One of the things you quickly learn when you work for a data security company is that data security doesn’t work the way normal people think it does. For example, “normal people,” apparently, think that they can somehow get off the leaked Ashley Madison list, the latest data breach story du jour: Now that the hackers of Ashley Madison have released the full 9.7 gigabytes of information, some former patrons (and current victims/penitents) are searching for hackers that will scrub their info from the list. Which is crazy. And laughable. And not doable. The sitcom Newsradio explained it very well back in the late 1990s:
Like he said. It’s like getting pee out of the pool. Most people can probably appreciate the folly of even searching for a “solution” to this problem.
“once information has been sufficiently socialised and redistributed (which the Ashley Madison data has certainly been), the exposure is irretrievable”
But for those who don’t get it, and don’t understand what the above means (quote from this article), basically, it means you’re screwed because the hacked data isn’t found in a central depository
Many people have the information now: Security researchers. Journalists. Bloggers. The honestly curious. Hackers with some kind of agenda. Your girlfriend majoring in comp sci. Sure, a hacker for hire could delete your specific entry from one list. But that leaves a million other lists that are on other people’s computers.
Do you really think that a guy you’ve paid $2000 is going to be able to (and want to) track down all these founts of dismay?
It Extends to People in the Business
This lunacy of unachievable expectations, however, is not relegated to “normal” people. For example, in the course of this business, I have fielded more than a handful of inquiries where callers were looking for “NSA-proof encryption.” Such encryption exists…but also doesn’t exist.
Let me explain. As the Snowden disclosures have shown over the past couple of years, modern encryption tools like AES are definitely NSA-proof; that is, even the NSA has problems cracking particular encryption algorithms. Because of that, the NSA finds other weak points to exploit outside of encryption itself, such as the inherent weaknesses of passwords; man-in-the-middle attacks; the injection of customized malware; and other forms of procuring the data they need.
So, in this context, what exactly is “NSA-proof encryption?” This is my counter-question to the callers, and the often condescending response coming from the phone’s receiver is, “we don’t want the NSA to be able to get our data in any way or form.” As if it could mean anything else.
Now, as far as I can tell, these callers weren’t engaged in illegal activities. So, chances are that the NSA weren’t even looking to get their data. But let’s say that’s not the case. Do these callers really believe that a full disk encryption solution for their laptops will stop the NSA or any intelligence agency worth their salt from acquiring their data, especially when they have so many other tools at their disposal for extracting it? Including the possible use of physical pain?
I tell the callers that we use AES-256, that the disk encryption solution is FIPS 140-2 validated and certified, answer any questions they have, and let the chips fall where they may. If they ask pointedly whether we’re “NSA proof,”, I answer in the negative. On every single instance, I was given an unmeaning but not unfriendly thanks and never heard from them again.
The kicker: every single one of these people called in inquiring about the AlertBoot partnership program. They were people working in the data security sector. They supposedly knew about data security. They were not “normal” people. They knew better (or, at least, they should have known better).
I personally think of these instances as dodging particularly pernicious bullets. But, the observation remains that, if so-called professionals fail to understand the limits of the security tools that they use, does the general populace stand a chance? Perhaps facepalming shouldn’t be the immediate response to finding out that people are looking to extricate themselves from the Ashley Madison fiasco.
But then, the last ten years have shown us that no company or organization is immune to the ravages of hacking. If top-tier banks and security companies experience data breaches because they can only but curb attempts at stealing data, why would anyone believe that a peccadillo-peddling dot-com would succeed at stopping hackers?