
Background: Didn’t go to college, does some basic database stuff (seems like MS Access: mentioned macros + database management)

I: My first question is: what comes to mind when I say the word “encryption”?

The first word you said?

I: Oh, no, just what kinds of things come to mind.

Um, secretive. That is tricky. When I think of encryption, I just immediately think that it’s keeping information from any user except the end user.

I: So do you have any experience using encryption?

Not too much. There’s been a slight use of encryption, mostly just like base-64 to send full private messages to somebody else that I don’t want anybody else to see or stumble upon a chat log and be like, “Hey, what’s this?” Mostly just to send a specific message to one target.

I: If you had to define encryption or explain what it is or how it works, what would you say?

To explain encryption, I would say that it would use an algorithm that would multiply out your original message. And on the other side, it would have the exact problem to figure in to decrypt your message. So one side would multiply the letter A by 64 and the other side would divide it by 64 to decrypt it.

I: So when you think about encryption or hear that word, what kind of imagery comes to mind?

With encryption, more just alphanumeric. Just letters and numbers in what appears to be a random string. Maybe email.

I: Why would you say email? Why did that come up?

Email mostly because email uses HTTPS like in, say, Outlook. From what I understand, Hotmail encrypts my email under the HTTPS, so if there was any on my computer that would be scraping anything off my computer, it would not scrape my email.

I: That’s pretty much the questions I had on that topic.

[Diagramming exercise]

--Excerpt-- Just any encryption? I just basically have to build a cipher?

I: Entirely up to you, whatever you imagine it looks like.

I: Okay, can you explain what’s going on in that first picture?

Okay, on that one, I did a simple algorithm for it. The original, the first variable, has 4 letters attached to it. So if the original letter is “T”, that’s the first variable, it’ll add four letters, so it’ll go “U”, “V”, “W”, and end on “X”. And then every letter after that, continue to add 4 to each. The cipher is “+4” basically.

I: And how did you decide on that +4?

It’s just kind of easy, and it wasn’t a +1 like the second stick figure guy that’s coming up. I figure +4 made it look not exactly like the original message; it was enough off that you would have to know that—well, I guess you could easily work it out on your own, but—but not easily able to determine that “XLMW” is “This”.

I: Okay, yeah. So can you explain what’s going on with your stick man there?

So the stick man is kind of the same concept. The original, I used variable 1. I will say this is much harder to figure out a sequence to encode it because it’s a regular everyday object, not quite like a word. So the stick figure guy, I did the same, I did a clockwise rotation +1. So where his head would be, his arm ended up, and his left arm ended up where his left leg was.

I: So you kind of scrambled the stick man?

Yeah, but scrambled in a configurable manner so that he can be unscrambled.

I: Okay, couple questions here. First, that stick man. The end product here, where you kind of reconfigured him, do you imagine the output looks like what you have there? I can make out bits and pieces of him, but can’t quite tell what the original was?

The stick figure you can probably figure out what he originally looked like *laughs*

I: I guess I meant like a jigsaw puzzle. Is that kind of what’s happening here? Breaking it into pieces and scrambling it up?

Yeah.

I: Okay. With the message from the first part, my next question is: imagine you’re going to encrypt that same message multiple times, is the output the same each time?

What do you mean?

I: For example, you have that sentence that you’ve encrypted and added the four letters, etc. Now, imagine tomorrow, you’re going to encrypt that same message. Is it going through the same process?

Would I choose the same process?

I: Imagine that a computer is encrypting it as opposed to you doing it by hand. Do you think it comes out the same each time?

Uh, in the example I did, yes. Because it’s a static encryption. It’s just +4. It would be static, come out the same every time.

I: So it depends on that pattern that you’re using?

Yeah. Now, it would change if you made it dynamic as the day. I just didn’t want to do a really complicated one for the sake of time, but it could have been +4 and then add on the day of the month. So then each day would be dynamic. Well, for 31 days.

I: My next question is: imagine you’re—and you mentioned before sending a base-64 encoded message to a friend. So imagine a similar scenario, you want to send an encrypted message to your friend. So your friend gets this message and it’s gobbledygook, how does he know what to do with it? How does he get back the original message?

Just in that exact example? There would already be a decoder that he would know. It would be the same, backwork the multiplying factor.

I: I guess that’s my question: how does he know what he needs to do? If all you gave him was the message.

If all I gave him was a mash of numbers and letters, I would assume he wouldn’t know *laughs* Without the cipher or decryption code, you would just assume that I don’t know.

I: Sorry, I guess I’m asking a little vague here. My real question is how do you get him that cipher?

Oh, that would be established previous to sending the message. That would be “Here is the special key for me and you, here is the backwork stuff.” It’d be like “I sent you a message, wink wink, why don’t you check your email? Everything is +4.” So you’d just minus 4 essentially. I’d tell him the cipher code way ahead of time so any message we had between us, you’d have to know that it was +4. That’s the elementary version, I guess.

I: That makes sense. Now, imagine that you’re a hacker or maybe you’re the government and you’ve intercepted the message. So you have the coded version but not the cipher, you didn’t capture that part. How hard is it to recover the original message, if all you have is the coded part and not the cipher?

If you just had a pen and paper, that would take years *laughs* If you had even a regular computer, that would probably still take years. But if you had like a quantum computer, that could maybe take seconds. That would depend on what you were using to decipher the message.

I: Okay, so imagine the NSA has the message. Whatever you imagine their capabilities to be, how hard do you think it would be for them?

Probably not hard at all. I imagine they have quantum computing, so I assume they’d be able to figure that out fairly quickly. It’s kind of like WWII with them cracking the dynamic ciphers for the cipher typewriters.

I: You’re talking about Enigma?

Yep.

I: Okay, great. So let’s move on to the next part of the interview. We’ve been talking about what encryption is and how it works, now I want to talk about how encryption gets used. Do you think encryption plays any role in your daily life?

Yes, definitely. Email. Anything with HTTPS, so pretty much most of the web, especially with Chrome. Most passwords, there’s encryption for it, like 2-step verification. LastPass, they encrypt it to where they don’t even know your password, they don’t give themselves the encryption key.

I: Okay, few things there, you brought up a bunch. One, you mention LastPass and an “encryption key”. So what is an encryption key?

An encryption key is kind of like a cipher, it’s the solution to what you multiplied out by. It’s either like 128 or 256 encryption. The solution for whatever the gobbledygook if somebody were to look in their files or if they were to look in the files, they’d see the gobbledygook. But they’re not storing your solution to make the gobbledygook into regular English or whatever language you’ve typed in.

I: So what form do you think a key is? Is it a list of operations? A list of numbers? What is it?

From what I understand about it, some of it is multiplying primes, and I guess that’s why they gave out cash awards to people who find new prime numbers for encryption.

I: You mentioned HTTPS, and you also mentioned that at the beginning. Can you explain what role you think encryption plays in HTTPS?

I think it’s somewhat similar in that it’s taking your ordinary code—when you’re visiting an ordinary and you’re seeing the raw source code—it’s taking the same as what a password would do and doing the same over the entire field submitted. Where your email and password would be getting the same treatment as what LastPass would be doing to your stored password.

I: So the fields being transmitted or the website itself? What exactly is being encrypted?

I’m not the absolute expert on that. I would assume it would just be the blank fields so that way it would save resources. ‘Cuz anybody can use the website so it’s not like that needs to be protected; that’s public. So I assume it would just be the form fields being submitted to the server.

I: Okay, yeah, that makes a lot of sense. Another question: you mentioned two-step verification, what do you think that has to do with encryption?

Yep. It would send a randomized key, which would be a dynamic key generated. Like say Google Authenticator. It would send a timed key with expiration. It would be a randomly generated key that would match the randomly generated key sent to you from the site you were going to login to. So it’d go directly to you but the message being sent to you would be encrypted, but Google Authenticator and the website would use the same key and so Google Authenticator and the website would have the same answer.

I: Oh, okay, yeah, I see. Now, not talking about institutions like a website or company or something, do you think there are people who personally use encryption on a regular basis?

By just sending each other encrypted messages?

I: Something like that. Just using it personally.

For nefarious reasons? Or personal?

I: If you think there ARE people …

I absolutely believe there are people doing it for nefarious reasons. I would say encryption would be more on the lines Not that my friends and I messaging each other would be for nefarious reasons or … that we’d be talking about things that are bad, but the things that we’re sending each other are Eyes-Only or about investment or sensitive information. But other than sensitive information like banking information or “Hey, I’m going to send you my SSN” for whatever reason, and I’m going to encrypt it so that somebody doesn’t plaintext that. But other than that, I’d say it was mostly for nefarious reasons. Like terrorist networks using Playstation Network. They were using encrypted messages, junk encrypted messages, but encrypted messages.

I: Okay.

Short answer, yes.

I: Now I have a few examples of where encryption might get used by normal people and I’d like to talk about those. The first one is smartphone encryption.

Right.

I: Are you aware that iOS and Android provide that capability?

Yes. iOS from what I understood is more, and they’re kind of like LastPass, in the example I used. That they are offhands encryption as well, they don’t store your encryption. Like the San Bernardino situation where they said, “Hey, we don’t even have it.” So they’re a hands off, you can’t get it from us because we don’t got it either. Your guess is as good as ours. So that I do know. Android, yes and no? It depends if you use public wifi. I know if you use public wifi, you can get red hatted. If you log into your Facebook or your Outlook, and someone’s using red hat on the same network, they can intercept your packets before it goes. Yes and no, I guess *laughs*

I: So from the perspective of what is actually being changed. In your pictures that you sent me, you added some letters and the stick man got rearranged. When you encrypt your smartphone, what do you think is the thing that’s actually being changed?

What do you mean?

I: When you encrypt your smartphone, what is being encrypted as the encryption process? It’s not the physical phone itself, right?

Well, encrypting with smartphone technology, most of it’s web-based, so I don’t see it being different than encrypting a computer. It’s kind of just a personal computer in your pocket. As far as the technology in your phone and computer, I don’t believe they’re much different, as far as my knowledge is. Encryption already is crazy hard so they’re not going to make a separate one for your phone. It goes back to what you are using your phone for. Pictures being sent? I don’t think has that much encryption or any. That’s how a lot of people are getting their photos leaked. Text messages? I don’t think are much encrypted. But web? It just uses the same as the computer, HTTPS encryption. Phone calls? As far as I know, aren’t encrypted at all—I don’t see how that’s possible. Well, I guess it could be possible, but I doubt it. I don’t know. It just depends how you’re using it.

I: I asked it poorly, but that’s what I was asking. My next question is: we’re talking about sensitive information. Remember, we’re talking about who uses encryption and you said like financial information or something nefarious, you’d want to encrypt it. On your phone, though, what kind of data do you think there is that’s worth encrypting? Why does this functionality exist?

I think most should be encrypted. Even as far as text messages, there’s a lot of complaints of the metadata of who you’re sending messages to, how often you’re sending messages, how long you’ve been on the phone, how many messages have you sent to this exact person. Even just as far as who I’m texting should be texted. But I think that’s technology that wouldn’t exist yet because if my cellphone provider doesn’t know the encryption key, it’s gonna be lost who to send that message to. I don’t know how that would work, but if possible, it would be nice if it was all encrypted. It’d be nice if nobody was reading any of your personal or even impersonal—data you don’t find sensitive at a given moment but would be nice if it was encrypted because it’s no business of anybody to look at any of your data.

I: That’s a very interesting point that we’ll get to in a second. First, I wanted to ask if you encrypt your smartphone, since you seem to be quite a proponent of encryption in this scenario.

Yeah.

I: You do encrypt your phone?

Yeah. So if I lose my phone, my two-step verifications aren’t screwed. ‘Cuz then it’s taking all your security and dumping it into something that’s handheld and can be lost. So instead of you having your Coinbase, for example, and then you lose your phone and then the guy at the bar has all your stuff now.

I: He has all your money *laughs*

Yeah *laughs* You made it easy on him.

I: So now, what you just brought up about messaging, this is actually the last example I want to talk about. First of all, can I ask if you use WhatsApp, Facebook Messenger, Signal, Telegram, anything like that?

Sometimes I do use a public messenger just for “Hey, how’s it going?” That’s more like Facebook Messenger. I don’t use Skype. I don’t use AIM, I think they’re gone now. There’s not too many public messengers that I use.

I: Yeah, AIM, I remember using that. So what I want to talk about is a specific set of these messaging apps that have become popular recently. For example, you’ve probably heard of WhatsApp.

Mm-hmm.

I: So these are secure messengers. Essentially, they’re the same instant messaging functionality as you see in like AIM or Facebook Messenger, except they come with the added functionality of encrypting all your communications on the app. For example, if you were using WhatsApp or Signal, you’d be using the same sort of texting functionality but the communications over the app would be automatically encrypted. So my first question is: why do you think people create these apps? What is the purpose of encrypting daily communication? Is there anything sensitive there?

There could be and there couldn’t be. I think it’s a good idea to begin a messenger is already encrypted. You don’t have to go anywhere else. I don’t have to send my friend that. Just talk about whatever. If we want to share passwords with each other, if we want to share a secret that we don’t want out. If we just want to say anything, it’s easier. It streamlines everything that you don’t have to go to another app and you don’t have to manually encrypt or decrypt anything. You can just say it blatantly and I don’t have to say “Hey, go on to that one messenger, and then we’ll talk.” I can just say it blatantly right then and there.

I: Okay. So when we were talking about sensitive information and financial information, it’s easy to see who might be after that. But when it comes to daily communication, who do you think would actually be trying to steal that information?

Daily communication? I would say honestly the people that seem like the least likely candidate would be people like Pepsi or Hewlett Packard or Dell. More on an advertising basis because we’re their products. We’re the ones that they’re trying to sell their products to. We are their consumer base. Now that you bring it up, there was a long argument on it for Facebook Messenger is using anything that you’ve talked about. So if you’ve talked about, I really love goldfish. I really want to buy some goldfish, that would make my life complete. That’s the pet I want. And then the next thing you’d see in your news feed, all of a sudden, you’re seeing advertisements for fish tanks, for fish food, and goldfish crackers maybe. To the point that it seems very suspicious that your communications for your quote-unquote free messenger that you’re using is being used as a tool to sell you products or to sell advertising to you.

I: Does that bother you? When that stuff happens?

Yes. It takes away your free will of purchasing what you actually want and not what’s marketed to you.

I: Yeah, I can see that. My last question, then is, you were saying a second ago that you’d like to have the ability to encrypt communications and stuff, and now I’m telling you that these messengers do exist. The apps look and function, from a user’s perspective, exactly the same as Facebook Messenger or just texting, but they do encrypt communication. So my question is: do you think you will now look for and try to use one of these now that you know they exist?

Uh, well, I’ve known they exist but it’s still more along the lines of say Snapchat deleting your messages after they’ve been viewed. I guess it would be that the longer the company has been available and the more looked into by watchdog groups. I probably still wouldn’t say my deepest darkest secrets on a messenger just because they’ve told me that it’s encrypted and my information is safe?

I: So what would it take? To trust an app to that extent?

That I made it *laughs* That’s about it. I don’t think I would ever fully trust anything that somebody just told me. That’s even the same as other programmers reviewing other programmers work or watchdog groups, there’s people that are reviewing the code and saying “Hey, hey, hey, this is not encrypted; this part is being ponied off.”

I: That’s pretty much all the questions that I had.