Over the last few days I’ve had a massive increase in traffic from Chinese data centres & ISPs. The traffic has been relentless & the CPU usage on my server kept spiking enough to cause a fault in my cPanel hosting. I’m on a great hosting package with UKHOST4U and the server is fast & stable, but it is shared with a few other websites. This means that I couldn’t just blanket ban Chinese IP ranges. Even though we don’t sell our products in China, it seemed like a very heavy-handed approach, and to block via .htaccess with the entire range of Chinese IP addresses was causing a 2-3 second delay in page parsing (pages normally load in around 600ms).
I’ve been a huge fan of Cory Doctorow for a while now. With regular appearances on 2600’s Off The Hook radio show, not to mention his work for the EFF, he is well known in internet circles.
This video is over an hour long, but goes a long way to explain the direction in which our technology (and the companies that run it) is going. If we leave it to the quasi-monopoly companies we have already, we are in for a rough ride. Recommended for any internet user, especially those with a penchant for smart home devices (he outlines some good real-world hacks, including hacking a pacemaker). A great case for ignoring all of the apps & walled gardens & returning to the open internet.
As I see it, net neutrality is already dead. While it may be possible for anyone to create a website or web content & share it with the rest of the world, we have reached a point where a handful of gatekeepers restrict access to that content through their ubiquity & their algorithms.
Take my website for example. The vast majority of my traffic, more than 90%, now comes from Google organic search. Only 5 or 6 years ago I would receive traffic from MSN (now Bing), Yahoo, AOL, Ask and a plethora of other search engines. I would get hits from DMOZ and other directory sites & I would get lots of links from other blogs and websites.
Today, the majority comes from Google. Google has become the de facto search engine & this is a direct challenge to Net Neutrality. For one, algorithms cater all of your searches to you. This may sound wonderful, but it creates millions of separate filter bubbles. Before Google made the algorithm changes that catered search results based on your own activity, a website would climb the ranks based on real-world popularity. If you had an amazing blog post or popular webpage it would be promoted up the rankings for all users, regardless of their own browsing habits. This produced a genuine meritocracy in search & every website had its chance to shine, provided the content was good.
A few years back, content was ranked based on how many other people linked to it & how authoritative it was deemed. This system could be gamed, but on the whole it worked very well. Around 2012 Google started to make changes, probably due to the introduction of the Chrome web browser, Android phones and Chromebooks. Users started to integrate their online lives with Google. A Google account was required for YouTube, Gmail & a whole host of their services. At this point, Google had the perfect way to start slurping up all of your browsing data, all of your email contents, your Google+ posts, your Hangouts & messages. This allowed for specific catering of search results & pretty much ended authoritative content on Google. This shift to locking users into Google services was the first step of the major tech companies in shutting down net neutrality in a new way. It’s no good having great content if Google deems it of no use. This could have huge implications. Think political, social and corporate interests.
Google have made themselves the internet (and not just Google: between Google, Facebook, Twitter, Instagram & Spotify there isn’t any room for competition). By making themselves the first port of call for most web users, they have become the gatekeepers. The judges of quality, the architects of our information.
This problem is further compounded by Google’s advertising model. My browser is very secure, I use Ghostery, Adblock & Privacy Badger to block as many trackers & adverts as possible. My search looks very different to that of most regular users, see the screenshots below.
As you can see from the above example, searching for badges on Google, in the top screenshot I’m given search results which aren’t filtered by any factors such as my browsing history, location or email contents. This is as close to how Google used to work as possible. Without tailoring of my search results I’m mostly given the most relevant and best websites. This doesn’t take into account any perfectly relevant content that Google may have removed from the results because it was deemed algorithmically unacceptable.
Now the bottom two screenshots tell a different story. That’s how my search looks when I’m logged into google & my ad blockers are turned off. They are hijacked considerably by advertising. Paid links. Most of the content above the fold is advertising content & is given more prominence through styling. It urges a user to click the content. This is not democratic. The more you can pay, the more you can sap search traffic towards content which may be incorrect, irrelevant or misleading. If you have the money, you can top all search results.
It’s the same below the fold: the bottom of the page is full of advertising and noise, and the actual search results get lost amongst it. This is another way in which net neutrality is being destroyed. My search here is pretty mundane, just searching for badges in the UK, but imagine it was on searches such as climate change, political campaigns or even denial of events. If you had the bankroll & the manpower, you could top all relevant search results & influence a large part of the debate. Given that Google is now the de facto search engine, you could literally get any story in front of everyone searching a topic. The ability to shape or rewrite history is yours if you can afford it. This will have profound effects on politics. We have already seen the power of the internet in politics both in the UK & USA and this will only get worse as people discover the power of the internet, not only to influence, but to avoid scrutiny.
I personally use Startpage and DuckDuckGo to search. It is not as convenient as being logged into a Google account, but I know the results aren’t tailored & that my search history isn’t shaping my view of the internet. I recommend you all consider spreading your search wings & finding less intrusive search engines.
Moving on to social media: if it’s photos you are sharing, you probably use Instagram (Facebook); if it’s instant messaging & text messaging, it’s probably WhatsApp (Facebook) or Facebook Messenger. If you want to share personal thoughts with close friends & family it’s probably Facebook you are using, and for more generic, less personal sharing or professional social media use you probably use Twitter. For your video watching, you probably use YouTube (Google) & for music, no doubt it’s Spotify.
You can see the issue here: nearly all of our online lives are controlled by a few companies. It is they who decide what we are allowed to see & they who take payment to promote the websites & views of those with the most money. You probably spend the majority of your time flitting between services owned by Facebook, Google & Twitter. This leads to a serious erosion of net neutrality, as you are only exposed on the internet to content they see as fit & proper (unless of course money is involved, in which case you can buy as many users’ eyeballs as your funds will allow).
Facebook is a company I have now distanced myself from. I have an empty profile on there & have even blocked access to Facebook URLs in the hosts file on my computers. Facebook is the worst example of both data mining of users’ data & the filter bubble effect. Facebook wants to keep you online & on their platform, be it via a web browser or app. The Facebook feed used to be a basic set of status updates; you could visit & spend 10 minutes catching up with friends & sharing photos. It was a pretty benign service. I now see it as a serious threat to the open internet. Your Facebook feed is now a never-ending, algorithmically generated quagmire of information, all tailored specifically to you. If Facebook knows you are interested in something, it will show you more of that. Lots more of that. It’s almost impossible to finish using Facebook. All of your likes, all of your comments and all of your activity go towards building a picture of you. They profile every user & compare you to other users. Content that users similar to you like is shown to you. Your bubble becomes smaller and smaller until everybody is exposed only to information which they relate to.
This tailoring of information may sound wonderful if your interest is in something innocent, say kittens or coastal walks, but imagine if your interests are a little more serious. We saw in the UK how Facebook essentially split the country in half: those of us on the pro-EU side & those on the anti-EU side. Each group was shown more & more information which reinforced its own view, while never being shown the other side of the argument. This isn’t debate, it’s the reinforcement of divisions in society, the reinforcement of prejudices, and without neutrality it has got way out of hand. I stopped using Facebook shortly after June 2016 after reading more & more about their algorithms & the filter bubbles they create.
As a web developer I can see the engineering thinking behind these algorithms. As feats of engineering they are superb & very accurate, however as someone who studied Web Development in a humanities department back in 2005 I can see that applying only engineering thinking to social platforms is a recipe for disaster. I believe that the referendum in the UK was extra devastating because of social media. Both sides, from what they could glean from their Facebook pages, thought they couldn’t lose. All of the information they received via Facebook reinforced their own views without ever challenging them. That is not a debate & with such algorithms it will only drive deeper divisions between every niche community in the world. With a referendum or a vote, chances are one side will always lose. It’s the whole point of putting things to a vote, but social media reinforced to both sides that their argument was beyond question to such an extent that the devastation was even greater for the losing side. And it spills out & has real world effects in society.
As I was saying earlier, I learned Web Development very early on. Back then it wasn’t really a thing & my degree route was actually called Web Content Management. We did web design & development, but we also did internet law, internet infrastructure, information architecture & information retrieval. We studied web accessibility for disabled users and a whole host of humanities-focused modules alongside the technical modules. This gave me a great overview of the internet, not just from an engineering standpoint but also that of a user & society in general. Back then, you didn’t google for things, you searched. YouTube didn’t exist, bandwidth was expensive & videos online were kept to a minimum. It was much easier to read genuine fresh content, to learn new things & discover new ideas & ways of thinking. Back then it was a neutral place. Discussions were done on IRC or over instant messaging clients. They didn’t take place in public. Tweets didn’t exist & certainly wouldn’t have been used as authoritative quotes in the media. News wasn’t broken, it was triple checked, confirmed, edited and then published. We didn’t use personal information, we used nicknames or handles. We didn’t share private or identifying information. The net was a better place.
If you wanted to publish ideas, you first had to learn a bit about the internet, almost like getting a licence to drive. We had netiquette (if you used ALL CAPS you were very angry). If you wanted to write to your MP, you had to write or email, not just shout abuse at them on Twitter.
The internet will always have bias as long as engineers are programming the algorithms, but any tailoring based on your own interests introduces another layer of bias which is not healthy. If you think of a traditional library such as a university library, you would go to the shelves housing the subject you were interested in & every single book on those shelves would carry equal weight. Your selection would be based on reviewing a sample of books & choosing the most relevant. Search engines have taken this away from information retrieval, as searches are first skewed by paid advertising, then by algorithms & finally by a user’s search profile. If you are constantly being shown things you are familiar with and never any variation, you will never develop a rounded knowledge of any subject. Imagine walking into a library & there being salesmen pushing their books at you, shouting for your attention. It just wouldn’t happen.
I fear for the future of the internet if more people move towards these major tech players. The underlying technology of the internet will probably remain neutral, but if all the portals people use to access the internet are controlled by the likes of Facebook & Google, people will only ever be exposed to the content that is deemed fit. This could lead to major headaches for all democracies. Online electioneering is already beginning; the billionaires are bankrolling the politicians & secretly funding campaigns. They are creating misinformation & fake news is now a thing. They are mining vast quantities of data from social media & targeting users in extremely precise ways online. This funding is known as dark money & as it’s impossible to keep track of online ad spending, it introduces the ability to win elections by buying influence with unlimited spending. All of this information is ours to give, and modern web users give it freely. That needs to change. Consider your privacy: do you want pictures of your children appearing in advertising because the terms & conditions you agreed to state that all content becomes the property of Facebook? I know I wouldn’t!
So consider your web usage. If a website requires you to sign up to browse, look for another service. Try some of the different search engines; they may be slightly less convenient, but your privacy is worth much more to you. If you use a Gmail or Hotmail account, remember that your emails are being scanned & used to tailor your search results. Always log out of social media & Google when not using them. Consider a service such as ProtonMail or self-hosted email. Don’t put your most intimate details onto Facebook & Twitter. The moment you upload that content you lose control of it. Remember, these services make money from your clicks; they are designed to hold your attention and keep you on their websites. Be careful what you click ‘like’ on. Don’t help them market to you.
Install Ghostery to stop these companies tracking your movements around the internet. Don’t rely on Facebook & Twitter for all of your news and facts. Anything that uses an algorithm will never give you balance & will only divide people further.
I intend to write more on this subject. I’ll address different areas one at a time, but hopefully this post will at least get you thinking. There is a world of wonderful & informative information out there on the Web, don’t let Google & Facebook hide it from you.
GPG is important for email as it means that a message remains encrypted between the sender & the receiver. It works on the principle of key pairs. Each user generates a pair of keys: one, the private key, remains secret and on the user’s computer; the other, known as the public key, is free to distribute on the internet and is the one you pass on to those you wish to communicate with.
It is important that your private (secret) key always remains private & you never share it with anyone. The keys are paired so that both are required to encrypt & decrypt emails. I won’t go into the technical details; if you are interested there are a lot of free resources which will guide you through the technology.
Encryption also requires a passphrase to be set when creating your key pair. This passphrase allows you to unlock your keys & use them to encrypt your email. Both sender & receiver need to set up a key pair & share their public keys with each other. This allows encrypted communication between both parties.
On OS X / macOS Sierra you can use the free & open source GPG Suite to install the tools required to start encrypting email. The suite includes GPG Keychain, which allows you to create the key pair for your email address, store the public keys of your recipients & upload your public keys to public key servers. It is where you manage & store your keys.
Also in GPG Suite you have GPG Mail, which integrates with the native Mac Mail client. Much of the encryption process is automated once you set up your key pair, including downloading the keys of recipients you address your emails to. You can also sign your emails with GPG Mail, which confirms to the recipient that your email is authentic.
First, install GPG Suite using the .DMG file available on their website. If you are using Sierra or require cutting-edge enhancements, opt for the beta package.
Once installed you will have an extra option in your settings preference pane called GPG Preferences. This allows you to set your GPG preferences, such as update checking and the public keyserver you would like to use. Most people can just leave this set with the default values.
The first thing you will want to set up are your keypairs. Make sure you have added the email account you want to start using with encryption as one of your Mac Mail accounts. If you use a free account such as Gmail you can still add it to your Mac Mail software & encrypt emails using that account.
Next, head to your Applications folder & select the newly installed GPG Keychain application. Open the application and click New in the top left corner. You will be presented with the following screen, showing your Mac Mail email addresses. In these settings, select the email account you would like to use with GPG encryption, tick the box to upload your public key (it makes it much easier for people to correspond with you) and enter your passphrase.
The passphrase is a vital part of your encryption as it unlocks your key pair for use. Make sure it is a strong password & one you can remember. Also, my advice is to use a password you only use for encryption. This password is never for use with any online services such as websites. A single hack of any of those sites could reveal your password, so encryption passwords are only for local use.
Once you are happy with your passphrase, click Generate Key. Your GPG key pair will be generated & your public key uploaded to the keyservers.
You should then see your newly created key within GPG Keychain. You are now good to start creating encrypted emails.
My advice, if you are going to start encrypting emails between friends, family or colleagues is to first send them an email with your public key attached. This way, they can import it into their keychain to allow them to email you. They can also send you theirs back. This isn’t a requirement if you have both uploaded them to a keyserver, but it’s always a good idea before you start encrypting communications between you. It’s also a friendly way to allow the other party to know that you want to encrypt your emails & to expect future emails to be encrypted.
Now, fire up Mac Mail and compose a new email. You will see a new OpenPGP option in the top right of your compose window. This will be green if you are using an email account for which you have created a key pair & will be greyed out if composing from an account without one. In the screenshot below I’m emailing between my own account & my unused Gmail account, which also has a key pair. As you can see the OpenPGP button is green, which means a key pair is present & I can encrypt on this account.
You will also see in the above screenshot the two blue icons. They are blue if they are enabled, but are greyed out if either a public key isn’t present for your recipient or you have opted not to encrypt. If you do have a public key for your recipient in your GPG Keychain you can activate one or both of these buttons. The left one, a padlock, is your encryption button; the right one is your GPG signature to securely sign your email. If sending to someone for whom you have a public key, I would always sign & encrypt.
Once you are set up, emailing is just as straightforward as before. Write your message & your subject and add any attachments you would like. Note that only the body of the email is encrypted; the subject line is not, so be careful what you use there as it is publicly viewable. Once you are ready you can hit send, at which point you will be given an OpenPGP prompt for your passphrase. This is the encryption passphrase which you set up at the time of creating your key pair. This passphrase will be required every time you encrypt or decrypt an email. You can opt to save the passphrase in your keychain but I would advise against that. The whole point of encryption is to make email for your eyes only (and your recipient’s of course), so keep the passphrase to yourself & commit it to memory. It’s just good practice.
The last part of the puzzle is decrypting email. Below is a screenshot I took of the email I just sent between my two accounts. When opening the email you will be asked for your encryption passphrase, this is to unlock your own keypair to decrypt the email. You will see from the screenshot that the email looks like any other, with the exception that it has signature and encryption details. The padlock shows that the email is encrypted.
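To make the steps above concrete, here is the same flow at the command line with plain gpg: generate two passphrase-protected key pairs, exchange public keys, sign & encrypt a message from one party to the other, and decrypt & verify it on the far side. This is an added example, not code from the original post or from GPG Suite; it assumes GnuPG 2.1 or later is installed, and the names, addresses, passphrases & message text are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or GPG Suite): the key pair ->
# public-key exchange -> sign+encrypt -> decrypt+verify flow that GPG Mail
# automates, done with the gpg CLI in throwaway home directories.
# Assumes GnuPG 2.1+. Names, addresses, passphrases and message are constructed.
set -eu

WORK=$(mktemp -d)
ALICE_HOME="$WORK/alice"; BOB_HOME="$WORK/bob"; EVE_HOME="$WORK/eve"
ALICE_PASS='alice encryption-only passphrase 9f3'   # constructed
BOB_PASS='bob encryption-only passphrase 2c7'       # constructed
mkdir -p "$ALICE_HOME" "$BOB_HOME" "$EVE_HOME"
chmod 700 "$ALICE_HOME" "$BOB_HOME" "$EVE_HOME"    # gpg warns on looser perms

# g <homedir> <passphrase> <gpg args...>: unattended gpg, passphrase via loopback
g() {
  _home=$1; _pass=$2; shift 2
  gpg --homedir "$_home" --batch --yes --no-tty --pinentry-mode loopback \
      --passphrase "$_pass" "$@"
}

# The "New" button in GPG Keychain: a primary key plus an encryption subkey,
# protected by the passphrase, with no expiry.
gen_key() {            # gen_key <homedir> <passphrase> <user-id>
  g "$1" "$2" --quick-generate-key "$3" default default never 2>/dev/null
}

export_pubkey() {      # export_pubkey <homedir> <email> <outfile>  (ASCII-armored)
  gpg --homedir "$1" --batch --armor --export "$2" > "$3"
}

import_pubkey() {      # import_pubkey <homedir> <pubkey-file>
  gpg --homedir "$1" --batch --import "$2" 2>/dev/null
}

fingerprint() {        # fingerprint <homedir> <email>: primary key fingerprint
  gpg --homedir "$1" --batch --with-colons --fingerprint "$2" |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# The padlock + signature buttons: sign with the sender's private key, encrypt
# to the recipient's public key. --trust-model always stands in for the trust
# you establish by exchanging public keys directly, as the post suggests.
sign_and_encrypt() {   # <homedir> <pass> <sender> <recipient> <infile> <outfile>
  g "$1" "$2" --trust-model always --armor --local-user "$3" --recipient "$4" \
     --sign --encrypt --output "$6" "$5" 2>/dev/null
}

# Decrypt with the recipient's private key; print the signer's primary key
# fingerprint only when gpg reports a GOODSIG, otherwise fail.
decrypt_and_verify() { # <homedir> <pass> <infile> <outfile>
  _status=$(g "$1" "$2" --status-fd 1 --output "$4" --decrypt "$3" 2>/dev/null) || return 1
  printf '%s\n' "$_status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  printf '%s\n' "$_status" | awk '$2 == "VALIDSIG" { print $NF; exit }'
}

# Anyone holding only public keys (an interceptor, a hacked mailbox) cannot
# decrypt: succeeds (status 0) when gpg refuses.
cannot_decrypt() {     # cannot_decrypt <homedir> <infile>
  ! g "$1" "irrelevant" --output "$WORK/stolen.out" --decrypt "$2" 2>/dev/null
}

setup() {
  gen_key "$ALICE_HOME" "$ALICE_PASS" "Alice <alice@example.com>"
  gen_key "$BOB_HOME"   "$BOB_PASS"   "Bob <bob@example.com>"
  # Swap public keys by file: the "email them your public key" step above.
  export_pubkey "$ALICE_HOME" alice@example.com "$WORK/alice.pub"
  export_pubkey "$BOB_HOME"   bob@example.com   "$WORK/bob.pub"
  import_pubkey "$BOB_HOME"   "$WORK/alice.pub"
  import_pubkey "$ALICE_HOME" "$WORK/bob.pub"
  import_pubkey "$EVE_HOME"   "$WORK/alice.pub"   # Eve: public keys only
}

MESSAGE='Family photos attached, see you Sunday.'   # constructed body text

run_demo() {
  printf '%s\n' "$MESSAGE" > "$WORK/msg.txt"
  sign_and_encrypt "$BOB_HOME" "$BOB_PASS" bob@example.com alice@example.com \
                   "$WORK/msg.txt" "$WORK/msg.asc"
  head -1 "$WORK/msg.asc"                        # -----BEGIN PGP MESSAGE-----
  cannot_decrypt "$EVE_HOME" "$WORK/msg.asc" && echo "Eve: no secret key, refused"
  SIGNER=$(decrypt_and_verify "$ALICE_HOME" "$ALICE_PASS" "$WORK/msg.asc" "$WORK/msg.out")
  echo "Alice read: $(cat "$WORK/msg.out")"
  echo "Signed by:  $SIGNER (Bob is $(fingerprint "$BOB_HOME" bob@example.com))"
}

cleanup() {            # stop the per-homedir agents gpg started in the background
  for h in "$ALICE_HOME" "$BOB_HOME" "$EVE_HOME"; do gpgconf --homedir "$h" --kill gpg-agent; done
}

setup && run_demo && cleanup
```

Only the message body is protected here, just as in GPG Mail: anything outside the armored block (headers, subject) travels in the clear.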
If you follow these steps you will ensure any correspondence sent between you & your friends/family can’t be read by any third party. This means that if your email account is hacked, the contents of your messages remain private. Perfect for family photos, private information and general personal chatter. It also means that companies such as Google can’t read your emails for advertising & data collection purposes. The message remains scrambled with encryption across the whole internet, no matter who intercepts it.
Once you get used to this process it will become second nature. I like the ‘at rest’ security of encrypted emails. I’m less worried about personal emails being hacked or stolen in a data grab. If my server is compromised, my emails are not. I also like the fact that using a completely unique password for my encryption means that my encryption password is never in the wild online. I’ve committed a complex password to memory & I’m not likely to forget it after typing it so many times.
No security is perfect, but this is by far the biggest bang for your buck with regard to securing your communications on a day-to-day basis.
You must keep your key pair secure. You can back up both your public & private key using GPG Keychain, but you must keep the backups safe. Never put your secret (private) key online or into cloud storage. If you ever lose control of your key pair, someone could pose as you and send emails masquerading as you, not to mention decrypt emails if they guess your passphrase. GPG Keychain has the ability to revoke keys if you feel they have been compromised. You can then generate a new key pair & upload it to the keyservers as required.
This is just a brief outline of how to get started with OpenPGP using GPG Suite. If you would like to know more, you can read up online. A good starting point is the GPGTools site itself.
If you would like to send your first encrypted email, drop me a message at john AT johnlarge.co.uk using my public key, which you can retrieve from the keyservers or download by clicking here. If you want to add to this post or correct anything, please do let me know. Like my other cybersecurity posts I’ve kept it as simple and non-technical as possible to make it accessible. The post will evolve over time.
The internet is a public place, but it is also a place where you can’t control data flows. As soon as you upload information or data to the internet, you need to assume it is now on public record. Even if you believe your account is private and secure, there is a good chance that at some point, the data will be used, resold or even hacked & released into the wild. If you approach the internet with this in mind it is very easy to secure your information. I’ll come to internet security later, but let’s start with your hardware itself.
I personally have a lot of computers. I have two MacBook Pros and an iMac, I also have Raspberry Pis running various versions of Linux & also an old IBM ThinkPad X200 running Trisquel Linux. All of these machines use full disk encryption.
With Apple products, make sure your software is up to date. All of my machines run macOS Sierra, which is a free upgrade. Sierra has a very good version of full disk encryption known as FileVault 2. FileVault 2 allows you to encrypt the entire contents of your hard drive with a password. This means that without the password, the contents of the hard drive can’t be read by a third party. FileVault requires the disk password as soon as you start your machine, so anyone who steals your hardware will be unable to boot your machine to access information & also unable to wipe the hard drive to reinstall the OS on it. This is vital in case of loss or theft of your devices. We store so much personal information on our devices & their security is as important as securing your own home. Perhaps more important.
The same goes for iPhones. Make sure you use a strong passcode or passphrase to secure your device & consider not using fingerprint access. Your fingerprint is very convenient, but a strong passcode is much more secure. Also, backup your iPhone or iPad to an actual computer and not to iCloud. If someone hacks your iCloud, they could clone your iPhone from one of your own backups & access your entire iOS environment.
The passwords you use should be unique & strong. You should also ensure that your encryption password is never stored or used for any online accounts. Your encryption password should be distinct from any other password you use. You can choose a way of codifying your password, for instance take your favourite book (paperback or hardback) and use your birthday to select a page and a line. For instance, pick up a copy of Harry Potter, go to the page number which relates to your day of birth and then on that page go to the line number which relates to your month of birth. Use the text on that line for your password.
You can use any method to code your password, that is just a single example. Whatever you choose, make sure you have a way of reminding yourself which is not obvious. Without your encryption password your data would be lost forever.
Also, on Macs, make sure you disable any guest accounts in Settings > Users & Groups. Turn on the Firewall in Settings > Security & Privacy. This menu also contains the settings for turning on FileVault.
While in Security & Privacy, make sure you choose to require a password after sleep or screen saver. This means that if you need to leave your laptop or desktop unattended, you can put it to sleep to lock the machine, or set the screen to sleep after a certain amount of idle time. These are basic steps to secure your machine but they will make a vast difference to the physical security of your Mac.
With my iMac I use a Kensington lock to physically lock the machine to my desk. Make sure any external hard drives for your Mac are also formatted with encryption & set your encryption password on each of them. This means if any are lost or stolen, for example your Time Machine backup drive, they cannot be accessed by anyone but those with the encryption password. I encrypt all media including USB flash drives. It only takes seconds to mount them & enter a password, but it does mean that your data is always much more secure. Get into the habit of encrypting & you will massively reduce your exposure to hacking & identity theft.
Something else I always do is use a small roll of black insulation tape to cover up the webcams on my laptops and desktops. You can peel it off easily if you require the webcam for FaceTime or Skype, but most of the time I tend to leave the cameras covered. The camera can be used for spying by both governments & criminals & there have been many cases of people being recorded on their webcams & then blackmailed. For the sake of a few pence, always have a roll of insulation tape and cover your webcams. You can even colour match the tape to your black MacBook/iMac bezel.
With regards to securing your iPhone, my main advice would be to set a fast timeout on your automatic screen lock. Never leave your phone unlocked & make sure you get into the habit of locking the screen whenever you put the device down. Also make sure, under your Touch ID & Passcode options in iOS Settings, that you opt to require the passcode immediately & that you opt to erase the device after 10 failed attempts. This means that in the event of loss or theft, the device will likely wipe itself before anyone can get your information & identity from it. You can also use iCloud to remotely message & wipe your Macs & iOS devices.
Macs & iOS devices now increasingly rely on cloud services to sync & store your data. Ensure that you set up two-factor authentication on your iCloud account, to make sure only someone with access to one of your physical devices can log in to your iCloud account. Also, be aware that if iCloud is ever hacked & the encryption keys that Apple hold are accessed, your iCloud data can be decrypted. Ensure that anything you offer up to the cloud is information which isn’t personally identifiable or potentially damaging. The cloud is ideal for mundane documents and data which isn’t specifically personal, but if it is something you want to keep private, don’t ever upload it to cloud services. I’ll cover this more in my next post regarding securing yourself online.
Finally, never give out your encryption password, it is the key to all of your data. Never use it for anything but encrypting, never use it with an online provider. If you do need to make a note of the password, codify & hide it in a way that it can’t obviously be identified as a password. Always aim to physically keep hold of your devices. It is much harder to compromise your devices if they are always in your possession.
Never give out any passwords in email or over the phone. If someone calls asking for your account details, don’t give them out; instead ask them for their details and phone number & offer to call them back. You can then check the number & details online & call a verified number.
Finally keep software up to date. There are zero day exploits being discovered and utilised daily. You massively decrease your attack surface if you keep software, services & devices patched & up to date.
I will add to this post as & when I think of tips to help. If you have anything to add, please let me know in the comments. There will be loads that I have missed & I expect this post will constantly evolve. I’ve also tried to keep the post as straightforward and non technical as possible. I want the basics to be adopted by everyone, so I’ve left out the in-depth discussions on things like AES & encryption bit sizes.