|
META TOPICPARENT | name="FirstPaper" |
| |
< < | Splitting The Red Herring Sea
A Different Model For Cybersecurity | > > | Hiding in Plain Sight: Alternative Approaches to Cybersecurity (Draft 2) | | | |
< < | -- By MenahemGrossman - 06 Mar 2015 | > > | -- By MenahemGrossman - 14 May 2015 | |
Introduction | |
< < | Much of conventional cybersecurity efforts focus on keeping intruders out, by using firewalls and similar techniques; and encrypting data, making it difficult for thieves to use even when it is intercepted. However, experience has taught cybersecurity experts never to assume that their networks are impenetrable to determined hackers. I would suggest a different approach to protecting sensitive data, to supplement existing methods. (I would be surprised if no one has thought of this before. It may be that it is unworkable, or that I simply did not look hard enough; but as far as I know, it is my own idea.) My idea is that rather than focusing exclusively on trying to prevent thieves from getting their hands on our data, we can let them help themselves—to lots and lots of it, more than they can handle. In other words, I propose to protect data by hiding it like the proverbial needle in a haystack. This would be accomplished by surrounding our data with enormous amounts of real-seeming, but actually false, data. | > > | Much of conventional cybersecurity efforts focus on keeping intruders out, by using firewalls and similar techniques; and encrypting data, making it difficult for thieves to use even when it is intercepted. However, experience has taught cybersecurity experts never to assume that their networks are impenetrable to determined hackers. Conventional cybersecurity methods are in some respects analogous to building strong walls and using heavy padlocks: eventually, a determined intruder will find a chink he can exploit to breach the defenses. A particular disadvantage of such beefy security measures is that their very use can signal to interested parties that there is something worth targeting. For example, encrypting your email, when relatively few people are doing it, may be a red flag that brings you to the attention of a government security agency. | | | |
< < |
If we are encrypting our data, how can the data look "like" data that it isn't? If we are not encrypting our data, why did we give up doing something that works in order to depend instead solely upon confetti?
| > > | This paper will discuss some of the available and theoretical kinds of methods to protect sensitive information without attracting attention. While these methods may not be as secure in the conventional sense as encryption, they represent additional weapons with distinct advantages in the fight for privacy and anonymity. | | | |
> > | Steganography | | | |
< < | For example, to nullify monitoring of our web searches or browsing habits, ‘bots’ could be used that enter searches and surf the web endlessly in our names. | > > | One family of techniques is known collectively as “steganography,” which refers to techniques for conveying secret messages whereby the very presence of a message is concealed. In some cases, the secret message is concealed within an innocuous message. In the digital realm, for example, it is possible to embed a message in an image or sound file, by altering bits of the carrier file in a specific way, so that the application of a filter targeting those changes will reveal the secret message. Then there is Spammimic.com, a site which will convert a string of text into a perfectly readable message offering a dubious sales pitch to the reader. | | | |
< < |
You could look at the TrackMeNot? add-on for Firefox, which does this.
| > > | While it is theoretically possible to detect such techniques through statistical analysis, the computing resources required to analyze every innocuous transmission may prove prohibitive, given the sheer volume of data moving across networks, a volume that is only increasing. Even were the government to attempt to analyze all the data it can reach, it still may be possible to stay a step ahead, by spreading the secret message over a sufficient number of carrier transmissions, thus keeping a sufficiently low profile to evade detection. Of course, these techniques currently require a very deliberate effort and coordination between sender and recipient which tend to make such techniques more trouble than they are worth for most people. | | | |
> > | Making Lots of Noise | | | |
< < | This could be a simple tool that anyone could download and set to run quietly in the background without much drain on bandwidth, and it would make us seem to data miners like completely omnivorous creatures. Eventually, big data would catch on, but the result would be the same: our true activities would be buried in an avalanche of information overload. No doubt big data will try to develop algorithms to discern human activity, but it should not be too hard to develop a tool that mimics human behavior really well—and does so many times over. In fact, I would bet that this already exists somewhere. | > > | A related idea that could potentially be developed would be to camouflage information by generating a large amount of fake information that would be indistinguishable by an outside observer from the real thing. This idea is relatively simple to apply in the context of protecting information that is not intended for a specific recipient. For example, to nullify monitoring of our web searches or browsing habits, tools such as the “trackmenot” browser extension could be used to enter searches and surf the web endlessly in our names, thus making it impossible for an outsider to separate the signal from the noise. | | | |
< < |
You could have found what you were looking for. So in the next draft, you should.
| > > | Similarly, companies concerned about having their confidential information stolen can generate a massive amount of variant information, so that thieves who break into the data repository will not be able to distinguish the valuable data from the worthless, which will lower the value of the data mine, and decrease the incentive to break in in the first place. Of course, companies will likely need to be able to distinguish the real records from the fake ones themselves, and will therefore need to develop an internal “distinguishing key” for that task, which will itself become a potential target for thieves. But because the fact of the camouflage is not readily apparent, the potential thief will need to be more familiar with the system he is trying to break into than he would otherwise; he will need to go in with a much clearer idea of what exactly he is looking for. For example, the company might use a variation of “trackmenot” to make it appear as though all the documents—real and fake—were being regularly accessed, using a false set of distinguishing keys. It would then take a very careful observation and analysis of the system to see through the subterfuge. | | | |
> > | Waving Lots of Red Flags | | | |
< < | Technical Difficulties | > > | A similar approach may be possible for email as well, although it would represent a significantly steeper challenge. The idea would be to generate a massive stream of communication, both innocuous-seeming (of the sort that spammimic produces) as well as messages containing content designed to attract the interest of potential snoops. Assume the NSA scans all emails, and flags the phrase “assassinate Obama.” If everyone is constantly sending emails containing such red flags, the NSA can do nothing about it, and will have no way of recognizing true persons of interest. Again, there would need to be a system of “distinguishing keys” for recipients, which the government would try to detect. But possibly, a decentralized, dynamic system could be developed that would give government snoops a real headache. | | | |
< < | More complex by several orders of magnitude would be a similar effort to camouflage two-way communications such as e-mail or sensitive documents stored on a company server. The obstacles are technical, sociological, and possibly legal. | > > | Admittedly, participating in such a system could backfire by attracting attention, but it may be easier to generate a critical mass of users sufficient to dilute suspicion than it would be to get everyone on board with encryption, since all it would require is a one-time signup. There would however likely be some resistance to a system designed to blind national security agencies. | | | |
< < |
Maybe you're looking at the wrong layer. And you aren't really thinking about confetti in relation to encryption. You could, for example, think about adding entropy to VPNs, which is a place where confetti has a high functionality.
The biggest problem is the technical one: if we want to camouflage our true communications by surrounding them with fake ones, we need a way for the recipient to tell the difference and only pay attention to the real messages. (Documents stored on a non-public server are also essentially communications between the creator and the authorized readers, and I expect they could be dealt with in a fundamentally similar way.) This would presumably need to be accomplished through transmission of a “pointer” message that would tell the recipient’s email client which messages to ignore and hide from the recipient user. (If the messages are stored on google’s servers, the system would need to be such that the separation/sorting would occur only at the level of the recipient’s local machine.) This creates the obvious potential for a snoop to try to intercept the pointer itself and see through the camouflage.
This circular problem may indeed be insurmountable, but I have a hunch it is not. A first step might be to protect the pointers themselves in the same way, by sending numerous false pointers. In effect there would be a continuous cycle whereby a stream of true pointers would indicate the subsequent true pointers and false pointers would point to false pointers. The trick is to get the system rolling by having the sender and recipient on the same page at the inception. This would require some sort of digital handshake at the outset to synchronize sender and receiver to the correct stream of pointers, but from there on, the system would sustain itself. Granted, that initial handshake/synchronization might still be snooped, but it can be done very carefully—even in person, or through some other portal, making it very hard to trace.
Logistical and Legal Difficulties
The sociological/logistical problem is that when something like this is adopted specifically between a pair of people, it may arouse suspicion and cause more harm than good. The answer is to scale the system up and have a network of people using it with each other, so that they can’t all be pursued. In such a multi-lateral system, however, the handshake problem seems far more difficult. I still hope that there can be developed a system in which a central server enables the process between multiple users, by creating a separate stream of pointers for each pair of users who communicate. Of course, trusting an external server to do this job is a vulnerability. Furthermore, generating a critical mass of users is likely to prove difficult in the present environment of ignorance and apathy regarding security. Finally, creating real-seeming but fake communication and documents is significantly more complex than mimicking browsing and searching patterns, and would need to be tailor-made for different applications. (E.g., hospitals would create fake medical records, Target would create fake customer financial data sheets, etc.) Again, this may be unrealistic in an environment where companies don’t even bother encrypting sensitive material.
An additional wrinkle in protecting communication is that government surveillance would use automated processes to search for and flag messages meeting particular criteria. To defeat the selective searching, the fake messages would need to be designed to attract government interest. Sending fake messages with the words “kill” and “Obama” in the same sentence so as to inundate government surveillance and overtax the government’s ability to follow up on suspicious communication might violate the law. Even if it is not presently illegal, there would presumably be attempts to legislate in response. Public sentiment would also likely be unsympathetic to efforts that are designed specifically to blind government anti-terrorism efforts. Still, if done more subtly, it could be made so it would be hard to prove that the fake messages are intended to interfere with government specifically, and there would then be a strong First Amendment defense.
The primary direction of improvement for the essay is to get in touch with the relevant computer science and current tech, rather than trying to make it all up at once as it goes along.
| > > | It may also be illegal to send pretend threats in order to drown out the government’s ability to “hear” real threats. Even if it is not presently illegal, there would presumably be attempts to legislate in response. Still, if done less aggressively, it could be calibrated in a way so that it would be hard to prove that the fake messages are intended to interfere with government specifically, and there would then be a strong First Amendment defense. | |
|
|