Friday, 24 November 2017

Internet Security

Jung uses the term synchronicity as a synonym for magick.
A friend recently posted to Facebook a link to an article on the wall of lava lamps responsible for security for an estimated ten percent of the world's internet traffic.


The lava lamps provide entropy, a source of true randomness, vital to encryption at heart of internet security. The lava lamp story is a true story and only about as weird as we have come to expect from reality.

As a software engineer who has spent part of his career developing web applications I have to know the basics of internet security, and actually it is a wondrous thing.

The two most important things to know about internet security, as a software engineer, is first that it's important and second that you don't write your own security code. Or at least you don't write your own versions of the standard algorithms and you definitely don't create your own.

The next most basic thing every developer should know is that you never (ever) store user passwords. Instead you store a salted one-way hash. So every time you hear of a website breach revealing usernames and passwords it's very likely the company behind the website wasn't using even basic  security measures.

The standard security protocols and algorithms (the ciphers) are designed so that even knowing how a message was encrypted it shouldn't be possible (without thousands of years of computing power) to crack the cipher and decrypt the message. This means that the *best* code for providing encryption is open source code where anyone can look at it. You might think that this would make the code less secure as anyone can examine it to find vulnerabilities (ways to break the code), but the principle of "many eyes" means that thousands of people scouring the source code are much more likely to find the problems and fix them.

There is a whole industry of ethical "white hat" hackers, practising responsible disclosure, who try to find ways to break into systems and are determined to keep the internet safe. They stand in opposition to "black hat" hackers, many of whom are government agencies unfortunately as proven by the Snowden leaks, who also try and find security vulnerabilities and weaken us all by keeping them secret in order to use them.

Have you ever wondered about the basics of internet security? The internet is inherently insecure, any information sent across it can be "sniffed" anywhere along the way. If two computers wish to talk to each other securely then the messages between them must be encrypted. But if encryption and decryption requires a key, how can computers give each other keys across an insecure connection?

The answer is beautiful math. Assymetric key encryption allows one machine to give another machine a "public key" that can be used to encrypt messages. The only thing that can decode messages encrypted with that key is the corresponding "private key" which the computer keeps secret. So the public key can be sent "in the clear", and even knowing the encoded message, how it was encrypted and the public key used to encrypt it, it is *still* impossible to decrypt it without the private key.

The heart of cryptography is math. Math is purely abstract, it has no objective reality beyond human imagination and is a construct of our minds helpful in understanding reality. Yet whilst it doesn't really exist, at the same time it is constantly facilitating conversation and commerce all around you.

The Darknet

There's been an interesting shift in the darknet in the last few months or so. The darknet is a version of the internet operating over something called "Tor". Tor is a technology originally developed by the US navy for secure communication that allows internet sites to operate with their location and visitors untrackable by normal means.

The black market, for all manner of things, took to the darknet with gusto. Large markets for illegal products took to operating via the darkenet, using cryptocurrencies (digital currencies) like bitcoin for transactions. Bitcoin is not anonymous, it is highly trackable, but there are technological ways round this via coin tumbling. Tumbling effectively launders your bitcoin to make them untraceable. PGP (Pretty Good Privacy) encryption is used to protect messages from prying eyes.

In recent months the major markets have been taken down by law enforcement agencies, usually exploiting browser vulnerabilities and the idiocy of market operators to find them. First Silk Road was taken down, with AlphaBay and HansaMarket next including the feds running Hansa for a while to find the sellers. Particularly the sale of firearms, child pornography, identity theft and narcotics are traded on the darknet and of interest to those who have a reason to be interested in such things. Individual buyers of narcotics are of no interest, but finding the sellers and shutting down the markets are.

One of the last major marketplaces, Dream, seems to be down and untrusted by those who know. The alternative that has sprung up in place of the large markets seems to be individual vendors selling directly via their own sites or encrypted messaging systems. As perceived risk for sellers has gone up so have prices, although still well below street prices for those able to navigate the technological maze.

One of the major functions lost with the markets is escrow for buyers. Escrow is a system intended to permit buyers to purchase with safety against scams or intercepted deliveries but also how several market runners have attempted to exit their risky trade by absconding with all bitcoin held in escrow - the so called "exit scam". Along with escrow the reputation system (similar to ebAy) is also lost, leaving buyers with a much riskier path. For those who know where to look, and reddit isn't a bad place to start, reputation and vendor lists are still curated and available but this is an ever shifting landscape. One of the frontiers of the new wild west.


"One of the common objections to Christianity is that it would seem to permit the truly evil to repent. If the truly evil really could repent, and change, I don't think that would actually be a bad thing."

No comments:

Post a Comment