Verizon: 'Don't Look at Us to Protect Your Data'
by Karl Bode 02:09PM Tuesday Oct 01 2013. Tipped by Blockfire
Verizon had been dead silent about the NSA spying revelations, and their role in it. That was until recently, when the company broke their silence to accuse companies like Google and Yahoo of "grandstanding." The problem is those companies at least tried to stand up to the government on things like PRISM and national security letter gag orders, whereas leaks suggest Verizon chose to go above and beyond what was asked of it by government, despite the program's tenuous legal footing.

Not helping Verizon's image much was Marcus Sachs, Verizon's VP of national security policy. While seemingly well-intentioned, Sachs informed attendees of a security conference last week that securing your information really isn't Verizon's problem. From Tom's Guide:
quote:
"If you're worried about it, do something about it. Take security on yourselves, and don't trust anybody else to do it. Don't look at us to protect your data. That’s on you," he told Tom's Guide at the Cyber Security Summit 2013, held on Sept. 25 in New York City. "There are services out there [that offer privacy] up to a certain point," Sachs said. "You want encrypted phone calls? There's an app for that."
While looking out for your own security is rather obvious advice, Sachs just floats over the fact that Verizon has historically made this as difficult as possible.

Self-empowerment on the privacy front has never been more difficult, as the NSA warrantlessly taps into nearly every shred of data (encrypted or not), while the FBI uses malware to attack services like Tor. But Verizon's total failure to stand up to government on any front, their sale of location data to anyone and everyone, and their fighting tooth and nail against consumer privacy protections of any kind aren't exactly what one might call helpful.


batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

1 recommendation

Google stands for privacy?

OK
andre2

join:2005-08-24
Brookline, MA

He's right, though

Well, what he says is true. In light of retroactive immunity, laws and contracts (including those with Verizon) are worthless, so end-to-end encryption is the only way to ensure privacy. Of course, it's also necessary to find all the ways the NSA has compromised said encryption, and fix those.

bigstar

@comcast.net

Re: He's right, though

said by andre2:

Well, what he says is true. In light of retroactive immunity, laws and contracts (including those with Verizon) are worthless, so end-to-end encryption is the only way to ensure privacy.

And even if you do a one off end to end encryption of your phone call, the NSA gets all the info they need to put you at the head of their list of suspicious people. And that info is the number calling and the number called.
Rakeesh

join:2011-10-30
Mesa, AZ
Reviews:
·Sprint Mobile Br..
·Cox HSI

2 edits

1 recommendation

What he says is true

Actually what he says is very good advice. Even if your ISP or whoever were to provide security or privacy services to you, how are you to know whether or not they are worth a shit? The truth is, you really can't unless you've audited it yourself, and the reality here is that cloud service providers don't give you this ability.

Likewise, Verizon is right in saying that when it comes to your personal privacy, it is really upon you to make sure that the information you want to keep private stays private. You yourself wield the greatest power over controlling the flow of where your information goes.

Look at Cox who provides "secure backup" services for example, and when you examine it with Wireshark you can see that the client software transmits your username and password in plaintext. What a joke.

Karl Bode is kind of an idiot here when he downplays the idea of encryption (I'm guessing because he fundamentally doesn't understand it) - the Verizon guy suggested an app for a secure phone call, which is actually the best way to do it. Just use a stronger cipher rather than anything PKI. It is by far more secure as a peer to peer session where both peers control the cryptography and privacy aspect rather than having a backend server handling it and then connecting the two, because if the backend server was compromised you may very well have no idea, and no CA ultimately holds any kind of certificate that can be compromised.

Encryption isn't as broken by the NSA as you might think, rather it's just PKI with root authorities that can be compromised by government mandate. If you want proof, go look at The Silk Road - several prominent politicians have demanded their heads on a platter, yet for years haven't been able to do shit to touch them, mainly because they have no idea who the hell they are. If the cryptography they use wasn't NSA proof, they'd be long gone by now.

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

Re: What he says is true

said by Rakeesh:

Encryption isn't as broken by the NSA as you might think,

The NSA doesn't have to break the encryption; they are given a back door to "protect the children". Please think of the children.
Crookshanks

join:2008-02-04
Binghamton, NY

1 recommendation

Re: What he says is true

The NSA is the organization that APPROVES encryption standards for the United States Government. I doubt they are approving ciphers used for Top Secret material with known flaws. The opinions of the tin foil hat brigade notwithstanding, one of the NSA's most important missions is to secure the communications infrastructure of the United States, primarily for the Government, but they've also lent their expertise to the private sector on multiple occasions. They've even contributed to the development of open source (SELinux) software, which benefits everyone on Planet Earth, not just American citizens/corporations.

It's well known how the Government bypasses encryption during criminal investigations, and it doesn't involve any secret backdoors. They use side channel attacks, i.e., keystroke loggers, cameras positioned to observe your keyboard, social engineering to discern the password, etc. Half of the time they don't even have to bother with that, because most people's idea of a secure password is their birthday and/or pet's name.
Rakeesh

join:2011-10-30
Mesa, AZ
If you're suggesting that common block ciphers like AES256 have a backdoor, I'm sure somebody would have found it by now. Just use something like that and you're pretty much golden.

JimThePCGuy
Formerly known as schja01.
Premium,MVM
join:2000-04-27
Morton Grove, IL

Why do they need a VP of something they don't do?

VP of national security policy?
Security isn't their problem?
I want a job like that.

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

Re: Why do they need a VP of something they don't do?

said by JimThePCGuy:

VP of national security policy?
Security isn't their problem?
I want a job like that.

quote:
Marcus Sachs is Verizon’s Vice President for National Security Policy, with responsibility for directing Verizon policy development and advocacy on issues ranging from critical asset protection to cyber security and emergency preparedness. As part of his duties, Sachs works with Congress, administration officials and the security industry on national security policies and issues. He was previously Verizon’s executive director for national security and cyber policy.

Within Verizon, Sachs assists all business units with the integration of national security policy matters into network operations, support to critical infrastructure owners and operators, and the protection of Verizon’s global corporate assets. In 2007 he was named a member of the CSIS Commission on Cyber Security for the 44th Presidency. From 2003 to 2010 he volunteered as the director of the SANS Internet Storm Center.

morbo
Complete Your Transaction

join:2002-01-22
00000
Reviews:
·Charter

Verizon can't offload responsibility for their actions

I agree that it is personal responsibility for keeping your personal data safe, but when Verizon gives all your data to spy agencies (without a warrant) it's a bit unfair to expect ordinary citizens to keep their data safe.

Verizon is not blameless in their role in spying on U.S. citizens without warrants. Verizon knew they were breaking the law but still chose to do so. Verizon took the easy route of asking for forgiveness (retroactive immunity) instead of asking for permission.

Simon707

@bell.ca

BUT

It's not our job... until we figure out we can get away with charging an extra for securing it and count it as double on your planned monthly caps and get you to buy a new modem with an extra fee for security that will support the new security and charge the websites wanting to send secure data an extra for using our network and... well, you get the idea.

Probitas

@teksavvy.com

coming soon

Secure your internetz for $10 a month. We'll encrypt everything (subject to letting the NSA in on the security so they can break it). So much for that idea....
elray

join:2000-12-16
Santa Monica, CA
Reviews:
·Time Warner Cable
·EarthLink

Works for me!

Nice to see at least Verizon is forthcoming.

VZ and ATT derive their status from the government. No matter how much bloggers and activists rally and complain, these entities have no reason nor motive to resist the government's desire to collect your data. You're barking up the wrong tree.

Accusing AT&T and friends of privacy violations on behalf of the three-letter agencies is just plain silly, since even if such charges held water long enough to get to court, the fix would be in, from the highest levels.

Your beef is with Washington; unfortunately, both the mainstream media and their amateur (per Senator Feinstein) cousins in blogosphere tie themselves in a pretzel to keep the focus on the "evil" corporations rather than dare criticize Dear Leader.

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

Re: Works for me!

said by elray:


Your beef is with Washington; unfortunately, both the mainstream media and their amateur (per Senator Feinstein) cousins in blogosphere tie themselves in a pretzel to keep the focus on the "evil" corporations rather than dare criticize Dear Leader.

But "Dear Leader" is now one of her ilk and not a word. Nothing has changed and it is business as usual.

MxxCon

join:1999-11-19
Brooklyn, NY

3 recommendations

So get the hell out of my way!

If you want me to take privacy into my own hands, STOP RELEASING LOCKED CELLPHONES!
GIVE ME FULL ACCESS TO MY PHONE'S BASEBAND WHERE I CAN ENSURE THAT YOU BASTARDS DON'T HAVE ANY BACKDOORS!
--
[Sig removed by Administrator: signature can not exceed 20GB]

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

Re: So get the hell out of my way!

said by MxxCon:

If you want me to take privacy into my own hands, STOP RELEASING LOCKED CELLPHONES!
GIVE ME FULL ACCESS TO MY PHONE'S BASEBAND WHERE I CAN ENSURE THAT YOU BASTARDS DON'T HAVE ANY BACKDOORS!

Why should/would they if people keep signing contracts to get them. Who do you want to save you from yourself?
kanstin

join:2001-05-21
Albuquerque, NM

1st amendment

Okay fine; It's not their job to protect our data. But they also should NOT be arguing to the courts that they have a 1st amendment right to GIVE user data to the government. No way can them giving user "meta-data" to the NSA be free and protected speech. That is just asinine.

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

Re: 1st amendment

said by kanstin:

Okay fine; It's not their job to protect our data. But they also should NOT be arguing to the courts that they have a 1st amendment right to GIVE user data to the government. No way can them giving user "meta-data" to the NSA be free and protected speech. That is just asinine.

What courts when; source?

MxxCon

join:1999-11-19
Brooklyn, NY

Re: 1st amendment

»www.theguardian.com/world/2013/j···rt-order
--
[Sig removed by Administrator: signature can not exceed 20GB]

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

Re: 1st amendment

That was a secret court, how do you know if Verizon fought the order or not? Where can I find a transcript of the hearing? It appears Verizon was following the law; please think of the children.
kanstin

join:2001-05-21
Albuquerque, NM
»arstechnica.com/tech-policy/2007···-speech/

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

Re: 1st amendment

A blog with no source is not a source.

That is a six-year-old blog about a seven-year-old suit against AT&T, BellSouth and Verizon. It was thrown out; Bush said they did nothing wrong as they were merely obeying orders. Qwest refused to protect the children, think of the children, and their CEO is still in jail.

Anyway, that has nothing to do with Verizon obeying a court order, the subject at hand.