Internet security


SomeCallMeMom

Sharpshooter
Special Hen
Joined
Nov 6, 2013
Messages
197
Reaction score
0
Location
N/A
I happened to read an article on Internet security a couple weeks ago & it got me thinking. Basically, the article said you have two ways of combatting it... either stop using the internet entirely or flood the internet with misinformation. I typed my name in a couple of search engines & was surprised what popped up. Pictures, addresses, phone numbers & all sorts of information. I decided I didn't like all that information out there, so I started working on locking it down. I had to go to each individual site and request that my information not be shown. I even closed down a couple accounts that I had forgotten I even had. Now, typing my e-mail address, phone number or name doesn't give any results. It was something I had never really given any thought to before, so I thought I would pass it along. Now, I'll check them regularly to make sure I don't pop up again.
 

1krr

Sharpshooter
Special Hen
Joined
Jul 10, 2006
Messages
721
Reaction score
1
Location
OK Shooters
Best way to keep your information from being abused is to know how it is collected and analysed. You might here lots of things about "big data" and with the Snowden revelation, it confirmed what most in the industry already knew was going on. In basic terms, think of your information like a mosaic; perhaps one of those mosaics made up of thosands of pictures that when you step back, you see the "big picture."

That is a great metephore for all the little tidbits of information you leave around the internet. This post for example doesn't really tell you much about me. My username is 1krr and with some research, you might find that I own, used to own, or have an interest in motorcycles and most specifically in a CBR1000RR sport bike. Now the PIs and general sleuths in the room will get that "ahha" moment an start to think that is interesting. But there are also some facts like I'm posting on an Oklahoma centric firearms forum, speficially in the "preppers" forum probably tells you a great deal about me. Of course none of this is intended to be racially/culturally insensitive just raw analysis. It would seem to suggest a better than 50% odds that I'm white 70% that I'm male. I like motorcycles, guns, and prepperadness. I've been registered for a long time but post rarely over the span of time which might suggest I tend to be reclusive or uncomfortable with people I don't know. But the social nature of much of the above hobbies would suggest that while I do not seek out attention in big crowds I might be deeply involved in smaller, tight-nit, communities surrounding car shows, shooting ranges, etc.

In any case, the above is an overly simplified way of using some, what seems like benign information to identify me for x purpose. But this is good ol' detective work and is not data science. As a data scientist, I take a different approach. I would pick out all the bits of data that uniqily identify everyone and associate them with each other. I wouldn't read 1krrs posts on ok-shooters, I would collect every post by anyone on okshooters and store it. Then I would ignore the context of the words but read the words themselves. Misspellings are a big one. Who mispelled the same word in the same way? Puncuation and capilization? Do they use a lot of commas and where? Do they tend to use abbriviated words or compounded words? Type your post then turn all the letters white where you can't see them and what is left? A pattern of symbols. Once I have patterns, I look to see how those patterns associate with other patterns and that the outcomes typically are. With a few iterations of this, one having done the analysis can tell you fairly affirmatively, who you are, what you like, how you act in random situations, and with that, how I can manipulate you into doing something I want you to do. Thankfully, for the most part, the end result of all this is some very successful advertising that makes companies ALOT of money.

But it can be more sinister. If you are familiar with binary numbering (the same as a computer uses), then when I say it only takes 33 bits of information to affirmatively identify anyone in the world, anywhere. In binary, it's just a symple 2 digit system, 0 and 1. Each bit represent some peice of information. Counting them to ten, 0 = 0, 1 = 1, 10 = 2, 11 = 3. 100 = 4. 101 = 5, 110 = 6, 111 = 7, 1000 = 8, 1001 = 9, and 1010 = 10. Since we only have two digits, basicially and on and off, you see how we got four bits to represent 10 things.Each additional bit added increases the number by ^2. So what does this mean? It means by collecting and compiling huge volumes of little tidbits of info, I can identify with 100% accuracy, who you are, and from the context of those bits, I can tell you what you like, where you go, with whome, when, and by sneaking in some statistics, could compel you within reason to act the way I want you to (ie to go buy that damn coach purse, you know you want it, you've said so in every social media site you own, which I've corollated to you using all the tidbits you've left around, you wonderful little creature of habit, you! Hell, I can tell alot about you by what you never say (don't post your location, birth date, etc).

This is why Facebook, Amazon, Google, and many others spend billions in technology research and infrastructure because big data allows the right people so much good knowldge into your life, their slight nudge in the form of a well time and properly colored ad gets the sale 80% of the time. Business use the way you interact with their websites to profile/pattern you and generate content most relevent to your willingness to seperate your money from your wallet in exchange for some high markup widget they are selling. People use this information in all kinds of ways. Security guys use patterns to identify or predict the type of attack they may face.

Fun read about the basics here:
http://blogs.wsj.com/digits/2010/08/04/the-information-that-is-needed-to-identify-you-33-bits/

Now what do you do about it? Because the data is insignificant people have no problems happily typing it into Facebook, Pintrest, Gmail (hosted email is a BIG one), etc. And because it is seemly insignificant, it's generally fairly honest, Big data relies on being able to pull together realitively factual and accurate information. Since it's basically collecting and storing huge volumes of data to search out and corolate patterns, the first step to annonimity is to change your paterns. Use periods where commas are supposed to do. Don't ignore the intrusion into your PII (personally identifyable information) but skipping those fields, fill them out! If you are 23 year old asian female, become a 57 year old white male. Accurately filling that information out is a gold mine for big data algorythms. One of the major algorythms is calls map/reduce and it's just a way of sucking up huge bits of data and making a table of context or an index which will tell you where all the instances some bit you are looking for it located quickly. And you can compound those searches to genreate patterns to see what you can learn about your subject. Change some of that data and all of a sudden, you are fitting into patterns that don't make sense. Change your profile. My facebook account thinks I'm a 21 year old student at OU. I may be but it doesn't seem like it compared to most of my open books friends and It doesn't change how I use the system. It does change the advertising I see if I see any at all. If you use amazon and find it a little creepy that they know so much about what you are going to buy; buy random things. If you have no kids, buy a box of diapers for a friend that has kids. Order tools and toenail polish (makes good improvised machinists blue). Be contradictory in what you put in. If you read this post closely, you will see lots of commas and abbriviations mismatch with some mispelled words (I really am a lazy typer so that's not uncommon).

Other things are, use multiple browsers. Use Firefox instead of Chrome sometimes since sites log your useragent (basically a fingerprint of the browser and the computer it is running on). The later has a useragent switcher that you can use to turn Firefox into any propular browser out there. You can use TOR networks but the only people who do are typically either honest to goodness bad guys or people trying to bypass their work url filter to watch porn or get to okshooters! (easier ways to do this). In anycase, rambled enough but ask question, I'm happy to talk all about big data analytics because it's a realm I'm working in and do very much enjoy (but I don't do the advertising side of things).
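An added example, not part of 1krr's post: a minimal version of the "turn all the letters white" comparison he describes, which strips letters from each post and compares the punctuation habits and shared misspellings that remain. The account names, post text and misspelling list are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample posts; account names and text are invented for this example.
POSTS = {
    "forum_user_A": "Well, I think the range was fine, but the drive, honestly, "
                    "was ALOT longer than expected... Bring water, snacks, and ear pro!",
    "shop_reviewer_7": "Shipping was slow, but the part fit, and the price, frankly, "
                       "was ALOT better than local... Would buy again, no question!",
    "forum_user_B": "The range was fine. The drive was long. Bring water and snacks; "
                    "you will need them. Is ear protection provided?",
}
# Small constructed list; a real analysis would use a full spelling dictionary.
KNOWN_MISSPELLINGS = {"alot", "seperate", "definately", "recieve"}

def skeleton(text):
    """'Turn the letters white': drop letters, digits and spaces, keep the symbols."""
    return re.sub(r"[A-Za-z0-9\s]", "", text)

def style_profile(text):
    """Content-independent habits: punctuation counts plus ALL-CAPS words."""
    profile = Counter(skeleton(text))
    profile["<CAPS>"] = len(re.findall(r"\b[A-Z]{2,}\b", text))
    return profile

def similarity(a, b):
    """Cosine similarity between two style profiles (1.0 = identical habits)."""
    pa, pb = style_profile(a), style_profile(b)
    dot = sum(pa[k] * pb[k] for k in pa)
    norm = (math.sqrt(sum(v * v for v in pa.values()))
            * math.sqrt(sum(v * v for v in pb.values())))
    return dot / norm if norm else 0.0

def shared_misspellings(a, b):
    """Known misspellings that appear in both texts."""
    def words(text):
        return set(re.findall(r"[a-z]+", text.lower()))
    return words(a) & words(b) & KNOWN_MISSPELLINGS

def closest_account(name):
    """Other account whose writing habits are most similar to `name`."""
    others = (n for n in POSTS if n != name)
    return max(others, key=lambda n: similarity(POSTS[name], POSTS[n]))

if __name__ == "__main__":
    for name, text in POSTS.items():
        print(f"{name:16} skeleton={skeleton(text)!r} closest={closest_account(name)}")
```

Running the same profile over your own posts on different sites shows which habits (comma density, ellipses, a recurring misspelling) carry across accounts.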
 

dennishoddy

Sharpshooter
Supporting Member
Special Hen Supporter
Joined
Dec 9, 2008
Messages
85,019
Reaction score
63,016
Location
Ponca City Ok
Awesome information.

Reminds me of back in the Military days when data mining was done by phone, radio, and personal observations. I had a really high security clearance, so we got training on a regular basis on how to conduct ourselves and transmit information without giving away intel.

The Data revolution has exponentially increased this to the point that I personally don't believe we have any chance in hell of keeping ourselves private anymore.

Commerce and gubberment has us by the ying yang.

Interestingly enough, I read today that our gubberment is suing Yahoo. They have so far refused to release consumer information to the feds.

The gubberment's argument is that terrorists are using Yahoo to communicate knowing it's not going to our gubberment.

I kind of doubt that.
 

BadgeBunny

Sharpshooter
Special Hen
Joined
Feb 5, 2007
Messages
38,213
Reaction score
15
Location
Port Charles
1krr,

That was a LOT of information, but thank you so much! I guess it just shows how naive I was about it all.

No kidding. I've read it 3 times now and I still haven't taken it all in ... Computer security is one of those things I probably don't pay enough attention to. Believe it or not (as she sits here playing around on OSA and Pinterest :lookaroun) I'd be just fine without a computer ... or a phone ... or a tv ...

My poor husband would D.I.E. from the culture shock though ...
 

1krr

Sharpshooter
Special Hen
Joined
Jul 10, 2006
Messages
721
Reaction score
1
Location
OK Shooters
Just my half-assed attempt to show how even random text can be combined to put together in unique ways. People tend to misspell the same words in the same ways which can be useful in identifying someone. Combinations of letters, numbers, spaces, and so on are called "strings" in computers. Your name and location for example are very unique strings. From it and a little time writing some code to scour Google, one might guess that your first name starts with a K, last name ends with an S. You live in the NE of the state. You were born around the middle part of the last century and enjoy the greatest creation America ever put on 4 wheels (couldn't agree more)!

There is a lot more info out there but really it's just about sharing with folks some of the technical aspects with folks who want to know. Many don't really care since in the grand scales of society if the worst we face is someone doing a better job selling me stuff, it's my responsibility to decide whether to buy crap I may or may not need. I do think people need at least the opportunity to understand what is going on behind the scenes because if given the information, it's an individual's responsibility to decide what to do with it. This is just a tool but like many tools, people will come up with creative ways to use it for better or worse.

EDIT: Another point in rambling on about strings made me think of another issue: passwords. They are just strings as well. To a computer, it's just meaningless 1s and 0s. Humans on the other hand can understand variations. Most modern systems store passwords in a hash using a one way algorithm. All that really means is that it's a formula that can take some string and boil it down to some other gibberish. MD5 is a common and well used hashing algorithm. For example, a password of "I am a nerd" generates an MD5 hash of 8c7e3deb8c90fe971d24d8230253b280. What makes one way formulas unique is that it is irreversible meaning that you couldn't hack in and steal the hash from a database or file and directly reverse it to the original password. This is awesome. The classic way to get around that when you are a 15 year old in your mom's basement with a load of stolen password hashes is to precalculate as many possible hashes as you can. That way you have a list of billions of hashes and the password that generated them.

Here is some interesting info about passwords. People use words they know for passwords. If it's in a dictionary, the 15 year old has it in 7 seconds. But did you know, to a computer, there is a difference between upper case and lower case? So "password" is different than "Password" which is different than "PASSWORD". So even one upper case and lower case password makes each letter twice as hard to guess. For a computer, it means fractions of a second difference in finding your password but it is still an important concept. Let's assume you get tricky and use "Password1". Never mind that everyone does this and most of them use 1 so I'm going to search that first, let's just look at it from a computing power perspective. Now the password is one character longer but there are also 10 more possible types of characters. So with all lower case, there are 26 possible answers to each letter. With upper case and lower case, there are 52 possible answers to each letter. When I add numbers, now there are 62. So with an 8 character password all in lower case there are 8^26 possible solutions of which one is the right password. But with upper case and the number 1 at the end, there are now 9^62 possible solutions. Huge numbers! But now, let's add a ! (shift 1) to the end so the password is "Password1!". Now we are into special characters and that is when things get really tough on the ol' hacker computer the 15 year old is beating up your password with. In raw "strings" your password could be any one of 10^72 possible combinations. That's a 10 with 72 zeros behind it only using the characters on the same key as the numbers.

But the computer cracker dudes are crafty. They know these things. Even though "Password1!" and "nJa81&0z@l" are valid potential solutions a computer might test, the handy hacker kid is going to test your password with dictionary terms first, and then just change a couple letters at a time playing the odds that they will get to your password sooner if they lock in some words and phrases we all know about. He will also map certain sets of characters on the keyboard into his cracking tool by only searching the characters in the sector of the keyboard with letters and numbers. Only search letters, numbers and the special characters on the number keys (everyone uses !,@, and *) or to the right of the letter key section (the <>?:"{}| keys). Now you can trick this up a bit by using "P@ssw0rd1!" to stop it from catching the dictionary word but using @ in place of a and 0 in place of o is as old as the hills. The 15 year old will already have those variations at the top of the list. Really, "nJa81&0z@l" is about as good a password as any! I've memorized about 5 of these random combinations and I change just one letter or number to a different case. Remember those hashes we store in place of passwords? "nJa81&0z@l" hashed to 78e72b1259b84c079df89ac1b7ec2a1b but "nJa81&0z@l!" with just an exclamation point added changes to 8a36f4f64df4ea27c4b6c62705dce2fa. It's completely different. You might notice that the hashes are all the same length so you can't use the length of the hash to infer the original password length so you don't know how many characters you have to guess.

But that is a pain in the ass. After another midnight rambling, you are probably asking me, dude, just tell me what the hell I need to do. Well, I'm glad you asked! Basically, put together combinations of characters that aren't common. Use a passphrase such as "thisismypassword" instead of "password." Add a capital to a character other than the first one such as "thisisMYpassword". Add a number like "this1sMYpassword". Then add a special character like "this1sMYpas$word". Finally add in some of those keys on the right side so it looks like "<this1sMYpas$word>". That last one would be pretty damn hard to hack.

But if you don't want to be bothered with it, there is an even easier way. Use something that isn't a dictionary word like "P@ssword" and change it very frequently with just a letter here or number there. "Password@10" which next time gets changed to "password@10". These generate completely different hashes. That way, even if they do get your password, by the time they've hacked in, gotten it, and decrypted it, you've already changed it with some simple variation and moved on. Most often, they don't care about your password specifically. It's just a batch of maybe hundreds of thousands they've stolen and they pick the low-hanging fruit and go do their dirty deeds on that person's dime.


BTW, thanks all who can survive reading my ramblings. Just another midnight rant about fun nerdy stuff to know to keep yourself safe in this wild wilderness we call the internet. As always, questions! I'm happy to help and trade knowledge any day.
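An added example, not part of 1krr's post: a defender's check that computes the brute-force keyspace as length × log2(alphabet size), flags passwords that are only a dictionary word with a capital, a leet substitution or a trailing digit/symbol, and contrasts unsalted MD5 storage with a salted, slow PBKDF2 record. The wordlist, substitution table and the 600,000-round setting are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
import string

# Tiny constructed wordlist; real checks use large breached-password lists.
WORDLIST = {"password", "dragon", "letmein", "sunshine"}
UNLEET = str.maketrans("@4$5013", "aassoie")  # undo common substitutions

def naive_bits(pw):
    """Brute-force keyspace in bits: length * log2(size of the alphabet used)."""
    size = 26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
    size += 10 * any(c.isdigit() for c in pw)
    size += 32 * any(c in string.punctuation for c in pw)
    return len(pw) * math.log2(size) if size else 0.0

def is_dictionary_variant(pw):
    """True if pw is a listed word after undoing case, leet and a trailing tail."""
    core = pw.rstrip(string.digits + string.punctuation).lower()
    return core.translate(UNLEET) in WORDLIST

def md5_record(pw):
    """Weak storage: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(pw.encode()).hexdigest()

def pbkdf2_record(pw, salt=None, rounds=600_000):
    """Hardened storage: per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return f"{salt.hex()}:{key.hex()}"

def verify(pw, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = record.split(":")
    return hmac.compare_digest(pbkdf2_record(pw, bytes.fromhex(salt_hex)), record)

if __name__ == "__main__":
    for pw in ("password", "Password1", "P@ssw0rd1!", "nJa81&0z@l"):
        print(f"{pw:12} {naive_bits(pw):5.1f} bits  variant={is_dictionary_variant(pw)}")
    print(md5_record("Password1") == md5_record("Password1"))        # True
    print(pbkdf2_record("Password1") == pbkdf2_record("Password1"))  # False
```

The raw bit count rises with every added character class, but the variant check shows that "P@ssw0rd1!" still reduces to a single wordlist entry, while the random string does not.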
 

Lurker66

Sharpshooter
Joined
Aug 14, 2012
Messages
9,332
Reaction score
7
Location
Pink
Son of a gun. Ramble some more. I've been using same name n password for 10 years. Guess I'm screwed.

Seriously tho this is good info.
 

Blitzfike

Sharpshooter
Special Hen
Joined
Aug 16, 2006
Messages
2,096
Reaction score
10
Location
Tuttle, OK
Lots of tricks on Linux or Unix based systems to be gained by using special characters normally reserved for system use. If you know how, you can nullify the characters' use in a stored string such as a password, making it very difficult for someone who stumbles into your system to change the password. They keep getting an error message that the string contains forbidden characters.
 
