
Tracking Cookies, Analytics, and the GDPR. Or “How I learned to stop worrying and FUCK the European Union”

General Data Protection Regulation

Wikipedia: The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The General Data Protection Regulation, usually shortened to GDPR, is a European Union law that took effect in May 2018. It was crafted to address the problem of corporations exploiting the data they gather from consumers through their internet products, a problem that has gotten completely out of hand.

Enter: The Problems

GDPR was rushed. This is most blatantly evident in the huge number of obvious use cases it simply does not cover, and in the long list of exemptions added to paper over conflicts with other laws. They wanted to punish Facebook, and they did not take the time required to craft a thoughtful solution that will survive long term. I will try to address some of the more damaging issues introduced by this regulation.

WHOIS: A necessary public tool for the Internet to function

The first casualty in this story is the WHOIS service. When you register a domain name you are leasing a public resource from a limited pool of similar resources. For this reason it is absolutely necessary to be able to confirm that every registered domain name belongs to a real person or organization who is using it for legitimate purposes. Where that is not the case, the domain is released back into the public pool so that someone more deserving can use it.

WHOIS not only provides a means of contacting the owner or maintainer of a particular domain, it is also an important tool for diagnosing security problems such as attacks arriving from specific networks: the WHOIS record for an IP range is where you find the abuse contact for the administrator who handles security on that network.

Because of the terrible way in which GDPR has been executed, there has been a rushed effort to “fix” WHOIS to make it compliant. But WHOIS doesn’t need fixing; it works exactly the way it’s supposed to already. The problem is ignorance among the users, period.
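As an added example (not code from the original post), here is a small Python parser that pulls the abuse contact out of raw WHOIS output, the lookup you do when an attack arrives from an address range you don’t control. The three sample responses are constructed to mimic RIPE-style, ARIN-style and post-GDPR redacted registrar output; the IP ranges, handles and addresses are made up, and the field names it looks for are the common ones, not an exhaustive list.

```python
"""Extract abuse contacts from raw WHOIS output.

Added example, not from the original post. The three sample responses are
constructed to look like RIPE-style, ARIN-style and redacted registrar output;
every range, handle and address in them is made up.
"""
import re

# RIPE/APNIC style: "key: value" lines, abuse contact in "abuse-mailbox:".
RIPE_STYLE = """\
% Constructed sample, not real RIPE output.
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Hosting
country:        NL
admin-c:        EX123-RIPE
abuse-c:        AR1234-RIPE
status:         ASSIGNED PA
role:           Example Abuse Role
abuse-mailbox:  abuse@example.net
"""

# ARIN style: the abuse contact lives in "OrgAbuseEmail:".
ARIN_STYLE = """\
# Constructed sample, not real ARIN output.
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-ARIN
OrgName:        Example Transit LLC
OrgAbuseHandle: EXABU-ARIN
OrgAbuseName:   Example Abuse
OrgAbusePhone:  +1-555-0100
OrgAbuseEmail:  abuse@example.com
"""

# Post-GDPR registrar output: registrant fields present but redacted.
REDACTED_STYLE = """\
Domain Name: example.org
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Registrar Abuse Contact Email: abuse@registrar.example
"""

# Field names (lowercased) that carry an abuse contact in common WHOIS formats.
ABUSE_KEYS = ("abuse-mailbox", "orgabuseemail", "registrar abuse contact email")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_whois(text):
    """Turn 'key: value' lines into {lowercase key: [values]}.

    Comment lines (% or #) and blank lines are skipped. Splitting on the first
    colon only keeps IPv6 values (which contain colons) intact. Repeated keys
    are kept as a list rather than overwritten."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def abuse_contacts(text):
    """Return the abuse e-mail addresses found in a WHOIS response.

    Values are run through EMAIL_RE, so redaction placeholders such as
    'REDACTED FOR PRIVACY' never come back as a contact."""
    fields = parse_whois(text)
    found = []
    for key in ABUSE_KEYS:
        for value in fields.get(key, []):
            found.extend(EMAIL_RE.findall(value))
    return found


def redacted_fields(text):
    """Names of fields whose value was replaced by a privacy placeholder."""
    return [key for key, values in parse_whois(text).items()
            if any("REDACTED" in v.upper() for v in values)]


if __name__ == "__main__":
    for sample in (RIPE_STYLE, ARIN_STYLE, REDACTED_STYLE):
        print(abuse_contacts(sample), redacted_fields(sample))
```

With real output you would feed the text of `whois 192.0.2.1` (or the registrar’s response for a domain) into `abuse_contacts`; `redacted_fields` tells you which contact fields the GDPR-era redaction has removed, which is exactly the information an incident responder used to get from the record.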

Analytics, a god given right.

Another huge problem area is website analytics. GDPR places restrictions on the kinds of data that can be gathered using tracking and reporting software. But this is insanity: you can’t restrict what methods I use to monitor and police the activity of those accessing MY networks. I am 100% within my rights to scan and record 100% of your requests against my server, all of your page-viewing habits, and anything else I can think of. It’s my toy, and you’re touching it. You damn well better believe I’m recording your fingerprints and there is nothing anyone can do about that. When you are visiting my website you are not entitled to privacy. (I do respect your privacy; you just aren’t entitled to it.) One nation cannot change this with some bullshit law. It’s a fundamental concept of property ownership, older than the EU and more important.

The EU is Disintegrating. Why do their laws matter?

This is a contentious item to be sure, but no less important. With Greece having come close to leaving and the United Kingdom having voted to leave, it is reasonable to assume that the European Union is already dead. It is too soon to assume that it will recover from the loss, or near loss, of two significant member nations. We don’t have a lot of historical precedent, but typically when a “union” starts losing members it is no longer a union. Why should the global marketplace conform to the laws of a failing union? What gives the EU more authority on this subject than, say, a collection of Third World nations? Nothing. It’s favoritism from “Western” nations. That’d be fine if the EU weren’t crumbling, but all of the indications are that it is. Maybe we shouldn’t be betting on the losers.

So what’s the right answer?

FUCK man, how the hell should I know? The internet was not invented with privacy in mind; encryption was an afterthought. Here’s a suggestion: why don’t we spend the next 5 to 10 years brainstorming and crafting an INTELLIGENT and BUG-FREE privacy protection treaty? The Internet is a global environment, and laws which regulate behavior on the Internet should only be those which all of us living on this planet can agree upon. This is common sense; any properly educated adult could only reach the same conclusion.

Why are you down on privacy rights?

I’m not. If you’ve spent time on my blog you probably realize I’m a die-hard privacy advocate. I also hate poorly crafted regulations, which is what the GDPR is. I wish they had spent more time on it. I wish they had consulted more qualified experts. Maybe if they’d drafted the law on GitHub and allowed the public to submit issues, the result would have been better. Heck, all laws should be written this way.

Some Tips

There is a classic saying well known amongst grey-bearded hackers: “If you don’t want it known, don’t use the phone”. Start by assuming that whatever you’re doing on the Internet, someone is watching it. If you want to protect your data, encrypt it, and secure your computer against unauthorized spying. Visit ssd.eff.org for a lot of excellent tutorials on how to achieve this.

This Post is a Work In Progress

The consequences and fallout of the GDPR are still unfolding. I will be updating this post as I find more things to complain about which would surely have been caught if they’d spent a bit more time on the bill.


DMARC is not the solution to E-mail Fraud.

The latest craze in E-mail security appears to be DMARC. Let me preface my post by saying I use DMARC, I use SPF and I use DKIM. I understand that people are mostly up in arms about DMARC because of how many major organizations haven’t adopted it. I understand its importance.

Problems with DMARC

Here’s the issue as I see it. DMARC does not solve phishing. What it adds on top of SPF and DKIM is identifier alignment (the domain that passed SPF or DKIM has to match the domain in the visible From: header), a published policy, and reporting; it doesn’t solve trust or identity in E-mail.

DMARC requires the recipient server to implement it to function at all, and what it does is tell the recipient to reject, quarantine, or allow messages whose From: domain fails aligned SPF and DKIM. SPF on its own only evaluates the envelope sender (MAIL FROM), which the user never sees, so without DMARC a passing SPF check says nothing about the From: header the user actually reads.

This prevents someone from sending E-mail as “custserv@paypal.com” (provided paypal.com publishes a reject policy and the receiver enforces it), but it does nothing to prevent them from sending it from “custserv@payypal.com”, a lookalike domain they control, which is how a huge number of phishing attacks are launched.

Oh, and DMARC gives you aggregate (rua) and failure (ruf) reports on who is sending fake E-mails from your domain. That is completely useless in a high traffic real world scenario because you can’t take any effective action against the perpetrators.
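As an added example (not code from the original post), the following Python model of the receiver-side DMARC decision shows the two points above: a spoofed From: header at paypal.com is rejected because the attacker’s SPF pass does not align with the From: domain, while a lookalike domain the attacker controls passes cleanly. The DNS records, domains and message scenarios are constructed, and the organizational-domain computation is simplified to the last two labels (real receivers use the Public Suffix List).

```python
"""Receiver-side DMARC decision, modelled in plain Python.

Added example, not code from the original post. DNS records, domains and
scenarios are constructed. Organizational domain is approximated as the last
two labels (assumption); real receivers use the Public Suffix List.
"""

# Constructed stand-in for the _dmarc TXT records a receiver would look up.
DNS_TXT = {
    "_dmarc.paypal.com":  "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@paypal.com",
    "_dmarc.example.com": "v=DMARC1; p=quarantine",   # relaxed alignment by default
    "_dmarc.payypal.com": "v=DMARC1; p=none",         # lookalike: attacker's own record
    # example.org publishes no DMARC record at all
}

POLICY_ACTION = {"reject": "reject", "quarantine": "quarantine", "none": "deliver"}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict with RFC 7489 defaults filled in."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (result, action) for one message.

    from_domain: domain in the visible RFC5322.From header.
    spf_result/spf_domain: SPF outcome and the MAIL FROM domain it was checked on.
    dkim_result/dkim_domain: DKIM outcome and the d= domain of the signature.
    result is 'pass', 'fail' or 'none' (no record published); action is what
    the sender's published policy asks the receiver to do."""
    txt = DNS_TXT.get("_dmarc." + from_domain.lower())
    if txt is None or not txt.lower().startswith("v=dmarc1"):
        return "none", "deliver"
    rec = parse_dmarc(txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", POLICY_ACTION.get(rec["p"], "deliver")


# --- constructed scenarios -------------------------------------------------

def spoofed_paypal():
    """From: custserv@paypal.com sent from the attacker's own server. SPF passes
    for the attacker's MAIL FROM domain, but that domain does not align with
    paypal.com, and there is no paypal.com DKIM signature."""
    return dmarc_verdict("paypal.com", "pass", "attacker.example", "none", "")


def lookalike_paypal():
    """From: custserv@payypal.com. The attacker owns payypal.com and its DNS,
    so SPF passes for the very domain in From: and DMARC is satisfied."""
    return dmarc_verdict("payypal.com", "pass", "payypal.com", "none", "")


def relaxed_subdomain():
    """Legitimate mail for example.com signed with d=mail.example.com: relaxed
    DKIM alignment accepts the subdomain even though SPF fails."""
    return dmarc_verdict("example.com", "fail", "bounce.example.com", "pass", "mail.example.com")


def no_policy():
    """example.org publishes no record, so DMARC has nothing to say."""
    return dmarc_verdict("example.org", "fail", "example.org", "none", "")


if __name__ == "__main__":
    for case in (spoofed_paypal, lookalike_paypal, relaxed_subdomain, no_policy):
        print(f"{case.__name__:18} -> {case()}")
```

The `lookalike_paypal` case is the whole argument in one line: DMARC answers “is this mail really from the domain in the From: header?”, and for payypal.com the honest answer is yes. Nothing in SPF, DKIM or DMARC says anything about whether that domain is the one the user thinks it is.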

Key Pair Signing & Encryption, a Real Solution.

Meanwhile we have PGP/GPG signatures which would, if properly implemented, provide a user-friendly means of identifying the sender of an E-mail and verifying its integrity. But these have been completely disregarded by nearly 100% of organizations as “too difficult” to implement. Seriously, why doesn’t GMAIL come with a ‘PGP’ button?

PGP is arguably easier to implement worldwide than SPF + DKIM + DMARC. All you need to do is build the functionality client-side to create keys, manage keyrings and interact with key servers. Compare this with setting up three different inline mail verification tools on every E-mail server in the world, plus a slew of DNS records which can instruct servers to pass fake E-mails along (a DMARC policy of p=none) without notifying the end users of any suspicion at all.

Why are we being sold this half-assed solution to E-mail fraud when the real answer has existed for decades and would be easier to implement? If someone can explain why DMARC is being treated as the holy grail of E-mail security I would really appreciate it.

GPG/PGP is “Too Hard” for End Users

Bullshit. The difficulty of PGP/GPG has nothing to do with the technology and everything to do with the lack of proper support in E-mail clients. End users don’t need to understand the technology at all; they just need a button that creates a key and publishes it to public key servers. The process is no more complicated than adding people to the address book on your phone.

Paranoid Conclusion

Using keypairs to verify the authenticity of E-mail comes with a bonus feature: they can also be used to encrypt E-mail to the point that it is “uncrackable” (the body and attachments, that is; headers such as the Subject line and the sender and recipient addresses still travel in the clear). Adding the signing capability to a service like GMAIL would also make it a lot easier for users to encrypt their E-mail, which would destroy Google’s business model since they read all of your E-mail to gather data. This is probably the #1 reason why keypairs have been ignored, with the #2 reason being pressure from world governments.

Your Thoughts?

My paranoid conclusion is not the only possible scenario, I would love to hear the opinions of other internet security experts on this issue.

Some Good News

You can implement PGP/GPG in your own E-mail and start using it with your friends, family and colleagues right away. And you should. Visit the Electronic Frontier Foundation website to find some simple step-by-step tutorials for all platforms.

My Public Key: https://tailpuff.net/keys/

Cloudflare’s “Keyless SSL” Feature violates trust and privacy.

SSL exists to ensure Privacy and Trust

SSL serves two purposes, privacy and trust, and both matter equally. Privacy means it encrypts your traffic, so packet sniffers on a public network can’t view your credit card number when you purchase something on Amazon. Trust means that when you visit Amazon.com, you know that the responding server is actually Amazon.com.

Without both Privacy and Trust, SSL is useless.

If you compromise either privacy or trust, the SSL certificate becomes completely worthless. Your activities are then at risk of being compromised, which is precisely what SSL exists to protect against.

KeyLess SSL violates both Privacy and Trust.

Cloudflare’s “Keyless SSL” feature violates both privacy and trust. Keyless SSL lets a site keep its private key on a key server it controls, with Cloudflare’s edge calling out to that server for the handshake’s signing operation; but the session keys are still derived at Cloudflare’s edge, so, exactly as with any Cloudflare-proxied TLS setup, 100% of your web traffic is decrypted there before being re-encrypted toward the origin server. That means Cloudflare can view your credit card numbers. All it would take is a Cloudflare employee hiding malicious code in their traffic inspection path and they could steal thousands or millions of credit card numbers in an hour.

Browsers should Declare all Cloudflare traffic “Insecure”.

The solution is simple. If SSL traffic comes via Cloudflare, one must assume that it has been decrypted and inspected in transit. This means it is not secure. Web browsers need to declare this to the user. Traffic from Cloudflare-fronted websites should be flagged as insecure, regardless of the SSL status.
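As an added example (not from the original post), here is a Python check of the kind a browser or a proxy-detecting extension could run: it parses the HTTP response headers and flags the response when it carries the `cf-ray` header or `Server: cloudflare`, which Cloudflare’s edge adds to responses it proxies. The two sample responses are constructed. The check only shows that a TLS-terminating proxy was in the path; it cannot prove the absence of one, since headers can be stripped or rewritten.

```python
"""Flag an HTTPS response as Cloudflare-proxied from its response headers.

Added example, not code from the original post. Cloudflare's edge adds a
'cf-ray' header and 'Server: cloudflare' to responses it proxies; the two
sample responses below are constructed. A hit means a TLS-terminating proxy
sat between the browser and the origin; a miss proves nothing, because
headers can be rewritten.
"""


def _response(*header_lines):
    """Build a raw HTTP/1.1 response with a fixed body (constructed sample)."""
    return ("\r\n".join(header_lines) + "\r\n\r\n<html>hello</html>").encode("iso-8859-1")


CLOUDFLARE_SAMPLE = _response(
    "HTTP/1.1 200 OK",
    "Date: Mon, 01 Jan 2018 00:00:00 GMT",
    "Content-Type: text/html; charset=UTF-8",
    "Server: cloudflare",
    "CF-RAY: 0123456789abcdef-AMS",   # made-up ray id
)

ORIGIN_SAMPLE = _response(
    "HTTP/1.1 200 OK",
    "Date: Mon, 01 Jan 2018 00:00:00 GMT",
    "Content-Type: text/html",
    "Server: nginx",
)


def parse_headers(raw):
    """Return (status_line, {lowercase name: value}) from a raw HTTP/1.x response.

    Header names are case-insensitive, so they are lowercased for lookup; the
    value is split off at the first colon so values containing colons survive."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def proxied_by_cloudflare(raw):
    """True when the response carries Cloudflare's edge markers."""
    _, headers = parse_headers(raw)
    return "cf-ray" in headers or headers.get("server", "").lower() == "cloudflare"


def classify(raw):
    """The label a browser could show next to the padlock for this response."""
    return "proxied (decrypted in transit)" if proxied_by_cloudflare(raw) else "direct"


if __name__ == "__main__":
    for name, sample in (("cloudflare", CLOUDFLARE_SAMPLE), ("origin", ORIGIN_SAMPLE)):
        print(name, "->", classify(sample))
```

Note what the padlock does and does not tell you: the certificate and the encryption to Cloudflare’s edge are both genuine, so the browser’s existing checks all pass. The only evidence that the plaintext was available to a third party in transit is in application-layer headers like these, which is why a browser would need a separate check to surface it.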

The “Internet of Things” must be stopped.

Preface

The Internet of Things is an idiotic idea dreamed up in a marketing lab at Apple and other corporations. Wide-eyed executives with no real grasp of technology saw an emerging market where they could capitalize and make billions of dollars, and they rushed to dive in without a thought for the consequences.

What is the Internet of Things?

The IoT, or Internet of Things, is the name given to a world filled with devices that have embedded, internet-capable operating systems. On paper, in a fictional utopian paradise, it presents some pretty cool ideas: sharing of data between apps, remote control, and so on.

Where did the Internet of Things go wrong?

The IoT has been a complete fucking disaster. Because the devices are rushed to market and built by the lowest bidders in Chinese code factories, the software is easily exploitable. The IoT has set internet security back 30 years in a handful of months.

What is the evidence for this disaster?

A recent DDoS attack, that is a “Distributed Denial of Service”, was launched using a botnet made up at least in part of millions of “Internet of Things” devices. This was the largest recorded DDoS attack in the history of the internet and it won’t be the last. Think of it like a country testing a nuclear bomb: a black-hat hacker-for-hire group is displaying its capability. Next they will sell their service to anyone willing to pay.

What is the solution?

The Internet of Things needs to die, right now. Boycott all embedded devices which do not have robust security controls. Device owners need the ability to upgrade the software and install their own security controls, which could be superior to the factory settings. This is absolutely required to bring embedded devices up to speed with the rest of the computerized world.

What if we do nothing?

Selling unstoppable DDoS attacks will become common practice. With the IoT growing at a ridiculous rate, it will become trivial for anyone with some technical know-how to own networks of millions of bots. A huge black-market industry will emerge. There will be attacks on corporations, on non-profits, on news organizations, on government systems. Giant CDNs like Cloudflare will be destroyed by botnets. The internet will become a wasteland. The benefits we’ve seen in recent decades, improvements to human rights for example, will be lost.

Summary

This is a pivotal moment in human development. We have a choice to nudge our own technological evolution forward in a responsible manner, or push everyone off a cliff in a fool’s gold rush led by absolute idiots who are drunk on greed and have no idea how the technology works.