Key takeaways for are:

1. Surveillance (and/or sousveillance), irrespective of the details (e.g. tracking, store cards) and whether you care about it or not, ultimately causes human beings to change their behaviour. The act of being observed, and its consequences, has a severe impact on innovation and on thinking or doing things that do not conform to society’s norms.

2. Do what is right, what you believe in, not what others want or expect you to do. Social media is a medium that causes you to act not as is natural, but as you think others will be pleased with.

3. Surprisingly for a European, I have discovered that there is a strong privacy movement in the US, and in many ways they are ahead of the EU, which is rather odd, and I’m still trying to get my head around this!

I am sure it is no news to any of us that Anonymous, the infamous hacktivist movement, is taking up cyber arms against extreme militants following the horrific attack on Charlie Hebdo.

Love them or hate them they are here to stay and cannot be ignored.

In fact, the more I read on this, the more I start to speculate on the place of cyber activists in the future of the global, digital, verbose and connected world that we are all a part of today.

And you know, you don’t even need to be a hacker to be a part of their attacks on institutions and/or people that restrict the human right of freedom of speech. All you need to do to become a sympathiser and a part of their movement is visit their chat rooms, see what the latest target is, click on the appropriate icon, and lo and behold, you will be one of the millions of PCs launching a DDoS attack. See the case of Geoffrey ‘Jake’ Commander, a 66-year-old British rock guitarist who has worked with George Harrison, Elton John and Electric Light Orchestra, and who participated in the December 2010 Operation Payback, an Anonymous campaign that brought down many financial websites, including VISA, MasterCard and PayPal, by launching a massive distributed denial-of-service (DDoS) attack.

Crowdsourcing, crowdfunding, the crowd movement enabled by today’s connecting technologies, is bringing a new energy to the people, and world-wide, bottom-up power was experienced with the Arab Spring. There have always been activists fighting for what is right, fighting against greed and corruption; what has changed now is that it has not only become a force in the digital world, with hacktivists at the forefront of cyber activism, but is linked with the empowering capabilities of social media, such as Twitter, Facebook, Instagram and Google Maps, to bring people together to protest on the streets, coordinated across the world.

‘Power to the People’ is taking on a new guise, and this is for real!

I was about to write an email to someone I respect deeply about how my thinking on information security had changed since we last met in the summer of 2013. Then I wondered if I’d actually written a blog post on this? I searched and found nothing, and was surprised that it is not here. It is pretty straightforward, on the verge of “obvious my dear Watson” ;-)

Clearly security is broken: however hard we work, our security programs, interlaced with security technologies, are not effective. Our security programs are not watertight.

So here we go:

1. Security is only as strong as the weakest link – an obvious deduction even for the non-security geeks amongst us ;-)

2. The weakest link in the chain is the Human Factor of Information Security, something David Lacey wrote a whole book on in 2009.

3. If the identity thing, you know, the technology aspect of ‘the human aspect of information security’, had been architected correctly from the start, we wouldn’t be in the shit that we are today when it comes to water-tight security programmes!

This article was anonymously co-authored, as he is still living in China today.
Since late 2005 Western media have been filled with reports of Beijing’s increasingly heavy-handed attempts to silence dissent and block references to politically sensitive topics such as democracy and human rights. The so-called Great Firewall of China is managed by nine state-licensed internet-access providers that use technologies and an army of censors to patrol the gateway between China and the rest of the world. This army of censors is referred to as ‘net nannies’, and their numbers are thought to be in the tens of thousands, monitoring computers in every home and in over 100,000 internet cafés in China every day [i].

This is why anonymity is important. Without anonymity you cannot see the truth in China, because you will be blocked. According to the co-author of this article, living in China feels like being on the front line of the anonymity battle. Anonymity in internet cafés is almost impossible: people have to buy credits via an internet café account that is linked to their ID card, and everyone’s online activities are tied to a workstation and monitored. Surfing from home is similar. It was after the network connection of the co-author of this article was cut off for the umpteenth time that he started researching ways of anonymising his online activity using The Onion Router (Tor), an anonymity-enhancing network. After he had installed Tor, he had unrestricted Internet access. He had in effect found one of the many holes in the Great Firewall of China. He was seeing the truth as it was, he was looking at China’s underbelly, and China’s net nannies couldn’t see him for once!

This article is about anonymity, why it is needed, Tor and how it works, and the co-author’s experiences with Tor and what he found in the darkweb.

Why online anonymity is difficult

Even if you are living in a country where freedom of speech is not inhibited, true online anonymity is not easy. The reason is that the Internet was not designed to provide anonymity; all Internet endpoint systems, machines and routers, wherever your communications travel, are identified uniquely on the Internet by an IP address. This is because the Internet assumes that some record of the path the data took will be created, i.e. the IP address that originated the data, so that you are able to send something back. So, as a consequence, the Internet is about being non-anonymous. Not necessarily identifiable to an individual or a corporation, but certainly traceable to the physical source of the data.

Basically, Internet data packets have two parts: a data payload and a header used for routing. The data payload is the contents of the packet, whether that’s an email message, a web page or an audio file. This could be likened to the letter in the envelope when you send something by snail mail, and the header can be likened to the envelope. On the envelope is the destination address and a stamp, and on the back, optionally, the address of the sender. The stamp will be marked with the ink stamp of the processing post office. The difference with the Internet is that the header carries the stamp (IP address) of every Internet endpoint that the packet travels over. This presents a basic problem for those wanting anonymity, in that the recipient of your communications can see that you sent it by looking at the headers; the same applies to authorised intermediaries such as Internet service providers. A very simple form of traffic analysis might involve sitting somewhere between sender and recipient on the network and looking at headers, and this is what the Chinese net nannies are doing.

Even an anonymising proxy doesn’t give complete anonymity. It will not add those optional headers, because it makes the request just as if it were making it on its own behalf, and then turns around and sends the response back. So although some anonymity is being provided, the vulnerability is that the IP address of the sender is stored in the cache on the service, where it can be retrieved by those parties who have access to the proxy and matched to actions. You cannot see which user is doing what, unless just one user is using the proxy, in which case it is obvious who they are and what sites they are visiting, because anything they do is being done on their behalf by the proxy. When two users are using the proxy it becomes more difficult. However, by looking at the timing of the arrival and departure of packets and the relative sizes of the packets, you could still probably disambiguate the actions of two users across a single proxy. Increase the number of users on the proxy to four, five, six and so on and it becomes increasingly complicated to disambiguate queries, but it’s not impossible. Whoever has access to the proxy could just capture a huge blob of traffic and then take it offline for analysis, to any level of detail needed, in order to determine who was making queries where. In effect, a single proxy cannot guarantee anonymity.

The Onion Router (Tor)

The Onion Router is a programme that builds a “massive network of nodes controlled by all kinds of distributed entities all over the globe and foreign countries”, an “anonymous secure private tunnel” (or some such), designed to give an individual complete anonymity. As of the end of April 2014 Tor comprised 4500 relays, of which 1000 are exit relays [vii].

Tor was originally designed, implemented and deployed as a third-generation onion routing project of the Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by the military, journalists, law enforcement officers, activists and many others. For example, journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organisations (NGOs) use Tor to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organisation. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. EFF has also previously funded the development of Tor [ii]. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Law enforcement uses Tor for visiting or surveying web sites without leaving government IP addresses in their web logs, and for security during sting operations [iii].

The beauty of this massive network of nodes controlled by all kinds of distributed entities all over the globe and in foreign countries, and of not needing to trust individual nodes, is that no government is the sole controller. This means that no government can issue a subpoena and demand to know who is using the service. Tor will never be legally forced to do something it would rather not do [iv]. Governments can be pretty persuasive.

How does Tor work?

To use Tor you first need to install the Tor client; the Tor software gives access to the Tor network. Once installed you can see a world map displaying all currently active, publicly advertised Tor entry nodes. You only have to connect to one of these to be able to use the internet securely.

Your client searches for a Tor entry node, and you choose the exit node and the number of hops. The route is chosen automatically. What happens next is that you start from the last Tor node in the route (the exit node) and build what is referred to as an onion: an onion because the encryption is created in layers, and decryption can be likened to peeling off the layers of the onion. This works much like a VPN, if you are familiar with how one works: the payload is encrypted with a randomly generated symmetric key, the symmetric key is encrypted using an asymmetric (public) key, and in order to decrypt the payload you first need the matching private key to decrypt the symmetric key.

All Tor nodes have a key pair: their own private key, which only they know, and a public key. This key pair is created using a special one-way algorithm. Encryption can be done using their publicly available key, which everyone can know, and once encrypted, that data can only be decrypted using the matching private key that each specific Tor node keeps secret. Tor is effectively building nested tunnels that provide, at each layer, origin authentication along with confidentiality and integrity of data.

To create a private network pathway with Tor, your client incrementally builds a circuit of encrypted connections over Tor nodes. The circuit is extended one hop at a time, and each node knows only which node gave it data and which node it is giving data to. No individual node knows the complete path that a data packet has taken. The client negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop cannot trace these connections as they pass through. This is nested multilayer encryption: each layer is encrypted with a successive Tor node’s public key, which only that node knows how to decrypt, and each layer contains a symmetric key that was generated randomly by the user’s client.


When you have finished creating the onion with your Tor client, you give it to the first Tor node in the chain to decrypt the outer layer. The Tor node uses its private key to decrypt the outer layer of the onion and finds a symmetric key, which it uses to decrypt the outer layer of the packet and the routing instructions for the next Tor node. The packet is still encrypted N minus one times, using keys it has no knowledge of, because those keys are buried in layers of the onion that were encrypted using the public keys of the other Tor nodes and can only be decrypted using their private keys.

There is no way to know, by looking at the onion, what the path will be. Only the Tor node that decrypts its layer knows the identity of the next node in the chain. It knows nothing about any other nodes in the chain. It doesn’t even know how many other nodes there are. So this onion then moves through the Tor network, giving each node only the information it has to have: how to decrypt what it receives, and who to send it to.
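The layering just described, as an added toy model (not code from this post or from the Tor Project): each relay gets a freshly generated symmetric key wrapped with its public key, plus the next hop and the inner layer encrypted under that symmetric key, and peeling one layer reveals only the next hop. Textbook RSA on 64-bit primes and a SHA-256 keystream are assumed stand-ins for real ciphers; real Tor negotiates its keys one hop at a time rather than shipping a whole pre-built onion.

```python
# Added toy model of the onion described above, not code from the post or
# from the Tor Project. Toy RSA and a SHA-256 keystream stand in for real ciphers.
import hashlib, json, os, random

def is_probable_prime(n, rounds=20):
    """Miller-Rabin test for odd n > 3; enough for a toy keypair."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all(
                pow(x, 1 << r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def toy_prime(bits=64):
    while True:
        p = random.getrandbits(bits) | 1 << (bits - 1) | 1  # odd, full size
        if is_probable_prime(p):
            return p

def rsa_keypair(e=65537):
    """Toy RSA keypair: public (n, e), private (n, d). Not a secure size."""
    p, q = toy_prime(), toy_prime()
    while p == q or (p - 1) % e == 0 or (q - 1) % e == 0:
        p, q = toy_prime(), toy_prime()
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def stream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (toy symmetric cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(path, pubkeys, payload):
    """Wrap from the exit outwards: per relay, a fresh symmetric key wrapped
    with its public key, plus next hop and inner layer under that key."""
    blob = payload
    for i in range(len(path) - 1, -1, -1):
        n, e = pubkeys[path[i]]
        sym = os.urandom(12)  # 96-bit key, always smaller than the 127-bit n
        nxt = path[i + 1] if i + 1 < len(path) else "DESTINATION"
        inner = json.dumps({"next": nxt, "body": blob.hex()}).encode()
        blob = json.dumps({"wrapped_key": pow(int.from_bytes(sym, "big"), e, n),
                           "enc": stream_xor(sym, inner).hex()}).encode()
    return blob

def peel_layer(privkey, blob):
    """One relay's work: unwrap its key, strip its layer, learn only the next hop."""
    n, d = privkey
    layer = json.loads(blob)
    sym = pow(layer["wrapped_key"], d, n).to_bytes(12, "big")
    inner = json.loads(stream_xor(sym, bytes.fromhex(layer["enc"])))
    return inner["next"], bytes.fromhex(inner["body"])

def run_circuit(path=("entry", "middle", "exit"), payload=b"GET / HTTP/1.1"):
    """Generate relay keys, build the onion, let each relay peel in turn.
    Returns ([(relay, next hop it learned), ...], recovered payload)."""
    keys = {name: rsa_keypair() for name in path}
    onion = build_onion(list(path), {k: v[0] for k, v in keys.items()}, payload)
    hops, blob, current = [], onion, path[0]
    while current != "DESTINATION":
        nxt, blob = peel_layer(keys[current][1], blob)
        hops.append((current, nxt))
        current = nxt
    return hops, blob
```

The constructed three-hop path shows each relay learning exactly one next hop; `run_circuit` also accepts longer paths, since the layering is the same for any number of hops.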

Another factor that enhances the anonymity provided by Tor is the number of people who use it; this actually makes it more secure [v]. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected.

What’s more, Tor pads packets out to a fixed size. This is to make traffic analysis based on packet size, as shown in the simple proxy example, impossible. No matter how big the packets actually are, Tor pads them out to full size so that all packets moving among the routers within the onion router system are the same size.

Tor, however, is slow. It will turn a fast broadband connection into a pre-millennium dial-up connection. Websites take a long time to load, and pictures reveal themselves a nail-biting line at a time. What’s more, some research has been done on identifying vulnerabilities in Tor, and this is shown in the following diagram at the exit relay. If the exit relay is owned by malicious parties, there is a chance of a man-in-the-middle (MitM) attack. Find more here.

[Diagram: Tor circuit, showing the exit relay referred to above]

.onion and the rabbit hole

Tor also has a .onion pseudo domain, which is Tor’s intranet. Hosted on Tor servers, connections to these sites are encrypted from beginning to end. The web surfer is completely anonymous. Nobody knows who you are, and you don’t know who anybody else is. Many .onion domain names are very difficult to find. It requires patient searching on the Internet to find one. And when one does, one’s perception of the Internet instantly morphs. Like Alice in Wonderland, tumbling down the rabbit hole, the route from one’s computer to the final Tor exit node changes into a long dark corridor with many, many locked doors running along it. Except, you can only see the doors that you know about, and then those doors might also be locked. If one taps on a stretch of wall long enough, another door might appear. Tor is the portal into what is known as the darkweb, or deepnet (Freenet [vi]).

Navigating through feels like playing an old text-based adventure game: if you don’t know exactly what command to write, you aren’t going to be able to turn left, turn right or put the silver key in the brown door. Now jump over a few walls to a quieter part of town, and knock on a nondescript door leading to a much darker, seedier underworld. For those that find the doors and the pass codes, there are forums where they practise complete freedom of speech; forums where the rules of our physical world don’t apply. Places where you can say whatever you want about whatever topic you can think of, without fear of recrimination. This concept of complete freedom of speech feels liberating in a very fundamental way. As you dive deeper into the rabbit hole, you will discover that it is liberating for other people too. Not just for those like yourself, trying to escape Government monitoring in repressive regimes and searching for the truth, but also for those with criminal intentions, and for those looking for places to release their abnormal desires. The .onion network is a breeding ground for paedophiles.

These specific forums are buzzing with activity in a perverse way. It is an upside-down world, where paedophiles have created meeting places to exchange child pornography, tips on how and where to find victims and advice on successful ‘grooming’ techniques, basically fulfilling the role of what we would associate with a peer support group in the physical world. The impact of these groups is profound, in that paedophiles are able to ‘normalise’ abnormal desires, enabling them to view their behaviour as socially acceptable and possibly lowering their inhibitions to act on impulses that would otherwise remain fantasy. If you unexpectedly end up in this rabbit hole, you will not be able to resist making yourself heard: tell them they are sick, cyber-YELL at them that they are not normal, or threaten that you will “report them to the TOR administrator,” to which they will reply “Fool, we run TOR!”

Freedom of Speech vs. darkweb

Tor and the .onion network give those living in repressive regimes a glimpse of the truth, and a freedom of speech that would otherwise be impossible. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Nonetheless, if you go there and end up down one of those rabbit holes, you will find that there is a dark side of Tor: the darkweb. How does one end up there?

It is the distributed nature of Tor that means no single organisation, legal or not, country or person can claim to run Tor completely, although some entities may feel that they do. Finally, the question that begs to be asked is: are those ethical organisations and persons that support Tor, both financially and otherwise, to all intents and purposes fuelling the darkweb and all it represents, even if this is unintentional? This is also a question that begs to be answered…

[i] Oqvist, K. (2009), Virtual Shadows: Your Privacy in the Information Society, ISBN 978-1-906124-09-0, British Computer Society

[ii] Tor development is coordinated by the Tor Project, Inc., a 501(c)(3) not-for-profit organization. See http://www.torproject.org/ (last accessed 16 March 2010).

[iii] Tor (2009), http://www.torproject.org/torusers.html.en (last accessed 16 March 2010).

[iv] Gibson, S. & Laporte, L. (2006), Security Now! podcast transcript, episode #70, Achieving Internet Anonymity, http://www.grc.com/sn/sn-070.htm (last accessed 16 March 2010).

[v] Acquisti, A., Dingledine, R. & Syverson, P., On the Economics of Anonymity, http://freehaven.net/doc/fc03/econymics.pdf (last accessed 16 March 2010).

[vi] Freenet users basically share unused hard drive space to participate in a distributed Freenet database; what this means is that each user gives up a chunk of their hard drive in return for being able to use chunks of everybody else’s hard drive in this network.

[vii] Spoiled Onions: Exposing Malicious Tor Exit Relays, http://www.cs.kau.se/philwint/spoiled_onions/

I’ve been thinking more about the Sony Pictures story… it has been mentioned that it could be an insider job. What this means is that all information needs to be protected, not just within the organisation, but between each individual identity.

Every business process in an organisation should be protected cryptographically; there should be a thread of traceability leading to the originating source. Only the authorised parties involved in any digital interaction should have access to the information being moved around, or, as a matter of fact, to information at rest. All email communications should also be encrypted, and only the creator of the content and the recipients should be able to read communications and attachments. Creators of information should have absolute traceability in every one of their digital interactions that could be part of a business process.

But how to do this? Like an elephant… you know how to eat an elephant? One small piece at a time, so you don’t get indigestion. So the answer is that one should take and work with one business process at a time, building piecemeal a secure, water-tight shield across an organisation’s information assets, including its people.


It’s been a chilling experience for Sony Pictures, and a little surreal for those observing. It could be one of their movies….

Bruce Schneier has some thoughts. The hacking incident has shocked many, although any of us in information security may not be particularly surprised.

After many years in information security I am continually disappointed by the lack of focus there is on securing an organisation’s information assets. This includes intellectual property (IP), and any information that needs to be protected in generating IP. The focus on being ‘compliant’ and finding ways to get that tick in the box, without being really serious about doing what is right, is worrying. I wrote a post in April this year that dives into this subject.

Of course, if an organisation is not serious about protecting its IP, how can you expect it to protect your personal information as employees, customers and partners? The lack of measures taken to secure employee personal information brings home the fact that when it comes to securing our personal data, and anything we generate, i.e. our digital footprint, it is up to us all individually to take control. It seems that we can’t trust anyone else…

But how is this possible? Well, take a look at Lequinox: they have turned the identity paradigm upside-down. See if you can get your head around this way of thinking. They are empowering the individual, so that each one of us takes control over what belongs to us. You control (and legally own) your digital identity and your digital footprint, and every identity in the world controls their own identity. It is the Lequinox technology, with its cryptographic black box of magic, that makes this possible. If you understand this, you will see that in the future, potentially, it is you that is in control…

Great read from Panopticon blog… they provide essential legal insights into issues pertaining to personal privacy. Read about what they have to say here.
