“Goodness speaks in a whisper, evil shouts.”
~Tibetan Proverb

Approaching security from the other direction


We already know that Congress doesn’t use the same insurance we do, and if you do some research you see that interns and other junior positions are on the short end of the stick “for the sake of public service” while those at the very top can afford much better insurance than the majority.

Blackberry was in fact the most heavily surveilled device on the planet, but not for businesses: they had their own Blackberry Enterprise Servers (BES) with internally generated keys. For businesses and governments Blackberry was the most secure device on the planet, and people (public and criminals alike) were under the impression that those security measures somehow applied to them, too. That wasn’t true unless they ran their own internal server infrastructure and registered their devices to it instead.

Blackberry from Verizon out of the box? Everything you did was monitored, from emails and IMs to calendar items.

Did you know that in many businesses, executives (board members, C-levels) have different insurance packages than their staff? I’ve seen it firsthand; it’s very common. The average staff member often pays more for insurance, with less return, than the C-suite. What makes you think the security measures applied to staff are the same as those applied to them? Staff are often told that businesses have to decrypt their traffic for corporate security. The businesses install what are called Man in the Middle security devices, such as those made by Bluecoat / Symantec, that decrypt all encrypted traffic (such as emails, bank logins…) to “look for threats”. Staff are told it’s part of the insider threat programme and is a condition of their employment, and since the businesses own the hardware the staff are using, they can do that.

“Did you hear the one about the Chief Security Officer who told the CEO and COO that in order to secure the company, he had to read their emails and know the bonuses of everyone, including his superiors and the board?” Yeah, that’s a wind-up for a joke alright. After he’s gone, his successor might be allowed to install such monitoring devices, but only for separate subnets, specifically the ones the senior staff don’t use.

Security can be, and is, applied as a privilege granted to the wealthy and powerful. Any time a security measure is pitched by “leadership” (business or government alike), when considering whether you agree with it, research whether those same security measures apply to those up top. If it’s too invasive for them, it’s too invasive for anybody. Do you really think Las Vegas has a successful insider threat programme that involves decrypting the communications of the casino owners? Obviously there’s no way they’d stand for that, and the real secret is that nobody has to: it’s not a tradeoff. You can have both security and privacy, which those in power prove every day while telling citizens the opposite.

Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations. – Attorney General Jeff Sessions

In the above quote and all the ones like it, they pitch a mythical solution that allows them to read citizens’ secrets yet still remain secure against the citizens they monitor and nation state adversaries: unidirectional, top-down, “us” versus “them”, and in most cases “them” means “you and me”.

We get encryption certificates from Comodo, Verisign, Thawte, etc. The government doesn’t, and neither do many big businesses: they have their own keys and internal certificate authorities. What’s wrong with the public (and very expensive) products, that they don’t use what everyone else does?

Do you think the Clinton-era Clipper Chip would have been installed in the White House?

The NSA has been pushing “If you have nothing to hide, you have nothing to fear”, putting up the argument “which is more important, security or privacy?” as if it’s some trade-off. This tradeoff is a fallacy, as evidenced by the fact that the elite who refuse to be eavesdropped on are comfortably secure. If the measures they’re pitching don’t apply to them, what makes We, The People think they’re okay to apply to us?
