Re: Pakistan to ban encryption software



sid wrote:
On 31/08/11 22:25, Norman Wells wrote:

While a VPN isn't something I use for personal things,

Exactly.

I do use it for connecting to networks such as universities and
colleges, I don't see why that information should be unencrypted
either. Should personal emails sent across academic or business
networks be public? Should corporate or academic information which
is often highly confidential be made public? Of course not, and you
are not suggesting it is,

Then why raise it?

Because what is proposed will make using VPNs a quick ticket to a
visit from the police, and not all users of VPNs are corporate office
to office. I'd say a lot of them are work-related, say for working from
home, or academic working from home. It is in Pakistan, so that does not
particularly bother me immediately, but should that idea become
popular in the EU it would bother me. If I use VPNs, I don't see why that
should invite police investigation.

No-one's saying that legitimate uses don't exist in business or academia, or that they'll be banned. What are under threat are personal communications where there is no such justification but serious abuse.

Try doing some packet capture in promiscuous mode on a medium-sized
network you have access to (and of course, permission to packet
capture, which is illegal without said permission). Email logins,
passwords, the content of the email itself, all quite easy to
capture and reconstruct. You are relying on everyone with access to
any network in between the sender and the receiver being honest and
technically illiterate.

No you're not. It's not like a letter, which can be stolen and
opened at any point. Email is divided and sent in many different
packets.

Right, and when you have enough packets you can reassemble them, with
a few clicks, actually 2 clicks last time I used some packet capture
software, which was about a week ago.

There's always a criminal element around. But the point remains that general email is at least as secure as a letter, and that greater security than that is not generally warranted.

Look, I'm not arguing that commercial transactions and communications
shouldn't be secured, just that private individuals in the normal
course of events have no legitimate need to use encryption, so there
is little to be lost if they're not allowed to. If there are
significant advantages to be gained by generally not allowing it,
it's a small price to pay.

So who decides what is the legitimate need?

It's what we elect governments for.

I'm asking again, should
all your communications be open to inspection at all times? At what
level do you think the power to inspect should cut off? How many
people and for what reason should be able to inspect it? This kind of thing is
already well regulated, for phones, post, and email as it is

Then it is sufficient. No-one's proposing anything less.

Failure to divulge encryption keys carries a penalty already, if people are
hiding something really obnoxious, they will of course not reveal the keys
for encrypted hard drives let alone emails. Making VPNs restricted
will do nothing to solve the problem of that kind of encryption.

But it will make non-disclosure punishable in its own right, hopefully to the same extent as if something serious had been kept hidden.

Sadly I think that is not so, and the
distance between sender and receiver just increases the chances of
it being read.

Nonsense.

The more servers it traverses the more points where someone malicious
can access the server or the server has some other issue, such as
being compromised deliberately in such a way that it will harvest
data.

It's still as secure as people with no criminal intent need. If it wasn't, no-one would ever use ordinary email systems.

It is nothing to do with my email personally, those
engaged in that activity capture everything they can and sift
through it later.
You may think my personal life is uninteresting, and I am sure the
intimate details of it are, but things like names, dates of birth,
places I visit, who my relatives are can all be used to build up the
required information for identity theft. It's much safer than trying
to rummage in my bin, and far more information can be gleaned.

Of course it isn't safer. It's also a lot more difficult.

It's safer for someone in Russia to collect data on me by collating it
online than it is for them to send someone around to rummage in my
bins or break into my house, obviously.

But much more difficult.

There have been cases of fake ATM machines fitted in the morning and
within hours of people using the fake machine (and the fake machine
still being in place, so the data was retrieved over wifi) the same
card details used in one of the former Soviet states. Presumably the
card details are sold in batches as quickly as possible. There is far
far less risk for the person buying those card details and using them than
coming along and stealing the card. The end buyer is not even directly
connected to the theft, so where is the risk of being caught for the
theft??

And what has that to do with VPN? It's just normal criminal behaviour.

Something as innocent as sending happy birthday email along with
some travel plans, perhaps with hotel dates.... you get the idea.

I get the idea you're paranoid, and perhaps don't understand as much
as you should.

Not at all, it's normal practice in certain jobs to avoid any such
information being given out. Even in low-grade government jobs things
like notebooks (the paper kind) are supposed to be locked in desks
when you go for a tea break. There is a reason for those precautions, I've
sat through enough lectures on data security from employers' training
programmes and academic lectures as well, to take them seriously. If
you want to call me paranoid when a lot of money is being spent
training people to think about these things and NOT treat email as secure,
then I think it's you who might not understand as much as you could.
I don't say should, because in most areas people don't need to be overly
cautious with their data, but in some areas they do, and unencrypted
email is not reliable in a lot of those cases.

Ordinary email is perfectly secure enough for individuals to use for personal communication. It's only if they have something they desperately want to hide that they turn to systems like VPN.
