Connect with us

Technology

The Ultimate Online Privacy Guide

Published

on

The Ultimate Online Privacy Guide

By Douglas Crawford

Introduction

Edward Snowden’s NSA spying revelations highlighted just how much we have sacrificed to the gods of technology and convenience something we used to take for granted, and once considered a basic human right – our privacy.

It is just not just the NSA. Governments the world over are racing to introduce legislation that allows to them to monitor and store every email, phone call and Instant Message, every web page visited, and every VoIP conversation made by every single one of their citizens.

The press has bandied parallels with George Orwell’s dystopian world ruled by an all-seeing Big Brother about a great deal. They are depressingly accurate.

Encryption provides a highly effective way to protect your internet behavior, communications, and data. The main problem with using encryption is that its use flags you up to organizations such as the NSA for closer scrutiny.

Details of the NSA’s data collection rules are here. What it boils down to is that the NSA examines data from US citizens, then discards it if it’s found to be uninteresting. Encrypted data, on the other hand, is stored indefinitely until the NSA can decrypt it.

The NSA can keep all data relating to non-US citizens indefinitely, but practicality suggests that encrypted data gets special attention.

If a lot more people start to use encryption, then encrypted data will stand out less, and surveillance organizations’ job of invading everyone’s privacy will be much harder. Remember – anonymity is not a crime!

How Secure is Encryption?

Following revelations about the scale of the NSA’s deliberate assault on global encryption standards, confidence in encryption has taken a big dent. So let’s examine the current state of play…

Encryption Key Length

Encryption Key 01Key length is the crudest way of determining how long a cipher will take to break. It is the raw number of ones and zeros used in a cipher. Similarly, the crudest form of attack on a cipher is known as a brute force attack (or exhaustive key search). This involves trying every possible combination to find the correct one.

If anyone is capable of breaking modern encryption ciphers it is the NSA, but to do so is a considerable challenge. For a brute force attack:

  • A 128-bit key cipher has 3.4 x10(38) possible keys. Going through each of them would thousands of operations or more to break.
  • In 2011 the fastest supercomputer in the word (the Fujitsu K computer located in Kobe, Japan) was capable of an Rmax peak speed of 10.51 petaflops. Based on this figure, it would take Fujitsu K 1.02 x 10(18) (around 1 billion) years to crack a 128-bit AES key by force.
  • In 2016 the most powerful supercomputer in the world is the NUDT Tianhe-2 in Guangzhou, China. Almost 3 times as fast as the Fujitsu K, at 33.86 petaflops, it would “only” take it around a third of a billion years to crack a 128-bit AES key. That’s still a long time, and is the figure for breaking just one key.
  • A 256-bit key would require 2(128) times more computational power to break than a 128-bit one.
  • The number of years required to brute force a 256-bit cipher is 3.31 x 10(56) – which is about 20000….0000 (total 46 zeros) times the age of Universe (13.5 billion or 1.35 x 10(10) years!

The NUDT Tianhe-2 supercomputer in Guangzhou, China

128-bit Encryption

Until the Edward Snowden revelations, people assumed that 128-bit encryption was in practice uncrackable through brute force. They believed it would be so for around another 100 years (taking Moore’s Law into account).

In theory, this still holds true. However, the scale of resources that the NSA seems willing to throw at cracking encryption has shaken many experts’ faith in these predictions. Consequently, system administrators the world over are scrambling to upgrade cipher key lengths.

If and when quantum computing becomes available, all bets will be off. Quantum computers will be exponentially more powerful than any existing computer, and will make all current encryption ciphers and suites redundant overnight.

In theory, the development of quantum encryption will counter this problem. However, access to quantum computers will initially be the preserve of the most powerful and wealthy governments and corporations only. It is not in the interests of such organizations to democratize encryption.

For the time being, however, strong encryption is your friend.

Note that the US government uses 256-bit encryption to protect ‘sensitive’ data and 128-bit for ‘routine’ encryption needs.

However, the cipher it uses is AES. As I discuss below, this is not without problems.

Ciphers

Encryption key length refers to the amount of raw numbers involved. Ciphers are the mathematics used to perform the encryption. It is weaknesses in these algorithms, rather than in the key length, that often leads to encryption breaking.

By far the most common ciphers that you will likely encounter are those OpenVPN uses: Blowfish and AES. In addition to this, RSA is used to encrypt and decrypt a cipher’s keys. SHA-1 or SHA-2 are used as hash functions to authenticate the data.

AES is generally considered the most secure cipher for VPN use (and in general). Its adoption by the US government has increased its perceived reliability, and consequently its popularity. However, there is reason to believe this trust may be misplaced.

NIST

The United States National Institute of Standards and Technology (NIST) developed and/or certified AES, RSA, SHA-1 and SHA-2. NIST works closely with the NSA in the development of its ciphers.

Given the NSA’s systematic efforts to weaken or build backdoors into international encryption standards, there is every reason to question the integrity of NIST algorithms.

NIST has been quick to deny any wrongdoing (“NIST would not deliberately weaken a cryptographic standard”). It has also has invited public participation in a number of upcoming proposed encryption-related standards in a move designed to bolster public confidence.

The New York Times, however, has accused the NSA of introducing undetectable backdoors, or subverting the public development process to weaken the algorithms, thus circumventing NIST-approved encryption standards.

News that a NIST-certified cryptographic standard – the Dual Elliptic Curve algorithm (Dual_EC_DRGB) had been deliberately weakened not just once, but twice, by the NSA destroyed pretty much any existing trust.

Encryption

That there might be a deliberate backdoor in Dual_EC_DRGB had already been noticed before. In 2006 researchers at the Eindhoven University of Technology in the Netherlands noted that an attack against it was easy enough to launch on ‘an ordinary PC.’  Microsoft engineers also flagged up a suspected backdoor in the algorithm.

Despite these concerns, where NIST leads, industry follows. Microsoft, Cisco, Symantec and RSA all include the algorithm in their products’ cryptographic libraries. This is in large partbecause compliance with NIST standards is a prerequisite to obtaining US government contracts.

NIST-certified cryptographic standards are pretty much ubiquitous worldwide throughout all areas of industry and business that rely on privacy (including the VPN industry). This is all rather chilling.

Perhaps because so much relies on these standards, cryptography experts have been unwilling to face up to the problem.

Perfect Forward Secrecy

Perfect Forward Secrecy 01
One of the revelations in the information provided by Edward Snowden is that “another program, code-named Cheesy Name, was aimed at singling out SSL/TLS encryption keys, known as ‘certificates,’ that might be vulnerable to being cracked by GCHQ supercomputers.”

That these certificates can be “singled out” strongly suggests that 1024-bit RSA encryption (commonly used to protect the certificate keys) is weaker than previously thought. The NSA and GCHQ could therefore decrypt it much more quickly than expected.

In addition to this, the SHA-1 algorithm widely used to authenticate SSL/TLS connections is fundamentally broken. In both cases, the industry is scrambling fix the weaknesses as fast as it can. It is doing this by moving onto RSA-2048+, Diffie-Hellman, or  Elliptic Curve Diffie-Hellman (ECDH) key exchanges and SHA-2+ hash authentication.

What these issues (and the 2014 Heartbleed Bug fiasco) clearly highlight is the importance of using perfect forward secrecy (PFS) for all SSL/TLS connections.

This is a system whereby a new and unique (with no additional keys derived from it) private encryption key is generated for each session. For this reason, it is also known as an ephemeral key exchange.

Using PFS, if one SSL key is compromised, this does not matter very much because new keys are generated for each connection. They are also often refreshed during connections. To meaningfully access communications these new keys would also need to be compromised. This makes the task so arduous as to be effectively impossible.

Unfortunately, it is common practice (because it’s easy) for companies to use just one private encryption key. If this key is compromised, then the attacker can access all communications encrypted with it.

OpenVPN and PFS

The most widely used VPN protocol is OpenVPN. It is considered very secure. One of the reasons for this is because it allows the use of ephemeral keys.

Sadly this is not implemented by many VPN providers. Without perfect forward secrecy, OpenVPN connections are not considered secure.

It is also worth mentioning here that the HMAC SHA-1 hashes routinely used to authenticate OpenVPN connections are not a weakness. This is because HMAC SHA-1 is much less vulnerable to collision attacks than standard SHA-1 hashes. Mathematical proof of this is available in this paper.

The Takeaway – So, is Encryption Secure?

To underestimate the NSA’s ambition or ability to compromise all encryption is a mistake. However, encryption remains the best defense we have against it (and others like it).

To the best of anyone’s knowledge, strong ciphers such as AES (despite misgivings about its NIST certification) and OpenVPN (with perfect forward secrecy) remain secure.

As Bruce Schneier, encryption specialist, fellow at Harvard’s Berkman Center for Internet and Society, and privacy advocate famously stated,

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.”

Remember too that the NSA is not the only potential adversary. However, most criminals and even governments have nowhere near the NSA’s ability to circumvent encryption.

The Importance of End-to-end Encryption

End-to-end (e2e) encryption means that you encrypt data on your own device. Only you hold the encryption keys (unless you share them). Without these keys, an adversary will find it extremely difficult to decrypt your data.

Encryption

Many services and products do not use e2e encryption. Instead they encrypt your data and hold the keys for you. This can be very convenient, as it allows for easy recovery of lost passwords, syncing across devices, and so forth. It does mean, however, that these third parties could be compelled to hand over your encryption keys.

A case in point is Microsoft. It encrypts all emails and files held in OneDrive (formerly SkyDrive), but it also holds the encryption keys. In 2013 it used these to unlock the emails and files of its 250 million worldwide users for inspection by the NSA.

Strongly avoid services that encrypt your data on their servers, rather than you encrypting your own data on your own machine.

HTTPS

Although strong encryption has recently become trendy, websites have been using strong end-to-end encryption for the last 20 years. After all, if websites were not secure, then online shopping or banking wouldn’t be possible.

The encryption protocol used for this is HTTPS, which stands for HTTP Secure (or HTTP over SSL/TLS). It is used for websites that need to secure users’ communications and is the backbone of internet security.

When you visit a non-secure HTTP website, data is transferred unencrypted. This means anyone watching can see everything you do while visiting that site. This includes your transaction details when making payments. It is even possible to alter the data transferred between you and the web server.

With HTTPS, a cryptographic key exchange occurs when you first connect to the website. All subsequent actions on the website are encrypted, and thus hidden from prying eyes. Anyone watching can see that you have visited a certain website, but cannot see which individual pages you read, or any data transferred.

For example, the BestVPN.com website is secured using HTTPS. Unless you are using a VPN while reading this web page, your ISP can see that you have visited www.bestvpn.com, but cannot see that you are reading this particular article. HTTPS uses end-to-end encryption.

Secured website Firefox

It is easy to tell if you visit a website secured by HTTPS – just look for a locked padlock icon to the left of the main URL/search bar.

There are issues relating to HTTPS, but in general it is secure. If it wasn’t, none of the billions of financial transactions and transfers of personal data that happen every day on the internet would be possible. The internet itself (and possibly the world economy!) would collapse overnight.

For a detailed discussion on HTTPS, please see here.

Metadata

An important limitation to encryption is that it does not necessarily protect users from the collection of metadata.

Even if the contents of emails, voice conversations, or web browsing sessions cannot be readily listened in on, knowing when, where, from whom, to whom, and how regularly such communication takes place can tell an adversary a great deal. This is a powerful tool in the wrong hands.

For example, even if you use a securely encrypted messaging service such as WhatsApp, Facebook will still be able to tell who you are messaging, how often you message, how long you usually chat for, and more. With such information, it would be easy to discover that you were having an affair, for example.

Although the NSA does target individual communications, its primary concern is the collection of metadata. As NSA General Counsel Stewart Baker has openly acknowledged,

“Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.

Technologies such as VPNs and Tor can make the collection of metadata very difficult. For example, an ISP cannot collect metadata relating to the browsing history of customers who use a VPN to hide their online activities.

Note, though, that many VPN providers themselves log some metadata. This should be a consideration when choosing a service to protect your privacy.

Please also note that mobile apps typically bypass any VPN that is running on your device, and connect directly to their publishers’ servers. Using a VPN, for example, will not prevent WhatsApp sending metadata to Facebook.

Identify Your Threat Model

When considering how to protect your privacy and stay secure on the internet, carefully consider who or what worries you most. Defending yourself against everything is almost impossible. And any attempt to do so will likely seriously degrade the usability (and your enjoyment) of the internet.

Identifying to yourself that being caught downloading an illicit copy of Game of Thrones is a bigger worry than being targeted by a crack NSA TAO teamfor personalized surveillance is a good start. It will leave you less stressed, with a more useable internet and with more effective defenses against the threats that really matter to you.

Of course, if your name is Edward Snowden, then TAO teams will be part of your threat model…

I will discuss steps you should take to help identify your threat model in an upcoming article on BestVPN.com. In the meantime, this article does a good job of introducing the basics.

Use FOSS Software

Ultimate Privacy Guide Illustration 03 01The terrifying scale of the NSA’s attack on public cryptography, and its deliberate weakening of common international encryption standards, has demonstrated that no proprietary software can be trusted. Even software specifically designed with security in mind.

The NSA has co-opted or coerced hundreds of technology companies into building backdoors into their programs, or otherwise weakening security in order to allow it access. US and UK companies are particularly suspect, although the reports make it clear that companies across the world have acceded to NSA demands.

The problem with proprietary software is that the NSA can fairly easily approach and convince the sole developers and owners to play ball. In addition to this, their source code is kept secret. This makes it easy to add to or modify the code in dodgy ways without anyone noticing.

Open source code

The best answer to this problem is to use free open source software (FOSS). Often jointly developed by disparate and otherwise unconnected individuals, the source code is available to everyone to examine and peer-review. This minimizes the chances that someone has tampered with it.

Ideally, this code should also be compatible with other implementations, in orderto minimize the possibility of a backdoor being built in.

It is, of course, possible that NSA agents have infiltrated open source development groups and introduced malicious code without anyone’s knowledge. In addition, the sheer amount of code that many projects involve means that it is often impossible to fully peer-review all of it.

Despite these potential pitfalls, FOSS remains the most reliable and least likely to be tampered with software available. If you truly care about privacy you should try to use it exclusively (up to and including using FOSS operating systems such as Linux).

Steps You Can Take to Improve Your Privacy

With the proviso that nothing is perfect, and if “they” really want to get you “they” probably can, there are steps you can take to improve your privacy.

Pay for Stuff Anonymously

One step to improving your privacy is to pay for things anonymously. When it comes to physical goods delivered to an actual address, this isn’t going to happen. Online services are a different kettle of fish, however.

It is increasingly common to find services that accept payment through Bitcoin and the like. A few, such as VPN service Mullvad, will even accept cash sent anonymously by post.Ultimate Privacy Guide Illustration 04 01

Bitcoin

Bitcoin is a decentralized and open source virtual currency that operates using peer-to-peer technology (much as BitTorrent and Skype do). The concept is particularly revolutionary and exciting because it does not require a middleman to work (for example a state-controlled bank).

Whether or not Bitcoins represent a good investment opportunity remains hotly debated, and is not within the remit of this guide. It is also completely outside of my area of expertise!

Source: Bestvpn.com

Modupe Gbadeyanka is a fast-rising journalist with Business Post Nigeria. Her passion for journalism is amazing. She is willing to learn more with a view to becoming one of the best pen-pushers in Nigeria. Her role models are the duo of CNN's Richard Quest and Christiane Amanpour.

1 Comment

1 Comment

Leave a Reply

Technology

Verve Backs Effective Digitization of Public Identity System

Published

on

Verve Good Life Promo

By Modupe Gbadeyanka

One of the leading payments companies in Nigeria, Verve, has reaffirmed its support for the digitization of public identity system, stressing that the nation would benefit greatly from this.

The firm, which is a champion of digitized identity management solutions, said it was strongly behind the federal government’s efforts to create a robust digitization framework for comprehensive identity management for Nigerians.

The Nigerian government ramped up its digital identity management campaign to ensure a proper and foolproof identification system, as obtained in most countries across the globe.

In 2019, the Federal Government of Nigeria, through the National Identity Management Commission (NIMC) joined the coalition calling for the recognition of September 16 as International Identity Day to further consolidate its target of a comprehensive digital identity management system

According to the NIMC, the digital identity ecosystem includes players in both the private and public sectors to improve the commission’s reach across the nation.

Players in the sectors include qualified private vendors who will provide data collection services and issue National Identification Number (NIN) under the National Identity Management System (NIMS) programme.

The commission seeks to enrol all Nigerians and legal residents in a centralized identity database, with the aim of creating an authentication channel that would foster seamless and safe local and foreign transactions.

Verve as a provider of safe and seamless payment solutions, through its technology framework, possesses the expertise and capacity to provide contemporary digitized identification solutions. This positions Verve as a suitable partner in the ongoing public identity digitization drive, providing structures that will advance the goals of the NIMC.

Marking this year’s National Identity Day at the Presidential Villa in Abuja, the Divisional Chief Executive Officer (DCEO) for Payment Cards and Digital Tokens, Interswitch Group, Vincent Ogbunude, restated the firm’s commitment towards supporting a digital ecosystem in tandem with the aims of the Federal Ministry of Communication and Digital Economy.

Ogbunude said, “Verve is proud to be supporting the federal government on this project. This partnership underpins our commitment and investment to grow the digital identity management system in Nigeria. At Interswitch we understand the critical place for identity, indeed we believe that a person’s identity is a fundamental human right that should not be trifled with.”

Emphasizing the importance of having an identity management database for Nigeria, Africa’s most populous country and the 7th most populous nation in the world, the Minister of Communication and Digital Economy, Isa Pantami, said that a comprehensive identity database was important in identifying the total number of residents in the country.

He also noted that a digitized identity management system would aid the government in crafting a proper national budget to better cater to the needs of Nigerians.

The minister pointed out that the digital national identification exercise would serve as a convenient substitute for frequent census exercises, “if the database is updated”.

Continue Reading

Technology

Data Science Nigeria Unveils AI Startup Incubation Hub

Published

on

DSN AI Startup Incubation Hub

By Sodeinde Temidayo David

Leading Artificial Intelligence (AI) hub, Data Science Nigeria (DSN), has announced the launch of the country’s first AI Startup Incubation and Research Centre.

The launch also included a bespoke AI Startup Summit which was themed Building Nigeria’s Artificial Intelligence Unicorns, under the topic titled How to build scalable startups leveraging AI and exponential technologies.

With the launch of the new AI startup incubation hub, the organization is set to promote its vision to build a world-class AI, knowledge research and innovation ecosystem that would deliver high-impact transformational research.

Speaking at the event, the founder and lead mentor of Data Science, Mr Olubayo Adekanmbi, expressed that the dominant fact remains that artificial intelligence is a big game-changer, and is going to change how unicorns of the future will emerge.

This follows research by PwC, a global consulting firm, which noted that AI can contribute as much as $15.7 trillion to the global economy by 2030.

According to Mr Adekanmbi, AI has the potential to boost the global GDP by 16 per cent. With this, he noted the need to support the local AI start-ups to become world-class unicorns of tomorrow.

The lunch featured other startups like Data Vault, Vooli, Farm Speak, Snark Health, Kitovu, Stedigital, Adeseko Technology Limited, Tech Semester, Archer, Freestyle Journal, Tech Oga, and CrossVu Digital.

As part of the value proposition to the successful startups that were embraced into the incubation programme, startups will be taken through an immersive and enriching experience that involves entrepreneurship training, technical support, access to markets, free workstation, networking, mentorship, and access to financial opportunities.

Present at the unveiling were key stakeholders in the technology space, including the Chief Executive Officer (CEO) of Future Africa, Mr Iyinoluwa Aboyeji, who commended the organization for the initiative, noting that it’s one of the organizations that are building the future in a very practical sense.

On her part, the head, Lagos Innovates (Startups), Ms Ireayo Oladunjoye, also commended DSN on behalf of the Lagos State Employment Trust Fund (LSETF) and Lagos Innovates.

In her words, “we are glad to continue to support and collaborate with DSN and the AI Startup Lab in supporting the Technology ecosystem.”

Data Science Nigeria has trained, mentored and inspired 100,000 Nigerian undergraduates and graduates to build new skills in advanced analytics, data science and create one million jobs and opportunities in data science, including advanced analytics.

Continue Reading

Technology

Twitter Integrates Bitcoin Payment Feature

Published

on

Twitter Fake news

By Ashemiriogwa Emmanuel

Popular micro-blogging app, Twitter, has announced that it will roll out the ‘Tips feature’ that will allow users to get paid in Bitcoin on the social network.

This is a sequel to the introduction of Tip Jar, a recently added feature on the bird app that makes it easy for users to send money to their favourite creators on the micro-blogging service using third-party apps, including Cash App, Patreon, Venmo, Chipper, Bandcamp, Razorpay, GoFundMe, PicPay, and Wealthsimple Cash — depending on their region — to their Twitter bios and individual Tweets to receive funds.

Disclosing the twitter-bitcoin integration, the company on Thursday said that its Tips feature will now roll out globally to all Apple iOS users this week and will become available for Android users in the coming weeks.

According to the company, the new feature will also allow users to add their bitcoin address to send and receive these cryptocurrency tips.

It added that no cut of the money is taken from any money sent through its Tips feature.

“We want everyone on Twitter to have access to pathways to get paid. Digital currencies that encourage more people to participate in the economy and help people send each other money across borders and with as little friction as possible — help us get there,” the product lead manager of the company, Mrs Esther Crowford said.

With over 330 million monthly active users, Twitter’s integrated Strike bitcoin lighting wallet service is little or no surprise, given that its CEO, Mr Jack Dorsey, is one of the most vocal supporters and endorses the adoption of the cryptocurrency.

Mr Dorsey had previously hinted that a BTC tipping option was being developed when the social media firm revealed its “Tip Jar” concept was designed to enable platform users to reward content creators with the touch of a button.

He has also discussed his other company, Square’s plans to build a decentralized exchange for Bitcoin.

Continue Reading

Like Our Facebook Page

Latest News on Business Post

Trending

%d bloggers like this: