The Future of Staying Safe Online Now

A movement towards more self-reliant technology consumers by Steven Hatzakis

🌐 👭👫👬

This article explores why consumers will inevitably seek to become more self-reliant 💪 when protecting themselves against cybersecurity risks, to help bring light to our darkened web.

Source: Steven Hatzakis art, celestial constellation map of north polar projection

Given the increasing threats faced on the world wide web, 😇 online web users and their 💻 devices are increasingly at risk. Bad actors lurk in the dark web 👿 intending to cause harm and have access to powerful tools 🛠.

While such tools can be used offensively as weapons to cause harm by bad actors, consumers have new choices and ways to stay safer ⚡️.

Photo source: Unsplash

This article journeys toward a destination where consumers can arm themselves with information and powerful tools, learning along the way [Skip to the end for the tools or read along below for the ride]. 🍿

Article high-level themes 🐶

• ✅ A snapshot of modern web challenges
• ✅ Risks and changing threat landscape
• ✅ How consumers can better protect themselves online
• ✅ Accessing powerful albeit complex cybersecurity tools
• ❗️ Not meant to be a complete guide but rather to increase awareness

The internet is not becoming safer, it’s getting worse ⚠️

We’ve come a long way since the first internet browser. In March 2019 which marked thirty years after the internet’s creation, Tim Berners-Lee, the original founder of the worldwide web, raised concerns about the dark side of the web.

Source: Unsplash

The web remains a dangerous place that literally steals the brightness from the light web where people try to remain safe and where businesses continue to fail to protect those same consumers.

Below is a recent message from Sir Tim Berners-Lee:

[Also see: https://cdn.theguardian.tv/mainwebsite/2015/02/19/150119TIMBERNERSLEE01BEGINNINGSREEXv3_FromGLabs-16x9.mp4]

A recent report by ENISA published in January 2019, shows that web-based attacks are increasing, with nearly half targeted at US-based IP addresses.

Source: ENISA

The ENISA report highlighted that other attacks are also on the rise despite a decline in spam.

Domain fronting remains another major risk, as outlined in the most recent annual RSA conference:

The threat landscape has changed with new attack vectors including malvertising, crypto-jacking, ransomware, and many other threats to internet users, including the Distributed Denial of Service (DDoS) attacks that can take entire web services offline.

Source: ENISA, using 2018 data

Symptoms of a larger problem, the web has a disease ⛔️

Just a few days ago while writing this section of the article, I read a headline that WhatsApp’s original co-founder, Brian Acton, who sold his company to Facebook for $18b, is again urging consumers to delete all related Facebook applications. (note: his encrypted messaging app Signal is a competitor)

Photo source: Unsplash

Mark Zuckerberg had just announced plans for Facebook to pivot to a more privacy-focused offering, yet barely a few days after Facebook announced it failed to properly secure millions of its user’s passwords. Facebook failed to properly secure those passwords in their database, as those plaintext secrets where found not to be encrypted when they should have. 😲

Even if a strong password was chosen, they weren’t protected properly (as Forbes also explains here) due to the negligent absence of encryption. 🛂

Given the number of breaches that continue to hit the mainstream media (and potentially countless more yet to be announced or detected), users’ trust has been continually eroded. 😞

Photo source: Unsplash

Many trusted platforms have been subject to repeated data breaches which have become the new “normal” and leading to greater distrust of a company’s ability to guarantee security for consumers. Perhaps consumers are too reliant. 😉

Observations:

• Technology giants may be losing their grasp on loyal consumers as trust erodes from privacy/security breaches
• Consumers are still utterly reliant on services like Google, Google Cloud/ Amazon / AWS, or payments providers (Visa, PayPal Engineering, etc..) and major banks
• Lack of educational resources and cyber tools may it harder for consumers to protect themselves without overly relying on 3rd parties

The modern corporation, and future collective/cooperative

Capital markets are vital for economic prosperity, yet shareholder incentives must be aligned with the incentives of end users.

Source: Unsplash

Such an alignment of interest is needed so both benefit and not one at the other’s expense (a challenge that open public blockchains are trying to figure out with experimental governance and incentive models using cryptography and creative blockchain technology recipes).

Engineering Challenges:

• Game theory and economic incentives 🎮 💰
• Governance models that prioritize security and fairness 🏦 👩‍⚖ 👨‍⚖
• Regulatory compliance and accommodating laws/jurisdictions 📚 👮

The founder’s dilemma, a governance/incentive problem

The issue at hand is a founder’s dilemma that is manifesting itself at large scale across the global economy.

The breaches at the largest technology conglomerates are causing shockwaves that are rippling into (legal and regulatory) debates and actions across various governments.

Founder’s Dilemma:

• Aligning interests of shareholders with the interests of consumers
• Effects of the business on society 🌎 ♻️

The cause of all these breaches in nearly all cases comes down to some form of human error (from one or more humans, and one or more errors).

Photo source: Unsplash

Many free/freemium services are not entirely free 🚫 🆓

There are many such services that appear free to users but comes at some cost (i.e. a ‘free’ google search), as the clues and data left behind by users are of great value when re-sold to advertisers, marketers, researchers, and State actors.

Data is valuable but users don’t have a way to directly unlock that value.

Freemium Takeaway:

• Many free services are not entirely free
• Value is extracted but not always directly shared with users
• Users don’t have many options and are forced to trust services

Source: Unsplash

Cybersecurity is a promising sector 🕵️‍♀️ 🕵 📈

Just as defense becomes a more valuable sector in times of war, cybersecurity is becoming a valuable sector.

In recent years the cyber sector has branched out further to encompass additional electronic and digital commerce industries where cryptographic security has become a necessity to safeguard market participants.

In 2018, over $1.8b was raised for cybersecurity startups, according to data from CB Insights 📊.

Analogies of monetizing data to monetizing money 💲 🏦

Ideally, some of the value captured from consumer data within an industry like social media should go back to consumers who would be compensated for their data.

This need to compensate users for their data is analogous to what an account holder expects in terms of earning interest from within a checking account even as the bank re-hypothecates those funds for use elsewhere.

Fintech Service Providers:

• Compensate users more, not just shareholders
• Create public utilities that are open (open-source)
• Encourage self-reliance and set those expectations in terms & conditions

How to fix the problem: you are the solution 🆘

Comparable to banking (but worse) much of the modern web is so highly inefficient that it is as good as broken and change is needed at the infrastructure level.

Even if the value is captured at the protocol level and shared with the public (compared to the application layer), it does no good if users cannot be more self-sovereign over their data. For example, matters like the self-custody of digital assets or other plain-text secrets relating to privacy/security and personal data should be controlled by their respective owners in an ideal world (i.e. power to the people). ⚡️

Photo source: Unsplash

My point is that there is an opportunity for change and to fix things, but it’s the end user [you] that needs to regain power as companies alone cannot be expected to be our guardians, which is why I think greater self-reliance is inevitable for the greater-good and safeguarding users on the web.

Until then we remain helplessly reliant on many services and at the mercy of the cybersecurity risks, yet we can act to reduce those risks and regain defensive power to deter the growing array of threats online including phishing (i.e. typosquatting from bogus emails, sites, and program executable files that appear genuine).

Actionable Steps:

• Consumer education will help empower change
• Software changes in UI/UX design leading to new tools and experiences
• Defend against cybersquatting/phishing (i.e. here is a quiz from Google)

Photo source: Unsplash

Using cybersecurity tools, the good 😃 and the bad 💩

While plenty of tools exist on the dark web and that are often used offensively by bad actors to do harm to others, consumers literally remain in the dark, as they do not have access to equally powerful tools that could be used for defensive purposes, unless they rely on third parties.

Examples of Cybersecurity Tools and limitations:

• Kali Linux and penetration testing software (can cause damage if misused)
• Vulnerable Password managers (can expose password)
• Privacy hoarding VPNs (may not protect privacy)
• Leaky Firewalls (may not prevent hackers)
• Bug-prone end-to-end encrypted services (may not protect data)

Breaches 👎 and the need to reduce the ‘quantity’ of trust 👍

The problem is that third parties are subject to breaches, as we’ve discussed, where consumers end up becoming the victim.

Photo source: Unsplash

There must be ways that consumers can take greater responsibility to protect themselves, and that is what I am writing about here, including tools that are available albeit remain mostly complex and hard to access without relying on trusted third-parties.

Again, my goal is to help users minimize the trust they expend, not eliminate it completely (not yet), as some level of trust is always needed at some level.

The building blocks of cybersecurity ➕ ✖️ ➗ ➖

Consumers remain largely unsafe against hackers or data compromises due to data privacy leaks and a growing landscape of cybersecurity risks, thus empowering consumers directly seems like a logical next step as we enter deeper into a greater need for cybersecurity. Below we examine various cryptographic primitives available today.

Building blocks of cybersecurity applications:

• Randon-Number Generators 🎲
• Hash Functions #️⃣
• Encryption/Decryption Ciphers & Algorithms 🔐㊙️ 🔓
• Zero-Knowledge Proofs 👽

Photo source: Unsplash

Research Questions ❓❓❓

What does the road ahead look like for consumers when it comes to cybersecurity? And what can consumers do to protect themselves without the need to be as reliant on others and instead be more self-reliant on their own defenses against these risks?

These are the types of questions I think about and which lead me to the inevitable conclusion of an upcoming trend of 👉 self-reliant and empowered internet users 👊which we discuss below in ways to shine some light on the web.

Examples are not meant to be exhaustive:

• 📱Use of Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) (but be sure to backup recovery key before syncing)
• ✉️ Securing any secondary email addresses listed as recovery addresses on main email accounts
• 📪 Disabling Two-Step Verification (2SV) for any security-dependent services to reduce SIM port hacking risks
• Combine the use of a VPN along with manually setting DNS (i.e. Cloudflare’s https://1.1.1.1/ service)
• 🔎Learn to inspect code even if it looks unintelligible to the untrained user
• 🖥 Learn to run command line operations and apps from a terminal window
• ❓Ask questions and research answers and be responsible for your own due diligence/opinion
• ❓Question security assumptions and go deeper layer by layer

Photo source: Unsplash

Empowering the light web ☀️ 👥

The problem most internet users face in protecting themselves online is that the cybersecurity tools that consumers could theoretically use to protect themselves are often too complex to run manually, even though they are readily available today (links further below).

Cyber complexity challenges for users:

• One mistake can make a secure process insecure (i.e. reusing the same salt/key and initialization vector to encrypt different messages).
• Less room for error (i.e. no reset button)
• Greater attention to detail required
• Takes time to learn new approaches/methods

Photo source: Unsplash

Expected security assumptions in terms of bits 🔬

Cryptographic primitives will change over time, as they will be used so long as they are perceived to be safe and up until they are no longer secure. In advance of that convergence point (when old methods are no longer as secure relative to the risks), new methods are used to replace the old primitives ones.

Source: Pedersen cryptography (commitment scheme cryptographic primitive)

Cryptographic Security is usually measured in binary bits, which may refer to the length of a key and/or the range of possible numbers that the key was randomly chosen from (i.e. a 128-bit binary number chosen from a range of 2¹²⁸ possible 128-bit numbers).

Opinion: Any Psudeo-Random Number Generator is only as secure the various entropy inputs it gathers from various input sources, each time the generator runs (such as is outlined in the W3C Crypto API referenced in this post).

Cryptographically secure processes imply that the underlying primitives and method of construction of the processes used by an application has ideally been widely tested and relied upon as an industry standard.

body[data-twttr-rendered="true"] {background-color: transparent;}.twitter-tweet {margin: auto !important;}

GG18 threshold ECDSA just got real, KZen style! run it in your network with any parameters. First ever open source threshold ECDSA 🎉 Here's a demo. https://t.co/418Kh7BLmT cc: @sgoldfed , @rgennaro67 https://t.co/MfP9a9g4Sc

— @ZenGo

function notifyResize(height) {height = height ? height : document.documentElement.offsetHeight; var resized = false; if (window.donkey && donkey.resize) {donkey.resize(height); resized = true;}if (parent && parent._resizeIframe) {var obj = {iframe: window.frameElement, height: height}; parent._resizeIframe(obj); resized = true;}if (window.location && window.location.hash === "#amp=1" && window.parent && window.parent.postMessage) {window.parent.postMessage({sentinel: "amp", type: "embed-size", height: height}, "*");}if (window.webkit && window.webkit.messageHandlers && window.webkit.messageHandlers.resize) {window.webkit.messageHandlers.resize.postMessage(height); resized = true;}return resized;}twttr.events.bind('rendered', function (event) {notifyResize();}); twttr.events.bind('resize', function (event) {notifyResize();});if (parent && parent._resizeIframe) {var maxWidth = parseInt(window.frameElement.getAttribute("width")); if ( 500 < maxWidth) {window.frameElement.setAttribute("width", "500");}}

Meanwhile, newly introduced proposals (i.e. blind signatures, by Boneh et al) may still be under the peer-review period and going through such testing and not yet adopted.

Here is an example of a diagram/flowchart showing the schematics of BIP-39 for Curve Ed-25519. Cryptocurrency wallets that implement this process to create human-readable keys (mnemonic words), will usually result in 256-bits of security in the resulting 24–words (or 128 bits for 12-word key phrases), excluding the checksum bits which are deterministic (hash-derived).

Breaking modern cryptographic primitives 🔨 💔

While the cryptographically secure processes we’ve discussed could (and likely may) be broken in the future, for the present moment they are believed to remain safe enough. These primitives are tested by and depended upon by the cybersecurity community for a reasonable amount of time (i.e. the next few years or until they are expected to no longer be secure), given the number of known theoretical attack vectors that are feasible. It’s a race against time.

Photo source: Unsplash

Any such security assumption means the attack vectors that are infeasible are valid risks that just have an extraordinarily low probability such that they are considered near impossible/improbable. In other words, given the available technology and resources that an attacker or group could access, if it would take 1 million years to guess a password of with n bits of security, that becomes a negligible risk.

🔜 Post-Quantum Algorithms 🚧 📐

Quantum computers could potentially crack such a password (see Polynomial versus Non-deterministic Polynomial time on Wikipedia) perhaps in minutes or days, turning the risk into a non-negligible one that would no longer provide the security needed to remain cryptographically secure and require immediate change.

A new suite of Quantum-resistant algorithms has been proposed as part of a second-round selection following submissions to the National Institute of Standards (NIST).

These forward-thinking preparations enable the worldwide web including major standard’s bodies to have enough time to transition to the next-generation of encryption algorithms when the time is right (ideally long before the currently used ones are broken, and using the Mosca Theorem to estimate how long).

Reality check: Reseachers who were funded by grants from the US, Switzerland and Russia, recently announced a paper proving the ability to reverse time or reverse-enginner data (rewind states) through the use of a quantum computer program design, as seen in the excerpt below.

These next-generation technologies will be the building blocks for cybersecurity tools which go through rigorous testing by academics and governments globally before being widely adopted and incorporated into standards for everyday use by the masses. 🔮

Cybersecurity tools remain complex 🔠 🔣 🔢

Running a primitive cryptographic application manually (i.e. hash functions, or encryption and decryption algorithms) remains a highly technical process even for sophisticated users, often requiring programming-like skills such as running code on a command-line level.

Here is a snapshot of what the hash value is for an empty string (“”), using three hash different algorithms separately in Python.

Source: BCAVentures.com

Many powerful cryptographic primitives help secure the internet protocols that run the web but are unavailable to the masses in “easy form”, forcing them to trust related third-party services who implement such services — behind the scenes — on their behalf.

Even more advanced software such as Kali Linux can cause numerous problems and harm if used incorrectly (i.e. accidentally DDoS’ing your own website and getting your IP blacklisted from your own provider) and is an example of the type of tools that hackers use offensively.

Yet, the same tools are also used by security researchers and hired white-hat hackers for defensive purposes to audit software and look for vulnerabilities to patch.

Photo source: Unsplash

Automation happening behind the scenes 🎪

I hope by now this picture is becoming more vivid, in terms of the processes that you could imagine are happening behind the scenes by software, even during normal processes such as sending an email or uploading a file to an encrypted service.

As many third parties eventually succumb to some type of 📁 data breach or mishandling of consumer data, this, in turn, can cause financial and physical harm to consumers. Whether sensitive personal data and privacy are part of a breach, if there is direct potential financial harm such as loss of property or funds, such breaches could even result in the loss of human life in the worst cases.

Below we will look at some solutions to begin to chip away at solving these problems, with the help of open-source software and open systems.

Photo source: Unsplash

Open-source provides Transparency first and foremost 🔍

The main aspect of open-source is not whether the software is free or not, but whether the underlying language and architecture are visible for its users to examine and potentially vet the source-code in its entirety.

Compare this open structure to closed-source technology which is based on blind-trust when it comes to any underlying code which remains hidden to all except its creators/owners, and you can see there are pros/cons to each approach.

Photo source: Unsplash

The range of open-source licenses ©️ ©️ ®️ ™️ 🚫

Even though there are different types of open-source licenses (see choosealicense.com from GitHub), ranging from less restrictive and more open, to more restrictive and less open, at the end they are all open in terms of visibility of the code (which is what matters in the context of this article).

Open-source public repositories such as code found on sites such as Github invite collaboration as the public can inspect and contribute corrections, improvements and other feedback that can help drive the development process.

Linux has evolved as an open-source operating system where some of its branches (distributions) are vibrant and widely used, while other branches died off due to lack of support/adoption. Below is an example of how open-source can evolve, as seen in this treemap of Linux distributions over time:

source: NPU on Reddit

Other licenses that have yet to be accepted by the Open Source Initiative (OSI) standard’s body that deals with the official “open-source” designation are still open-source in my opinion. For me open means the full visibility of the source code, even if the secondary benefits of sharing and use are restricted, such as MongoDB’s newest Server-Side Public License (SSPL).

Cybersecurity risks with open-source software 🎯 👜

While open-source software can be just as susceptible to security breaches as closed-source or mixed-source software is, making the code fully open allows for transparency to proper due diligence to be conducted.

A recent analysis found that many open-source projects have leaked their cryptographic key data, which shows that best-practices are needed to secure authentication data (i.e. a path to the user's SSH key referenced, as opposed to referencing the actual secret key in the hosted file).

Photo source: Unsplash

Firefox recently launched its Firefox Send web app, which enables a user to send an encrypted file to anyone else via the use of a link, where the link acts as the key to decrypt the file, along with the ability for links to expire and be made available to one or more recipients.

End to End encryption, from 3rd party services 🏪

Services that use end-to-end encryption might even be illegal in certain countries (like in Australia which just passed new encryption laws last year, unless certain backdoors are implemented which inherently reduce the security properties such service try to aim to offer in the first place).

Other countries are funding the development of end-to-end encrypted service, with the European Commission recently awarding a grant of over 1m euro to Swiss-based provider Proton Mail ✉️ to help fund its bug-bounty 🐛offering to crowdsource development of its open-source components (i.e. pay developers who help improve its code and find/fix bugs).

body[data-twttr-rendered="true"] {background-color: transparent;}.twitter-tweet {margin: auto !important;}

Congrats @ProtonMail on the €2m funding from the @EU_Commission! Q: will the code be open-source on @github? (If so, I'd suggest you consider using bounties on the @GetGitcoin platform to crowdsource developers to work on related tasks): https://t.co/ZOFQCTbr7P

— @shatzakis

function notifyResize(height) {height = height ? height : document.documentElement.offsetHeight; var resized = false; if (window.donkey && donkey.resize) {donkey.resize(height); resized = true;}if (parent && parent._resizeIframe) {var obj = {iframe: window.frameElement, height: height}; parent._resizeIframe(obj); resized = true;}if (window.location && window.location.hash === "#amp=1" && window.parent && window.parent.postMessage) {window.parent.postMessage({sentinel: "amp", type: "embed-size", height: height}, "*");}if (window.webkit && window.webkit.messageHandlers && window.webkit.messageHandlers.resize) {window.webkit.messageHandlers.resize.postMessage(height); resized = true;}return resized;}twttr.events.bind('rendered', function (event) {notifyResize();}); twttr.events.bind('resize', function (event) {notifyResize();});if (parent && parent._resizeIframe) {var maxWidth = parseInt(window.frameElement.getAttribute("width")); if ( 500 < maxWidth) {window.frameElement.setAttribute("width", "500");}}

And while open-source is transparent (unlike closed-source code), it still requires either self-reliance to inspect the code yourself or to rely on trusted third-parties who maintain such repositories.

Cybersecurity Tools for Defense 🛡 👓

What should a consumer do if someone must always be trusted, are there other options?

This is a key question that is driving my focus when it comes to what consumers need to stay safe online, and ways they can use cryptographic primitives in easy-to-use cybersecurity tools.

Photo source: Unsplash

Perfect Security will never exist 🔁

Just as a clean room is only clean at that moment in time, as a particle of dust might fly in, time introduces decay in a process known as entropy. This is a term (and formula) also used in computer science that Claude Shannon borrowed from Boltzmann’s equation for entropy in physics, as it shared a similar structure for calculating the strength of a random string, hence entropy applies to information theory.

Pro Tip: You can calculate the entropy of a random password generated by calculating the log2(possible combinations) (i.e. log2(PasswordLibrary^PasswordLength) = overall entropy in bits.)

Entropy Formula:

• Log2(Possible combinations)= overall password entropy
• RangeofPossibleCharacters^LengthofPassword=Possible combinations
• Log2(RangeofPossibleCharacters) = Entropy per character
• Entropy per character * LengthofPassword = overall password entropy

Photo source: Unsplash

The reason there is no such thing as perfect security is because of time, since as time passes, new methods of penetrating security arise because security is a process, not a destination. This is also why key sizes continue to increase as even more entropy is needed. In the words of many famous cryptographers and cybersecurity thought-leaders, let us ponder those words again, “security is a process, not a destination”.

[…security is a process, not a destination.]

Comparing security to hacking old video games 🎮 👾

One analogy I like to compare when I think of how time changes our approach to a given technology is that over 20 years ago. For example, some Nintendo games were very very difficult to beat back in the early 80’s and 90s, and inspired a generation of gamers.

However, nowadays gamers stream at conferences such as GDQ (Games Done Quick) where they use the most creative methods to hack the game control commands.

Photo source: Unsplash

These hacks are possible thanks to their ingenious approaches to reverse engineering how the random number generators work in the games, along with how screen state is recorded (such as with things like ‘frames per second’ for a given pixel area).

I was mind blown when I first saw these game hacking ninjas in action, like beating the game in under 5 minutes.

So what does this have to do with cybersecurity? Read on please.

Source: YouTube

The original game designer probably did not expect users to be able to exploit these hacks, but time and lots of trial-and-error are what helped lead the world record win in Super Mario Brothers on the original Nintendo Entertainment System (NES).

For any Millennial or other age groups who played NES, the following video shows how far we’ve come thanks to time and gamers determined to hack these games using novel and creative methods.

It’s a real game

Protecting oneself online is becoming like a complex game, that is real, and where users need to hack (learn) and simplify so they can win and protect their data.

Just like the argument where Bitcoin users hope to be sovereign over their own money (with a bearer instrument that is resistant to censorship and unforgeable), users need to learn to be sovereign over their own data first — or risk losing the private keys that control their digital money.

Photo source: Unsplash

Learning how to be sovereign over your own data 💪

While there are plenty of tools on the dark web that can be used for offensive purposes (i.e. Kali Linux), including illegal applications that can cause financial harm or other irreparable damage, there exists an opposite force to counter these threats in the form of many open-source cybersecurity tools that can be used by consumers to defend themselves.

📝 There are also good tips and resources from Staysafeonline.org https://twitter.com/StaySafeOnline run by The National Cyber Security Alliance (NCSA) a non-profit, and the Cybersecurity and Infrastructure Security Agency (CISA), a sub-division of the Department of Homeland Security (DHS) 🇺🇸.

The Electronic Frontier Foundation (EFF) is another great resource 🏆 and major voice 📢 that helps advocate for protecting consumers rights on the internet.

I’ve used some of Electronic Frontier Foundation’s browser-plugins from time to time, including Privacy Badger, HTTPS Everywhere, which are great tools.

However, the permissions these applications require means that you still have to trust them as third parties with your data (i.e. trust a 3rd party to protect you against other 3rd parties).

Dependencies that have dependencies 👽

This same ‘trust’ dilemma exists in source code when it comes to third-party dependencies that developers rely on, and the dependencies of those dependencies. Below is an example of vulnerabilities detected in NPM a popular JavaScript programming library.

Moderate vulnerability being detected after running NPM, patched in version 2.3.1

Evolving Standards on the Web

The International Standards Organization (ISO) which is working on a few related cryptography standards (i.e. The 27000 series) including for blockchain and cybersecurity, and there is ISOC, ISACA, COBIT and the ITU Telecommunication Standardization Sector (ITU-T), and the Center for Internet Security (CIS).

Other institutions such as the WorldWide Web Consortium (W3C) have a cryptography API (note: I am a contributor on Github to the W3C Crypto repository 🤓).

Photo source: Unsplash

Trusted commands such as `getRandomValues`(which is the equivalent of using the `secrets` library in Python or the `Dev(Random)` command on Linux terminal) is depended on by countless internet applications to source secure-enough entropy (i.e. entropy that pre-image resistant) to seed a pseudo-random number generator that is cryptographically secure in terms of bits (i.e. 256-bit numbers). 🙀

These technicalities could put the average consumer to sleep 😴 💤, but one need not understand the inner workings of hash functions (unless curious, or pursuing higher education) but rather how they tie into the bigger cybersecurity picture. 🖼

In other words, lots of people trust that these processes are cryptographically-secure because if someone could feasibly re-create that entropy (pre-image) that would break the security assumptions and put users data at risk.

Photo source: Unsplash

Trust cannot yet be eliminated from software

Some degree of Trust is required at all levels, and that unit of trust becomes a commodity that is often squandered on the internet by users who give out too much of it and too freely (and then fall victim to breaches).

Until we [perhaps] have a trustless internet one day, with trustless applications, there are still huge opportunities now for consumers to minimize the amount of trust they are forced to have/accept, and to reduce the risks and attack surface of their digital footprint.

Here are examples:

• ☑️ Learn how to use cryptographic primitives (encryption algorithms & hash functions)
• ☑️ Generate random cryptographically-secure passwords of various lengths/strength
• ☑️ Opt for simpler tools where the entire code can be inspected in a single file
• ☑️ ️Learn to use devices in cold storage environments (i.e. old laptop with wifi disabled) 📴

Practice, practice, practice..makes things easier

I want to shift the discussion towards the light web and how consumers will potentially behave in a world where self-reliance becomes as a necessity to protect oneself online, as more and more data breaches continue and trust in third-parties is eroded.

⚡️ ⚡️⚡️ I host a few such open-source cybersecurity tools like the Advanced Encryption Standard (AES) algorithm, available as a tool that can be used manually.⚡️⚡️⚡️

Source: https://bcaventures.com/AES.html

⚡️ AES is an encryption algorithm (often using 128-bit or 256-bit keys) that is widely used on the internet behind the scenes in automated services that consumers trust every day.⚡️

However, the average user has probably never run AES manually as it otherwise remains complex.

The version of the tool I host works on a standalone basis even when not connected to the internet and allows users to encrypt and decrypt their data locally and securely (if used properly and with plugins disabled and in an offline environment).

The beauty of this version of the AES app I host is that all of the code is contained in one file, like other standalone tools. This file can be inspected by a user more easily than a typical application that contains numerous (perhaps dozens or hundreds) of source code files and folders.

Photo source: Unsplash

Other advanced tools for learning/experiments and real usage

Another such tool we host on BCAVentures.com is the Shamir Secret Sharing Scheme tool, which can be seen below where the secret string “This whole sentence is an example of a secret pasted into this tool.” becomes encrypted into 3 shares (ciphertext/keys) where at least 2 of the 3 shares are needed to reconstruct (decrypt) back to the original plaintext secret message.

Source: BCAventures.com

The Shamir Secret Sharing tool allows a plain text secret (i.e. personal document, password, or other personal/private data to back up) to be encrypted into a chosen number of shares where a minimum number of those shares are needed to decrypt back to the original data.

In the screenshot above, a 2-of-3 ratio is chosen, where each of the five shares becomes the ciphertext/encrypted data, but are also part of the secret key/password needed to decrypt/unlock the data(when at least two of the three are combined and pasted into the tool).

Below is an example of pasting at least two of the three shares back into the ‘combine’ field where the original secret is revealed just below in dark shaded text that is highlighted:

Source: BCAVentures.com

While many of these tools remain too difficult for the average user, I expect that will change.

Consumers are being compelled to become more self-reliant, as the value of their data increases along with the increasing risks we face and new changing threat landscape on the web.

Photo source: Unsplash

Advanced cybersecurity tools (including open public blockchain networks) that allow time-stamping to prove provenance or verify that a particular document existed at some point in time, is another use case (such as for a legal agreement or will, etc..).

Hashing a document where the hash of the document is recorded publicly as a digital fingerprint, will help not only empower users but echelon in a new paradigm of services and solutions from next-generation companies.

Photo source: Unsplash

It is still early as the average user doesn’t know how to hash a file unless using a 3rd party services, which is why I believe it is best to learn to do it from the command line yourself while looking at the source code to see what is “under the hood.”

Tip: Something as simple as having a spell checker plugin enabled can introduce risks for data to leak, which is why these tools are designed to work offline on a standalone basis, ideally in a cold environment (air-gapped).

Wow moment, we are almost there 🔜

The goal is to help empower users with such tools like through efforts that BCA Ventures is pursuing, by wrapping open-source applications within an easy to access platform, that will “wow” them with powerful cybersecurity tools (not there yet).

Here is a free ‘wow’ in the meantime:

source: medium.com

Take Action

If you liked this article and its purpose, please give it one or many claps 👏 on Medium.com and the Hackernoon.com community to help spread this important message by clicking on the plus sign over the 👏 icon with the ➕ sign!

Thank you ~

Note: Steven Hatzakis is the founder of BCA Ventures Inc., an early-stage cybersecurity R&D hub, please follow our new handle on Twitter.com/chainadvisors and on Medium.com/chainadvisors (@chainadvisors) and contact us to learn more.