Stephen Smith's Blog

Musings on Machine Learning…

Archive for December 2018

The Technology of “Influence” – Part 3 The Onion Browser

Introduction

In my novel “Influence”, the lead character J@ck Tr@de performs various hacking tasks. In the book he spends a lot of time securing his connections, hiding his identity and hiding his location. In this series of blog posts, I’m going to talk about the various technologies mentioned in the book like VPN, the Onion Browser, Kali Linux and using VHF radios. I’ve talked about HTTPS and VPNs so far, now we’re going to discuss the Onion Browser and the Tor network.

For anyone interested, my book is available either as a paperback or as a Kindle download on Amazon.com:

Paperback – https://www.amazon.com/dp/1730927661
Kindle – https://www.amazon.com/dp/B07L477CF6

The Tor Network

Tor is an abbreviation for The Onion Router. You tend to see Tor and Onion used interchangeably. Nowadays Tor tends to refer to the Tor network and Onion to the open source browser that utilizes the Tor network to browse the web.

The Tor network and Onion Browser were developed by a group of people dedicated to security, privacy and anonymity. The Tor network depends on thousands of volunteers operating Tor network nodes (servers). When you use the Onion browser, each server connection that you use goes through a different random path through these Tor network nodes. Each node acts like a VPN, encrypting communications and hiding the location of the original request. To some degree using the Tor network is like using a set of different VPNs for each website you visit. This makes tracking you down very hard.

The Onion Browser is an open source Internet browser that performs all its requests through the Tor network.

The Dark Web

The dark web consists of a number of websites that aren’t linked to from the regular web. They only accept requests over the Tor network and you have to find out about them through means other than Googling. This so-called dark web has been known to host all sorts of “bad” e-commerce sites dealing in illegal drugs, human trafficking and child pornography. Whenever law enforcement tries to ban encryption or anonymity, they always use these sites as excuses to be able to track and spy on normal people’s web activity.

On the other hand in highly repressive states which block a lot of Internet traffic with the outside world, the Tor network and the dark web are the only way that dissidents can freely communicate, or that regular citizens can browse the web at all. Generally governments spend way more time tracking dissidents than they ever spend tracking down the illegal websites they claimed to be upset about.

How Safe Is It?

That all sounds pretty good, so why doesn’t J@ck just use the Onion browser and just not bother with all the other things he does? For one thing, government security services spend a lot of time trying to crack the Tor network. Many of the thousands of nodes in the Tor network are actually operated by government agencies. If one of these is your exit node, then they can get quite a bit of info on you. It’s a bit of a race between the developers of the Tor network and government departments like Homeland Security as to how safe the network is at any time.

Another problem is that even though, say, Google can’t trace who you are from the network traffic, they can record things like your typing patterns and mouse movement patterns. These are apparently just like fingerprints and can be used to identify you. Other means are required to disguise these sorts of things.

A general maxim in security is never trust anything entirely. The original name of the Onion browser was based on this idea of having many layers of security like the layers of an Onion. Tor provides several layers, but you can add more layers to be more secure.
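The layering and the exit-node concern described above, as an added example that is not from the original post or from the Tor Project: a request is wrapped in three nested layers, each relay peels one, and the code records what each relay learns. The relay names, keys, destination and the SHA-256-based toy cipher are assumptions made so it runs on the Python standard library; Tor's real circuit cryptography is different.

```python
import hashlib, hmac, json, os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, length):
    # Toy stream cipher (SHA-256 in counter mode): a stand-in so the example
    # needs no third-party library. It is not what Tor uses.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt and authenticate one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    """Check the tag, then strip one layer. Raises ValueError if tampered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def build_onion(path, destination, payload):
    """Wrap payload once per relay; the innermost layer is for the exit relay."""
    next_hop, blob = destination, payload
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        next_hop, blob = name, seal(key, layer)
    return next_hop, blob  # first relay to contact, and the full onion

def route(path, destination, payload):
    """Pass the onion along the path and record what each relay can see."""
    keys = dict(path)
    hop, blob = build_onion(path, destination, payload)
    previous, seen = "client", []
    while hop in keys:
        layer = json.loads(unseal(keys[hop], blob))
        inner = bytes.fromhex(layer["data"])
        seen.append({"relay": hop, "from": previous, "to": layer["next"],
                     "sees_payload": payload in inner})
        previous, hop, blob = hop, layer["next"], inner
    return seen, blob

# Constructed circuit: relay names and keys are made up for this example.
PATH = [("entry", os.urandom(32)), ("middle", os.urandom(32)),
        ("exit", os.urandom(32))]

if __name__ == "__main__":
    # Port 80 means plain HTTP, so the exit relay sees the request itself.
    # HTTPS would add one more inner layer that the exit relay cannot read.
    seen, delivered = route(PATH, "site.example:80", b"GET /search?q=privacy")
    for view in seen:
        print(view)
```

Only the entry relay sees the client and only the exit relay sees the destination and the request, which is why the operator of the exit node matters.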

Performance

Every server that you hit introduces a delay as that server receives, processes and then transmits your network packets of information. With the Tor network, you introduce a bunch of these delays to give you better security and privacy. Further, not all the Tor nodes have the greatest Internet bandwidth or server power. After all they are paid for and operated by volunteers. This all adds up to the Tor network being very slow. If you ever try to download a movie off the Tor network it will take forever. This is why people pay for VPNs with decent bandwidth and performance, rather than using Tor. If you aren’t downloading movies, and just doing small queries then it is usable. This is what J@ck tends to be doing.

Summary

The Tor network and Onion Browser are key tools used by every hacker. They provide great security and anonymity at the cost of access speed. If you want to check out the dark web then you need to use the Onion Browser.

Written by smist08

December 22, 2018 at 2:57 am

The Technology of “Influence” – Part 2 VPN

Introduction

In my novel “Influence”, the lead character J@ck Tr@de performs various hacking tasks. In the book he spends a lot of time securing his connections, hiding his identity and hiding his location. In a series of blog posts, I’m going to talk about the various technologies mentioned in the book like VPN, the Onion Browser, Kali Linux and using VHF radios. I talked about HTTPS in my last post and in this article, we’re going to discuss Virtual Private Networks (VPNs).

What is a VPN?

We talked about HTTPS last time as a way to secure the communications protocol that a Browser uses to talk to a Web Server. Now consider a corporate network. People at work have their computers hooked directly into the corporate network. They use this to access email, various internal corporate websites, shared network drives and other centrally deployed applications. All of these services have their own network protocols, all different than HTTP. Some of these protocols have secure variants, some don’t. Some have heavy security, some light security. Now suppose you want to access these from home or from a hotel while on a business trip? You certainly can’t just do this over the Internet, because it’s a public network and anyone can see what you are doing. You need a way to secure all these protocols. This is the job of VPN. When you activate VPN on your laptop, it creates a secure tunnel from your laptop through the Internet to a server in your secure corporate data center. The security mechanisms VPN uses are largely the same as HTTPS and pretty secure. Using VPN then allows you to work securely from home or from remote locations while travelling.

Why Would J@ck Use VPN?

J@ck Tr@de doesn’t work for a corporation. Why does he use VPN? Whose VPN does he use? In the example above, if I’m connected to my corporate VPN, all my network traffic is tunnelled through the VPN to the corporate server. So if I browse the Internet while connected to VPN, my HTTPS requests are sent to the corporate server and then it sends them to the Internet. This extra step slows things down, but it has an interesting side-effect. If I’m not signed into Google and I Google something, Google will see my Internet Address as the corporate server rather than my laptop. That means Google won’t know who I am exactly. It also means my location shows up as the location of the corporate server. This then hides both my location and my identity, things J@ck is very interested in doing.

But J@ck doesn’t work for a corporation? Whose VPN does he use? This “feature” of hiding identity and location is sufficiently valuable that people like J@ck will pay for it. This has resulted in companies setting up VPNs just for this purpose. Their VPN server doesn’t connect to other corporate network programs, only the Internet. Using one of these VPN services will help hide your identity and location, or at least websites can’t determine these from the address fields in your web network packets.

VPNs are popular with non-hackers as well to get at geographically locked content. For instance if you live in Canada, then the content you can get from Netflix is different than the content you get in the USA. But if you are in Canada and connect to a US based VPN server then Netflix will see you as being located in the USA and will give you the US content while you are connected.

Downsides of VPN

Sounds good, so what’s the catch? One is that these are usually paid services, so you need to pay a monthly fee. Further, you need to authenticate to the VPN service so they know who you are. The VPN knows your IP address so it can trace who and where you are.

So do you trust your VPN? Here you have to be careful. If the VPN provider is located in the USA, then it’s subject to the Patriot Act and law enforcement can get ahold of their info. If you want US Netflix content, then you have to use a US based VPN, but at the same time US law enforcement really doesn’t care that much about the vagaries of what Netflix allows where. If you are a hacker then you really care and probably want to use a VPN in a country with some protections. For instance in Europe, getting a warrant for this is very difficult. Or perhaps use a VPN in the Caribbean that tends to ignore external law enforcement agencies’ requests. A bit of Googling can help here. Some hackers use two or three VPNs at once, located in wildly different jurisdictions to make it even harder to be traced.

Internet bandwidth is expensive, so feeding streaming movies through a VPN can require their deluxe expensive plan. Doing little bits of hacking doesn’t require that much bandwidth so can be a little cheaper.

There are free VPNs, but most of these are considered rather suspect since they must be supporting themselves somehow, perhaps by selling secrets. VPNs are illegal in some countries like Iraq or North Korea. VPNs are required to be run by the government in other countries like China and Russia. So be wary of these.

Summary

VPNs are a way to secure your general Internet communications. They have the desirable side-effect of hiding your Internet address and location. VPNs are absolutely necessary for corporate security and useful enough that lots of other people use them as well.

Notice that J@ck doesn’t just rely on a VPN by itself, rather it’s one layer in a series of protections to ensure his anonymity and privacy.

Written by smist08

December 13, 2018 at 12:34 am

The Technology of “Influence” – Part 1 HTTPS

Introduction

In my novel “Influence”, the lead character J@ck Tr@de performs various hacking tasks. In the book he spends a lot of time securing his connections, hiding his identity and hiding his location. In a series of blog posts, I’m going to talk about the various technologies mentioned in the book like VPN, the Onion Browser, Kali Linux and using VHF radios. But first I need to talk about HTTPS which is the normal Internet security mechanism we all use to secure our bank and shopping transactions. I’ll look at what this does protect and what it doesn’t protect. Once we understand the limitations of HTTPS, we can go on to look at why J@ck goes to so much trouble to add so many extra levels of security and misdirection.

What is HTTPS?

The communications protocol that Browsers use to communicate with Web servers is called HTTP (HyperText Transfer Protocol). This is the protocol that gets data for websites and downloads it to your browser to be displayed. The S added is for Secure and makes this process secure by encrypting the communications. In the early days of the Web doing all this encrypting/decrypting was expensive both for typical personal computers of the day and for web sites that have quite a high volume of traffic. These days computers are more powerful and can handle this encryption easily, and due to the prevalence of hackers and scammers, the current tendency is to just encrypt all Internet traffic. In fact most modern browsers will not let you use plain old HTTP and require the S for security.

HTTPS is actually quite secure. It is very difficult to decrypt with modern computer resources (even cloud based). It authenticates the server via a digital certificate which is provided by a certificate authority that validates the identity of who has the certificate. The protocol protects against man-in-the-middle attacks where someone impersonates one party and relays the information. It protects against data being tampered with in any way.

Sounds pretty good, and in fact it is pretty good. So why does J@ck feel a need to use VPNs or use the Tor network via the Onion Browser?

Weaknesses of HTTPS

J@ck’s main complaint is that whoever he talks to knows who he is and what he is doing. For instance, all Google searches go through HTTPS, so no one can eavesdrop on what you are searching for. But, Google knows. Google logs all your searches and builds a detailed profile of you. Further Google is an American company and subject to the Patriot Act and other government programs to hand over your data if requested. Hence if, say, you are Googling on hacking techniques, Google could turn that over to the FBI along with your IP address. Then the FBI can ask your ISP who owns this IP address and identify you and come to your door to ask you some questions. Of course if you are signed into your Google account, then they don’t need to bother with the IP address lookup. J@ck certainly doesn’t want that to happen.

HTTPS has some other weaknesses as well. The process of granting authentication certificates isn’t perfect. One of the most common Windows Updates is to alter the list of trusted certificate authorities, since they are often caught handing out fake certificates to shady operators. Along the same lines, most people don’t check the certificate of who they are talking to. This is how most phishing emails work. They send an email asking you to check your bank account, with a link that is similar to your bank’s, but not the same. The fake link goes to a page that looks like your bank’s login page, but it isn’t. If you click on the certificate icon in your browser you will see from the certificate that it isn’t your bank’s. But who does this? If you type in your username and password to this site, the bad actors can then use it to login to your real bank account and steal your money.
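Since few people inspect the certificate, the comparison of a link's host against the bank's real domain can be done in code instead. This added example (not code from the original post) classifies links found in an email; the domain names and the edit-distance threshold of 2 are constructed assumptions, and taking the last labels of the host stands in for a proper public-suffix lookup.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1,         # delete ca
                                       row[j - 1] + 1,     # insert cb
                                       prev + (ca != cb))  # substitute
    return row[-1]

def classify_link(url, trusted):
    """Return (verdict, reason) for a link that claims to lead to `trusted`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if "@" in parts.netloc:
        return "suspicious", "text before '@' is not the host; real host is " + host
    if host == trusted or host.endswith("." + trusted):
        if parts.scheme != "https":
            return "suspicious", "right host but no HTTPS, so no certificate vouches for it"
        return "trusted", "host is the trusted domain or a subdomain of it"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Coarse rule: flags every internationalised name for a manual look.
        return "suspicious", "internationalised label can render like other letters"
    if trusted in host:
        return "suspicious", "trusted name is only a prefix or label of another domain"
    # Compare as many trailing labels as the trusted domain has (assumption:
    # this approximates the registrable domain without a public-suffix list).
    n = trusted.count(".") + 1
    candidate = ".".join(host.split(".")[-n:])
    distance = edit_distance(candidate, trusted)
    if distance <= 2:
        return "suspicious", f"{candidate} is {distance} edit(s) away from {trusted}"
    return "unrelated", "host does not resemble the trusted domain"

# Constructed sample links; none of these hosts comes from the original post.
LINKS = [
    "https://www.mybank.example/login",
    "https://rnybank.example/login",
    "https://mybank.example.account-verify.test/login",
    "https://mybank.example@203.0.113.7/login",
    "http://mybank.example/login",
    "https://news.example.org/",
]

if __name__ == "__main__":
    for link in LINKS:
        print(link, "->", classify_link(link, "mybank.example"))
```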

Hackers can learn a bit about the content of HTTPS traffic even though it’s encrypted, perhaps the URI, by comparing the lengths of the strings.

Another worry is that often more companies can see your data than you might think. For instance if you are talking to your bank, then you certainly expect your bank can understand your data. However your bank might use a third party web hosting company to host the web site and then that company can also see your data. Then the web hosting company might host the site on a cloud provider like AWS or Azure and then that group might be able to see your data. Then often websites protect themselves against DDoS attacks using a service like CloudFlare and part of that setup lets CloudFlare see the unencrypted data. So suddenly you aren’t just trusting one company, but four companies. This then provides many more vectors of attack and vulnerable points for hackers. Plus the bank might have hired outsourced programming to set up their website, and those contractors have enough credentials to see unencrypted data. These are actually the main causes for all the security breaches you read about at large Internet sites.

Summary

HTTPS is a pretty good way to secure Internet traffic and if you follow some basic good practices you should be ok. For instance never use a link in an email. Always go to the website through another means (like a favorite or use Google). For data you really care about, like your bank account, only access it from a network you trust, not the Wifi at a hotel or coffee shop.

Now that we understand the strength and weaknesses of HTTPS we can look at the extra layers that J@ck uses to stay anonymous and secure.

Written by smist08

December 11, 2018 at 2:33 am

Posted in Security, Writing

“Influence” – My First Novel

Introduction

I am really excited that my first novel is now available for sale on Amazon as either a paperback or as a Kindle download. Here is the synopsis for the novel:

Influence is set in the present about punk rock hacker, J@ck Tr@de, who discovers a security backdoor in a large corporate server operating system to gain access to all of the world’s servers. He uses this illicit access to mine bitcoin and influence local politics via Social Media. He becomes criminally and romantically entwined with Mia, the creator of the backdoor and their plans escalate to increase their wealth and power. The FBI investigate and chase them, in a clumsy cat and mouse game. As the story progresses, J@ck’s Social Media altering Bots become more and more influential. They make J@ck a billionaire through stock market manipulation. The Social Media Bots continue to evolve…

Where It Began

I’ve been writing this blog since January, 2009. That will be ten years of blogging next month! I really enjoy blogging, mostly on my technology interests. This blog started by being all things ACCPAC, since that’s what I worked on originally at Computer Associates, then ACCPAC International and finally Sage. I find I really enjoy writing and was looking to do more. Almost three years ago I retired, and at that point mostly lost my main blogging topic on Sage 300 (ACCPAC).

I’ve always been a big Science Fiction fan, I’ve read Science Fiction since elementary school with books like Isaac Asimov’s Lucky Starr series. When I started at Computer Associates, I lived in Tsawwassen and had a long bus ride commute downtown. I spent most of this ride voraciously reading all the Science Fiction novels nominated for the Hugo and Nebula Awards, as well as whatever my favorite authors published.

We spent this March down in Yuma, Arizona. One of the things we did while we were down there was attend the “Write On the Edge” writing group. This group gets together weekly at the Yuma Foothills Library to do some writing. They do some sort of writing exercise each meeting. The first time we attended, it was to write a few paragraphs on a topic that a moderator chose. Since Easter was approaching, the topic was “Easter Eggs”. There were a lot of short pieces on people’s favorite Easter family moments (whether real or imagined) and one about horrible carnivorous beasts hatching from the eggs. I took the approach of computer software Easter Eggs meaning little jewels buried in the code. This led to the creation of the J@ck Tr@de character and the few paragraphs around where he finds the W-Server backdoor.

Then as we did the 24 hour drive back home (over three days), I kept thinking about those few paragraphs and felt I had enough ideas to develop it into a novel. This then led to “Influence”.

A Lot of Writing

When I got home, I put the blogging aside (hence no articles here from March to July) and started my novel. I first wrote a very quick outline. Mostly a beginning and an ending, some settings and some notes on some characters. I then started writing. I tried to write at least two pages a day. Sometimes more, and there were only a couple of days when I didn’t write anything. I participated in a couple of writing groups, one in Gibsons and one in North Vancouver. These were get togethers at coffee shops where writers bring their laptops and write. My wife, Cathalynn Labonte-Smith is also an author. She has Creative Writing, Technical Writing and Teaching degrees. She has worked as an editor and would read what I wrote each day and edit it. I wrote the whole thing in Google Docs, so the collaboration was really easy. I was pretty happy to finish my first and second drafts in July.

It’s Written, Now What?

I then went to publish the book. Most of the bigger publishers only take submissions from literary agents. So I followed the submission guidelines for a number of agencies, but didn’t have any luck. I did quite a bit of online research and talked to quite a few authors. The consensus seemed to be that the publishers were publishing less and less each year and that they only picked up authors who’ve already made a name for themselves on their own. Further the published authors didn’t think the publishing companies do much to promote their work and that they have to do all their own promotion. Meanwhile self-publishing is getting easier and easier. I chose Kindle Direct Publishing from Amazon, mostly because it’s all online, there are no upfront costs and it was easy. So now my book is on Amazon for sale around the world.

Summary

Buy my book:

Paperback – https://www.amazon.com/dp/1730927661

Kindle – https://www.amazon.com/dp/B07L477CF6

It was a lot of fun writing. I planned this book to be the first book in a trilogy and I’ve already written sixty pages of the second volume.

 

Written by smist08

December 5, 2018 at 7:08 pm