Perhaps you are aware of this ongoing stupidity from the government. There’s no real debate, of course, just government figures ignoring the obvious. The motives may vary among themselves, but not a single one of them honestly serves your interest.
At any rate, the US government for one has been pushing for backdoors to encryption systems and software so that they can snoop at will. What they aren’t telling you is that it’s not just about snooping, but the authority to plant malware at their whim. Techies might tell you there is a difference between breaking encryption and breaking other kinds of security, but I assure you it’s all one package. The government admits to wanting a secret key that allows them to break encryption. They don’t admit to demanding the authority to plant malware, but they do it frequently enough for folks to notice and report on it. Keep your eye on encryption but never forget that the government is using this merely as a starting point for having complete access to monitor all computer activity.
But while this stupid government kvetching carries on, getting particularly loud when anything “bad” happens anywhere in the world (like the mass murders Paris), you have to know that the major private industries are complying without telling you. That is, they are going along with the government demands in secret. All this noise about resisting and trying to come up with systems to protect their customers is just noise — they are lying through their teeth. Not all of them in quite the same way at exactly the same time, but you can bet they want to keep their foot in the door on big government contracts, so they will find ways to give the government what it wants.
There is a network protocol most users don’t know about that has to do with issuing certificate numbers to certain players on the Internet. Those certificates are collected and cataloged and placed in computer operating systems and in browser packages so that when you visit a certain website, it can offer a certificate that your browser or operating system can recognize as valid. Then you can negotiate for a temporarily encrypted connected that excludes eavesdropping. That way you can do your banking, log into various other kinds of services, and feel comfortable that it will be safe and secure.
Awhile back, Lenovo caught hell from technicians because they were selling laptops with a certificate that went into the operating system itself, and it was issued by Lenovo on behalf of third party advertisers so that they could slip their ads into your browser even when it was supposed to be an encrypted connection. That’s because the ad certificate overrode the safeguards. This was darned near a criminal act.
Just recently, Dell was caught doing something equally stupid. No, it was even stupider. It took advantage of a weakness Google intentionally built into the ultimate standard of certificate security, and Google adamantly refuses to fix it. And while Dell is fixing their part of this stupid mistake, it comes with a second similar certificate blunder that Dell refuses to even talk about.
Granted, this Dell crap only works if you are running Windows, but the huge freaking doorway Google put into the certificate process itself touches everybody online. In effect, Google has created a permanent weakness so that anyone with the ability to plant a certificate on your computer can gain access to all your connected, encrypted or otherwise.
That includes every connection you might use to download stuff, like maybe even computer updates. Granted, most Open Source operating systems use a different system for protecting their updating process that doesn’t require using encryption certificates. And most Linux distributions are always discussing ways to make it even more secure, but I have zero confidence in the way Windows gets its updates. That’s where the government malware comes in. And if a frequently bumbling incompetent government agency can do it, what’s to keep other agencies from using that system?
It just keeps getting crazier.
