DEV Community

Toma

Internet Security Illusions

If you think the Internet is “Secure”, you are blinded, lied to, delusional, ignorant (which is OK, nobody could know everything in the world, especially if you are focused on a non-tech area), or just plain stupid. I am also not saying that you should stress yourself about security more than some bare minimum.

As an end user consuming Internet sites, services and applications, there is one thing you could do that should leave you very calm and relatively secure: have a (complex) password for your computer that you change once in a while, a PIN code or fingerprint for your phone, a different complex password for every site, and two pass authentication (the temporary 6 digit code) for services that offer it, required for login or for some special operations within the sites. After that, even if the passwords leak, you should be OK.

If you're not doing anything illegal, or even if you are doing something illegal but on a small scale, or you are not interfering with high powers, local politics or global politics, you more or less should not care about the technical illusions that I’ll describe below. They are the holes that are used by the hackers and the secret services to get into your “house”. If you are an application or internet security guy, or a hacker, you are probably using some of those.

Internet Service Provider – The Internet comes to your home through a company that is licensed to provide Internet access. You may get it via cable or through the low Earth orbit satellite (GSM Providers). The type of the connection doesn’t matter. This company is the starting point that floods all your activity to the “ocean”. It is, in theory and in practice, a weak point. If someone at that node has access to the hardware or software there, he could attach himself to all the traffic you “produce”. In China, the state monitors all the Internet traffic. That's why, as I heard, an app that uses Bluetooth is becoming popular in areas with civil uprising, because with it, all the communication is truly (at the software and the hardware level) Peer to Peer.

Network around the world – The zeros and ones travel all around the world through the satellites or through optical or LAN cables. It may be just bigger Internet Providers, or just hardware and/or software that is owned by the governments or built and contracted to be used by many corporations. This again is a weak point. Just an example: recently I read that Russian submarines were trying to attach to the optical cable that goes between Europe and America.

DNS – To be user friendly and usable to non-technical people, there are services that translate names to IP addresses. If someone hacks them or just is ill-advised, they could place themselves between the consumers and the sites.

SSL – The same goes for the encryption between the users and the sites/services/servers. If the web platforms don’t have a certificate installed, all the traffic goes through the pipes readable by anyone without additional effort. The thing is, for your browser to interpret the certificate as valid, it must be purchased from intermediate authorities. If you are big enough and have enough money, you could be, or build, such an authority. If not, you (as a site owner or user) are open to a third party organization that could potentially leak the keys that will make decrypting much, much easier.

Operating System – With closed-source Operating Systems like Windows and MacOS, there is a theoretical probability that Apple and Microsoft have placed some loophole for the secret services or for themselves. For Open Source OSes, there were such rumors for Ubuntu, and there is a very big chance that, using the source of Android, the Smartphone providers from all around the world are putting some additional software on the devices. Having Americans afraid of Chinese phones and other types of devices should turn your lamp on that probably all of them embed some hole servicing some secret political and even above political interest.

Applications – The Application layer probably could be compared to a Swiss cheese full of security issues. There are a ton of holes depending on programming languages (+versions), application server and database server versions, insecure administrator setups, application developer bugs and craters etc.

Browser – Browsers are one of the most used types of applications, and they are a very big weak point that makes security impossible. Besides hackers, there could theoretically be communication between the installations and the creator of the browsers (since the final, non-encrypted result is displayed to the users by the browsers).

There was information that even the hardware vendors provide some very low level software, running below whatever operating system the users have installed, that has holes in it. You can follow the best practices, have fortress strong firewalls, monitoring tools, employees, etc., and when your hardware is breached, you are just like Achilles from the Trojan War.

Encryption – There is an endless battle between very, very smart individuals trying to transform the data in such a way that only the desired people are able to open it. There is also an advancement in hardware that makes the decryption easier. You know, it is all zeros and ones, heavy mathematical operations, and given enough chips, nothing is impossible.

For a small end user, it may take a year to uncover a simple message, but the same message could theoretically be made readable in 10 minutes by governments or corporations that have a lot of money to buy computers and even services outside of any government control, that have the technology, the power, the resources (like smart individuals or money) to do whatever they want. Remember, the Internet itself was born in the US Military research department. Who knows what type of hardware and software they have now?

Just one simple example that whatever anyone says means nothing: Mark said that there is End-to-End encryption of messages in his apps, and the news leaked the information that voice recordings were given to contractors. You can read about the Brute Force attack vulnerability of the asymmetric keys, the SSL (the basis of Internet Security); even the Signal Protocol that should have been secure is hack-able with enough hardware. Even Bitcoin is hack-able, but what is saving it is that it is distributed, and checked and prevented from harmful modification by the network all around the world.

Another driver of insecurity is the dominion of money over principles. In recent years some weak points were found in popular encryption libraries (heartbeat etc). While all the research is driven by some corporation looking for profit, or by a non-profit that will die without someone else's money (because even the developers with values, principles and dignity need to eat, and cannot do all of it themselves), all the good hackers, the guardians, are fighting against the wind.

So, all security is an illusion. Whether you get knowingly or unknowingly hacked is just a matter of how important you are and what you are doing. There is a saying in Bulgaria: If you were sitting peacefully, you wouldn’t see a miracle. Nobody is going to the caves so as not to live with technology. But if you are not doing anything deeply illegal or harmful, and have some basic security in place, you should not be afraid.
