Sunday, July 24, 2016

State Actors Up The Ante?

One of the fastest changing landscapes on the planet isn't even a tangible one. It's more of a concept: security. Before we go on, for dear readers confused by modern hacker security terms, check out Kaspersky.

I'm a proponent of good encryption. The reason is simple: everybody needs security. You need to keep your banking passwords secure. You don't want malicious actors (trolls) taking over your Facebook account and somehow ruining your life.

You especially don't want anyone to rootkit your computers! Once that's done, they can steal your identity, install malware for collecting passwords and account names, and so forth. Now go to the next level: your computer might then be used as part of a DDoS attack against Homeland Security. Your computer could wind up as the storage location for the malicious actors' illegal data ... without your knowledge. You become their fall guy.

Yes, there are plenty of good reasons for all of us to keep our passwords safe and distinct.

But encryption is not all black and white, is it? And that's the rub. Enter the relativistic observer, to tell you some of the latest. Things are changing too fast to blink, after all.

It's long been known that people outside the law use the Dark Web to organize, proliferate, distribute, and communicate. And the Dark Web is run using the Tor network. Tor, short for The Onion Router, is a volunteer network of servers running special protocols that relay your browsing history and other data through virtual tunnels.

To be fair, the Tor project has lofty goals, and it is used by "family & friends, businesses, activists, media, and military & Law Enforcement", according to their web site. The US Navy uses Tor for open source intelligence gathering, for instance. The EFF suggests using Tor for maintaining secure correspondence and keeping our civil liberties intact.

For people operating outside the law, the Tor network also maintains their OpSec. The Dark Net is called this because the communication within it has "gone dark". Surveillance doesn't work there.

The Tor network and the Dark Web must be a real pain to law enforcement. Given enough desperation, it might be something they would seek to infiltrate.

So what law enforcement would do is this: create their own honeypot counterfeit Tor server (or relay). But put in their own undetectable flavor of malware. Then they can watch the criminal's Dark Net traffic. And watch the crime happening. Collect the privileged conversations.

These really exist, as doctored Tor relays. There are over 100 malicious relays that have been detected. And who could they be? My guess is state actors like the US, China and Russia. If not them, then who? The criminals themselves? This is a game of spy vs. spy, updated for the 21st century. Could the FBI be doing this? Their arrest of child pornography criminals in January 2016 was supposedly accomplished by cracking Tor.

There is a question as to how invasive such investigations should be allowed to be. I'm not saying that the FBI shouldn't go after child pornographers; they totally should. I just think that *everybody* is too broad a target for law enforcement. Privacy is a basic human right.

5 comments:

  1. This comment has been removed by the author.

  2. Mark, in a draft I am writing about Anonymous Cryptocurrency & Blockchains, I linked to this blog of yours for the term “powerful adversaries” in the point about plausible attacks on Chaum mix-nets such as Tor and I2P.

    Replies
    1. It seems that Tor is not as secure as it used to be. Companies now advertise that they listen to the dark net. It's really interesting in a way. My question is simple: why do we have to go somewhere to be secure?

      I believe that hacking, privacy, and security of the IoT are the biggest issues we have today. Aside from water rights, and leaders like Maduro that are literally killing their countries. And then there's Kim Jong-Un. The only people who really know for certain how bad he is are dead. Anyway, ...

      Mobile devices need to be secure. And through them, our purchases.

      Our homes need to be secure. Obviously medical devices need to be secure. Our medical files.

      What we don't need are companies who make us their product; who spend all their time and energy collecting data about us.

    2. I very much agree with your statement as written. This is why we need strong encryption. The problem with Apple and Google having too much power is that the government can send (and probably already has sent) them a national security gag order letter. Well, Eric Schmidt is apparently a globalist @$&^($%. Centralization of power is a vulnerability.

      We do need a balance of top-down organization and decentralization. The top-down control ideally should be decentralized enough that subverting our rights becomes a Whac-A-Mole futility.

      Although strong encryption also aids the bad guys too, the government has the means to track them down with rubber hoses, counter-intel, etc. We should not subjugate the rights of the majority of good people to the totalitarianism of a clusterfuck of absolute top-down control, because winner-take-all power vacuums corrupt absolutely. These are the lessons of history. If the West does not change course, it MUST dis—integrate. We are at a very critical juncture in the history of the USA (and Armstrong’s computer models backtested to a $billion of data say the USA is going into civil war circa 2022ish and will break apart by about 2032 - 2040).

      Mark, both you and I have some German ancestry (your family name Zimmer and my grandfather’s Hartwick):

      National styles in hacking

      I think we need to resist our ancestral heritage to over control things seeking a non-existent perfection— the perfectionists that we Germans are.

    3. As has been demonstrated, a lack of security has the ability to create bad problems for governments, for consumers, for companies, and so forth. Securing personal identity and preserving privacy is the number one problem we have.

      With multi-million user data breaches, point-of-sale systems leaking like a sieve, banks suffering billion-dollar losses to cyber thieves, it seems clear we need better standards. There's no oversight for router makers, web cameras, IoT devices. And as Mirai demonstrated, we desperately need this.

      It's incumbent on the companies selling this hardware to completely secure their devices. This is why HomeKit requires strong encryption, and why it's so hard to pry open an iDevice to get the data.

      Payment systems are way out of date, with credit cards being the number one vulnerability. We need completely secure anonymized payment. This preserves our security and our privacy. This is why Apple Pay exists. Whoever can do it should do it and as soon as possible.

      Even blockchain is not perfectly anonymizing, since it's been possible to extract who paid what and when. So a modified Bitcoin approach is required, as I'm sure you know.

      Your criticism of the west is premature. You are simply Internet-misinformed. It's easy for this to happen. You just have to follow some huckster.

      But about cyber security, we must be perfectionists. Just not the kind that become Big Brother.
