This Expert Opinion is taken from an article published on Hackernoon. It is used with the permission of the author.
Cybersecurity is a promising sector
Just as defense becomes a more valuable sector in times of war, cybersecurity is becoming a valuable sector.
In recent years the cyber sector has branched out further to encompass additional electronic and digital commerce industries where cryptographic security has become a necessity to safeguard market participants.
In 2018, over $1.8b was raised for cybersecurity startups, according to data from CB Insights.
Analogies of monetizing data to monetizing money
Ideally, some of the value captured from consumer data within an industry like social media should go back to consumers who would be compensated for their data.
This need to compensate users for their data is analogous to what an account holder expects in terms of earning interest from within a checking account even as the bank re-hypothecates those funds for use elsewhere.
Fintech Service Providers:
- Compensate users more, not just shareholders
- Create public utilities that are open (open-source)
- Encourage self-reliance and set those expectations in terms & conditions
How to fix the problem: you are the solution
Comparable to banking (but worse) much of the modern web is so highly inefficient that it is as good as broken and change is needed at the infrastructure level.
Even if the value is captured at the protocol level and shared with the public (compared to the application layer), it does no good if users cannot be more self-sovereign over their data. For example, matters like the self-custody of digital assets or other plain-text secrets relating to privacy/security and personal data should be controlled by their respective owners in an ideal world (i.e. power to the people).
My point is that there is an opportunity for change and to fix things, but it’s the end user [you] that needs to regain power as companies alone cannot be expected to be our guardians, which is why I think greater self-reliance is inevitable for the greater-good and safeguarding users on the web.
Until then we remain helplessly reliant on many services and at the mercy of the cybersecurity risks, yet we can act to reduce those risks and regain defensive power to deter the growing array of threats online including phishing (i.e. typosquatting from bogus emails, sites, and program executable files that appear genuine).
- Consumer education will help empower change
- Software changes in UI/UX design leading to new tools and experiences
- Defend against cybersquatting/phishing (i.e. here is a quiz from Google)
Using cybersecurity tools, the good and the bad
While plenty of tools exist on the dark web and that are often used offensively by bad actors to do harm to others, consumers literally remain in the dark, as they do not have access to equally powerful tools that could be used for defensive purposes, unless they rely on third parties.
Examples of Cybersecurity Tools and limitations:
- Kali Linux and penetration testing software (can cause damage if misused)
- Vulnerable Password managers (can expose password)
- Privacy hoarding VPNs (may not protect privacy)
- Leaky Firewalls (may not prevent hackers)
- Bug-prone end-to-end encrypted services (may not protect data)
Breaches and the need to reduce the ‘quantity’ of trust
The problem is that third parties are subject to breaches, as we’ve discussed, where consumers end up becoming the victim.
There must be ways that consumers can take greater responsibility to protect themselves, and that is what I am writing about here, including tools that are available albeit remain mostly complex and hard to access without relying on trusted third-parties.
Again, my goal is to help users minimize the trust they expend, not eliminate it completely (not yet), as some level of trust is always needed at some level.
The building blocks of cybersecurity
Consumers remain largely unsafe against hackers or data compromises due to data privacy leaks and a growing landscape of cybersecurity risks, thus empowering consumers directly seems like a logical next step as we enter deeper into a greater need for cybersecurity. Below we examine various cryptographic primitives available today.
Building blocks of cybersecurity applications:
- Randon-Number Generators
- Hash Functions
- Encryption/Decryption Ciphers & Algorithms
- Zero-Knowledge Proofs
What does the road ahead look like for consumers when it comes to cybersecurity? And what can consumers do to protect themselves without the need to be as reliant on others and instead be more self-reliant on their own defenses against these risks?
These are the types of questions I think about and which lead me to the inevitable conclusion of an upcoming trend of self-reliant and empowered internet users which we discuss below in ways to shine some light on the web.
Examples are not meant to be exhaustive:
- Use of Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) (but be sure to backup recovery key before syncing)
- Securing any secondary email addresses listed as recovery addresses on main email accounts
- Disabling Two-Step Verification (2SV) for any security-dependent services to reduce SIM port hacking risks
- Combine the use of a VPN along with manually setting DNS (i.e. Cloudflare’s https://18.104.22.168/ service)
- Learn to inspect code even if it looks unintelligible to the untrained user
- Learn to run command line operations and apps from a terminal window
- Ask questions and research answers and be responsible for your own due diligence/opinion
- Question security assumptions and go deeper layer by layer
Empowering the light web
The problem most internet users face in protecting themselves online is that the cybersecurity tools that consumers could theoretically use to protect themselves are often too complex to run manually, even though they are readily available today (links further below).
Cyber complexity challenges for users:
- One mistake can make a secure process insecure (i.e. reusing the same salt/key and initialization vector to encrypt different messages).
- Less room for error (i.e. no reset button)
- Greater attention to detail required
- Takes time to learn new approaches/methods
Expected security assumptions in terms of bits
Cryptographic primitives will change over time, as they will be used so long as they are perceived to be safe and up until they are no longer secure. In advance of that convergence point (when old methods are no longer as secure relative to the risks), new methods are used to replace the old primitives ones.
Source: Pedersen cryptography (commitment scheme cryptographic primitive)
Cryptographic Security is usually measured in binary bits, which may refer to the length of a key and/or the range of possible numbers that the key was randomly chosen from (i.e. a 128-bit binary number chosen from a range of 2¹²⁸ possible 128-bit numbers).
Opinion: Any Psudeo-Random Number Generator is only as secure the various entropy inputs it gathers from various input sources, each time the generator runs (such as is outlined in the W3C Crypto API referenced in this post).
Cryptographically secure processes imply that the underlying primitives and method of construction of the processes used by an application has ideally been widely tested and relied upon as an industry standard.
Meanwhile, newly introduced proposals (i.e. blind signatures, by Boneh et al) may still be under the peer-review period and going through such testing and not yet adopted.
Here is an example of a diagram/flowchart showing the schematics of BIP-39 for Curve Ed-25519. Cryptocurrency wallets that implement this process to create human-readable keys (mnemonic words), will usually result in 256-bits of security in the resulting 24–words (or 128 bits for 12-word key phrases), excluding the checksum bits which are deterministic (hash-derived).
Breaking modern cryptographic primitives
While the cryptographically secure processes we’ve discussed could (and likely may) be broken in the future, for the present moment they are believed to remain safe enough. These primitives are tested by and depended upon by the cybersecurity community for a reasonable amount of time (i.e. the next few years or until they are expected to no longer be secure), given the number of known theoretical attack vectors that are feasible. It’s a race against time.
Any such security assumption means the attack vectors that are infeasible are valid risks that just have an extraordinarily low probability such that they are considered near impossible/improbable. In other words, given the available technology and resources that an attacker or group could access, if it would take 1 million years to guess a password of with n bits of security, that becomes a negligible risk.
Quantum computers could potentially crack such a password (see Polynomial versus Non-deterministic Polynomial time on Wikipedia) perhaps in minutes or days, turning the risk into a non-negligible one that would no longer provide the security needed to remain cryptographically secure and require immediate change.
A new suite of Quantum-resistant algorithms has been proposed as part of a second-round selection following submissions to the National Institute of Standards (NIST).
These forward-thinking preparations enable the worldwide web including major standard’s bodies to have enough time to transition to the next-generation of encryption algorithms when the time is right (ideally long before the currently used ones are broken, and using the Mosca Theorem to estimate how long).
Reality check: Reseachers who were funded by grants from the US, Switzerland and Russia, recently announced a paper proving the ability to reverse time or reverse-enginner data (rewind states) through the use of a quantum computer program design, as seen in the excerpt below.
These next-generation technologies will be the building blocks for cybersecurity tools which go through rigorous testing by academics and governments globally before being widely adopted and incorporated into standards for everyday use by the masses.
Cybersecurity tools remain complex
Running a primitive cryptographic application manually (i.e. hash functions, or encryption and decryption algorithms) remains a highly technical process even for sophisticated users, often requiring programming-like skills such as running code on a command-line level.
Here is a snapshot of what the hash value is for an empty string (“”), using three hash different algorithms separately in Python.
Many powerful cryptographic primitives help secure the internet protocols that run the web but are unavailable to the masses in “easy form”, forcing them to trust related third-party services who implement such services — behind the scenes — on their behalf.
Even more advanced software such as Kali Linux can cause numerous problems and harm if used incorrectly (i.e. accidentally DDoS’ing your own website and getting your IP blacklisted from your own provider) and is an example of the type of tools that hackers use offensively.
Yet, the same tools are also used by security researchers and hired white-hat hackers for defensive purposes to audit software and look for vulnerabilities to patch.
Automation happening behind the scenes
I hope by now this picture is becoming more vivid, in terms of the processes that you could imagine are happening behind the scenes by software, even during normal processes such as sending an email or uploading a file to an encrypted service.
As many third parties eventually succumb to some type of 📁 data breach or mishandling of consumer data, this, in turn, can cause financial and physical harm to consumers. Whether sensitive personal data and privacy are part of a breach, if there is direct potential financial harm such as loss of property or funds, such breaches could even result in the loss of human life in the worst cases.
Below we will look at some solutions to begin to chip away at solving these problems, with the help of open-source software and open systems.
Open-source provides Transparency first and foremost
The main aspect of open-source is not whether the software is free or not, but whether the underlying language and architecture are visible for its users to examine and potentially vet the source-code in its entirety.
Compare this open structure to closed-source technology which is based on blind-trust when it comes to any underlying code which remains hidden to all except its creators/owners, and you can see there are pros/cons to each approach.
The range of open-source licenses
Even though there are different types of open-source licenses (see choosealicense.com from GitHub), ranging from less restrictive and more open, to more restrictive and less open, at the end they are all open in terms of visibility of the code (which is what matters in the context of this article).
Open-source public repositories such as code found on sites such as Github invite collaboration as the public can inspect and contribute corrections, improvements and other feedback that can help drive the development process.
Linux has evolved as an open-source operating system where some of its branches (distributions) are vibrant and widely used, while other branches died off due to lack of support/adoption. Below is an example of how open-source can evolve, as seen in this treemap of Linux distributions over time:
source: NPU on Reddit
Other licenses that have yet to be accepted by the Open Source Initiative (OSI) standard’s body that deals with the official “open-source” designation are still open-source in my opinion. For me open means the full visibility of the source code, even if the secondary benefits of sharing and use are restricted, such as MongoDB’s newest Server-Side Public License (SSPL).
Cybersecurity risks with open-source software
While open-source software can be just as susceptible to security breaches as closed-source or mixed-source software is, making the code fully open allows for transparency to proper due diligence to be conducted.
A recent analysis found that many open-source projects have leaked their cryptographic key data, which shows that best-practices are needed to secure authentication data (i.e. a path to the user’s SSH key referenced, as opposed to referencing the actual secret key in the hosted file).
Firefox recently launched its Firefox Send web app, which enables a user to send an encrypted file to anyone else via the use of a link, where the link acts as the key to decrypt the file, along with the ability for links to expire and be made available to one or more recipients.
End to End encryption, from 3rd party services
Services that use end-to-end encryption might even be illegal in certain countries (like in Australia which just passed new encryption laws last year, unless certain backdoors are implemented which inherently reduce the security properties such service try to aim to offer in the first place).
Other countries are funding the development of end-to-end encrypted service, with the European Commission recently awarding a grant of over 1m euro to Swiss-based provider Proton Mail to help fund its bug-bounty offering to crowdsource development of its open-source components (i.e. pay developers who help improve its code and find/fix bugs).
And while open-source is transparent (unlike closed-source code), it still requires either self-reliance to inspect the code yourself or to rely on trusted third-parties who maintain such repositories.
Cybersecurity Tools for Defense
What should a consumer do if someone must always be trusted, are there other options?
This is a key question that is driving my focus when it comes to what consumers need to stay safe online, and ways they can use cryptographic primitives in easy-to-use cybersecurity tools.
Perfect Security will never exist
Just as a clean room is only clean at that moment in time, as a particle of dust might fly in, time introduces decay in a process known as entropy. This is a term (and formula) also used in computer science that Claude Shannonborrowed from Boltzmann’s equation for entropy in physics, as it shared a similar structure for calculating the strength of a random string, hence entropy applies to information theory.
Pro Tip: You can calculate the entropy of a random password generated by calculating the log2(possible combinations) (i.e. log2(PasswordLibrary^PasswordLength) = overall entropy in bits.)
- Log2(Possible combinations)= overall password entropy
- RangeofPossibleCharacters^LengthofPassword=Possible combinations
- Log2(RangeofPossibleCharacters) = Entropy per character
- Entropy per character * LengthofPassword = overall password entropy
The reason there is no such thing as perfect security is because of time, since as time passes, new methods of penetrating security arise because security is a process, not a destination. This is also why key sizes continue to increase as even more entropy is needed. In the words of many famous cryptographers and cybersecurity thought-leaders, let us ponder those words again, “security is a process, not a destination”.
[…security is a process, not a destination.]
Steven Hatzakis – Head of Blockchain Expert Committee