Intro: Open source + End-To-End Encryption + hardened devices + different hardware vendors
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
THE PROBLEM: OLD-SCHOOL IT SECURITY
Unverifiable solutions
Strings attached / Mothership
= Imaginary security
Because proof of trust is better than blind faith. The cybersecurity level of any closed source or black box solution cannot be verified, hence their "cybersecurity level" is purely a vision / illusion created by the companies marketing department. Be careful.
Yahoo leak (+1bn), Equifax leak (+143m), Android Judy malware (+36m), Unicredit leak (+400k)...
Mothership(s) included. Third party server / backend solutions which are not under your control and physically located in a unknown place & country. Massive information leakage + Unknown usage of your data. Perfect for state and/or privately funded IT criminals.
NSA. GCHQ. Patriot Act. Snowden. Wikileaks, Intel's AMT remote control issue, NSA's "EternalBlue" backdoor...
CyberSecurity? Anonymity? Privacy? You. Your family. Your customers. Your clients. Blind trust required. These sorts of solutions costs a lot of money yet cannot ever form a truly trustworthy platform since they cannot be verified. So what have you really gained?
Imagine buying an apartment that has extra doors in each room which you are unable to open. Yet unknown persons travel through them all the time. Why worry?
Table of Contents
For our solutions to the problem, visit our Solutions page.
For more IT security and privacy related links, visit our Links page.
B2B: business to business
E2E encryption: End-to-end encryption
GSM: Global System for Mobile Communications
Haas: Hardware As A Service
Hardening computing: Making devices more safe & locked down
HW: Hardware
ICT: Information and Communications Technology
IDS: Intrusion detection system
IPS: Intrusion prevension system
MMS: Multimedia Messaging Service
PGP: Pretty Good Privacy
RTC: Real-Time Communication (multimedia and audio via VoIP)
Saas: Software As A Service
SMS: Short Message Service
SW: Software
VoIP: Voice Over IP
VPN: Virtual Private network
- Endpoint security
- Third party central server security
- Some words on trust
- Cybersecurity Breaches
- The problem, Part II (The long version)
- Next steps
The Problem - Part II: The longer and more in depths version
ENDPOINT SECURITY 
What do you think Mr Snowden is refering to by "endpoint security" and "terrifically weak" in the quote above? He is of course talking about most modern mobiles, laptops and personal computers (closed source & closed box unverifiable technology) .
These devices are only as "secure" as the producers of the devices say that they are (NOTE: Words are good, but words + proof would be even better):
- A single program which is installed by default on these devices can make all other endpoint security worthless (easy way in / known bug / backdoor) [ 1, 2 ... ].
- What if your CPU's or it's random generator, Wifi, modem etc is buggy/backdoored? That's on a level below what any OS has access to / can see. Meaning all actions done here will go unnoticed. In short: The ultimate backdoor [ 1, 2 ... ]
How much do you think encryption can help if your adversaries can see / hear what you can after decrypting a message / voice call? Answer: no encryption in the whole world can help you if your platform is owned.
The highlevel solution to that problem is simple: make sure that you
- Own the HW +
- Keep it at a safe place-X / safe hands +
- Use open & verifiable solutions +
- Use secure passphrases and basic OPSEC +
- Keep an open eye on / monitor your devices
... And you should be on the right track.
WARNING: crypto sandcastles
Unless your secure solution consists of a...
odds are that you are building crypto sandcastles on a beutiful beach....
Rationale:
Secure software-X + iPhone / Android / Microsoft Phone (which are doing XYZ behind your back) == Still not safe, too many unknowns!
- The one who owns the HW, owns the whole machine (cloud / VM / container)
- Direct HW access, RAM & HDD/SDD (untraceable monitoring)
- You are leasing your apartment and your land-lord has the keys to all of your doors (TM)
WARNING: THIRD PARTY CLOUD / VM SOLUTIONS = PRIVACY ISSUES
We can also use your wanted cloud or VM solution for our server-parts but it is strongly recommended that you phycisally own that system!
Rationale: Third party hardware solutions - Major security risk!
Amazing scalable technology that comes with a catch...
AWS / Azure / Google Cloud etc are amazing solutions which make it possible to quickly deploy massive virtual IT infrastructures for a small:ish price. Note however that what you gain in initial price & setup time - you loose in privacy. And the long time price for using a big AWS system might end up being bigger than running your own cloud / systems from the start. YMMV.
Think: Where are your hosts physically stored? In what country? Under what ICT laws? who has access to your systems? Can you ever migrate somewhere else or is this a vendor lock-ins?
THIRD PARTY CENTRAL SERVER SECURITY
The problem is of course a lot bigger than just endpoint devices. The number of endpoint devices is breath takingly huge and they vary a lot both in software and hardware. This quickly makes the surveillance / hacking very expensive and difficult to maintain.
The solution is simple, effective & beutiful:
Go for the central parts of the system, then zoom in on the devices that are of interested...
This pretty much summarized what has been going on since at least 2007.
For a quick brush-up on the subject, have a look at The Guardians old (2013) yet excellent article about the subject:
NSA Prism program taps in to user data of Apple, Google and others
- Top-secret Prism program claims direct access to servers of firms including Google, Apple and Facebook
- Companies deny any knowledge of program in operation since 2007
To summarize:
- There's no such thing as a free lunch.
- If something is free, then you are the product.
- Actually, even if you pay for something, then you are still the product (err.. Customer ;-)
Hint: To see how deep the rabbit holes really goes, visit our Links page.
SOME WORDS ON TRUST
So who and what can truly be trusted? The sad answer is very few things. There are at least two things that we can put our trust in, they are:
Mathematics / Encryption and
Open source.
The rationale for why mathematics, or more precisely encryption is mentioned is easy to understand:
- It's a universal language which can independently be verified by anybody who understand the subject.
- Encryption or ciphers algorithms can independently be verified to produce random output by analysing their logic and testing the algorithm in action...
To better understand why open source is mentioned as the other trustworthy thing (Verifiable solutions) we just need to compare it to it's counter part: closed source development (Unverifiable solutions).
Open source vs. Closed source development
Let's say that both of these developments models have produced a secure solution-X. And let's say that based on thoruough and extensive testing both of them seem to work as they should. So the questions is, in what way are these solutions different?
Mathematics + open source
Following the logic mentioned above we can conclude that: We can mathematically prove that a encryption or cipher algorithm does what it is supposed to do. When we combine that with the full source code of a given program (from start to finish) we get the complete package. In other words: We are able to prove that there are no backdoors or dark corners in a open source solution.
- Everything can idempotently be verified by separate entities. Everything is auditable and repeatable.
- Hence, the complete solution can independently be verified to be correctly implemented & secure.
Mathematics + closed source / black box solutions
A closed source or closed box solution that may seem to be working correctly, can in reality contain anything. Even if you would be allowed to audit the whole solution for a given release, the next release / update or that tool might (re-)introduce a new/old backdoor... You can never know.
- If blind faith is what your looking for, then look no further...
- Hence, the whole solution cannot be verified, since we are not allowed to see the complete implementation.
CYBERSECURITY BREACHES
Loosing data + Loosing face + Economical Damages
Do you value your companies reputation? Do you value your customers and the data that you store about them? What happens if the media learns of a possible information leak / system hack on your side?
As of september 2017 just on the Windows EternalBlue-related case: Maers est. €300m + multiple weeks of downtime, TNT express: data loss + over one month of downtime, NHS hospital off-line for multiple weeks (they where even unable to operate on patients that req. equipment which uses Windows), major Banks & Oil companies off-line for days / weeks. Companies where back to using faxes, pen and paper.
Few companies want to admit that they have been hacked. Even fewer want to provide economical damage numbers. Experiencing a major cybersecurity breach can be a "we just went out of businesss" kind of problem for many companies... And yet, so many companies are placing all of their cybersecurity faith on empty promises. That's bold, but asking for trouble...
BACKGROUND - PART II
THE PROBLEM - THE LONG VERSION
To properly understand the problem area, we need to take a couple of steps back and objectively analyze what we are facing. Since at first glance, you may not realized how deep the rabbit holes goes... Let's start from the bottom and go up from there. First things first. Let's talk a bit about ownership. That is, who is the true master of a given system and why.
Modern mobile phone example
We will be focusing on a modern mobile phone example but the same:ish rules apply for most modern mobile device (pads, laptops etc).
The two rules of software & hardware ownership
SOFTWARE: The one who manages the software, owns the whole platform.
That's most likely not you, you mainly use it. Unless you are a developer, the real software manager is the phones OS + it's app store:
iOS / Apple Store, Android HW producer / Google play, Microsoft / Microsoft App Store, Blackberry OS / Blackberry Apps etc...
Think: They decide what is installed, how and from where. You just ask it to install/remove "something like that". So the true control is not in your hands even on this level. But more importantly...
HARDWARE: The one who owns the hardware, owns the whole machine.
Not you either, you may have paid for the mobile but it's a black box that you can't change... You don't even know what it's doing right now. The real HW owners are:
Apple, Android phone manufactures, Microsoft, Blackberry etc...
Think: If somebody has physical access to your hardware (or multiple processors in your mobiles SoC that you don't have access to), they can see & hear anything you can. No encryption in the whole world can save you if your hardware is "owned".
The same is true for any virtual machine (VM) or cloud technology as well. It can never be secure unless you (A) own the hardware AND (B) keep the HW in a secure place where (C) nobody BUT "you" have physical access to it.
Make no mistake: The owner of the VM hosting hardware and/or VM host application has complete control over your VM client (memory, cpu etc). same is true for any virtual machine (VM) as well. It can never be secure.
To summarize:
You are merely a user of you modern and fancy mobile. For most users on most systems: The real control is somewhere else.
Defining the current situation + main problems
PROBLEM I
American companies mobile phone dominance + Patriot Act + closed source + only few big players
- All American companies are bound by the Patriot Act and/or similar kind of pervasive laws.
- NSA (and it's collaborator) can get access to any data which was generated by you, as long as the mother company of the product that you are using is from the states.
- It does not even matter if your data "physically stored" in another country. The data is theirs for the taking. [ 1 ]
- And if the data happens to be encrypted, the authorities will just try a little bit harder... [ 1, 2, 3, 4 ]
- The worlds most bought mobile phones run OS' which are produced by American companies. [ 1 ]
- Android, iOS, Windows Phone...
- The biggest CPU and System On a Chip (SoC) producing companies are American or British
- ARM, Intel, Qualcomm, Texas Instruments, (Even Samsung (South Korean comp.) uses Qualcomm in some of their SoC's)
- What if your CPU would have remote execution holes in it? Your adversaries could be using your systems right now without you even noticing anything (Think: the bugs/backdoors are below OS level, hence out of our reach).
- What is your CPU's random generator is buggy/backdoored?That would mean that any secure solutions would "stop working" once a secret string is sent to your device. Combine this with the bullet above...
- All of the above companies use closed source + patented "black-boxed" technology.
Think: iCloud, Facebook, Twitter, Skype, Instagram, Amazon Virtual machines, Amazon cloud, Gmail, Gdrive, Google calendar, Outlook, Windows365, Microsoft Cloud/Azure, and so on...
To summarize:
Privacy on most modern mobiles is an illusion.
Since all of these big and amazing companies are from the US, they are naturally bound by American law. This gives NSA and it's associates a pretty scary opportunity: they can spy on the whole world... Completely "legally" of course™
It's also quite scary how few players are left on the mobile market these days. If you look at that from a diversity angle, creating a effective virus / malware or just finding a major bug / backdoor in one of these platform, can easily put hundreds of millions of users in harms way... [ 1 ]
Bugs will always happen, that's just a hard fact of life. But when the stakes are this high (a country may get easy accessing to machines around the whole globe) one can not rule out that closed source technology make it possible to have as many kinder-eggs / backdoors as you wish... without anybody knowing anything.
Goverments around the world (most specifically USA) are currently trying their best to create just that, "forced" backdoors in the biggest products. Or as they more nicely called it "secure golden key" model (Meaning, a backdoor which opens all doors in a selected product if a user has the "special encryption key"). Picture what happends when a single one of these "golden keys" leaks out in to the wild for any big product chain (Think: Apple / Google / Cisco etc)... [ 1, 2 , 3, 4 ]
PROBLEM II
Mobile Network Operators: Security holes / Bugs / Law officers + Non end-to-end encryption
The good news:
- The data which is traveling in the air between your mobile and your mobile operator is encrypted (half of the encryption key is in your SIM card, the other half is in the possession of your mobile operator). For average Joe / Jolene this can still be considered quite safe. NOTE however that even this technology has been cracked / can be side stepped. [ 1, 2 ]
The bad news:
- Once your data is traveling inside the safety of the "operators walls", it's all readable data again (No SIM card encryption anymore).
- Meaning, anybody with the right access-rights to your operators "Internal Network Systems" can now view all your network traffic in "clear-text" (Unless it was e2e encrypted before they got the data).
Your GSM operators has full access to:
- your voice calls (received / called numbers + timestamps as well as live listening abilities).
- your sent / received SMS/MMS...
- your current & previous IP's (that your operator has given to you)
- your current location (GSM Localization) [ 1 ].
- They can even look up your past location as far as their logs go back...
- Your GSM operator is also required by law to store much of this information for a selected time... [ 1, 2 ] And last but not least...
- Your operator has full access to all of your non-encrypted IP traffic that passes through their system
- The web-pages that you visit, the files / torrents that you download, all e-mails, messages from tool X, images, ftp, usernames, passwords etc... everything which is not encrypted can be monitored and stored.
- Even your encrypted data can provide usefule metadata to the operator. They may not see what you are "really up to" (since your IP packets data-part is encrypted) but they do see the IP end-points (your IP + remote IP) + packet time stamps and more... Even this data can be used against you.
Your operator is actively storing and view what you are doing all of the time. Be aware that they can connect everything back to you. If the right people with the right papers come knocking on their door, that data is their for the taking. Or even worse, somebody has illegally sneaked their way into the GSM operator systems... Be very careful how you use your mobile. [ 1, 2 ]
To summarize:
Your mobile operator sits on a lot of information about you. Be careful.
Conclusion: Is it game over?
For average Joe / Jolene who use everything "under the sun" without thinking:
Windows / Mac / Android, iPads / iPhone / iCloud, Gmail / Gcal / Gdrive etc, Outlook this and that, Facebook, Twitter, Instagram, adds location data to all images + videos + uploads them to cloud-X to spread the news even more...
Sadly, the present and future does look a bit dark (or very open for the criminals / authorities)... Warning: you are leaking incredible amounts of personal information!
For Zen-mode's customers / privacy conscious people:
Far from it. In fact, having bought your wanted zen-mode package and having taken our cybertraining to your heart, privacy and anonymity is right around the corner...
The future is bright, the future is open. And above all: the future is in your own hands.
NEXT STEPS
Want to get off the grid? Give us a call or use our Secure Web Contact and we will call you back.
For a quick intro what Zen-mode is all about visit our our Home page.
To watch our solutions come alive, checkout our Products page.
For our price list or to get more information, visit our Contact page and let's talk some more.
