The Power of Passwords

Encryption technology has just become a political battleground. It should have been obvious that, like powerful weapons, it can be used to do bad as well as good.

Here is the stark reality of this technology. One of the two radical Islamic terrorists in the Garland, Texas incident, who attempted to massacre participants at a “Draw Mohammed Contest” (and who were not known terrorists then) communicated with another, known terrorist using encrypted messages. As part of its criminal investigation after the fact, the FBI wanted to read those messages. A federal judge allowed the FBI to retrieve these messages, but because of encryption, such order by the judge was meaningless. The FBI could not read the encrypted messages. Even the NSA, with all their computing capability, could not read the messages. Neither could the company that built the phone used by the terrorists. In fact, not even the programmer or chip designer himself, who built the encryption program or chip, can read the messages. NO ONE could read the messages except the two terrorists who exchanged the encrypted messages.

Why? Because modern encryption is designed to be so: unintelligible except to individuals who have the decoding key. That key, that password, if kept secret and known only to you, grants you enough power that not even the most powerful country in the world can take from you. May be in the future we can invent a computer powerful enough to crack your password, but for now it’s practically impossible.

The downside is that this thing, this encryption technology that grants you such power, is also available to terrorists.

The only chance that the FBI can read encrypted messages exchanged among terrorists is to somehow obtain the password or key used to encrypt such messages. People often make the mistake of writing passwords somewhere, may be in a note app, because difficult passwords (by definition) are difficult to remember. Terrorists can make this mistake also. If I were an FBI agent given the task of deciphering the messages, the first thing I am going to do is look for any password in the notes files stored in the smart phones used to encrypt and transmit the messages. May be such password was not used directly to encrypt the messages; it could be a shorter password used to the encrypt or hide a longer key or password, but the point is that any password found in the notes files or other kinds of files written by any terrorist should be useful.

We are all scared because what happened in San Bernardino is just too close to home. Politicians are fooling us by implying that the government can “work with” technology companies to prevent terrorists from encrypting their messages. The are implying that this technology, which you and I use whenever we sign-in to our bank accounts using the internet, can be kept away from terrorists. Here is the bad news: the Apples and Microsofts and Facebooks of the world cannot do it. How can they determine who, among their billions of users, are terrorists? Even the government cannot determine beforehand who the bad guys are, how can we expect high tech companies to be able to do it? There is nothing in a terrorist’s account that would indicate that he is a terrorist, unless it’s a Facebook account and he announces his intentions or allegiance to ISIS.

When modern encryption technology was just being standardized, there were certain camps who wanted to add a second decoding key to any encrypted message, kind of a “god key”. So called because whoever has this key can decipher any message. In practice, of course, each encrypted message can have a unique god key. Before internal use, such key can be produced by the encrypting machine itself (in addition to the user key), according to some algorithm, and the idea was to give the capability only to the authorities to know this algorithm. The idea eventually did not win out because it introduced more problems than it solved. Chief among these problems was the question: what if the algorithm was leaked? Then the whole encryption scheme would be “open” and useless.

The public needs to understand that modern encryption standards are designed to be almost impossible to decipher by anybody except the individual who  encrypts and sends a message, or by the intended recipient who can read such message (using their respective passwords). Encryption is a powerful weapon; and, just like any other weapon, it is available to both ordinary citizens and terrorists alike. Powerful weapons in the hands of bad guys make it very difficult to fight them, and there’s no magic bullet that can keep these away from the hands of terrorists. We just have to fight more intelligently because these days, what appears to be asymmetric warfare may not be so.


About ctapang

I am a Software Design Engineer. I have just abandoned the huge army organized to make .Net programming the one dominant programming system. I now program in Typescript which (surprise) is also from Microsoft. Aside from my day job as a programmer, I am also involved in a movement ( to correct the Philippine constitution. It's an ambitious undertaking in itself, and there's no guarantee that improving our constitution will improve things. However, one thing is certain: if we don't establish a rational constitution, we will continue on our path of self-destruction. What kind of government is best? For me the best government is that which governs the least. We need the government not because it can provide for us but because it keeps us from running into each other. The proper function of government is that of a traffic light: it prevents us from bumping each other, but it does not tell us where to go.
This entry was posted in Uncategorized. Bookmark the permalink.

One Response to The Power of Passwords

  1. ctapang says:

    This gives us a new perspective on the dictum that “knowledge is power”: only you can know your password unless you disclose it. Knowledge of your password is sealed in your brain, unless you make it known to somebody else. That’s why tech companies like Microsoft has this number one rule for individuals who gain access to their systems: do not disclose your password to anybody, not even your loved ones. I follow the same rule for my kids: they cannot share their passwords with anybody, not even with their own parents. Their password gives them a lot of responsibility with regards to their own person, an area that not even their parents can take over. This does not mean, of course, that I cannot monitor them. I use Microsoft’s parental control infrastructure to monitor my under-aged kids.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s