If you had sat down to read this book when it was initially written in 2012, you might think that a lot of the content belonged squarely to the tin foil hat brigade.
Julian Assange, editor in chief at whistleblowing site Wikileaks, has a marmite effect on people. Some see him as a valiant hero taking on the increasingly controlling and manipulative governments of the world, while others cast him as a fame seeking egotist. As is usually the case in things like this I’m sure a little of both is true. What is undeniable though is that inside the pages of the book are discussions about the security services and their deep spying techniques that only came to public light when another whistleblower, Edward Snowden, gave up everything in his life to bring the information to the public.
So, time to take off the tin foil hat and start paying attention.
Assange, in dramatic fashion, sets the scene with the statement ‘This book is not a manifesto. There is not time for that. This book is a warning.’
By the time you’ve finished reading, you can’t help agreeing.
Cypherpunks are activists who use strong cryptography tools to protect their identity and privacy online. They also promote the idea that everyone should do the same unless they want their every digital transaction and communication stolen and stored by the security services of the western world. It’s a harsh political stance, but over the course of the debates that rage in the book, allied with Snowden’s revelations, the reader is drawn into an incredible, scary world that isn’t like the one we imagine it to be.
Assange brings together three other advocates – Jacob Appelbaum, Andy Muller-Maguhn, and Jeremie Zimmermann – to have a round table discussion of the dangers that electronic spying has for an unwitting population, and how they can safeguard against it. The writing style is that of a transcription of these talks, which is effective in bringing out the differing standpoints of those involved.
During the discourse they cover subjects such as government surveillance, digital currency, and censorship, and from there branch into other tangential thoughts as their minds fire on all cylinders. Perhaps one of the most prescient arguments they make is how governments use the ‘Four Horsemen of the Infopocalypse’ – child pornography, terrorism, money laundering, and the war on drugs – to pass overreaching legislation that none dare argue with, lest they be seen to support these awful practices.
It rings true when you look at David Cameron’s recent internet censorship proposals, which trumpet the filtering of pornography but also seem to cut off access to dissident sites in the background. It’s a subtle, complex issue, and one that Assange and co don’t really offer any tangible solutions for (how do you stop these things without some form of censorship?), but the beginning of the discussion, and the eye-opening effect it has in making you scrutinise government policies, is something we can all benefit from.
It’s not a light read by any means, filled to the brim as it is with ideas, arguments, and sometimes chilling visions of the future, but it is an important book. The debates do lend themselves to easily becoming echo chambers, and I would like to see another edition where they include someone to argue the opposite position, though Assange often strays into a devil’s advocate role to keep the discussion on some kind of level footing.
Whether you care about computers, surveillance, hackers, Assange or not, Cypherpunks should be on your reading list. The sooner the better.
One of the harsh realities of our now digitally interconnected lives is the constant threat of hackers trying to gain access to our systems. According to a recent study by the University of Cambridge we here in the UK spend an estimated £100 million each year on anti-virus software to protect our valuable data, yet stories of identity theft, compromised email accounts, and social media hijacking continue. But when you look at the figures, and see how the actual types of crime are broken down, a surprising common factor emerges. Although most of us associate hacking with malicious software that somehow forces its way into our systems, the truth is actually a lot simpler.
‘While software companies are learning how to strengthen programs,’ explains Christopher Hadnagy, in his book Social Engineering: The Art of Human Hacking, ‘hackers and malicious social engineers are turning to the weakest part of the infrastructure – the people.’
Writing code is complicated and time consuming, and there’s the distinct possibility that it can be traced back to its origin, leaving the police a trail of breadcrumbs to follow. So rather than investing their resources in these forms of attack, human hackers instead use a technique that has long existed in the physical world: the old-fashioned con. By now we’ve all seen examples of phishing attacks: emails that appear to have been sent from our banks, or favourite online shopping portals. They usually arrive in our inbox warning us (ironically) of security threats, are often dressed up with graphics lifted from the real site, and apply time pressure to respond quickly or the relevant account will be shut down. All the customer needs to do is click on the embedded link, confirm their account details and everything will be fine. Of course the email is a fake, and the site you click through to is also bogus (the text of a link and the address it actually leads to need not match, which is why the real destination is worth checking before you click), but the details you enter – usually financial – are very real, and now rest on the machine of someone who will immediately embark on a shopping spree.
These scams are as old as the internet itself, in fact they have existed in one form or another since people first became people, but the threat of the modern age is that the information needed to trick us is often given away freely by ourselves on social media sites, internet forums, or even by casual conversations with seemingly well meaning strangers.
‘Many of these attacks,’ continues Hadnagy, ‘could have been avoided if people were educated, because they could act on that education. Sometimes just finding out how malicious people think and act can be an eye-opener. I was recently discussing with a close friend her financial accounts and how she was worried about being hacked or scammed. In the course of the conversation we started to discuss how easy it is to guess people’s passwords. I told her that many people use the same passwords for every account. I saw her face go white as she realised this is her. I told her that most people use simplistic passwords that combine something like their spouse’s name, his or her birthday or anniversary date. I saw her go an even brighter shade of pale. I continued by saying that most of the time people choose the simplest security question, such as your mother’s maiden name, and how easy finding that information is via the internet or a few fake phone calls.’
This combination of real world conversations mixed with online information gives the enterprising hacker, or social engineer as some call them, a powerful amount of knowledge about us. Knowledge they can use to mount frighteningly effective attacks. In his book Hadnagy lays out the various tactics that social engineers use to ensnare their targets: information gathering via the internet, phone calls in which the attacker poses as a representative of a company the target uses, and raiding rubbish bins for financial information such as bank account or credit card numbers. All of this goes into a profile of the target, which lets the hacker craft the persona or fake website that will be most alluring. It sounds at times like something out of a James Bond movie, but these techniques are used constantly in one fashion or another, usually with the intent of gaining access to the target’s office machine, which of course then means access to the business as a whole. Drawing information out of a target in ordinary conversation, which Hadnagy calls elicitation, is a skill that social engineers develop to a high degree, so the target often doesn’t even know that they surrendered the information.
‘The goal with elicitation is not to walk up and say what is the password to your servers?’ Hadnagy reveals. ‘The goal is getting small and seemingly useless bits of information that help build a clear picture of the answers you are seeking or the path to gaining those answers’.
Armed with these different fragments of knowledge, hackers can then exploit weaknesses in other parts of the human chain, sometimes with devastating consequences.
Mat Honan is a senior writer at Wired magazine and has written for many of the top tech magazines. He is someone who understands the internet, technology, and the culture that surrounds it. But during the summer of 2012 his digital world was torn apart in the space of an hour when determined hackers employed a variety of tactics to gain access to his accounts. The tech community was shocked at the apparent ease with which this happened, as it highlighted the house-of-cards nature of online security.
A hacker, posing as Mat, called Amazon and said he wanted to add a new credit card to his existing account. The card number was of course fake, but this didn’t matter: Amazon required only Honan’s billing address, email contact, and the name on the account, all of which could be found with a little digging online and some logical deduction. The card was added and the hacker ended the call. Moments later he rang again saying that he was locked out of his account. The operator asked him to confirm the details of the account, including the new credit card number, and not surprisingly the details matched. The hacker was issued a replacement password for the account, and could now see Honan’s real credit cards – not the whole numbers, just the last four digits of each. As it turns out, those four digits were exactly the part of the card that Apple used as part of its account verification process.
The hacker then placed a call to the AppleCare support line saying that he had forgotten the password to his me.com account. Once he had supplied the operator with the billing address and the last four digits of the card, Apple issued a temporary password, which gave him access to the account. He was in. All it took was a quick Google search and two phone calls. In a matter of minutes the hacker had gained access to Honan’s Gmail account and Twitter, remotely wiped his iPhone and iPad, and then finally destroyed his Gmail account.
‘In many ways, this was all my fault’ Mat wrote on his Wired blog detailing the events. ‘My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.’
Since the events were made public both Apple and Amazon have made changes to their customer service practices so that these weaknesses can’t be used again. The fact that they were only discovered after hackers had used them to destroy most of Honan’s online life, though, suggests that neither company had realised it was possible in the first place: each recovery process looked reasonable on its own, and the problem was only visible when the two were chained together. Hackers who think beyond the boundaries of code breaking and malware will always be looking for ways to draw seemingly innocent information from their targets, and until we become aware of these possibilities they will most likely succeed. With software you can build in complex levels of security, and have warning flags go up the minute a breach is attempted. Incorporating these types of failsafes into people may take a little longer.
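The daisy chain Honan describes can be written down as a small attack graph and checked mechanically, which is how a security engineer would look for this kind of cross-provider weakness before an attacker does. What follows is an added example, not code from the article, from Honan, or from any of the companies named. The recovery rules it encodes (which facts each provider accepted over the phone, and what each account revealed once opened) are constructed approximations of the narrative above rather than the providers’ actual procedures, and fact names such as `card_last4` are assumptions made for the illustration.

```python
"""Account-recovery daisy chain as a forward-chaining attack graph.

Added example. The policies are constructed approximations of the chain
described in the article, not any provider's real recovery procedure.
"""

# Constructed policy table (assumption, not the providers' real rules).
# For each account: facts the attacker must already hold to get in,
# and facts the account hands over once opened.
POLICIES = {
    "amazon": {
        "requires": {"name", "billing_address", "email"},
        "grants": {"card_last4"},          # last four digits of the real cards
    },
    "apple_id": {
        "requires": {"billing_address", "card_last4"},
        "grants": {"icloud_mailbox"},      # the me.com mailbox
    },
    "gmail": {
        "requires": {"icloud_mailbox"},    # me.com was Gmail's recovery address
        "grants": {"gmail_mailbox"},
    },
    "twitter": {
        "requires": {"gmail_mailbox"},     # Gmail was Twitter's recovery address
        "grants": set(),
    },
}

# What the article says was findable with a Google search and deduction.
PUBLIC_FACTS = {"name", "billing_address", "email"}


def compromise_closure(policies, known):
    """Forward-chain over the policies: take over every account whose
    recovery requirements are a subset of what the attacker knows, add what
    that account reveals, and repeat until nothing new falls. Returns the
    accounts reached, in order, and the attacker's final fact set."""
    known = set(known)
    reached = []
    progress = True
    while progress:
        progress = False
        for name, policy in policies.items():
            if name in reached:
                continue
            if policy["requires"] <= known:
                reached.append(name)
                known |= policy["grants"]
                progress = True
    return reached, known


def blocking_links(policies, known, target, extra_fact="out_of_band_code"):
    """Which single policy change would have saved `target`? For each
    account, pretend its recovery also demanded `extra_fact` (something
    no other account hands out, e.g. a code sent to a registered device)
    and re-run the closure. Returns the accounts whose hardening alone
    keeps the attacker out of `target`."""
    blockers = []
    for name, policy in policies.items():
        hardened = dict(policies)
        hardened[name] = {
            "requires": policy["requires"] | {extra_fact},
            "grants": policy["grants"],
        }
        reached, _ = compromise_closure(hardened, known)
        if target not in reached:
            blockers.append(name)
    return blockers


if __name__ == "__main__":
    path, facts = compromise_closure(POLICIES, PUBLIC_FACTS)
    print("accounts taken over, in order:", " -> ".join(path))
    print("facts the attacker ends up holding:", sorted(facts))
    print("hardening any one of these stops the Twitter takeover:",
          blocking_links(POLICIES, PUBLIC_FACTS, "twitter"))
```

Starting from nothing but the three public facts, the closure walks the whole chain: Amazon gives up the card digits, the digits open the Apple ID, the me.com mailbox opens Gmail, and Gmail opens Twitter. The second function makes the point behind the Amazon and Apple policy changes concrete: because the chain is linear, adding one thing the attacker cannot talk his way into at any single link is enough to protect everything downstream of it, and hardening Amazon alone would have kept the Apple ID safe even with Apple’s policy unchanged.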
A version of this post originally appeared as part of a new series of features called News Viewpoint that I write for the PC Advisor website and also appears in the April 2013 issue of the print magazine – yes, I know that’s in the future, but the way magazines work is a mysterious form of sorcery. To see the original click HERE or pop out to your local newsagent and purchase the rather splendid magazine itself.