THE PROBLEM
Intro: Open source + End-To-End Encryption + hardened devices + different hardware vendors
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

THE PROBLEM: OLD-SCHOOL IT SECURITY

Unverifiable solutions

Strings attached / Mothership

= Imaginary security

Because proof of trust is better than

The cybersecurity level of any closed source or black box solution cannot be verified, hence their "cybersecurity level" is purely created by the company's marketing department. Be careful.

Mothership(s) included. Third party server / backend solutions which are not under your control and are physically located in an unknown place & country. Massive information leakage + unknown usage of your data. Perfect for state and/or privately funded IT criminals.

CyberSecurity? Anonymity? Privacy? You. Your family. Your customers. Your clients. Blind trust required. These sorts of solutions cost a lot of money yet cannot ever form a truly trustworthy platform since they cannot be verified. So what have you really gained?

Imagine buying an apartment that has extra doors in each room which you are unable to open. Yet unknown persons travel through them all the time. Why worry?

For our solutions to the problem, visit our Solutions page.

For more IT security and privacy related links, visit our Links page.

B2B: Business to business

E2E encryption: End-to-end encryption

GSM: Global System for Mobile Communications

HaaS: Hardware As A Service

Hardening computing: Making devices more safe & locked down

HW: Hardware

ICT: Information and Communications Technology

IDS: Intrusion detection system

IPS: Intrusion prevention system

MMS: Multimedia Messaging Service

PGP: Pretty Good Privacy

RTC: Real-Time Communication (multimedia and audio via VoIP)

SaaS: Software As A Service

SMS: Short Message Service

SW: Software

VoIP: Voice Over IP

VPN: Virtual Private Network

Table of Contents

  1. Endpoint security
  2. Third party central server security
  3. Some words on trust
  4. Cybersecurity Breaches
  5. The problem, Part II (The long version)
  6. Next steps

The Problem - Part II: The longer and more in-depth version

ENDPOINT SECURITY  

What do you think Mr Snowden is referring to by "endpoint security" and "terrifically weak" in the quote above? He is of course talking about most modern mobiles, laptops and personal computers (closed source & closed box unverifiable technology).

These devices are only as "secure" as the producers of the devices say that they are (NOTE: Words are good, but words + proof would be even better):

How much do you think encryption can help if your adversaries can see / hear what you can after decrypting a message / voice call? Answer: no encryption in the whole world can help you if your platform is owned.

The high-level solution to that problem is simple: make sure that you

  1. Own the HW +
  2. Keep it at a safe place-X / safe hands +
  3. Use open & verifiable solutions +
  4. Use secure passphrases and basic OPSEC +
  5. Keep an open eye on / monitor your devices

... And you should be on the right track.

    WARNING: crypto sandcastles

    Unless your secure solution consists of a...

    properly implemented strong crypto solution in combination with a...
    properly implemented endpoint system

    odds are that you are building crypto sandcastles on a beautiful beach....

    Rationale:

    Secure software-X + iPhone / Android / Microsoft Phone (which are doing XYZ behind your back) == Still not safe, too many unknowns!

    WARNING: THIRD PARTY CLOUD / VM SOLUTIONS = PRIVACY ISSUES

    We can also use your wanted cloud or VM solution for our server-parts but it is strongly recommended that you physically own that system!

    Rationale: Third party hardware solutions - Major security risk!

    • The one who owns the HW, owns the whole machine (cloud / VM / container)
    • Direct HW access, RAM & HDD/SSD (untraceable monitoring)
    • You are leasing your apartment and your landlord has the keys to all of your doors (TM)

    Amazing scalable technology that comes with a catch...

    AWS / Azure / Google Cloud etc are amazing solutions which make it possible to quickly deploy massive virtual IT infrastructures for a small:ish price. Note however that what you gain in initial price & setup time - you lose in privacy. And the long-term price for using a big AWS system might end up being bigger than running your own cloud / systems from the start. YMMV.

    Think: Where are your hosts physically stored? In what country? Under what ICT laws? Who has access to your systems? Can you ever migrate somewhere else or is this a vendor lock-in?

THIRD PARTY CENTRAL SERVER SECURITY  

The problem is of course a lot bigger than just endpoint devices. The number of endpoint devices is breathtakingly huge and they vary a lot both in software and hardware. This quickly makes the surveillance / hacking very expensive and difficult to maintain.

The solution is simple, effective & beautiful:

Go for the central parts of the system, then zoom in on the devices that are of interest...

This pretty much summarizes what has been going on since at least 2007.

For a quick brush-up on the subject, have a look at The Guardian's old (2013) yet excellent article about the subject:

NSA Prism program taps in to user data of Apple, Google and others

  • Top-secret Prism program claims direct access to servers of firms including Google, Apple and Facebook
  • Companies deny any knowledge of program in operation since 2007
To summarize:
  1. There's no such thing as a free lunch.
  2. If something is free, then you are the product.
  3. Actually, even if you pay for something, then you are still the product (err.. Customer ;-)

Hint: To see how deep the rabbit hole really goes, visit our Links page.

SOME WORDS ON TRUST  

So who and what can truly be trusted? The sad answer is very few things. There are at least two things that we can put our trust in, they are:

Mathematics / Encryption and

Open source.

The rationale for why mathematics, or more precisely encryption is mentioned is easy to understand:

  • It's a universal language which can independently be verified by anybody who understands the subject.
  • Encryption or cipher algorithms can independently be verified to produce random output by analysing their logic and testing the algorithm in action...

To better understand why open source is mentioned as the other trustworthy thing (Verifiable solutions) we just need to compare it to its counterpart: closed source development (Unverifiable solutions).

Open source vs. Closed source development

Let's say that both of these development models have produced a secure solution-X. And let's say that based on thorough and extensive testing both of them seem to work as they should. So the question is, in what way are these solutions different?

Mathematics + open source

Following the logic mentioned above we can conclude that: We can mathematically prove that an encryption or cipher algorithm does what it is supposed to do. When we combine that with the full source code of a given program (from start to finish) we get the complete package. In other words: We are able to prove that there are no backdoors or dark corners in an open source solution.

  • Everything can independently be verified by separate entities. Everything is auditable and repeatable.
    • Hence, the complete solution can independently be verified to be correctly implemented & secure.
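
Added example (not part of the original page and not code from any product mentioned on it): one way separate entities can verify a release is to build the published source themselves and compare the digest of their build with the binary that is actually shipped, repeated for every release. The rebuilder names, the version numbers and the byte strings are constructed for illustration, and the check assumes the build is deterministic.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_release(shipped_binary, rebuilder_digests, quorum=2):
    """Compare the shipped binary with digests that independent parties
    obtained by building the published source themselves."""
    shipped = sha256_hex(shipped_binary)
    agree = sorted(n for n, d in rebuilder_digests.items() if d == shipped)
    disagree = sorted(n for n in rebuilder_digests if n not in agree)
    return {
        "shipped_sha256": shipped,
        "agree": agree,
        "disagree": disagree,
        "verified": len(agree) >= quorum,
    }

# Constructed sample data: stand-ins for what a deterministic build of the
# public source produces for two releases.
BUILD_FROM_SOURCE = {
    "1.0": b"solution-x 1.0 built from public source",
    "1.1": b"solution-x 1.1 built from public source",
}

# Hypothetical independent rebuilders; each reports the digest of its own build.
REBUILDERS = {
    version: {name: sha256_hex(blob)
              for name in ("rebuilder-a", "rebuilder-b", "rebuilder-c")}
    for version, blob in BUILD_FROM_SOURCE.items()
}

# What is actually shipped: 1.0 matches the source, 1.1 carries extra bytes
# that are not in the published source.
SHIPPED = {
    "1.0": BUILD_FROM_SOURCE["1.0"],
    "1.1": BUILD_FROM_SOURCE["1.1"] + b"<bytes not in source>",
}

def audit_all_releases():
    # Every release is checked on its own: a verified 1.0 says nothing about 1.1.
    return {v: verify_release(SHIPPED[v], REBUILDERS[v]) for v in SHIPPED}

if __name__ == "__main__":
    for version, result in audit_all_releases().items():
        state = "verified" if result["verified"] else "MISMATCH"
        print(version, state, "agreeing rebuilders:", result["agree"])
```
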

Mathematics + closed source / black box solutions

A closed source or closed box solution that may seem to be working correctly, can in reality contain anything. Even if you would be allowed to audit the whole solution for a given release, the next release / update of that tool might (re-)introduce a new/old backdoor... You can never know.

  • If blind faith is what you're looking for, then look no further...
    • Hence, the whole solution cannot be verified, since we are not allowed to see the complete implementation.

CYBERSECURITY BREACHES

Losing data + Losing face + Economic Damages

Do you value your company's reputation? Do you value your customers and the data that you store about them? What happens if the media learns of a possible information leak / system hack on your side?

As of September 2017 just on the Windows -related case: + multiple weeks of downtime, , , off-line for days / weeks. Companies were back to using faxes, pen and paper.

Few companies want to admit that they have been hacked. Even fewer want to provide economic damage numbers. Experiencing a major cybersecurity breach can be a "we just went out of business" kind of problem for many companies... And yet, so many companies are placing all of their cybersecurity faith on empty promises. That's bold, but asking for trouble...

BACKGROUND - PART II

THE PROBLEM - THE LONG VERSION  

To properly understand the problem area, we need to take a couple of steps back and objectively analyze what we are facing, since at first glance you may not realize how deep the rabbit hole goes... Let's start from the bottom and go up from there. First things first. Let's talk a bit about ownership. That is, who is the true master of a given system and why.

Modern mobile phone example

We will be focusing on a modern mobile phone example but the same:ish rules apply for most modern mobile devices (pads, laptops etc).

The two rules of software & hardware ownership

SOFTWARE: The one who manages the software, owns the whole platform.

That's most likely not you, you mainly use it. Unless you are a developer, the real software manager is the phone's OS + its app store:

iOS / Apple Store, Android HW producer / Google play, Microsoft / Microsoft App Store, Blackberry OS / Blackberry Apps etc...

Think: They decide what is installed, how and from where. You just ask it to install/remove "something like that". So the true control is not in your hands even on this level. But more importantly...

HARDWARE: The one who owns the hardware, owns the whole machine.

Not you either, you may have paid for the mobile but it's a black box that you can't change... You don't even know what it's doing right now. The real HW owners are:

Apple, Android phone manufacturers, Microsoft, Blackberry etc...

Think: If somebody has physical access to your hardware (or multiple processors in your mobile's SoC that you don't have access to), they can see & hear anything you can. No encryption in the whole world can save you if your hardware is "owned".

The same is true for any virtual machine (VM) or cloud technology as well. It can never be secure unless you (A) own the hardware AND (B) keep the HW in a secure place where (C) nobody BUT "you" has physical access to it.

Make no mistake: The owner of the VM hosting hardware and/or VM host application has complete control over your VM client (memory, CPU etc).

To summarize:

You are merely a user of your modern and fancy mobile. For most users on most systems: The real control is somewhere else.

Defining the current situation + main problems

PROBLEM I

American companies' mobile phone dominance + Patriot Act + closed source + only few big players

  1. All American companies are bound by the Patriot Act and/or similar kind of pervasive laws.
    • NSA (and its collaborators) can get access to any data which was generated by you, as long as the mother company of the product that you are using is from the States.
    • Think: iCloud, Facebook, Twitter, Skype, Instagram, Amazon Virtual machines, Amazon cloud, Gmail, Gdrive, Google calendar, Outlook, Windows365, Microsoft Cloud/Azure, and so on...
    • It does not even matter if your data is "physically stored" in another country. The data is theirs for the taking. [ 1 ]
    • And if the data happens to be encrypted, the authorities will just try a little bit harder... [ 1, 2, 3, 4 ]
  2. The world's most bought mobile phones run OSes which are produced by American companies. [ 1 ]
  3. The biggest CPU and System On a Chip (SoC) producing companies are American or British
  4. All of the above companies use closed source + patented "black-boxed" technology.
To summarize:

  Privacy on most modern mobiles is an illusion.

Since all of these big and amazing companies are from the US, they are naturally bound by American law. This gives NSA and its associates a pretty scary opportunity: they can spy on the whole world... Completely "legally" of course™

It's also quite scary how few players are left on the mobile market these days. If you look at that from a diversity angle, creating an effective virus / malware or just finding a major bug / backdoor in one of these platforms can easily put hundreds of millions of users in harm's way... [ 1 ]

Bugs will always happen, that's just a hard fact of life. But when the stakes are this high (a country may get easy access to machines around the whole globe) one cannot rule out that closed source technology makes it possible to have as many kinder-eggs / backdoors as you wish... without anybody knowing anything.

Governments around the world (most specifically USA) are currently trying their best to create just that, "forced" backdoors in the biggest products. Or as they more nicely call it, the "secure golden key" model (meaning a backdoor which opens all doors in a selected product if a user has the "special encryption key"). Picture what happens when a single one of these "golden keys" leaks out into the wild for any big product chain (Think: Apple / Google / Cisco etc)... [ 1, 2, 3, 4 ]

PROBLEM II

Mobile Network Operators: Security holes / Bugs / Law officers + Non end-to-end encryption

The good news:
  • The data which is traveling in the air between your mobile and your mobile operator is encrypted (half of the encryption key is in your SIM card, the other half is in the possession of your mobile operator). For average Joe / Jolene this can still be considered quite safe. NOTE however that even this technology has been cracked / can be sidestepped. [ 1, 2 ]
The bad news:
  • Once your data is traveling inside the safety of the "operator's walls", it's all readable data again (No SIM card encryption anymore).
  • Meaning, anybody with the right access-rights to your operator's "Internal Network Systems" can now view all your network traffic in "clear-text" (Unless it was e2e encrypted before they got the data).
Your GSM operator has full access to:
  1. your voice calls (received / called numbers + timestamps as well as live listening abilities).
  2. your sent / received SMS/MMS...
  3. your current & previous IPs (that your operator has given to you)
  4. your current location (GSM Localization) [ 1 ].
    • They can even look up your past location as far as their logs go back...
  5. Your GSM operator is also required by law to store much of this information for a selected time... [ 1, 2 ] And last but not least...
  6. Your operator has full access to all of your non-encrypted IP traffic that passes through their system
    • The web-pages that you visit, the files / torrents that you download, all e-mails, messages from tool X, images, ftp, usernames, passwords etc... everything which is not encrypted can be monitored and stored.
    • Even your encrypted data can provide useful metadata to the operator. They may not see what you are "really up to" (since your IP packets' data part is encrypted) but they do see the IP end-points (your IP + remote IP) + packet time stamps and more... Even this data can be used against you.

Your operator is actively storing and viewing what you are doing all of the time. Be aware that they can connect everything back to you. If the right people with the right papers come knocking on their door, that data is theirs for the taking. Or even worse, somebody has illegally sneaked their way into the GSM operator systems... Be very careful how you use your mobile. [ 1, 2 ]
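
Added example (not part of the original page): what remains readable when every payload is encrypted. The flow records below are constructed, use documentation-range IP addresses, and contain only the fields the text names (end-points, time stamps, sizes); the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records as an on-path network could log them for TLS / VPN
# traffic: (timestamp, source IP, destination IP, destination port, bytes).
# There is no payload field because the payload is encrypted.
FLOWS = [
    ("2017-09-04T07:58:10", "192.0.2.10", "198.51.100.7", 443, 5200),
    ("2017-09-04T08:01:42", "192.0.2.10", "198.51.100.7", 443, 48100),
    ("2017-09-04T23:15:03", "192.0.2.10", "203.0.113.50", 1194, 910000),
    ("2017-09-05T07:59:30", "192.0.2.10", "198.51.100.7", 443, 5100),
    ("2017-09-05T12:00:00", "192.0.2.99", "198.51.100.7", 443, 300),
    ("2017-09-05T23:20:47", "192.0.2.10", "203.0.113.50", 1194, 1200000),
]

def metadata_profile(flows, subscriber_ip):
    """Group one subscriber's flows by remote end-point using headers only."""
    profile = defaultdict(lambda: {"flows": 0, "bytes": 0,
                                   "hours": set(), "days": set()})
    for ts, src, dst, port, size in flows:
        if src != subscriber_ip:
            continue  # traffic of another subscriber
        when = datetime.fromisoformat(ts)
        entry = profile[(dst, port)]
        entry["flows"] += 1
        entry["bytes"] += size
        entry["hours"].add(when.hour)
        entry["days"].add(when.date().isoformat())
    return dict(profile)

def recurring_contacts(profile, min_days=2):
    """End-points contacted on at least min_days different days."""
    return sorted(ep for ep, e in profile.items() if len(e["days"]) >= min_days)

if __name__ == "__main__":
    prof = metadata_profile(FLOWS, "192.0.2.10")
    for (ip, port), e in sorted(prof.items()):
        print(ip, port, e["flows"], "flows,", e["bytes"], "bytes,",
              "active hours:", sorted(e["hours"]))
    print("recurring:", recurring_contacts(prof))
```
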

To summarize:

Your mobile operator sits on a lot of information about you. Be careful.

Conclusion: Is it game over?

For average Joe / Jolene who use everything "under the sun" without thinking:

Windows / Mac / Android, iPads / iPhone / iCloud, Gmail / Gcal / Gdrive etc, Outlook this and that, Facebook, Twitter, Instagram, adds location data to all images + videos + uploads them to cloud-X to spread the news even more...

Sadly, the present and future do look a bit dark (or very open for the criminals / authorities)... Warning: you are leaking incredible amounts of personal information!

For Zen-mode's customers / privacy conscious people:

Far from it. In fact, having bought your wanted zen-mode package and having taken our cybertraining to your heart, privacy and anonymity are right around the corner...

The future is bright, the future is open. And above all: the future is in your own hands.

Find your Zen