ContraRisk Security Podcast 0017: encrypted comms and BYOD

» Listen or download now on the podcasts page »

Silent Circle offers secure voice and text communications using peer-to-peer encryption. Until recently, it also offered secure email, but shortly after we interviewed Jon Callas, the firm’s CTO and co-founder, Silent Circle followed the lead of another secure email provider, Lavabit, and shut down that service.

This was a reaction to the revelations about the NSA’s surveillance programmes, including Prism. Email, said Callas in a blog post, leaks too much through its metadata: even when the body is encrypted, the sender, recipients, subject line, timestamps and relay path travel in the clear, which makes it very difficult to maintain privacy. Its voice and text services, however, are relatively immune to FISA court orders and government snooping because the keys live only on the endpoints and no message content is kept on the company’s servers. If you receive a warrant demanding everything you hold, and you hold nothing, compliance is easy.
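Callas’s point about metadata can be made concrete. What follows is an added example, not code from this page, from Silent Circle or from Callas: it parses a constructed PGP/MIME message (RFC 3156 structure with a placeholder instead of real ciphertext; the addresses, hostnames and RFC 5737 documentation IP ranges are all invented here) using Python’s standard email module, and lists what a relay, a mailbox provider or a warrant recipient can still read without holding a single key.

```python
"""Added example: what a mail server still sees when the body is PGP/MIME-encrypted.

The message below is constructed for this illustration; the armoured block is a
placeholder, not real OpenPGP ciphertext. The envelope follows RFC 3156.
"""
import re
from email import message_from_bytes, policy

# Constructed sample (not a captured message). Two Received: lines record the
# relay path; the multipart/encrypted structure is standard PGP/MIME.
SAMPLE_MESSAGE = b"""\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTPS; Thu, 8 Aug 2013 14:02:11 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.org with ESMTPSA; Thu, 8 Aug 2013 14:02:05 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: Carol <carol@example.com>
Subject: Q3 board minutes - draft
Date: Thu, 8 Aug 2013 14:02:03 +0000
Message-ID: <20130808140203.1234@example.org>
In-Reply-To: <20130807093000.5678@example.net>
User-Agent: Thunderbird/17.0.8 with Enigmail
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA1BsYWNlaG9sZGVyAQf-placeholder-ciphertext-not-real
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

# Header fields readable by every relay, the mailbox provider and anyone who
# serves them a warrant. Subject is listed deliberately: RFC 3156 leaves it
# outside the encrypted part.
CLEARTEXT_FIELDS = ("From", "To", "Cc", "Subject", "Date", "Message-ID",
                    "In-Reply-To", "User-Agent")

_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def cleartext_metadata(raw: bytes) -> dict:
    """Return the metadata a server can read without any key material."""
    msg = message_from_bytes(raw, policy=policy.default)
    visible = {name: str(msg[name]) for name in CLEARTEXT_FIELDS if msg[name]}
    # Each Received: line records one hop, so route and timing leak as well.
    visible["Received"] = [str(h) for h in msg.get_all("Received", [])]
    # Even the size of the ciphertext is observable.
    visible["size"] = len(raw)
    return visible


def relay_hops(raw: bytes) -> list:
    """IP addresses in the Received: trail, most recent hop first, deduplicated."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        for ip in _IP_IN_BRACKETS.findall(str(header)):
            if ip not in hops:
                hops.append(ip)
    return hops


def is_pgp_mime_encrypted(raw: bytes) -> bool:
    """True when the body is RFC 3156 PGP/MIME, the only opaque part of the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def conversation_graph(raw: bytes) -> dict:
    """Who talks to whom, and which thread: the social graph body encryption does not hide."""
    msg = message_from_bytes(raw, policy=policy.default)
    participants = [a.addr_spec for field in ("From", "To", "Cc")
                    if msg[field] for a in msg[field].addresses]
    return {"participants": participants,
            "replies_to": str(msg["In-Reply-To"]) if msg["In-Reply-To"] else None}


if __name__ == "__main__":
    assert is_pgp_mime_encrypted(SAMPLE_MESSAGE)
    for key, value in cleartext_metadata(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
    print("relay hops:", relay_hops(SAMPLE_MESSAGE))
    print("graph:", conversation_graph(SAMPLE_MESSAGE))
```

Run it and the only field the server cannot read is the body. Sender, recipients, subject, timing, the thread a message belongs to, the client software, the message size and the IP addresses of every hop are all recoverable from the envelope, which is exactly the material a metadata-focused warrant would ask for and exactly what a provider that holds mailboxes cannot avoid retaining.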

In this interview, Callas explains that everyone has a need for privacy at some point in their day-to-day business, and we all use encryption at some point, even if it’s just an HTTPS connection. And data privacy laws and various security regulations either mandate or strongly advise the use of encryption.

But is encryption still under-used? Callas believes part of the problem lies in usability. The ‘network effect problem’ means that some encryption technologies only become useful once they are the norm, and reaching that point can be tricky. And many people simply aren’t interested: even after the Prism revelations, a large share of users don’t care about privacy or security. So what would it take to change their minds?

Meanwhile, are people doing mobile security wrong? Seth Hallem of Mobile Helix thinks they are. They simply aren’t asking the right question, which is: what are you trying to protect? Hallem believes it shouldn’t be the device.

If you look at the laptop world and the heavy software stack used to provide a defence that is often still inadequate, that approach is just not going to translate to smartphones and tablets, he says. It’s not only that the hardware and software aren’t up to it: these devices are used differently and present different problems. So you need to focus on the data and the user and build a security model around them.

Encryption has an important role to play, but it’s tightly bound to the concept of user identity. Basically, it comes down to authentication, authorisation and data protection. And while this doesn’t call for a radical change in infrastructure, it might require a change in thinking.

Hallem says that we should stop thinking about some intermediary, such as anti-virus, that transparently tries to intervene. Instead, we need to think about the apps that you deploy and ensure that they secure the data by default. If the protection is in the app, you don’t have to worry about the device.

Security built around identity and encryption is a good model for all platforms, not just mobile devices, and it could become the up-and-coming model for security generally.

