Trust
Trust is powerful word. In IT world means more that you can think. If anybody accuses your company of doing some nasty things you are in big trouble. Is really hard to protect of reputation when discussion is hot and defence arguments are complex. Nobody want to read technical things which are complicated and require logical thinking.
Kaspersky Lab
I suppose that you’ve heard about USA ban for Kaspersky products.
Mainstream in America since many months attacks president Trump. They are still
looking for his connections with Russia. Annoyed secret service found a good
pretext to get rid of Kaspersky software from crucial computers. USA even
after cold war have frigid relations with Russia. So, why they used Kaspersky
software, if they so much afraid them? Post-truth politics is fine. If you
follow DHS link you will not find any proof that Kaspersky spied secret
services in USA. There is no evidence, even small piece of code, disassembled
part which shows that they prepare special software to grab data.
Few days ago Kaspersky Lab released statement. They described accident which is root of problem. I will quote part of it, because it’s not true that everything stays in internet:
The malware was detected inside a folder named “Office-2013-PPVL-x64-en-US-Oct2013.iso”. This suggests an ISO image mounted in the system as a virtual drive/folder. … The user was infected with this malware for an unspecified period, while the product was inactive. The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user’s machine. … One of the files detected by the product as new variants of Equation APT malware was a 7zip archive. The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware.
And that’s all. This is the way how antivirus works. It found something new, a sandbox or other heuristic test showed something suspected then it sent probe into mother spaceship. After that it’s analyzed and signature is made. Did they read license of a program which should contain that information?
So, who say the true?
Do you have an email address? I suppose that you have at least one. Do you pay for that? I don’t think so. Well, why it is for free? Somebody gave you part of server disk, you may store there whatever you wish. You know the answer and if you have ever thought deeper about that you might not be happy. Most of us decide to sell our privacy, secrecy of correspondence to have free letterbox. Certainly, we don’t expect that some person is reading right now our mails, but we can expect that some program is looking for interesting words to present us better adverts. The same program might also sends some notifications to another system if you disagree with your government, president, law in your country, etc. They might still watching you silently, without following you around. So, do you believe that your private data are only used by a server company and it doesn’t share it with some secrete service?
Cookies and spy services
Almost each big service use cookies to spy your activity. I disabled them by default
long time ago. Each day I see dozens notifications that if I wish
watch some service then I have to enable cookies. Portals know when last time you visited
them, where you was – geolocalization, what you was searching and they assign to you
an unique ID to easy recognize you. It’s only tip of the iceberg what they know about your
internet activity. Just take a look into your web browser settings – you might find there hundreds cookies.
After many years network spying techniques evolved and right now the most popular are spy services,
sometimes called stats or analytics services. They gave possibility to watch users
in real time, they choices, search, selected pages. Did I say that even banks use spy services?
No? Small example – in Poland bank sent: account number and balance – who might care about that
data? And the funniest thing: the GET method was used so everyone between your computer and
spy service might read that data – here is a link (warning: polish language). Total madness.
SSL and bank
Do you know how SSL work? It’s good to know something about it, because you use SSL to
connect to your bank account in secure way. I’m not going to describe how it
works, but for this post important are this things: there is a trusted certificate
authority. Do you know issuer of certificate used by your bank? I live in Poland
and I have a account in foreign bank, but a bank branch is in my country and has
polish service. So, who is an issuer (CA) of this service? In this certain case it’s
Certum Trusted Network CA. I suppose that you don’t know this company so let
me explain. Certum is strictly connected with another company Asseco. The
last company is not well known in my country from some reasons. It touches:
- finance,
- public institutions – stack exchange, all tree letters insitutions in Poland (secret services) and more,
- telecommunication – the main player responsible for optical fibres.
It’s only a part of their interest. So, the company strictly connected with government, which has access to main lines of internet in Poland is a trusted certificate authority for many institutions. It sounds like formula for invisible man in the middle attack (MITM). Is it good or bad? From one point of view we might say that is reasonable to have that powerful company which takes care about our affairs. From the other side, you can forget about bank secrecy, private mobile calls. Even if you are good citizen they keep eye on you without warrant. Is it a good solution and what is the other possibility? Can you imagine that an issuer is some anonymous company from another country. Is it better solution?
You might say that I’am a dreamer but, did you heard about French agency ANSSI which faked Google certs and made MITM?
I’m not happy with that knowledge.
So, do you trust that data, metadata send by your computer, mobile phone or any other electric devices are not used to spy you?