A movement towards more self-reliant technology consumers by StevenĀ Hatzakis š šš«š¬ This article explores why consumers will inevitably seek to become more self-reliant šŖ when protecting themselves against cybersecurity risks, to help bring light to our darkenedĀ web. Source: Steven Hatzakis art, celestial constellation map of north polar projection Given the increasing threats faced on the world wide web, š online web users and their š» devices are increasingly at risk. Bad actors lurk in the dark web šæ intending to cause harm and have access to powerful toolsĀ š . While such tools can be used offensively as weapons to cause harm by bad actors, consumers have new choices and ways to stay saferĀ ā”ļø. Photo source: Unsplash This article journeys toward a destination where consumers can arm themselves with information and powerful tools, learning along the way [Skip to the end for the tools or read along below for the ride].Ā šæ Article high-level themesĀ š¶ ā A snapshot of modern web challenges ā Risks and changing threat landscape ā How consumers can better protect themselves online ā Accessing powerful albeit complex cybersecurity tools āļø Not meant to be a complete guide but rather to increase awareness ā ļø The internet is not becoming safer, itās getting worse Weāve come a long way since . In March 2019 which marked thirty years after , Tim Berners-Lee, the original founder of the worldwide web, raised concerns about the dark side of theĀ web. the first internet browser the internetās creation Source: Unsplash The web remains a dangerous place that literally steals the brightness from the light web where people try to remain safe and where businesses continue to fail to protect those same consumers. Below is a recent message from Sir : Tim Berners-Lee [Also see: https://cdn.theguardian.tv/mainwebsite/2015/02/19/150119TIMBERNERSLEE01BEGINNINGSREEXv3_FromGLabs-16x9.mp4 ] A recent published in January 2019, shows that web-based attacks are increasing, with nearly half targeted at US-based IP addresses. report by ENISA Source: ENISA The ENISA report highlighted that other attacks are also on the rise despite a decline inĀ spam. Domain fronting remains another major risk, as outlined in the most recent annual RSA conference: The threat landscape has changed with new attack vectors including malvertising, crypto-jacking, ransomware, and many other threats to internet users, including the Distributed Denial of Service (DDoS) attacks that can take entire web servicesĀ offline. Source: ENISA, using 2018Ā data Symptoms of a larger problem, the web has a diseaseĀ āļø Just a few days ago while writing this section of the article, I read a headline that WhatsAppās original co-founder, Brian Acton, who sold his company to Facebook for $18b, is again urging consumers to . (note: his encrypted messaging app is a competitor) delete all related Facebook applications Signal Photo source: Unsplash Mark Zuckerberg had just for Facebook to pivot to a more privacy-focused offering, yet barely a few days after . Facebook failed to properly secure those passwords in their database, as those plaintext secrets where found not to be encrypted when they should have.Ā š² announced plans Facebook announced it failed to properly secure millions of its userās passwords Even if a strong password was chosen, they werenāt protected properly (as also explains ) due to the negligent absence of encryption. š Forbes here Given the number of breaches that continue to hit the mainstream media (and potentially countless more yet to be announced or detected), usersā trust has been continually eroded.Ā š Photo source: Unsplash Many trusted platforms have been subject to repeated data breaches which have become the new ānormalā and leading to greater distrust of a companyās ability to guarantee security for consumers. Perhaps consumers are too reliant.Ā š Observations: Technology giants may be losing their grasp on loyal consumers as trust erodes from privacy/security breaches Consumers are still utterly reliant on services like Google, / Amazon / AWS, or payments providers (Visa, , etc..) and majorĀ banks Google Cloud PayPal Engineering Lack of educational resources and cyber tools may it harder for consumers to protect themselves without overly relying on 3rdĀ parties The modern corporation, and future collective/cooperative Capital markets are vital for economic prosperity, yet shareholder incentives must be aligned with the incentives of endĀ users. Source: Unsplash Such an alignment of interest is needed so both benefit and not one at the otherās expense (a challenge that open public blockchains are trying to figure out with experimental governance and incentive models using cryptography and creative blockchain technology recipes). Engineering Challenges: Game theory and economic incentives š®Ā š° Governance models that prioritize security and fairness š¦ š©āāĀ šØāā Regulatory compliance and accommodating laws/jurisdictions šĀ š® The founderās dilemma, a governance/incentive problem The issue at hand is a founderās dilemma that is manifesting itself at large scale across the globalĀ economy. The breaches at the largest technology conglomerates are causing shockwaves that are rippling into (legal and regulatory) debates and actions across various governments. Founderās Dilemma: Aligning interests of shareholders with the interests of consumers Effects of the business on society šĀ ā»ļø The cause of all these breaches in nearly all cases comes down to some form of human error (from one or more humans, and one or moreĀ errors). Photo source: Unsplash Many free/freemium services are not entirely free š«Ā š There are many such services that appear free to users but comes at some cost (i.e. a āfreeā google search), as the clues and data left behind by users are of great value when re-sold to advertisers, marketers, researchers, and StateĀ actors. Data is valuable but users donāt have a way to directly unlock thatĀ value. Freemium Takeaway: Many free services are not entirelyĀ free Value is extracted but not always directly shared withĀ users Users donāt have many options and are forced to trustĀ services Source: Unsplash Cybersecurity is a promising sector šµļøāāļø šµĀ š Just as defense becomes a more valuable sector in times of war, cybersecurity is becoming a valuableĀ sector. In recent years the cyber sector has branched out further to encompass additional electronic and digital commerce industries where cryptographic security has become a necessity to safeguard market participants. In 2018, over $1.8b was raised for cybersecurity startups, according to data from š. CB Insights Analogies of monetizing data to monetizing money š²Ā š¦ Ideally, some of the value captured from consumer data within an industry like social media should go back to consumers who would be compensated for theirĀ data. This need to compensate users for their data is analogous to what an account holder expects in terms of earning interest from within a checking account even as the bank re-hypothecates those funds for use elsewhere. Fintech Service Providers: Compensate users more, not just shareholders Create public utilities that are open (open-source) Encourage self-reliance and set those expectations in terms & conditions How to fix the problem: you are the solutionĀ š Comparable to banking (but worse) much of the modern web is so highly inefficient that it is as good as broken and change is needed at the infrastructure level. Even if the value is captured at the protocol level and shared with the public (compared to the application layer), it does no good if users cannot be more self-sovereign over their data. For example, matters like the self-custody of digital assets or other plain-text secrets relating to privacy/security and personal data should be controlled by their respective owners in an ideal world (i.e. power to the people).Ā ā”ļø Photo source: Unsplash My point is that there is an opportunity for change and to fix things, but itās the end user [you] that needs to regain power as companies alone cannot be expected to be our guardians, which is why . I think greater self-reliance is inevitable for the greater-good and safeguarding users on theĀ web Until then we remain helplessly reliant on many services and at the mercy of the cybersecurity risks, yet we can act to reduce those risks and regain defensive power to deter the growing array of threats online including phishing (i.e. typosquatting from bogus emails, sites, and program executable files that appear genuine). Actionable Steps: Consumer education will help empowerĀ change Software changes in UI/UX design leading to new tools and experiences Defend against cybersquatting/phishing (i.e. here is a ) quiz fromĀ Google Photo source: Unsplash Using cybersecurity tools, the good š and the badĀ š© While plenty of tools exist on the dark web and that are often used offensively by bad actors to do harm to others, consumers literally remain in the dark, as they do not have access to equally powerful tools that could be used for defensive purposes, unless they rely on thirdĀ parties. Examples of Cybersecurity Tools and limitations: Kali Linux and penetration testing software (can cause damage ifĀ misused) Vulnerable Password managers (can expose password) Privacy hoarding VPNs (may not protectĀ privacy) Leaky Firewalls (may not preventĀ hackers) Bug-prone end-to-end encrypted services (may not protectĀ data) Breaches š and the need to reduce the āquantityā of trustĀ š The problem is that third parties are subject to breaches, as weāve discussed, where consumers end up becoming theĀ victim. Photo source: Unsplash There must be ways that consumers can take greater responsibility to protect themselves, and that is what I am writing about here, including tools that are available albeit remain mostly complex and hard to access without relying on trusted third-parties. Again, my goal is to help users minimize the trust they expend, not eliminate it completely (not yet), as some level of trust is always needed at someĀ level. The building blocks of cybersecurity ā āļø āĀ ā Consumers remain largely unsafe against hackers or data compromises due to data privacy leaks and a growing landscape of cybersecurity risks, thus empowering consumers directly seems like a logical next step as we enter deeper into a greater need for cybersecurity. Below we examine various available today. cryptographic primitives Building blocks of cybersecurity applications: Randon-Number Generators š² Hash Functions #ļøā£ Encryption/Decryption Ciphers & Algorithms šćļøĀ š Zero-Knowledge ProofsĀ š½ Photo source: Unsplash āā Research Questions ā What does the road ahead look like for consumers when it comes to cybersecurity? And what can consumers do to protect themselves without the need to be as reliant on others and instead be more self-reliant on their own defenses against theseĀ risks? These are the types of questions I think about and which lead me to the inevitable conclusion of an upcoming trend of š which we discuss below in ways to shine some light on theĀ web. self-reliant and empowered internet users š Examples are not meant to be exhaustive: š±Use of Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) (but be sure to backup recovery key beforeĀ syncing) āļø Securing any secondary email addresses listed as recovery addresses on main emailĀ accounts šŖ Disabling Two-Step Verification (2SV) for any security-dependent services to reduce SIM port hackingĀ risks Combine the use of a VPN along with manually setting DNS (i.e. ās service) Cloudflare https://1.1.1.1/ šLearn to inspect code even if it looks unintelligible to the untrained user š„ Learn to run command line operations and apps from a terminalĀ window āAsk questions and research answers and be responsible for your own due diligence/opinion āQuestion security assumptions and go deeper layer byĀ layer Photo source: Unsplash Empowering the light web āļøĀ š„ The problem most internet users face in protecting themselves online is that the cybersecurity tools that consumers could theoretically use to protect themselves are often too complex to run manually, even though they are readily available today (links furtherĀ below). Cyber complexity challenges forĀ users: One mistake can make a secure process insecure (i.e. reusing the same salt/key and initialization vector to encrypt different messages). Less room for error (i.e. no resetĀ button) Greater attention to detailĀ required Takes time to learn new approaches/methods Photo source: Unsplash Expected security assumptions in terms of bitsĀ š¬ Cryptographic primitives will change over time, as they will be used so long as they are perceived to be safe and up until they are no longer secure. In advance of that convergence point (when old methods are no longer as secure relative to the risks), new methods are used to replace the old primitives ones. Source: Pedersen cryptography (commitment scheme cryptographic primitive) Cryptographic Security is usually measured in binary bits, which may refer to the length of a key and/or the range of possible numbers that the key was randomly chosen from (i.e. a 128-bit binary number chosen from a range of 2Ā¹Ā²āø possible 128-bit numbers). Opinion: Any Psudeo-Random Number Generator is only as secure the various entropy inputs it gathers from various input sources, each time the generator runs (such as is outlined in the W3C Crypto API referenced in thisĀ post). Cryptographically secure processes imply that the underlying primitives and method of construction of the processes used by an application has ideally been widely tested and relied upon as an industry standard. body[data-twttr-rendered="true"] {background-color: transparent;}.twitter-tweet {margin: auto !important;} GG18 threshold ECDSA just got real, KZen style! run it in your network with any parameters. First ever open source threshold ECDSA š Here's a demo. cc: , https://t.co/418Kh7BLmT @sgoldfed @rgennaro67 https://t.co/MfP9a9g4Sc ā @ZenGo function notifyResize(height) {height = height ? height : document.documentElement.offsetHeight; var resized = false; if (window.donkey && donkey.resize) {donkey.resize(height); resized = true;}if (parent && parent._resizeIframe) {var obj = {iframe: window.frameElement, height: height}; parent._resizeIframe(obj); resized = true;}if (window.location && window.location.hash === "#amp=1" && window.parent && window.parent.postMessage) {window.parent.postMessage({sentinel: "amp", type: "embed-size", height: height}, "*");}if (window.webkit && window.webkit.messageHandlers && window.webkit.messageHandlers.resize) {window.webkit.messageHandlers.resize.postMessage(height); resized = true;}return resized;}twttr.events.bind('rendered', function (event) {notifyResize();}); twttr.events.bind('resize', function (event) {notifyResize();});if (parent && parent._resizeIframe) {var maxWidth = parseInt(window.frameElement.getAttribute("width")); if ( 500 < maxWidth) {window.frameElement.setAttribute("width", "500");}} Meanwhile, newly introduced and going through such testing and not yetĀ adopted. proposals (i.e. blind signatures, by Boneh et al) may still be under the peer-review period Here is an example of a diagram/flowchart showing the schematics of BIP-39 for Curve Ed-25519. Cryptocurrency wallets that implement this process to create human-readable keys (mnemonic words), will usually result in 256-bits of security in the resulting 24āwords (or 128 bits for 12-word key phrases), excluding the checksum bits which are deterministic (hash-derived). Breaking modern cryptographic primitives šØĀ š While the cryptographically secure processes weāve discussed could (and likely may) be broken in the future, for the present moment they are believed to remain safe enough. These primitives are tested by and depended upon by the cybersecurity community for a reasonable amount of time (i.e. the next few years or until they are expected to no longer be secure), given the number of known theoretical attack vectors that are feasible. Itās a race againstĀ time. Photo source: Unsplash Any such security assumption means the attack vectors that are infeasible are valid risks that just have an extraordinarily low probability such that they are considered near impossible/improbable. In other words, given the available technology and resources that an attacker or group could access, if it would take 1 million years to guess a password of with n bits of security, that becomes a negligible risk. š Post-Quantum Algorithms š§Ā š Quantum computers could potentially crack such a password (see on ) perhaps in minutes or days, turning the risk into a non-negligible one that would no longer provide the security needed to remain cryptographically secure and require immediate change. Polynomial versus Non-deterministic Polynomial time Wikipedia A new suite of Quantum-resistant algorithms has been proposed as part of a second-round selection following submissions to the . National Institute of Standards (NIST) These forward-thinking preparations enable the worldwide web including major standardās bodies to have enough time to transition to the next-generation of encryption algorithms when the time is right (ideally long before the currently used ones are broken, and using the to estimate howĀ long). Mosca Theorem : Reseachers who were funded by grants from the US, Switzerland and Russia, recently announced a paper (rewind states) through the use of a quantum computer program design, as seen in the excerptĀ below. Reality check proving the ability to reverse time or reverse-enginner data These next-generation technologies will be the building blocks for cybersecurity tools which go through rigorous testing by academics and governments globally before being widely adopted and incorporated into standards for everyday use by the masses.Ā š® Cybersecurity tools remain complex š š£Ā š¢ Running a primitive cryptographic application manually (i.e. hash functions, or encryption and decryption algorithms) remains a highly technical process even for sophisticated users, often requiring programming-like skills such as running code on a command-line level. Here is a snapshot of what the hash value is for an empty string (āā), using three hash different algorithms separately inĀ Python. Source: BCAVentures.com Many powerful cryptographic primitives help secure the internet protocols that run the web but are unavailable to the masses in āeasy formā, forcing them to trust related third-party services who implement such servicesāāābehind the scenesāāāon theirĀ behalf. Even more advanced software such as Kali Linux can cause numerous problems and harm if used incorrectly (i.e. accidentally DDoSāing your own website and getting your IP blacklisted from your own provider) and is an example of the type of tools that hackers use offensively. Yet, the same tools are also used by security researchers and hired white-hat hackers for defensive purposes to audit software and look for vulnerabilities toĀ patch. Photo source: Unsplash Automation happening behind the scenesĀ šŖ I hope by now this picture is becoming more vivid, in terms of the processes that you could imagine are happening behind the scenes by software, even during normal processes such as sending an email or uploading a file to an encrypted service. As many third parties eventually succumb to some type of š data breach or mishandling of consumer data, this, in turn, can cause financial and physical harm to consumers. Whether sensitive personal data and privacy are part of a breach, if there is direct potential financial harm such as loss of property or funds, such breaches could even result in the loss of human life in the worstĀ cases. Below we will look at some solutions to begin to chip away at solving these problems, with the help of open-source software and openĀ systems. Photo source: Unsplash Open-source provides Transparency first and foremostĀ š The main aspect of open-source is not whether the software is free or not, but whether the underlying language and architecture are visible for its users to examine and potentially vet the source-code in its entirety. Compare this open structure to closed-source technology which is based on blind-trust when it comes to any underlying code which remains hidden to all except its creators/owners, and you can see there are pros/cons to each approach. Photo source: Unsplash The range of open-source licenses Ā©ļø Ā©ļø Ā®ļø ā¢ļøĀ š« Even though there are different types of (see from ), ranging from less restrictive and more open, to more restrictive and less open, at the end they are all open in terms of visibility of the code (which is what matters in the context of this article). open-source licenses choosealicense.com GitHub Open-source public repositories such as code found on sites such as Github invite collaboration as the public can inspect and contribute corrections, improvements and other feedback that can help drive the development process. Linux has evolved as an open-source operating system where some of its branches (distributions) are vibrant and widely used, while other branches died off due to lack of support/adoption. Below is an example of how open-source can evolve, as seen in this treemap of Linux distributions overĀ time: source: NPU onĀ Reddit Other licenses that have yet to be accepted by the standardās body that deals with the official āopen-sourceā designation are still open-source in my opinion. For me open means the full visibility of the source code, even if the secondary benefits of sharing and use are restricted, such as ās newest . Open Source Initiative (OSI) MongoDB Server-Side Public LicenseĀ (SSPL) Cybersecurity risks with open-source software šÆĀ š While open-source software can be just as susceptible to security breaches as closed-source or mixed-source software is, making the code fully open allows for transparency to proper due diligence to be conducted. A recent analysis found that many , which shows that best-practices are needed to secure authentication data (i.e. a path to the user's SSH key referenced, as opposed to referencing the actual secret key in the hostedĀ file). open-source projects have leaked their cryptographic key data Photo source: Unsplash Firefox recently launched its , which enables a user to send an encrypted file to anyone else via the use of a link, where the link acts as the key to decrypt the file, along with the ability for links to expire and be made available to one or more recipients. Firefox Send web app End to End encryption, from 3rd party servicesĀ šŖ Services that use end-to-end encryption might even be illegal in certain countries (like in last year, unless certain backdoors are implemented which inherently reduce the security properties such service try to aim to offer in the firstĀ place). Australia which just passed new encryption laws Other countries are funding the development of end-to-end encrypted service, with the European Commission recently awarding a grant of over 1m euro to Swiss-based provider Proton Mail āļø to help fund its bug-bounty šoffering to crowdsource development of its open-source components (i.e. pay developers who help improve its code and find/fixĀ bugs). body[data-twttr-rendered="true"] {background-color: transparent;}.twitter-tweet {margin: auto !important;} Congrats on the ā¬2m funding from the ! Q: will the code be open-source on ? (If so, I'd suggest you consider using bounties on the platform to crowdsource developers to work on related tasks): @ProtonMail @EU_Commission @github @GetGitcoin https://t.co/ZOFQCTbr7P ā @shatzakis function notifyResize(height) {height = height ? height : document.documentElement.offsetHeight; var resized = false; if (window.donkey && donkey.resize) {donkey.resize(height); resized = true;}if (parent && parent._resizeIframe) {var obj = {iframe: window.frameElement, height: height}; parent._resizeIframe(obj); resized = true;}if (window.location && window.location.hash === "#amp=1" && window.parent && window.parent.postMessage) {window.parent.postMessage({sentinel: "amp", type: "embed-size", height: height}, "*");}if (window.webkit && window.webkit.messageHandlers && window.webkit.messageHandlers.resize) {window.webkit.messageHandlers.resize.postMessage(height); resized = true;}return resized;}twttr.events.bind('rendered', function (event) {notifyResize();}); twttr.events.bind('resize', function (event) {notifyResize();});if (parent && parent._resizeIframe) {var maxWidth = parseInt(window.frameElement.getAttribute("width")); if ( 500 < maxWidth) {window.frameElement.setAttribute("width", "500");}} And while open-source is transparent (unlike closed-source code), it still requires either self-reliance to inspect the code yourself or to rely on trusted third-parties who maintain such repositories. Cybersecurity Tools for Defense š”Ā š What should a consumer do , are there otherĀ options? if someone must always be trusted This is a key question that is driving my focus when it comes to what consumers need to stay safe online, and ways they can use cryptographic primitives in easy-to-use cybersecurity tools. Photo source: Unsplash Perfect Security will never existĀ š Just as a clean room is only clean at that moment in time, as a particle of dust might fly in, time introduces decay in a process known as entropy. This is a term (and formula) also used in computer science that borrowed from Boltzmannās equation for entropy in physics, as it shared a similar structure for calculating the strength of a random string, hence entropy applies to information theory. Claude Shannon Pro Tip: You can calculate the entropy of a random password generated by calculating the log2(possible combinations) (i.e. log2(PasswordLibrary^PasswordLength) = overall entropy inĀ bits.) Entropy Formula: Log2(Possible combinations)= overall passwordĀ entropy RangeofPossibleCharacters^LengthofPassword= Possible combinations Log2(RangeofPossibleCharacters) = Entropy per character Entropy per character * LengthofPassword = overall passwordĀ entropy Photo source: Unsplash The reason there is no such thing as perfect security is because of time, since as time passes, new methods of penetrating security arise because security is a process, not a destination. This is also why key sizes continue to increase as even more entropy is needed. In the words of many famous cryptographers and cybersecurity thought-leaders, let us ponder those words again, āsecurity is a process, not a destinationā. [ā¦security is a process, not a destination.] Comparing security to hacking old video games š®Ā š¾ One analogy I like to compare when I think of how time changes our approach to a given technology is that over 20 years ago. For example, some Nintendo games were very very difficult to beat back in the early 80ās and 90s, and inspired a generation ofĀ gamers. However, nowadays gamers stream at conferences such as GDQ (Games Done Quick) where they use the most creative methods to hack the game control commands. Photo source: Unsplash These hacks are possible thanks to their ingenious approaches to reverse engineering how the random number generators work in the games, along with how screen state is recorded (such as with things like āframes per secondā for a given pixelĀ area). I was mind blown when I first saw these game hacking ninjas in action, like beating the game in under 5Ā minutes. So what does this have to do with cybersecurity? Read onĀ please. Source: YouTube The original game designer probably did not expect users to be able to exploit these hacks, but time and lots of trial-and-error are what helped lead the world record win in Super Mario Brothers on the original Nintendo Entertainment SystemĀ (NES). For any Millennial or other age groups who played NES, the following video shows how far weāve come thanks to time and gamers determined to hack these games using novel and creativeĀ methods. Itās a realĀ game Protecting oneself online is becoming like a complex game, that is real, and where users need to hack (learn) and simplify so they can win and protect theirĀ data. Just like the argument where (with a bearer instrument that is resistant to censorship and unforgeable), āāor risk losing the private keys that control their digitalĀ money. Bitcoin users hope to be sovereign over their own money users need to learn to be sovereign over their own data first Photo source: Unsplash Learning how to be sovereign over your own dataĀ šŖ While there are plenty of tools on the dark web that can be used for offensive purposes (i.e. ), including illegal applications that can cause financial harm or other irreparable damage, there exists an opposite force to counter these threats in the form of many open-source cybersecurity tools that can be used by consumers to defend themselves. Kali Linux š There are also good tips and resources from run by The National Cyber Security Alliance (NCSA) a non-profit, and the , a sub-division of the Department of Homeland Security (DHS)Ā šŗšø. Staysafeonline.org https://twitter.com/StaySafeOnline Cybersecurity and Infrastructure Security Agency (CISA) The is another great resource š and major voice š¢ that helps advocate for protecting consumers rights on the internet. Electronic Frontier Foundation (EFF) Iāve used some of ationās browser-plugins from time to time, including , , which are greatĀ tools. Electronic Frontier Found Privacy Badger HTTPS Everywhere However, the permissions these applications require means that you still have to trust them as third parties with your data (i.e. trust a 3rd party to protect you against other 3rd parties). Dependencies that have dependencies š½ This same ātrustā dilemma exists in source code when it comes to third-party dependencies that developers rely on, and the dependencies of those dependencies. Below is an example of vulnerabilities detected in NPM a popular JavaScript programming library. Moderate vulnerability being detected after running NPM, patched in versionĀ 2.3.1 Evolving Standards on theĀ Web The International Standards Organization (ISO) which is working on a few related cryptography standards (i.e. The 27000 series) including for blockchain and cybersecurity, and there is ISOC, ISACA, COBIT and the ITU Telecommunication Standardization Sector (ITU-T), and the Center for Internet SecurityĀ (CIS). Other institutions such as the (note: I am a contributor on Github to the š¤). WorldWide Web Consortium (W3C) have a cryptography API W3C Crypto repository Photo source: Unsplash Trusted commands such as `getRandomValues`(which is the equivalent of using the `secrets` library in Python or the `Dev(Random)` command on Linux terminal) is depended on by countless internet applications to source secure-enough entropy (i.e. entropy that pre-image resistant) to seed a pseudo-random number generator that is cryptographically secure in terms of bits (i.e. 256-bit numbers). š These technicalities could put the average consumer to sleep š“ š¤, but one need not understand the inner workings of hash functions (unless curious, or pursuing higher education) but rather how they tie into the bigger cybersecurity picture.Ā š¼ In other words, lots of people trust that these processes are cryptographically-secure because if someone could feasibly re-create that entropy (pre-image) that would break the security assumptions and put users data atĀ risk. Photo source: Unsplash Trust cannot yet be eliminated fromĀ software Some degree of Trust is required at all levels, and that unit of trust becomes a commodity that is often squandered on the internet by users who give out too much of it and too freely (and then fall victim to breaches). Until we [perhaps] have a trustless internet one day, with trustless applications, there are still huge opportunities now for consumers to minimize the amount of trust they are forced to have/accept, and to reduce the risks and attack surface of their digital footprint. Here are examples: āļø Learn (encryption algorithms & hash functions) how to use cryptographic primitives āļø of various lengths/strength Generate random cryptographically-secure passwords āļø Opt for simpler tools where in a singleĀ file the entire code can be inspected āļø ļøLearn to use devices in (i.e. old laptop with wifi disabled) š“ cold storage environments Practice, practice, practice..makes thingsĀ easier I want to shift the discussion towards the light web and how consumers will potentially behave in a world where self-reliance becomes as a necessity to protect oneself online, as more and more data breaches continue and trust in third-parties isĀ eroded. ā”ļø ā”ļøā”ļø I host a few such open-source cybersecurity tools like the algorithm, available as a tool that can be used manually.ā”ļøā”ļøā”ļø Advanced Encryption Standard (AES) : https://bcaventures.com/AES.html Source ā”ļø is an encryption algorithm (often using 128-bit or 256-bit keys) that is widely used on the internet behind the scenes in automated services that consumers trust everyĀ day.ā”ļø AES However, the average user has probably never run AES manually as it otherwise remainsĀ complex. The version of the tool I host works on a standalone basis even when not connected to the internet and allows users to encrypt and decrypt their data locally and securely (if used properly and with plugins disabled and in an offline environment). The beauty of this version of the AES app I host is that all of the code is contained in one file, like other standalone tools. This file can be inspected by a user more easily than a typical application that contains numerous (perhaps dozens or hundreds) of source code files andĀ folders. Photo source: Unsplash Other advanced tools for learning/experiments and realĀ usage Another such tool we host on BCAVentures.com is the , which can be seen below where the secret string āThis whole sentence is an example of a secret pasted into this tool.ā becomes encrypted into 3 shares (ciphertext/keys) where at least 2 of the 3 shares are needed to reconstruct (decrypt) back to the original plaintext secretĀ message. Shamir Secret Sharing Scheme tool Source: BCAventures.com The Shamir Secret Sharing tool allows a plain text secret (i.e. personal document, password, or other personal/private data to back up) to be encrypted into a chosen number of shares where a minimum number of those shares are needed to decrypt back to the originalĀ data. In the screenshot above, a 2-of-3 ratio is chosen, where each of the five shares becomes the ciphertext/encrypted data, but are also part of the secret key/password needed to decrypt/unlock the data(when at least two of the three are combined and pasted into theĀ tool). Below is an example of pasting at least two of the three shares back into the ācombineā field where the original secret is revealed just below in dark shaded text that is highlighted: Source: BCAVentures.com While many of these tools remain too difficult for the average user, I expect that willĀ change. Consumers are being compelled to become more self-reliant, as the value of their data increases along with the increasing risks we face and new changing threat landscape on theĀ web. Photo source: Unsplash Advanced cybersecurity tools (including open public blockchain networks) that allow time-stamping to prove provenance or verify that a particular document existed at some point in time, is another use case (such as for a legal agreement or will,Ā etc..). Hashing a document where the hash of the document is recorded publicly as a digital fingerprint, will help not only empower users but echelon in a new paradigm of services and solutions from next-generation companies. Photo source: Unsplash It is still early as the average user doesnāt know how to hash a file unless using a 3rd party services, which is why I believe it is best to learn to do it from the command line yourself while looking at the source code to see what is āunder theĀ hood.ā : Something as simple as having a spell checker plugin enabled can introduce risks for data to leak, which is why these tools are designed to work offline on a standalone basis, ideally in a cold environment (air-gapped). Tip Wow moment, we are almost thereĀ š The goal is to help empower users with such tools like through efforts that BCA Ventures is pursuing, by wrapping open-source applications within an easy to access platform, that will āwowā them with powerful cybersecurity tools (not thereĀ yet). Here is a free āwowā in the meantime: source: medium.com Take Action If you liked this article and its purpose, to help spread this important message by clicking on the plus sign over the š icon with the āĀ sign! please give it one or many claps š on Medium.com and the Hackernoon.com community Thank youĀ ~ Note: Steven Hatzakis is the founder of ., an early-stage cybersecurity R&D hub, please follow our new handle on and on (@chainadvisors) and contact us to learnĀ more. BCA Ventures Inc Twitter.com/chainadvisors Medium.com/chainadvisors
Share Your Thoughts