Security Saturday!
Chain compromise is a term I just made up, because before I started writing I thought I would be writing about supply chain compromise, but over the past week I have also run into another problem. Information chain compromise.
To start at the end, Troy Hunt ran into an information chain compromise when someone alerted him to a security breach at a crypto-wallet company, which, after he shared it, turned out to be a phishing mail pretending to be a security breach notification. The link to the source is below and you can hear more about it there. When I heard that, I simply realized that we have a chain problem in both supply and information.
A chain compromise means that something you rely on gets compromised and therefore your own functioning is compromised. For example, let's say that Parler and Amazon disagree and Amazon stops hosting Parler; that is a form of supply chain compromise. Parler stops functioning because somebody upstream in their supply chain got compromised or was otherwise unwilling or unable to provide their service. The same goes for Troy Hunt and the faulty report. He relies on the people sending him mails to be fairly confident about the veracity of their reports, so if someone misses a beat on that, he takes the blow because he is the public figure tweeting the result out.
Now you might think that chain compromise is only a problem for public people and for companies, but that is not so. Imagine your Android phone deciding you can no longer install Parler. You were downstream, relying on the Play Store to deliver your apps, but the Play Store decided to no longer deliver Parler, meaning that your supply chain for apps has been compromised.
Now this is of course all theoretical (or is it?) to show the fragility of the supply chains we take for granted, and how sometimes there is no alternative. The same goes for information. For example, if the Netherlands had one press bureau (let's call it ANP, the General Dutch Press), and it provided most press reporting to other news outlets so that those outlets could research those stories or just place them in their papers and news programs for a fee, that would mean the information supply chain has a single point of failure whenever bad information is pushed via this ANP.
Of course, none of this is theoretical. ANP is a real bureau and provides much of the news in the Netherlands. Similarly, the Play Store does decide to drop apps it does not like and similarly Amazon did stop serving Parler. People have been saying we need our own infrastructure, and I agree. But I do not think I will agree with having the same infrastructure that was already in place. The best cure against chain compromise is to not have to rely on the chain.
Do I need my phone to function? No, my mail is also available online. All my business contacts and my personal contacts have both my email and my phone number. Moreover, since I have damaged hearing, I do not rely on phone calls as much as most people do. I can also still do banking without my phone. The only thing that I do have to rely on is 2FA, but that can be remedied by getting a Yubikey, or a dedicated phone that just does 2FA (or a desktop app). Most notably, 1Password offers to save 2FA information for you, which would make it available wherever 1Password is, although that shifts some of the chain compromise risk to 1Password.
But let's move on from that and have a look at many things. You do not need Facebook. It used to be normal to not vacuum up all the information from Aunt Sally. If you are really interested in Aunt Sally you can call her. You can actually call her using a landline even (again, a mobile phone is not a must), or send her a postcard or an email. It used to be normal that people could not be reached when travelling, but we have gotten so used to it.
Alright, you say, I see your point in supply, we need to diversify infrastructure and not just get another one. We need to get multiple ones and maybe be okay with having less (slower, faultier, more basic etc...). But I do not see what you will point out with information chain compromise.
Worry not, information compromise is easier to get around. Most of us do not need to know what is going on in the world at large. Being among neighbors and knowing what happens in your neck of the woods is probably enough. But if you go for information, you can simply diversify it. I have made it a habit to check people by trust. I trust Tim Pool because he told the story about Malmö (Sweden). I have a friend in Sweden as some of you know, and I talked about that place with him. He made it very clear that no-one in Sweden likes to talk about it, or go there because the stories Tim Pool told are true. It has gone downhill fast.
See, while supply chain compromise needs you to diversify and/or replace your chain, with information we at least have the ability to build trust. Now there can be bad actors that spread 90% truth to lure in the checkers, and then deceive them with 10% lies. Of course, and that is a problem with the web of trust as well (as you all know it). It only works with people that function correctly 100% of the time and make no mistakes.
I feel like at this point I am more ranting, but let the conclusion be clear. All of us are vulnerable to chain compromise, and being aware of it is only step one.
And since this is about the information you use to make decisions and the tools you use to act on your decisions, it is clear that having an idea about your supply and information chains is imperative to your security. I won't tell you which sources to trust, or what chains to secure. But I gave you some starting points.
See, I have an education that pre-programmed me to solve these problems a certain way, and I have some convictions that do not allow me to trust every person equally. So not only do I need to check my chains for compromise, I need other people (like all of you) that think differently than I do, to point out the ways in which a supply chain could be fixed or information could be verified. Not just in a technological way, but in any way. The more methods of verification and alternatives you have, the more secure you will be against chain compromise.
Shoutout to @idesofideas (1desof1deas locals) for notifying me about the decentralized web-service thing. I forgot the name, but you did set up your site there so that it works with that system in the Brave Browser!
But supply chain is not solved with just that, because Brave and so many others are actually all Chromium (Chrome open-source)... There are alternatives for that as well, and the people at lunduke.locals.com have many opinions and ideas about it :)
Stay safe out there!
https://www.troyhunt.com/weekly-update-228/
https://1des0f1deas.locals.com/post/387630/uninhabitable-lands-demand-a-more-robust-ship
https://lunduke.locals.com
There is so much more to this one chapter, but it is so good already!
I had to cut it short because guests arrived, but this should get you started on your own study :)
@calvinrempel Thank you once again for the Theology Tuesday you did, I refer back to it in this one :)
@JamesDerian Congratulations on your marriage :)
Next time there might (almost certainly) not be a Theology Tuesday, so the official next one will be February 22nd! I have a marriage to attend. As the groom. Our home is still half a project.
Fun times!
This is the third corner to have persistent discussions and talks in. I love tech, but especially once it transcends hardware a little. I have two degrees; a bachelor's in Software Engineering and a master's in Information Security Technology. My graduation thesis focused on assembly-level optimizations (that is, one level above the hardware level) and my free subjects were in formal verification. This is why I love programming in the security corner, or maybe it is the other way around.
I started going down the Security path because I early on saw that the world around us would become a dangerous cesspool of badly-implemented and hostile tech. Now I am one of the people that understands the field around that mess :)
So in here you can discuss secure phones, weird programming languages, sad truths about internet-connected fridges. Also about malware, adblockers, and so on and so forth!
A lot of tech talk I do over at the @Lunduke community, where a lot of nerds hang out and it is ...
Much like the reading corner, let's have a music corner! A few rules for this one, since some music can be provocative. I don't mind much but let's keep youtube links with risque thumbnails out of here.
Other music I might also mind. "Do you find that offensive?" someone might ask. Yes, there is some music I choose not to listen to on principle, and I walk a thin line there sometimes. But do not worry, I have a wide taste otherwise, so feel free to share almost anything :)
Either way, here is the music corner!
Many times when we talk about security, we mean to say "digital security". In essence we mean to say that the hardware and software we use stay safe no matter what we do. And even though the ISO27001 standard (and by extension, for example, the NEN7510 standard) makes it abundantly clear that security is a people-domain problem, we usually take that as a process-like truth. Meaning, we think that being secure is a matter of regulating people.
The truth is very different. For example, while writing this I am pretty shot. I slept five hours and I am under the influence of a bunch of painkillers and some alcohol. Before you ask what I was thinking, let me mention that I have a genetic defect in my spine that I am dealing with right now by taking measured doses of all three (and yes, to get the Bible into this conversation, there is even a biblical ground for the inebriation with alcohol, see Proverbs and the letters to Timothy, although I did not use red wine. But hey, I am still on top of ...