On April 4, 1967, Dr. Martin Luther King delivered a passionate speech at Riverside Church in New York staking out his opposition to the war in Vietnam. One year later to the day, he was assassinated. Now, 50 years after that fateful day, the truth about the assassination of Dr. King can finally be told.
Now openly admitted, governments and militaries around the world employ armies of keyboard warriors to spread propaganda and disrupt their online opposition. Their goal? To shape public discourse around global events in a way favourable to their standing military and geopolitical objectives. Their method? The Weaponization of Social Media. This is The Corbett Report.
I touched on this story in my article, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, but i wanted to give it a dedicated page and expand on it because i keep coming across bits of information which seem to verify something i was told long ago regarding encryption.
Somewhere around 2002 i sold a PC to a very nice, older fella who said he had worked for the government either directly or as a contractor. I don’t recall which and he didn't state what department he worked for. He said he had a security clearance and, as i recall, it was a crypto clearance. He left me with the strong impression that he wasn't going to provide a lot of detail as to what exactly he did, however i had no reason to disbelieve anything he said since he seemed genuine and very matter-of-fact. Our time together was short because he had to be somewhere, but we chatted a while and he touched upon some very interesting topics that i wanted to know more about and so i suggested we continue our conversation through encrypted email. He looked at me and responded with, "Encryption is useless.". Those words stuck with me ever since.
Cray Trinity Supercomputer
Obviously encryption is not useless, but i suspect what he meant was that the "intelligence" community has the ability to break possibly any encryption that existed at the time. While i was somewhat skeptical about his statement, that skepticism has since evaporated. First of all we have to consider the computing power that the intelligence communities have access to. Let's assume that you're encrypting an email using a modern encryption algorithm along with a very long and secure passphrase, and let's further assume that it would take roughly 10,000 years for the average computer to break it. Would you feel confident using such encryption? Well, what happens if that code breaking computer is 100,000 times more powerful than your PC? And what if you chain together 100 of those computers? Decrypting that email may now be possible in a few hours or seconds. Does the NSA not have access to computers that are orders of magnitude more powerful than anything in the public sphere? And what might they have that we don't know about? What about quantum computers? Without the ability to know what the enemy possesses, one must assume that no encryption is safe.
Whether encryption is useless or not depends upon the threat we want to mitigate. For example, if you wanted to download copyrighted content whilst avoiding having your ISP send you nasty-grams, then encryption is certainly not useless. However given what i have read and heard over the years, i strongly suspect that encryption is not effective if, for example, it is the NSA that decides to target you and i think that multiple statements and documents released by Edward Snowden and Bill Binney strongly suggest this. There is perhaps another possibility here though. What if, as some suspect, Snowden was allowed to leak what he did, sort of as a limited hangout. Personally i think Snowden is genuine, but that doesn't mean that the information in the documents he released wasn't intended to be released. Furthermore, there is certainly classified and compartmentalized technology that Snowden knows absolutely nothing about. What if the U.S. intelligence community wanted to quell a potential uprising by 'we the people'? It is apparently a historic fact that one way to accomplish this is to make people think they are being surveilled which, in turn, compromises their ability to communicate effectively due to self-censorship.
I think it is smart to assume that everything we say or do over a network, or while in the presence of electronic devices capable of recording us such as a smartphone or smart assistants, is being recorded. Even if the encrypted data we send and receive were secure, that data can be stored indefinitely until some time in the future when the encryption can be broken. One may assume that the immediate problem with storing that amount of data is processing it and developing coherent intelligence, however this is seemingly quite doable with advanced technology such as quantum computing and artificial intelligence (AI). Both Binney and Snowden have stated that the massive, ongoing and patently illegal and unconstitutional data collection practices as employed by intelligence communities are not effective in preventing threats because of the wide net cast by the programs, but i'm not sure they considered AI or other advancements in technology, or even know about some of the hardware which may be in play.
In the 2015 interview with Bill Binney (video below, NSA Whistleblower William Binney The Future of Freedom), Richard Grove of Tragedy and Hope asks Binney what people can do to mitigate the risks posed by mass surveillance. Binney answered with the following:
If you're a target i don't believe there's any way you can eliminate the risk. I mean in fact i don't think there's anything you can do to stop it. If they're after you they're going to get you one way or the other. I mean there's so many...if they can't get it through the internet, through the tapping of the lines, or anything like that through a commercial means, and they're unsure about you, they can get it by close access means, uh coming in and actually bugging your house or bugging your, um, or putting monitors in your system...in your house or on your computer, they can use your computer video to look back at you, or they can monitor um, within a certain distance the keystrokes you're making on your computer or what you're putting on your computer screen and if that's not enough they can come in through the firewall you think you have but don't and go through your operating system that you think protects you but doesn't and read your uh, encrypted email that you thought was secure but isn't, or, they can simply wait for you to do decrypts if you've done that and pull them off and use your unused CPU while you're on the computer to drain it. It's called active attack. So if you're a target there's virtually nothing you can do. And if they fail in their electronic means they can always send the FBI at you to do a sneak-and-peek and take your photograph or do whatever they want.
Another Achilles heel regarding encryption is that, even if the algorithm were bullet proof, it wouldn't matter in the least if there are backdoors in the code. Again this was talked about by both Binney and Snowden who stated that this is indeed a problem. In the 2013 article, NSA and GCHQ have broken internet encryption, created backdoors that anyone could use by Extremetech, we read:
New documents released by Edward Snowden show that the NSA and its British equivalent, GCHQ (pictured above), have cracked VPNs, SSL, and TLS -- the encryption technologies that keep your data secure on the internet. The NSA program, dubbed Bullrun, took 10 years to crack the web's encryption technologies, before finally reaching a breakthrough in 2010 that made "vast amounts" of previously unreadable data accessible. Perhaps more worryingly, the NSA has an ongoing program to place backdoors in commercial products (websites, routers, encryption programs, etc.) to enable easy snooping on encrypted communications. The documents, which contain some choice phrases such as, "work has predominantly been focused this quarter on Google due to new access opportunities being developed," almost completely undermines the very basis of the internet, obliterating the concept of trust online.
The documents outline a three-pronged plan to ensure the NSA can access the bulk of the internet's encrypted traffic: Influencing the development of new encryption standards to introduce weaknesses, using supercomputers to break encryption, and collaborating with ISPs and tech companies to gain backdoor access.
Despite the threats we face we must never be dissuaded from communicating. We must have dialog because without it, as Binney states, society stagnates and self-destructive behavior is one of the results.
video: NSA Whistleblower William Binney The Future of Freedom
video: They're Watching You
video: NSA Whistleblower: Government Collecting Everything You Do
Relying on anti-virus software to protect your system is tantamount to relying on guard rails to keep your car on the road. Here's why...
UPDATE: Since writing this article i have finally dropped Windows and moved to Linux-based operating systems which are inherently more secure in some ways (not all). I humbly suggest you consider doing the same. End update.
My view on the subject of anti-malware/security suite software may be quite different than that of most casual computer users. I think that one of the primary keys to securing your system is a lack of stupidity rather than anti-virus software, and that relying on such products for protection is tantamount to relying on guard rails to keep your car on the road.
Problem number one: Often the primary method vendors of anti-virus software employ to protect against malware is by way of virus signatures, also known as 'definitions'. In order to develop a signature for a piece of malicious code, generally the vendor must be aware of its existence and since black-hat malware authors or those identifying 0-day vulnerabilities often sell their code or findings to major corporations, governments and other black-hats, they are obviously going to try to protect their secret as long as possible. This means that an exploit may exist undetected in the wild for hours, days, weeks or even years.
Problem number two: There are many viruses and software exploits that were never, are not currently, and may never be detected by any widely available, general anti-malware product. In fact, it is rather trivial to write a piece of malware that most popular anti-malware products will happily report as being 'clean'.
Problem number three: No single product can possibly protect your system against all threats, much less malware which is tailored for a specific target. On the other hand it simply is not feasible, or even possible in some cases, to run multiple anti-virus products simultaneously.
Problem number four: Everyone with an internet connection has very likely been infected with malware. If you think you are an exception, then i would posit that you simply never knew your system was/is compromised.
Problem number five: The good ol' days of malware are gone. While it was often humorous to read about or even experience your mouse cursor moving without you moving it, much of the malware being distributed today is orders of magnitude more sophisticated and more dangerous. Malware that targets industry has actually killed people. Today's malware is often designed to be as stealthy, efficient and resource friendly as possible so that it can remain completely undetected. With many millions of dollars to be earned in the malware market, the stakes are extremely high.
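How the signature gap described in problem number one plays out, as an added example that is not from the original article: a toy scanner with hash and byte-pattern definitions, plus the number of days a sample circulates before a matching definition ships. The samples, detection names and dates are constructed, and the byte strings are harmless placeholders.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Signature:
    name: str              # vendor detection name (constructed)
    released: date         # day the vendor shipped this definition
    sha256: str = ""       # exact-file signature, or
    pattern: bytes = b""   # byte-sequence signature

    def matches(self, data: bytes) -> bool:
        if self.sha256 and hashlib.sha256(data).hexdigest() == self.sha256:
            return True
        return bool(self.pattern) and self.pattern in data


# Constructed, harmless byte strings standing in for files.
SAMPLE_A = b"MZ...constructed-sample-A...MARKER-ALPHA..."
SAMPLE_B = b"MZ...constructed-sample-B...MARKER-BETA..."
NEVER_ANALYSED = b"MZ...constructed-sample-C...no vendor has seen this..."

DEFINITIONS = [
    Signature("Example.A", date(2024, 1, 10),
              sha256=hashlib.sha256(SAMPLE_A).hexdigest()),
    Signature("Example.B", date(2024, 3, 1), pattern=b"MARKER-BETA"),
]


def scan(data, definitions, today):
    """Return a detection name, or None when no definition released by
    `today` matches. None means "no match", not "clean"."""
    for sig in definitions:
        if sig.released <= today and sig.matches(data):
            return sig.name
    return None


def exposure_days(data, definitions, first_seen):
    """Days between first circulation and the first matching definition.
    Returns None when no definition ever covers the sample."""
    covered = [s.released for s in definitions if s.matches(data)]
    if not covered:
        return None
    return max(0, (min(covered) - first_seen).days)


if __name__ == "__main__":
    first_seen = date(2024, 1, 15)  # constructed "in the wild" date
    for day in (date(2024, 2, 1), date(2024, 3, 1)):
        print(day, "SAMPLE_B ->", scan(SAMPLE_B, DEFINITIONS, day))
    print("exposure window:", exposure_days(SAMPLE_B, DEFINITIONS, first_seen), "days")
    print("never analysed:", exposure_days(NEVER_ANALYSED, DEFINITIONS, first_seen))
```
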
I'm not suggesting you throw your hands up in utter defeat, trash your anti-virus software and commence to having digi-sex without a digi-condom, but i want to make it clear that relying primarily upon anti-virus software to protect you against malware threats is a road laden with land mines, regardless of how many products you use, what they cost, what they scored on the latest Virus Bulletin test, or what bells and whistles the vendor claims it has. If there was just one, affordable anti-virus product that protected against even the majority of the threats, there wouldn't be heaps of malicious hackers getting paid to write malware any longer, yet malware is more prevalent today than ever before and more people are running anti-malware software today than ever before. What does that tell you about the overall effectiveness of the anti-virus industry? And it gets worse.
The 2016 article, Antivirus software could make your company more vulnerable, from CSO Online, points out exactly what is suggested in its title which is that using popular anti-malware products that are generally trusted can, in and of itself, get you in trouble:
Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications.
Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms -- self-propagating malware programs. In many cases, attackers would have only needed to send specially crafted email messages to potential victims, to inject malicious code into legitimate websites visited by them, or to plug in USB drives with malformed files into their computers.
This does not mean you can't protect yourself from the majority of common threats however. Not only can you do so, but you can do so quite effectively without even using an anti-virus product. I wouldn't recommend that Windows users go without any protection, but my point is that anti-virus software plays a much less significant role for the savvy computer user who relies on more effective means of protection than any software product can provide.
Security is a dish best served cold. And in layers. Here are some of the key security practices i would suggest for most anyone, especially the casual computer user who is at the greatest risk due to their lack of technical knowledge:
Realize what the vectors for attack are, which is basically anything you connect to your machine including flash drives, discs, modems, routers, printers, USB devices, T.V.'s and even peripherals like mice and keyboards, as well as anything that is delivered through your network connection.
Realize that malicious software isn't likely to be considered malicious by your anti-virus product until after it is known to exist and a signature has been developed and pushed out by the vendor, leaving you completely vulnerable in the interim. Also realize that the existence of some exploits and malware may never be known.
Realize that no anti-malware product on the planet is bullet-proof -- Not. Even. Close. -- and many are just plain garbage or are effectively malware themselves which vacuum up personal data and send it off to who knows where, or worse. Do some research before choosing a product.
By learning just a handful of good security practices, the burden of protection will naturally shift more toward the smarter you and away from your dumber anti-virus software.
Do not install crap-ware or software from nefarious sources and, by all means, forget about "warez" and "cracks" as failing to do so will cause doom at some point.
That game or joke document that's being passed around all over Facebook or by email or wherever? Let it pass.
Get in the habit of never opening email attachments. None. Ever. Period. The only exception is if you are expecting something important from someone you trust and even then you should not trust any attachment blindly, especially if it's an executable. Even hyperlinks can be dangerous. Your coworker or close friend could be using a little social engineering to infect you, or they could be infected themselves and not know it, or it might not be your coworker or friend at all, but rather someone impersonating them. If someone sends you something you really want to see, ask them to send a link to the webpage if possible and make sure you know where that link is pointing before clicking it (and ask them to quit sending attachments unnecessarily).
For many of us, our internet browser is our primary window to the digital world. It is also a most attractive vector for attack, not only because of security holes and poorly coded extensions, but because of what websites people visit. Tighten down the security of your web browser and remove any unnecessary plugins, including Flash, Java, the Adobe PDF viewer, etc. Most modern browsers can handle video and PDF content without plugins anyway and Java is rarely used by websites anymore.
Browse smart and stay away from porn sites or any other questionable sites, even if they are hugely popular. Keep in mind that you need not click or do anything on a malicious website to become infected other than simply visit it (see drive-by malware). I would also suggest dumping Microsoft Internet Explorer and replacing it with something more secure and transparent, which is basically anything other than IE.
As with your browser, your email client is also a huge vector for attack, so learn how to harden it by disabling JavaScript and HTML mail. As with your browser, i would suggest dumping any Microsoft email clients and replacing them with something more secure and transparent, such as Thunderbird.
Scan everything you download from any source with a decent anti-virus product. You don't have to run a bloated "security suite" in the background that analyzes your every click and key press and file you open as long as you work and play smart, but at least have an on-demand scanner available to manually scan all incoming downloads and email attachments.
If you're not sure about the integrity of a piece of software or the reputation of a website, scan it using something like the VirusTotal service, which uses a whole bunch of anti-malware products to scan a single file or website URL. There are several add-ons for Firefox that make accessing VirusTotal very easy. Certainly do not rely on the over-pimped "Web of Trust" service or any other service where the data comes primarily from everyday users who lack knowledge regarding malware and rate sites based primarily upon their bias.
If you use only popular, mainstream software products for protection, such as Windows Defender or the Comodo Internet Security suite, etc., realize that chances may be significantly higher that malware is in play which is purposely designed to completely bypass the protection these popular products offer. The larger the following, the bigger the target.
Do not log on to your operating system as an administrator.
Keep regular backups of your data, preferably off site and encrypted, but at least on an external drive. If you have become infected, do not rely on the Windows System Restore utility since the malware may have infected those backups as well.
If you discover a virus, and especially if it's a Trojan, assume all your data has been compromised including any passwords, banking information, credit card numbers, documents, etc. You should immediately unplug your computer from your modem and take action to remove the virus, change all of your passwords and notify your bank.
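One way to automate the VirusTotal check from the list above, as an added example rather than code from the article: hash the download locally, request the file report from the VirusTotal v3 API, and triage the engine counts. The thresholds, function names and sample reports are assumptions constructed for illustration; zero detections is reported as "no known detections", not as clean, because an undetected file may simply have no signature yet.

```python
import hashlib
import json
import urllib.error
import urllib.request

# VirusTotal API v3 file-report endpoint; requests need an x-apikey header.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file locally; only the digest is sent, never the file."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_report(sha256, api_key):
    """Return the report as a dict, or None if VirusTotal has never seen the hash."""
    request = urllib.request.Request(
        VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.load(response)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def triage(report, review_at=1, block_at=3):
    """Map a report to (decision, flagged, engines).
    review_at and block_at are assumed thresholds, tune them to taste."""
    if report is None:
        return ("unknown", 0, 0)   # never submitted: treat as untrusted
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = flagged + stats.get("harmless", 0) + stats.get("undetected", 0)
    if flagged >= block_at:
        return ("block", flagged, engines)
    if flagged >= review_at:
        return ("review", flagged, engines)
    return ("no-known-detections", flagged, engines)


def _report(malicious, suspicious, undetected):
    """Build a constructed report with the v3 field layout."""
    return {"data": {"attributes": {"last_analysis_stats": {
        "malicious": malicious, "suspicious": suspicious,
        "harmless": 0, "undetected": undetected}}}}


# Constructed sample reports, not real scan results.
FLAGGED = _report(7, 2, 61)
SINGLE_HIT = _report(1, 0, 67)
QUIET = _report(0, 0, 68)

if __name__ == "__main__":
    for label, report in (("flagged", FLAGGED), ("single hit", SINGLE_HIT),
                          ("quiet", QUIET), ("never seen", None)):
        print(label, "->", triage(report))
```
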
Again, i do not advocate running around the web with your skirts flying high and no underwear on. The trick is to find a good anti-malware product and, while there are hordes of products to choose from, there are not that many that are actually worth considering. In the past i have had extended communications with a couple of people who are apparently heavy hitters in the anti-malware industry and Bitdefender seems to be one of the better general purpose products. So is Malwarebytes Anti-Malware. I will emphasize again however that there is no single product, nor combination of products, that will protect you from all threats.
Personally i don't run a resident virus scanner at all any more, but i do use the Emsisoft Commandline Scanner which is an on-demand scanner (you have to run it manually) to scan everything i download. It is a general purpose anti-malware tool that is probably about as good as they come and it's free for personal use. Also known by its executable, a2cmd, the Emsisoft scanner is a hybrid of both the Emsisoft and Bitdefender products.
While i have been infected a couple of times back in the day, to my knowledge i haven't been infected with any malicious software in the last 15 years or so since i started learning more about computer security. I am very careful about what i download and install, what websites i visit and where i allow JavaScript or browser plugins to run and what email attachments i choose to open. I have taken measures to harden my browser and email client and i use a non-Microsoft firewall and anti-virus products. I never plug anything into my everyday machine that i don't own, especially flash memory. Still, i feel very threatened by the potential that something will slip by my defenses, but my paranoia plays a key role in keeping me infection free... at least to the best of my knowledge.