
Information Security: Why You Need It & How to Get It

(Paul Rosenberg, Interviewed by Louis James, Editor, International Speculator)

L: We are talking today with one of Doug Casey's favorite cryptology technologists, a once-shadowy figure named… um… I'm never sure with cypherpunk types. What name can we use? We're on the record here.

Paul: [Laughs] Paul Rosenberg is fine, Lobo. We won't be breaking any laws today.

L: All right then. Paul Rosenberg. Paul is a longtime friend of Doug's and the author of… well… is there anything you'd care to admit to being the author of?

Paul: I'll go on the record and say that I'm the author of A Lodging of Wayfaring Men and a bunch of other books as well.

L: That's a book Doug has commented on favorably and recommended a number of times. It's full of interesting ideas, with perhaps those on information privacy – and private commerce – being among the most discussed. Paul's company also publishes the annual Electronic Police State rankings. In related news, there's been a lot of commentary – we've mentioned it in Casey's Daily Dispatch – about the school district in Pennsylvania that spied on its students in their homes via the cameras in the computers they gave the kids.

Paul: Yeah. Pretty horrifying.

L: Horrifying, but it seems a lot of people are blasé about it. We were talking earlier about how, in my rabble-rousing days before joining the respectable Casey Research team, I was hip to Internet security, I was trying to encourage everybody to use PGP, or at least Hushmail, and trying to get people to secure their communications – to use virtual envelopes rather than postcards for their online communication.

It was like pulling teeth to get anyone to even consider it, and nowadays it seems like even fewer people have a clue, let alone care about this issue. Here we have this slap-in-the-face example of exactly why people should take electronic privacy seriously, but people are more interested in whether or not Sarah Palin's daughter will get married.

What do you think? Do people care? Enough?

Paul: Certainly not enough, but more people care than you might guess. A lot of the focus is on the commercial side now. Many companies are setting up their own encrypted "tubes," for lack of a better word, between themselves and their clients, and between themselves and their employees. Commercial espionage is a huge, huge field – lots of important designs, sales plans, and documents are stolen all the time. These are extremely valuable assets.

A lot of doctors, lawyers, accountants, and investment people are starting to wake up to the fact that they're handling important, valuable information of their own and other people's, and that they need to protect it. It's hard for me to say how many individuals "get" that their information is being taken from them, but it's a large and growing number.

L: There's a lot of talk about identity theft these days – not so much about concerns of Big Brother, which we can come back to later. Identity theft does seem to be in the news a lot – is this threat what might finally wake the average Joe or Josephine up?

Paul: I doubt it, not until it happens to them. Average folks might be more likely to learn about it through their employers, as companies move more and more to secure their data.

L: We've probably already gone over most of our readers' heads, so let's pause and go over some basics. What kind of problems could the average person face who hasn't taken any steps to secure his or her information? And how big is the problem – is it rare like a lightning strike or more common? Should the average guy or gal worry about this?

Paul: First of all, people's information is being gathered without their knowledge or consent every single day. Every email you send, personal information on you is being gathered. Every time you visit a web site, you reveal your IP address, which can be tied to you very easily.

L: And you're not just talking about governments…

Paul: Right. There are people who grab this sort of information, and they sell it. That makes it easy to build a dossier on somebody; a file listing exactly what web sites they go to, how long they spend there, where they go next, and whom they relate to.

L: Who does this?

Paul: Your emails are saved a number of ways by a number of parties. Certainly, Google and Yahoo and all such services save emails. They save drafts, not just emails – the systems save automatically every two minutes or so, and they save everything. Once they've got it, they keep it.

L: And those guys can be hacked – or subpoenaed, which is just a legalistic hack. But can anyone really use such a chaotic mish-mash of data?

Paul: Yes and Yes. It used to be that people would think in terms of word searches – people might worry, for example, about including the word "bomb" in an email. But the searchers are way beyond that. They have programs that can read the context of what you're saying.

L: I didn't know that – so much for being able to hide in the massive volume of global communications.

Paul: Hiding in the open was never a very secure strategy. But now they can keep track of what you're saying and whom you're communicating with. They can see how often you communicate with them, and whom they're communicating with – two, three, and four layers deep – and this is going on every single day. And these people are selling it to other people.

L: Let's be clear here. I can imagine Google selling demographic information on users to advertisers, or at least the ability to target certain groups of users without giving the data away. But I can't see them selling dossiers on whom their Gmail users are communicating with. Do you mean that third parties collect this same information as it flows by on the Internet?

Paul: I do. There are large markets, not only in raw data but in refined data. Much of it is fully legal.

L: Can you give us an example?

Paul: Sure. A friend of mine was online with one of the big stock brokers – a well-known company I won't name – to change an address or something like that. They required my friend to fill in a security page. The page asked, "Is your brother's name so-and-so and is his address such-and-such?" The guy ignored the question and clicked through. Then it asked, "Does your family come from such-and-such a place, and were you raised at such an address in such a year, and then you bought a house at this place at such a time?"

My friend was shocked and called their office. "I never gave you that information," he said, "what is this?" Their reply was: "We got it all from public sources. Nothing's illegal about what we're doing; we're just keeping you safe by trying to verify your identity."

This kind of information is being bought and sold every day, all over the world.

L: By whom?

Paul: All the governments, for starters, which is really, really dangerous. There are private parties as well, ranging from companies like Google and Yahoo, to Eastern gangsters. The hackers gather information and send it to data refineries that in turn link it to other data sets, and sell that to the guys who steal identities and seize bank accounts, and other things like that. It's a big, big deal.

L: I can see this happening, but is it really possible for this to be happening to everybody? How could anybody possibly have computers big enough to store that much information on all the hundreds of millions of people online all around the world?

Paul: Well, I'm sorry to say that it's not that hard anymore. It's certainly out of range for you and me, but if you run an intel bureau for any medium-sized nation-state, it's not that hard. For two or three billion dollars a year, you can surveil just about everything on the Internet. You need an intelligence network in place that can place sensors in key spots. Gathering the data is not that hard. The issue now is searching the data and analyzing it – taking this fire hose of data and finding important bits in it that you need. That's still a problem, but with computer technology increasing according to Moore's Law, it's getting easier all the time.

L: When this threat first came up, it seemed to me that there was no way a federal bureau of information processors could keep up with all the seventeen-year-olds in the world who are constantly creating runarounds and hacks for things. But it sounds like I was being too optimistic.

Paul: I'm sorry to tell you that I think you were.

L: I don't know if you can answer this, but is there anybody out there selling packages of fake identities? Not stolen ones, but, for example, a computer with a pre-installed history of cookies and addresses that have been browsed, etc. – something that gives you a virtual history like what we might guess Mother Teresa would have generated.

Paul: I'm not aware of it happening, but it has been talked about. People have talked about buying computers, using them for a while, and just trading them among themselves every few months.

L: Hm. All this data gathering and compiling, and making use of people's information – it all relies on people being ignorant about the process and not doing anything about it. If lots of people start spoofing the system, or misdirecting it, or hiding from it, then the whole problem comes into question.

Paul: Right. But the system can survive as it is, even with a lot of people choosing to evade it, shall we say. The system can still go on, it'll just be missing more and more people. They won't stop. Data theft is a gigantic business. According to some fairly good estimates, the whole industry made more profit than illegal drugs last year.

L: Wow!

Paul: I can't verify those numbers, but it was a pretty good organization that did the research; and the numbers seem solid.

L: How often does a person suddenly find their credit cards all maxed out, their identity and banking info being used by somebody else, and such? Is it one in a thousand, one in a million?

Paul: I don't have proper numbers, but it's way more than one in a thousand. It's more like one in a hundred. It's often small – somebody gets a credit card number and a couple of charges show up on your statement. You notice it, you call, and eventually it gets straightened out. It isn't always the full, flaming identity theft.

Sometimes they'll take over a bank account, which they'll use for laundering money. They take over an account and send it money, then send it to another, and another. Eventually they take it out on the other end via Western Union.

L: So, it's happening pretty frequently. And even if you haven't been hit directly, you should be concerned because, at the very least, your and everybody else's privacy is being violated. Odds are, every single person reading this interview has information being collected on them, and being passed around.

Paul: No question. It happens everywhere, every day.

L: What can the average person do, then? I remember when I was trying to get people to use PGP encryption software. They had to figure out how to use the software, and even though it was pretty intuitive (and got more so over time), nobody wanted to bother. Even if it was just one click integrated into their existing email client, it was too much. They didn't want to have to take a single extra step. How do we deal with that?

Paul: There are actually two sides to that. One is that it's always easiest to do nothing. If people don't care about their most intimate communications, then there's not much you can do to change that. I think a lot of people really don't want to know, because life is so complex already and there are so many things going wrong in the world. Maybe they are out of work. Maybe their brother is sick. Politics chatters 24/7 on the TV, and it's very confusing – always another emergency. There's just too much, and people don't want to add more to it.

L: Yes… And this is a huge problem. It's not just the neighbor's tree growing over the property line; it's a serious, potentially life-altering threat. And worse, it doesn't have a simple solution – press this button and it's taken care of. Who wants to take on the gargantuan task of protecting all this technology most people don't really understand to begin with? Your hard drive, your email, your Internet browsing history, and more – it's just overwhelming.

Paul: Yes, it is. There are people who are working on it, though. We have a service called Cryptohippie. It's pretty easy and provides really, really good protection. My partner is one of the top computer security guys in the world. It requires 15-20 minutes to set up. It's harder than doing nothing, but it's not that bad. A few minutes to set up, $275 a year, and then you can relax.

L: I looked at your web site, and it seemed the focus was on businesses; is there a service for individuals too?

Paul: Our main product is called Road Warrior. It's something any individual can install on his or her computer. Whenever that machine is connected to us, you're protected.

L: What does that mean? Does it route communications securely, or does it do anything to what's on your hard drive?

Paul: We protect traffic. Having a firewall on your computer is also good, and everyone should have one. There's a really good – and free – way to protect your hard drive called TrueCrypt. It'll take about half an hour to 45 minutes to install it, but once you do, you can very easily protect your hard drive. That leaves your traffic, the thing we protect.

And it's important because even if you secure your machine, every time you send an email, information is leaving your machine. The smart thieves just pick up the data that's in transit – that's much easier and cheaper than breaking into your hardware.

What we do to protect that data is set up an encrypted connection from very deep in the guts of your machine to our network. Once in our network, we have, for lack of a better word, a "mixmaster" for data, and then it comes out the far side of our network with the telltale information entirely removed. Our system is jurisdictionally aware, which means that if you are in the United States, for example, you won't go into our network in the U.S. – you'll enter in Canada, or Panama, or somewhere else, and come out from a third jurisdiction. It breaks the chain that can lead back to you.

L: So, between my computer and, say, your Canadian entry point, it can't be intercepted? The message is still going to need to have my email address on it, so the recipient can hit reply and get back to me.

Paul: That's pretty well solved. The connection between us and you is a very highly encrypted connection. Let's say your ISP – Verizon, AT&T, whoever it might be – they can see that bits are going back and forth between you and the front door of our network, but they have no clue what they are. It's just a fast stream of gibberish. Is it email? They don't know. Is it web surfing? No one knows. Is it an FTP upload? No one knows – not even us.

L: And on the other end? It still has to have my return address, if nothing else.

Paul: We have a setup for email that's included with all the accounts; it strips the headers. So your email address is visible, but the route back to where you are stops at our network.

L: Okay. What about the content? Do you do anything about the content, or do you encourage people to use PGP or GPG or something like that?

Paul: Well, we obviously can't encrypt the last link of an email, or the recipient won't be able to read it. There are two ways to handle that. One, if the other person is also a member of our system, the email never leaves our system; the communication is thoroughly encrypted between you and the recipient. The other way is to use an encryption program like PGP. GPG is a free version. Both are excellent programs that work really well. And they're not that hard to use. It's like anything with a computer – you need to pour yourself a cup of tea and sit down for about 20 minutes and get it set up. But then you're done, and all it'll take is just a few clicks to use it. And we highly recommend that people do.

L: What would you say to users who are concerned that they may secure their traffic via a service like yours, but still be vulnerable when they shop online and enter sensitive info, or have credit checks, etc.? Is there any point in communicating securely with an insecure world?

Paul: At password-protected sites, you consciously disclose certain data for certain purposes. So long as you know what data you have shared, you are able to mitigate the risk. It is where everything you do or say is available who-knows-where that you lose all control. That said, there is no perfect security. The answer is to protect what you can, as best you can. And thankfully, you can protect a great deal. Throwing up your hands pretty much guarantees that you get creamed, sooner or later.

L: But don't the phishing experts concentrate on sites that collect such data? What fraction of Black Hat efforts would you say focus on such attacks, vs. the stream of data you secure?

Paul: I can't put figures on it, but I'd say attacks were the old model, and mass surveillance is the new model. Both exist and will continue to exist.

L: Okay, but to be fair, are there any other online anonymity services people might want to consider? You obviously aren't going to think they are as good as yours, but are there any that at least aren't known to be data-collection points for Russian hackers, the IRS, or other thieves?

Paul: [Laughs] That's a hard question. There are many that are not known to be black hats, but that doesn't mean they aren't. There are several quality outfits, best I can tell. Anonymizer is one. There's one called Net Privacy, I think, and several others that don't seem to be crooks. I don't think their level of protection is up to ours, but I've never heard anything bad about them.

L: This brings us to the question of trust. I know you – or at least I think I know you. Why should anybody else trust you?

Paul: There are actually a couple of reasons. First, we do have a track record in this business. People like you and Doug know who we are and think of us as reliable human beings. Second, our organization is set up so that you don't really have to trust us all that much. We don't keep all of your data in any one place.

Cryptohippie isn't just one firm, it's several firms. One company operates the network, and they do not have any customer information – never. The other company is the sales company; and they have the basic customer information, such as contact and billing information. But the network never gets that.

So let's say that one of us gets tossed in jail, and we're ordered to give all the information "or else." It won't do the Bad Guys any good, as it takes three different people to decrypt critical information in our system, and each of them is far away on a separate continent. All the primary people are scattered on different continents. I suppose anything's possible, but it'd be pretty tough to get any information out of us.

L: Is your setup transparent to cypherpunks and others who can independently verify it? What you're saying sounds good to me, but I'm not a programmer; I can't tell if what you're telling me is true or is just a sales pitch that some government agent told you to tell me.

Paul: If we had somebody who was a real serious security guy – a guy like Bruce Schneier or similar well-known security expert – call us up and ask to look at our systems, we'd let him look at everything. That would not be a problem to us.

L: Fair enough: I guess you can't just put the software out there, because then you'd just create your own competition. But what about Big Brother? When governments turn bad, even good people have reason to fear. Is your system government-proof?

Paul: It's almost government-proof. There are certain really expensive, really hard attacks that are able to trace somebody, but it costs so many millions of dollars that it isn't going to be used against anybody except the single most valuable targets to them. It's simply not feasible to put that much effort into tracking everyone, or even lots of people.

L: Let's clarify that – you mean it costs millions to track a single person's emails when they use privacy systems like yours?

Paul: Right. To track a single person who would be protected by a system like ours – thankfully we're unaware of having any serious bad guys in our system, and we sure don't want 'em – it'd be very, very difficult for them. They'd have to do some real exotic technical stuff, they'd need a worldwide surveillance network, and lots of computer power.

L: If that's true, then in this environment in which the government has everybody scared about money laundering and terrorism and all the wars they're engaged in, how is it that they allow a service like yours to exist?

Paul: What we're doing is not illegal, and they haven't bothered us. I suppose if we grew to millions of subscribers that might change, but so far, what we do is entirely legal.

L: So far. I suppose that if systems like yours grew large enough to be perceived as a threat by governments around the world, they might coordinate and try to round you all up and break into the system – but that'd be a huge undertaking and would require the cooperation of some governments that don't get along that well. Not likely anytime soon. And even if it did happen, the system would still keep information out of the hands of private-sector Bad Guys.

Paul: Agreed.

L: Well, I have to say that I'm a little uncomfortable with the way this interview has shaped up a bit like an infomercial. But this is an important topic, and Doug and I knew you knew more about it than either of us, so here we are. Let me go on the record saying that we have no business relationship with Paul or Cryptohippie, and that if any readers want to buy his service, we won't get a penny from the sale.

At any rate, thanks for your time, Paul – it's been a very sobering but important talk.

Paul: My pleasure.

----

In addition to being a well-known speculator in real estate and natural resources, Doug Casey is a technophile of the first order. He keeps track of important trends in the technology sector, always with an eye towards investment, and has hired one of the best, most well-rounded "geeks" in the sector to head up our tech service, Casey's Extraordinary Technology. Alex Daley, former software exec who made a killing by investing in Google at its IPO, is now advising Casey subscribers on the best investments in cutting-edge technologies.


Information contained is obtained from sources believed to be reliable, but its accuracy cannot be guaranteed. The information is not intended to constitute individual investment advice and is not designed to meet your personal financial situation. The opinions expressed are those of the publisher and are subject to change without notice. The information in such publications may become outdated and there is no obligation to update any such information.

Doug Casey, Casey Research, LLC, Casey Early Opportunity Resource Fund, LLC and other entities in which he has an interest, employees, officers, family, and associates may from time to time have positions in the securities or commodities covered in this publication. Corporate policies are in effect that attempt to avoid potential conflicts of interest and resolve conflicts of interest that do arise in a timely fashion.