Security Saturday!
The price of Security
This week there is a lot to think and write about. First of all, TikTok seems to be under fire for good reason (link below). Moreover, this week again I got into doing my job in my free time. That is, I get into a conversation and end up speaking to people about the behaviour of apps. Of course, the TikTok story ties right into this, although my fight at the time was with Discord.
It is no secret that free (or in Discord's case upgrade-ware) software will have several levels of intrusivity. Some are purely for function, some are there because of laziness to do a better job, yet others are there out of maliciousness. Discord I would put in the laziness category with maybe only a hint of the maliciousness. TikTok definitely seems to be of the malicious kind.
As some comments remark, this is normal. This is how it goes. We provide analytics platforms that do the same for any app that uses our platform. And this is where the price of security comes in. The suggestion made to us is that because this happens and is standardized, we should accept it. However, every piece of data collected is a breach waiting to happen, which can possibly lead to identity theft, impersonation, direct hacking attempts and more. The price I pay for not having this happen to me is that I choose to not use some services.
This list is not exhaustive, and I am not really uptight about it. I have Steam on my system, which does some scanning (I believe, someone on the internet said...) but so far they have been a company that has given me no reason to doubt that they are serious about doing it in a gentlemanly way. I also allow DRM-locked content in my browser, which the EFF has something to say about. (Link Below)
This little rant then brings me to the EFF. Cory Doctorow is, as far as I can tell, still a special advisor for them. I have great respect for the dude in a sense, but he really misses the ball on some topics. Now that the EFF has gone off the deep end, I would hope that he himself sees the problem they have run into.
See, the EFF (Electronic Frontier Foundation), much like the Dutch Bits of Freedom, is supposed to provide a voice for free expression on the internet and against mass surveillance (among other things). In their haste to please those that screamed for free expression the loudest, they have become woke. I follow them on twitter for now, but I am very inclined to unfollow them. I am left with no organisation to speak for me as I want to have true freedom, and not an equitted freedom as advocated by the EFF nowadays.
Of course mass surveillance is bad in my eyes; however, focused surveillance with a clear attainable goal is not. Likewise, freedom of expression is wonderful, especially on the internet.
However, internet connectivity is not a human right (however much the EFF wants you to believe it is). The freedom of expression that I can stand behind is one that allows you to spew anything on any channel available to you. It does not guarantee you access to any particular channel. Besides, what degree of connectivity is a right? 3G? 4G? 5G? Cable? Fiber? When someone has a right to free speech, they have it or not. Either they can say anything, or it is not free. However, with internet access it seems that most companies utilize the bandwidth such that the average person has a good experience. Therefore providing the baseline will result in a horrible internet experience. So people will then advocate for something average, however this costs more (and is paid for by someone, I'm sure) and it will UP the average internet performance, which means the companies will once again utilize more bandwidth and the average will become the new slow.
This is, of course, only one of the issues with the EFF. Their narrative on mass surveillance has shifted to BLM protest surveillance. Is it important that you are not identified at a protest? Yes. However, it is also important that those that abuse their right to protest to harm others be identified. It is, again, not the surveillance itself that is the issue, but the context that it is used in.
The EFF has been losing sight of their original (stated) purposes for a while now, although maybe this was their heart all along. Who can say?
Now, the EFF produced one of the most violent ad- and tracker-blocking browser extensions, Privacy Badger. It is not nuanced enough for my tastes, but it is a good resource to have. However, with the state of the EFF being as it is, would I really trust an extension they made and give it the power to filter my internet connection? Here again, we pay a price. Because the EFF has forsaken that which they stood for in the name of wokeness and being an ally to the oppressed rather than a countervoice filled with sensibility, there seems to be no voice of reason left for me to follow, and I shall have to do this myself.
This is the price I pay for trying to think for myself, and as with the price of security I shall have to choose to abandon certain organisations, principles and benefits.
But because I pay it, I can keep my integrity and security, and have a less biased opinion available for those who need it.
https://www.boredpanda.com/tik-tok-reverse-engineered-data-information-collecting/
https://www.eff.org/deeplinks/2014/05/how-drm-harms-our-computer-security
This is the third corner to have persistent discussions and talks in. I love tech, but especially once it transcends hardware a little. I have two degrees; a bachelor's in Software Engineering and a master's in Information Security Technology. My graduation thesis focused on assembly-level optimizations (that is, one level above the hardware level) and my free subjects were in formal verification. This is why I love programming in the security corner, or maybe it is the other way around.
I started going down the Security path because I early on saw that the world around us would become a dangerous cesspool of badly-implemented and hostile tech. Now I am one of the people that understands the field around that mess :)
So in here you can discuss secure phones, weird programming languages, sad truths about internet-connected fridges. Also about malware, adblockers, and so on and so forth!
A lot of tech talk I do over at the @Lunduke community, where a lot of nerds hang out and it is ...
Much like the reading corner, let's have a music corner! A few rules for this one, since some music can be provocative. I don't mind much but let's keep youtube links with risque thumbnails out of here.
Other music I might also mind. "Do you find that offensive?" someone might ask. Yes, there is some music I choose not to listen to on principle, and I walk a thin line there sometimes. But do not worry, I have a wide taste otherwise so feel free to share almost anything :)
Either way, here is the music corner!
Many times when we talk about security, we mean to say "Digital security". In essence we mean to say that the hardware and software that we use stays safe no matter what we do. And even though the ISO27001 standard (and by extension, for example, the NEN7510 standard) makes it abundantly clear that security is a people-domain problem, we usually take that as a process-like truth. Meaning, we think that being secure is a matter of regulating people.
The truth is very different. For example, while writing this I am pretty shot. I slept five hours and I am under the influence of a bunch of painkillers and some alcohol. Before you ask what I was thinking, let me mention that I have a genetic defect in my spine that I am dealing with right now by taking measured doses of all three (and yes, to get the Bible into this conversation, there is even a biblical ground for the inebriation with alcohol - see Proverbs and the letters to Timothy - , although I did not use red wine. But hey, I am still on top of ...