Folks at Wachovia recently decided that all the confidential information they exchange with contractors and field examiners via email and the internet must be encrypted using at least 128 bit AES. Good for them! I applaud this move but then I realized that human stupidity can turn even best security practices to a mere farce.
I think that Wachovia really evaluated this problem realistically and chose the the method that was easiest to implement without forcing their contractors to spend a lot of money on software and/or training. Both 128 bit and 256 bit AES implementation is built into WinZip. That of course means you need to buy WinZip at the $20 a pop, but surprisingly enough most businesses do. It always amazes me that the company forces us to install WinZip on new machines despite the fact XP has a built in zip file support. At least we now have a reason why to use it. :P
It’s a good policy, but there is a problem here:
Hey, here is the file you requested. I encrypted it with winzip like you asked. I set the password to be “password”. In case you can’t open this file, I’m also attaching the original word document.
This, ladies and gentlemen is why the suicide rate among IT professionals is so high. Also, this is why you should be terrified when someone asks you to give them your personal information. Think about it – that at some point your social security number, address and credit record will be handled by this guy above. There is no way around it. A person like that works at almost every company – even yours. Dangerous information handling practices are commonplace, and data leaks are imminent. It scares the living shit out of me, but there is not much I can do about this. Or rather I can only try to improve security practices at my company, and hope others will do the same (they wont).
There are two ways you can handle encryption. The easy way is via symmetric encryption like AES which requires little or no infrastructure or forethought. To send data between Bob and Alice they both simply need the encryption/decryption software and the key in a form of a pass phrase that can be exchanged over the phone for example. Of course exchanging pass phrases for each document is a pain in the ass, so Bob and Alice will likely use the same one for all their correspondence. Since Alice will need to share this data with her coworkers, they will probably all use the same password for all correspondence with just about everyone. So whether they are working with Bob, or Eve or someone else they will use the very same common password.
What is that password? You have 3 guesses!
The password naturally is Alice’s company name written as one word in lowercase. If Alice’s boss is especially security conscious it will be the company name followed by a single number. And no, I’m not making this up. I actually seen this happen. Given a choice, lusers will pick a password that is easiest to remember or figure out, and by that virtue the least secure. This is the huge problem with symmetric encryption. You can educate the users, you can beat them up, threaten them or reason with them. But when you are not looking they will invent new clever ways to circumvent company security policies – or at least make them ineffective. And it’s not like it is some kind of secretive “fool the sysadmin” club. That would actually be cool – that I would respect. But no, this is just like an impenetrable wall of stupidity that shields them from common sense and reason.
The alternative of course is asymmetric encryption which removes the password choice from the equation. But it has it’s own limitations – namely, it is a pain in the ass to implement, deploy and train your stuff. Optimistically speaking I think we can get somewhere within 50-60% of our staff trained to use the winzip AES properly within a few months if we get a go-ahead for rapid forceful insertion of knowledge into the cranial cavity using blunt tolls. It would be faster if I was training orangutans for example, because they are not inherently afraid of technology. Humans unfortunately are – they seem to consider it a mysterious mystical force that cannot be comprehended by anyone sans a super-intelligent and yet socially inept nerds. Learning technology is naturally out of the question. Not only is it not possible to understand this stuff without the born-in nerd gene, but forcing that knowledge upon you apparently can cause severe brain damage.
So you can clearly see why blunt tools are necessary. We need to convince them that the brain damage will take place either way. Learning simply hurts less.
But public key encryption is such a foreign and incomprehensible subject. It’s like a high level arcane magic. Hell, for that stuff you need to have like a PHD in Jedi Mastery to even begin to understand it. When you start talking about public and private keys, exchanging and signing them, key rings and key servers you can see your user’s expression change from “LOL, they be trying to teach me magic but it wunt work” to “OMG! My head is about to explode”. By the time you are finished you can see pure fear in their eyes. Most go into catatonic for hours afterwards. Some never recover.
And of course after you spend many many hours configuring everyone’s email, generating keys and training people to use them, without fail someone will send their private key company mailing list.
Generally speaking I believe that an asymmetric public key approach is intrinsically less prone to human error (like for example choosing a weak password) but it is also more costly to implement. Costly both in man hours, as well as licensing. If you choose to go with PGP you are looking at around $200 per license. You could go with GnuPG naturally but it does not have the brand name weight, and it is slightly rougher around the edges – which ends up being a huge deal when you hand it to users who are terrified of computers as it is.
Don’t you just love it how this is a fucking never ending struggle. We really need policies like that, but the policies are half the battle. The other half is the long and painful process of IT beating the users into submission to enforce them.
[tags]encryption, aes, rant, wachovia, pgp, gnupg, cryptography[/tags]