There is an illusion of digital privacy & security

Do repost and rate:

Everyone is anyhow connected to the world's internet of things (IoT). Giving the user possibility to deliver a message, share a thought, describe the experience, journeys, share data and more. It might be nudes, might be your activity of buying your first drug to try out. Or maybe – your business service is connected to processing or working on sensitive data from the Clients. In any case, we generate so much data nowadays online like never before. For generating so much information, everyone must feel responsible for it. There are also consequences for putting that information on internet. On IoT, you might think that your computer or mobile phone is safe to possess your data from other eyes. But you are far from that. There is currently just an illusion of how safe, secure, and private we are on the internet.

Big tech companies control most of the data—controls on what kind of Policy you should always agree with. And you, as a user and a business user, can be trapped. Why? Simply because everyone else around you is using the same thing! Depending on the large corporates& the brand. Depending on solutions that are by default "data mining machines" that turn your precious sensitive information into their business and power model.

There are a lot of ways on how to use the collected data. What are those ways? Before hopping into that, we need to understand that privacy is not only a human right but also a vital utility. Without privacy, users and companies are in danger of damaging their social presence and life, finances, data control, and identity control (impersonation risk), having the chance to blackmail or extort you.

After collecting raw data, it is being segmented and analyzed. After some quick reviews, they can already make the first conclusions out of it. These conclusions can lead to on how to:

  1. Manipulate the social masses
  2. Know what the pool intelligence is “thinking”
  3. Knows precisely what you like, dislike, would pay, not pay for, what is the interest of you and what is not
  4. Knows how to turn this into a political instrument
  5. Can amend the public info and even manipulate the truth
  6. Marketing material
  7. And much more!

The team at Altermail has done great work on creating this little research, based on facts and technological overviews from multiple resources, engaged into one that will serve as a blueprint for anyone who seeks an alternative in the wild-west of IoT.

We will be looking at the following topics:

  1. E2EE, PGP, and facts
  2. Protonmail study case
  3. Signal, Telegram, Whatsapp

E2EE / PGP and facts

According to Kahina Khacef , Guy Pujolle  Public Key Infrastructure (PKI) is a significant component in resolving network authentication and guarantees to trust a certificate signed by a certification authority (CA). A new concept named web of trust for his Good Privacy (PGP) encryption program uses PKI to provide confidentiality with encryption, authentication via the signature, and web of trust via identity validation from peers. The certificates authenticate the public keys and allow you to perform cryptographic operations, such as encryption and digital signing. As authentication and identity validation is centralized in the PKI, that creates single points of failure. A vulnerability called EFAIL turns encrypted emails into plain text. This method impacted PGP (pretty-good-privacy). Email: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels research was already carried out in 2018 by the Advanced computing systems association.

Thomas Ptacek researched PGP and how unsafe it is. Email is insecure. Even with PGP, it’s default-plaintext, which means that even if you do everything right, some reasonable person you mail, doing reasonable things, will invariably CC the quoted plaintext of your encrypted message to someone else (we don’t know a PGP email user who hasn’t seen this happen). PGP email is forward-insecure. Email metadata, including the subject (which is message content), is always plaintext.

Another significant aspect is the encryption itself. Already in late 2013, there were warnings not to use RSA encryption. Amidst all of the confusion and concern over an encryption algorithm that may contain an NSA backdoor, RSA Security released an advisory to developer customers today, noting that the algorithm is the default in one of its toolkits and strongly advising them to stop using the algorithm. According to this article:  RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm.

PGP conflates non-repudiation and authentication.

"I send Bob an encrypted message that we should meet to discuss the suppression of free speech in our country. Bob obviously wants to be sure that the message is coming from me. Still, maybe Bob is a spy… and with PGP, the only way the message can easily be authenticated as being from me is if I cryptographically sign the message, creating persistent evidence of my words not just to Bob but to Everyone!"

TL;DR: I don't care. I've got nothing to hide.

So you think PGP is enough for you since you aren't saying anything confidential? Nobody cares how much you like to lie to yourself, stating you have nothing to hide. If that was the case, why don't you do it and show all your personal information on the street, as John Lennon used to ask?

It's not about you; it's about your civic duty not to be a member of a predictable populace. If somebody can know all your preferences, habits, and political views, you are causing damage to a democratic society. That's why it is not enough that you are covering naughty parts of yourself with a bit of PGP, if all the rest of it is still in the nude. Start feeling guilty. Now.

It's also about your entire social environment. Your friends, your family deserves better than to end up in XKEYSCORE. You have no right to waive away their privacy. Each time you log in to Facebook or Whatsapp, you are committing a felony against them.

The Bootstrap Fallacy: But my friends already have email! But everyone I know already has email, so it is much easier to teach them to use PGP. Why would I want to teach them new software!?

That's a fallacy. The truth is, all people that want to start improving their privacy have to install new software. Be it on top of the super-surveilled email or safely independent from it. In any case, you will have to make a safe exchange of the public keys, and email won't be beneficial at that. In fact, you make it easy for Mallory to connect your identity to your public key for all future times.

So installing a brand new software that only provides safe encrypted communications is a less complicated change of habits than trying to fix the email system and then learning how to use PGP without messing it up. If you think your email consumption set-up is so unique and you don't want to start all over with a completely different kind of software, look out for tools that let you use other alternatives on top - not the other way around. You can learn more here on other reasons why PGP and SMTP/TLS are not safe.

And about some fun facts?

  • Impact: 763 million users - In February 2019, email address validation service verifications.io exposed 763 million unique email addresses in a MongoDB instance that was left publicly facing with no password. Many records also included names, phone numbers, IP addresses, dates of birth and genders.
  • March 2014. Impact: 91 million users - A dump of 91 million accounts from Rambler ("Russian Yahoo") was traded online containing usernames (that form part of a Rambler email) and plain text passwords
  • 2021, Microsoft, at least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber-espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group exploits four newly-discovered flaws in Microsoft Exchange Server email software. It has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total remote control over affected systems.
  • January 22, 2020: 250 million customer service and support records were breached all the way back to 2005. Microsoft has said that only email addresses and IP addresses were exposed, but security researchers believe it goes beyond that. According to Microsoft, the records were not publicly available as they were stored on an internal database and were only exposed for just under a month.
  • In June 2019, a new vulnerability was found in 57% of the world's email servers, allowing attackers to run commands on the server as an admin. Simply an attacker could run any command they wanted, such as downloading all emails, or all attachments in emails.
  • Phil Zimmermann, the cryptographer who invented PGP, stopped using it years ago. Zimmermann tried to use it once again a few months ago but was put off by the fact that his email client on macOS wasn't able to import his old keys, for some reason.
  • “When something goes wrong with WhatsApp, WhatsApp fixes it”. “When something goes wrong in the amorphous PGP community, no one puts their hand up to fix it. Individually, people think about the security of their tools. They don't think about the whole system."
  • We could start thinking that E2EE is the ultimate solution to our security needs. However, that may not exactly be the case at the moment. E2EE has its limitations. Users of E2EE (and client-side encryption) can no longer use the Big Data services offered by certain providers. For example, service providers like Gmail or Facebook provide additional services instead of just being a box that holds email or other communication. Gmail reviews the inbox and runs a spam filter to determine whether a given message is junk or spam. Gmail also indexes your email so you can quickly perform a search. It looks at an email's content in order to understand its importance and lets users create filters that automatically perform actions based on the content. All of these features rely on having access to, and being able to understand, your email.

Protonmail study case

The recent events in Belarus led to the question of the Protonmail stance on security and privacy. The Belarusian authorities on May 23 received a warning in an email from Switzerland about a bomb on a Ryanair flight from Athens to Vilnius. The plane was then escorted by a Belarusian fighter jet to Minsk. When the plane landed, a journalist critical of Lukashenka and his girlfriend were immediately detained by police. No bomb was found on the aircraft, which hours later traveled onward to its original destination. "We haven't seen credible evidence that the Belarusian claims are true," ProtonMail, a division of Swiss-based Proton Technologies, said in a May 27 statement, adding that the email was sent after the aircraft had been forced to change course.

ProtonMail said it will assist European authorities in investigating the incident, which has sparked global outrage.

In light of the above, ProtonMail's neutrality seems to be quite questionable. That lets me doubt that its service and products are as secure as it claims. You might want to read the full story here on what happened exactly that day in Belarus landing.

There have been other Swiss providers of encryption technology and services who had made false claims about their neutrality. Their claims about the security of the encryption services they provided turned out to be false.

Last year this led to headlines like these:

  • CIA and German intelligence agency secretly owned Swiss encryption company used by 120 governments– Telegraph
  • Swiss report reveals new details on CIA spying operation– MSN / Washington Post
  • Report Claims CIA Controlled Second Swiss Encryption Firm– AFP / Barrons

Do people realize what kind of services they are using? I doubt so. This proves that there is an illusion of privacy and security.

 

Signal, Telegram & Whatsapp – what all they have in common?

Let's start with the E2EE that we supposedly mentioned is not safe and has many vulnerabilities.

All these applications have a lot of things in common. You need to add your phone number. There might be a possibility just to use new phone number and dump it. But do you think most of the users are doing that? Not really. Connecting your phone number to any service already connects your possible profile and identity on IoT.

What about security protocols?

Let's have quick due diligence. Signal uses TextSecure Protocol. Open Whisper Systems developed this protocol. Later this protocol was developed and used for Signal. Furthermore, the same protocol is used for Whatsapp, Facebook Messenger & Skype. Ok, so what? If someone can break through Whatsapp, they can do the same on the other solution providers (again, it depends, and we should follow up on this later on).

Let’s see the funding side: all of these messengers are for free. Where then they monetize the business to give the service to millions of users? In 2018, Acton invested $50 million in Signal Foundation. This case is understandable, but the money burns heavily, and relying on donations can be a questionable business model, and the long-term perspective is not safe for the users. Why? Stopping the services, somewhere, the files will be dumped. Who will have the access? What will happen in the future? You can only ask the magic 8'ball. The Whatsapp - The way WhatsApp used to make money was through a subscription model. At first, it cost like one dollar. Facebook eventually removed the $1 fee and did WhatsApp a free service, with the idea that users would communicate with businesses through it, and companies would pick up the cost. But the business costs are only the service to support customers' inquiries and chatting with them. Also, being reliable from Facebook funding is questionable. After Facebook–Cambridge Analytica data scandal, the reliability of Facebook decreased, and public trust in handling the data.

Connecting the dots, Facebook does not care about privacy. They bought Whatsapp. Then Whatsapp loans zero-interest loans to Signal, etc. Are they mining the data from other users? We can not prove it yet, but you understand where it is going. ;)

Is there any other alternative? Yes, there are. One of them is Altermail, A Decentralized Messaging Service dApp on Secret Network. You can read more about us on Secret Network published blog post here.

Shhh..... it's a secret!

 https://www.publish0x.com

Regulation and Society adoption

Ждем новостей

Нет новых страниц

Следующая новость

All content provided by the site, hyperlinks, related applications, forums, blogs, social networks and other information is taken from third-party sources and is intended for reference only. We make no warranties with respect to our content, including but not limited to accuracy and timeliness. No part of the content we provide is financial advice, legal advice or any other form of advice intended for any of your personal purpose. Any use of our content is entirely at your own risk. You should conduct your own research, review, analysis and verification of our content before relying on them. Trading is a very risky activity that can lead to large losses, so consult your financial Advisor before making any decision. No content on our site is a public offer or invitation to action.

This resource may contain 18+materials

© 2016-2024