Satellites Are Leaking the World’s Secrets: Calls, Texts, Military and Corporate Data

4 Likes

Security through obscurity is not a good idea

The researchers say that they’ve spent nearly the past year warning companies and agencies whose sensitive data they found exposed in satellite communications. Most of them, including T-Mobile, moved quickly to encrypt those communications and protect the data.

This is cool of T-Mobile, who I would generally expect to not really care.

It’s not cool they designed it so poorly in the first place, but technical debt is hard in big organizations like that.

“Last year, this research helped surface a vendor’s encryption issue found in a limited number of satellite backhaul transmissions from a very small number of cell sites, which was quickly fixed,” a T-Mobile spokesperson says, adding the issue was “not network-wide” and that the company has taken steps to “make sure this doesn’t happen again.”

Interesting.

Encrypt everything, all the time.

2 Likes

Amen.

I don’t understand why we’re not already there. And encryption isn’t just about confidentiality - it’s also about integrity. It’s just good practice.

7 Likes

Albeit I’m assuming this is a rhetorical statement, the reason, like most things in this privacy space, is awareness, and the awareness of the necessity of it. People don’t get why it’s important. And end up learning or living with the consequences the hard way. And then the disheartened still don’t know what exactly to do (which I think is another tragedy here).

Almost all of our comms today use some app or device, and those apps and devices are created by engineers. Encryption should be built in and enabled by default. It should be difficult for you and me (consumers) to not have encryption - at least point-to-point encryption, certainly over-the-air encryption.

I do know what you’re saying and I agree that regular people still don’t understand why encryption is crucial. But as a software engineer, this stuff angers me. There’s no excuse for any product or service made today to not have basic encryption. The algorithms are well known and free to use, including implementations you can just plug in. Hardware today is plenty fast enough, even cheap IoT hardware. NIST in fact just released specs for this.

Today, there’s just no excuse - or none that I can fathom.

2 Likes

Engineers working at companies who don’t have the right set of priorities. Sometimes, it may also be that some engineers may not possess the right skillset to prioritize and do encryption properly.

100% agreed! And yet, here we are. People and companies simply don’t have the right priorities. That’s the big “should” in your statement which is the operative word.

My bet is even engineers not realizing the full necessity of doing encryption and doing it well. Also, like I said, priorities. And especially when it is a “for profit” product and a business, customers come first only on paper. Their revenue streams are always first, however, unless your business model itself is providing privacy at a reasonable cost if you must.

Well, I certainly know from decades of experience that engineers don’t always get to set priorities. That’s always been true but getting worse today with the job market pendulum swinging in favor of layoffs and trying to replace some engineers with “AI”. And I’ve known several engineers that are just happy to get a paycheck and don’t look beyond that.

So… I’m angry and I’m arguing for the way it should be here because there’s no technical reason we can’t have encryption everywhere today. And we’ve also had enough data leakage that we should absolutely understand the harms and should therefore be addressing them immediately and decisively. But I also understand how capitalism works and that encryption still doesn’t drive revenue… which probably is the result of your first point that regular people don’t appreciate what encryption does for you, and therefore the market isn’t demanding it.

Sigh.

5 Likes

New video on the same: