Is It Really Encrypted When the Key Is Public and Automatic?

scottalanmiller

So you will ask "why would they bother to do any of this?" Good question, and the answer is actually pretty easy. There are two parts:

Firstly, sales. They want to say that they have this "insert security buzzword here" that their customers don't actually understand so they do the simplest thing that allows them to reasonable claim that they attempted to do the thing. In a casual argument, they can demonstrate that one file on the disk is "encrypted" meeting the English language usage of the word, but not the intent of it.

Secondly, obfuscation. By encrypting the core data that their customer's use, they make it extremely cumbersome for the customers to back up and use their own data making them effectively dependent on the vendor for expensive backup services and data migration services. The vendor can't legally stop the customer from owning their own data, but they can make it so hard to access it that they won't bother. It's a form of lock in. Anyone can casually extract data to hurt the customer, but the customer can't easily get their data en masse to leave the platform. So the encryption is actually an attack on the customers only, and in no way a form of protection of their data. It's purely malicious.

Dashrender

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

es and data migration services. The vendor can't legally stop the customer from owning their own data, but they can make it so

The lawyers be having a field day with this one - would reset solely on the judge or jury.

Obsolesce

False advertisement maybe at best IMO.

scottalanmiller

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

False advertisement maybe at best IMO.

At best? Isn't giving YOUR keys away to other people fall under hacking laws? It's definitely not legal for them to keep, let alone distribute, your key.

scottalanmiller

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

False advertisement maybe at best IMO.

Imagine if a company sold you a secure VPN solution. Then publicly gave away your key so that anyone could hack into your communications. That would be a crime.

flaxking

Another reason is ignorance. Thinking that's 'secure enough' without adding additional complexity to deployments.

DustinB3403

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

False advertisement maybe at best IMO.

Imagine if a company sold you a secure VPN solution. Then publicly gave away your key so that anyone could hack into your communications. That would be a crime.

You mean like NordVPN losing their private keys?

flaxking

It's a bad sign when questions about security from your clients have to go through your lawyer every time.

scottalanmiller

@DustinB3403 said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@Obsolesce said in Is It Really Encrypted When the Key Is Public and Automatic?:

False advertisement maybe at best IMO.

Imagine if a company sold you a secure VPN solution. Then publicly gave away your key so that anyone could hack into your communications. That would be a crime.

You mean like NordVPN losing their private keys?

Losing isn't the same as giving away knowingly.

scottalanmiller

@flaxking said in Is It Really Encrypted When the Key Is Public and Automatic?:

It's a bad sign when questions about security from your clients have to go through your lawyer every time.

Sadly, if their customers try to access their own data the vendor sues them. They claim that the customers don't have the right to use the public keys that they give away.

Dashrender

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@flaxking said in Is It Really Encrypted When the Key Is Public and Automatic?:

It's a bad sign when questions about security from your clients have to go through your lawyer every time.

Sadly, if their customers try to access their own data the vendor sues them. They claim that the customers don't have the right to use the public keys that they give away.

You client is running into that issue now?

and how did the vendor find out?

scottalanmiller

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

@flaxking said in Is It Really Encrypted When the Key Is Public and Automatic?:

It's a bad sign when questions about security from your clients have to go through your lawyer every time.

Sadly, if their customers try to access their own data the vendor sues them. They claim that the customers don't have the right to use the public keys that they give away.

You client is running into that issue now?

and how did the vendor find out?

We know a client that is having this issue. He posts about it. They found out because he let others know how to access their own data and exposed that the encryption wasn't unique: that they all shared a single key.

The knowledge can be used, obviously, to sue the vendor out of existence (and it ties back to EMR stuff, so while this one key isn't HIPAA related, the company is) and can be used to migrate customer data off of their platforms (the real reason that they are trying to encrypt the data - to extort the customers for migration fees.)

scottalanmiller

So in this case, while not nearly as bad as most, it's actually ransonware, right?

G I Jones

In this case would the definition of "encryption" be relevant? It's pretty vague as is. This is super fucked at any rate. I hope all the bad things in life happen to that company and only that company.

scottalanmiller

@G-I-Jones said in Is It Really Encrypted When the Key Is Public and Automatic?:

In this case would the definition of "encryption" be relevant? It's pretty vague as is. This is super fucked at any rate. I hope all the bad things in life happen to that company and only that company.

I think it does because the Fed defines encryption in all kinds of things like HIPAA.

Dashrender

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

So in this case, while not nearly as bad as most, it's actually ransonware, right?

Wouldn't that apply to any system that prevents you from extracting your data, unless you pay a fee?

scottalanmiller

@Dashrender said in Is It Really Encrypted When the Key Is Public and Automatic?:

@scottalanmiller said in Is It Really Encrypted When the Key Is Public and Automatic?:

So in this case, while not nearly as bad as most, it's actually ransonware, right?

Wouldn't that apply to any system that prevents you from extracting your data, unless you pay a fee?

If it does so by maliciously encrypting your data to their benefit, not yours, yes. Generally that's considered illegal. Hence the term "ransomware". It refers to using encryption to make you unable to access your own data so that you have to pay a ransom to get it back.

scottalanmiller

And, like a lot of ransomware, it also means that someone else has access to your data that you do not.

Kelly

In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

DustinB3403

@Kelly said in Is It Really Encrypted When the Key Is Public and Automatic?:

In the state of Colorado the law is written such that if an encryption key is obtained the data is considered compromised.

Obtained by whom? The customers, the vendors, someone else?

Does that mean if the rightful customer has the key, that they must consider their system compromised even though they should have the key?