I've been glued to articles from The Guardian and The Washington Post for a couple of weeks. The revelations from Edward Snowden, a former NSA contractor, have caused an earthquake in the industry that we're still unable to process. Reading the leaked slides about the PRISM program and seeing how intelligence agencies have direct access to the servers of giants like Google, Facebook, Apple, or Microsoft left me frozen. Although there's always a conspiratorial side to our heads that says "we already knew this".
But beyond politics, this hits us computer scientists right in the face. We are the plumbers of this ecosystem. If the NSA or any other actor can read our users' data, it's largely because we've made it too easy for them.
The plaintext problem
Until now, we focused security almost exclusively on the perimeter: protecting the network with firewalls and preventing SQL injections so nobody steals our database from the outside. We assumed that if the data was stored on our server, it was safe.
Snowden has proven that premise false. If you are legally forced to hand over a hard drive, or if the fiber optic traffic between your datacenters is tapped, the firewall is useless. We need to start applying encryption at rest at the application level.
Imagine that reviewing your application you see that bank account numbers and addresses are stored in normal text columns like VARCHAR. If someone copied the .mdf file from SQL Server, they had everything. Changing this at the database level is not as complex as it seems:
-- Ejemplo en MySQL usando funciones nativas de cifrado AES
-- OJO: La clave debe gestionarse fuera de la BD en un entorno real seguro.
-- Inserción de un dato sensible cifrado
INSERT INTO ClientesSensibles (Id, Nombre, TarjetaCreditoCifrada)
VALUES (
1,
'Carlos',
AES_ENCRYPT('4500-1234-5678-9012', 'mi_clave_maestra_super_secreta_256')
);
-- Lectura del dato desencriptándolo al vuelo
SELECT
Nombre,
CAST(AES_DECRYPT(TarjetaCreditoCifrada, 'mi_clave_maestra_super_secreta_256') AS CHAR) as TarjetaPlana
FROM ClientesSensibles
WHERE Id = 1;
For passwords, please, we should have long left behind fast algorithms like MD5 or SHA1. Using something like bcrypt with a good salt should be a non-negotiable standard.
Reflection: The ethics of retaining data
This scandal has made me reflect on a vice we have in Big Data and Business Intelligence environments: digital hoarding syndrome. We tend to save absolutely everything in our logs ("just in case it's useful for a predictive model in the future"). We record IPs, connection times, clicks, locations.
The Snowden case teaches us that the data you retain is a toxic liability. If you store a user's location history for five years in plaintext, you are building a ticking time bomb against their privacy. As computer scientists, we have a brutal ethical responsibility. Our new motto shouldn't be "save everything", but "collect only what's strictly necessary, encrypt it strongly, and delete it as soon as it's no longer useful". If we don't have readable data, no one can demand it from us.