Limits of security

.. the one we’re looking for in technology. There is no limit, mainly because we’re dealing with an illusion – we are fascinated by big words and the latest encryption protocols, meanwhile they already have their hands in our pockets.

               I’ve done a bit of homework almost two decades ago on the matter of security. Shady places, I know. I’ve done research on malware propagation, I’ve designed hiding methods – hell, who remembers how to break an asm debugger? I did that, back then. Assembler code, designed to confuse the hell out of whoever would be looking – it’s now called code obfuscation. I never did know there was a word for it, back then, must have slipped my mind. I gave up on that around the turn of the century. People don’t want to know anything except what helps them directly, now. Not in the future, but really… like now.

               There are things I understand now that didn’t make much sense back then. Not many understand that even now – everybody is vulnerable, when it comes to either privacy, security or any kind of communication. There is no other kind. Everybody is vulnerable, from the US government to the lowest ranking Somali hijacker, but there are layers on top of layers of shades and degrees of vulnerability. There is a somewhat less known way to quantify vulnerability by the type of damage it can create – but even that is not really helpful if one fails to properly identify the less obvious types of damage. Let’s hear it for desk-jockeys.

               There is catastrophic damage due to loss of proprietary “recipes”, sort of like having your plans stolen a few days before trying for a patent registration – and somebody else gets the patent. You can get it back, but it could take years – and your competition ain’t waiting for you. There is catastrophic damage due to loss of trust – like a company who relies on secrecy discovering their customer list online. There is catastrophic damage due to active sabotage – like having a virus add or remove a digit to the amount of a randomly chosen wire transfer or industrial calculation. I obviously removed lots of other types, no point of drowning you in stuff you don’t care about.

               It’s really important to notice one thing – to me everything is catastrophic when I talk about vulnerabilities – I couldn’t care less about having your flirting messages or your granny’s recipes for corn bread. Vulnerabilities aren’t something tangible, they’re just probabilities. A hole in your system can mean you get your email contacts stolen or it can transform into something the size of Sony resorting to pen and paper. It’s easy too, but quite expensive. It’s not something your everyday hacker does unless you’re really wealthy, a celebrity or you pissed off the wrong revenge-obsessed guy. That’s why individuals usually get targeted by organizations and organizations usually get targeted by individuals. It’s more efficient to steal a million credit card numbers from a store than one from an individual.

               Nothing is ever secure because everything is now digitized. Everything leaves a trail, and one trail is all it takes to uncover the real you. You think you’re safe because you’re not doing anything dangerous? It’s not the government you should fear, it’s the store where you buy your clothes or food. It’s marketing you should fear. Governments can’t use much of that, but if it isn’t put somewhere safe you’re going to be sorry, I guarantee it. Stores also target you for things you crave in secret – but by doing so they may put your secret out in the open. All it takes is the wrong line of code or the wrong kind of people and your pregnancy, your fetish or your semi-secret preferences might end up in your employer’s hands. Think of a manager working for Coca Cola who finds out one of his workers hates the stuff and loves Pepsi.

               Never trust others with things that can be used against you. Think about it – to your boss, to your coworker, to the random person on the street, you are only as important as either what you give them or what they can use you for. Now imagine that everything you do online can be traced back to you. TechInt ain’t about governments no more.

               You think whoever considers you a target cares only about what you actually do or say online? That they’re interested in the messages that pass to/from you? Think again. What you “like” online, from fashion to various articles, can describe your inner workings – but only as part of your conscious choice. They see what you say you like, how you say you think. But all that isn’t really relevant, because what you like and how you think changes all the time, it may not be relevant or true. You may be gay or racist and not know it. Sort of like knowing your crush stalks you on Facebook so you’re acting in a way you think he/she would find attractive. It’s not you, it’s fake – it’s an act. They can’t sell you stuff you don’t want, even if you write a few articles praising it. What they know and you don’t know is – you are never the person you think you are.

               Think different for a bit – reading your Facebook likes, your texts and your emails is not exactly relevant if they want to know who you are. You can send a message one friend praising the lord jesus and whatever, but if your phone contacts are 90% Muslim there’s something else to consider. Who you talk to, what websites you visit, and so on. It’s not enough, though. So, traffic analysis comes into play – they look for patterns in what you use to communicate or see online. They look to connect your location, your IP, your usernames, even emails – to various places. They create a map of your life. Forget about privacy, it’s dead and buried. Banners, advertising – wherever you find a link to a place, from AdSense to big banner exchange websites – they got your IP. No cookies needed. No login required. You can clear your browsing history and cookies after every website and you’re still screwed. All it takes is to visit a website containing a remote picture, the way all banners are. A website doesn’t host images, it takes up too much space – they don’t show you images with links, they embed them which means the images are retrieved on use, from somewhere else. When you access the website, the browser you use tries to retrieve the remote picture, the banner embedded into the code of the website – effectively telling the advertiser your IP and the website this IP visited. Do this for 99% of the websites and you’ve got yourself a clear picture of individuals and their browsing history. They know the hours of visiting certain websites or online stores, the time of the month, possibly even the previous cookies if you haven’t deleted them. They can link that to your work hours and see if you’re the one using the computer or your spouse, or even your children. They can advertise toys to your kids if you’re at work and vodka to you when you’re at home. They can see exactly who you are – not the person you pretend to be in front of others. They see exactly what you’re trying to hide, and it’s rather interesting.

               Imagine Google selling your browsing habits to your internet provider who then inserts relevant advertisements into your data stream. Imagine submitting a job application and getting rejected because somebody did a background profile on you and didn’t like your leather fetish or thought you might become a liability if they hired you. Imagine wanting a loan and being told you’re too risky, because their risk management software put you in some group based on what you tweeted or shared. Scary, innit?

               You can’t ever think you’re safe. You think that lock on your browser means your connection is encrypted? SSL is broken. Your laptop manufacturer thought you wouldn’t mind a spyware advertisement to intercept your connection (even encrypted) by falsifying secure certificates and “suggest” things for you to buy. They can use self signed certificates and if your browser doesn’t warn you (security to minimum, or medium-low, because who wants to keep clicking things all the time, right?) you’ll have no idea the website is really what it claims to be. They don’t really need that, all they need is access to a database with a few things – IP address, website visited, referrer, cookies present at visit. They can do a cross-check and a consolidation, it’s easy. They can even identify individuals by generating a fingerprint of your browser and operating system, not even proxies and VPN-s can protect you from that. Hell, the modem you use creates a cookie with superpowers, one you can’t delete and can’t turn off. And they don’t think you ought to turn it off. It’s just the tip of the iceberg, it’s really only the visible part.

               How do you know the random number generator used by the website you visited isn’t bugged? Or that the encrypted connection doesn’t become plain-text after 5 minutes? As such, your connection that’s encrypted with the strongest encryption one can use just lost 90% of its cryptographic strength because the public/private key set they generated to secure the connection is subject to some limitations or hidden rules you have no idea of and is, as such, easily broken. Forget about NSA, fear marketing. The amount of money in your wallet is the real reason you’re being tracked, to maximize sales and the money they trick out of you.

               Elliptic curve crypto, prime factoring, chaos theory and qubit/qutrit calculus – all make very nice intellectual exercises. They’re like holy water, they won’t hurt but won’t help you either. If you’re a commodity, a product to somebody – your life will be an open book to them. The alternative is unthinkable – even your phone comes with a “mandatory” data plan and a GPS tracker. Even your photos you uploaded on your “free” cloud storage have geotagging inserts. Ever used Location History on your phone?

               The only way to block trackers is to disable remote content and cookies and their code is so well integrated that by blocking remote content you also screw up the design of the website or even its content. And even then, you’re not completely safe. It’s in the privacy policy of most websites, look it up. You get things for free, information, guides, maps, music – but free stuff just means the other side gets you. The real you, the hidden you. And you might get a “congratulations on your pregnancy!” card by mistake. Security is a placebo – privacy is dead, it’s been dead for years. They know you, in detail – and you ask for more. I mean, you like the concept of IoT, right? In a few years you’ll be complaining about the advertisements your fridge keeps displaying or wonder why your telly interrupts your wedding movie to tell you about the virtues of Pepsi. Oh wait, that already happened. Scared yet? Wait until your toilet interrupts your morning crap ritual to tell you all about that new toilet paper, oh so soft…

Post scriptum:

               Everything I write about is true in my opinion or it happened to me. This time I’m really bugged by some spyware that got installed and Kaspersky didn’t catch. It was my fault too, I really gotta make more local accounts with limited priviledges for my family – it’s not Kaspersky’s fault if crap comes bundled with useful software (not the other way around).. Top security suite on the market, antivirus, hardware firewall, router firewall, inside knowledge on spyware, top rootkit detection, custom made tracking filters, custom TCP/UDP filter – and all it takes is somebody else clicking yes on some crap. Looks like my neurons took a break. It only took me a week to find it, too.

Advertisements

2 thoughts on “Limits of security

  1. Pingback: Oh, yes, I’m perhaps a tad paranoid – In Vino Veritas

  2. Pingback: Food for random thought(s) – In Vino Veritas

Well? Post a comment:

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s