
robertogreco : malware   4

Seeing Like a Network — The Message — Medium
"Practical privacy and security is just a part of digital literacy. Right now, for most people, learning how their computers work seems hard enough, learning how the network works seems impossible. But it’s not, it’s just learning a new perspective about the world we live in.

A lot of us are scared of computer threats, networks, and the internet, but we don’t have to be. The new tools we use every day should be scary exactly the same way being handed a free Ferrari is scary. Kind of intimidating, but mostly awesome. And you’ll have to learn a thing or two in order to not end up wrapped around a tree.

Digital literacy is getting a sense of your networks. It’s like learning a new city, invisible but beautiful, and baffling when you don’t know how a new city works. But then, as you roam around, it can start to make sense. You get more comfortable, and in time, your rhythms come together with its, and you can feel the city. You can cross the street safely and get what you need from the city. You can make friends there, and find safety, and love, and community. We all live in this common city now, and we just need to learn to see it.

We live in an age of networks, and it’s an amazing age."



"The internet and its constant signals are based on a simple way of passing around information. It’s called packet switching and it’s a lot like passing notes in 8th grade homeroom — it can take a while, and go through a lot of hands. From the moment you start your computer, it’s reporting in with all sorts of things on the net, but instead of one long note, computers pass out many tiny notes called packets. You don’t want to look at all those notes, either on the net or even the ones your own computer is sending and receiving anymore than you want to study whales by looking at their cells. (Which is to say sometimes you do, but you don’t really see the whole whale that way.)"



"The main tool computers have to communicate privately is cryptography. It’s taking things and scrambling them up (encrypting them) with a mathematical key, which only the computer on other side of the net which you’re sending the message to can decrypt.

It’s exactly like writing things in code, but codes you only share with the person or machine you want to be able to read them, or that you want to be able to read yours.

You use encryption all the time, you use it whenever the browser address is given in https instead of http. (We call this SSL, because computer scientists are terrible at naming things.) Just like 8th grade homeroom, on a network where everyone shares the same space, encryption is the only way to ever be private. (Encryption is largely based on something else you discovered in school: some math is really easy to do, but undoing it is really hard. Remember how you got the hang of your multiplication tables, but then along came division and factoring, and it was much harder and just sucked? Turns out computers feel exactly the same way.)

Every message you send out, whether it’s one you see or one you don’t, has your identity tied to it, and every one you get also tells the story of where it’s from and what it’s doing. That’s all before you get to the message you care about — that’s still all metadata. Inside of messages is media, the words and pictures we think of as our information.

What do passwords have to do with cryptography?

Nothing. In fact, if you go back to passing notes in class, passwords can get passed around in the clear text like anything else. Passwords authenticate you, they tell the computer that you are who you say you are, but they don’t encrypt or hide or secure you in any way. That’s why you need your passwords to be encrypted before they go online. Authentication is very important for getting things done on a network, since anyone can say they’re you, and because computers are fast, they can say it 6 million times in a row until they get believed. This is why we talk about multiple factors of authentication. A password is a thing you know, but when you turn on two factor authentication on Google, Facebook, Twitter, etc — which you should do — the other side of the network relies on both something you know and something you have, like your cellphone. That means in order to break your security and privacy, a thief would have to know your password and have your phone. This is a lot harder, and makes the majority of attacks go away.

Why do we constantly tell people not to reuse passwords? Because you have to trust the people who save it on the other side of the network to not screw up, and the network not to expose the password in transit. That’s a lot of trust, and your casual gaming site isn’t going to work as hard to protect you as your bank is, so don’t use your bank password to save your Bejeweled scores."



"You are the immensely powerful Master of the genie in your life, your computer. You are a magic person to your computer, which we call the administrator, or sometimes superuser, or root, instead of Supreme Master of the Universe, as it should be. (Again, computer scientists missed the ball on naming things) You have the right to do anything you want on your computer, which is fantastic. You can take pictures and talk with people and record everything you do and tell the world everything you want. You can use it to paint and talk and record your innermost thoughts and even make another computer inside this computer, because you still have infinite wishes. This is one of the most powerful things humans ever created, and you’re currently surrounded by them, and the total master of yours.

But that means that anything that pretends to be you also has the right to do all those things. That’s where problems come in — where things come to your computer and pretend to be you. We have many names for these things, they are viruses, trojans, spyware, malware, etc. They can record everything you do, take pictures, tell the world, and even make another computer inside your computer — but only because you can do those things. They can only steal your power by imitating you."



"Your computer is a powerful genie of copying and calculating that you are the absolute master of, talking to a world full of other genies, connecting you to all the information and people in the world. Our networks are literally awesome — so huge and powerful and inspiring of awe that it’s a bit scary. It’s a cool time to be alive.

The End of the Beginning
The best part of learning to deal with all the scary threats scaring these days isn’t that you learn how to avoid threats, it’s that you learn how to use these amazing, outlandish super powers being part of networks gives you.

It’s the first days of the internet, but the truth is, that this is better for normal people than for the megapowerful. The network is ultimately not doing a favor for those in power, even if they think they’ve mastered it for now. It increases their power a bit, it increases the power of individuals immeasurably. We just have to learn to live in the age of networks."
quinnnorton  2014  networks  networkliteracy  literacies  multiliteracies  infrastrcture  internet  online  privacy  fear  security  learning  digital  copying  phishing  malware  viruses  trojans  passwords  cryptography 
august 2014 by robertogreco
The Nightmare on Connected Home Street | Gadget Lab | WIRED
"I wake up at four to some old-timey dubstep spewing from my pillows. The lights are flashing. My alarm clock is blasting Skrillex or Deadmau5 or something, I don’t know. I never listened to dubstep, and in fact the entire genre is on my banned list. You see, my house has a virus again.

Technically it’s malware. But there’s no patch yet, and pretty much everyone’s got it. Homes up and down the block are lit up, even at this early hour. Thankfully this one is fairly benign. It sets off the alarm with music I blacklisted decades ago on Pandora. It takes a picture of me as I get out of the shower every morning and uploads it to Facebook. No big deal.

I don’t sleep well anyway, and already had my Dropcam Total Home Immersion account hacked, so I’m basically embarrassment-proof. And anyway, who doesn’t have nudes online? Now, Wat3ryWorm, that was nasty. That was the one with the 0-day that set off everyone’s sprinkler systems on Christmas morning back in ’22. It did billions of dollars in damage.

Going back to sleep would be impossible at this point, so I drag myself into the kitchen to make coffee. I know this sounds weird, but I actually brew coffee with a real kettle. The automatic coffee machine is offline. I had to pull its plug because it was DDOSing a gaming server in Singapore. Basically, my home is a botnet. The whole situation makes me regret the operating system I installed years ago, but there’s not much I can do. I’m pretty much stuck with it.



I sit down with my coffee and fire up the short throw projector embedded in the kitchen table. The news is depressing, so I flip through a Redfin search I started last night in bed. There are these houses up in Humboldt County that are listed in the inundation zone, so they were never required to upgrade. That was a cartography error; even if sea levels go up another 20 feet they would still be above the water line. They’re rustic, and don’t even have high energy automobile docks. But the idea of getting off the grid really appeals to me, even if it’s just a fantasy.

The skylights open up. The toaster switches on. I hear the shower kick in from the other room. It’s morning."
automation  iot  mathonan  2014  speculativefiction  smarthomes  malware  technology  caution  internetofthings 
july 2014 by robertogreco
Everything Is Broken — The Message — Medium
"It was my exasperated acknowledgement that looking for good software to count on has been a losing battle. Written by people with either no time or no money, most software gets shipped the moment it works well enough to let someone go home and see their family. What we get is mostly terrible.

Software is so bad because it’s so complex, and because it’s trying to talk to other programs on the same computer, or over connections to other computers. Even your computer is kind of more than one computer, boxes within boxes, and each one of those computers is full of little programs trying to coordinate their actions and talk to each other. Computers have gotten incredibly complex, while people have remained the same gray mud with pretensions of godhood.

Your average piece-of-shit Windows desktop is so complex that no one person on Earth really knows what all of it is doing, or how.

Now imagine billions of little unknowable boxes within boxes constantly trying to talk and coordinate tasks at around the same time, sharing bits of data and passing commands around from the smallest little program to something huge, like a browser — that’s the internet. All of that has to happen nearly simultaneously and smoothly, or you throw a hissy fit because the shopping cart forgot about your movie tickets.

We often point out that the phone you mostly play casual games on and keep dropping in the toilet at bars is more powerful than all the computing we used to go to space for decades.

NASA had a huge staff of geniuses to understand and care for their software. Your phone has you.

Plus a system of automatic updates you keep putting off because you’re in the middle of Candy Crush Saga every time it asks.

Because of all this, security is terrible. Besides being riddled with annoying bugs and impossible dialogs, programs often have a special kind of hackable flaw called 0days by the security scene. No one can protect themselves from 0days. It’s their defining feature — 0 is the number of days you’ve had to deal with this form of attack. There are meh, not-so-terrible 0days, there are very bad 0days, and there are catastrophic 0days that hand the keys to the house to whomever strolls by. I promise that right now you are reading this on a device with all three types of 0days. “But, Quinn,” I can hear you say, “If no one knows about them how do you know I have them?” Because even okay software has to work with terrible software. The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting. It isn’t a matter of if you get owned, only a matter of when.

Look at it this way — every time you get a security update (seems almost daily on my Linux box), whatever is getting updated has been broken, lying there vulnerable, for who-knows-how-long. Sometimes days, sometimes years. Nobody really advertises that part of updates. People say “You should apply this, it’s a critical patch!” and leave off the “…because the developers fucked up so badly your children’s identities are probably being sold to the Estonian Mafia by smack addicted script kiddies right now.”



Recently an anonymous hacker wrote a script that took over embedded Linux devices. These owned computers scanned the whole rest of the internet and created a survey that told us more than we’d ever known about the shape of the internet. The little hacked boxes reported their data back (a full 10 TBs) and quietly deactivated the hack. It was a sweet and useful example of someone who hacked the planet to shit. If that malware had actually been malicious, we would have been so fucked.

This is because all computers are reliably this bad: the ones in hospitals and governments and banks, the ones in your phone, the ones that control light switches and smart meters and air traffic control systems. Industrial computers that maintain infrastructure and manufacturing are even worse. I don’t know all the details, but those who do are the most alcoholic and nihilistic people in computer security. Another friend of mine accidentally shut down a factory with a malformed ping at the beginning of a pen test. For those of you who don’t know, a ping is just about the smallest request you can send to another computer on the network. It took them a day to turn everything back on.

Computer experts like to pretend they use a whole different, more awesome class of software that they understand, that is made of shiny mathematical perfection and whose interfaces happen to have been shat out of the business end of choleric donkey. This is a lie. The main form of security this offers is through obscurity — so few people can use this software that there’s no point in building tools to attack it. Unless, like the NSA, you want to take over sysadmins."



"When we tell you to apply updates we are not telling you to mend your ship. We are telling you to keep bailing before the water gets to your neck.

To step back a bit from this scene of horror and mayhem, let me say that things are better than they used to be. We have tools that we didn’t in the 1990s, like sandboxing, that keep the idiotically written programs where they can’t do as much harm. (Sandboxing keeps a program in an artificially small part of the computer, cutting it off from all the other little programs, or cleaning up anything it tries to do before anything else sees it.)

Certain whole classes of terrible bugs have been sent the way of smallpox. Security is taken more seriously than ever before, and there’s a network of people responding to malware around the clock. But they can’t really keep up. The ecosystem of these problems is so much bigger than it was even ten years ago that it’s hard to feel like we’re making progress.

People, as well, are broken.

“I trust you…” was my least favorite thing to hear from my sources in Anonymous. Inevitably it was followed by some piece of information they shouldn’t have been telling me. It is the most natural and human thing to share something personal with someone you are learning to trust. But in exasperation I kept trying to remind Anons they were connecting to a computer, relaying through countless servers, switches, routers, cables, wireless links, and finally to my highly targeted computer, before they were connecting to another human being. All of this was happening in the time it takes one person to draw in a deep, committal breath. It’s obvious to say, but bears repeating: humans were not built to think this way.

Everyone fails to use software correctly. Absolutely everyone, fucks up. OTR doesn’t encrypt until after the first message, a fact that leading security professionals and hackers subject to 20-country manhunts consistently forget. Managing all the encryption and decryption keys you need to keep your data safe across multiple devices, sites, and accounts is theoretically possible, in the same way performing an appendectomy on yourself is theoretically possible. This one guy did it once in Antarctica, why can’t you?

Every malware expert I know has lost track of what some file is, clicked on it to see, and then realized they’d executed some malware they were supposed to be examining. I know this because I did it once with a PDF I knew had something bad in it. My friends laughed at me, then all quietly confessed they’d done the same thing. If some of the best malware reversers around can’t keep track of their malicious files, what hope do your parents have against that e-card that is allegedly from you?"



"Security and privacy experts harangue the public about metadata and networked sharing, but keeping track of these things is about as natural as doing blood panels on yourself every morning, and about as easy. The risks on a societal level from giving up our privacy are terrible. Yet the consequences of not doing so on an individual basis are immediately crippling. The whole thing is a shitty battle of attrition between what we all want for ourselves and our families and the ways we need community to survive as humans — a Mexican stand off monetized by corporations and monitored by governments.

I live in this stuff, and I’m no better. Once when I had to step through a process to verify myself to a secretive source. I had to take a series of pictures showing my location and the date. I uploaded them, and was allowed to proceed with my interview. It turns out none of my verification had come through, because I’d failed to let the upload complete before nervously shutting down my computer. “Why did you let me through?” I asked the source. “Because only you would have been that stupid,” my source told me.

Touché.

But if I can’t do this, as a relatively well trained adult who pays attention to these issues all the damn time, what chance do people with real jobs and real lives have?

In the end, it’s culture that’s broken.

A few years ago, I went to several well respected people who work in privacy and security software and asked them a question.

First, I had to explain something:

“Most of the world does not have install privileges on the computer they are using.”
That is, most people using a computer in the world don’t own the computer they are using. Whether it’s in a cafe, or school, or work, for a huge portion of the world, installing a desktop application isn’t a straightforward option. Every week or two, I was being contacted by people desperate for better security and privacy options, and I would try to help them. I’d start, “Download th…” and then we’d stop. The next thing people would tell me they couldn’t install software on their computers. Usually this was because an IT department somewhere was limiting their rights as a part of managing a network. These people needed tools that worked with what they had access to, mostly a browser.

So the question I put to hackers… [more]
quinnnorton  privacy  security  software  2014  heartbleed  otr  libpurple  malware  computers  computing  networks  nsa  fbi 
may 2014 by robertogreco
