Where national surveillance programs are omnipresent and digital technologies are, by default, built to fail, it's not always clear what we need to know and what's overkill. I chat with Mark Kim, a graduate student of mathematics at New York University's Courant Institute of Mathematical Sciences, about his thoughts on how much cryptography an average person should know.
Dorothy Howard: Based on your background, why is it important for people to know about cybersecurity?
Mark: Cybersecurity issues are everywhere. Did you know, for example, that people can hack into your car remotely via a 3G network and mess with the brakes or the transmission? How about gaining access to all your private data on your Android phone by simply sending you an MMS message? Both of those were recent discoveries. A bit of digging will unearth a lot more issues that are just as pertinent to our lives. A slightly older example would be the CryptoLocker incident, centered around a form of malware that locks down your files with a virtually unbreakable encryption scheme and demands money in exchange for the unlocker program.
Two major issues from late July, 2015 tell this story:
1. Hackers Remotely Kill a Jeep on the Highway - With Me in It, wherein a method of hacking into a car via a 3G network and gaining access to the car's basic functions is discussed.
2. Researchers have found a new texting vulnerability in Android, wherein a method of hacking into an Android phone via a malicious MMS message (that the target user need not even open) and compromising the phone's microphone, camera, etc., is discussed.
I think that everyone should know what encryption is: cybersecurity issues are omnipresent, and contribute to significant malady for those who are targeted.
What do you think would be helpful for everyone to know about encryption?
It is important to understand what it means to protect one's privacy - just how wide the scope of "privacy" can be.
Also note that most cybersecurity issues are problems of implementation, rather than those of the theory - it is far easier to exploit unintended bugs than to research inherent weaknesses of a cryptographic system.
On the other hand, I am not sure if there is any technical detail about encryption that everyone needs to know. Consider that people with no knowledge of mechanical engineering (myself included) have been driving cars just fine for over a century.
It would be time poorly spent to talk about implementation details to those who do not play an active role in maintaining a cryptographic system.
What would you suggest we do about the dilemma that fixing major cryptographic loopholes might hinder the technologies which we rely on?
I see two major ways to answer this question:
1. The issue of "a stronger cryptosystem would be harder to deal with when it is used against us" (CryptoLocker, etc.) is absolutely unsolvable, and the only thing we can do about this is to be mindful of how security breaches can affect seemingly non-internet parts of our lives.
2. The issue of implementation failure (Jeep hacking, Android, etc.) is more fixable. A lot of these cybersecurity issues come from the companies simply not caring enough about our privacy--and our lives. So, we, as consumers, can force these companies to do a better job.
While we can't fix the basic, fundamental problem of "there will always be problems", we absolutely can, for example, demand that car companies hire security experts so that a random person can't break into our cars and kill us so easily.
Similarly, the most pertinent problem with the Android cybersecurity issue isn't that Google (who develops and maintains the Android operating system) can't fix these security issues, but that mobile service providers are notoriously bad at pushing out these updates in a timely manner - because it is in their interest not to fix old phones and drive the customers to buy new phones. Push companies and governments to fix the fixables.
Editor's note: Cryptography is yet another of the many new skills that are increasingly required to protect ourselves from the government, constituting an added digital labor where those that have the privilege (time, education, etc.) to learn security techniques are privileged in being safer. Still, rather than work ourselves to exhaustion or develop the idea that we "need to learn programming," a more sustainable and healthy path might be to first ask whether having technical knowledge would inform our lifestyle and working conditions currently, and learn what we need to know up to that point, and no more, without feeling guilty or the need to pursue opaque technologies that in the first place shouldn't be required of us.
Some further resources on cyber security that we recommend:
Safe Hub Collective's DIY Feminist Guide to Cyber Security
Wikipedia page on encryption