The Future of Staying Safe Online Now

by Steven Hatzakis, March 29th, 2019
Too Long; Didn't Read

This article explores why consumers will inevitably seek to become more self-reliant when protecting themselves against cybersecurity risks, to help bring light to our darkened web.

A movement towards more self-reliant technology consumers, by Steven Hatzakis

[Figure: celestial constellation map, north polar projection; art by Steven Hatzakis]

Given the increasing threats faced on the world wide web, online users and their devices are increasingly at risk. Bad actors lurk on the dark web intending to cause harm, and they have access to powerful tools.

While such tools can be used offensively, as weapons, by bad actors, consumers have new choices and ways to stay safer.

This article journeys toward a destination where consumers can arm themselves with information and powerful tools, learning along the way (skip to the end for the tools, or read along for the ride).

Article high-level themes

  • A snapshot of modern web challenges
  • Risks and the changing threat landscape
  • How consumers can better protect themselves online
  • Accessing powerful, albeit complex, cybersecurity tools
  • Not meant to be a complete guide, but rather to increase awareness

The internet is not becoming safer, it's getting worse

We've come a long way since the first web browser. March 2019 marked thirty years since Tim Berners-Lee's original proposal for the World Wide Web, and its inventor used the anniversary to raise concerns about the dark side of the web.

The web remains a dangerous place, one that literally steals brightness from the light web where people try to stay safe and where businesses keep failing to protect those same consumers.

Below is a recent message from Sir Tim Berners-Lee:

[Also see: https://cdn.theguardian.tv/mainwebsite/2015/02/19/150119TIMBERNERSLEE01BEGINNINGSREEXv3_FromGLabs-16x9.mp4]

A report by ENISA published in January 2019 shows that web-based attacks are increasing, with nearly half targeted at US-based IP addresses.

[Figure source: ENISA]

The ENISA report highlighted that other attack types are also on the rise, despite a decline in spam.

Domain fronting remains another major risk, as outlined at the most recent annual RSA Conference. (Domain fronting hides the true destination of HTTPS traffic by presenting a CDN's domain name in the TLS handshake while the encrypted Host header names a different server behind that CDN, which makes malicious traffic hard to block without blocking the CDN itself.)

The threat landscape has changed, with newer attack vectors such as malvertising, crypto-jacking and ransomware, alongside Distributed Denial of Service (DDoS) attacks that can take entire web services offline.

[Figure source: ENISA, using 2018 data]

Symptoms of a larger problem: the web has a disease

Just a few days ago, while writing this section of the article, I read a headline that WhatsApp's original co-founder, Brian Acton, who sold his company to Facebook for $18b, is again urging consumers to delete all Facebook applications (note: his encrypted messaging app, Signal, is a competitor).

Mark Zuckerberg had just announced plans for Facebook to pivot to a more privacy-focused offering, yet barely a few days later Facebook disclosed that it had failed to properly secure millions of its users' passwords: the passwords had been stored in plaintext on internal systems, readable by Facebook staff, rather than only as salted password hashes.

Even a strong password offers no protection when the service stores it in plaintext (as Forbes also explains): the strength of a password only matters if the server keeps a salted, deliberately slow hash of it and never the secret itself.

Given the number of breaches that continue to hit the mainstream media (and potentially countless more yet to be announced or detected), users' trust has been continually eroded.

Many trusted platforms have suffered repeated data breaches, which have become the new "normal" and lead to greater distrust of any company's ability to guarantee security for consumers. Perhaps consumers are too reliant.

Observations:

  • Technology giants may be losing their grasp on loyal consumers as trust erodes with each privacy or security breach
  • Consumers are still utterly reliant on services like Google and Google Cloud, Amazon and AWS, payment providers (Visa, PayPal, etc.) and the major banks
  • A lack of educational resources and consumer-grade cyber tools makes it harder for consumers to protect themselves without relying heavily on third parties

The modern corporation, and the future collective/cooperative

Capital markets are vital for economic prosperity, yet shareholder incentives must be aligned with the incentives of end users.

Such an alignment of interests is needed so that both benefit, rather than one at the other's expense (a challenge that open public blockchains are trying to work out with experimental governance and incentive models built from cryptography and creative blockchain recipes).

Engineering challenges:

  • Game theory and economic incentives
  • Governance models that prioritize security and fairness
  • Regulatory compliance and accommodating laws/jurisdictions

The founder's dilemma, a governance/incentive problem

The issue at hand is a founder's dilemma that is manifesting at large scale across the global economy.

The breaches at the largest technology conglomerates are sending shockwaves into legal and regulatory debates and actions across various governments.

Founder's dilemma:

  • Aligning the interests of shareholders with the interests of consumers
  • The effects of the business on society

The cause of these breaches, in nearly all cases, comes down to some form of human error (by one or more humans, and one or more errors).

Many free/freemium services are not entirely free

Many services appear free to users but come at some cost (a "free" Google search, for instance), as the clues and data left behind by users are of great value when resold to advertisers, marketers, researchers and state actors.

Data is valuable, but users don't have a way to directly unlock that value.

Freemium takeaway:

  • Many free services are not entirely free
  • Value is extracted but not always directly shared with users
  • Users don't have many options and are forced to trust services

Cybersecurity is a promising sector

Just as defense becomes a more valuable sector in times of war, cybersecurity is becoming a valuable sector.

In recent years the cyber sector has branched out to encompass additional electronic and digital commerce industries where cryptographic security has become a necessity to safeguard market participants.

In 2018, over $1.8b was raised for cybersecurity startups, according to data from CB Insights.

Analogies of monetizing data to monetizing money

Ideally, some of the value captured from consumer data within an industry like social media should flow back to the consumers, who would be compensated for their data.

Compensating users for their data is analogous to what an account holder expects in terms of earning interest on a checking account, even as the bank lends those deposits out elsewhere.

Fintech service providers:

  • Compensate users more, not just shareholders
  • Create public utilities that are open (open source)
  • Encourage self-reliance and set those expectations in the terms and conditions

How to fix the problem: you are the solution

Comparable to banking (but worse), much of the modern web is so inefficient that it is as good as broken, and change is needed at the infrastructure level.

Even if value is captured at the protocol level and shared with the public (rather than at the application layer), it does no good if users cannot be more self-sovereign over their data. For example, the self-custody of digital assets, and of other plaintext secrets relating to privacy, security and personal data, should in an ideal world be controlled by their respective owners (power to the people).

My point is that there is an opportunity for change and to fix things, but it's the end user [you] who needs to regain power, as companies alone cannot be expected to be our guardians, which is why I think greater self-reliance is inevitable, for the greater good and for safeguarding users on the web.

Until then we remain helplessly reliant on many services and at the mercy of cybersecurity risks, yet we can act to reduce those risks and regain defensive power against the growing array of online threats, including phishing (for example typosquatting: bogus emails, sites and executable files that appear genuine).

Actionable steps:

  • Consumer education will help empower change
  • Software changes in UI/UX design, leading to new tools and experiences
  • Defend against cybersquatting/phishing (Google publishes a phishing quiz for practice)

Using cybersecurity tools, the good and the bad

While plenty of tools exist on the dark web that are often used offensively by bad actors to harm others, consumers literally remain in the dark, as they do not have access to equally powerful tools for defensive purposes unless they rely on third parties.

Examples of cybersecurity tools and their limitations:

  • Kali Linux and penetration-testing software (can cause damage if misused)
  • Vulnerable password managers (a single bug can expose every stored password)
  • Privacy-hoarding VPNs (may not protect privacy, since the VPN operator sees the very traffic it claims to shield)
  • Leaky firewalls (may not keep attackers out)
  • Bug-prone end-to-end encrypted services (may not protect data)

Breaches and the need to reduce the "quantity" of trust

The problem is that third parties are subject to breaches, as we've discussed, and consumers end up as the victims.

There must be ways for consumers to take greater responsibility for protecting themselves, and that is what I am writing about here, including tools that are available today but remain mostly complex and hard to use without relying on trusted third parties.

Again, my goal is to help users minimize the trust they expend, not to eliminate it completely (not yet), as some level of trust is always needed somewhere.

The building blocks of cybersecurity

Consumers remain largely unsafe against hackers and data compromises due to privacy leaks and a growing landscape of cybersecurity risks, so empowering consumers directly seems like a logical next step as the need for cybersecurity deepens. Below we list the cryptographic primitives these tools are built from.

Building blocks of cybersecurity applications:

  • Random-number generators
  • Hash functions
  • Encryption/decryption ciphers and algorithms
  • Zero-knowledge proofs

Research questions

What does the road ahead look like for consumers when it comes to cybersecurity? And what can consumers do to protect themselves without relying on others as much, becoming more self-reliant in their own defenses against these risks?

These are the types of questions I think about, and they lead me to the inevitable conclusion that a trend towards self-reliant and empowered internet users is coming, which we discuss below as ways to shine some light on the web.

Examples (not meant to be exhaustive):

  • Use two-factor authentication (2FA) or multi-factor authentication (MFA), but back up the recovery codes before syncing or enrolling a new device
  • Secure any secondary email addresses listed as recovery addresses on your main email accounts
  • Move security-critical services off SMS-based two-step verification (2SV) and onto an authenticator app or hardware key, to reduce the risk of SIM-swap ("port-out") attacks
  • Combine a VPN with a manually configured DNS resolver (for example Cloudflare's https://1.1.1.1/ service)
  • Learn to inspect code, even if it looks unintelligible at first to the untrained eye
  • Learn to run command-line operations and apps from a terminal window
  • Ask questions, research the answers, and take responsibility for your own due diligence and opinions
  • Question security assumptions and go deeper, layer by layer

Empowering the light web

The problem most internet users face in protecting themselves online is that the cybersecurity tools they could theoretically use are often too complex to run manually, even though they are readily available today (links further below).

Cyber complexity challenges for users:

  • One mistake can make a secure process insecure (for example reusing the same key and nonce/initialization vector to encrypt two different messages, or reusing one salt across many passwords)
  • Less room for error (there is no reset button)
  • Greater attention to detail required
  • Takes time to learn new approaches and methods
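To make the first point concrete, here is an added example (not code from the original article) showing why reusing a key and nonce is fatal for any stream cipher or counter-mode construction. The cipher is a toy built from HMAC-SHA256 in counter mode, chosen so the script runs with Python's standard library alone; the two messages are constructed for the demo, and the same algebra applies to AES-CTR, AES-GCM and ChaCha20 in real systems:

```python
import hmac
import hashlib
import secrets

# Added example, not code from the original article. It builds a toy stream
# cipher from HMAC-SHA256 in counter mode purely to illustrate key/nonce reuse;
# it is NOT a substitute for a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudo-random bytes, block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_reused_nonce(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Attacker's view: two ciphertexts under the same key+nonce, one plaintext known.
    c1 XOR c2 == p1 XOR p2 because the identical keystream cancels out, so
    knowing p1 yields p2 directly, without ever learning the key."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


def demo() -> dict:
    key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    # Constructed sample messages for the demonstration (same length, 32 bytes).
    p1 = b"Transfer 100 USD to account 1111"
    p2 = b"Transfer 999 USD to account 2222"

    # The mistake: both messages encrypted under the same key AND the same nonce.
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)
    leaked_p2 = recover_with_reused_nonce(c1, c2, p1)

    # The fix: a fresh nonce per message; the XOR trick then yields only noise.
    c2_fresh = encrypt(key, secrets.token_bytes(12), p2)
    not_leaked = recover_with_reused_nonce(c1, c2_fresh, p1)

    return {
        "roundtrip_ok": encrypt(key, nonce, c1) == p1,
        "leaked_p2": leaked_p2,
        "attack_fails_with_fresh_nonce": not_leaked != p2,
    }


if __name__ == "__main__":
    result = demo()
    print("decrypts correctly:", result["roundtrip_ok"])
    print("recovered second message from nonce reuse:", result["leaked_p2"])
    print("fresh nonce defeats the attack:", result["attack_fails_with_fresh_nonce"])
```

With the same keystream applied twice, XORing the two ciphertexts cancels the keystream and leaves p1 XOR p2; one known plaintext (or plain crib-dragging on likely words) then reveals the other. A fresh, never-repeated nonce per message is the only defence, which is why real protocols either count nonces deterministically or use random nonces with strict limits on the number of messages per key.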

Expected security assumptions in terms of bits

Cryptographic primitives change over time: they are used for as long as they are perceived to be safe, and retired once they are no longer secure. Ahead of that point (when old methods are no longer secure enough relative to the risks), new methods are brought in to replace the old primitives.

[Figure: a Pedersen commitment scheme, one such cryptographic primitive]

Cryptographic security is usually measured in bits, which may refer to the length of a key and/or the size of the space the key was randomly chosen from (a 128-bit key chosen uniformly from the 2^128 possible values forces an attacker to try 2^127 guesses on average).

Opinion: any pseudo-random number generator is only as secure as the entropy it gathers from its various input sources each time it runs (as outlined in the W3C Web Cryptography API referenced later in this post).

A cryptographically secure process implies that the underlying primitives, and the way the application composes them, have been widely tested and relied upon as an industry standard.


Tweet from @ZenGo:

"GG18 threshold ECDSA just got real, KZen style! run it in your network with any parameters. First ever open source threshold ECDSA. Here's a demo. https://t.co/418Kh7BLmT cc: @sgoldfed , @rgennaro67 https://t.co/MfP9a9g4Sc"

— @ZenGo


Meanwhile, newly introduced proposals (for example a recent blind-signature construction by Boneh et al.) may still be in peer review, still going through such testing, and not yet adopted.

Here is an example of a diagram/flowchart showing the schematics of BIP-39, in this case feeding an Ed25519 key. Cryptocurrency wallets that implement this process to create human-readable keys (mnemonic words) usually end up with 256 bits of entropy in a 24-word phrase (or 128 bits in a 12-word phrase); the remaining bits of the phrase are a checksum, deterministically derived from the SHA-256 hash of the entropy, and add no security.
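As an added worked example (not from the original article or any wallet's code), the following script implements the entropy-to-checksum-to-word-index step of BIP-39 with Python's standard library. The 2048-word list is omitted, so it produces 11-bit indices rather than words; a real wallet maps each index to the corresponding word in the list:

```python
import hashlib
import secrets

# Added example, not code from the original article. It implements the
# entropy -> checksum -> word-index step of BIP-39 (the wordlist lookup is
# omitted, so it yields indices 0..2047 rather than the words themselves).

WORDLIST_SIZE = 2048  # BIP-39 words are selected by an 11-bit index (2**11)


def mnemonic_indices(entropy: bytes) -> list:
    """Split entropy || checksum into 11-bit word indices, as BIP-39 specifies.
    Checksum length is ENT/32 bits, taken from the top of SHA-256(entropy)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP-39 entropy must be 128, 160, 192, 224 or 256 bits")
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    # Integer view of the entropy followed by the first cs_bits of the hash.
    combined = (int.from_bytes(entropy, "big") << cs_bits) | (digest[0] >> (8 - cs_bits))
    total_bits = ent_bits + cs_bits          # always a multiple of 11
    n_words = total_bits // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def verify_indices(indices: list) -> bool:
    """Recompute the checksum from the indices; rejects a mistyped or altered phrase."""
    n_words = len(indices)
    total_bits = n_words * 11
    cs_bits = total_bits // 33              # ENT = 32*CS, so ENT + CS = 33*CS
    ent_bits = total_bits - cs_bits
    combined = 0
    for idx in indices:
        if not 0 <= idx < WORDLIST_SIZE:
            return False
        combined = (combined << 11) | idx
    checksum = combined & ((1 << cs_bits) - 1)
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return checksum == expected


def security_bits(n_words: int) -> int:
    """Entropy actually contributed by an n-word phrase (checksum bits excluded)."""
    return n_words * 11 - (n_words * 11) // 33


if __name__ == "__main__":
    for n in (16, 32):                      # 128-bit and 256-bit entropy
        ent = secrets.token_bytes(n)        # must come from a CSPRNG, never random()
        idx = mnemonic_indices(ent)
        print(f"{n * 8}-bit entropy -> {len(idx)} words, "
              f"{security_bits(len(idx))} bits of security, checksum ok: {verify_indices(idx)}")
```

The checksum is only the top ENT/32 bits of SHA-256(entropy), so a 12-word phrase carries 128 bits of entropy plus 4 checksum bits, and a 24-word phrase 256 plus 8. The checksum catches a mistyped word but contributes nothing against guessing, which is why `security_bits` excludes it, and why the entropy must come from `secrets` (the operating system's CSPRNG) rather than `random`.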

Breaking modern cryptographic primitives

While the cryptographically secure processes we've discussed could (and likely will) be broken in the future, for the present they are believed to remain safe enough. These primitives are tested by, and depended upon by, the cybersecurity community for a reasonable span of time (the next few years, or until they are expected to no longer be secure), given the known theoretical attacks and how feasible each one is. It's a race against time.

Any such security assumption means that the attacks deemed infeasible are still valid risks, just with an extraordinarily low probability, such that they are considered practically impossible. In other words, given the technology and resources an attacker or group could access, if it would take a million years to guess a password with n bits of security, that risk is negligible.

Post-quantum algorithms

Quantum computers change that calculation. Shor's algorithm would break today's public-key schemes (RSA, Diffie-Hellman, ECDSA) outright, and Grover's algorithm roughly halves the effective bit strength of symmetric keys, hashes and password searches, so a secret that was safely out of reach of classical search could become crackable in a practical time, turning a negligible risk into a non-negligible one that no longer meets the bar of "cryptographically secure" and requires immediate change (see also the article on polynomial versus non-deterministic polynomial time, P versus NP, on Wikipedia).

A new suite of quantum-resistant algorithms has been proposed: in January 2019 the National Institute of Standards and Technology (NIST) announced the second-round candidates selected from the submissions to its post-quantum cryptography standardization process.

These forward-thinking preparations give the web, including the major standards bodies, enough time to transition to the next generation of encryption algorithms when the time is right (ideally long before the current ones are broken, using Mosca's theorem to estimate how long that is: if the time needed to migrate plus the time data must stay secret exceeds the time until a sufficiently large quantum computer exists, you are already too late).

Reality check: researchers funded by grants from the US, Switzerland and Russia recently published a paper reporting the reversal of a quantum state's evolution (a "time reversal" of the system's state) using a program run on a quantum computer, as seen in the excerpt below.

These next-generation technologies will be the building blocks for cybersecurity tools that go through rigorous testing by academics and governments globally before being widely adopted and incorporated into standards for everyday use.

Cybersecurity tools remain complex

Running a primitive cryptographic operation manually (a hash function, or an encryption and decryption algorithm) remains a highly technical process even for sophisticated users, often requiring programming-like skills such as running code from the command line.

Here is a snapshot of the hash value of an empty string (""), using three different hash algorithms separately in Python.

[Source: BCAVentures.com]
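The screenshot is not reproduced here, so as an added example (not the article's own snapshot) the script below recomputes those three digests and then puts the "bits of security" idea from earlier into practice by brute-forcing a preimage of a deliberately truncated SHA-256 output. The `find_preimage` helper and its 16-bit target are constructed for the demo:

```python
import hashlib

# Added example, not the article's screenshot. It recomputes the three digests
# of the empty string and then shows what "n bits of security" means by brute
# forcing a preimage of a deliberately truncated SHA-256 output.


def empty_string_digests() -> dict:
    """Hex digests of b"" for MD5, SHA-1 and SHA-256. MD5 and SHA-1 are shown for
    comparison only; both have practical collision attacks and must not be used
    in new designs."""
    return {name: hashlib.new(name, b"").hexdigest() for name in ("md5", "sha1", "sha256")}


def sha256_prefix(data: bytes, nbytes: int) -> bytes:
    """The first nbytes of SHA-256(data); a truncated hash with 8*nbytes bits of security."""
    return hashlib.sha256(data).digest()[:nbytes]


def find_preimage(target_prefix: bytes, max_tries: int = 1 << 24) -> tuple:
    """Search for an input whose SHA-256 starts with target_prefix.
    With a prefix of n bits this takes about 2**n tries on average, which is
    exactly the work an attacker faces against an n-bit security level.
    Returns (input, tries) or (None, tries) if the budget is exhausted."""
    n = len(target_prefix)
    for i in range(max_tries):
        candidate = str(i).encode()
        if sha256_prefix(candidate, n) == target_prefix:
            return candidate, i + 1
    return None, max_tries


def bits_of_security(prefix_bytes: int) -> int:
    return prefix_bytes * 8


if __name__ == "__main__":
    for name, hexd in empty_string_digests().items():
        print(f"{name:6s} {hexd}")
    # A 16-bit target is trivial; every extra byte multiplies the work by 256.
    target = sha256_prefix(b"secret document", 2)
    preimage, tries = find_preimage(target)
    print(f"{bits_of_security(2)}-bit preimage {preimage!r} found after {tries} tries "
          f"(a full 256-bit target would need about 2**255 tries)")
```

A 16-bit target falls in roughly 65,000 attempts on a laptop; each extra byte of target multiplies the work by 256, so the full 256-bit output is out of reach for the same reason a 256-bit key is. MD5 and SHA-1 are included only because the snapshot showed them: both have practical collision attacks and should not be used in new designs.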

Many powerful cryptographic primitives help secure the internet protocols that run the web but are unavailable to the masses in "easy form", forcing them to trust third-party services which implement such primitives behind the scenes on their behalf.

Even more advanced software such as Kali Linux can cause numerous problems and harm if used incorrectly (for instance accidentally DDoSing your own website and getting your IP address blacklisted by your own provider), and is an example of the type of tooling that hackers use offensively.

Yet the same tools are also used by security researchers and hired white-hat hackers for defensive purposes, to audit software and look for vulnerabilities to patch.

Automation happening behind the scenes

I hope by now this picture is becoming more vivid in terms of the processes you can imagine software carrying out behind the scenes, even during everyday tasks such as sending an email or uploading a file to an encrypted service.

As many third parties eventually succumb to some type of data breach or mishandling of consumer data, this in turn can cause financial and physical harm to consumers. Whether or not sensitive personal data and privacy are part of a breach, where there is direct potential for financial harm such as the loss of property or funds, such breaches could in the worst cases even result in the loss of human life.

Below we look at some solutions to begin chipping away at these problems, with the help of open-source software and open systems.

Open source provides transparency first and foremost

The main aspect of open source is not whether the software is free, but whether the underlying code and architecture are visible for its users to examine, and potentially to vet the source code in its entirety.

Compare this open structure with closed-source technology, which rests on blind trust when it comes to any underlying code, which remains hidden from everyone except its creators/owners, and you can see there are pros and cons to each approach.

The range of open-source licenses

Even though there are different types of open-source licenses (see choosealicense.com from GitHub), ranging from less restrictive and more open to more restrictive and less open, in the end they are all open in terms of visibility of the code (which is what matters in the context of this article).

Open-source public repositories, such as code hosted on GitHub, invite collaboration: the public can inspect and contribute corrections, improvements and other feedback that help drive the development process.

Linux has evolved as an open-source operating system where some of its branches (distributions) are vibrant and widely used, while others died off for lack of support or adoption. Below is an example of how open source can evolve, as seen in this timeline of Linux distributions:

[Source: NPU on Reddit]

Other licenses that have yet to be accepted by the Open Source Initiative (OSI), the body that deals with the official "open source" designation, are still open source in my opinion. For me, open means full visibility of the source code, even if the secondary benefits of sharing and use are restricted, as with MongoDB's newest Server Side Public License (SSPL).

Cybersecurity risks with open-source software

While open-source software can be just as susceptible to security bugs and breaches as closed-source or mixed-source software, fully open code allows the transparency needed for proper due diligence.

A recent analysis found that many open-source projects have leaked cryptographic key material, which shows that best practices are needed for handling authentication data: configuration and code should reference the path to a user's SSH key (read at runtime and never committed), rather than containing the actual secret key in the hosted file.
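A practitioner's first line of defence against that mistake is to scan what is about to be committed. The following is an added example (not the analysis cited above, and not any existing scanner's code) of a minimal check that flags private-key blocks, AWS-style access key IDs and high-entropy assigned values while letting a path to a key file pass; its patterns, entropy threshold and sample config lines are constructed for the demo:

```python
import math
import re
from collections import Counter

# Added example, not code from the article or from any named scanner. A minimal
# pre-commit style check for the mistake described above: committed private keys
# and long high-entropy tokens. Patterns and sample lines are constructed here.

PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)(?:secret|password|api[_-]?key|token)\s*[=:]\s*[\"']?([A-Za-z0-9+/=_\-]{16,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, estimated from its character frequencies."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def scan_line(line: str, entropy_threshold: float = 3.5) -> list:
    """Return a list of (finding, matched_text) pairs for one line of a file."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            token = m.group(1) if m.groups() else m.group(0)
            # For key=value hits, only flag values that look random (high entropy);
            # a path such as ~/.ssh/id_ed25519 is the *safe* way to reference a key.
            if name == "assigned_secret" and shannon_entropy(token) < entropy_threshold:
                continue
            findings.append((name, token))
    return findings


def scan_text(text: str) -> list:
    """Scan a whole file's contents; returns (line_number, finding, token) triples."""
    return [(n, f, t) for n, line in enumerate(text.splitlines(), 1) for f, t in scan_line(line)]


# Constructed sample "config file": one safe reference to a key path, three leaks,
# and one weak literal password that the entropy filter deliberately ignores.
SAMPLE = """\
ssh_key_path = ~/.ssh/id_ed25519
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_token = "xK9mQ2pL7vN4rT8wB1cD3fG6hJ0kM5nP"
-----BEGIN OPENSSH PRIVATE KEY-----
db_password = changeme
"""

if __name__ == "__main__":
    for line_no, finding, token in scan_text(SAMPLE):
        print(f"line {line_no}: {finding}: {token[:12]}...")
```

The Shannon-entropy filter is what separates a random API token from an ordinary string, but it also lets a low-entropy secret such as `changeme` through, so pattern-based scanners complement rather than replace keeping secrets out of files in the first place (environment variables, a secrets manager, or a reference to a key path as described above).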

Mozilla recently launched its Firefox Send web app, which lets a user send an encrypted file to anyone else via a link, where the link carries the key that decrypts the file, along with the ability for links to expire and to be shared with one or more recipients.

End-to-end encryption from third-party services

Services that use end-to-end encryption are even under legal pressure in some countries: Australia passed new encryption laws last year (the Assistance and Access Act 2018) under which providers can be compelled to assist authorities in accessing content, and any backdoor built to comply inherently reduces the very security properties such services aim to offer in the first place.

Other countries are funding the development of end-to-end encrypted services, with the European Commission recently awarding a grant of over 1m euro to Swiss-based provider Proton Mail to help fund its bug-bounty offering and crowdsource development of its open-source components (paying developers who improve its code and find or fix bugs).


Tweet from @shatzakis:

"Congrats @ProtonMail on the €2m funding from the @EU_Commission! Q: will the code be open-source on @github? (If so, I'd suggest you consider using bounties on the @GetGitcoin platform to crowdsource developers to work on related tasks): https://t.co/ZOFQCTbr7P"

— @shatzakis

And while open source is transparent (unlike closed-source code), it still requires either the self-reliance to inspect the code yourself or reliance on the trusted third parties who maintain such repositories.

Cybersecurity tools for defense

What should a consumer do if someone must always be trusted? Are there other options?

This is a key question driving my focus when it comes to what consumers need to stay safe online, and the ways they can use cryptographic primitives through easy-to-use cybersecurity tools.

Perfect security will never exist

Just as a clean room is only clean at a given moment in time (a particle of dust might fly in), time introduces decay, in a process known as entropy. The term (and formula) is also used in information theory: Claude Shannon adopted it because his measure of the uncertainty in a message has the same structure as Boltzmann's entropy formula in physics, and it is what we use to quantify the strength of a random string.

Pro tip: you can calculate the entropy of a randomly generated password as log2(possible combinations), i.e. log2(PasswordLibrary^PasswordLength) = overall entropy in bits.

Entropy formula:

  • log2(possible combinations) = overall password entropy
  • RangeOfPossibleCharacters^LengthOfPassword = possible combinations
  • log2(RangeOfPossibleCharacters) = entropy per character
  • entropy per character * LengthOfPassword = overall password entropy (the same figure, since log2(N^L) = L * log2(N))
  • Caveat: this only holds when every character is chosen uniformly at random by a cryptographically secure generator; a human-chosen password has far less entropy than its length suggests
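Applying the formula, here is an added example (not code from the article) that generates passwords with Python's `secrets` module and computes their entropy and expected brute-force time; the 10^12 guesses-per-second rate used for the estimate is an assumption standing in for an offline attack on a fast hash:

```python
import math
import secrets
import string

# Added example, not code from the article. It applies the entropy formula above
# and generates passwords with the `secrets` module, which draws from the OS
# CSPRNG; Python's `random` module is NOT suitable for secrets.

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2(N**L) == L * log2(N): entropy of a password whose L characters are each
    chosen uniformly at random from N symbols. This says nothing about a
    human-chosen password, which is far more predictable than its length suggests."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches target_bits of entropy for the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Each character is an independent, uniform CSPRNG choice, so the formula holds."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password by exhaustive search (half the keyspace)."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        pw = generate_password(length)
        bits = entropy_bits(len(ALPHABET), length)
        # 1e12 guesses/s is an assumed offline-cracking rate against a fast hash.
        print(f"{pw}  {bits:6.1f} bits  ~{years_to_brute_force(bits, 1e12):.3g} years")
    print("length needed for 128 bits from this alphabet:", length_for_bits(len(ALPHABET), 128))
```

The formula is only valid when every character is an independent, uniform draw from a CSPRNG, as `secrets.choice` provides. Human-chosen passwords, or `random.choice` seeded from the clock, have far less entropy than their length implies, so the bits reported here are an upper bound that only a generator like this actually reaches.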

The reason there is no such thing as perfect security is time: as time passes, new methods of penetrating security arise, because security is a process, not a destination. This is also why key sizes continue to increase, as ever more entropy is needed. In the words of many famous cryptographers and cybersecurity thought leaders, let us ponder those words again: "security is a process, not a destination".

Comparing security to hacking old video games

One analogy I like, when I think of how time changes our approach to a given technology, goes back over 20 years. Some Nintendo games were very, very difficult to beat back in the 80s and 90s, and inspired a generation of gamers.

However, nowadays gamers stream at events such as GDQ (Games Done Quick), where they use the most creative methods to hack the game's control commands.

These hacks are possible thanks to ingenious reverse engineering of how the random number generators in the games work, along with how screen state is rendered (things like the frames per second for a given pixel area).

I was mind-blown when I first saw these game-hacking ninjas in action, beating a game in under 5 minutes.

So what does this have to do with cybersecurity? Read on, please.

[Source: YouTube]

The original game designers probably did not expect players to be able to exploit these hacks, but time and lots of trial and error are what led to the world-record run of Super Mario Bros. on the original Nintendo Entertainment System (NES).

For any Millennial or anyone else who played the NES, the following video shows how far we've come thanks to time and to gamers determined to hack these games using novel and creative methods.

It's a real game

Protecting oneself online is becoming like a complex game, only real, where users need to hack (learn) and simplify so they can win and protect their data.

Just as Bitcoin users hope to be sovereign over their own money (with a bearer instrument that is resistant to censorship and unforgeable), users need to learn to be sovereign over their own data first, or risk losing the private keys that control their digital money.

Learning how to be sovereign over your own data

While there are plenty of tools that can be used for offensive purposes (Kali Linux, for instance, and the illegal tooling traded on the dark web that can cause financial harm or other irreparable damage), there is an opposite force to counter these threats in the form of many open-source cybersecurity tools that consumers can use to defend themselves.

There are also good tips and resources from StaySafeOnline.org (https://twitter.com/StaySafeOnline), run by the National Cyber Security Alliance (NCSA), a non-profit, and from the Cybersecurity and Infrastructure Security Agency (CISA), an agency within the Department of Homeland Security (DHS).

The Electronic Frontier Foundation (EFF) is another great resource and a major voice advocating for consumer rights on the internet.

I've used some of the EFF's browser plugins from time to time, including Privacy Badger and HTTPS Everywhere, which are great tools.

However, the permissions these extensions require mean that you still have to trust them as third parties with your data (that is, trust a third party to protect you against other third parties).

Dependencies that have dependencies

The same trust dilemma exists in source code when it comes to the third-party dependencies that developers rely on, and the dependencies of those dependencies. Below is an example of a vulnerability detected by npm, the package manager for the JavaScript ecosystem, in one such dependency.

[Figure: a moderate-severity vulnerability reported after running npm, patched in version 2.3.1]
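To see what "dependencies of dependencies" looks like in practice, here is an added example (not the npm output shown above, nor npm's own code) that flattens a package-lock.json v1 style tree, lists the transitive packages a project never asked for directly, and checks them against an advisory list; the lock file, package names and advisory are all constructed for the demo:

```python
import json

# Added example, not the article's npm output. It walks a package-lock.json v1
# style "dependencies" tree (nested, as npm 5/6 wrote it) to list every package
# a project pulls in transitively, then matches those against a constructed
# advisory list. The lock file and advisories below are made up for the demo.

LOCK_JSON = json.dumps({
    "name": "my-app",
    "dependencies": {
        "web-framework": {
            "version": "4.1.0",
            "dependencies": {
                "http-parser": {"version": "1.7.2"},
                "query-parser": {
                    "version": "2.2.0",
                    "dependencies": {"deep-merge": {"version": "2.3.0"}},
                },
            },
        },
        "test-runner": {"version": "6.0.1", "dev": True},
    },
})

# Constructed advisories: package -> (first patched version, severity).
ADVISORIES = {"deep-merge": ("2.3.1", "moderate")}


def walk_dependencies(deps: dict, path: tuple = ()) -> list:
    """Flatten the nested tree into (name, version, path-from-root, is_dev) tuples."""
    found = []
    for name, meta in deps.items():
        chain = path + (name,)
        found.append((name, meta["version"], chain, bool(meta.get("dev", False))))
        found.extend(walk_dependencies(meta.get("dependencies", {}), chain))
    return found


def all_packages(lock_json: str) -> list:
    """Every package the lock file pins, direct and transitive."""
    return walk_dependencies(json.loads(lock_json).get("dependencies", {}))


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def audit(lock_json: str, advisories: dict) -> list:
    """Return [(name, version, severity, patched_in, chain)] for vulnerable packages."""
    hits = []
    for name, version, chain, _dev in all_packages(lock_json):
        if name in advisories:
            patched_in, severity = advisories[name]
            if version_tuple(version) < version_tuple(patched_in):
                hits.append((name, version, severity, patched_in, " > ".join(chain)))
    return hits


if __name__ == "__main__":
    packages = all_packages(LOCK_JSON)
    transitive = sum(1 for p in packages if len(p[2]) > 1)
    print(f"{len(packages)} packages in total, {transitive} of them transitive "
          f"(not listed in package.json)")
    for name, version, severity, patched_in, chain in audit(LOCK_JSON, ADVISORIES):
        print(f"{severity}: {name}@{version} (patched in {patched_in}) via {chain}")
```

Of the five packages in the sample, three are transitive and appear nowhere in the project's own manifest; the vulnerable one sits two levels down. That is the trust chain the paragraph describes, and it is why `npm audit`, or the equivalent for your ecosystem, belongs in CI rather than being run by hand once.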

Evolving Standards on theĀ Web

The International Standards Organization (ISO) which is working on a few related cryptography standards (i.e. The 27000 series) including for blockchain and cybersecurity, and there is ISOC, ISACA, COBIT and the ITU Telecommunication Standardization Sector (ITU-T), and the Center for Internet SecurityĀ (CIS).

Other institutions such as the WorldWide Web Consortium (W3C) have a cryptography API (note: I am a contributor on Github to the W3C Crypto repository šŸ¤“).


Trusted primitives such as `crypto.getRandomValues` in the browser (the counterpart of Python's `secrets` module, or of reading from `/dev/urandom` on Linux) are depended on by countless internet applications to obtain unpredictable random bytes from the operating system's cryptographically secure random number generator, which is itself seeded from hardware and system entropy. Those bytes become keys, nonces and session tokens (e.g. 256-bit keys), and the security of everything built on them rests on the assumption that nobody else can predict or reproduce them. 🙀

These technicalities could put the average consumer to sleep 😴 💤, and one need not understand the inner workings of hash functions or random number generators (unless curious, or pursuing higher education), but rather how they tie into the bigger cybersecurity picture. 🖼

In other words, lots of people trust that these processes are cryptographically secure, because if someone could feasibly predict or reproduce that randomness, the security assumptions would be broken and users' data put at risk.


Trust cannot yet be eliminated from software

Some degree of trust is required at all levels, and that unit of trust becomes a commodity that is often squandered on the internet by users who give out too much of it, too freely (and then fall victim to breaches).

Until we [perhaps] have a trustless internet one day, with trustless applications, there are still huge opportunities now for consumers to minimize the amount of trust they are forced to accept, and to reduce the risks and the attack surface of their digital footprint.

Here are examples:

  • ā˜‘ļø Learn how to use cryptographic primitives (encryption algorithms & hash functions)
  • ā˜‘ļø Generate random cryptographically-secure passwords of various lengths/strength
  • ā˜‘ļø Opt for simpler tools where the entire code can be inspected in a singleĀ file
  • ā˜‘ļø ļøLearn to use devices in cold storage environments (i.e. old laptop with wifi disabled) šŸ““

Practice, practice, practice... makes things easier

I want to shift the discussion towards the light web and how consumers will potentially behave in a world where self-reliance becomes a necessity to protect oneself online, as data breaches continue and trust in third parties is eroded.

āš”ļø āš”ļøāš”ļø I host a few such open-source cybersecurity tools like the Advanced Encryption Standard (AES) algorithm, available as a tool that can be used manually.āš”ļøāš”ļøāš”ļø

Source: https://bcaventures.com/AES.html

āš”ļø AES is an encryption algorithm (often using 128-bit or 256-bit keys) that is widely used on the internet behind the scenes in automated services that consumers trust everyĀ day.āš”ļø

However, the average user has probably never run AES manually, as doing so otherwise remains complex.

The version of the tool I host works on a standalone basis even when not connected to the internet, and allows users to encrypt and decrypt their data locally and securely (if used properly: with browser plugins disabled and in an offline environment).

The beauty of this version of the AES app I host is that all of the code is contained in one file, like other standalone tools. Such a file can be inspected by a user more easily than a typical application made up of numerous (perhaps dozens or hundreds of) source files and folders. Inspecting it only helps, of course, if the copy you run is the copy you inspected, so compare the file's hash against the one you reviewed before each use.


Other advanced tools for learning, experiments and real usage

Another such tool we host on BCAVentures.com is the Shamir Secret Sharing Scheme tool, which can be seen below, where the secret string "This whole sentence is an example of a secret pasted into this tool." is split into 3 shares, any 2 of which are needed to reconstruct the original plaintext secret message.

Source: BCAventures.com

The Shamir Secret Sharing tool allows a plaintext secret (e.g. a personal document, password, or other private data to back up) to be split into a chosen number of shares, where a minimum number of those shares (the threshold) is needed to reconstruct the original data. Unlike encryption there is no separate key to protect: any set of shares below the threshold reveals nothing about the secret, so the shares can be stored in different places (a safe, a relative, a lawyer) without any one location holding the whole thing.

In the screenshot above, a 2-of-3 threshold is chosen: each of the three shares looks like random data, and any two of them, combined and pasted back into the tool, unlock the original data (a single share on its own reveals nothing).

Below is an example of pasting at least two of the three shares back into the 'combine' field, where the original secret is revealed just below in dark shaded, highlighted text:

Source: BCAVentures.com

While many of these tools remain too difficult for the average user, I expect that will change.

Consumers are being compelled to become more self-reliant as the value of their data increases, along with the growing risks and the changing threat landscape on the web.


Advanced cybersecurity tools (including open public blockchain networks) that allow time-stamping, to prove provenance or verify that a particular document existed at some point in time, are another use case (such as for a legal agreement or a will, etc.).

Hashing a document and recording the hash publicly as a digital fingerprint, which reveals nothing about the contents yet lets anyone who later holds the original prove it matches, will not only help empower users but usher in a new paradigm of services and solutions from next-generation companies.


It is still early, as the average user doesn't know how to hash a file without using a third-party service, which is why I believe it is best to learn to do it from the command line yourself, while looking at the source code to see what is "under the hood."

Tip: Something as simple as having a spell-checker plugin enabled can introduce a risk of data leaking (a browser spell checker may send what you type to a remote service), which is why these tools are designed to work offline on a standalone basis, ideally in a cold (air-gapped) environment.

Wow moment, we are almost there 🔜

The goal is to help empower users with such tools, for example through the efforts BCA Ventures is pursuing, by wrapping open-source applications in an easy-to-access platform that will "wow" them with powerful cybersecurity tools (not there yet).

Here is a free 'wow' in the meantime:

source: medium.com

Take Action

If you liked this article and its purpose, please give it one or many claps 👏 on Medium.com and in the Hackernoon.com community to help spread this important message, by clicking on the plus sign ➕ over the 👏 icon!

Thank you ~

Note: Steven Hatzakis is the founder of BCA Ventures Inc., an early-stage cybersecurity R&D hub. Please follow our new handle on Twitter.com/chainadvisors and on Medium.com/chainadvisors (@chainadvisors) and contact us to learn more.