Solutions - Zen-mode Solutions - Devices you can trust
SOLUTIONS
Introduction
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
Table of Contents

B2B: business to business

E2E encryption: End-to-end encryption

GSM: Global System for Mobile Communications

HaaS: Hardware As A Service

Hardening computing: Making devices more safe & locked down

HW: Hardware

ICT: Information and Communications Technology

IDS: Intrusion detection system

IPS: Intrusion prevention system

MMS: Multimedia Messaging Service

PGP: Pretty Good Privacy

RTC: Real-Time Communication (multimedia and audio via VoIP)

SaaS: Software As A Service

SMS: Short Message Service

SW: Software

VoIP: Voice Over IP

VPN: Virtual Private Network

  1. The problem - Old-school IT security
  2. The solution - Verifiable cybersecurity
  3. High-level description
  4. Verifiably secure standards
  5. Detailed description
  6. Secure RTC overview
  7. Secure Infrastructure overview
  8. Useful ISO/IEC information security links
  9. Useful cybersecurity & monitoring tools
  10. Useful links on IT privacy
  11. Next steps

1. THE PROBLEM: OLD-SCHOOL IT SECURITY  

Unverifiable solutions

Strings attached / Mothership

= Imaginary security

Because proof of trust is better than
The cybersecurity level of any closed source or black box solution cannot be verified, hence their "cybersecurity level" is purely created by the company's marketing department. Be careful.


Mothership(s) included. Third party server / backend solutions which are not under your control and are physically located in an unknown place & country. Massive information leakage + unknown usage of your data. Perfect for state and/or privately funded IT criminals.


CyberSecurity? Anonymity? Privacy? You. Your family. Your customers. Your clients. Blind trust required. These sorts of solutions cost a lot of money yet cannot ever form a truly trustworthy platform since they cannot be verified. So what have you really gained?

Imagine buying an apartment that has extra doors in each room which you are unable to open. Yet unknown persons travel through them all the time. Why worry?

A fresh approach is needed to properly fix the problem

Most of our target customers are addressing their cybersecurity problems via:
  1. Choosing a non-verifiable & closed source platform-X (Windows / Apple / Android etc.)
  2. Adding more security layers + non-verifiable & closed source applications on top of (1)
  3. Paying licence fees to both (1) and (2). The bigger the company, the bigger the licence fees usually are.
  4. (Blindly) placing their cybersecurity trust in big companies with big promises (as opposed to being able to verify the security of the whole chain by themselves).
  5. Tying themselves to the provider's backend solutions (as opposed to owning & hosting the whole solution by themselves), and thus automatically leaking company internal information as well. Think: username & password data, login/logout times, call/message metadata, whom you called/messaged, from where and when. Possibly even the raw data. You can never know.

This is pretty much the standard way big companies go about solving their cybersecurity needs in today's world. In short: You pay a lot of money to get a system that is not yours to begin with. You are not able to verify the marketing department's big cybersecurity promises + the server part is missing from your corner.

The attack vector that these solutions contain and the unverifiable security promises that these tools make cannot form a verifiably trustworthy platform. This is clear from both a philosophical standpoint and from looking at the never ending stream of breach/bug reports coming in on a daily basis.

Let reality speak for itself (visit the external links...)

2. THE SOLUTION  

Verifiable Solutions

No strings attached

= True security

All Zen-mode solutions can be verified by a third party, even by you yourself (thanks to our all open source approach).

Our standalone solutions can be hosted at the customer's site(s) or at our secure sites. The customer decides.

Trust your devices and work Anonymously & Securely from anywhere. We can prove it. Anytime. Anywhere.

3. HIGH-LEVEL DESCRIPTION  

The best design is the simplest one that works.
— Albert Einstein (1879-1955)

Putting You In Charge

By placing all Software & Hardware under customer control: The customer holds all the keys.

No mothership and no strings attached. All our solutions are verifiably secure and self-hosting. Your end-devices are only talking back to your / our secure servers using multiple layers of encryption.

Secure solutions accompanied by our OPSEC training = Intelligently behaving IT users using secure tools = Verifiable privacy.


Verifiable Open Source Solutions

What you see is what you get. Anybody can verify that we have no backdoors and that our secure solutions are correctly implemented.

All our code is available and recompilable to form the same end product, bit by bit. All packages are gpg signed and hashed. Any unwanted changes will not go unnoticed.


No Easy Way In

Removing attack vectors. No black boxes or leaky & unverifiable solutions. No Microsoft / Apple / Google / XYZ proprietary products and none of their App stores or update services.

No unknown third-party cloud / hardware provider with direct hardware & software access (possibly even clear-text access)...

No commercials and no meta-data slurping. Hence, disabling all easy ways in + most exploits. Your data is safe by default.


Hardened Solutions + CyberSec Consultation

Via hardened and verifiable open source solutions shipped & maintained by open source specialists.

Since we are not using any closed source solutions (only verified open source solutions coming from us), the normal bugs / exploits (for Windows / Mac / Android etc.) won't work on our systems, thus disabling most exploits right off the bat. To further minimize the exploit vectors we harden the OS and use strict Intrusion Detection and Prevention Systems (IDS + IPS) accompanied by Tripwire rules + active monitoring.


Encrypt Everything

All of our solutions use the best available end-to-end + filesystem encryption + a tailored stealthy communication suite.

Thus preventing any man in the middle / eavesdroppers from listening or getting access to your private communication / data at rest.

In other words, it does not even matter how you got connected: Work securely through any network on the planet
(LAN, LTE, 3G, 4G, WIFI etc).


Secure Site & Infrastructure

Via using your existing infrastructure or hosting your server(s) at our secure site(s).

If you choose to place your server(s) at our site(s), then you are also protected by the Finnish ICT laws.

Sane ICT laws + our secure site(s) + encrypted filesystems = your servers cannot disappear from under your feet + your data is safe. For more information see our Secure Infrastructure overview.


Zen-mode VPN
Secure Network Presence

Via encrypting & anonymizing your network activity using Zen-mode's VPN.

Hide your real IP and network actions via using Zen-mode's fast & secure VPN. Your ISP / adversaries can only see that you have a secure connection to our VPN, after that your trail goes cold...

We got your back.


Zen-mode VPN + Tor
Mui Anonymous Network Presence

  1. Via Tor you can also hide the fact that you are using Zen-mode's VPN. And on top of that...
  2. Via using our VPN as your Tor entry node you are also disabling the Tor nodes from ever giving away your real IP (Your IP trail starts & ends at our VPN).

We got your back.


Simple & Nice GUIs

Q/A: So are these secure systems hard to use? No

Our tools are as easy to use as any Android or Windows device. Normal GUIs with normal work flow. Minimal learning curve required.

However, to stay secure you might need to update your way of working. Meaning basic Operations security (included in our Cybersec training programs).

4. VERIFIABLY SECURE STANDARDS  


X.509 Certificate

X.509 is a cryptography standard for a Public Key Infrastructure (PKI) to manage digital certificates and public-key encryption. It is a key part of the Transport Layer Security protocol used to secure web and email communication, but it is also used in offline applications (electronic signatures etc).

The X.509 public-key certificate contains information like: the domain(s) which it is certifying (which must match where it is being used), the validity period of the public key, the issuer and the organization / individual it was generated for etc.

For more info see the X.509 Certificate Wiki page.


TLS/SSL protocols

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide communications security over a computer network (commonly referred to as "SSL").

SSL is the de facto standard for web related security.
It is used by a wide range of applications such as web browsers (securing your bank access via https etc), e-mails (encrypting your user & password data while sending & receiving your mail), instant messaging, and voice-over-IP (VoIP) etc.

For more info see the TLS/SSL protocols Wiki page.


RSA

RSA is one of the oldest and most well tested public-key cryptosystems still in use today (published in 1977).

A public-key cryptosystem is built up from two halves:
(A) a public key and (B) a secret key (both containing a large prime number). To successfully decrypt / encrypt data one must have access to both of these halves (which together form the key).

RSA was created by Ron (R)ivest, Adi (S)hamir, and Leonard (A)dleman.

For more info see the RSA Wiki page.


AES

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

AES is a subset of the Rijndael cipher which can use different key and block sizes. NIST selected three key lengths: 128, 192 and 256 bits, each with a block size of 128 bits.

The Rijndael cipher was developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen.

For more info see the AES Wiki page.


PGP

Pretty Good Privacy (PGP) is an encryption solution that provides (A) cryptographic privacy and (B) authentication for data communication. PGP is the de facto standard for signing, encrypting, and decrypting e-mails and other data.

For PGP to be really useful one needs to have some form of a Public Key Infrastructure in place (to receive, send and verify your recipients' public key(s)) + a secure host to store your secret key(s) on.

PGP was created by Phil Zimmermann in 1991.

For more info see the PGP Wiki page.


ZRTP

ZRTP (Zimmermann Real-time Transport Protocol) is a cryptographic key-agreement protocol used to (a) negotiate the encryption keys between two end points and (b) check for possible man-in-the-middle attacks in Voice over Internet Protocol (VoIP) applications.

ZRTP was developed by Phil Zimmermann, with help from Bryce Wilcox-O'Hearn, Colin Plumb, Jon Callas and Alan Johnston (published 2006).

For more info see the ZRTP Wiki page.

5. DETAILED DESCRIPTION  

    Open source
    End-to-end encryption
    • By using verified & high-end e2e ciphers for our voice, e-mail and message apps, we prevent any man in the middle or eavesdropper from listening in on your conversations / private messaging.
    • VPN (Hiding your true IP behind us + Encrypting all network traffic between you and the VPN server)
    • TLS/SSL (2048/4096-bit, X.509 Certificate)
    • PKI
    • ZRTP
    • AES (128/256-bit)
    • Twofish
    • Threefish
    • PGP (4096-bit,RSA-RSA) etc.
    Different hardware vendors
    • Making it as hard as possible to fall victim to bad / backdoored hardware.
    • Rationale: backdooring some major vendor's HW may be possible but backdooring all HW vendors is a lot harder...
    • In short: Minimize the "all eggs in one basket" flawed hardware scenario of an easy way in...
    • Via encrypting your HW's root filesystem we protect all of your data from falling into unwanted hands.
    • Unless the user provides the correct root filesystem password upon boot, nothing will start. Your data is safe.
    • Unless the user provides the correct unlock password for a powered device, nothing will happen. Your data is safe.
    • Solution is 100% in the customer's hands.
    • The only servers that our tools are talking back to are your own servers (mail, calendar, RTC etc.)
    • All mobile devices are in your hands.
    • All required servers are kept at your / our site (real HW or cloud). You choose.
      • Own: mail, calendar, RTC and package servers etc which are only accessed via encrypted channels
      • This also means "old school" stealth. No more easy data leakage (or even metadata leakage). Your company's internal data stays internal, since you are no longer using another company's cloud / infrastructure for your company's internal affairs.
    • And by avoiding third party / commercial "central server solutions" like Facebook, Skype, Gmail, Yahoo mail, Outlook etc. your private data is no longer passing through known entry points in clear-text...
    • This trivially minimizes the "let's just tap-in" surveillance / data leakage scenario on your part.
    • Which makes the devices non-standard, hence default exploits + "easy ways in" won't work.
    • Strict IDS, IPS and tripwire rules.
    • Possible breaches will not go unnoticed + will be traced and reported to the corresponding authorities.
    • All apps & packages are generated in air-gapped + clean-room (No network connections)
    • All apps & packages are shipped from read only media
    • Tamper safe: All software packages have a:
      1. sha256 checksum file: a single bit change in a file will be noticed
      2. .gpg signature file: which can only be generated by Zen-mode staff
      3. idempotent builds: All packages can idempotently be recompiled.
        Bit by bit, even by you yourself (recompilable with same end-result). The sha256 checksum of your "home made Tool-X" using our build chain should be identical to ours.
    • Thus making it as hard as possible for non-wanted changes to be included in our SW development chain (backdoor / viruses etc).
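
The three checks in the list above (and the "gpg signed and hashed ... bit by bit" claim in the high-level description), as an added shell example that is not Zen-mode's own tooling. The file names `<package>.sha256` and `<package>.gpg`, a detached signature over the package, and a keyring file holding only the vendor's public key are assumptions.

```shell
#!/bin/sh
# Added example, not Zen-mode tooling. Assumed layout: <pkg>, <pkg>.sha256, <pkg>.gpg

# 1. Integrity: recompute SHA-256 and compare with the published checksum file
#    (assumed format: "<hex digest>  <file name>", as written by sha256sum).
check_sha256() (                 # check_sha256 <package> <checksum-file>
    want=$(awk 'NR==1 {print tolower($1)}' "$2" 2>/dev/null) || exit 2
    # Fail closed (status 2) on an empty or malformed checksum file.
    printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{64}$' || exit 2
    got=$(sha256sum "$1" | awk '{print $1}')
    [ "$got" = "$want" ]
)

# 2. Authenticity: verify the detached signature against a pinned keyring only,
#    so keys that merely sit in the user's default keyring are not trusted.
#    Pass the keyring as an absolute path.
check_signature() {              # check_signature <keyring> <signature> <package>
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# 3. Reproducibility: a local rebuild must hash to the same value as the vendor build.
check_rebuild() (                # check_rebuild <vendor-package> <local-rebuild>
    a=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    b=$(sha256sum "$2" 2>/dev/null | awk '{print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
)

# Signature first: a checksum fetched from the same place as the package only
# detects corruption, not substitution of both files.
verify_package() {               # verify_package <package> <keyring> [local-rebuild]
    check_signature "$2" "$1.gpg" "$1" || { echo "BAD_SIGNATURE"; return 1; }
    check_sha256 "$1" "$1.sha256"      || { echo "BAD_CHECKSUM"; return 1; }
    if [ -n "${3:-}" ]; then
        check_rebuild "$1" "$3"        || { echo "NOT_REPRODUCIBLE"; return 1; }
    fi
    echo "OK"
}

# Constructed demo data: a fake package, its checksum file and a "rebuild".
demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    printf 'constructed package contents\n' > tool-x.pkg
    sha256sum tool-x.pkg > tool-x.pkg.sha256
    cp tool-x.pkg rebuilt.pkg
    check_sha256 tool-x.pkg tool-x.pkg.sha256 && echo "checksum: match"
    check_rebuild tool-x.pkg rebuilt.pkg && echo "rebuild: identical"
    printf 'X' >> tool-x.pkg     # simulate tampering after publication
    check_sha256 tool-x.pkg tool-x.pkg.sha256 || echo "checksum: MISMATCH after tamper"
    cd / && rm -rf "$d"
)
demo
```

`verify_package` reports `BAD_SIGNATURE` whenever the signature file, the pinned keyring or `gpgv` itself is missing, so an incomplete download is rejected rather than accepted.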

    Goal: Zero third party leakage via open source and self-reliance

    • Secure and local mail & calendar servers hosted by you or us
    • Your secure network meeting system @ your company which is completely under your control.
      All that you need is an up-to-date browser. No third party central servers are involved.

    Zen-mode's VPN, your company's VPN, Zen-mode's Tor Bridge relay

    We have multiple ways to preserve your IP security & anonymity, all with different good / bad side effects. You can trivially switch between the different network modes depending on your needs.

    A VPN is a great way to help secure your network presence, but is a VPN all that you need to stay secure? No.

    For you to be as safe as possible your whole platform + tool chain should be verifiably safe (think: verified open source solutions). The more closed source or unverifiable tools you have, the more questionable your whole tool chain is. This is why we at Zen-mode only use open source solutions.

    6 alternatives to network Speed, Anonymity and Security:

    Scale:   Worst 0 Medium 2 Best 3

      • Second most anonymous alternative (Our VPN IP will be the "starting point" for the normal Tor system), but most secure one.
      • Even if an external could trace your IP through the Tor network all the way back to your starting point (our VPN), we will not provide any information about who is using our system (multiuser pool host from different companies). We got your back.
      • Second most anonymous alternative (Our Zen-mode Tor Bridge / Node name is included in your Node list), but most secure one (our VPN + our Relay == you're safe).
      • Externals can see network activity coming from Zen-mode's Tor Bridge relay, but the bus stops there.
      • Even if an external could trace your IP all the way back to our Zen-mode Tor Bridge, we will not provide any information about who is using our system (multiuser pool host from different companies). We got your back.
      • Even if an external could trace your IP through the Tor network all the way back to your starting point (our VPN), we will not provide any information about who is using our system (multiuser pool host from different companies). We got your back.
      • Fast & secure + VPN level Anonymity
        • Externals can trace you back to Zen-mode's VPN IP space but no further.
        • We will not provide any information about who is using our system.
      • Our VPN network speed should be as fast as your network speed (odds are that your part of getting to our VPN is the speed bottleneck, since we are directly connected to Finland's core network).
      • We have multiple users from different companies behind same IP so externals can only see network activity coming from Zen-mode's VPN.
      • We can setup a VPN at your own company as well.
      • Externals will see that somebody at your company is producing some network activity.
      • Most likely less anonymous than Zen-mode's VPN since we have a multi-user pool from different companies (higher random user entropy), whereas your company's private VPN only consists of your own workers...
      • Your company VPN network speed is the same as your company's network speed (hence the 2.x).
      • Besides making your network activity more anonymous & safe, the VPN technology also makes it possible for you to access office tools even from home (printers, office only software-XYZ).
      • Good: Most likely the most anonymous alternative.
        • You entered the Tor network from some-IP and....
        • you are bouncing between randomly chosen Tor Nodes...
      • Main weakness: Your real IP will be the starting point for the normal Tor system. Think: Your ISP / Mobile operator's IP range / Coffee house-X
      PROBLEM / WARNING: If your adversaries have access to:
      • Enough of your randomly chosen Tor nodes, they can figure out your current IP
      • Your ISP operator's system / approach them with the right papers, they can trace your IP directly to you (home / current location).
      SOLUTION / FIX:
      • Use Alt. 1-4 == Problem solved. (use our VPN-X solutions)
      • Most likely the fastest network connection but your real IP is visible.
      • No anonymity, you are completely traceable!
      • Direct network access == Your adversaries have you in their sights...
    Finland's non-invasive stateside ICT laws (which help protect both you and us)

6. SECURE REAL-TIME COMMUNICATION OVERVIEW  

7. SECURE INFRASTRUCTURE OVERVIEW 

To summarize: Zen-mode's got your back
It is better to have clear rather than blind faith.
This is why we at Zen-mode Solutions only use open source solutions. And last but not least...
Base our company in a country that has sane ICT laws.

8. USEFUL ISO/IEC INFORMATION SECURITY LINKS  

9. USEFUL CYBERSECURITY & MONITORING TOOLS 

10. USEFUL LINKS ON IT PRIVACY  

11. NEXT STEPS

For more information / price list give us a call or use our Secure Web Contact and we will call you back.

For a quick intro to what Zen-mode is all about, visit our Home page.

To watch our solutions come alive, check out our Products page.

Find your Zen