Hello fellow readers,
This post is a refresh on related subjects I’ve discussed in the past.
I’m revisiting them in light of the recent media coverage.
Social awakening is at the door.
Recommended, but not mandatory, before reading this article:
- A view on social changes in 2015
- Social Networking
- Evolution of security
- Obscurity of Communication
- What is programming
2015 was a year with phenomenal hacks and password leaks.
Let’s list some of those:
- We continue to have our minds blown by new data brought by whistle-blowers like Edward Snowden. Since 2013 the astonishing content has revealed and confirmed assumptions we had about worldwide surveillance.
- The San Bernardino case started in 2015. The US intelligence agency is requesting that Apple create a master key to open any iPhone, so they can inspect the data on one of the shooters’ phones. If this happens, it will have significant repercussions.
- Female celebrities have been shamed publicly in a scandal named “The Fappening”. It consisted of cracked iCloud accounts containing naked pictures that were later released to the public.
- The remains of 2014’s Heartbleed, Shellshock, and other high-risk 0days are still here. With high internet speed, hackers are scanning the entire internet for those vulnerabilities and building empires of minions.
- We suffered the Ashley Madison, Slack, and many other database breaches. How people’s information is still stored with weak hashes or no encryption at all remains baffling.
- The largest DDoS attacks have been launched. A Distributed Denial of Service consists of “taking down” a website by initiating a huge number of connections from multiple machines all across the internet. Some attacks were directed at GitHub and Linode, and the last massive ones at the BBC and presidential candidate Donald Trump.
On the bright side, we’ve had advances in the computer field, with artificial intelligence taking major steps forward.
- AlphaGo, powered by Google’s DeepMind, finally beats the Go world champion, Go being a game that was thought to be too complex to compute.
- We can now train recurrent neural networks in a small amount of time using our powerful graphics cards (GPUs). Google’s DeepDream is an example of this.
- A computer program, Eugene Goostman, claimed to have passed the Turing test for the first time (even if it doesn’t seem like it’s really doing a great job).
- Self-driving cars are ready to be released, Google’s self-driving car too.
- Cryptocurrencies are taken more seriously by brokers.
- Virtual reality headsets are here: Valve’s HTC Vive, Sony VR, Microsoft HoloLens, Oculus Rift.
- Drones, miniature computers (the Raspberry Pi for instance), and embedded devices are now cheap and common. It’s the beginning of the internet of things (IoT).
Socially, many changes are happening; we’ll discuss them in a bit.
What is information?
Everything is information.
Information is everything.
You access, transfer, manipulate, and protect information.
Not only does the information need to be protected, so does everything that revolves around it: the so-called “metadata”.
Metadata can be used to make assumptions about individuals. For instance, the browser’s user-agent, the IP address, the location, the default language, the internet provider, etc. All of those are metadata that can be read without accessing the information itself. Trackers, such as Google Ads, gather them to classify your interests. Combining all the meta-information together creates a unique identifier of your browser.
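To make the last point concrete, here is a small added example (written for this post, not a tracker’s real code) that shows how harmless-looking metadata fields add up to an identifier. The visitor records are constructed sample data; the script hashes a chosen set of fields into one identifier and counts how many visitors share it (the “anonymity set”). One field alone leaves everyone in a crowd; combining all of them singles each visitor out.

```python
import hashlib
from collections import Counter

# Constructed sample of request metadata as a tracker would see it.
# Six visitors; every value here is made up for the illustration.
VISITORS = [
    {"user_agent": "Firefox/44", "language": "en-US", "ip_prefix": "203.0.113", "tz": "UTC-5"},
    {"user_agent": "Firefox/44", "language": "en-US", "ip_prefix": "203.0.113", "tz": "UTC-8"},
    {"user_agent": "Chrome/48",  "language": "en-US", "ip_prefix": "198.51.100", "tz": "UTC-5"},
    {"user_agent": "Chrome/48",  "language": "fr-FR", "ip_prefix": "198.51.100", "tz": "UTC+1"},
    {"user_agent": "Safari/9",   "language": "en-US", "ip_prefix": "192.0.2",    "tz": "UTC-5"},
    {"user_agent": "Firefox/44", "language": "fr-FR", "ip_prefix": "203.0.113", "tz": "UTC+1"},
]


def identifier(visitor, fields):
    """Hash the chosen metadata fields into one opaque identifier."""
    material = "|".join(f"{f}={visitor[f]}" for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def anonymity_sets(visitors, fields):
    """Map identifier -> number of visitors sharing it (the anonymity set size)."""
    return Counter(identifier(v, fields) for v in visitors)


def smallest_anonymity_set(visitors, fields):
    """Size of the smallest crowd any visitor can hide in for these fields."""
    return min(anonymity_sets(visitors, fields).values())


def uniquely_identified(visitors, fields):
    """How many visitors are singled out by this combination of fields."""
    return sum(1 for c in anonymity_sets(visitors, fields).values() if c == 1)


if __name__ == "__main__":
    for fields in (["language"], ["user_agent", "language"],
                   ["user_agent", "language", "ip_prefix", "tz"]):
        print(fields, "-> uniquely identified:",
              uniquely_identified(VISITORS, fields), "of", len(VISITORS))
```

Run it and watch the count of uniquely identified visitors climb as fields are combined; that climb is the whole business model of a tracker, and the reason that reducing the metadata a browser volunteers matters more than any single field.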
Information needs to be protected for multiple reasons. One of the ideas that frightens people is information monopoly — being able to control an entire population, knowing their past and directing their future.
Some corporations affirm that they secure your data using “safe” protocols and encryption. However, they resort to “security through obscurity”, hiding your messages with proprietary software that only they have access to. No one else can confirm their true motives and actions.
This means that probably no “attacker” can access the data, but that the big corporations can. (Here we go with the fear of big corporations, but this time it’s true! No paranoia please.)
What is encoding, encryption, obfuscation, and hashing?
For a long answer see.
- Encoding: Think of encoding as a translation from one language to another. It’s the process that converts data so it can be understood by another program. And like human language, it’s reversible once you know the tongue.
- Obfuscation: Obfuscation is the “Where’s Waldo” game. The information is there but it’s hard to find. You have no indication of where it is or how it is constructed — “security through obscurity”.
- Hashing: Hashing is metadata. It’s the unique fingerprint of your information. You feed the information into the input pipe and you get an identifier out the other end. You cannot get the information back out of the identifier, a so-called “one-way encryption”. This is used to confirm users’ passwords on the internet. Instead of storing a clear-text version of the password you store its unique identifier and compare it to the identifier of what the user enters. There certainly are more secure practices, but they are out of the scope of this article.
- Encryption: Encryption is the locked safe. This is what is used to make the data readable by the intended parties only. Most strong encryption uses a public and private key mechanism. Your friend’s public key is used to encrypt the data you want to send him, and your friend uses his private key to open it. No one in the middle has the private key, so no one can open it. The private key itself is protected by a password so that a stolen copy cannot be used on its own.
However, there are always flaws.
What is end-to-end encryption and what is server side encryption?
One of the flaws of key-based encryption is the man-in-the-middle attack.
Let’s say someone gave you a wrong public key while pretending to be your friend. You encrypt the data using that key; the person intercepts it, decrypts it, saves it, encrypts it again with your friend’s real public key, and finally sends it to him.
This scenario is real; sslstrip is an implementation. You need to wiretap the communication for it to work.
It can also happen on the server itself. When all communications pass through the same node (the company’s server), it makes the manipulation easier.
That’s why, when using key-based encryption, you should always confirm the public keys of the participants so that you know they haven’t been tampered with.
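Here is an added example of that confirmation step (my own illustration, not code from any of the tools named in this post). It computes a SHA-256 fingerprint of a public key in the style OpenSSH prints them, and keeps a pin store that remembers the fingerprint seen for each contact: the first time you meet a key you verify its fingerprint over another channel, and any later session that presents a different key for the same contact is refused before anything is encrypted to it. The key blobs are constructed placeholders; a real client would pass the actual RSA or EC public key bytes.

```python
import base64
import hashlib
import hmac


def fingerprint(public_key):
    """SHA-256 fingerprint of a public key blob, formatted like OpenSSH shows it."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class PinStore:
    """Remembers the fingerprint seen for each contact (trust on first use,
    confirmed out of band) and flags any later change of key."""

    def __init__(self):
        self._pins = {}

    def check(self, contact, public_key):
        fp = fingerprint(public_key)
        known = self._pins.get(contact)
        if known is None:
            # First contact: pin it, and read the fingerprint to your friend
            # over the phone or in person before trusting it.
            self._pins[contact] = fp
            return "new"
        if hmac.compare_digest(known, fp):
            return "ok"
        # A different key for the same contact: someone sits in the middle,
        # or the friend rotated keys. Either way, do not encrypt until verified.
        return "mismatch"


# Constructed placeholder key blobs (not real keys).
FRIEND_KEY = b"-----CONSTRUCTED FRIEND PUBLIC KEY-----"
SUBSTITUTED_KEY = b"-----CONSTRUCTED INTERLOPER PUBLIC KEY-----"


def simulate_exchange():
    """First session pins the real key; a later session presenting a
    substituted key is detected before any message is encrypted to it."""
    store = PinStore()
    results = [store.check("friend", FRIEND_KEY)]
    results.append(store.check("friend", FRIEND_KEY))
    results.append(store.check("friend", SUBSTITUTED_KEY))
    return results


if __name__ == "__main__":
    print("friend's fingerprint:", fingerprint(FRIEND_KEY))
    print("session results:", simulate_exchange())
```

The fingerprint is what you compare out of band: two people reading the same short string to each other is enough to rule out a substituted key, which is exactly the check the paragraph above asks for and the same idea certificate pinning applies to websites.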
Centralized networks have too much power.
For example, Verisign controls most of the SSL (Secure Sockets Layer) certificates on the internet, which are used to make secure connections to websites.
Moxie Marlinspike created a solution to this issue called Convergence. Instead of asking one authority about a certificate you ask many decentralized ones and keep a local cache on your machine. It is very similar to certificate pinning.
A better way to use a service is to have it decentralized.
Peer-to-peer networks distribute the load between all the users in the network, making them resistant to attacks that rely on knowing the path the information takes.
But breaches happen, and databases are leaked. Your passwords and data are released.
Or worse, weak passwords that can be guessed.
Even when the password is hashed, which as you remember is the fingerprint of the password, crackers can find what your password was.
They hash-crack: they compute the hash of candidate passwords as fast as possible and check whether it matches the leaked hash.
This is faster when using pre-computed hashes and GPU processing; it’s a matter of minutes.
There are public databases online listing billions of precomputed hashes.
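An added example tying together the hashing definition earlier and the breach scenario here (my illustration, not code from any breached site). The weak scheme stores one fast, unsalted MD5 per password, so every user with the same password gets the same digest and a single precomputed table unlocks all of them at once. The stronger scheme, which is among the “more secure practices” the hashing section left out, adds a random per-user salt and a deliberately slow derivation (PBKDF2-HMAC-SHA256 from the Python standard library): the salt makes precomputed tables useless and the iteration count makes each guess expensive. The passwords below are constructed sample values.

```python
import hashlib
import hmac
import os


def weak_hash(password):
    """Weak storage: fast, unsalted MD5. Same password -> same digest for every
    user, so one precomputed table cracks all of them."""
    return hashlib.md5(password.encode()).hexdigest()


# Stronger storage: per-user random salt + slow key derivation.
ITERATIONS = 100_000  # tune upward as hardware gets faster


def make_record(password, salt=None):
    """Create a stored record for a new password (salt generated if not given)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record, attempt):
    """Recompute the derivation with the stored salt and compare in constant time,
    so response timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_same_digest(password):
    """Two users choose the same password. Returns (weak_collides, salted_collides):
    identical under the weak scheme, distinct under the salted scheme."""
    weak_collides = weak_hash(password) == weak_hash(password)
    user_a, user_b = make_record(password), make_record(password)
    salted_collides = user_a["hash"] == user_b["hash"]
    return weak_collides, salted_collides


if __name__ == "__main__":
    # Constructed sample password; never reuse a demo value for a real account.
    print("weak:", weak_hash("password"))
    record = make_record("correct horse battery staple")
    print("salted record:", record)
    print("verify right:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:", verify_password(record, "password"))
    print("two users, same password (weak, salted):", same_password_same_digest("hunter2"))
```

The point to take from the output: a leaked table of salted, slow hashes has to be attacked one user at a time, at a cost you control through the iteration count, whereas the MD5 column is already in those public databases of billions of precomputed hashes.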
How can we resolve this?
The best way would be to stop using passwords and switch to key-based authentication.
Another solution is to use multi-factor authentication. After entering your password you have to enter a second piece of information that only you could have, such as a USB key or a passcode sent to your cellphone.
This is hardly enough.
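For the second factor, here is an added example of the time-based one-time passcode an authenticator app or phone produces (my own implementation of RFC 4226 HOTP and RFC 6238 TOTP on the standard library, not code from any product named in this post). The shared secret is the RFC test-vector seed, used here only so the output can be checked against the published values; a real deployment generates a random secret per user. The verifier accepts one step of clock drift on either side and compares codes in constant time.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector seed, NOT a real one.
DEMO_SECRET = b"12345678901234567890"
STEP = 30     # seconds per code
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated
    to a 31-bit integer, reduced to the requested number of decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step)


def verify_totp(secret, submitted, at=None, window=1, step=STEP):
    """Accept the code for the current step or up to `window` steps on either
    side (clock drift between phone and server), comparing in constant time."""
    at = time.time() if at is None else at
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


if __name__ == "__main__":
    print("code right now:", totp(DEMO_SECRET))
    print("code at t=59  :", totp(DEMO_SECRET, at=59))   # RFC 6238 vector: 287082
    print("accepted      :", verify_totp(DEMO_SECRET, totp(DEMO_SECRET)))
```

The server keeps only the secret and the clock; nothing it stores lets an attacker who has already stolen the password log in without the device, which is the entire value of the second factor. A tolerance window of one step is the usual compromise between clock drift and the number of codes an attacker could guess in a given moment.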
There will always be entry points in the system. The system is “exploited” by attacking the openings that interact with the real world. Anything in a system that accepts external input can be vulnerable.
This normally requires a high level of skill, unlike the other methods that any “script kiddie” could use to impress his friends.
Those flaws are ways to get access to your machine. In many cases it happens through the human, the social engineering attack: people entice you into downloading their malicious software or visiting their malicious page.
Interestingly, DARPA is working on an AI that would automatically detect those flaws, 0days, and patch them. They called it the Cyber Grand Challenge.
More on it here.
In the past, things you’ve said could’ve been erased and forgotten.
Today’s surveillance is more dangerous because of our jump into the digital age.
All utilities are getting connected to the global network; the internet of things is being built.
We can now trace back years of conversations and online habits.
It would be hypocritical not to acknowledge that surveillance is taking place and that governments are trying to develop this technology — the surveillance state.
The Carnivore project, PRISM, Five Eyes, XKeyscore, and other mass surveillance systems are there. They track behaviors on the internet and on cellular networks.
Analysts crave this amount of data. With enough of it, you can accurately deduce and predict the direction in which a society is heading. A godly power with unlimited potential.
This can be used for so much good or so much evil depending on whose hands it has fallen into.
From now, know that every border you cross, every purchase you make, every call you dial, every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route, is in the hands of a system whose reach is unlimited but whose safeguards are not. Your victimization by the NSA system means that you are well aware of the threat that unrestricted, secret abilities pose for democracies. This is a story that few but you can tell.
On its way to its destination the packet of data can be stored anywhere: from internet providers, to search engines, to certificate authorities like Verisign, to domain name servers, to trackers like Facebook and Google Ads, and to any centralized service.
Imagine the training set that a neural network or artificial intelligence has been fed with. All of that used for classification of individuals, marketing, intelligence, and influence.
Is it possible to have privacy and anonymity in this kind of world?
Joe Cicero discussed this topic at Cyphercon 2016. The conclusion was disappointing: to have privacy you have to let go of your own self, to detach yourself from everyone else, to cut contact even with your personality.
Privacy and anonymity don’t rhyme with freedom.
There are alternative distributed networks that offer more security:
proxies, VPNs, Tor, I2P, other P2P networks, Freenet, operating systems made for privacy such as Tails, etc.
Here’s an overview of how the Tor network works.
Layers of encryption mean nothing if you are using a non-secure, non-SSL connection at the exit node. All in all, it means nothing if you are giving away metadata.
You contact your domain name server, giving it the list of websites you visited. The platform you are using might give out your location. Someone who uses Tor to browse anonymously can be tracked if they are the only person in the area using Tor.
We’ve even reached the level where we can associate writing style back to the person. Projects such as Anonymouth and JStylo implement the method and the counter-method.
And we didn’t talk about the flaws in those networks yet!
It’s hard but not impossible to be out of the “system”.
As I’ve said before to have privacy you have to let go of your own self.
You should never trigger a flag that would insert you in the “database”.
The solution revolves around being normal, to fit in the crowd and not attract attention.
I’ve discussed this technique in an older post. It uses popular crowded places and the power of steganography. Sort of like communicating through spam, but safer.
It’s strange to notice how, after sensational events, media companies overuse them, sucking out as much money as they can.
People love the sensational, it’s addictive!
There are subtleties on the topic inserted in what you see in movies, read in articles, and hear on the radio.
What I’ve mentioned in the first section of this post has been well covered by them.
However, like Chinese whispers, the facts and what is presented differ, for example by editing pictures, or just plain media manipulation.
Sometimes the reason for manipulation is corruption, sometimes brainwashing, sometimes misinformation or lack of education of the presenters, sometimes personal ideals.
This contributes to the mystification and hysteria, the legions of paranoid citizens believing what they’ve seen in the multimedia.
An average person isn’t well-informed on many subjects and doesn’t have the curiosity of fetching the information. Or worse, when researching a topic, the results of his research are manipulated.
The fear and demonization of what is strange and unknown is part of the basics of human psychology. We all look for the “big bad guys” trying to take over the world and have nightmares of world cataclysm.
The misinformation on hackers started a decade ago along with the hype on sci-fi, but the fantasies are now redirected at real persons.
This has led to many having no knowledge of the internet and technology as a whole. Why should they?
Common misconceptions are:
- “Hackers” are bad (From people who confuse the term hackers with cracker).
- “Hackers” are wizards that can break into anything in seconds.
- “Anonymous” is a group of individuals (as in it’s always the same people and they all have the same opinions).
- “Linux” is for thieves.
- “Viruses” are like body viruses.
And more..
Today’s frightening one is:
- Encryption is a device used by terrorists, an illegal math.
Blame it on the bad coverage of the San Bernardino case.
Fortunately, there’s still hope: a British show has taken the step to inform people about what is happening.
The next target is the WhatsApp chat platform, which they want to remove encryption from. It partnered with Open Whisper, an encryption company led by Moxie Marlinspike, last year.
As I’ve said in other articles:
All the human knowledge is available online but with a mindset of laziness it’s hard to overcome the step needed for brighter days. It’s undeniable that the capacity to search anything has helped scientists, developers, and the geniuses of the next generation.
Shamefully, most are satisfied and find self-affirmation on online social media, meme networks, and porn websites. Children have brains like sponges; they absorb all the liquids, all the propaganda. And heck, we’ve got a pollution of propaganda on the internet.
News have never spread so fast in the entire history of mankind. News have never been as altered from the objective truth. And it doesn’t stop with news, it’s manipulation all the way down.
Talk about crowd manipulation on a giant scale, a brainwashing. The problem is that people don’t take a propaganda for a propaganda until they realize it’s propaganda. It’s a group movement. The entity takes over the individual. We’re driven by something we can’t control. Add to this that it moves so fast that it’s unstoppable and unjudgeable.
In conclusion, if there is dirt to be extracted from the next generation, it will be self-satisfaction through technology in place of a dream for the future.
Their social media is:
The place where everyone already has accounts, receives notifications and visits on a daily basis
The Truman Show is happening, The Matrix is happening.
How many times should we listen to Plato’s Allegory of the Cave to understand it.
The next section will deal with the people who have seen the sun.
There’s more to the internet than what the casual person does with it. It’s not just about marketing, Facebook, Twitter, and social media.
That’s not even the tip of the iceberg, the web is deep.
It has many sub-cultures, and phenomena.
The internet has far more to offer.
It contains most of human knowledge.
You can spend a day discovering what you’ve always been wondering about, jumping from website to website, from definition to definition, ad infinitum.
On your quest you meet strangers with the same interests, persons that you wouldn’t be able to meet in your daily life because of distance, both physical and social.
The internet gives people back their freedom, a shame that we are having it taken from us.
It is a second life.
After discussing with the earlier strangers for months you won’t consider them strangers anymore. After working on projects together, discovering the world, and arguing on multiple subjects.
From forums, to image boards, to blogs, to custom-built websites, to irc gateways, to exotic chat rooms, to shell accounts, to forgotten software.
You can have your own “niche” in your own corner of the internet, away from the mainstream influence.
There is place for imagination.
There’s no term for the people that do that, but I like to refer to them as cyberpunks, going against the current trends in cyberculture. They are very passionate people seeking more, and the internet is just an extension of that passion.
Their ideal medium is the internet.
Some of them have been using the internet since its beginning, they know everything about it and are nostalgic of the old days.
Some sub-cultures still cultivate this mentality. They admire ASCII and ANSI art, they get hyped on chiptune, they love to play wargames and capture the flag, they use Unix-like operating systems, they get crazy on internet hunts and alternative reality games.
Wargames are games where you have to legally hack into software. It helps you understand what can be vulnerable in a system.
To play them you need a wide knowledge of programming, many types of technologies, networking, social engineering, and more.
I’ve written about it before.
Alternate reality games are similar to wargames in that you have to crack an enigma. The difference is that they use steganography more than wargames do. Cicada 3301, an online secret community, has used them multiple times to hire new members.
The hitch about ARGs is that they are extremely easy to put in place but hard for the players to beat.
Xero on Nixers made one for the community. I made some too on a hidden website… but that’s another story.
No, you aren’t anonymous!
A song by Rockwell and Michael Jackson: I always feel like… Somebody’s watching me!
Thanks xero for the proofreading, the fonts, and the awesome glitch images found in this post.
If you want to have a more in depth discussion I'm always available by email or irc.
We can discuss and argue about what you like and dislike, about new ideas to consider, opinions, etc..
If you don't feel like "having a discussion" or are intimidated by emails, then you can simply say something small in the comment section below and/or share it with your friends.