Insights For Success

Strategy, Innovation, Leadership and Security

OnePlus policy that makes it a better buy than Samsung, HTC or LG

GeneralEdward Kiledjian

As a security technologist, the security philosophy of the OEM is a crucial determinant of my decision to buy or recommend a device. This is where Apple shines with it's iPhone update strategy. Every single iPhone receives updates (security and version) at the same time. 

This is why I highly recommend Google's Pixel devices. The Pixel line offers the same regular and speedy update schedule. The other Android manufacturer that has shown it cares about upgrades is OnePlus. Until this week, it did a great job delivering updates quickly, but it didn't formally commit to a software upgrade schedule. 

All of that changes this week when OnePlus unveiled its new operating system (Android) maintenance schedule. It has copied the Google Pixel model and will deliver major upgrades for two years and security updates for three years. 

As per the maintenance schedule, there will be 2 years of regular software updates from the release date of the phone (release dates of T variants would be considered), including new features, Android versions, Android security patches and bug fixes and an additional year of Android security patch updates every 2 months.
— OnePlus OS Maintenance Schedule

Conclusion

OnePlus has always offered solid well-designed devices at competitive prices. This new software maintenance schedule commitment makes their offering that much more compelling. 

I can no longer recommend devices from manufacturers that do not regularly deliver security and version upgrades. This is why I only recommend Android devices from Google, Blackberry Mobile and OnePlus. 

Is TOR Private and Anonymous?

GeneralEdward Kiledjian

One of the most frequently asked questions I receive from readers (from this blog, Twitter and LinkedIn) is "Should I consider TOR private and anonymous?" 

This question is interesting with fervent activists on each side [of the issue]. On one side are TOR proponents extolling the virtues of the platform and explaining how it will save humanity from the scourge of privacy-invading networks. On the other side of the discussion are conspiracy theorists that claim TOR is nothing more than an NSA honeypot (a data collection tool). 

Like most important topics, the truth is never as clean as we would like it. The truth is that TOR is a little bit of this and a little bit of that. Let's dive straight in. 

Who started TOR?

Conspiracy theorists love highlighting the fact that the United States Navy developed TOR. So the first question we need to tackle is regarding this origin statement.

The core privacy functionality of the TOR network, the onion routing, was developed by United State Naval research laboratory employees named Paul Syverson, Michael G Reed and Favid Goldschlag. The purpose of the technology was to protect US intelligence communication. 

The TOR Project was launched in September 2002 by Paul Syverson,  Roger Dingldine and Nick Mathewson. In 2004, the Naval Research Laboratory released the TOR code under a free license, and the EFF (Electronic Frontier Foundation) began funding the initiative. The Tor project we know and love today was started in December 2006 as a 501(c)(3) non-profit organization with support from the US International Broadcast Bureau, Internews, Human Rights Watch, the University of Cambridge, Google and  Stichting NLnet.

It is true that the majority of the funding for the free and open source project came from the US government. 

Does the government control TOR entry and exit nodes?

When talking about TOR privacy and confidentiality, there are 2 distinct question most astute users ask:

  1. Can someone "see into" my traffic?
  2. Can someone tie TOR traffic back to me? 

The first theory I read about consistently was that world governments (particularly the 14 Eyes Countries) control the majority of the TOR Exit nodes thus can "see into the traffic." Looking strictly at the Exit node piece, governments have no deterministic way of knowing where a suspects traffic will exit from the network. As long as they don't control all of the TOR Exit nodes (which we believe they do not), they can't be sure the suspect traffic will flow through their nodes. Additionally, if the site you are visiting is using cheap and easy to implement security (like TLS) then even if the government controls the exit node, they won't be able to "see inside the traffic." Traffic that joins the TOR network to access a TOR hidden service never exits the network so it wouldn't even pass through an Exit node.

What if a government controls both the Entry node and Exit node you use? Assuming you are using TOR to browse the "normal" internet then you will hit an exit node. If the government(s) control enough of the entry and exit nodes, they can use statistical correlation tie traffic back to you. 

If you are browsing a site with well-designed security, they still would not be able to see "inside your traffic" but would know that you originated the traffic flow (aka collect metadata). 

It is important to remember that the TOR Project isn't just idly sitting on the sidelines watching the government violate its technology. They are actively working to harden the platform and work tirelessly to make it more secure every day. Some of the techniques used by the TOR platform include:

  • Switching TOR circuits regularly and unpredictably. Thus making long-term data mining more difficult. 
  • Ensuring that the TOR nodes used are as randomized as possible. Thus making predictability of route near impossible.
  • and more 

Has the TOR browser been hacked?

The answer is yes but hold on before you install the TOR browser from your computer. I would submit that almost every commercial or free software has exploitable bugs that would compromise a users privacy and confidentiality. The question isn't whether a product has these types of exploitable bugs but rather what the software "vendor" does about them. The TOR project has been an incredibly honourable steward of the TOR platform. They quickly patch any discovered vulnerability. 

The other "trick" for the extra paranoid is to switch the security level in the TOR Browser to high. This will break some sites, but you want strong security don't you? 

Can I be tracked using the TOR Browser?

I wrote an article in 2016 talking about browser fingerprinting techniques and referred readers to the EFF's Panopticlick site to test this on their own devices. Browser Fingerprinting is a technique that leverages information your browser gladly provides to sites to uniquely identify you and then track you as you browse the web. 

To illustrate the power or browser fingerprinting, I ran the Ponopticlick site on my "normal use" machine using different browsers. 

  • My reference browser will be Google Chrome (same results with or without UBlock Origin): Your browser fingerprint appears to be unique among the 1,747,285 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
  • The Brave "privacy" browser (default configuration): Your browser fingerprint appears to be unique among the 1,747,235 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
  • Microsoft Edge (Win 10 latest update): Within our dataset of several million visitors tested in the past 45 days, only one in 218410.63 browsers have the same fingerprint as yours.
    Currently, we estimate that your browser has a fingerprint that conveys 17.74 bits of identifying information.
  • Microsoft Internet Explorer (Win 10 latest update): Your browser fingerprint appears to be unique among the 1,747,285 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.

  • Tor Browser with safest security option: Within our dataset of several million visitors tested in the past 45 days, one in 92.3 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 6.53 bits of identifying information.

So in safest mode, the TOR browser does dramatically reduce information leaking about your browser but the fact you are using a low popularity browser is in fact itself a tracking tool. The short answer to this question is that tracking is still possible.

Should I trust the TOR Browser?

I've addressed some of the most common questions I receive, but the only reason you read this article is for this one question alone. You want to know if the TOR browser is safe enough for you. 

Unfortunately for you, I'm a security professional, and I believe security is never black or white. The question of whether the TOR Browser is safe enough for you is the real question and that depends. 

It depends on the types of activities you are performing. 

On the low end of the spectrum is a general user that wants to use TOR to browse questionable websites from work without leaving traces in the company proxy logs or without being stopped by a URL filtering tool. For this type of user, the privacy and anonymity afforded by TOR are probably sufficient. It is unlikely that a nation state will target you for deanonymization and tracking. 

On the other end of the spectrum is a hardened criminal trying to sell nuclear secrets to the highest bidder. You would probably be classified as a high-value target by the global intelligence community, and thus they would use the full arsenal of tools to identify and track you. If you are a criminal mastermind hellbent on world domination, you probably need better tools than TOR. 

A tweet by Edward Snowden explains it best:

Security is a complex system of risk management and mitigating controls. There is no magic bullet where everyone is safe and anonymous all of the time. True security is a complex architecture of different technologies implemented in very particular ways, to achieve the protection level you desire or need. 

If you are browsing adult content from home and want some level of anonymity, TOR is perfect. 

If you want to browse it while at work, know that most companies have agents installed on your workstation to track your browsing regardless of the browser used. 

Therein lies the real risk. Whether you are using TOR or the end-to-end encrypted Signal messenger, the tools themselves are often secure.  However, if someone compromises either of the endpoints, you can still be de-anonymized. This is why true security must be done in layers.

Maybe you need to run a secure Operating System, like Qubes OS that routes its traffic through TOR (booted from read-only media and hash checked to ensure it has not been tampered with). Additionally, even if you have a safe and secure computer, operating system and connection, you must still be careful not to involuntary divulge clues about yourself when online, so security hygiene is also very critical. 

Security is though. Perfect security doesn't exist.

Calgary airport offers the best WIFI performance in Canada

GeneralEdward Kiledjian

Ookla, everyone's favourite speed test service has just published internet performance metrics for North American airports. Calgary Airport has been rated as the best performer of all Canadian airports and is the third best in North America.

  1. Seattle Tacoma International
  2. Denver International Airport
  3. Calgary International

Montreal's Pierre Elliot Trudeau Airport was rated the worst. Toronto's expensive Toronto Pearson International Airport is rated 23rd.

Examples of Darknet (TOR) sites

GeneralEdward Kiledjian

I have received a lot of requests from readers, LinkedIn and Twitter connections to provide examples of some "interesting" darknet (TOR Onion Network) sites. I have posted over a dozen on my LinkedIn page but thought I would show a couple here.

My security team and I perform internet and darknet reconnaissance work to create briefing packages on cyber crime, determine trends and spot organizational dangers. As part of this research, we sometimes stumble on interesting examples that I share. 

I have chosen not to hide the onion addresses (aka the URL) because I want to show that these are not made up designs but actual sites. I discourage anyone from using or visiting these sites. I am providing these as example for educational purposes only.

Bitcoin Fig is a centralized Bitcoin tumbler. A Cryptocurrency tumbler is a service that intakes identifiable, tainted or stollen cryptocurrencies and delivers them back with an obscure trail. This is used to improve anonymity when questionable transactions are being performed. These firms typically charge 1-4% of the "cleaned" amount and operate out of countries with strict private banking laws like Cayman Islands, Panama and the Bahamas.

The The Cannabis Growers and Merchants Cooperative CGMC is a "by invitation" cannabis market. They offer a trustless (aka escrow) shopping experience to protect buyers.

The sense of anonymity offered by TOR, attracts many with much more questionable products. Above is the French connection that deals in Heroin, Meth, brown sugar, Superman XTC pills, black tar, Amber glass BHO crumble and other products guaranteed to screw your life.

We've covered drugs and now we turn our attention to sports betting. BETTOR claims to be a marketplace that sells winning bets (not predictions). They claim to have 100% winning bets for football, basketball and tennis. I don't gamble so I cannot vouch for the quality of their recommendations. 

CyberGuerrilla is another example of groups using the pseudo-anonymity of TOR to do what they probably wouldn't on the "normal" internet. This site describes it's mission as "The CyberGuerrilla Collective is an autonomous body based in Europe with collective members worldwide. Our purpose is to aid in the creation of a free society, a world with freedom from want and freedom of expression, a world without oppression or hierarchy, where power is shared equally. We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression."

I describe this site as a blog platform for closet anarchists. 

Escrow defense is a buyer/seller escrow service. 

Cash is King is a get rich quick scheme. You pay them in BItcoin and they "sell" you cash that was destined for destruction. They claim to have a way of moving the cash before it is destroyed but need you to "launder it". How much is this service you ask?

What if you were scared as a king by Burger King and want nothing to do with a King? What is a cash strapped person to do? You can always buy counterfit US dollars from the USD site

What if you want to deal with digital currency? No worries, enter Vendor. Vendor sells hacked Paypal accounts.

How do you cash out these PayPal accounts without getting caught? Conveniently they offer a "cheap" laundered bitcoin service for a small nominal fee ($45USD for each BTC).

So now you have your drugs, your cheap cash and your cheap bitcoin. All this money is burning a hole in your wallet and you want to spend it on "cool" stuff. How about some counterfeit clothing?

What about stolen electronics like a Sony Playstation, an iPad, iPhone, Acer laptop,  or Samsung Galaxy S9?

 

Since you haven't spent all your money yet, maybe you should think about the future and use DoubleBit to grow your crypto using darknet markets. For a "small" fee, they will "invest" your crypto for growth then will return "clean crypto" back to you with outrageously generous short term returns (I am being sarcastic, I have never used their service so I wouldn't know).

Why invest when you simply buy money from the BigDeal marketplace (http://bh3ly32vcg52brrc.onion/)

If you work for a publicly traded company and want to cash out some insider knowledge, you can use The Stock Insiders site

Snapchat usage grows among teens

GeneralEdward Kiledjian

Pew Research publishes interesting surveys, and they recently shared results about what teens use most. Contrary to public opinion, Snapchat is still king with teens, followed by Youtube. Facebook usage amongst teens is down 71% compared to the 2014-2015 Pew report. 

  • 45% of teens admitted to being online "almost constantly."
  • 24% of teens admitted to being online "several times a day."

Girls are more likely to be "almost constantly" online (50%) compared to boys (39%). 

Provided by Pew Research

Instagram is still going strong and 72% of teens now use it (up from 52% in 2015). 70% of teens use Snapchat (up from 41% in 2015). 

Most platforms have an equal amount of creation and consumption except Youtube, where the most significant proportion is consumption. 

You will notice that Snapchat and Instagram have higher usage than Facebook. Interestingly you will note:

  • Instagram/Snapchat are designed to post pictures, whereas Facebook supports photos but videos, links, text updates, etc.
  • Instagram/Snapchat are designed to be used on a smartphone, whereas Facebook is multiplatform. This is confirmed when the stats show that 95% of teens have or have access to a smartphone (88% of teens have access to a computer at home).

31% of teens believe social media has a positive impact on their lives while 24% think it has a negative one. 45% believe it has a neutral effect on their lives.