Well, I suppose if we are talking about Signalgate, we should talk about Signal.
Signal is, essentially, a texting program. It uses the Internet, rather than the texting channel for telephone service. At least, for the most part. You may be fairly familiar with Signal: you may use it under another name. If you use WhatsApp, WhatsApp is basically identical to Signal, with one difference.
So, if you have used WhatsApp, you know all about Signal. You know that it is primarily about text messages, and you probably know that you can use it to create groups, and send text messages to a number of people in the group. You can also use it for audio and voice calls, but most people are just using it for the texting. And, particularly, the group text chats.
(I suppose that I should mention the one difference between them. WhatsApp is owned by Meta, which is, essentially, Facebook. Therefore, it is Facebook which is managing the connection and setup of all communications done over WhatsApp. The text chats, and even the voice and video calls, are encrypted. Therefore people think that they are secure. By and large that is probably true. However, since Facebook sets up all the calls, it would, theoretically, be possible for Facebook to listen in on all WhatsApp calls and chats. Signal uses the same technologies, and even the same protocols, as WhatsApp. They are basically identical. However, whereas Facebook manages all the calls for WhatsApp, Signal allows you to choose different hubs to manage your calls. Therefore, while it would be possible for a single hub to listen in on the calls managed by that hub, no single hub would be able to listen in on all calls that are made through Signal.)
I suppose that it might be possible that this point, that simply having encryption doesn't guarantee you privacy, could be lesson 3A. It certainly is important to know what encryption does do, and what it doesn't do, and the fact that encryption has to be managed properly in order to do the things that you want it to do. But that actually isn't the lesson that I want to emphasize in this particular lesson.
No, what I want to emphasize, as lesson three, is identity. Actually, when we in security talk about access control, we talk about IAAA: that is, identification, authentication, authorization, and accountability. We will talk about authorization and accountability in later lessons. Right now I want to talk about identification, and authentication.
First of all, somebody on the Signal channel wanted to add someone else. We don't know who it was that they wanted to add. Nobody is saying much of anything, and when they do say anything, most of the time they lie, and most of the time the lies conflict with each other. So we don't have a lot of reliable information about this whole mess. But we do know that they wanted to add someone to this channel, and that they weren't careful about the actual identification of the person that they added. The person that they actually added was, in fact, a reporter that the Trump administration did not particularly like. And, of course, there was absolutely no reason in the world that the people running the chat would want to add that reporter.
As a matter of fact, when the reporter was first added to the channel, and started seeing traffic on it, the reporter thought that it was some kind of hoax. In fact, the reporter, initially, when he saw the initial messages going out on this Signal channel, felt that it was probably set up by someone in support of the administration, and was an attempt to fool the reporter into reporting on a story that was false, and then be made to look like a fool when the story was proven false.
However, as the messages went on, it looked more and more like this was, in fact, real communication, between real members of the Trump administration. Who were, in fact, discussing planned attacks on Yemen. And, so it proved to be. Information about war planes being dispatched on bombing missions was given, prior to the aircraft taking off, and was, thereafter, confirmed by military reports of the activities, after the fact.
But back to the identification. As I say, the people who added the reporter to the channel were not careful about the identification of the person that they added. Additionally, they did not take the further step, which, in terms of information and access control would be an absolute minimum necessity, of doing the authentication. This is verification, very often by something you know, or something you have, or something you are, that you are, in fact, the person that you're identification says you are.
So, neither the identification, nor the authentication, were done correctly. In fact, the authentication wasn't even done at all.
So what does this mean to you, as an ordinary person, wanting to keep yourself secure or safe? Well, the first thing to do is be careful with identification. Identification, really, never can be trusted. It is always simply asserted. I say that I am Rob. For the purposes of normal social conversation, this is probably sufficient. But, if you wanted to do any business with me, you probably would want to know that you were dealing with Robert Slade. And, indeed, since there are a great many Robert Slades in the world, you would probably want to know which Robert Slade you were dealing with.
As a matter of fact, if you wanted to do any significant business with me, you would probably want to verify, somehow, that I was, indeed, Robert Slade, and not just somebody *saying* he was Robert Slade. You would want to authenticate the fact that I was Robert Slade. If you are dealing with me over the Internet, and can't demand to see my driver's license (or something like that), then you might want to set up an account somehow with a coded username, which would be a form of identification that we might agree to, and then, every time we wanted to deal with each other, have a form of authentication. The authentication might be something that I know: for example, a password. It might be something that I have: such as the aforementioned driver's license, or possibly my cell phone number, to which you could send a text, with a pin, and then ask me to confirm what the pin was. Or we could get really fancy and have fingerprint readers, or send pictures of each other, and that would be something that we are: otherwise known as biometrics.
Authentication is the really important part. That's why those of us in information security keep on yammering on about the fact that you should choose long passwords, and strong passwords, and use a mix of upper and lowercase letters, and throw some numbers in there too, and even some punctuation marks. Making the password hard to guess means making the authentication more reliable. And, as I say, authentication is the important part.
And authentication is the part that these military geniuses Signally failed to do.
No comments:
Post a Comment