Facebook “joins” Tor – good-bye, privacy!

Multiple publications are touting Facebook's announcement of a Tor-enabled version of the social networking website as nothing short of a breakthrough for anonymous access from “repressed nations”. They think that people around the world who wish their identity and activity online to remain hidden will now have a great time using Facebook through Tor.

From my point of view, the result is just the opposite. The users of Facebook sign in and are tracked across a multitude of collaborating sites. Using Facebook through Tor will actually disclose completely the identity and the activity of the person using it. This information will become available across several user-tracking websites. The user will completely lose the anonymity they so strongly desired.

Lightbeam for Firefox shows tracking of the user through different websites and tracking networks and how they share information with each other.

Facebook previously denied access to its social network through the Tor network, citing security concerns. Surely, you do not think they decided to provide Tor access because they decided to be nice to those few who use Tor? Facebook is a commercial company under the control of the United States government and don’t you forget it. The move to bring in a few thousand Tor users is unlikely to have any positive impact on their business but will require them to provide additional infrastructure. Therefore, Facebook is acting selflessly and causing themselves trouble for no commercial gain. I view such a move as extremely suspicious. Most likely, the company’s network will be used in online operations to unmask the identity of Tor users.

Of course, the proper way to keep your privacy online is to never use any social networks of any kind and discard every session after a short period and when switching activities. Searching for movie tickets? Use a session and discard it when done. Looking up the hospital’s admission hours? Discard when done. In any other case, the network of tracking sites will connect the dots on you. If you are to use Facebook in the same session, your identity is revealed instantly and all of that activity will be linked to the real you.

We released too much of our privacy to the Internet companies already. They are now slowly dismantling the last bastions, one of which is the Tor network, under the pretense of fighting online crime. Facebook, having a history of abusing its customers, should not be trusted on these matters. Their interest is not in protecting your privacy, they will betray you for money, rest assured.

Dark alleys of cybersecurity

The security of the so-called “cyberspace” has deteriorated beyond belief. Some people tell me that my stories are far-fetched and that I view the security and computer industry with some sort of a depressing negativism. I disagree. The problem is, I am trying to stay positive and optimistic. My tales rarely go to the full extent of what is happening. The reality is much worse and scarier. Why do we tend to think then that Internet reality is all cheerful and pink? Because our judgement is severely distorted by our perception of the Internet world.

When you walk around town, you come across various parts and you are usually able to assess the dangers in a valid way. You walk on a wide street, there are sufficiently many people around but not too many to invade your personal space. The street is well lit or it’s day time. There is a policeman on the corner… What do you feel like? Your body tells you it is all safe. Your image recognition and other parameters are assessed automatically and provide a relaxing feeling of “it’s all right.”

Now imagine you are walking at night through a dark part of town. Small streets, poorly lit, the people are scarce. You are approaching a dark alley, it smells funny, there are some indistinct shadows moving ahead. A police siren wails in a distance… How do you feel? You tense up, ready your “fight or flight” reflex you inherited from stone age that keeps you alive in situations like this. Your body sends a clear signal: this place is dangerous. You have assessed your situation correctly.

Let’s now go onto the Internet. We can do it from various places with various devices but let’s stay traditional for this example. You sit at home, at your desk, wearing comfortable home clothes, your slippers are on, the evening is outside but inside it is all warm and cozy, you have your cup of coffee at your elbow and you visit a website. A bad one. One from the dark alleys of the Internet.

What do your senses tell you about the website you are visiting? Or even about the state of your own computer? Well, basically, nothing. Your standard human senses are dealing with the standard stone age parameters: you are at home, in safety, it’s warm, you feel protected, there is food, no danger. The body is sending you the signal to relax. However, that signal has nothing to do with what you are doing at the moment. Your assessment of the situation may be completely wrong.

And therein lies the problem. We are not equipped to recognize the dangers of the Internet. Whatever we do at the computer screen, our feelings of comfort and safety are not influenced at all by our actions. Therefore, we cannot rely on those most basic instincts of whether something is safe to do or not anymore. Not when we are in cyberspace.

The only way to assess adequately the dangers of the Internet is to learn to think about them logically. To perform a logical assessment of the danger of entering a website you must intentionally exclude the cozy bodily feeling from your equations. The equations will also require education and practice. You must learn logically what a good behavior is, what a bad site might look like, what a suspicious activity is and so on. Just the way you learn to drive a car. It takes knowledge, training and cool logical thinking to drive the car without causing accidents all the time. Training and education will over time result in a new kind of situational awareness that will allow you to assess your situation and your actions on the Internet correctly.

Failing that, think of the Internet as a dark alley full of indistinct but dangerous looking shadows. It might help. Or, better, ask someone who knows to help.

Strategy towards more IT security: the road paved with misconceptions

The strategy towards more IT security in the “Internet of Things” is based a little more than entirely on misconceptions and ignorance. The policy makers simply reinforce each other’s “ideas” without any awareness of where the road they follow is leading.

As I listened on in the K-ITS 2014 conference, it became painfully obvious that most speakers should not be speaking at all. They should be listening. The conference is supposed to discuss the strategies towards more IT security in the future industry that will have both factories and cars connected to the Internet. That future isn’t bright, far from it. We are fighting battles on the internet for the web servers, personal computers and mobile phones now. We will be fighting battles for refrigerators, nuclear power plants and medical implants in the near future. We definitely need to have some better ideas for those battle plans. Instead, we hear, if anything, the ideas on improving the attitudes of buyers, i.e. “how can we convince the customers that our security is okay and they should pay more?”

I detail here five different misconceptions that were very obvious and widespread in the conference. Even security management at the top level shares this, though they should know better. And the worst part is, they all seem to believe that it will be all right if they throw some important sounding names and acronyms at it.


Divide security into “levels”

A prominent theme is the division of the industrial landscape into various “areas” of differing security requirements. There is nothing wrong with the concept itself, of course, except that it is applied in a context where it will do more harm than good.

The policy makers seem to think that they can divide the industry into ‘critical infrastructure’, ‘things that need security’, and ‘things that do not need security’. Right, for the sake of an argument, assume we can. Then what? And then, they say, we will invest in security where it matters most. That, on the surface, looks like a sound plan.

The problems start when you try to apply the said concept to software development. How do we distinguish between software written for ‘secure’ and ‘insecure’ applications? How do we make authors of libraries and tools write their software to the highest standards to satisfy the ‘most secure’ part of the industry? What about the operating systems they use? What about people that wander from one company to another, bringing not only expertise but mistakes and security holes with them?

Once you start thinking about this approach in practical terms, it quickly becomes untenable.

The only way to improve the security of any software is to improve the security level of the whole software industry. The software not written specifically for a high security environment will end up there whether we want it or not. Developers not skilled and not trained for writing secure software will. It’s unavoidable.

But that is only one side of the problem. Why have the division in the first place? Yes, critical infrastructure is critical, but that stupid mirror with a network interface will also end up in a secure facility and how do we know what the next attack path will look like? The noncritical infrastructure will be used to attack critical infrastructure, isn’t it obvious? All infrastructure, all consumer devices need protection if we want to have a secure Internet of Things.

The software for all purposes is written by the same underpaid people that never had proper security education everywhere. The general tendency for software quality and security is, unfortunately, to get worse. As it gets worse everywhere it does, of course, get worse for the critical infrastructure as well as for consumer electronics.

Investment should be done into the state of software in general, not into the state of some particular software. Otherwise, it won’t work.

Security should not prevent innovation

Says who? Not that I am against innovation but security must sometimes prevent certain innovation, like tweaking of cryptographic algorithms that would break security. There is such thing as bad or ill-conceived innovation from the point of view of security (and, actually, from every other point of view, too). Wait, it gets worse.

‘Innovation’ has become the cornerstone of the industry, the false god that receives all our prayers. There is nothing wrong with innovation per se but it must not take over the industry. The innovation is there to serve us, not the other way around. We took it too far, we pray to innovation in places where it would not matter or be even harmful. Innovation by itself, without a purpose, is useless.

We know that this single-minded focus will result in security being ignored time and again. There is too much emphasis on short-term success and quick development resulting not only in low security but low quality overall.

Finding ways of doing things properly is the real innovation. Compare to civil engineering, building houses, bridges, nuclear power stations. What would happen if the construction industry was bent on innovation and innovation only, on delivering constructions now, without any regard to proper planning and execution? Well, examples are easy to find and the results are disastrous.

What makes the big difference? We can notice the bridge collapsing or a building falling down, we do not need to be experts in construction for that. Unfortunately, collapsing applications on the Internet are not that obvious. But they are there. We really need to slow down and finally put things in order. Or do we wait for things to collapse first?

Convince the customer

We are bent on convincing the customer that things are secure. Not making things secure but convincing everyone around that we are fine. Engaging in plays of smoke and mirrors that is. Instead of actually making things better we announce that pretending things are better will somehow make them better. And we try and succeed to convince ourselves that this is okay somehow.

Well, it is not okay. We all understand the desire of commercial companies to avoid security publicity. We know that eventually people do catch up anyway. There is such a rush to convince everyone and their grandma that things are going to be better precisely because people will be catching up on this foul play soon.

The market will shrink if people think that there are security problems but the market will crash when people find out they were lied to and your words are not worth the electrons they use to come across the internet. The deception of ourselves will lead to a disaster and we have no way of controlling that. This is simply a fast track to security by obscurity.

Secure components mean secure systems

There is a commonly shared misconception that using secure components will somehow automatically lead to secure systems. When confronted with this question directly, people usually quickly realise their folly and will likely fervently deny such thinking but it is sufficient to listen to a presentation to realise that that is exactly the assumption behind many plans.

Secure components are never secure unconditionally. They are what we call conditionally secure. They are secure as long as a certain set of assumptions remains valid. Once an assumption is broken, not met, the component is not any longer secure. Who checks for those assumptions? Who verifies whether the developers upheld all of the assumptions that the developers of underlying components specified? Who checks what assumptions remained undocumented?

When we combine the components together we create a new problem, the problem of composition. This is not an easy problem at all. By having two secure components put together, you don’t automatically obtain a secure system. It may well be. Or it may be not.

This problem of secure composition is well known to the developers and auditors of smart cards. And they do not claim to have a solution. And here we are, developers of systems orders of magnitude more complex, dismissing the problem out of our minds as if it’s not even worth our consideration. That’s a folly.

We need those things on the internet

Who said that factories need to be on the internet? Who said that every single small piece of electronics or an electric device really needs to be on the internet? Why do we think that having all of those things “talk” to each other would make us all suddenly happy?

The industry and the governments do not want to deal with any of the real problems plaguing the societies world over. Instead, they want to produce more and more useless stuff that allows them to appear as if they do something useful. They will earn lots of money and waste a lot more resources in the process. Should they be worried?

Take “smart cars”, for example, cars that communicate to each other over some wireless protocol to tell about accidents, road condition, traffic jams. Think about it. A car cannot communicate very far away. On a highway, by the time you get news of a traffic jam from your neighbour cars, you will be standing in it. In the city, this information will be equally useless, because you will see the traffic jam and do what you always did: turn around and go look for another street around the block. What of accidents? Again, that information is not much use to you in the city, where you basically don’t need it. They say, cars will inform each other of the accidents but this information cannot be transmitted too far away. By the time your car has information about an accident on the highway ahead, displays it and you read it, you will be staring at it. The civil engineers are not that stupid, you know. They make highways so that you have enough time to see what is around the corner and react. Extra information would only distract the driver there. So this whole idea is completely useless from the point of view of driving but it will require enormous resources and some genius security solutions to artificially created problems.

And all of it is like that. We don’t need an “internet of things” in the first place. We should restrict what gets on the internet, not encourage the uncontrollable proliferation of devices arbitrarily connected to the network simply to show off. Yes, we can. But should we?

TrueCrypt disappears

Quite abruptly, the TrueCrypt disk encryption tool is no more. The announcement says that the tool is no longer secure and should not be used. The website provides a heavily modified version of TrueCrypt (7.2) that allows one to decrypt the data and export it from a TrueCrypt volume.

Many questions are asked around what actually happened and why, the speculation is rampant. Unfortunately, there does not seem to be any explanation forthcoming from the developers. For the moment, it is best to assume the worst.

My advice would be to not download the latest version, 7.2. Stick to whatever version you are using now if you are using TrueCrypt at all and look for alternatives (although I do not know any other cross-platform portable storage container tools). If you are with 7.1a, the version is still undergoing an independent audit and you may be well advised to wait for the final results.

Update: there is a Swiss website trucrypt.ch that promises to keep TrueCrypt alive. At the moment, most importantly, they have the full collection of versions of TrueCrypt and all of the source code. There will probably be a fork of TrueCrypt later on.

Fraud Botnet Controls Sales Terminals

Ah, the humanity. ArsTechnica reports that researchers came across a proper botnet that controls 31 Point Of Sales (POS) servers with an unknown number of actual sales terminals connected to them. The botnet is operational, i.e., it is running and collecting the credit card data. The data is transmitted during idle times in an encrypted form to the command center. The software running the botnet is apparently available for sale worldwide on the black market. There is another report by Arbor Networks that follows the widespread attack campaign mostly in Asia. So much for credit card security…

Can I interest you in more security, sir?

Last week’s meeting of the IETF discussed security of the Internet and the recent revelations that the NSA turned the Internet into a giant surveillance machine. While the sentiment was clear that the Internet should not lend itself to such abuse, there is little evidence that anything at all could be done about it.

The problem is not that it is technically impossible to introduce more encryption and build better protocols. The problem is that it is not in the current interest of the companies to do so. The Internet was conceived for use in academia, so it was not a commercial thing from the start. The principles on which it is built are idealistic. But it is commercial from the hardware to the applications, through and through now. And it is not in any company’s commercial interest to introduce better security. It is quite the opposite, in fact: most companies are interested in less security even if they claim otherwise.

Me and you, as people, as independent human beings, can introduce better security because it is in our interest. I would not rely on companies to do so.

Dump anti-virus and move to secure-by-design?

I stumbled across an article this morning that analyses the threat to mobile devices from malware and comes to the conclusion that it is likely not a good idea to have an anti-virus on your mobile.

The premises are that only a very few of the mobile devices are currently infected, so the conclusion is that the infection is unlikely, plus that anti-virus software is terribly ineffective at catching the malware. The author concludes that the industry is best off to dump anti-virus on mobile and move to secure-by-design hardware and software.

I wholeheartedly agree that moving to secure-by-design devices would be excellent. I personally prefer an old trustworthy Nokia rather than any new fashionable smart phones for making calls and reading RSS. On the other hand, there are a couple of problems with the analysis and the proposition itself.

First, the apparent absence of the malware infection on the phones says nothing about either the actual infection or the possibility of infection. The mobile malware may get better tomorrow and the levels will jump overnight. Or perhaps we do not analyse it properly. The likelihood of infection is not a function of the current rate of infection.

Moreover, asking the mobile industry to make secure devices is vain. This is the same as asking the software industry to make secure software. They are just not going to. Security costs money, security is a cost for the manufacturer and they will reduce it through the floor if they can.

Secure-by-design is only going to happen when the costs of security breaches stop being externalities for the producer. As long as customers bear the costs, security remains the problem of the customer.

User Data Manifesto

Having confirmation that the governments spy on people on the Internet and have access to private data they should not have has sparked some interesting initiatives. One such initiative is the User Data Manifesto:

1. Own the data
The data that someone directly or indirectly creates belongs to the person who created it.

2. Know where the data is stored
Everybody should be able to know: where their personal data is physically stored, how long, on which server, in what country, and what laws apply.

3. Choose the storage location
Everybody should always be able to migrate their personal data to a different provider, server or their own machine at any time without being locked in to a specific vendor.

4. Control access
Everybody should be able to know, choose and control who has access to their own data to see or modify it.

5. Choose the conditions
If someone chooses to share their own data, then the owner of the data selects the sharing license and conditions.

6. Invulnerability of data
Everybody should be able to protect their own data against surveillance and to federate their own data for backups to prevent data loss or for any other reason.

7. Use it optimally
Everybody should be able to access and use their own data at all times with any device they choose and in the most convenient and easiest way for them.

8. Server software transparency
Server software should be free and open source software so that the source code of the software can be inspected to confirm that it works as specified.

In the news

I do not often want to comment the news so today is a special day.

The first piece, an article on the popular subject of NSA Web Surveillance quoting some well-known people, starts off in a good direction but gets derailed somehow into recommending obscurity for security. Strange as it is, we really should consider anonymizing our access to the Internet. The problem is though that we cannot anonymize the most important part of our Internet access where we really need our real identity and that is the part that delivers most information about us. Sorry, it is not going to work.

I was wondering earlier what the situation of Canada is in relation to the NSA scandal and the article on Canada’s part in NSA plan revealed that we cannot count on Canada to be impartial in the matter. They are in on it and quite likely Blackberry is no better choice than other U.S. controlled mobile phones.

I cannot remember when was the first time I heard that “passwords are dead”, it must have been years and years ago but this same mantra is repeated over and over again every year. Now the passwords are dead at Google. Well, tell you what, long live passwords!

And suddenly Vint Cerf, one of the guys at the beginnings of the Internet, is preaching for the devil. He is working for Google, of course, so his opinion that we all should “give up a degree of privacy in order to be protected” is likely Google’s, not his own. On the other hand, if you ask me I would say he should watch what he says, people believe him more or less unconditionally and his moral obligation is to not peddle the loss of privacy for all of us.

Here you go. I seem to disagree with nearly all of the news today. Which is good news!

Nokia is gone. So is mobile security.

The recent acquisition of Nokia by Microsoft stirred up investors and Nokia fans. But, the question goes, what does it have to do with security? (Not) Surprisingly, a lot.

Working in security makes people slightly paranoid over time, that is a fact. On the one hand, without being suspicious of everything and checking all strangeness you would not get far, so that makes you extra attentive to possible security issues. On the other hand, witnessing how everything around us turns from impenetrable walls into a Swiss cheese variety when poked makes you doubt every security statement on the planet. Looking at Microsoft buying Nokia, I cannot resist putting my security hat on.

So what does the acquisition of Nokia by Microsoft bring us on a large scale of things? You remember, of course, that some governments, and in particular USA, listen to all our conversations on the Internet and collect all possible information about us, right? Okay, for those who forgot, I will remind that Microsoft, Google and Apple are on the list of companies sharing information with NSA. Just keep in mind it is likely not limited to NSA and USA, other governments are not likely to refuse the temptation.

Nokia was not on the list. And I will hazard a guess that the Finnish company refused cooperation with NSA. That means people who have the good old Nokia phones are probably more safe from surveillance compared to people with those Microsoft, Google and Apple phones. We can probably assume that it was not exciting for NSA and the like to know that (5 years ago) half of the people with mobile phones will not be under surveillance. I can imagine they were rather disappointed. I would not be surprised if they lent a hand to Microsoft in the plan to acquire Nokia or even orchestrated the whole thing.

Now, Nokia is Microsoft. What does it mean? There is no phone any longer that is not under surveillance. Think of any mobile phone, it is going to be Microsoft, Google or Apple, committed to collaborating with NSA on surveillance. There is no alternative.

We still can use our good old mobile phones, of course (and I do). Telephone networks change though, new protocols come into play, old ones are phased out. In time, the good old phones will simply stop working. And this process can be accelerated if desired. There will be no choice.

I really wonder about Blackberry now …
