YOU'RE NEVER ALONE
INTRO
Hi! What’s most important to you when it comes to your computer? That it works and, of course, that it’s fast... at least when it comes to the things that are important to you. That could be Facebook, Instagram, Twitter, and sometimes even an office package. If you’re a person in the IT sector, then most likely there are also your IDEs and various applications, perhaps even games. At some point, you would perhaps install a cleanup utility in order to improve your PC’s performance. Your PC probably has a lot of personal data... and I’m not just talking about music and films. I’m talking about photos and videos from family vacations, birthdays and other moments in your life. There may also be various private documents.
Have you ever asked yourself whether that data is truly private? Are you really the only one who has access to all the personal data on your PC?
Do you ever think about your online privacy and security? Many of us are not aware that online privacy is just as important as “real life” privacy. It’s about time we stopped separating “virtual” from “real”. Would you leave the doors of your home unlocked? Your car? Would you go to work and leave the windows of your house wide open?
Online illegal activities probably happen more frequently than in the physical world. Who are the targets? Everyone! Most viruses and other malware are programmed to search for specified criteria, which are related to specific software, not individuals. Therefore, the target in question could be your operating system, some application that you are using, your web browser, or even your movie player. Sometimes the goal is to incapacitate your computer or some application, but other times it could be to insert spyware which will live on your computer and collect your confidential information.
Unfortunately, it’s not until this actually happens, when your data is stolen and misused, that you start thinking about it. But isn’t it better to prevent than to treat? Funnily enough, laziness is the biggest problem for most people. For example, if I tell a person that there’s a super nifty application that will generate passwords and that they won’t have to remember passwords by heart because the app will store and encrypt them, a common answer is something like this: “I don’t need another application in my life and... how am I going to memorize a randomized password for my Facebook?”
I hope it’s clear that we’re talking about people who don’t really think much about their online privacy, possibly people who may be IT-oriented, but maybe not in that sense.
STAGE 1
At the first stage of awareness, you somehow hear (maybe someone has told you, or maybe you’ve read online) that there is really dangerous ransomware out there. This motivates you to install, in addition to your indispensable software and favorite games, something for security. Of course, there are various antivirus, firewall, and anti-spyware products to choose from. If you’re an OSX user, you probably only install the antivirus. You quickly notice that your computer is slower, that the firewall asks you to allow outbound and inbound connections for every new application, that you receive a message for every system update and for every avp database update, etc... Oh, what a pain, just because you heard about this dangerous ransomware...
At this stage you’ve probably started thinking about passwords as well. Maybe someone has explained to you what a brute-force attack is, and it becomes clear to you that it’s not enough to use your name backwards and add a number to create a password. The consequences of this are exemplified in these two stories, where a few months ago there was a massive leak of LinkedIn account credentials and of Yahoo credentials, which were posted on Pastebin and shared on forums.
STAGE 2
The next stage of awareness is when you start to be more cognizant of your privacy. Imagine that you’re surfing the web at your favorite cafe, drinking an americano and eating a delicious pastry. While you’re doing this, you may start checking whether a site you’re visiting has a green lock. In other words, whether the information transfer is HTTPS... does it have SSL encryption? If it doesn’t, a malicious user (who could actually be sitting at a table next to you) could see everything you’re doing, which may not seem scary if you’re reading the news (actually, even then it’s scary), but could be very serious and scary if you’re, for example, registering on some portal where you’re entering your personal information and/or credit card information.
There are ongoing discussions about the issue of operating system security. Is it beneficial to switch to the Linux operating system, if you’re not already a system admin or a developer who uses Linux? Of course it is. No one can guarantee that there won’t be security issues, but it’s widely known that it’s significantly less likely when compared to Windows OS, and even OSX. Although antivirus software exists for Linux, users confirm that it’s completely unnecessary, and Linux comes with a firewall by default.
Let me be clear, Linux is a free and open source operating system which is more secure than both Windows and OSX, but no one can confirm 100% that privacy on it is guaranteed, especially since privacy isn’t only dependent on the operating system, but also on the applications that are running on it. If a security issue exists in, let’s say, the Chrome web browser, then all users will be vulnerable regardless of their operating system. The important thing to note is that open source software doesn’t guarantee security, but it gives you the ability to confirm your security by checking the code, if you’re so able.
Maybe even more than our laptops or desktop computers, we use our mobile devices. For now, let’s assume we trust the OS on our phones. When you’re using your mobile device for communication, you may ask yourself, “Is it secure? Can someone view what I’m texting to my best friend? Are the photos and videos I send to my friends and family only going to them?” You can find a list of messaging apps and their secure messaging scores here. Additionally, there are many applications like Jitsi and Ring, which use the XMPP protocol, OTR and various encryption protocols that provide message security, with the help of which we can stay anonymous.
Where does this lead to? To paranoia? Who is following me and eavesdropping? Why use all this? Does it make sense?
STAGE 3
All of this leads to the conclusion that absolute online privacy doesn’t exist. Over the past few years, super-secure operating systems have appeared (of course, they’re mostly Linux distributions), with additional security measures. The leader is Qubes OS (a reasonably secure operating system), then projects like Subgraph OS and the like. They use encryption by default and isolate each application into a separate virtual machine so that an application's failure cannot affect the others. There are also non-permanent distributions, such as Tails, that guarantee anonymity. But one wonders if that’s really the case. Even Mr. Snowden once wrongly thought he could remain anonymous, but you might be better off watching the movie to delve further into that.
Let's get back to the subject of mobile phones. It’s not enough to use secure apps if the OS they’re running on is vulnerable. There are a lot of articles that tell us that the Android OS has more flaws than we think - intentionally (despite the fact that Linux makes up its base). As a solution, perhaps you decide to put some custom ROM / firmware on your phone. Until recently, this solution would have been in the form of CyanogenMod, now called LineageOS. However, we also have to consider our hardware. Do we know what’s on our SIM card? A very interesting story was told at the DEF CON conference - The Secret Life of SIM Cards, exactly on this topic.
What do we know about hardware? And I don’t just mean phones. I’m referring to our computers, but also to our smart TVs. Is there a dedicated backdoor on our network adapter? Something else? A processor? Open source hardware solutions enter the scene! Although there is no need to single out specific solutions (most are open source), I will mention the BeagleBoard dev board and the educational open source hardware OLinuXino. The only thing that open source hardware lacks is an open source CPU. This is unfortunate, since there have been many announcements about random and *deliberate* failures in the CPU, and since the CPU processes *all* information and *everything* that our system processes. These are not new topics and suggestions. This was talked about quite a long time ago, but only recently has this news come to 'ordinary' users (of course through WikiLeaks).
If you think that the solution is to only use your computer offline, I hate to disappoint you. Even then, you cannot be sure because there are techniques for stealing data in offline mode. Maybe the main question here should be - are you a person of interest? Mr. Aluc spoke about this at the BalCCon Conference in 2016, and he gave many examples. Unfortunately, his speech is not available online.
We must keep in mind that everything that a man has programmed can be hacked. I hope that after this (gentle) introduction you have not remained fearless. I don’t want to scare you, I just want to warn you - you are never alone.