In the internet-connected world we live in, aspects of privacy, security, and governance have been abstracted into an intangible, virtually invisible dimension that is hard to understand and harder to navigate.
The digital infrastructure upon which almost everything rests today has shifted power in ways that are difficult to comprehend. Today’s internet is tracking and storing almost every single action on the internet in some way. This mass storage of data lies behind nothing more than other software bits that determine who has access to the data.
But because humans are biologically wired to live in a physical world, it’s hard to fully grasp the implications of such a seemingly ethereal infrastructure on our physical world. Yet it is exactly in this transition into the world of bits that espionage, war, authoritarianism, civil rights, and the like have begun to manifest themselves in new ways. It’s not that the implications of physical wars and injustices are no longer relevant; they are just becoming a smaller part of the bigger picture.
History of Exploits
When the internet started, it was used by a small, academic community that trusted each other. In fact, because there were so few people using the internet, every computer had a file that listed every single website that existed. No one thought to use the internet maliciously, mostly because there wasn’t much to exploit.
But it wasn’t long before we ate from the tree of knowledge.
In 1988 a graduate student from Columbia, Robert Tappan Morris, created the first notable computer worm. Although the Morris worm may not have been the first malicious piece of code to be deployed, it was the first computer worm to do a significant amount of damage to internet infrastructure, estimated at around 10% of the Internet at the time.
Fast forward 28 years to where we are now in 2016, and the level of internet malware, spyware, and worms has increased beyond anyone’s comprehension. From cyber-warfare between countries to advertising to spam to malware to analytics, data is being accessed and exploited in every way imaginable.
Here are a few of them with a few examples of each:
- Governments are using malware and DOS (denial of service) attacks to achieve a political agenda.
  - In order to prevent Iran from producing a nuclear weapon, the US was able to infect Iran’s nuclear centrifuges with a malware called Stuxnet that prevented Iran from building nuclear weapons.
  - China has repeatedly DDOS’d US government websites with China’s “great cannon” (a byproduct of the great firewall).
  - Syria took down the New York Times in 2013 with a DNS attack.
  - The SWIFT hack of 2016 stole $81M from Bangladesh Bank.
- Governments are using filters to censor internet traffic and monitoring it to surveil.
  - Snowden leaks revealed that the NSA had been spying on many US citizens, collecting all sorts of telecommunications. Part of this revelation included that the NSA was intercepting internet routers mid-shipment and overwriting router firmware to give them a backdoor.
  - The Great Firewall of China has been limiting Chinese connectivity to the outside world.
  - A network filtering and surveillance software written for schools has reportedly shown up in Iran, Sudan, and Syria to monitor their citizens.
- Advertising companies are using tracking cookies to follow your activity across the internet.
- Schools are installing monitoring software onto school-issued laptops.
- Criminals are using cross site request forgeries, cross site scripting, and phishing attacks to commit fraud.
- Criminals are using trojans to hijack traffic and get access to your computer.
- Criminals are using ransomware to make money by locking important data.
It is only through well-engineered programs, protocols, and cryptography that it is possible to keep ourselves safe online. With the internet lacking many of the constraints of the physical world, the stakes of being compromised are much more significant. Just because you have nothing to hide doesn’t mean that you shouldn’t expect some level of privacy and security. In a physical world, I can have in-person conversations where I decide what I want to share and with whom I want to share it. In the same way, having freedom of speech online means that I should also have the expectation of agency and privacy when communicating online.
And while that sounds easily achieved, understanding the security mechanisms of the infrastructure we have in place is the first step to understanding how to build secure systems.
The Mixing of Internet and State
When you visit www.senate.gov, how can you tell whether you are being watched? And how do you know what information they have about you? And how can you be sure that the page you are seeing actually belongs to the US Senate?
The short answer is that you can’t know any of those things for sure. You can check the cookies and open the developer console to inspect the resources and requests, but that is insufficient to answer any of the questions we asked above. Let’s start by taking a step back and looking at each piece of this puzzle separately.
How can you tell whether you are being watched?
Browser cookies are something you may have heard of, or you may even have cleared at some point. But there is a lot of misinformation about what cookies actually are and how they work.
When I first make a connection to www.senate.gov, there is a server on the other end that is notified about my intent to view the webpage. The server then returns a webpage via the HTTP specification for my browser to render into a page I can read. As a part of that specification, the website is able to set a small chunk of data that I will send back to the server for any subsequent visit to that website. Usually, the data that gets set is some sort of unique identification number.
If I look at the cookies that are set on www.senate.gov, I see that there are three cookies set for my particular browser.
Notice that the cookie contains name, content, domain, path, send, set date, and expiration date fields. This means that a website can only set cookies for its own domain, which is referred to as the “origin”.
Now, can you tell by the cookie content what this cookie is for? I have a few guesses, but I’ll let you think about it. Email me if you have any ideas.
Seems pretty straightforward, why are cookies problematic?
Well, it turns out that any request made from a page, such as an external image load, has the ability to set a cookie. This means that advertisers that display any sort of ad on a page have the ability to set a cookie for their origin whenever you load an ad. Then, if you visit another site that contains an ad from the same ad vendor, that ad company can track you across the internet.
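The cross-site linkage described above, as an added example that is not part of the original post: it replays a constructed request log through a simplified cookie jar and reports which third-party hosts received the same cookie from more than one site, then repeats the replay with third-party cookies blocked. All host names, the cookie values, and the last-two-labels `site()` grouping are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed request log (all host names are made up):
# (site in the address bar, host the request went to, Set-Cookie header or None)
REQUESTS = [
    ("news.example", "news.example", "session=a1; Path=/"),
    ("news.example", "ads.tracker.example", "uid=u-7731; Path=/; Max-Age=31536000"),
    ("shop.example", "shop.example", "cart=c9; Path=/"),
    ("shop.example", "ads.tracker.example", None),
    ("blog.example", "cdn.static.example", None),
]


def site(host):
    """Naive 'same site' key: last two labels. Browsers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def replay(requests, block_third_party=False):
    """Replay the log through a simplified cookie jar (keyed by host, ignoring
    Domain/Path/expiry) and return {(host, cookie): [sites]} for every cookie
    that a third-party host saw on more than one site."""
    jar = {}
    linked = defaultdict(set)
    for page, host, set_cookie in requests:
        third_party = site(host) != site(page)
        if third_party and block_third_party:
            continue  # cookie is neither sent nor stored in a third-party context
        sent = jar.get(host)  # what the browser attaches to this request
        if set_cookie:
            jar[host] = set_cookie.split(";", 1)[0].strip()  # keep name=value only
        cookie = sent or jar.get(host)
        if third_party and cookie:
            linked[(host, cookie)].add(site(page))
    return {key: sorted(sites) for key, sites in linked.items() if len(sites) > 1}


if __name__ == "__main__":
    print("default:", replay(REQUESTS))
    print("third-party cookies blocked:", replay(REQUESTS, block_third_party=True))
```

The same replay can be run over an exported request log from the browser's developer tools to see which embedded hosts appear across the sites you visit.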
How do you know what information they have about you?
To see just how much information is being sent back and forth from a site like Facebook, opening up Wireshark (a tool that allows you to monitor network connections) and filtering by Facebook’s IP and the proper port (tcp.port == 443 && ip.dst == 18.104.22.168) reveals that merely as I scroll down the page, packets are being sent back to Facebook.
But because Facebook works over HTTPS (we’ll get to that later), it’s hard to know exactly what is being sent without digging through the highly obfuscated source code.
How can you be sure that the page you are seeing actually belongs to who it claims to be?
Whenever your browser makes a request for a website, it sends data through a network of servers and routers that make sure things go to and from the right place. But what happens if a router that is supposed to pass your data to the right place decides that it wants to be malicious and pretend to be the website you are asking for?
On plain HTTP, there is no way of knowing whether the website you are looking at has been tampered with or modified between you and the server, nor can you be sure that you are actually talking to the server you want.
Over HTTPS, whenever you make a request for a URL, your browser also searches Certificate Authorities (known as CAs) for the valid encryption keys of that website. Then, your browser uses the key provided by the CA to validate the key sent by the server before any encrypted data is exchanged. This way, SSL can guarantee that a website is who it says it is and that your connection was not tampered with.
Great, so we’ll just implement SSL, run all our traffic over HTTPS, and our problems will go away, right?
Not quite. Although SSL encrypts the data that you are sending, it doesn’t protect the metadata that reveals who you’re talking to, how much information you’re sending, and other information about your data. One example is that although Google Maps operates over an HTTPS connection, the way they encoded the blocks of map data made it possible for someone listening to your connection to make a pretty accurate guess about where you were looking on the map by the amount of data that was being transferred.
So although SSL is not a complete solution, it’s a necessary start for protecting the privacy and security of internet users. Historically, getting an SSL certificate registered with CAs was a long and expensive process. However, thanks to Let’s Encrypt, SSL certificates are now free and easy to implement.
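The size leak described above, as an added example that is not part of the original post: it groups a set of constructed map tiles by the length an observer would see on the wire, lists the tiles that are uniquely identifiable by size alone, and shows how padding responses to a fixed bucket size merges them into larger indistinguishable groups at a cost in extra bytes. The tile names, sizes, and the constant per-response overhead are assumptions.

```python
# Constructed plaintext sizes (bytes) of map tiles; tile names are hypothetical.
TILE_SIZES = {
    "tile_a": 18211, "tile_b": 18950, "tile_c": 23077,
    "tile_d": 23077, "tile_e": 30514, "tile_f": 31990,
}
OVERHEAD = 29  # assumed constant bytes added per response by encryption framing


def wire_length(size, bucket=None):
    """Length visible to an on-path observer; pad up to a bucket multiple if given."""
    if bucket:
        size = -(-size // bucket) * bucket  # round up to the next multiple
    return size + OVERHEAD


def anonymity_sets(sizes, bucket=None):
    """Group tiles by observable length: tiles in one group look identical by size."""
    groups = {}
    for tile, size in sizes.items():
        groups.setdefault(wire_length(size, bucket), []).append(tile)
    return groups


def uniquely_identifiable(sizes, bucket=None):
    """Tiles whose observable length is shared with no other tile."""
    sets = anonymity_sets(sizes, bucket).values()
    return sorted(group[0] for group in sets if len(group) == 1)


def padding_cost(sizes, bucket):
    """Total extra bytes sent when every tile is padded to the bucket size."""
    return sum(wire_length(s, bucket) - wire_length(s) for s in sizes.values())


if __name__ == "__main__":
    for bucket in (None, 4096, 16384):
        extra = padding_cost(TILE_SIZES, bucket) if bucket else 0
        print(f"bucket={bucket}: unique={uniquely_identifiable(TILE_SIZES, bucket)}, "
              f"groups={len(anonymity_sets(TILE_SIZES, bucket))}, extra bytes={extra}")
```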
It is because of this new service provided to an increasingly dangerous internet that now diplateevo is served over HTTPS! If you look in your address bar next to the URL, there should be an icon of a green padlock indicating that your connection is over HTTPS.
Hopefully within a few years the majority of websites will be running off HTTPS and browsers will start throwing warnings when connecting over HTTP. After all, https://senate.gov/ can’t keep giving the page it does now.
A Tribute to Internet Activism
It’d be wrong to talk about internet freedom without giving proper credit to the people who have given their lives to thanklessly improving security for the rest of us. I’m talking about folks like the Electronic Frontier Foundation, the Freedom of the Press Foundation, the BSD community, and countless other communities.
But one story sticks out personally to me: the story of Aaron Swartz. Aaron was a hacktivist who worked incessantly at ensuring free speech was possible on the internet, and fought to keep the internet an open place. He was a part of Rootstrikers, Demand Progress, and many other organizations that participated in civic activism. After facing a federal indictment, Aaron took his life.
I can’t help but think of what could have been if Aaron was still advocating for the things he believed so deeply in. To many in the security community, getting mechanisms implemented is a long and arduous process, but it impacts more people than we can imagine.
Governments are finally starting to think about what democracy means in an internet era. Let’s not mess this up.