In this series of blogs we examine all topics under the information security umbrella. From corporate blunders to rogue state attacks to the occasional celebrity hack, we believe there is something for businesses and individuals to learn from any cyber security event. We also believe that, while experience is the best teacher, it’s even better to let other people make the mistakes for you.
Videos covering the recapture of international drug kingpin Joaquín “El Chapo” Guzmán are sensational to say the least. What video hasn’t captured, however, was the intricate web of deception, misdirection, and subterfuge that the Justice Department says would have been rendered ineffective if large tech companies would be willing to work with them in creating backdoors in the same encryption designed to protect consumers. Add to the situation an Academy Award-winning actor and guest reporter for Rolling Stone and his attempts to conceal a secret interview and, needless to say, this is going to cover some serious ground.
The Notorious C-H-A-P-O
The rabbit hole that you could tumble down when beginning an online search for information on Guzmán is deep and seemingly endless. In the interest of brevity, you can rest assured that Guzmán’s empire was large enough for him to hit Forbes’ Most Powerful People list three years in a row in addition to being only the second person since a certain Alfonse Capone to be the city of Chicago’s Public Enemy Number One. Oh yeah, that dubious distinction persists in spite of Guzmán never actually having ever set foot in Chicago. What does all this mean? It means that Guzmán is a bad dude, with world’s-richest-caliber deep pockets, and that there were huge international agencies working overtime to stop and catch him. So how then did Sean Penn get to sit down with him for Rolling Stone Magazine?
Let Investigators Handle Investigative Reporting
Let’s get it straight, I love Sean Penn as an actor and believe that he could make any on-screen depiction of a spy or undercover journalist come alive in a convincing and compelling fashion. However, any person who describes himself as, “the single most technologically illiterate man left standing,” is probably not going to successfully cover his tracks while navigating an elaborate web of coded messages, burner phones, and encrypted emails. Plus, I’m no expert but come on, he’s Sean Penn, and someone might recognize him. To take it back to where we began, Penn and Rolling Stone got their interview and (gasp) the DEA and Mexican Authorities got Guzmán. What isn’t immediately evident is how this whole process affects the privacy of the everyday communications of us non-billionaire drug kingpins or Hollywood actors.
The Government Squeeze
The bad news is that we live in a world where terror attacks are planned and executed using many of the same tools that working folks are familiar with. The good news is that we have truly massive networks of surveillance monitoring suspicious activity to try and hunt these people down before they can act. And the not-yet-clear-how-it-will-fall news is that there’s another battle being waged over the creators of that technology and the government agencies that are tasked with tracking down the bad guys over who gets the keys to the car. Members of the Justice Department, Attorney General Loretta Lynch, and representatives from the biggest technology companies in the world including Apple CEO Tim Cook are in Silicon Valley discussing encryption. Specifically being debated is how secure is too secured for how we share our data?
Obviously, the government wants to be able to listen in on what’s going on in the world. Heck, if it weren’t for those pesky Fourth Amendment rights of ours, we wouldn’t even need the controversial USA PATRIOT Act to argue over the rights versus safety debate, but we do and the argument is spilling off of the phone and into the computer at these talks. The government wants for tech leaders to create back doors to all of the modern encryption methods being used by everyone from banks to students and, yes, even to those on the other side of the law. This is all basically a way to have encryption methods be, by design, less encrypted. Sure it would make it easier to snoop on people who have been identified as threats, but it would also make data security inherently less secure for the rest of us. A sticky wicket indeed.
For anyone in IT or Customer Support, this is an oldie but a goodie and it stands for “Problem In Chair, Not In Computer,” and is also an interesting argument against softening encryption standards. Additionally, the tech companies aren’t alone in their defense of their technology with former NSA and CIA Director Michael Hayden actually arguing against the creation of back doors to our data. The point Hayden makes is simple monitoring is not what being an intelligence agency is all about. Our clandestine services have available to them all manner of advanced tools and techniques to combat narco-terrorism like Guzmán’s, and therefore they aren’t hamstrung to relying on only sift through digital communications alone. What are some of those advanced techniques, you ask? Some of them aren’t as impressive as you may expect from the sweet ejector seat-equipped Aston Martin of James Bond, unfortunately, but suffice to say mostly it involves the single consistently imperfect aspect of data encryption- the people using it. In Guzmán’s case, relying on an actor to handle the sensitive information in how to contact and meet with his organization (much less having him cross the border undetected) wasn’t a good first step.
How Does This Affect Me?
Just like we have warned about plenty of times before, the majority of threats that we face as daily users of technology are crimes of opportunity, meaning that if we don’t make ourselves easy targets, the criminals tend to move on to easier prey. The first thing I would recommend to protect yourself from any third party or governments listening in on your conversations is to not be a terrorist or drug lord, after that step things get a lot easier. The next thing to focus on, and it’s ridiculous how frequently we need to mention this, is maintain proper password protection protocols at all time. We have some easy to follow password best practices to go by but start off by thinking about passwords as phrases, not single words, never use pet or family names, and don’t reuse them for multiple accounts. And if you ever use “password” as your password, I really hope you’re also running a terror cell because you’ll be pretty easy to catch. All kidding aside, please take care of yourselves and each other out there. With just a little bit of effort you can protect your information from folks who would want to do you harm (or violate your privacy!), so do yourself the favor and put these best practices to good use.
Stay safe out there and remember to Protect ya Neck!