written by owen on 2019-Jul-20.
How do you secure yourself on the internet? This question pops up almost everywhere with no real definitive answer. The short answer is nothing on the internet is secure. NOTHING. The internet is no more secure than the physical world. Information on the internet can be hacked, by-passed and subverted or exploited in several ways based on the "opt-in" nature of the internet. "Opt-in" on the internet mean you either agree to the terms/conditions or you will not be able to use any of the services at all.
Everything in internet technology is built on top of something else. Some things are secure temporarily secure, while other things are secure until a large company deems it to no longer be secure. Security is a matter of convenience in technology. A user either accepts the EULA (opt-in), leaves or gtfo. If your data gets lost or hacked/compromised be prepared to start over, enter a longer password, deal with customer service or basically be left outside in the cold.
Basically internet security depends on the angle of attack;
Internet security is a ratio of convenience
The internet is a moving target. Cars kill a alot of people but no one wants to ban cars because they are super convenient. Internet security is a similar situation - based on the percentage of people inconvenienced changes/laws are made to minimize the casualties. If the percentage of inconvenience(POI) is low then the feature is is not fixed. If the POI is high and affects company revenue then measures are quickly put in place to deprecate everything old/legacy. At one point it was considered good practice for social media websites to access your email contact list so they could spam your friends. On the modern internet this practice is now looked down upon by the tech community. Insecure, parasitic and exploitative practices will be allowed as long as it makes money - even if only a few benefit from it. The tech community hoping for favours at a later date. All you can do is use the services that are convenient to you and ignore everything else accepting the risks that come with said convenience.
Open vs Closed Source Security
The bigger an open source project gets the harder it is to fork and it eventually gets appropriated in the name of security. Tech companies wants to get bought out by one of the big 3. It is a proud accomplishment to sell out your user base. Most users will support open source if it means "freeness" or piracy hiding the fact that it is merely a way to "upsell" users into paid tiers. So you are only secure in a open source project until they find a buyer then you data is sold to the highest bidder. Plus large companies often offer open source APIs as a means to lure people into a wall garden and increase their monopoly control especially when adoption is low (see twitter).
Automatic Updates and Always online
This is a one of the primary hacks being used by modern software especially browsers. In the past when you install a piece of software you installed it for a specific purpose and a specific set of EULA conditions and features. There is no way to defend yourself against the internet if the internet is attacking you. Automatic updates side-step this agreement by implementing a method in which the software can change some, a part OR ALL of its internal operation without informing the user. The key point in the removal of choice is to provide security through perpetual updates.
Two factor authentication (2fa)
2fa is a way in which cloud companies collect phone numbers and location in the guise of authenticating a user's identity. It is like adding another card in the house of cards that is internet security. 2FA ties the user to another service (usually something they have to pay for). The idea is that you cannot be in 2 places at once. Unfortunately the other services are also on the internet and so are also hackable which means 2FA really only moves the hacking target onto the other service. 3 Factor Authentication is going to be the next a ring-a-ring-a-rosey dance.
Mobile operating systems have dwindled down to 2 major players which means that the hacking target area is so much easier since you can guess which operating system an individual is using simply by a casual glance at their screen or their emoticons. A smartphone can be hacked by simply introducing a rogue application onto a person's device with minimal social engineering. The constantly changing and updating phone app space is a train wreck waiting to happen. You never really know what you are aggreeing to when you install an application. Free wifi hot spots might be hacking your smartphone.
Password Length Attack
The length of the password you use DOES NOT MATTER. The most damaging hacks are attacks of entire websites and social media platforms. It does not matter what password you use or how many @%&#$@# symbols are in it. Password hacking is most effective in bulk or in the case of an individual administrator. Torturing yourself by using a 32 letter password is only wasting your own time. Sites which use your plain text email address as a username should be avoided because the email address ties you to your passwords on all the sites that use the same login.
Financial systems, credit cards and ATMs
Banks are hacked on a daily basis mostly through fraudulent documents, social engineering and unpaid loans. The magnetic strip debit cards, credit cards are probably their weakest link but one should not feel sorry for banks because they make WAY more profit than they lose via hacking. The only issue is the time you will waste when you lose access to your banking services because of a hack. The only way you can reduce your exposure to financial hacking is to keep your interactions with these systems to a minimum, stop visiting the ATM 6 times a week and ensure you real national IDs are always up to date.
Governments and Data Protection Acts
All governments are immune to Data Protection regulations - you cannot protect yourself from governmental data mining - they simply will not shackle themselves which such privacy rules. Data once handed off to a third party is basically a "park at your own risk" situation. Promises made on data protection are temporary at best. Governments will hack their own citizens when necessary for the good of the population/economy. Negative impacts on the economy are a no-no - no. Simply put: DPAs are only secure as long as the third party has not found a profitable business case to exploit you and your data.
They say you can lead a donkey to water but you cannot make it drink. What if you anonymize the donkey/data? In technology you can create a real time anonymous copy of a individual and run all your algorithms and mining on these cloned versions. Does data protection guidelines take into account cloned versions of people? If you can be maintain and track a perfect copy of everyone over months or years that data is even more useful than actually knowing that person's actually real name. Once your data is in the cloud there is no way to protect it or copies of it. You want to keep real people identifiable but their data anonymous so you can mine it. Avoid customized ads and recommendations.
Even if you are the most secure user on the internet you can still be hacked by the network. If you are travelling in a car with your location services turned off the network can still predict where you are based on the other people that are in the car with you. The weakest like are the other people who do not care about internet security. It only takes one other individual with the "find my phone" feature, logged in to a social network to snap a picture of you to create the correlation. The unique list of wifi, bluetooth hotspots available around you, etc. If both users were on the same wifi network at the start of the journey and one leaves but the other goes offline it is a simile 1-2 to determine if the other person is still in close proximity based on their social media activity, faces/buildings or items in the pictures they take can help to link them to you or you to them.
Apple recently combined its "find my phone" app with its "find my friend" app - this is a move to connect one popular security hole to another less popular but more effective security hole. This is a business case which benefits the network at the cost of user privacy.
Security does not always involve some kind of data leak - hidden information is just as troublesome. Silent platform exclusion aka shadow banning. Users of the internet often use services under the impression that they exist as open platforms that are providing complete and unfiltered information. News feeds, related videos and explore pages have become ways platforms manipulate users in ways which expose them to content which they would not naturally come across. Basically hacking their virtual world-view without informing them that they are being manipulated. Ignorance is bliss. Advertisement revenue is God.
Nothing is secure in internet technology. Many people will suggest that you dig yourself deeper into the internet hell hole because they want company online. The internet is like a drinking contest thrown by a liquor company. Users will always be blamed when they get drunk. We are living in a era where exploiting internet userbase for profit and entertainment is at an all time high. The most you can do is limit your exposure and dependence on internet services. Broaden your choices so that if one cloud service goes down you can hop onto another with minimum delay. Buy 3 cellphones. Backup everything on a flash drive or stone tablet. Print out some pictures and screenshots on paper so that you can remember how everything looked before the internet apocalypse destroys everything.