paint-brush
Only way to not be hackedby@Forgetabstract
111 reads

Only way to not be hacked

by Jaroslav LipskyNovember 16th, 2018
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

This article born around <a href="https://en.wikipedia.org/wiki/2016_Democratic_National_Committee_email_leak" target="_blank">DEMparty emails</a>, hacker wars between countries and everyday freshly baked zero-days to morning breakfast. Protection from which I see only in simple basis:

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coins Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Only way to not be hacked
Jaroslav Lipsky HackerNoon profile picture

This article born around DEMparty emails, hacker wars between countries and everyday freshly baked zero-days to morning breakfast. Protection from which I see only in simple basis:

Think as hacker: do not believe in security but believe in social engineering

Being on white side but techy I know something about programmable systems. And news are bad: systems in grand hole. The most stupid thought in security is believing in super Public Corp © which protect you. NO. Because that doesn’t matter. Moreover: large system multiplied risks while small open source program with one talent engineer can control it all by one “authoritarian” head (with push/community checking help).

Hello Google

I write these lines reading Hacker News post on which anonymous googler writes “ Do you know how many bugs you need to fix to get promoted? Infinity. No matter how many you fix, it will never get you enough “impact” for promotion. Never.”

Hello World

Bad news for real world complex systems is in their control. No matter how do you talent in your C++ because even small software can be hacked by hacking of Operating System. Or by compiler problems. OK: you are talent and small open source community that make a decision for own OS. Perfect small OS with perfect control. As example we can name it Tails or another more “from scratch”, “native” and secure project. In that time while you program perfect OS, engineers from Intel unconsciously make zero day in processor design… or asian manufacturer get instruction from their government intelligence service to put beetles inside (as example Intel have trojan engineers that send alternative compatible freshly baked designs to manufacturer). And for them who do not understand: strength of the system defined by they weakest part. Weak processor -> Weak OS -> Weak program.

Security defined by level not end state. Permanent state of security equals to level of hacker tools. We just need to forgot about unhackable systems because it is not about real world problem. That is illusion: permanent security breaks over time in dynamics. Security is not constant it is variable.

Answer: illusion of breaking

Answer from Nature

If you weak — mimicry.

As example you have own email server. You can mimicry software of the server for another popular alternative. You can mimicry version for 6 month ago with known top popular zero days. In next, you research popular hacker pattern for these zero days and help hacker to reduce him attempts for “breaking” achievement. In opposite to heat hacker we need to cold him in support of conceit. Knowing your guest you give another version of the system to foolish him. These emails will include false activity without any sensible data. Problem with this case is false checking by send checking email that can discredit actual server state. Solution for that can be found in pseudo email forwarding onto another server with input box auto-clearing pseudo option. For trust you can give list of latest 30 emails without addresses that will be filtered to exclusion list of top and medium important person addresses. You just feed your hacker by limited low priority list of garbage (including own checking garbage). Second problem is persons that will use your system — they are weakest chain so problem grows again but there we can use ecosystem of fooling software that will work through one perplex framework (for creating wrong emails exchange relationships flow and information filtering). For problem of external shadowing of relationships between persons we will fool again by simulation alternative channel of messaging these persons — chat. Pseudochat. This chat will be a garbage file with pseudo auth shell by meaning that chat is not real program and can’t be hacked by definition.

https://en.wikipedia.org/wiki/Distraction_display

Better if this chat will be unpopular or something “new” because we do not know about breaches in internal server security of Whatsup, Telegram or Signal. Hackers might have direct access to chat infrastructure without need to bruteforce your account keys (and so there they will reveal real picture).

Informers is another non-techy but big problem that will rush it all — so you need to know who are users of your system (not case for own but headache by government usage).

This idea is good for close ecosystems but also can be tried to adapt by commercial products (popularity is a problem).

In this post I do not give you recipe how to protect mail server of your organization: every step raises new narrow problem that you need to be answered (and strategically planned). Actually there is pure methodology of deception from nature that we can use only and that was used against us long time. White hats need to use power of social engineering against black.