Cutting Edge Computing

Cybersecurity, Past and Future June 23, 2021

I just returned from helping drop off my grandnephew at Space Camp in Huntsville, Alabama, where he is taking a weeklong camp in cybersecurity.  Before dropping him off, I asked him if he knew what SQL injection and buffer overruns were.  He didn’t, but he’s only twelve, and I hope he does before returning at the end of the week.

This got me thinking about cybersecurity in general, and what seems to have become a backwater in encryption in particular.  I’m going to start with the Clipper chip, a hardware integrated circuit promoted by the US government, that provided for a secret encryption algorithm with a backdoor for the government to access encrypted communications.  This chip, announced in 1993, was found to have at least one security flaw, and because the US government did not or could not mandate its use, disappeared entirely later in the decade.

There was a particularly tense period in computing where it looked possible that the government would be able to impose Clipper on computer manufacturers (as well as phone manufacturers), which would have allowed the US government a back door into every single one of our systems.

I can’t count the number of problems, nor the extent of arrogance, with this approach.  First was the security flaw, which had nothing to do with the algorithm, which is secret, and everything to do with how it transmits the keys, which is simplistic enough to be hacked fairly easily.  Plus, while the government said it would never read anyone else’s mail or files without serious reason and a court order, no one believed them.  Despite the obvious use in helping to fight crime, it is ripe for government overreach and abuse.

At about the same time (1991), computer scientist and software engineer Phil Zimmerman introduced an algorithm called Pretty Good Privacy (PGP), which arguably provided a far superior encryption approach that Clipper.  Rather than attempt to profit from it, Zimmerman released it and the source code as open source, meaning that anyone could download, modify, and use it.  He let the cat out of the bag, so to speak.

The amusing thing (not for Zimmerman) was that at the time encryption technology was considered a munition by the US government.  Yes, that’s right; a weapon (it still is, although now at a higher level of encryption than PGP).  As a result, Zimmerman was hounded by the FBI, the Customs agency, and the NSA for making a controlled weapon available outside of the US.  Zimmerman was never arrested, but he was harassed mercilessly by the authorities, before that case was finally dropped.

Today, I’m not sure where encryption is in the general population.  The problem was that these approaches, known as private key/public key encryption, required users to go through multiple steps in order to decode their own documents, and to send email to others.  Using it in a phone is potentially easier, and that may be where it has found a home.  No one wants to go through those extra steps.  Clipper has been completely dead for over 20 years.

Our major issues with cybersecurity today involve hacking through more traditional attack techniques (SQL injection and buffer overruns are still popular), rather than trying to read files.  The truth be told, whatever is encrypted today is unlikely to be read by anyone soon.  The random algorithms simply take too long to crack.  And individuals aren’t going to go through the extra steps in order to encrypt and decrypt files.  While personal encryption may be an important technology, it is also an intellectual backwater.

Back to my grandnephew.  It is too early to tell whether cybersecurity will attract his attention span, but he could do worse.