Is your data really yours?

Jan09
by Shahid Sharif on January 9, 2019 at 3:11 pm
Posted In: cyber resilience, cyber resiliency, cyber security, cyberresilience, cybersecurity, data, Privacy, Security
matrix
Photo by Markus Spiske on Unsplash

When internet was born, services were siloed, flicker provided photography services, Hotmail provided email, and yahoo provided email and news.  As the internet matured, the providers started providing more services. Microsoft, which was offering news, acquired hotmail and included it in their MSN suite.  Later Yahoo acquired Flickr to add to their suite of products.  This is not an exhaustive list but the idea was for big corporations to offer suite of products to their customers.  Once on-boarded on one service from their suite , on-boarding them to other products would be a matter of marketing. Cybersecurity was not a big concern and data collection had just started.

Single Sign-on

As the acquisitions continued it became difficult for users to manage multiple accounts  and for platform owners track who was using their services.  To address this issue, single sign on solutions started to crop up.  With single sign on users had to just remember one userid/password and once logged on they could visit all the other properties on the platform.  What the users did not realize was that single sign-on although made their lives easy, in return they would end up loosing a lot more. You say how so? Read on.

data center

Data is the new soil, not oil

Well that single sign-on capability made it easy for platform owners to track logged on users’ activities while using the platform.  In effect the platform owners once they collected all the logs and fed them through a event logging engine, they would be able to track anything the user did. This very information can be used for any number of purposes, further re-enforcing the “data is the new soil paradigm” , okay , what do I mean?

Once the data has been collected by the platform owner, they can harvest all kinds of information from it, and if they sell this data further the new owners can get some other information from the same data.  As the data gets collected, data mining companies can correlate the data with other data elements to get richer information.  Lets say one set of data has user’s email address, name and phone number.  Another source of data might have user email address, name and mailing address, now due to correlation the information about the user has become richer.  This entity can then sell this data onward and the new owner can corelate this data with the data they hold and make it richer. This cycle does not end as we leave log data every time we use the internet, this data can also be called bread crumbs.  When some has enough such breadcrumbs they have pretty much reconstructed a digital version of you.

Platforms as data aggregators

If you are using the platforms offered by likes of GAFA ( stands for Google, Apple, Facebook, and Amazon or you could also say Google, Amazon, Facebook, and Apple), your data is already centralized.  Users while using these platforms create the data which stays in the platform eco system enriching existing data that is already there.  This data gets even richer as data from other sources is amalgamated. Lets pick on one of the GAFA companies and see what data they might have on you.

Google

Google has a lot of platforms in their ecosystem, most common ones being:

  • Gmail
  • Google News
  • Google Voice
  • YouTube
  • Drive
  • Photos
  • Maps
  • Android
  • Google Play Store

While you go about your normal daily activities Google is analyzing all the data

  • Where you are located
  • Who sends you emails
  • What kind of emails you receive
  • The contents of those emails
  • What are your video consuming patterns, such as what you watch, when you watch, comments you make.
  • What kind of files you store on google drive and their contents
  • Photos can already identify dog, cat, baby, etc. Once you tag folks they know exactly what John looks like and so on, where the picture was taken
  • If you are on mobile, and your location is turned on, all your travels are being tracked
  • If you use google voice, they already know what you sound like and if you have google voice configured to listen for “Ok Google”, it is always listening to all what you are saying and activates when it hears the key word “Ok Google”

Facebook

Facebook is not far in terms of data collection either, some of their platforms are:

  • Facebook
  • Messenger
  • Instagram
  • Pages
  • Groups
  • WhatsApp

While Messenger and WhatsApp seem to be providing end to end encryption, Facebook is still able to identify the parties exchanging messages.  Similar to Google, users on Facebook are uploading their photos, tagging them, checking in at locations, creating posts, tagging folks as friends, spouses, brothers, sisters, cousins, etc.  The information that Facebook has is comparatively richer than what google has.  It is just a matter of how it is mined.

When a user starts consuming a product from an ecosystem owned by one entity, the user in spite of getting free services, is the biggest loser.  This is because as we use the platform in our daily lives, we keep on adding to our existing data and as a result making it richer.

Data Rush

Remember “Gold Rush” , I  have coined this term “Data Rush” to draw the similarities on how everyone is after your data just like back then folks were after gold.  Gold made people rich, but once they bartered it for fiat(money) it was gone, and if they spent the money, they were left with nothing.  The advantage of data that big organization own about you is that they don’t as such “give” your data to their clients and have nothing left, but they share certain attributes about you while still holding the original data.  Once the organization has collected user data, it keeps on giving like a high interest savings account, and the users keep adding to it as they continue to create more data by using the platforms in the ecosystem.

Gold Rush and cybersecurity
Gold Rush

Data is the new ‘Oil’ was used throughout 2017 and 2018, which does not seem to be true, as ‘oil’ does not keep giving unlike data, which keeps on giving.  Hence the most appropriate term would be Data is the new soil.  As long as you have the soil, you till it (data mine) and it keeps producing crops(more data about data subjects after co-relation).

Privacy

Having too much data about ourselves with vendors, means we are making ourselves susceptible to data breaches which end up impacting our privacy.  The Equifax breach in 2017 exposed data of 147.9 million consumers in US and Canada, majority of impacted users were in US. This data was passed on to Equifax by the organizations that we chose to do business with.

Laws related to credit reporting give us rights to our credit information if it’s reported. But there’s no legislation requiring lenders to take the step of reporting in the first place.”

From <https://www.nerdwallet.com/blog/finance/banks-credit-bureaus-opt-out-reporting-account-information/>

We are responsible for our data, hence we have to ensure we think twice what we share and who we share it with, if in doubt ask.

Cyber Resilience

Resilience is the ability of a system to recover from failures.  Cyber Resilience is ability of an organization and the users to recover from cyber attacks, which are always about data.  As we share more data we are making ourselves more susceptible to identity theft, hence to address this risk there are two ways, one very drastic is to stop using electronic medium all together, which is not realistic in this time and age.  The best approach will be so minimize our digital footprint.

We will discuss more about ways of minimizing our digital footprint in the next post.

└ Tags: , , , , , ,
 Comment 

Red Team vs Blue Team

Dec18
by Shahid Sharif on December 18, 2018 at 8:43 am
Posted In: Security

Red Team and Blue Team comparison

RedTeamBlueTeam

└ Tags: , , , ,
Comments Off on Red Team vs Blue Team

Introduction to Zero Knowledge Proofs-Infographic

Dec04
by Shahid Sharif on December 4, 2018 at 8:54 am
Posted In: Blockchain, Distributed Ledgers, Privacy Coins, Security

Zero Knowledge Proofs Infographic

Introduction to Zero Knowledge Proofs

└ Tags: , , ,
Comments Off on Introduction to Zero Knowledge Proofs-Infographic

How to evaluate an ICO?

Jul28
by Shahid Sharif on July 28, 2018 at 2:41 pm
Posted In: Blockchain, Cryptocurrencies, ICO

These are some of the key considerations when evaluating an ICO:

  1. What is the token trying to achieve/solve/disrupt
  2. How many of the total tokens being issued are held by the ICO issuer?
  3. Which individuals are part of the ICO issue core team? What are their backgrounds, what is their track record in this space
  4. If there is a GitHub page, review the various repositories and see how many people are supporting it, and what percentage are active, because you could have one hundred people listed, and only five are active, not a good sign. How often are changes being committed?
  5. How long does the ICO run for?
  6. What does the ICO issuer plan to do with the capital raised?
  7. If the ICO has already been issued, check http://coincap.io for its details.
  8. See what community is saying about this ICO, sites like:

https://www.smithandcrown.com/
http://reddit.com
Team sites on Telegram
Team sites on Discord
Team sites on Slack

└ Tags: ,
Comments Off on How to evaluate an ICO?

Lightning, Plasma, Raiden, and State Channels

May27
by Shahid Sharif on May 27, 2018 at 8:00 am
Posted In: Blockchain, Side Chains

BlogPost Title Graphic

Introduction

Blockchains suffer from scaling issues.  This is due to the fact that every transaction has to be propagated to all the nodes in the network and after propagation is complete the mining activity to create a block and provide a confirmation.    In bitcoin blockchain a confirmation can take about ten minutes.  When it comes to the security of a blockchain the number of nodes is directly related to the security of the blockchain, more nodes mean better security.  Whereas the performance is indirectly proportional whereby as the number of nodes increases the blockchain starts to slow down as the transactions need to be propagated to more nodes.

Transactions Per Second (TPS) for some blockchains are:

  • Bitcoin Blockchain processes 7 TPS
  • Ethereum processes 13TPS
  • Ripple processes 1500 TPS
  • Visa processes 1700 TPS,  if required the system can process up to 56000 TPS

Scaling Solutions

Besides sharding, some of the scaling solutions,  called layer two solutions that I will be discussing are:

  • Plasma for Ethereum
  • Raiden for Ethereum
  • Lightning for Bitcoin and Litecoin

Plasma

Plasma addresses the scaling problem by providing a framework that allows implementation of nested chains.

As per the Plasma whitepaper:

“Plasma is a proposed framework for incentivized and enforced execution of smart contracts which is scalable to a significant amount of state updates per second (potentially billions) enabling the blockchain to be able to represent a significant amount of decentralized financial applications worldwide.

These smart contracts are incentivized to continue operation autonomously via network transaction fees, which is ultimately reliant upon the underlying blockchain (e.g. Ethereum) to enforce transactional state transitions.”

This is how you would deploy a Plasma chain:

  • A smart contract is deployed on Ethereum main net that serves as the “root” of the child chain. It contains the basic “state-transition rules” of the child chain, records hashes, and serves as bridge that lets users move assets between the child chain and Ethereum main net.
  • A child chain is created that has its own consensus algorithm such as PoA, PoS, or other.
  • Deploy Child chain related contracts to the child chain
  • As the child chain produces blocks, they are committed to the root contract created in #1 above.
  • The root contract commits the updates to mainnet.

Raiden

Raiden is a lightning implementation for Ethereum, and next I will talk about Lightning.

“The Raiden Network is an off-chain scaling solution for performing ERC20-compliant token transfers on the Ethereum blockchain. It is Ethereum’s version of Bitcoin’s Lightning Network, enabling near-instant, low-fee, scalable, and privacy-preserving payments.”

Lightning

Implements Smart contracts, using three technologies:

  • Multi Signatures.
  • Check Lock time and Check sequence verify, relative time from previous transaction.
  • Hash lock time contracts, forward a promise that can be unlocked by a secret.

State channels are setup between parties.  The party initiating the channel has to deposit bitcoin in escrow, this ensures that the other party will receive the funds once the channel is closed.  The amount deposited establishes the maximum value that can be transacted within the channel.

  • Final transaction is written to the bitcoin blockchain after the state channel has been closed.
  • You have to stay online all time to ensure other party does not close the channel on you
  • In case you get cheated, you have 8 hours to send a competing transaction
  • Scaling at every layer
  • Lightning applications (lApps)  vs dApps

You can deploy a lightning node.  BOLT(Basis of Lightning Technology) is an interoperability standard. Currently there are three BOLT compliant technologies to implement lightning.

  • LND from Lightning Labs
  • C-Lightning from Blockstream
  • Éclair from ACINQ

 

Conclusion

All blockchains throughput was tested in Q4 2017 when they got bogged down by the number of transactions and the transaction fees soared.  Lightning went live Q1 2018 while the other two are still in development.

 

References

└ Tags: , , , , , , , ,
Comments Off on Lightning, Plasma, Raiden, and State Channels