In the field of digital security, there’s something called the zero trust principle. Simply put, it means to trust nothing under any circumstances, ever. If a system isn’t cryptographically and mathematically provable to be secure, then it isn’t secure. This principle has never been more relevant than it is today given the intense fight for privacy. We are living in a state of constant surveillance. It is no longer a conspiracy, it’s happening right now. So, let’s take a look at the far reaching consequences of this simple rule and why it must dictate every action of anyone who cares about their privacy.
Let’s consider a simple chat application. There are two straightforward things such an app needs to do:
- The user should be able to send a message to another user
- The user should be able to receive a message from another user
That’s the core, everything else (media/emojis etc.) is just the icing on top. In a perfect world, we’d simply be able to send the plain-text message directly from one user’s device, it’d travel through the internet and arrive at the other end, unmolested.
But alas, that’s not the world we live in. At every junction, you are open to attack. Let’s try to think of every possible thing that could go wrong. Remember, zero trust.
- Keyloggers
- A keylogger planted on the user’s device by an adversary
- A keylogger built into your operating system (Windows 10, I’m looking at you)
- A hardware keylogger, a little something something in between your keyboard’s connection to the computer, quietly recording every key stroke.
- Network
- Perhaps the WiFi router was compromised. Surely it doesn’t use the default password, right?
- The router doesn’t even have to be compromised, another device on the same local network could simply insert itself in between your connection to the actual router (ARP Spoofing), a form of man-in-the-middle attack.
- Perhaps the WiFi still uses WEP instead of WPA
- Are you sitting in an office, does the employer enforce a custom firewall? One that can monitor and log all network traffic?
- What about your Internet Service Provider (ISP)? Could they be snooping on everything you do?
- Authentication and Encryption
- Is the device protected at all? Could some other user just open it up and look through the user’s private messages?
- Does it use passwords? How strong is the password? Can it withstand hundreds of billions of guesses per second? Is the hashing algorithm itself secure?
- What about the chat application? How does it authenticate the user? How does it store their credentials? Are the messages encrypted? How strong is the encryption?
- Other attack vectors
- Are you sitting in a public place? Is someone looking over your shoulder?
- What about security cameras?
- Could someone who knows you guess your password? What about your security questions?
- Did you notice that every single one of the above scenarios could be true simultaneously?
Okay I’m going to stop now, but the list goes on and on and on. It isn’t paranoid if it’s actually true. Every single one of the above is a very real security concern for modern systems.
This is why the zero trust principle is so important. It sounds simple but in practice it effects everything we do, it lies at the very heart of cyber security. Whether you’re choosing a password or protecting your computer or using an app. It isn’t a mere guideline, it’s a mindset, a way of thinking.
Why you can’t trust companies
Let’s have a little reality check..
- Dropbox actively searches through user’s files. Their Terms of Service states that it can search through your files to see if they comply with its ToS and Acceptable Use Policy. Dropbox is not alone. What about other cloud storage services (Google Drive, Microsoft OneDrive or Apple iCloud)? Surely we can trust them to leave our files alone, right guys?
- Google scans all your emails. And do you remember the Yahoo 1 billion accounts hack? Substandard password storage at one of the biggest companies in the world lead to the single biggest digital heist in history. Trusting a company means not only trust their intentions but also their competence.
- “Yahoo helps the government read your emails. Just following orders, they say.”. Oh this just gets better and better.
There’s nothing inherently wrong with ‘trusting’ companies. However..
- You may trust their intentions but can you trust their competence?
- You may trust their competence but can you prove the quality (and security) of their private software?
- They may have the heart of angels and perfectly secure software[citation needed] but can you trust them to stand up to the government? Will they choose to shutdown instead of betraying your trust?
Trust. We deserve better.
And here is our reality. You are being watched. Private and state-sponsored organizations are monitoring and recording all your online activities. You have no privacy. The fight for privacy isn’t to keep it, it is to win it. And whether you like it or not, you are a part of it.
Silver lining
Fear not, it isn’t all so hopeless. The answers are already here. If any of what you’ve just read made you feel a bit uneasy, made you rethink some things, I highly recommend you check out PrivacyTools.io. It has an excellent collection of alternative privacy-conscious tools that you can start using right now and join the fight for privacy.
Why not use a secure Dropbox alternative that runs on your own server? Why not use a encrypted chat messenger that you can compile from it’s open source repository? Just because we cannot trust companies doesn’t mean we have to stop using products that we need. Open source, self-hosted and decentralized software is the only way to replace trust with confidence. Provable, justified and cautious confidence. And most of these are free. Free is always good.
For all the tutorials on this website, you’ll find that there is an element of zero trust in every single one. Sometimes it’s subtly implied, sometimes it’s blatant, but it’s always there. And so it must be for all things digital.
Whether you’re hobbyist hacker or a security professional or just a citizen of the internet, this is something that you always need to keep in the back of your mind.
Want to be a real hacker? Sign Up!
