Lifetime Warranty: Data & Identity

Living in a neighborhood replete with tall, deciduous trees, when the opportunity arose I had “gutter covers” installed around the house. When once one of those tall trees decided to attack the house, I remembered the “lifetime warranty” that came with that installation. Sure enough, it was for the lifetime of that company, which — naturally — no longer existed.

There’s a bit of chatter around Twitter today regarding a decision to purge idle accounts. The details apparently aren’t firm yet, but the vagaries include “sometime next month” and “accounts that have no login in the last six months.” One of the voiced benefits: freeing up account names so they can be reissued.

Two angles appeared immediately:

  1. Identity Management. People and organizations have identity, reputations, and relationships linked to their names. When the names change, we start over, for better or worse carrying little if any notoriety between the names. Similarly, should someone move in and claim our names, they have the opportunity to claim our identity, our reputation, and our relationships. Sometimes it’s “Under New Management!” Other times, the havoc of identity theft ensues…
  2. Data Management. TOSs and EULAs be damned! When you place your data and communications into another organization’s hands, you are implicitly accepting the risk that your data will be lost, stolen, compromised, abused, used for purposes other than you intended, etc.; and you are implicitly accepting the risk that that access switch will be turned off without a moment’s notice. What now?

Yes, “what now?” indeed…

In the Twitterverse, I’ve seen the first “What about my deceased dad’s tweets?” questions. “I like to visit them from time to time to remember our conversations, but I don’t have a login to his account!” Extend this to every other data service that relies on a third party to accept, hold, and present data that means something to you: Facebook, Instagram, YouTube, email, blogs, websites, data storage, …; then remember that your rights to all of that are as thin as the clause that allows the provider to change the agreement at their leisure.

How about identity? I shared with you in a recent post seeing a text message from my friend that was actually from his wife, yes? When large numbers of our interactions are not face-to-face anymore, let alone in our own “voice,” we become quite comfortably conditioned to accept that email accounts, text messages, Twitter handles, and everything else are natural extensions of the person or entity that we trust. (Conversely, it is easy to assume that an email account, text message, Twitter handle, or anything else is not from an individual we trust if we have not previously associated them with the individual ~ but that’s a post for another time…) The bottom line? These chains of trust are often easily broken, and once broken they are easily exploited.

What to do? Well, in our perspective it boils down as usual to risk analysis. For each piece of data, for each service you use, ask what it would mean to you if it was gone or compromised. Do you have your cloud data backed up locally in some intelligible format? Do you have the sensitive stuff protected even in the cloud? Do you have alternatives available to provide those basic services like group / family communications, email, instant messaging, and telephony? Are your peers aware of your plan, and do they know how to fail over to the alternatives? Do you have methods in place to authenticate one another, verifying identities periodically and especially before discussing important matters when not face-to-face, so you know you’re communicating with the right person? Do you have a strategy to signal that the communication channel is not secure, to switch to alternative channels, or even to indicate on the sly that you’re in distress?

Some of that may seem far-fetched. If so, good! Maybe you’re one of the ordinary folks who may never encounter these problems. Either the items are not in your threat modeling, or they are in your threat modeling but you estimate it’s extremely unlikely that you’ll be impacted catastrophically if they do occur. That is a completely reasonable outcome of thoughtful risk analysis. On the other hand, if any of the threats resonate with you and you haven’t given any thought to handling them, well, good! That’s also a completely reasonable outcome of thoughtful risk analysis, and now you know where to focus your efforts.

Our role? Helping people and organizations open their eyes to the possible threats — particularly those in their blind spots — and helping with remediation strategies where warranted. We make posts like these freely and communicate the same everywhere, and we offer to confidentially review your situation as a service. Take a stab at the exercise yourself, then contact us for an outside assessment.

Security: It’s not a joke.

Browsing through INFOSEC social media, I spotted a post picked up by the community gaining some traction. Content?

“The people most afraid of being spied on are secretly hoping they’re interesting enough to be.”

Some Jackass on Twitter

Right… so what about “nobodies” like these?

  • Reporters
  • Dissidents
  • People in abusive relationships
  • People with oppressive employers
  • Victims of identity theft
  • People with medical conditions
  • People with socially unpopular lifestyles
  • Victims of data compromises all of the way up to the OPM level.

Maybe it’s just “locker room humor” inside the INFOSEC echo chamber ~ who knows? Still, there are three points to consider:

  1. The INFOSEC community historically uses fear to raise awareness, to maintain vigilance, and undoubtedly to drum up sales as well. The profession inspires paranoia.
  2. People and systems are watching you. It may not always be personal, and it may not always be with hostile intent, but systems are actively working to monitor, characterize, and profit from your activity. [Insert targeted ad here.]
  3. There are plenty of nobodies who actually are targets of personal, hostile monitoring.

The community can do better:

  1. Focus on proper risk management: Consider the client’s situation and what the client wishes to protect. Consider the potential threats, the likelihoods of compromise, and the estimated costs of damages. Consider mitigation strategies and costs. Formulate a plan accordingly.
  2. From time to time, give back: Use your skills developed in corporate and government environments to help those nobodies and communities.
  3. Read up on and support organizations such as the Electronic Frontier Foundation (EFF), a non-profit focused on digital privacy, freedom of speech, and associated technologies. As of this morning, their front page story is related to stalkerware. Check their page “Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communications”, an invaluable resource.

And as always, if you need additional help, contact us.

Roll Your Own? Why not?!

In today’s news, there are revelations, allegations, and speculations of commercial VPN compromises. In at least one case, it seems the access to the VPN server came through the cloud hosting provider’s administrative access to the hosting hardware. In that case, with root access, public certificates together with their private keys used by the service were accessible for a few months before the cert expired.

That paragraph contains enough fuel to fill an INFOSEC proponent’s life with glee ~ page one of a veritable “choose your own adventure” novel: Which thread would you like to pull? The obvious one is how wildly these commercial VPN providers promote how secure they’ll make you — often leading one to believe that security extends a bit beyond the scope of what a VPN provides — and here they are in the news. Karma… people do love that “pride before the fall” business, don’t they? Here’s a less shiny thread that should have industry scratching their heads: What if the VPN provider did everything technically right, but it was the cloud / hosting provider’s security breach that allowed the compromise? Has your organization considered that angle for cloud security? Do your contracts pass liability to the hosting provider? If so, would it really make a difference once your brand takes the black eye?

Stuff worth considering. Anyway, for me, it was something different. It was a blowhard’s Twitter thread seemingly mocking other people’s advice to roll your own VPN service. People piled on and then one person escalated with “‘stand up your own VPN service’ is the new ‘stand up your own email server.’” Naturally, anything near that fire ignited as well. Soon there was, “Why not stand up your own ISP?” “Why not create your own internet?” “How about a WISP?” “How about those mesh networks?” “Why not roll your own crypto?” Etc.

Sigh… “Celebrity shit-posting” and the anti-intellectuals hopping on the bandwagon. Who benefits from it all? Not our clients, that’s for sure.

So, for each of those “Why not?” assertions that cause actual SMEs to cringe, let’s instead ask “Yes, why not indeed?” in response:

  1. Why not stand up your own VPN? Whether your objective is to tunnel your traffic out and away from the coffee shop or the airport lounge, or if it’s to reach your files at home or your servers at the office, a private VPN is absolutely a correct answer. It is simple enough to do, and it’s completely private. The up-front costs are between $0 and $50 and the recurring costs are likely between $0 and $10 per month depending on the complexity and what you want to accomplish. Odds are that you’ll be using the same software components that the commercial folks are buying.
  2. Why not stand up your own email server? The code bases for the two or three major software packages have been stable just about forever and are still actively maintained. They’re proven and they’re battle hardened. You can keep your data close by and controlled.
  3. Why not create your own ISP? Internet? WISP? Mesh Network? Were you even aware it was possible? Your cheap wireless firewall router box from Walmart essentially sets up a private network in the house wherein you can set up websites, file servers, email servers, and whatever else you like and make them all accessible to anyone on that network. Everyone in the neighborhood could do the same. If they’ve got something cool they want to share, we just need to establish a network link to join them and a mechanism to route the connections back and forth. Maybe that’s a router and a wireless connection that everyone on the cul-de-sac can see. How about a few houses up the block where the signal is a bit weak? What if the house just before it could relay the signal? So far, nothing has touched the internet-proper at all. Here’s the thing: Communities are doing this. Places without internet access have travelers bringing back copies of websites on a thumb drive to be added or updated to the isolated network — how cool is that? Under-served communities are setting up their own Wireless ISPs to ensure that families and businesses can get a signal where Comcast and Verizon don’t believe it’s worth going. Cities are standing up their own public ISPs to ensure a base level of services is available to all of their citizens, much to the chagrin of the major ISPs.
  4. Why not roll our own crypto? Here’s the thing: the first iterations of anything, including crypto, were people rolling their own. And like everything else, we learn from mistakes and make improvements — a continuous process. It’s one thing to ignore the work of folks who’ve gone before, but it’s an entirely different thing to shunt people to ground and declare that they shouldn’t try and innovate.

It goes on. We can handle our own email and data. We can create our own telephone and chat services. We can make our information available to each other in any number of forms. We can do it all privately, and we can actually do that without touching the internet itself — the same equipment that lets us connect to Comcast and Verizon lets us connect to each other without them. Is it worth it? Well, that depends on us: our risk tolerance and our operational needs.

With the explosion in commercial networked technology over the last 30 or so years, you’d think we’d all be able to stand up a website or similar before graduating middle school. Instead, as a society we’ve largely become device operators, ignorant of how the pieces fit together. There, there — leave it to the professionals… We’ve created a new form of illiteracy, and it’s left us ungrounded — unable to distinguish when we’re being hoodwinked or bamboozled by businesses, governments, or anyone else.

Before you know it, we have celebrity shit-posting SMEs on Twitter making technical recommendations to major corporations putting us all at risk.

So, if you find yourself around the water cooler with the kibitzers slamming that commercial VPN for their breach, why not pull the other thread instead and ask them how they mitigate the risks of putting their own corporate services in the cloud where they could be compromised by the host? It could be an interesting chat.

Find your trusted advisers and ask questions. Never stop asking questions.