[opendtv] Re: F.C.C. Proposes Privacy Rules for Internet Providers - The New York Times
- From: Craig Birkmaier <brewmastercraig@xxxxxxxxxx>
- To: opendtv@xxxxxxxxxxxxx
- Date: Sat, 19 Mar 2016 08:22:56 -0400
On Mar 18, 2016, at 9:15 PM, Manfredi, Albert E
<albert.e.manfredi@xxxxxxxxxx> wrote:
So, within this iCloud, it is encrypted, *BY APPLE*. It's hardly secure,
Craig. Apple has access to it.
So? It is secure from deep packet inspection. It is secure from hackers. It is
secure from nosy politicians, at least until they can get a warrant.
Apple does not sell my data. It is one of many reasons I choose their devices
and services.
It might be secure from "unauthorized" hosts on the iCloud, but it is not
secure end to end. You have no guarantee that someone isn't reading it,
either Apple, or when it goes outside the iCloud. You are blindly trusting
Apple and other ISPs to not snoop.
Other ISPs cannot read my mail. Several years ago iCloud mail was only secure
between iCloud users. In 2014 Apple started making it secure with all e-mail
servers. How your e-mail server deals with encryption between their server and
your client is not something Apple can control; thus it is on you to choose a
provider who protects your privacy.
But all of this still ignores the "mountain of data" reality. There is little
commercial value in e-mail with grandma, or your drinking buddies. The contents
of e-mail may become "valuable" to law enforcement if they suspect you of doing
something illegal. And the contents of your corporate e-mail may contain
sensitive information of value to competitors.
That is why DPI is used in many firewalls, to keep employees from inadvertently
(or purposely) making sensitive information available to prying eyes. It is
supposed to work that way with government employees too...
Unless they believe they are "above the law" and can depend on implied
immunity, or plausible deniability. But that never happens...
Right?
The same happens if an ISP claims to encrypt your email. You might naively
think, aha, they encrypt my email, so DPI won't work. Really? If the ISP is
encrypting that email, they can just as easily decrypt it. And never mind
when that email leaves the ISP network.
A rather fuzzy area. It is very possible to build encryption that the builder
cannot decrypt. That is the purpose of the secure enclave in Apple iOS devices.
This capability lies at the heart of the current FBI request that Apple write
an OS to disable the self destruct protection against password guessing, so
that the FBI can run a brute force attack on an iPhone 5c.
I would think you might be a bit more knowledgeable in this area as it has many
implications in your professional work...
In short, unless you have laboriously set up your own email client, and those
you want to communicate with, your email is not secure. If you do encrypt
properly, end to end, then Apple, or the ISP, will not be able to snoop.
As the experts in cyber security tell us, nothing is impenetrable. This is a
very old truism about security...
That's why castles have moats and thick, high walls. It is why commercial
building codes require 5 hour burn through ratings between adjacent businesses
and apartments.
The whole point is to resist attacks. To make the cost of overcoming the
security barriers so high as to provide protection. And it is important to note
that security is constantly evolving. Moats and walls are of little value in
modern warfare.
It is a bit ironic that the strong password protection now being built into our
smartphones was REQUESTED by law enforcement agencies. Not many years ago
(2013) smartphones were a huge target for thugs on city streets and subways.
They could be turned into cash very quickly and easily. So law enforcement
asked the manufacturers to help:
http://missionlocal.org/2013/04/police-to-phone-manufacturers-help-stop-theft/
Another example of the law of unintended consequences?
Under normal circumstances, you, the user, do not have control
over what is encrypted properly. Sure, if you go to your bank's
web site, you'll see the content is encrypted end to end. If
you go to a search engine, it won't be. Any site you browse
that does not require credit card payment will generally be
unencrypted.
All true.
Finally! So there you have it. Allowing ISPs to use deep packet inspection is
giving them carte blanche to tap into your broadband comms.
Sorry, as Spock would say...illogical!
Exactly like wiretapping your telephone. If you happen to be using iCloud,
perhaps your local Cox ISP won't be able to use DPI effectively, but Apple
can, as can any other DPI-using ISP hosting any non-iCloud servers or
subscribers you're dealing with.
Get a life.
Regards
Craig