Internet security.
It seems like yesterday when 12 years ago I was hunting for viruses in the computers of my friends. Basically in any computer I could get my hands on. It all started back in Windows 98, on a computer with 64MB Ram. Most of the times, my visits to friend’s houses would end up in me cleaning their computers from ridiculous amounts of viruses, troyans etc. Those were the first couple of years of internet access and most people thought that the computer was just another gaming machine. One of the most remarkable things I have seen was computers being totally controlled by backdoors, the mouse being totally hijacked and the other party closing any windows I would open, cancelling my downloads etc. The only thing that helped there was to pull the phone cable out and format.
That was still the era of the dial up internet. On one of my malware adventures, I had a close encounter with a dialer and I instinctively pulled the plug without really knowing what was going on. Just the fact that a modem starts dialing on its own, seemed suspicious enough. With the dawn of DSL, we saw rootkits and all sorts of spyware infecting peoples computers.
One of my favourite tools back then were independent firewalls. I still remember how disappointed I was when my favorite firewall was bought (and eventually discontinued) by another company as the new windows firewall rendered all firewalls obsolete.
And there was also…. SPAM. Huge amounts of unsolicited emails created a problem that seemed unbeatable, almost invincible. I used to spend long hours trying to track down the spammers domains and hosting providers, then sending emails to all abuse addresses I could find, hoping to get some provider to take some action. 9/10 of the providers didn’t reply. It was only after gmail appeared that the problem of spam was more or less solved. With such great spam filters Google mail became the slayer of spam! Little did we know back then that gmail was not really free and besides viewing ads, we have been paying for the service with our privacy. Nowadays I believe that privacy is a far too great price to pay for spam filters, no matter how good they are.
“Entropy is a terrible thing.” Why is security researcher Juan so right? His words, posted at the recent Kaspersky reddit AMA session (questions and answers) made a huge impact on me. On the one hand I was thrilled that these guys replied to my questions, on the other hand this sentence hovered like a black cloud over my mind. “Entropy is a terrible thing”. When I asked how we can get our privacy back, when we have been using services like gmail and facebook for a long time the answer was basically that we can’t. We can only limit the information we volunteer on those websites from now on.
I am a fan of Mikko Hypponen because he has the gift of talking in a very lucid and clear manner. I recently discovered how many more thrilling lectures of him have been published on YouTube that are not only informative of the current situation but also dwell on the philosophical, social and ethical aspects of security and privacy problems. What did I learn from his lectures? That anyone who is not an American and uses American free services is being surveyed. As he states in his lectures, the American law protects the privacy of Americans but not of the rest of the world. Which is quite absurd, in my opinion, because all humans have the same right to privacy. You can’t justify an unethical action simply because a person was born somewhere else.
This lack of privacy and our general stubborn refusal to understand how serious this issue is led me to do something about it. I switched to a European email provider that uses encryption. I started to limit and audit the texts I send through the facebook messenger by asking myself, do I want the NSA guys to read this or not? The plan is to slowly stop using it completely, once I have found a satisfying replacement.
And then this.
Happy with my new encrypted, non-American email I started using it to email friends. The provider has a wonderful interface and even an app for android devices. A worthy replacement of gmail. However, I noticed that all my friends have their email accounts on gmail or other American free providers. So, when I am sending my nicely encrypted email, the text is being received by an American server, lands on the gmail hard disks and back to the NSA. WTF! It just dawned on me that it is not enough for me to protect my privacy but anyone who would want to exchange emails with me, should take care of their privacy too. This is a kind of a dead end, especially when you have to send professional emails to employers or colleagues who use gmail. 99% of them use gmail and you can’t really ask them to change email provider without risking getting fired :D. Some people may tell me that it is not a big deal and who cares about the privacy of such mundane emails? And I would reply, why should it not be a big deal? It turns out that our options are very limited. Our options are reduced to using the internet for professional reasons or not using the internet at all :D. They are basically holding a gun to our head.
Awareness.
We need to spread awareness. The ideas spread by Mikko’s Hypponen lectures are quite unique. Nobody talks about these, apart from few other IT security experts. We need to reach people who are not interested in computer security and educate them. We need to find creative ways to create awareness. IT security companies have now a role that should actually be a governmental role. Just like our physical security is a matter of the police, our electronic security should also be. Ironically, it is governments who mostly threaten our privacy! Antivirus companies have developed from simple computer geeks to people who safeguard our electronic rights and security. The more the world relies on technology and the more our lives depend on the internet, the more important becomes to be cyberly secure. The responsibility of educating people now falls on the Antivirus Companies and Security Researchers. Their publications, tweets, lectures and communications with the world should not be targeted only to security professionals, nor only to computer geeks. I am afraid that it has become an ethical obligation to reach every novice user of the internet and explain to them the gravity of the situation. Because if we don’t spread awareness, we cannot hope for change and improvement in the laws on privacy but mainly in the habits of people who use the internet.
Of course, there is another solution to the problem, that could potentially limit the spreading of viruses to the masses.
Create a computer that is … not a computer. Create a computer model that has a similar philosophy to the android devices and does not make it easy for viruses to be planted in it. The vast majority of pc users, use only a browser and MS office. Would it not possible to create a pc desktop with an operating system that does not allow programming and making big changes on it? Just like in smartphones? One would only need to add MS Office functionality and this would cover 99% of people’s computer needs, personally and professionally. Most people don’t even use 10% of the capabilities of their computer. Why expose them to a powerful system, that they don’t need nor know (or want to know) how to protect? This idea kind of reminds me the administrator option that windows introduced at some version, but that was different I guess, because one had the option to bypass it.
Basically we need a new operating system to cover the needs of the new internet era. Things are changing and the time has come for us to see new operating systems and even new kinds of hardware! The question now is whether mankind will be able to keep up with the changing internet needs and threats by creating secure systems and spreading awareness, or whether we will be left one step behind change.