Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
Because proof of trust is better than blind faith. The cybersecurity level of any closed source or black box solution cannot be verified, hence their "cybersecurity level" is purely a vision / illusion created by the companies marketing department. Be careful.
Mothership(s) included. Third party server / backend solutions which are not under your control and physically located in a unknown place & country. Massive information leakage + Unknown usage of your data. Perfect for state and/or privately funded IT criminals.
CyberSecurity? Anonymity? Privacy? You. Your family. Your customers. Your clients. Blind trust required. These sorts of solutions costs a lot of money yet cannot ever form a truly trustworthy platform since they cannot be verified. So what have you really gained?
Imagine buying an apartment that has extra doors in each room which you are unable to open. Yet unknown persons travel through them all the time. Why worry?
For our solutions to the problem, visit our Solutions page.
For more IT security and privacy related links, visit our Links page.
B2B: business to business
E2E encryption: End-to-end encryption
GSM: Global System for Mobile Communications
Haas: Hardware As A Service
Hardening computing: Making devices more safe & locked down
ICT: Information and Communications Technology
IDS: Intrusion detection system
IPS: Intrusion prevension system
MMS: Multimedia Messaging Service
PGP: Pretty Good Privacy
RTC: Real-Time Communication (multimedia and audio via VoIP)
Saas: Software As A Service
SMS: Short Message Service
VoIP: Voice Over IP
VPN: Virtual Private network
What do you think Mr Snowden is refering to by "endpoint security" and "terrifically weak" in the quote above? He is of course talking about most modern mobiles, laptops and personal computers (closed source & closed box unverifiable technology) .
These devices are only as "secure" as the producers of the devices say that they are (NOTE: Words are good, but words + proof would be even better):
How much do you think encryption can help if your adversaries can see / hear what you can after decrypting a message / voice call? Answer: no encryption in the whole world can help you if your platform is owned.
The highlevel solution to that problem is simple: make sure that you
... And you should be on the right track.
Unless your secure solution consists of a...
odds are that you are building crypto sandcastles on a beutiful beach....
Secure software-X + iPhone / Android / Microsoft Phone (which are doing XYZ behind your back) == Still not safe, too many unknowns!
We can also use your wanted cloud or VM solution for our server-parts but it is strongly recommended that you phycisally own that system!
Rationale: Third party hardware solutions - Major security risk!
AWS / Azure / Google Cloud etc are amazing solutions which make it possible to quickly deploy massive virtual IT infrastructures for a small:ish price. Note however that what you gain in initial price & setup time - you loose in privacy. And the long time price for using a big AWS system might end up being bigger than running your own cloud / systems from the start. YMMV.
Think: Where are your hosts physically stored? In what country? Under what ICT laws? who has access to your systems? Can you ever migrate somewhere else or is this a vendor lock-ins?
The problem is of course a lot bigger than just endpoint devices. The number of endpoint devices is breath takingly huge and they vary a lot both in software and hardware. This quickly makes the surveillance / hacking very expensive and difficult to maintain.
Go for the central parts of the system, then zoom in on the devices that are of interested...
This pretty much summarized what has been going on since at least 2007.
For a quick brush-up on the subject, have a look at The Guardians old (2013) yet excellent article about the subject:
NSA Prism program taps in to user data of Apple, Google and others
- Top-secret Prism program claims direct access to servers of firms including Google, Apple and Facebook
- Companies deny any knowledge of program in operation since 2007
Hint: To see how deep the rabbit holes really goes, visit our Links page.
So who and what can truly be trusted? The sad answer is very few things. There are at least two things that we can put our trust in, they are:
Mathematics / Encryption and
The rationale for why mathematics, or more precisely encryption is mentioned is easy to understand:
To better understand why open source is mentioned as the other trustworthy thing (Verifiable solutions) we just need to compare it to it's counter part: closed source development (Unverifiable solutions).
Let's say that both of these developments models have produced a secure solution-X. And let's say that based on thoruough and extensive testing both of them seem to work as they should. So the questions is, in what way are these solutions different?
Mathematics + open source
Following the logic mentioned above we can conclude that: We can mathematically prove that a encryption or cipher algorithm does what it is supposed to do. When we combine that with the full source code of a given program (from start to finish) we get the complete package. In other words: We are able to prove that there are no backdoors or dark corners in a open source solution.
Mathematics + closed source / black box solutions
A closed source or closed box solution that may seem to be working correctly, can in reality contain anything. Even if you would be allowed to audit the whole solution for a given release, the next release / update or that tool might (re-)introduce a new/old backdoor... You can never know.
Do you value your companies reputation? Do you value your customers and the data that you store about them? What happens if the media learns of a possible information leak / system hack on your side?
As of september 2017 just on the Windows EternalBlue-related case: Maers est. €300m + multiple weeks of downtime, TNT express: data loss + over one month of downtime, NHS hospital off-line for multiple weeks (they where even unable to operate on patients that req. equipment which uses Windows), major Banks & Oil companies off-line for days / weeks. Companies where back to using faxes, pen and paper.
Few companies want to admit that they have been hacked. Even fewer want to provide economical damage numbers. Experiencing a major cybersecurity breach can be a "we just went out of businesss" kind of problem for many companies... And yet, so many companies are placing all of their cybersecurity faith on empty promises. That's bold, but asking for trouble...
To properly understand the problem area, we need to take a couple of steps back and objectively analyze what we are facing. Since at first glance, you may not realized how deep the rabbit holes goes... Let's start from the bottom and go up from there. First things first. Let's talk a bit about ownership. That is, who is the true master of a given system and why.
We will be focusing on a modern mobile phone example but the same:ish rules apply for most modern mobile device (pads, laptops etc).
SOFTWARE: The one who manages the software, owns the whole platform.
That's most likely not you, you mainly use it. Unless you are a developer, the real software manager is the phones OS + it's app store:
iOS / Apple Store, Android HW producer / Google play, Microsoft / Microsoft App Store, Blackberry OS / Blackberry Apps etc...
Think: They decide what is installed, how and from where. You just ask it to install/remove "something like that". So the true control is not in your hands even on this level. But more importantly...
HARDWARE: The one who owns the hardware, owns the whole machine.
Not you either, you may have paid for the mobile but it's a black box that you can't change... You don't even know what it's doing right now. The real HW owners are:
Apple, Android phone manufactures, Microsoft, Blackberry etc...
Think: If somebody has physical access to your hardware (or multiple processors in your mobiles SoC that you don't have access to), they can see & hear anything you can. No encryption in the whole world can save you if your hardware is "owned".
The same is true for any virtual machine (VM) or cloud technology as well. It can never be secure unless you (A) own the hardware AND (B) keep the HW in a secure place where (C) nobody BUT "you" have physical access to it.
Make no mistake: The owner of the VM hosting hardware and/or VM host application has complete control over your VM client (memory, cpu etc). same is true for any virtual machine (VM) as well. It can never be secure.
You are merely a user of you modern and fancy mobile. For most users on most systems: The real control is somewhere else.
American companies mobile phone dominance + Patriot Act + closed source + only few big players
Think: iCloud, Facebook, Twitter, Skype, Instagram, Amazon Virtual machines, Amazon cloud, Gmail, Gdrive, Google calendar, Outlook, Windows365, Microsoft Cloud/Azure, and so on...
Privacy on most modern mobiles is an illusion.
Since all of these big and amazing companies are from the US, they are naturally bound by American law. This gives NSA and it's associates a pretty scary opportunity: they can spy on the whole world... Completely "legally" of course™
It's also quite scary how few players are left on the mobile market these days. If you look at that from a diversity angle, creating a effective virus / malware or just finding a major bug / backdoor in one of these platform, can easily put hundreds of millions of users in harms way... [ 1 ]
Bugs will always happen, that's just a hard fact of life. But when the stakes are this high (a country may get easy accessing to machines around the whole globe) one can not rule out that closed source technology make it possible to have as many kinder-eggs / backdoors as you wish... without anybody knowing anything.
Goverments around the world (most specifically USA) are currently trying their best to create just that, "forced" backdoors in the biggest products. Or as they more nicely called it "secure golden key" model (Meaning, a backdoor which opens all doors in a selected product if a user has the "special encryption key"). Picture what happends when a single one of these "golden keys" leaks out in to the wild for any big product chain (Think: Apple / Google / Cisco etc)... [ 1, 2 , 3, 4 ]
Mobile Network Operators: Security holes / Bugs / Law officers + Non end-to-end encryption
Your operator is actively storing and view what you are doing all of the time. Be aware that they can connect everything back to you. If the right people with the right papers come knocking on their door, that data is their for the taking. Or even worse, somebody has illegally sneaked their way into the GSM operator systems... Be very careful how you use your mobile. [ 1, 2 ]
Your mobile operator sits on a lot of information about you. Be careful.
For average Joe / Jolene who use everything "under the sun" without thinking:
Windows / Mac / Android, iPads / iPhone / iCloud, Gmail / Gcal / Gdrive etc, Outlook this and that, Facebook, Twitter, Instagram, adds location data to all images + videos + uploads them to cloud-X to spread the news even more...
Sadly, the present and future does look a bit dark (or very open for the criminals / authorities)... Warning: you are leaking incredible amounts of personal information!
For Zen-mode's customers / privacy conscious people:
Far from it. In fact, having bought your wanted zen-mode package and having taken our cybertraining to your heart, privacy and anonymity is right around the corner...
The future is bright, the future is open. And above all: the future is in your own hands.
For a quick intro what Zen-mode is all about visit our our Home page.
To watch our solutions come alive, checkout our Products page.
For our price list or to get more information, visit our Contact page and let's talk some more.