in those days were geek stuff there was little reason to take it too seriously (that and the fact that the Allies had broken the Enigma code in WWII anyway).

There were of course military encryption technologies at that time, but even knowledge of them was thought to be a crime. The CIA was thought to have the world's largest computers and a staff of cryptographers. Basically all this was reason to "stay away" from military encryption.

The invention of RSA public key encryption in 1978 changed all this.

The RSA model makes it easy for anyone to create and use a two-part cypher. RSA has a "public" key and a "private" key. Everyone is allowed to know your "public" key; no one but you knows the "private" key. The keys are related as factors of very large integers.

RSA messages are based on "signing" with either the public or private key.

If I want to send you a message I can encrypt it with your public key. Only you can decrypt it because only you have the "private" key. To ensure the message came from you, you can encrypt it with your private key first. Then, after I decrypt it with my private key, I decrypt it with your public key and I know the message can only be from you.

This differed significantly from having "keys" which had to be exchanged before messages could be sent.
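The two-key flow described above, as an added example that is not part of the original post: textbook RSA with constructed tiny primes, where the sender first applies their private key (the "signature" step) and then the recipient's public key, and the recipient reverses the order. Names (Alice, Bob, Mallory) and the prime values are assumptions for the demo; real RSA uses primes of hundreds of digits and a padding scheme, which this illustration omits.

```python
from math import gcd

def make_keypair(p, q, e=17):
    """Textbook RSA: the modulus n is the product of two primes and the
    private exponent d is derived from those factors (constructed tiny
    primes here; real keys use primes of hundreds of digits)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)         # (public key, private key)

def apply_key(value, key):
    """Raise value to the key's exponent modulo n; the value must fit under n
    or information is lost in the reduction."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def send(message, sender_private, recipient_public):
    """The post's flow: apply the sender's private key first (a signature),
    then the recipient's public key (encryption)."""
    signed = apply_key(message, sender_private)
    return apply_key(signed, recipient_public)

def receive(ciphertext, recipient_private, sender_public):
    """Reverse order: recipient's private key, then the sender's public key."""
    signed = apply_key(ciphertext, recipient_private)
    return apply_key(signed, sender_public)

# Constructed demo keys (assumed names). Each sender modulus is deliberately
# smaller than the recipient's so the signed value always fits under it.
ALICE_PUB, ALICE_PRIV = make_keypair(61, 53)      # n = 3233
BOB_PUB, BOB_PRIV = make_keypair(101, 113)        # n = 11413
MALLORY_PUB, MALLORY_PRIV = make_keypair(47, 59)  # n = 2773, an impostor

def demo(message=1234):
    """Return (what Bob recovers from Alice, what Bob recovers when he
    checks an impostor's message against Alice's public key)."""
    ciphertext = send(message, ALICE_PRIV, BOB_PUB)
    genuine = receive(ciphertext, BOB_PRIV, ALICE_PUB)        # == message
    forged = send(message, MALLORY_PRIV, BOB_PUB)
    checked_as_alice = receive(forged, BOB_PRIV, ALICE_PUB)   # != message
    return genuine, checked_as_alice
```

The impostor's message does not decrypt to the original under Alice's public key, which is what lets Bob tell that it was not hers.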

But all this technology aside something changed over perhaps the last decade or so.

The ubiquity of computers has created boundless opportunity for people to access others' private material - whether on a desktop computer or the internet.

And, it would seem, because private materials and data are seen as so "available" the old notions of respect for privacy have vanished.

Access to any number of things, personal and otherwise, is now most likely a simple password away.

No longer are there moral strictures telling you that accessing someone's private data is wrong.

Instead there's an endless parade of ever-stronger cypher-based technologies and ever-more-invasive laws specifically targeting "hacking" - which today has come to mean for the most part breaking into a digital system and stealing password data.

No longer is this considered to be counter to common morality.

Hacking to discover the "evils of US Imperialism," as in the case of Julian Assange, is considered heroic.

It seems to me that we have replaced the notion of traditional morality with strong cryptography.

The assumption is that someone will steal your private data unless you actively work to prevent it. Conferences like Crypto 2012, in the name of openness, actively publish ways to crack security at public companies that store your banking, credit card, stock and investment, and other personal information.

But this means as a race (of humans) and as a society we have discarded the notions of "privacy" and "respect for the property of others."

Ever more clever lawyers have found ways to allow those perpetrating these crimes to escape justice - mostly by using clever legal tricks to circumvent traditional laws, e.g., simple theft, when applied to electronic hacking.

So lawmakers have retaliated, so to speak, with ever more specific hacking laws. Of course, these turn out to be overly general in ways not imagined and have the effect of actually making legal behavior a crime.

Today the law and crime are involved in an ever-expanding dance to see which side can outdo the other.

This leaves those of us outside this world as the victims.

And the strictures against "cruel and unusual punishment" leave the criminals with virtually no punishment - after all, isn't punishment cruel by definition?

So the result is that these crimes are met mostly with non-punishment punishment - such as not using a computer for life - which is, of course, unusual and unenforceable.
