Dear friends,
The following is a follow-up to my recent post about communication security (ComSec). I decided to write it after reading the comments to the original post which clearly showed to me that there was a dire need of even basic information about ComSec. I am going to try to keep it very, very basic so please bear with me.
First and foremost – security is a threat-driven exercise. You cannot protect against “anything”. You cannot protect against something diffuse like “they” or “the powers that be” or even “the US government”. You can only protect against a specific threat. Let’s take an example: as soon as we discuss the protection of our computers we think of the NSA. This is normal, since the NSA is the arch-villain of the IT world and the US government the number one “rogue state” on the planet. However, what is missed here is that the NSA has no interest in most of us. But the US IRS (revenue service) might. What you have to realize here is that the NSA has means which the IRS does not and that the NSA has absolutely no intention of sharing any information with the IRS. In fact, the US IRS also probably does not care about you. The folks most likely to spy on you are your bosses, your colleagues, your family and your friends (sorry! don’t get offended; it’s more or less the same list for those most likely to murder you too). In fact, some people close to you might even want to report you to the IRS in order to get you in trouble. Once you understand that, you can also conclude the following:
- All security planning must begin with the question “what is the threat?”
- Giving up on ComSec because the NSA can probably beat you is plain stupid, unless you are somebody really important to the NSA
Second, both spying and ComSec are cost-driven. Yes, even the NSA has a limited (if huge) budget. And yes, even the NSA has to prioritize its efforts: shall they use their supercomputers, translators, analysts, senior officers, etc. to spy on, say, the girlfriend of a senior Chinese diplomat or to spy on you? It is true that all our communications are intercepted and recorded. This is especially true of the ‘metadata’ (who contacted whom and when and how and how often), but it is also true of our more or less ‘secure’ communications, be they protected by a very weak encryption algorithm or a military-grade encryption system. Once that data is stored, the NSA has to parse it (mostly looking at the metadata) and decide how many resources it is willing to allocate to your specific case. No offense intended, but if you are a small pot grower with a history of political activism who emigrated to the USA from, say, Turkey 10 years ago and if you are emailing your friends in Antalya, the NSA would need to decrypt your email. That would take them less than 1 millisecond, but somebody needs to authorize it. Then they would have to get a machine translation from Turkish into English which will hopefully be good enough (I am quite sure that the few Turkish-language translators they have will not be allocated to you, sorry, you are just not that important). Then some analyst must read that text and decide to pass it on to his boss for follow-up. If the analyst finds your email boring, he will simply send it all into a virtual trash bin. Conclusions:
- For the bad guys, spying on you must be worth their time as expressed in dollars and cents, including opportunity costs (time spent *not* going after somebody more important)
- It is exceedingly unlikely that the NSA will put their best and brightest on your case so don’t assume they will.
Third, security flaws are like bugs. Okay, this is crucial. Please read up on the so-called “Linus’ Law” which states: “given enough eyeballs, all bugs are shallow“. This “law” has been paraphrased in Wikipedia as such: “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.” I would paraphrase it as such: the most effective manner to detect and eliminate bugs (such as security flaws) in software code or mathematical algorithms is to have them available for review by experts and to ensure that as many experts as possible have a strong stake in very carefully reviewing them. Now before proceeding I need to debunk a huge myth: the US government has more means than anybody else on the planet. That is absolutely false. Think of it: to work for the NSA, you not only need to have a US passport, but a high-level security clearance. Right there, you have rejected almost all Chinese, Indian or Russian candidates (along with millions of US Americans!). You might reply that the NSA has more money. Wrong again! Take a look at this article which begins with the following absolutely true, if amazing, statement:
The total development cost represented in a typical Linux distribution was $1.2 billion. We’ve used his tools and method to update these findings. Using the same tools, we estimate that it would take approximately $10.8 billion to build the Fedora 9 distribution in today’s dollars, with today’s software development costs. Additionally, it would take $1.4 billion to develop the Linux kernel alone. This paper outlines our technique and highlights the latest costs of developing Linux. The Linux operating system is the most popular open source operating system in computing today, representing a $25 billion ecosystem in 2008.
Let me ask you this: did you ever think that the free software community, using a de-centralized development model, would be able to produce a product which the corporate world or a government would need to spend more than TEN BILLION dollars to develop? Let me give you another example: Debian, which is the “ultimate” GNU/Linux distribution, has over 1000 developers and package maintainers worldwide (including Chinese, Indians, Russians and Americans without a security clearance) who are selected by showing the Debian community that they are the best at what they are doing. Do you really believe that the US government could hire that amount of top-level coders and then manage them? I remind you that the NSA is an “agency”, meaning that it is a bureaucracy, run by people who have risen to their level of incompetence according to the “Peter Principle“. Such agencies are slow to adopt new technologies or methods, they are inherently corrupt (due to their secrecy), they are permeated with the “where I sit is where I stand” mindset which leads to a strong opposition to progress (since if you are used to doing X you will lose your job or will have to re-train if Y is introduced) and they are hopelessly politicized. Buck per buck, brain per brain, the free software community is vastly more effective than this gargantuan mega-agency.
And then there is academia. There are superb technical institutes worldwide, many in China and India, by the way, which are filled by the best and brightest mathematicians and cryptologists who are not only competing against each other, but also against all their colleagues worldwide. The “eyeballs” of these people are focused with great attention on any new encryption algorithm developed anywhere on the planet and the first thing they look for are flaws, simply because being the guy (or group) who found a security flaw in a previously assumed flawless algorithm is a guaranteed claim to fame and professional success. Most of these folks are far more driven than the bureaucrats at Fort Meade! But for them to be able to do their job it is absolutely crucial that the code of the encryption application and the actual encryption algorithm be made public. All of it. If the source code and encryption algorithm are kept secret, then very FEW “eyeballs” can review them for flaws. The conclusions from that are:
- The assumption that the NSA is miles ahead of everybody else is plain false.
- Placing your trust in peer-reviewed software and encryption algorithms is the safest possible option
- The worldwide hacker and academic communities have superior means (in money and brains equivalent) to any government agency
Using sophisticated ComSec technologies only draws unwanted attention to you. This one was very true and is still partially true. But the trend is in the right direction. What this argument says is that in a culture where most people use postcards to communicate, using a letter in a sealed envelope makes you look suspicious. Okay, true, but only to the extent that few people are using envelopes. What has changed in the past, say, 20-30 years is that nowadays everybody is expecting some degree of security and protection. For example, many of you might remember that in the past, most Internet addresses began with HTTP whereas now they mostly begin with HTTPS: that “s” at the end stands for “secure”. Even very mainstream applications like Skype or Whatsapp use a very similar technology to the one justifying the “s” at the end of HTTPS. We now live in a world where the number of users of sealed envelopes is growing while the usage of postcards is in free fall. Still, it IS true that in some instances the use of a top-of-the-line encryption scheme will draw somebody’s attention to you.
[Sidebar: I have personally experienced that. In the late 1990s I used to use PGP encryption for email exchanges with my Godson. Sure enough, one day my boss called me into his office, presented me with the printout of an encrypted email of mine and asked me what this was. My reply was “an encrypted message”. He then proceeded to ask me why I was encrypting my emails. I replied that I did that to “make sure that only my correspondent could read the contents”. He gave me a long hard look, then told me to leave. This incident probably greatly contributed to my eventual termination from that job. And this was in “democratic” Switzerland…]
My advice is simple: never use any form of encryption while at work or on the clock. If your email address is something like $fdJ&3asd@protonmail.com your employer won’t even know that you are using protonmail. Just keep a reasonably low profile. For public consumption, I also recommend using Google’s Gmail. Not only does it work very well, but using Gmail makes you look “legit” in the eyes of the idiots. So why not use it? Conclusions:
- Using advanced ComSec technologies is now safe in most countries.
- The more private users and industry become ComSec-conscious (and they are doing so), the safer it will be to use such technologies
The weakest link in a chain determines the strength of the chain. The US government has many ways to spy on you. You can use the most advanced encryption schemes, but if your computer is running Windows you are *begging* for a backdoor and, in fact, you probably already have many of them in your machine. But even if your operating system is really secure like, say, OpenBSD or SEL-Debian, the NSA can spy on you through your CPU, or through the radiation of your computer screen, or even by installing a key-logger in your keyboard or a simple camera in your room. Most so-called “hacks” (a misnomer, it should be “cracks”) are traceable to a human action, not pure technology. So you should not just blindly trust some advanced encryption scheme, but look at the full “chain”. However, while it costs Uncle Sam exactly *zero* dollars to use a backdoor preinstalled with Windows, it would cost him a lot more to direct a crew of humans to install a camera in your room. So fearing that the NSA will use any and all of its tools to spy on you is also plain stupid. Chances are, they won’t. You are just not that important (sorry!). The conclusions here are:
- Your ComSec depends on its weakest link, and in order to identify this link you need to acquire enough knowledge to understand the full chain’s function and not rely on one, even very cool, gadget or app.
Trust is always relative but, when carefully granted, beats distrust. I hear a lot of sweeping and nonsensical statements like “I will never trust any technology or corporation” or “I will never trust any encryption scheme”. These sound reasonable, but they are anything but. In reality, we don’t have the option of “not trusting” any more. We all use cars, computers, RFID chips, smartphones, GPSs, the Internet, credit cards, etc. Those who say that they don’t ever trust anybody are just lying to themselves. The real question is not “trust vs distrust” but how to best allocate our trust. To go with open source code and public encryption algorithms is far more rational than to refuse to use any ComSec at all (we all know that the post office, and many other people, can open our mail and read it – yet we still mostly use sealed envelopes and not postcards!). If ComSec is important for you, you really ought to ditch your Windows or Mac/Apple machines. They, like anything Google, are basically a subsidiary of the NSA. If you use remote servers to provide you with “software as a service”, try to use those who have a stake in being peer-reviewed and who only use open source technologies (Silent Circle’s Silent Phone is an example). There are public interest and “watchdog” type organizations out there who will help you make the right choices, such as the Electronic Freedom Foundation. Conclusions:
- We live in a complex and high technology world. While you can reject it all and refuse to use advanced technologies, you thereby also make yourself the ideal passive sheep which the powers that be want you to be. What the powers that be are terrified of are the cyberpunks/cypherpunks, free software hackers, folks like Assange or Snowden and institutions like Wikileaks. They are so terrified of them that they *reassure* themselves by claiming that these are all “Russian agents” rather than look at the terrifying reality that these are the natural and inevitable reaction to the worldwide violation of human and civil rights by the AngloZionist Empire. It is your choice whether to educate yourself about these issues or not, but if you choose to remain ignorant while paranoid the powers that be will give you a standing ovation.
- Placing your trust in X, Y or Z does not have to be a ‘yes or no’ thing. Place as much trust in, say, open source software as you deem it to deserve, but remain prudent and cautious. Always think of the consequences of having your ComSec compromised: what would that really do to you, your family, your friends or your business? It is a dynamic and fast moving game out there, so keep yourself well informed and if you do not understand an issue, decide whom amongst those who do understand these issues you would trust. Delegating trust to trustworthy experts is a very reasonable and rational choice.
The real cost of security will always be convenience: the painful reality is that good security is always inconvenient. In theory, security does not need to harm convenience, but in reality it always, always does. For example, to become more or less proficient in ComSec you need to educate yourself, and that takes time and energy. Using a key to enter a home takes more time than opening an unlocked door. A retinal scan takes even more time (and costs a lot more). You might also spend a great deal of time trying to convince your friends to adopt your practices, but they will reject your advice for many more or less valid reasons. The key question here is “is it worth it?” and that is a personal decision of yours to take. Also, you will need to factor in the costs of not using high-tech. You can email a friend or meet him face to face. But in the latter case, you need to ask yourself how much time and money it will take for you two to meet, how easy it will be for the bad guys to eavesdrop on your whispered conversation, how fast you could transmit any information by such means or whether physically carrying sensitive information to such a meeting is a good idea in the first place. Conclusions:
- Going low-tech might be far more costly and less safe than intelligently using high-tech solutions.
- “No-tech” at all is usually the worst choice of all, if only because it is delusional in the first place.
Conclusions:
I tried to debunk some of the many myths and urban legends about ComSec in general and an agency like the NSA in particular. I had the time to do that once, but since this topic is not a priority for this blog, I won’t be able to repeat this exercise in the future. I hope that this has been useful and interesting; if not, I apologize.
Starting next week, we will return to our more traditional topics.
Hugs and cheers,
The Saker
Thanks, Saker. I have been active on the net in Europe fighting the extremists in Ukraine for some years. Strange things started happening. My router’s DNS was changed and I had to surf through a slow spam site. I fixed it, updated the software and got myself a strong password. Then Windows started updating itself suddenly. One day some hundred updates were installed and the next day almost as many. My computer was effectively locked for several hours every time. Windows has also shut itself down a couple of times. My rather new Windows surfs like a very old version on an old computer. Somebody from abroad logged into my web email account and I found that out in the log. Other strange things also happened.
I was able, thanks to no small extent to the blog, to post information that drove somebody crazy. I posted information about Mirotvorets, the Ukrainian death list, for example. I fought almost alone and was insulted almost every time I posted.
Who was after me? Not the authorities in my country, but probably the Ukrainian SBU or NATO’s Stratcom. Please everybody, pay attention to your router. That is something everybody can do.
Never give up if you are an activist. I will continue, but one thing I will never do. Visit Ukraine.
If a majority encrypts mail, we don’t stick out if we do it, but everything we write on social media can easily be monitored.
The first thing you absolutely MUST do before engaging in any political activity online is ditch your Windows OS. Keep it for gaming if you must, but use a separate machine for your political activities. Second, you need to install a 100% open source Linux distro specializing in security. I won’t tell you which one – there are many choices – that is a decision you will have to take for yourself; just make sure a) the distro is fully open source and free software, b) it has a strong and vibrant community supporting it and c) it is actively maintained.
Second, don’t make assumptions about who is after you: yes, it could be the SBU, but it could also be Ukro-Canadian script kiddies or even locals.
Third, yes, router and DNS based attacks are very frequent. Either use commercial routers (which you don’t administer and thus which are not associated with you) or use public wifi. As for DNS, make sure to closely monitor your DNS settings and only access websites when you are sure it is the real thing.
Finally, you can also simply hide: use forums, or even MMPG games to communicate with your contacts. You can also separate the metadata from the message: use one means to tell your correspondent that there is a message and another one to deliver that message. You can hide messages almost anywhere on the Internet – this is easy. Just read up on these kinds of “guerrilla techniques”.
Good luck!
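The reply above tells the reader to closely monitor their DNS settings after a router hijack. As an added example (not code from the post or from any commenter), the Go program below parses a resolv.conf-style file and reports every nameserver that is not on an allow-list the owner maintains, marking whether the stray entry is a public address; the allow-list value 192.168.1.1 and the sample file are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strings"
)

// Finding describes one nameserver entry that is not on the owner's allow-list.
type Finding struct {
	Address string // the literal value from the nameserver line
	Public  bool   // true for a routable address (not LAN, loopback or link-local)
}

// UnexpectedResolvers parses resolv.conf-style text and returns every
// nameserver that is not one of the allowed addresses. A hijacked router or a
// silently rewritten config typically shows up as a public address the owner
// never configured. Note: on systemd-resolved hosts this file usually lists
// the local stub 127.0.0.53, so the real upstreams must also be checked with
// `resolvectl status`.
func UnexpectedResolvers(resolvConf string, allowed []string) ([]Finding, error) {
	allowedSet := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		ip := net.ParseIP(a)
		if ip == nil {
			return nil, fmt.Errorf("allow-list entry %q is not an IP address", a)
		}
		allowedSet[ip.String()] = true // canonical form, so "::1" and "0::1" compare equal
	}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		fields := strings.Fields(line)
		if fields[0] != "nameserver" || len(fields) < 2 {
			continue // "search", "options" and malformed lines are not resolvers
		}
		raw := fields[1]
		addr := raw
		if i := strings.IndexByte(addr, '%'); i >= 0 {
			addr = addr[:i] // drop an IPv6 zone such as "%eth0" before parsing
		}
		ip := net.ParseIP(addr)
		if ip == nil {
			findings = append(findings, Finding{Address: raw}) // unparsable: always report
			continue
		}
		if !allowedSet[ip.String()] {
			local := ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast()
			findings = append(findings, Finding{Address: raw, Public: !local})
		}
	}
	return findings, sc.Err()
}

func main() {
	// Assumption: the home router at 192.168.1.1 is the only resolver this host should use.
	allowed := []string{"192.168.1.1"}
	data, err := os.ReadFile("/etc/resolv.conf")
	if err != nil {
		fmt.Println("cannot read resolver config:", err)
		os.Exit(1)
	}
	findings, err := UnexpectedResolvers(string(data), allowed)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("unexpected nameserver %s (public=%v)\n", f.Address, f.Public)
	}
	if len(findings) > 0 {
		os.Exit(2) // non-zero so a cron job or login script can alert on it
	}
}
```

Run it from a login script or a periodic job; a non-zero exit with a public address listed is the signal that the resolver configuration has changed under you.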
You are right, Saker. Some computer savvy Ukie could have hacked my router and my computer. You are also right about Windows. I am taking steps to find a good Linux version. I am not sure I can trust SuSe anymore. Perhaps Debian is the best choice. Can I download a version on the net? How can it be installed if I run Windows? I am not up to date on that. I will ask one of my children to buy a version of Debian, a version on a DVD. I am not as mobile as before.
In the 90s, Usenet was a good place to post anonymous messages by using a chain of remailers. Now I don’t know if that is possible. Private Idaho was a good help then, but it is not updated anymore.
What really worries me is that my computer suddenly slowed down. I surf at the same speed I had when I used a 14.400 modem, except when I visit youtube.
Thank you for reporting that routers are often attacked. That is a wake up call for everybody. Please get a copy of your two DNS and learn how to communicate with the router. It took me only a couple of hours to get back on the net and protect the router.
Dear Saker,
The proportionality, calmness and realism of your analysis is GR8 !
A couple of points: open software can be compromised, a “million” eyes notwithstanding:
https://duckduckgo.com/?q=fbi+openbsd+backdoor+confession+&ia=web
and serious skepticism: https://www.schneier.com/blog/archives/2010/12/did_the_fbi_pla.html
Previously, you had recommended a net book based on google chrome. All things considered, is a Linux ( Debian ) on a used laptop more secure than relying on those who “do no evil” ?
To elaborate on what Anonius says below, pure bridging from a broadband router to a separate dedicated linux ( laptop ) that acts as a router and has its wifi set to act as an antenna (i.e. as a hotspot ) seems “in good taste.”
> Either use commercial routers (which you don’t administer and thus which are not associated with you)
they will be associated, by the traffic content.
it is like social networks – you may use “anonymous” nicknames there, but the mere structure of relations – to friends, relatives, colleagues – would “de-anonymize” you fast if only anyone would need it.
Now, about routers and other home appliances.
1) yes, they can be cracked. That is the Internet-of-things disease. Like with industrial-control software (Iranian uranium enrichment facility, remember), but now in every home. They are rolled out, but as soon as end-of-production is reached they are no longer supported. So all the bugs that were there will remain there.
With ISP-provided routers it only would get worse – you would have some el cheapo box, and all the routers of the ISP would have the same password, so that the Bangaloored helpdesk could, when your grandma cries on the phone, just connect to the damn box and fix it themselves, rather than explaining basic tech to her.
IOW, ISP-provided routers are like cypher-wheel locked Safeboxes put into a public place and all having the same digital password. And their firmware would most probably stop being upgraded even earlier than that of their off-the-shelf alternatives.
2) security vs convenience – ooooh! ooooh! It is such a funny thing. Typically it is said that Windows trades security for convenience and Linux makes the opposite choice. Perhaps it is, but it is not the same for users. Would you trust Richard M. Stallman? But then read his hysterical rant about C.U.P.S. – printing system. RMS goes crazy exactly because Linux dares to be secure and does not give away his resources to anyone. It is a well known paradox – when security is perceived as complex – people just turn it off (maybe together with the hardware – routers, phones, laptops – just purchasing less secure ones), instead of learning and tuning. Again, was it worth it?
So, back to routers.
1) does your router have Wi-Fi ?
1.1) old routers had default non-encrypted Wi-Fi – basically anything could connect to it. Yes, that was simple for owners. And for their neighbors. And for anyone playing “war-chalking”.
1.2) less old routers had WEP pseudo-encrypted Wi-Fi. And some still do. Because old iPhone phones can not do real Wi-Fi security, so it is left there to go on.
1.3) WPA encryption came, and W.P.S. came too. If W.P.S. is enabled with the pin-code option ( convenience! ) – then one may say there is practically no encryption, again. Push-button-only WPS I think is secure.
2) Then, what about your computer itself? You can have a very secure (from outer perimeter) router, but using standard admin/admin password from-inside (convenience!).
2.1) As soon as your computer or phone got compromised, they would cut your router open from within the perimeter.
2.2) Yours are secure? What about guests – friends, relatives, friends of relatives, etc? They came to a party and you connect them and… You guessed it. Especially with Windows 8+ having that feature of automagically sharing wi-fi connections with your friends/family. Convenient? absolutely. Secure? “weakest link of a chain” – and here you just incorporate any unknown chain your friends came with.
Now, there were routers who had the telnet/ssh port always open on the outer connector. You only could change official settings via WWW-setup from inside your home, but ISPs could just enter the root terminal inside your router and change ANY setting there. It was a bug, but how many people would upgrade their firmware?
So, basically, if you really want a secure router, then you buy the router only to remove the standard firmware and install something like OpenWRT/DD-WRT (or BSD analogues). And then you bother with installing it (you would have to recognize what router was really sold to you, official brand and title are not always informative), and seeing if it would be stable or buggy-dizzy (debugging OS freezes on routers is almost impossible, if comparing with desktop or laptop). Imagine it will, you read a lot and pre-selected your one true router firmware of choice, you purchased the recommended hardware for it, and it all installed like a charm. Or you purchased some semi-professional MikroTik boards. Now you suddenly have to set it up. And since both open firmwares and MikroTiks are “by geeks for geeks” – you would have QUITE the learning curve. …And then one day people who – in their spare time – were making firmwares for your box would just purchase themselves a newer router and your model would become non-supported. No more updates, unless you became a Linux/BSD pro enough to make it yourself. So, see, no silver bullet. But granted that way you would get more features and more security and a longer time with updates than with stock firmware. But you would have to invest much more time also.
@ Anon
I second what Saker said above.
I was never involved in any activism, but I started using Debian when it was “in its infant stages”. The learning process was painful, but thanks to my son in law, who was a Unix guru, I moved forward and never looked back. To make things short, you have to invest in a small computer which you will use as your own firewall. IP-Tables, a part of the Linux kernel, will put a wall between you and any attempt to break in to your system. The basic rule is: block every port and open only small windows for the necessary things. Believe me, Linux logs tell you an incredible story of break-in attempts to your system. You do not need to use secure Debian, regular will do, but you must be firm on your security rules. Oh yes, turn off all the options in your cable modem, set it for pure bridging. Everything should be done by your own equipment.
Have a safe internetting.
comparing IPChains and Windows local firewalls, the latter may be a head ahead.
IPChains only know which ports are used, but they don’t know which program.
Same about standalone separate-box firewalls.
Say, your computer is reaching port 25 SMTP service – is it legit or not?
Well, if your e-mail client program is connecting it – it is legit. If some other program – it is probably a virus bot, trying to send spam. But from outside it all looks the same.
About 15 years ago that was how I learned I caught a virus – in a VIDEO file, guys, the Microsoft WMV format of video provides means to download and install “DRM updates” from any place, and those “DRM updates” could be viruses. Microsoft said “it is your fault for downloading bad video from bad sources, we just gave tools”. But after I watched the video my firewall went nuts about some set of new unknown programs reaching out to the network. And by doing it it not only set me on alert but also logged me the list of the virus instances to clean out.
Good windows firewalls can (at least in theory) even snapshot process files and inter-process communications. Say, what about a virus who would open Internet Explorer and send-receive information via it ? A good Windows local firewall would instantly get at you, that it is not how you usually run Internet Explorer. Did a virus install a Microsoft Office add-on to communicate out every time you open a spreadsheet or a document? A good antivirus would cry out about unknown DLLs.
….and then you would fail to understand what this fuss is all about and would just go into one of the equally harmful “enable all” or “disable all” modes. Convenience, convenience….
But at least there is a way. With Linux IPChains – and more so, with a stand-alone firewall in the router or a dedicated box – you don’t have an introspective look. You only see that your computer opens the HTTP/80 or HTTPS/443 port, or SMTP, or XMPP, or IRC, or… a standard port. And you enable it because it is, well, standard. But you do not know WHAT was using those ports, a legit program or a trojan. If your virus is made like a XULRunner, that opens Gecko (Mozilla engine) to do all its communication for it, then how would IPChains tell the bot-originated HTTP traffic from user-originated and from different software monitors doing their regular update syncs ( twitters, facebooks, browser add-on checks, etc) ?
@Anon
One more thing, Never use Windows for anything on the internet. You can use Windows for internal things only and turn off any updates and upgrades.
I wrote about social media and forgot something. HTTPS encrypts with 256 bits, as I recall. Military grade was 512 in the 90s. 256 is nothing.
Even 512 is old. GnuPG uses up to 4096. Besides, this depends on the algorithm and the key: a symmetrical session key can be huge if it is fast, while the main asymmetrical encryption key will become slow if too big. One way to deal with that is to combine the two: encrypt your data with a symmetrical session key to go fast enough and then encrypt that key itself with a much larger and slower asymmetrical public key.
SSL/TLS (the beast below HTTPS) is a hybrid thing. Diffie-Hellman, AFAIR,
It starts with a slow “handshake” using asymmetric crypto to negotiate a random one-time key, then that key is used by a fast symmetric crypto for actually concealing your data.
So, basically, no matter how long your initial key is – it only makes a constant-time slow-down in the beginning of the session, then the dataflow itself – which can be for a few seconds or a few hours – is not affected by it.
This process, when a bit too much “convenience” was added, led to an infamous HTTPS “ReNegp” MITM attack.
Does anyone want to guess who is behind viruses?
If you guessed the security software vendors like Norton and McAfee you are correct.
90% of such malware is designed by people paid by these companies. This is just to make sure that people will keep buying their software (subscriptions these days). Of course, there are startups who want to get into the action as well. So there is plenty of money to be made and nothing works like fear mongering.
I hope everyone knows that the first virus started with an outright blackmail demand. After that people have become more sophisticated, however the game is the same.
These days there are a lot of ways to do funny stuff. These include:
1. Hardware back doors which are incorporated at design level. However, when these same designs go for fabrication to the foundries (TSMC, Global foundries, IBM and other very few places in the world), control and oversight of the fabrication process goes out of house, sometimes to a foreign land. This is where viruses are embedded in the hardware like Stuxnet.
These are meant to activate sometime after they are put into service. This is how Siemens controllers went interactive. Only a very few entities have the resources to add these extra circuitry and locate it. These are just malicious, will destroy things, but cannot be controlled by outsiders. Since they are not usually connected to any communication network. So no hackers in this case.
Fear, greed, patriotic leanings, and simple business calculations is the biggest motivators designers and/or fabricators to engage in such activities. There is no remedy for this type of evil: save for countries choosing to develop their own fabrication facilities. The virus does not have to hide in the big controller, it can be in any of the thousands of chips which are used in a circuit.
2. Companies are more than willing to get government contracts, establish their patriotic credential, and in the process if hey can beat their competitors that is just cherry on the top. I hope everyone saw what happened to Samsung Note 7, and as a double whammy their TVs were singled out as having the ability to spy on people, next it was their washing machines. Who benefited from this? Not Samsung! Japanese and American electronic producers? Perhaps. How about Chinese getting an opportunity to get in? Who knows. The point is that it was industrial espionage and sabotage. No one who knows the process can imagine that Samsung will make these stupid mistakes. Designing and making electronic stuff of this level requires an unparalleled scrutiny during the design and prototype testing.
3. Messing with systems (which are not properly configured) and which are not stand alone is easier for the people who know what to look for. Systems like Unix and Linux are pretty safe to protect. It is only when people change over to using menu driven user interfaces the security starts to become easier to screw with. Basic Linus kernel is pretty easy to configure, the more user friendly you make it by incorporating user interfaces, Ubuntu, Red Hat, Suse, and others. More libraries creep in with millions of lines of new code. Most people opt for compiled binary versions of the code. This can contain a lot of malicious code. In the end it is a matter of convenience verses security. Just by running properly configured servers, which do not run user interfaces the security can be increased to almost unbreakable (except for built in hardware in the components). MS Windows is the worst operating system. It has always been terrible, it was meant for convenience and mass sales. It is the crappiest. That is way you see patches to the system almost every day.
4. There has been a move to technical parlance; especially designed jargon to embarrass those who might want to ask questions is order of the day. There are so many acronyms that even I cannot keep track of all that garbage. However, the concepts are simple. Compute or communication security should not be such a nightmare.
I believe that all nations, develop their own operating systems (N Korea has their own version of Linux), Military hardware must have locally produced electronic circuits. Although it is not glamorous, material research, metallurgy, and small scale foundries for semiconductor manufacture for local electronic for sensitive equipment must be desired and obtained by all nations.
For example Russia must never depend on foreign sources for their military electronics. Granted that, it is expensive and it will not result in immediate results. However, that is the only way to true independence. I would say that these capacities are at least equally, if not more, important than getting control over local currency.
However, these things do affect common people as much. For day to day non-confidential work, the mass produced computers and equipment are still fine. For automated systems, consumers should insist on open source programs for their household applications.
Jenn
90% of such malware is designed by people paid by these companies
And your evidence for that claim is?
The claim is ridiculous. There are tens, if not hundreds, of millions of new viruses every year. The entire antimalware industry couldn’t produce that much if that was ALL they did. They are far out-numbered by the virus creation industry which consists of hundreds of thousands of hackers worldwide.
This is the kind of paranoid thinking that ruins serious discussion for everyone else.
Given the nature of the blog, I should not have used the 90% figure–it was meant to be ballpark. My mistake!
A few things to keep in mind when trying to figure out the exact percentage of industry-created demand is to ask yourselves: how many times has my computer actually been infected? Compare this to the number of megabytes of new virus definitions you unloaded over the course of one year. You will find that typically you update your virus definitions to the tune of several hundred megabytes, while you did not actually get infected even once. This is the pattern. Over the course of my lifetime, I have been infected exactly one time. That too happened when I was traveling outside the country; it was at CERN and on a UNIX system.
If you look at millions of virus definitions each year you should expect. About someone snooping on the computer it is hard to tell; those are big organization/government supported scientists, they are involved from the fabrication, communication lines, communication protocols, technology policy makers; this is the real brain trust. If they want to snoop no one can stop them. However, they focus on potentially useful targets. Smut peddlers like Silk Road and petty thieves scamming people into giving up their own information are not interesting to national security issues.
Those who want a fully secure system, need to develop their entire system from scratch by their own people: hardware and software.
Anyway I state unequivocally that as long as people depend on a few foundries, people and states will be helpless against hardwired malicious code.
If a country or organization wants to be completely secure they have to make their own system. Anything less than that is wishful thinking. Granted a foundry costs billions of dollars and it takes perhaps a decade to train the workforce to be able to produce wafers at a reasonable efficiency. However, it is a huge investment in skill, infrastructure, and independence.
I think when countries have a choice to buy a few squadrons of fighter jets, they should opt for a foundry instead. Last year’s V-day parade was impressive, but I would have been happier if just one person walked down Red Square carrying a controller produced in Russia. That would have been scarier than all those tanks and planes. Russia had and has the greatest scientific minds in the world; if there is one country that can cast off these shackles with a bit of investment it is Russia. They are already great at materials research (alloys necessary for building plane engines etc.), composite materials (I believe they are producing carbon fiber fabric). They have to catch up in electronics.
People like Lev Landau and Vladimir Arnold, and others, have set up a great technical education system. They just need a little infrastructure. I hope they will spend more money on technical independence and less on bling. The non-delivery of those helicopter carriers from France should have been a wake-up call.
Regards,
Jenn
You carefully avoided mentioning the preeminent cyber-threat on this planet: the United States and its various spook agencies like the CIA and NSA.
Most recently, WikiLeaks “Vault 7” release of documents has exposed America’s massive cyber-hacking and surveillance operations around the world–including the dirty hands of the US CIA’s (Weeping Angel program) and Britain’s MI5/BTSS in the Samsung issue.
The only thing more mind-blowing than the planetary extent of America’s cyberwar/spying ops is the minimal political outrage from so-called democratic nations, organizations, and people who never fail to pimp themselves as champions of civil liberties.
Wikileaks Unveils ‘Vault 7’: “The Largest Ever Publication Of Confidential CIA Documents”; Another Snowden Emerges
http://www.globalresearch.ca/wikileaks-unveils-vault-7-the-largest-ever-publication-of-confidential-cia-documents-another-snowden-emerges/5578412
Wikileaks Reveals: CIA’s UMBRAGE Allows Agency to Carry out ‘False Flag’ Cyber Attacks
http://www.globalresearch.ca/wikileaks-reveals-cias-umbrage-allows-agency-to-carry-out-false-flag-cyber-attacks/5578786
Jenn:
I hope everyone saw what happened to Samsung Note 7, … The point is that it was industrial espionage and sabotage. No one who knows the process can imagine that Samsung will make these stupid mistakes. Designing and making electronic stuff of this level requires an unparalleled scrutiny during the design and prototype testing.
It’s not always sabotage. Don’t underestimate human stupidity. For example the Moose test of the Mercedes-Benz A-Class is an excellent example for shitty planning of Mercedes. To stay with the topic of Computers, consider the Intel 4.999999 (aka Pentium).
Very good compilation of arguments. I have been using Linux systems for years now (private and for my business).
Not always easy to show friends why they should drop Windows/Apple systems, but the recent “hacking” troubles worldwide help to catch their attention.
I’ve just found this last week. Maybe I can post it here.
(For the French readers only, sorry):
http://www.01net.com/actualites/les-techniques-du-roi-des-hackers-pour-surfer-le-web-anonymement-1157929.html
Thanks a lot, my friend, and see you later.
With increasing frequency, aggressive foreign policy moves by Washington have been palmed off by the media and political establishment as defensive responses to “hacking” and “cyber-espionage” by US imperialism’s geopolitical adversaries: Russia and China.
[…]
But the official narrative of a benevolent and well-intentioned US government coming under attack from hordes of Russian and Chinese hackers, spies and “internet trolls” was upended Tuesday with the publication by WikiLeaks of some 9,000 documents showing the methods used by the Central Intelligence Agency to carry out criminal cyber-espionage, exploitation, hacking and disinformation operations all over the world.
The documents reveal that the CIA possesses the ability to exploit and control any internet-connected device, including mobile phones and “smart” televisions. These tools, employed by an army of 5,000 CIA hackers, give the agency the means to spy on virtually anyone, whether inside or outside the United States, including foreign governments, “friend” and foe alike, as well as international organizations such as the United Nations.
The WikiLeaks documents expose the United States as the world’s greatest “rogue state” and “cyber criminal.” The monstrous US espionage network, paid for with hundreds of billions in tax dollars, uses diplomatic posts to hide its activities from its “allies,” spies on world leaders, organizes kidnappings and assassinations and aims to influence or overturn elections all over the world.
from:
The WikiLeaks Revelations and the Crimes of US Imperialism
https://www.wsws.org/en/articles/2017/03/09/pers-m09.html
Hi, Saker.
Very good reply overall, but I feel you might be losing the forest for the trees. As far as I can see, the real problem is not the NSA spying on you but governments using data mining techniques to mold social behavior.
Take China, for example, which started combining data from multiple sources (browsing history, electronic communications, purchasing history, medical records, public cameras with face recognition software, etc) to create psychological profiles for all citizens. The purported reason is to anticipate terrorists before they become terrorists.
«It’s “precrime” meets “thoughtcrime.” China is using its substantial surveillance apparatus as the basis for a “unified information environment” that will allow authorities to profile individual citizens based upon their online behaviors, financial transactions, where they go, and who they see. The authorities are watching for deviations from the norm that might indicate someone is involved in suspicious activity.» (https://arstechnica.com/information-technology/2016/03/china-is-building-a-big-data-plaform-for-precrime/)
Other countries or entities are probably doing similar things; Google, for example, is using its power to fudge the search results for various reasons, not excluding influencing the elections. (https://www.sciencemag.org/news/2015/08/internet-search-engines-may-be-influencing-elections)
What is scarier, however, is that the government is in the process of creating a publicly-accessible “social score” for each and every citizen with the purpose of molding public behavior. Say, for example, that you are communicating with people that the government does not approve; this will lower your social score, which will make other people avoid you. (https://www.bloomberg.com/news/articles/2016-03-03/china-tries-its-hand-at-pre-crime?utm_source=digg)
Given how technology makes this so temptingly easy, I have a feeling that this is only the beginning of woes: the preparation of the social landscape to accept the antichrist.
Thank you for writing this Saker.
I am retired now but worked in various Unix admin roles for 20 years. Everything you wrote here is correct in my opinion. This greatly increases my already high confidence in your blog. Generally, if someone can be sensible in an area I understand then I have a lot more faith in what they say in others. You are sensible on the subjects of religious faith and of Unix systems/internet security, so I guess you are pretty sensible on Russian military analysis too!
I just want to remind people that Apple OS is a POSIX compliant operating system based on the XNU kernel (an amazing intermarriage between true micro-kernel and monolithic). In the right hands it can be a pretty robust system, equal to any robust LINUX distribution or better. And all that can be achieved with less frustration than Linux. Of course programming knowledge is required. I would even add that the networking layer in Mac OS X (excl. 10.9-10.12) can be totally under your finger; it’s unique!
I use two boot systems (mac OS 10.6.8 and 10.11). The first one is a custom build by myself with the help of:
https://opensource.apple.com/release/mac-os-x-1068.html
and 10.11 solely to run some latest creative software only.
NOTE: With the arrival of macOS 10.9, Apple makes it harder and harder to tune the OS.
I just want to remind people that Apple OS is a POSIX compliant operating system based on the XNU kernel (an amazing intermarriage between true micro-kernel and monolithic). In the right hands it can be a pretty robust system, equal to any robust LINUX distribution or better
Not true. Apple did, indeed, use the BSD kernel to develop its own POSIX compliant system, but since the BSD license did not force Apple to reveal its code or even to contribute anything to the free software community (which at least Google did!), Apple products are NOT peer reviewable. And since OSX is opaque, it is far MORE frustrating to install and manage than a GNU/Linux based system. Basically, Apple is overpriced neo-BSD crap, with a huge opaque graphics layer on top of it and with a cult-like marketing and distribution system. I can’t think of a more freedom-hating IT ecosystem than Apple/Mac. If Linux is about freedom, Mac is about fashion, money and deception. Stay away from it!
My 2cts.
The Saker
@Saker
Excellent Reply.
Here is the thing which really pisses me off about Apple: why did they choose the BSD kernel instead of the Linux one which, frankly, is much more up to date (as seen by Google who chose it as the kernel basis for Android)? There is only one TRUE reason: the BSD license allowed the BSD code to be taken, modified and re-released in a proprietary model (closed source, copyrighted commercial license) whereas the Linux kernel was licensed under the GPL which allows modification and redistribution ONLY if the freedoms granted by the GPL license are preserved. Put in simple terms: Apple chose the kernel which first gave them a free meal and then allowed them to fuck their customers. Google did the exact opposite with Android. Not only that, but Google even contributes to the Linux kernel and organizes summers of code where talented hackers (in the real – non negative – sense of the word) can work on their free software projects. At least so far, Google has been a fair player in all this. Not so Apple, who have always been and still are SOBs at least as evil as anything Microsoft.
The Saker
Apple chose the kernel which first gave them a free meal
You are forgetting 2 facts:
1. In the late 1980’s, Apple developed a proprietary version of UNIX to run on certain Macs – A/UX. Sadly, A/UX was killed in late 1995, but not the experience – it was crucial in the future development of the hybrid XNU (better known as Darwin) kernel.
2. In 1988, after Steve Jobs was ousted from Apple, he founded, with some friends, the NeXT Computer company, which held the rights to NeXTStep OS (BSD 4.3 Unix implemented on a Mach micro-kernel).
So not only was the core of OS X never free, and did it predate Linux by several years, it was also more technically sophisticated and advanced for a long time.
Nobody said that Linux was older than Apple OS. I suggest reading about Linus’s project which started Linux.
Personally I never liked Apples, although I must admit it had a stronghold in the publishing industry.
Anonius,
My prime argument was that the Mac OS X kernel was not shipped from open source “shelves”. Jobs paid $400 million to acquire NeXTStep, and A/UX was proprietary, owned by Apple. Some people claim that Apple stole open source software and turned it into a commercial product; it is not true.
And please, as I mentioned in my previous post about my opinion of Apple, it’s all about technology.
Apple is very strong in the music industry as well; the latency is simply stunning. Just to give you an example, the German firm RME broke the record with a USB2 audio interface (Fireface UC) that works with an impressive buffer size of 14 samples. SOS magazine confirmed it on an off‑the‑peg Mac that had never been tweaked or configured for audio use; they recorded a latency of 1.3ms. Unbelievable! The result was close to some pro PCIe interfaces.
Saker,
In respect to your statement “Mac is about fashion”, I agree with you; at least that’s what Apple Inc wants. I hate their approach as much as you, especially after Jobs passed away. However, from a technical point of view I suspect you know Mac only from the surface. I won’t go into details ‘cos I have no idea where to start; there is so much to say, and readers can “duckduckgo” for facts. Second, it would be more correct to say that Apple hardware is overpriced, not OS X. There is a huge community that counters that; it is called Hackintosh (like https://www.tonymacx86.com/). They are very active since Apple failed to deliver updated Mac Pro hardware.
And last, Apple in fact has official UNIX® certification.
I did experience Linux (Fedora) myself; it was fun (yes, with total freedom!) and at times frustrating, especially when you mess something up maintaining your system. To fix it wasn’t my problem, but to battle its effects: dropping performance over time. In Mac I had no experience of this nature. For that reason I’ve decided to stick with Mac OS X – my need for a truly fast multi-core operating system each and every day, not just Sundays like in Fedora.
And I’ve forgotten to say the most important fact – programmers and coders love Mac OS X, according to “Stack Overflow”!
@AF
I hate to rain on your parade, but some of the Linux versions are designed for Windows/Apple people. They are very hands-off. But even Debian, while being called a geek version, can be pretty hands-off. All you need to do is choose the type of machine you want: desktop, etc, etc.
Slow down in performance? And you measured it how? Programmers use Apple OS for programming? Perhaps for writing apple code? Otherwise you can install Linux that runs on Apple hardware, did you know that? You can free yourself.
Anonius,
I assume you are unfamiliar with the topic.
Stack Overflow is a flagship question-and-answer website for coders of all programming languages: interpreted, compiled or curly-brace like the widespread JavaScript (incl. command line interface languages that Linux distributions utilize) etc… It is not my statement but the Stack Overflow Developer Survey that takes place every year. And by the way you can program Linux binaries on Mac OS X; it makes no sense ‘cos it’s easier to simply boot into Linux, but there are some brave coders.
@AF
I really do not care about Stack Overflow, or ms differences, which in real life mean nothing.
Otherwise real stack overflow is caused by lousy coding.
Do you know what my boss used to say in the days when we used Windows (the original)? Go and have some coffee while you are waiting for the code to be compiled.
Today machines are thousands of times faster, but because we load them with crap they do not seem any faster. So take a chill pill and relax.
> Not true. Apple did, indeed, use the BSD kernel to develop it’s own POSIX compliant system
Actually not, Apple uses Mach3-derivative Darwin for a kernel.
Then they use a BSD layer around the kernel, for interfacing it with hardware and user-interface software. In Russian it is called обвязка. In English?… Middle-layer?
Say, GNU/Linux and GNU/Hurd – the very Linux (or Hurd) is a rather small kernel. Then there goes GNU middle-tier software that boots the kernel, configures it, lets it react to hardware configuration changes (like insertion of a USB thumbstick or like connecting to a Wi-Fi service). Then there also is Android/Linux.
And on top of both those levels there is an “icons and mouse” user interface, “Desktop Environment” as it is called in Linux. For Windows and MacOS and Android one rarely changes the stock DE, so there is no special term; it is just user shell or user interface or something.
So, it is roughly a three-level building.
Kernel in the foundation, then basic techy wiring and plumbing in the cellar, then the fancy and eye-candy living quarters above.
Linux / Android middleware / Android User Experience
Linux / GNU tools / KDE – or Gnome – or many others
HURD / GNU tools / KDE… etc.
Mach3-Darwin / FreeBSD-derived plumbing / Apple proprietary user GUI
Apple does not use BSD kernel
Encouraging article. Tempts me to continue with Google even though I know they record every time I visit your site, and send the record to Uncle. Also an encouraging plug for Linux, free software as in free beer – a sign of good fellowship, our main protection against The Man from Uncle.
If you need to use a mobile phone choose a model where you can easily remove the battery.
On many Android phones you simply use a fingernail to open the back and lift out the battery. With iPhones you need time and tools.
This is particularly useful if you risk being harassed. Nothing like a good night’s sleep!
You will need to use something else for the alarm though.
If you go into cyber-space, no matter how sophisticated you are, if 2 GUYS decide to go after you then they will always be 2 steps in front of you.
Utah Data center
The planned structure provides 1 to 1.5 million square feet (90,000–140,000 m2), with 100,000 square feet (9,000 m2) of data center space and more than 900,000 square feet (84,000 m2) of technical support and administrative space. It is projected to cost $1.5–2 billion. A report suggested that it would cost another $2 billion for hardware, software, and maintenance. The completed facility is expected to require 65 megawatts of electricity, costing about $40 million per year. The facility is expected to use 1.7 million gallons (6,435 m3) of water per day (to cool down PROCESSORS). An article by Forbes estimates the storage capacity as between 3 and 12 exabytes in the near term, based on analysis of unclassified blueprints, but mentions Moore’s Law, meaning that advances in technology could be expected to increase the capacity by orders of magnitude in the coming years.
Toward the end of the project’s construction it was plagued by electrical problems in the form of “massive power surges” that damaged equipment. This delayed its opening by a year.
https://en.wikipedia.org/wiki/Utah_Data_Center
Code-Breaking Supercomputer Platform
NSA Utah Data Center supercomputer
The Utah Data Center is powered by the massively parallel Cray XC30 supercomputer which is capable of scaling high performance computing (HPC) workloads of more than 100 petaflops or 100,000 trillion calculations each second.
Code-named “Cascade”, this behemoth was developed in conjunction with the Defense Advanced Research Projects Agency (DARPA) to meet the demanding needs of the Intelligence Community.
Our Ultimate Target: 256-bit AES
The Advanced Encryption Standard (AES) algorithm is used worldwide to encrypt electronic data on hard drives, email systems, and web browsers. Computer experts have estimated it would take longer than the age of the universe to break the code using a trial-and-error brute force attack with today’s computing technology.
In 2004, the NSA launched a plan to use the Multiprogram Research Facility in Oak Ridge, Tennessee to build a classified supercomputer designed specifically for cryptanalysis targeting the AES algorithm. Our classified NSA Oak Ridge facility made a stunning breakthrough that is leading us on a path towards building the first exaflop machine (1 quintillion instructions per second) by 2018. Since the capability to break the AES-256 encryption key within an actionable time period may still be decades away, our Utah facility is sized to store all encrypted (and thereby suspicious) data for safekeeping.
https://nsa.gov1.info/utah-data-center/
I use 5 laptops, one desktop, and 2 tablets designed for different purposes. Some for games (my 2 grandkids, 2 1/2 and 4 1/2 years old, use both tablets and one laptop for games; my wife 2).
One I use for banking, and it has only a 250GB HD, and I use “Darik’s Boot and Nuke” to sanitize it. It takes 2 hours in DOS, using an extra fan to cool down the processor, and after I install Windows using “Acronis True Image” it is now free. I check the load of CPU and RAM, and it took me some time to realize that “Windows Automatic Update” was running nonstop in the background taking 30% of my CPU load, and forced my laptop to run hot. I disabled “Windows Automatic Updates” and the CPU runs in idle at 2% to 5% and my laptop is cooling down.
I do not care if my government is spying on me. I care that their spy tactics are damaging my laptop, my KS8000 SUHD 4K Samsung TV, and more. I was surprised to find out that my TV never turned off, so I put in another switch and manually cut off the power after I remotely turn it off, because I hate my TV staying ON 24/7. It doesn’t cost you too much to cover with tape any camera in a laptop, refrigerator and more. The technology is there, and it may be taken over by 3rd parties, and they may take away your privacy. And be careful what you say, because even if you are not doing anything wrong, the INFORMATION MAY BE MISUSED.
Dear Saker,
I have a question: does Russia have an advanced semiconductor industry (besides for military applications)? Does Russia have an alternative to Intel, AMD, regarding fabrication of personal computers?
Could you give us a picture of hardware and software development in Mother Russia?
Thank you,
Enjoying all the recent articles on software security :)
Just made another small donation :)
alternative to Intel ?
Intel rules the world; however, the Soviets had talented people like Vladimir Pentkovsky. Below is an article about him:
http://csef.ru/en/nauka-i-obshchestvo/306/sovetskie-korni-proczessora-intel-pentium-4912
They do, actually.
https://en.wikipedia.org/wiki/List_of_Russian_microprocessors
They’re a bit low on clock speed and won’t compete with the latest offerings from Intel or AMD but they’re certainly usable for office use and even some gaming. The problem is price and mass production.
Thanks to Saker!
Two observations to add…
Awareness in casual use…of electronic gizmos and also audio physically present actual speech – When I worked for the military there were microwave and land line, and HF Morse was just ending for ships and the USN. In those days TEMPEST type surveillance was easy, as the old teletypes transmitted the keyboard text pretty far, albeit unintentionally – we had most stuff in faraday cages with chokes on the inputs… I know because I worked on this stuff. But the point here is that all over the base every telephone handset had a sticker that announced “NOT A SECURE LINE” with slogans that varied – but that usually said something about opsec.. Like a lawyer once said to me: “if you say a thing then it’s not a secret anymore, is it?” Best opsec is silence – and the sticker can help a fella to keep that in mind. #1 is awareness. Put the reminders in-place. If you say it, it can be repeated…
If one were to write a program that created random code and randomly emailed small streams of code to various places, more or less at random, or simply published or posted them, perhaps here with this keyword: furfvd7ycvcv (for a random snippet-example) one would then have a machine that would create “meat” for the spooks to try to decrypt… And it takes far longer to “crack” crypto traffic that has only random content…as it cannot be decrypted if it’s actually random – hehehe . Saker speaks to the cost of decrypt efforts. The conclusions are obvious….one side grows in linear limited rate, other side grows exponentially like bacteria…outcome inescapable…”noise” in system drowns signal – to use radio term. Would become thunderstorm of noise. Actually I expect this is inevitable….
I advocate for good lawful behavior, not sabotage, of course… but the thing seems like it might become a kind of social protest – people passing such code ’round and in the fullness of time making effective decrypt a failed method of guiding social control. Of course there are nuances too – plaintext words inserted in the cryptotext here and there, sometimes… The idea opens up strategies and hypotheses in several directions… Of course this “code” can also be not actual digital code, but simply the willingness to daily create random fakecrypto and squirt it out to your associates as they also do to or for you. You get traffic and send traffic and resend traffic, but most of the time the traffic has some random stuff… Now what does that mean? Nothing of course, but how can they know this? They cannot. So it seems like as people get disgusted with stasi-world they might start mucking up their traffic in one way or another, simply as the workers threw their shoes… So that’s not to advocate, but to predict…
And I thought it might be a good idea to add http://www.cryptomuseum.com/crypto/enigma/
ENIGMA is pretty good, by the way… and a non-digital ENIGMA that’s fairly inexpensive can be kit-built or bought. I found both complete machines and kits for amounts I could afford… Understand, these use switches and transistors and ICs but do not run any code beyond the “read only” hardcode that’s intrinsic to all logical machines, down to jackknives and shoelaces… they are unhackable except with wire cutters, so to speak… so the machine cannot be a trojan.
And Simon Singh’s “The Code BooK” (1999)
Saker, I am perhaps incorrect? If so kindly say so… You know way lots more than I do..
Thanks!
LZ
It is time to dump Windows as Saker says. I have a Linux system on an old computer, but I need to find an old keyboard and an old mouse for it to work.
“WikiLeaks has published a new batch of the ongoing Vault 7 leak, detailing a spyware framework – which “provides remote beacon and loader capabilities on target computers” – allegedly being used by the CIA that works against every version of Microsoft’s Windows operating systems, from Windows XP to Windows 10.
Dubbed Athena/Hera, the spyware has been designed to take full control over the infected Windows PCs remotely, allowing the agency to perform all sorts of things on the target machine, including deleting data or uploading malicious software, and stealing data and sending it to a CIA server.
The leak, which includes a user manual of Athena, overview of the technology, and demonstration on how to use this spyware, reveals that the program has two implications
Interestingly, one document also suggests that the CIA agents have been advised to make sure that the spyware should not get caught by antivirus software programs, especially Kaspersky AV software.”
http://www.blacklistednews.com/WikiLeaks_Reveals_%27Athena%27_CIA_Spying_Program_Targeting_All_Versions_of_Windows_%28from_new_batch_of_Vault_7%29/58537/0/38/38/Y/M.html
Google is the R+D arm of the NSA, just as the BBC is the public facing propaganda arm of MI5/MI6. These are ***not*** sarcastic labels, but statements of fact. Every BBC foreign correspondent is an ***actual*** member of MI6. Every major NSA computer facility uses hardware and software designed by Google.
While old school ‘tinfoil’ hat types claim the job of the NSA (and GCHQ) is mainly to search for individual ‘threats’, and people doing ‘suspicious’ things, the truth could not be more different. The focus of the NSA is as follows:
1) by capturing, recording, storing, translating, indexing and data mining the entire planet’s visible digital data communications, the NSA seeks to have a ***realtime*** understanding of the mindset of any definable group of Humans. This allows population prediction, and the perfection of ‘message propaganda’ based on the realtime response to such propaganda. In other words, perfectly ‘ordinary’ Humans are the no.1 target of NSA full spectrum surveillance.
2) the NSA seeks to identify ‘control’ information (blackmail) about each and every one of us, so that ***whoever*** reaches a position of significant power or influence in some future time can by ‘controlled’ by things they’ve done in their past life.
3) the NSA seeks to identify emerging grass roots organisations and leaders before they reach greater public prominence. This then gives the Demons the option to destroy or co-opt the same with minimal public fallout.
Major Empire Power intelligence operations have always had these three primary goals. On the other hand, sheeple have always been encouraged to think ‘spy agencies’ are about finding ‘terrorists’, ‘enemy’ ‘spies’ etc.
Everything you think you know about the motives of intelligence agencies like the NSA and GCHQ is wrong. They operate at a level so far above people’s paranoid thinking, it isn’t real. ‘terrorists’, ‘criminals’ and ‘foreign spies’ are no possible threat to a real Empire Power. 99.99% of real ‘terrorists’ are handled by the Empire power anyway, and the Empire is criminal beyond the nightmares of the Common Man. The ‘spycraft’ game of ‘spy vs spy’ does happen a little (that’s Human nature) but isn’t significant, and makes no real difference anyway- traitors, by definition, are almost impossible to spot in time when they are really useful to the other side.
Modern advances in computer hardware and software make the unthinkable wholly possible. And yes, ‘open source’ hardware and software solved the ‘final’ problem.
For the longest time the USA (and others) made surveillance a ‘military’ problem, and spent money on it as with other military mega-projects. This meant that NSA solutions were late, massively over-budget, badly designed, obsolete when finally active- and most important of all totally ***non-scalable***. Oh, Britain (via the GCHQ) taught the NSA how to intercept any new form of communication since WW2. But it was the processing of this rapidly growing mass of data that was the main issue.
Britain had legions of (mostly women) listen, transcribe and index the info by hand- then computers helped a little with the indexing. But by the late 50’s the downside of such an approach was clear. Yet computers were decades away from actually making a difference- even as the USA spent billions on new computer facilities. Computers were all hype and no return- but IBM and others cared not so long as US politicians carried on greenlighting such projects.
The 70s, partially out of the US space program, saw advances in integrated solid state chip design lead to the first microprocessor- the first cheap mass produced general computing device- and just as important the solid state memory that would replace all the dreadfully hopeless memory systems of the 1950s and 60s. The microprocessor led to the ‘home computer’ revolution which was significant in massively increasing access to computers for the general population. IBM and Microsoft ‘accidentally’ invented the generic PC platform- on which I type this today.
Then came explosions in magnetic storage tech (the hard drive) and inter-computer communication (ethernet and the internet). And out of these extraordinary geometric improvements in computing, storage and communication came Google etc. Google was tasked by the NSA to try another route to processing the impossible amounts of surveillance data- namely using off-the-shelf commodity computer hardware to build NSA data centres. And these data centres would be indefinitely ***scalable***.
Now ‘civilian’ Google data centres funnel data to the NSA ones, but are ***not*** the NSA ones. And the NSA collects most of its own data. Call the NSA (and GCHQ and the ones in France, Germany, Israel etc) ***shadow*** Google complexes- built using the same Google hardware and software designs used for the Google we all know.
Why does Google data mine for ‘ads’, and spend effort on ‘translation’ etc? Because all these software services are frontline needs for the NSA. Every phone conversation on the planet is recorded by the NSA. But to store only as audible data would be as good as useless. So first class voice recognition software is needed (ring a bell?). And first class translation and indexing software is needed. The ‘civilian’ software services from Google etc all are programs ever perfecting the ***real*** purpose of the software.
Spying on ***you*** for saying ‘naughty’ things about Clinton or Obama has never been the point of the NSA. Yes, you should care about your privacy- but more because how corporations will abuse their access to your private life in a million different immoral ways. And you may feel relaxed because despite the insane success of Google and the NSA, a wild card like Trump arose and proved unstoppable. But Google and the NSA are about the ‘long game’- rewriting the rules by which Mankind lives in ways that match “1984” and “Brave New World” exactly.
The SJW movement where “white males” are always depicted as the ‘problem’, and women are told that male ***heterosexual*** programming that cause males to be attracted to females ‘prove’ males are ‘dangerous sex criminals’ is very much a current NSA/GCHQ frontline method of social engineering. FUD (fear, uncertainty and doubt) is a great mechanism to turn against ordinary people at ‘the bottom’. Making men and women distrust each other (or adults vs their kids) inhibits people from pulling together and advancing natural Human desires (which are all decent and good). The Demons need hate and strife. And they need the intelligence tools to maximise the strategies that cause hate and strife.
Today, Britain is on the verge of voting into power a woman who promises to end Internet freedom in the UK – and GCHQ feeds the results of its research into the mindset of UK voters directly to the propaganda masters running Britain’s state controlled media outlets, like the BBC, ITV and all major newspapers. And unlike other nations, what winning British politicians promise (when bad) they deliver. The common Brit will cease to have access to the Internet in the form we’ve all grown to love and need. And ***no***, the UK government will care not one whit that a ***minority*** of Brits will use VPN’s etc to bypass the censorship- because the self-informed minority is never the target of crude blanket censorship- just the sheeple majority.
PS yes, the strongest algorithms used by free encryption like Truecrypt (which was ‘trashed’ when the NSA paid key developers millions of dollars to publicly ‘disown’ the project, but whose algorithms are still just as unbreakable today) are the best imaginable for ordinary users. And taking a hammer to your HDD platters or SD-card will ensure that data is gone for good. And over-writing any storage device with enough random data (non-zeroes) to fill that device will permanently erase almost all your old data (the exception is ‘bad blocks’ on a card or HDD that the device has marked off against further use due to detected ‘faults’ on that part of the media- those blocks will hold fragments of old files, can be accessed with specialist software, and may be impossible to erase with available software).
But ‘paranoid’ thinking against government surveillance is usually faulty thinking, as I said above. For individuals your ‘enemy’ is your spouse, parent, child, computer fixing technician, boss, or any corporation that wants to extract money from you. People handle the ‘inner thoughts’ of other people close to them very badly. And the Demons, via the mainstream media propaganda, use the ‘distrust your neighbour- they may be up to something ‘bad’ ‘ strategy. Privacy is essential to prevent inappropriate ‘judgement’ of one another. Which is why the demons constantly attack concepts of privacy, and use the “only the guilty have something to hide” lie.
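The PS above recommends overwriting storage with random data. The following is an added example, not part of any comment in this thread, showing the one detail that decides whether such an overwrite does anything at all at the file level: the file has to be opened for in-place writing. Opening it for writing with truncation merely frees the old blocks on the filesystem and lets the new random data land somewhere else, leaving the original contents recoverable. The marker string, the temporary file and the single-pass setting are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def overwrite_in_place(path: str, passes: int = 1, block_size: int = 1 << 20) -> int:
    """Overwrite every byte of an existing file with random data, in place.

    "r+b" keeps the file's existing blocks so the random bytes land on top of the
    old data; "wb" would truncate first, which only releases the old blocks to the
    filesystem and leaves their contents on the media.  Returns bytes written.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(block_size, remaining))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())  # push the writes past the OS page cache to the device
    return size * passes


def sha256_of(path: str) -> str:
    """SHA-256 of a file's contents, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def demo() -> dict:
    """Constructed demo: write a recognisable marker, overwrite, confirm the marker is gone."""
    marker = b"SECRET-ACCOUNT-NUMBER-1234567890 " * 2000  # ~66 KB of "sensitive" data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker)
    before = sha256_of(path)
    written = overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)  # only now is it safe to let the filesystem release the blocks
    return {
        "size": len(marker),
        "written": written,
        "size_unchanged": len(after) == len(marker),
        "marker_gone": b"SECRET-ACCOUNT" not in after,
        "content_changed": hashlib.sha256(after).hexdigest() != before,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Even done correctly, this only overwrites the logical file. Journaling filesystems, copy-on-write snapshots, swap, editor backup copies and, on SSDs and SD cards, wear levelling and remapped bad blocks can all keep a physical copy that this code never touches, which is the same caveat the comment raises about marked-off blocks. Overwriting the whole device rather than individual files closes most of those gaps; physical destruction closes the rest.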
If ComSec is important for you, you really ought to ditch your Windows or Mac/Apple machines.
I’m not too sure about writing this but OK, I’ll stick my neck out and make a plug for Linux. Made the switch 6-7 years ago from Win 7, reason being I got tired of getting my arm twisted, paying for upgrades and renewing my anti-virus ‘protection’.
First, let me say up front that I’m no computer expert; all the people who’ve made comments already (btw, is it just me or is there a bigger-than-normal number of anons here? :p) are way more tech-savvy than me. Second, I don’t mean to be presumptuous — I’m sure what I’m going to say may be old hat to lots of readers/lurkers out there. My keeping it simple does not mean I’m trying to insult the reader’s intelligence; it’s just that Linux has a largely unwarranted ‘geeky’ reputation which can be off-putting. My aim is to nudge the fence-sitters into trying and hopefully shifting to Linux or some other OSS like the BSDs. For those who were like me when I first started dipping my toes in the world of free software, keen to try but more than a little bit apprehensive that the venture may turn the machine into a rather large paperweight, this may be of some use.
There are lots of Linux distributions (Debian, Fedora, Linux Mint, Ubuntu,etc) that offer ‘live’ operating systems. This means that we can download the OS (for free), burn it onto a disc or USB stick, plug it into a computer running Windows, reboot and start using Linux off the disc/drive. The live distro won’t touch the Windows system while it’s operating. All your files are safe. You can do everything with it; get on the Net, send emails, write a report, watch movies, etc, etc. Once you’ve finished, shutdown and unplug. Restart and voila you’re back with your old familiar Windows machine. So it’s free to try and, hopefully, install.
Now to be sure Linux does require a bit of reading (‘RTFM’) in order for us to get the most out of it. But all of the documentation is free and available on the Net and indeed the applications themselves come with their own manual. No need to hunt around. All that’s needed is a bit of bravery with the command-line terminal (austere-looking thing, not unlike our comment box here) and a bit of typing.
Linux ‘comes with batteries’. Almost every distro or ‘flavour’ of it has lots of security tools included, e.g. GnuPG. The manual comes with the app, so it can be read offline. Most of us are busy folk, we don’t have time to read a dry manual but we don’t have to be experts in a day. A bit of reading, a bit of trying, and soon we’ll be able to use encryption effortlessly; then it’s time to move to another application. This is easy to do because most of them are there in the distro (and they’re free). At the very least, trying the tools makes us aware which app is doing what on our machines. Reading about the defence helps to make us understand how the attacks are made.
Finally have a look at ‘Tails’. It’s basically Debian (+ anonymity and privacy) on a USB stick/disc. And yes, Tails is free too.
https://tails.boum.org/
Thank you -again- for this excellent article, Saker.
The beauty of it, that it’s not thoroughly technical, but focuses on the personal choices of whatever threats one might to shield from.
You don’t have to convince me over the advantages of Linux systems. In fact, I’m an active Linux community member. And I know that roughly 80% of the servers on the www run on it. Do people really think that critical systems like the ISS or the financial systems on the stock exchanges run on Windows? They don’t. Actually, the ISS runs on Debian and important financial systems run on Red Hat (the commercial variant of Fedora).
However, in many discussions -and not only here- I found out that people want to install something rock-steady solid so that they have nothing to fear. Sorry folks, that doesn’t exist.
The main security measure is you. Become active.
A few practical tips? Of course. First, place duct tape over your webcam, and plug a jack into the microphone socket of your laptop. You think ‘they’ won’t activate it? Think again. My smartphone is in a wallet that shields its camera and microphone. I know why.
I could get into a lot of details, but my guess is that’s not what this thread is meant to be about. My point is that to get more secure than average, you have to become active. If you want to shield yourself from malware, you have to think first like someone who would install malware.
Thanks for this Saker, you are setting off to answer many questions that I had been having.
For starters, ditching Windose is step zero. I have done that for several years now and am very happy about it. Using FOSS tools is also a no-brainer.
However, each of the technical solutions you propose make sense based on specific use-case scenarios.
E.g., regarding The Saker blog and community: a casual reader, or someone that may eventually post a few comments would not normally use Tails Linux booting from a USB stick, on a dedicated cash-bought computer, with MAC address spoofing, connected from a public wifi, having left his cell phone at home. If that was the case, you would have… exactly zero readers!
For this use, most of us (I guess) use our regular computer, from our home or even our work connection. Probably our true identity is known, or can be known very easily, but that should fall under the cost consideration you mentioned. In other words, we are not worth the effort based on our activity.
[May I point out that your blog is accessible both through straight http and https. Is that a server-cost based decision?]
Then comes the next level: we buy your or Scott’s books, or contribute financially. That is more involved and will leave more traces (credit card numbers on Amazon, cash movement on Paypal, bitcoin transactions on the blockchain). What do you consider a logical level of protection for such a use case?
Then there are those who are directly in contact with you. Then things start becoming even more involved and a stronger anonymisation is logical.
Finally, there is… you! You are the founder of this community, your true name is publicly known, you have published your face, the general location of your home and your family situation. I don’t know if you took all the precautions when you started the first Saker blog, but when your identity was publicised you didn’t stop. And you still live and work in the US and travel in and out of the country.
So, I guess, my practical questions are:
-what/who is the threat in each of these scenarios?
-what do you consider as reasonable convenience vs security trade-offs for each one?
Responding to comments on DNS attacks, I switched the past few weeks to Yandex as my default browser for banking and online transactions:
https://browser.yandex.com/desktop/main/
In their advanced settings, you can turn on their unique or very-difficult-to-find DNSCrypt feature, which thus makes it very difficult to hack via the DNS method. I’ve been recommending Yandex to friends and family.
Otherwise, for anonymous browsing (slightly faster than TOR), I use Epic Browser.
Cheers,
Quintus Sertorius
A few TIPS to make that article richer.
– If you have a spare old computer, why not set up your own private proxy server? It solves a myriad of network issues and adds another line of defense
( the WWW has many good step-by-step guides on how to set it up )
– choose a good router, and remember that DEFAULT settings could mean a HOLE in your network the moment you turn on the router.
For paranoids, flash it with your own Linux-based firmware ( yes, you can do it ); OpenWRT and DD-WRT are the easiest way to comply with new FCC rules.
https://wiki.openwrt.org/toh/start
My personal favorite is DrayTek.
My computer has 2 HDDs, one 500GB with Windows for useless fun stuff and one 80GB (Linux does not need much) with Ubuntu 16.04 with the main stuff. To switch between both I use the BIOS boot menu (press F12 on boot).
There you go, simple as that.
How to Image and Clone Hard Drives in Linux?
1. Gnome Disk Utility.
2. Clonezilla.
3. DD.
4. TAR.
5. Tuxboot.
These programs are available to the public. There are more powerful programs not available to the public.
If someone breaks in your Network, and his computer temporarily is part of your network, then all your HD are cloned, no matter what OS you use, and more…
The best way is to use “dd”.
You can clone any partition or the drive. Even transferring Windows from a smaller to a larger drive works. The only difference between XP and Win7 is that you use a Linux disk manager (gparted or KDE Partition Manager) to extend the partition, while in Windows 7 you need to use actual Windows to do it.
Any image copy of a running system is pointless; it just does not work.
So, since you can’t mess with running system:
you download Debian Live, boot from it, start Root Terminal, run dd. You are done.
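The procedure above (boot a live system, run dd) leaves out the step a forensic or backup practitioner would never skip: verifying that what landed on the destination matches the source. The following is an added example, not part of any comment in this thread, that does the block copy the way `dd if=SRC of=DST bs=4M conv=fsync` does it and then re-reads both sides and compares SHA-256 digests, the same check you would do on real devices with `sha256sum /dev/sdX /dev/sdY`. It also refuses a mounted source, which is the reason the comment boots Debian Live first. The demo runs on a file-backed image, constructed for the demonstration, rather than a real device; the mount check reads /proc/mounts and so only applies on Linux.

```python
import hashlib
import os
import tempfile


def is_mounted(device: str) -> bool:
    """True if `device` appears as the source of a mount in /proc/mounts (Linux only)."""
    try:
        with open("/proc/mounts") as f:
            return any(line.split()[0] == device for line in f)
    except OSError:
        return False  # no /proc/mounts (not Linux): cannot tell, assume not mounted


def clone(src: str, dst: str, block_size: int = 4 << 20) -> str:
    """Copy src to dst block by block, fsync, and return the SHA-256 of the data written.

    A mounted source keeps changing underneath the copy and the image comes out
    inconsistent, hence the refusal; unmount it or boot a live system first.
    """
    if is_mounted(src):
        raise RuntimeError(f"{src} is mounted; boot a live system or unmount it first")
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(block_size), b""):  # last chunk may be partial
            h.update(chunk)
            fout.write(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # equivalent of dd's conv=fsync
    return h.hexdigest()


def sha256_of(path: str, block_size: int = 4 << 20) -> str:
    """SHA-256 of a file or device, read in large blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def clone_and_verify(src: str, dst: str) -> bool:
    """Clone, then re-read both sides so the comparison covers what actually hit the disk."""
    written = clone(src, dst)
    return sha256_of(src) == sha256_of(dst) == written


def demo() -> bool:
    """Constructed demo on a file-backed image (3 MiB plus a partial final block)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "disk.img")
    dst = os.path.join(tmp, "clone.img")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 + 123))
    ok = clone_and_verify(src, dst) and os.path.getsize(src) == os.path.getsize(dst)
    for p in (src, dst):
        os.remove(p)
    os.rmdir(tmp)
    return ok


if __name__ == "__main__":
    print("clone verified:", demo())
```

Two things this check does not cover on real hardware: a drive whose firmware silently remaps failing sectors can return different data on the second read, and an image taken from a drive that is larger than its destination will be truncated rather than fail, so compare sizes before you start, not only after.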
I have been using DDG for about 1 year; I only use Google if I want to check ranking. I find everything I need on DDG, without Google ads and its own promotion sites. Tired of Yahoo or Google ads, I have been using DuckDuckGo, but trust and verify.
So what does that mean for privacy at DuckDuckGo, which has been a major selling factor for them? They say their ads are not tailored to users to protect their privacy but the ads have shown local content to me in the past via start page. Certainly now being a partner of Yahoo will lead to more such privacy erosion? I understand they need to grow but this would seem to be against their stated privacy policy would it not?
Hey Saker!
Thanks for the update and clarifications! When it comes to ComSec I think at least in our community there is at least some degree of awareness about both the threats and some of the ways to protect oneself. However when it comes to OpSec I find both badly lacking. One could of course argue that an average Joe need not worry about OpSec at all, but at the very least I would like to arrive at that conclusion after having reviewed possible threats and different methods to protect myself. After that I may still judge that it’s not worth the hassle.
Can you recommend any literature, books, articles or blogs on that topic? It seems that the literature is very sparse. I’d be very grateful for any opportunity to learn more!
Kind regards
D
What’s the status of decompiler these days ? I mean those ones that are available to only few.
“The assumption that the NSA is miles ahead of everybody else is plain false.”
How do you reconcile this statement with the cyber-espionage tools that the NSA built? Are not these tools miles ahead of anything thought possible in the public sphere while utilizing zero-day exploits that seemingly only the NSA spotted for all this time?
Advanced toys and getting paid to do wild stuff are a strong incentive to draw the cream of the crop. Given the software results, it seems to be working?
A possibly off-the-wall comment (if judged worthless, my apologies) :
What strikes me after pondering this thread is the sense that the Saker is probably 100% correct in his assessment, but @twilight, who disagrees with him, point-by-point, is also ; like a coin, the information on one side does not invalidate what is on the other. Considering both together might generate further insights of value.
The Saker’s perspective is, it seems, that of an expert technician (a problem-solver focusing on process and the limitations it entails to employ it most effectively), while @twilight’s is that of a strategic-thinking oligarch determined to retain his previous political/economic/social control that the information revolution threatens).
At root, the question of what to use technology for determines the approach and conclusions reached : the mentalities of Dilbert vs. Boris Badenov — police work vs. KGB/CIA objective-based planning.
The end-to-end encryption currently in use on the Internet is flawed in both design and sometimes implementation. Ways to subvert it are numerous – from the various publicly known methods ( various versions of SSL stripping etc. )
to known-to-you-know-who hardware backdoors to Tempest intercepts to the ridiculously easy ( and some more complex ) ways of security certificate forgery. One Time Pad is your best shot at any semblance of secure comms assuming the hardware is secure.
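The comment above ends on the one-time pad. The following is an added example, not part of any comment in this thread, that implements the pad and, more usefully, its classic failure mode: reuse a key for two messages and the key cancels out of the XOR of the two ciphertexts, after which a guessed word (a "crib") dragged along the result drops the other message's text out in the clear. The two messages and the crib are constructed for the demonstration; the pad itself relies on `os.urandom` being a good enough source, which is exactly the "assuming the hardware is secure" condition the comment states.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; output is truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """A pad must be truly random, at least as long as the message, and used once."""
    return os.urandom(length)


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return xor_bytes(message, key)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Attack two ciphertexts that were made with the SAME pad.

    c1 ^ c2 == (m1 ^ k) ^ (m2 ^ k) == m1 ^ m2, so the key is gone.  Sliding a
    guessed word over that XOR and keeping the offsets where the result is
    printable text yields candidate fragments of the other message.
    """
    diff = xor_bytes(c1, c2)
    hits = []
    for i in range(len(diff) - len(crib) + 1):
        window = xor_bytes(diff[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in window):  # printable ASCII: plausible plaintext
            hits.append((i, window.decode("ascii")))
    return hits


# Constructed sample messages for the demonstration.
MESSAGE_1 = b"Meet me at nine; bring the documents."
MESSAGE_2 = b"The courier will arrive at eleven tomorrow."
CRIB = b"documents"


def demo() -> dict:
    """Correct use (one key per message) next to the key-reuse mistake."""
    k1 = otp_keygen(len(MESSAGE_1))
    round_trip_ok = otp_decrypt(otp_encrypt(MESSAGE_1, k1), k1) == MESSAGE_1

    shared = otp_keygen(max(len(MESSAGE_1), len(MESSAGE_2)))  # the mistake: one pad, two messages
    c1 = otp_encrypt(MESSAGE_1, shared)
    c2 = otp_encrypt(MESSAGE_2, shared)
    key_cancelled = xor_bytes(c1, c2) == xor_bytes(MESSAGE_1, MESSAGE_2)

    pos = MESSAGE_1.index(CRIB)
    leaked = MESSAGE_2[pos:pos + len(CRIB)].decode("ascii")
    hits = crib_drag(c1, c2, CRIB)
    return {
        "round_trip_ok": round_trip_ok,
        "key_cancelled": key_cancelled,
        "crib_offset": pos,
        "leaked_fragment": leaked,
        "crib_found": (pos, leaked) in hits,
        "candidates": len(hits),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The crib drag returns some false candidates as well as the true one (short cribs over ASCII text produce printable windows fairly often), which is why the attack is done interactively, extending the crib with whatever fragment looks like English and repeating. The practical lesson is the one behind the comment's "assuming the hardware is secure": the pad is only unbreakable if key generation, key distribution and the discipline of never reusing a pad all hold, and none of those are problems the algorithm solves for you.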