Facebook Expands To Spy On The Workforce

Apparently Facebook is trying to be a better spy.  They’re integrating common workplace apps such as Microsoft Sharepoint and many other commonly used digital tools in the workplace.  This is a strategic move so they could sell this data to the highest bidder in order for another IT company to get an advantage over the competition.  With this new level of spying Facebook gets an idea of what tools people prefer since they already know more than we do about ourselves.  As with people data, data based on their work habits is extremely valuable as it filters up to knowing how their workplace functions.

I admit this was written nearly entirely with sarcasm but I’m really not joking.

Your Car, TV, Phone, Computer and Other Devices Spy On You

Years ago this would have been called a “conspiracy theory”, but now that the CIA’s “Vault 7” hacking tools have been released it is an established truth.  What’s scarier is that the revelation applies to pretty much all computing devices and all OSes.  The CIA has found exploits and used backdoors into the various devices.  I suspect the backdoors and some vulnerabilities were forcefully injected by the US government.  To make it scarier we have the NSA’s PRISM, and this combined with the CIA dump is alarming because those entities, combined with other governments, surely have a lot more than what has been revealed.  It is not a stretch but rather insane to believe you are not likely being watched and listened to.  We haven’t even covered well-funded, private hacking groups.

There are two issues here.  The first one is companies who willingly create vulnerabilities and backdoors at the request of governments and private groups.  The second issue, compounded by the first, is that on top of that many products and companies also spy on their customers and share that data with third-party companies and governments at will, without any disclosure or regulation.

It’s more than just following where you’ve gone and listening to and watching you: the new smart vehicles can be hacked and likely have government-mandated malware or backdoors.  Imagine if a government doesn’t like someone and they suddenly have a tragic accident.  There is absolutely no reason why this shouldn’t be the case, and perhaps one day we may learn of cases of bizarre traffic accidents that were not really accidents at all.

On an interesting note, the “Marble Framework” was released, which is essentially an anti-forensic tool to make it difficult for malware and virus experts to attribute the code to the CIA or the US government.  The framework would essentially make it look like enemies of the US such as China, Russia, Iran or North Korea were responsible for cyberattacks and malware that the US itself had created.

With all this it sounds hopeless, but it is not.  Edward Snowden famously stated “do not give up on encryption”; clearly not everything is hackable and compromised, and there are steps we can take to prevent ourselves from being hacked by the government.  Edward Snowden’s comments and actions are of particular use: the fact that he still says to use encryption means there are ways to be secure.  We should also remember that he used the Tails distribution for communication and used OpenPGP, so it appears that, at least in the recent past, this was a secure and unbreakable way of communicating.

“What last year’s revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default,” he said. — Edward Snowden

How can you protect yourself?  There are steps we can take, such as avoiding the use of free, insecure services to communicate such as Gmail, Facebook and WhatsApp, and also avoiding products that spy on us.  Try to get an older TV, or if you get a newer one rip it open and disable the microphone, wifi etc.  If you drive a vehicle, again consider seeing if it is possible to disable some of the spying features on it, or drive an older vehicle without technology that logs and calls home.  It’s time to get armed and follow certain procedures, avoid certain products and make it as difficult as possible to be spied on.  Although the programs and hacking methods groups like the CIA possess are incredible, not all are guaranteed to be successful, especially on those who do not run default or standard settings.

Bitcoin vs Bitcoin Cash

This has been one of the most controversial issues in cryptocurrency.  The Bitcoin Cash Hardfork emanates from this issue of what amounts to basically a setting in a config file.

The issue was real back then, with Bitcoin only having a 1MB (megabyte) blocksize.  You would think 1MB could store a lot of transactions, and this was fine until Bitcoin exploded and began to be used by millions worldwide (something not exactly expected or planned for by the original devs).  Bitcoin can only do 7 transactions per second, which is way too slow, and what was happening is that the entire block was already fully utilized as soon as it was mined.  It would be like your bank’s ATM or POS machine crashing before you could do a transaction.  In other words Bitcoin was overloaded and couldn’t keep up with the transactions that were being demanded, causing slow processing that could take days to send some Bitcoin!

Some of the devs felt that this wasn’t an issue and wanted to keep things the same as Satoshi created them (with the 1MB blocksize). They felt Bitcoin was never meant to be used for payments such as a cup of coffee and that very slow transactions weren’t an issue.  They also voiced concerns that a larger blocksize would stop people from running full nodes and increase centralization since a larger blocksize requires more computing power.

The Bitcoin Cash team disagreed and did a hardfork, which is essentially a copy and counterfeit of the original Bitcoin.  The only real change they made was the blocksize, to 8MB, which means faster and cheaper transactions than the original Bitcoin.

There were problems initially with potential replay attacks, since to get this Bitcoin Cash you have to use your real Bitcoin wallet/private keys to receive it.  This meant that nefarious wallet creators could steal your coins from the real Bitcoin network if you didn’t move your original coins to another wallet first.  There is also the threat of a replay attack.  Replay attacks work on the fact that both chains are identical.  If you send a transaction on one chain, an attacker could see it and then broadcast the transaction on the other chain to their own address.

This is one big reason I don’t like hardforks: aside from the confusion, scams and devaluation, a replay attack is one more huge problem to have.
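To make the replay problem and the “move your coins first” advice concrete, here is an added example written for this page; it is not code from Bitcoin, Bitcoin Cash or any wallet. It models two chains that share a pre-fork ledger; the chain names, balances and keys are made up, and an HMAC over a canonical JSON body stands in for the real signature. It shows the same signed transaction being accepted on both chains, the mitigation where the signature also commits to a chain identifier (so a copy is rejected on the other chain), and why sweeping real coins to a fresh key before handing the old key to any “claim” wallet means the old key can no longer spend them:

```python
import hashlib
import hmac
import json

# Constructed toy ledger shared by both chains at the moment of the fork.
PRE_FORK_BALANCES = {"alice": 10, "alice_fresh": 0, "bob": 0}
# Constructed signing keys; HMAC stands in for a real ECDSA signature.
KEYS = {"alice": b"alice-secret-key", "alice_fresh": b"alice-fresh-key"}


def sign_tx(tx, chain_id=None):
    """Sign a transfer. When chain_id is given, the signed message also commits
    to the chain, which is the idea behind fork-specific replay protection."""
    body = dict(tx)
    if chain_id is not None:
        body["chain_id"] = chain_id
    msg = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[tx["from"]], msg, hashlib.sha256).hexdigest()
    return {**tx, "sig": sig, "protected": chain_id is not None}


class Chain:
    def __init__(self, chain_id, balances):
        self.chain_id = chain_id
        self.balances = dict(balances)

    def accept(self, signed):
        """Apply the transaction if the signature verifies for THIS chain and funds exist."""
        tx = {k: v for k, v in signed.items() if k not in ("sig", "protected")}
        expected = sign_tx(tx, self.chain_id if signed["protected"] else None)["sig"]
        if not hmac.compare_digest(expected, signed["sig"]):
            return False
        if self.balances.get(tx["from"], 0) < tx["amount"]:
            return False
        self.balances[tx["from"]] -= tx["amount"]
        self.balances[tx["to"]] = self.balances.get(tx["to"], 0) + tx["amount"]
        return True


def replay_scenarios():
    results = {}

    # 1. No replay protection: a transaction seen on one chain is valid on the other as-is.
    btc, fork = Chain("BTC", PRE_FORK_BALANCES), Chain("FORK", PRE_FORK_BALANCES)
    tx = sign_tx({"from": "alice", "to": "bob", "amount": 3})
    results["replayed"] = btc.accept(tx) and fork.accept(tx)

    # 2. The signature commits to the chain id: the verbatim copy is rejected elsewhere.
    btc, fork = Chain("BTC", PRE_FORK_BALANCES), Chain("FORK", PRE_FORK_BALANCES)
    tx = sign_tx({"from": "alice", "to": "bob", "amount": 3}, chain_id="BTC")
    results["protected"] = btc.accept(tx) and not fork.accept(tx)

    # 3. Sweep to a fresh key before giving the old key to any "claim" wallet.
    btc, fork = Chain("BTC", PRE_FORK_BALANCES), Chain("FORK", PRE_FORK_BALANCES)
    sweep = sign_tx({"from": "alice", "to": "alice_fresh", "amount": 10})
    btc.accept(sweep)
    fork.accept(sweep)  # the sweep itself replays; both copies now sit under the fresh key
    theft = sign_tx({"from": "alice", "to": "thief", "amount": 10})  # old key in a malicious wallet
    results["old_key_can_steal"] = btc.accept(theft)
    results["btc_balance_fresh"] = btc.balances["alice_fresh"]
    return results


if __name__ == "__main__":
    print(replay_scenarios())
```

The third scenario is the point of the page’s advice: the malicious wallet holds a valid key, but that key no longer controls any balance on the real chain, so the worst it can do is nothing.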

These issues are why I believe hardforks shouldn’t be possible.  If it means the blockchain is not 100% open source and permissionless then this is acceptable.  Open Source is currently what makes most currencies vulnerable.  Let’s take it back to the secure, traditional IT methods of a secure server vs client model (where the secure server should be Bitcoin or whatever currency we are talking about).

My money is on the real Bitcoin.  Bitcoin Cash could have been interesting if they did more than just increase the blocksize and didn’t copy the blockchain.  I pick the original Bitcoin for the long run.

Bitcoin Private and Cloak Cryptocurrencies

There is a huge emphasis on privacy with a lot of new coins but I do feel that a lot of coins focus on a single issue and leave the overall business and usability aspect out.  How do these newer coins fare?

Cloak

My first impression is: why doesn’t the non-www version work while the www version does?  Does their team not know how to properly configure nginx, or is it just a simple mistake and oversight?

(Screenshot: cloakcoin.com returning a Forbidden / ConfigError page)

They call their encryption ENIGMA, which I am not sure is a joke, or whether they aren’t aware of the ENIGMA encryption box in Germany that was compromised during WWII.  I would more so be worried that it is a read-between-the-lines joke, or a hint that the team is doing something more than they claim.  Sorry, but I just can’t get over the fact that they would not know about the Enigma box from Germany that was decoded.

For my second point, I do like the privacy aspects, but this is where I have concerns.  On one hand they tout privacy, but then to have more privacy they obfuscate transactions by using other clients’ wallets?  Why would you allow a third party and random stranger to process or handle any part of the transaction?  I do realize they say it is fully encrypted and obfuscated, so the random third-party stranger on the network shouldn’t know anything about you or your transaction, but to me it violates the principle of privacy and security.  It reminds me of how everyone believed the TOR network is a good idea and secure, but in reality whoever runs an exit node can spy on other users, including the NSA.  This architecture of Cloak makes me worried that a vulnerability could be found and that privacy could be worse than most other Bitcoin-style coins.  Even if a simple vulnerability was not found, you are essentially passing private information to random strangers on the network; the NSA or other large, funded organizations could use this to spy on other users or even perhaps modify transactions and create chaos on the network.

I also find it confusing how they say it is private but you have to enable “ENIGMA” on top of “Cloak Shield” to truly make it private?

Here are the parts I’ve picked on from their website:

Alice’s Cloak wallet then automatically sends a request to the network for other Cloak wallets who have elected to become ENIGMA mixer nodes to obfuscate her transaction. All of this is done privately and securely throughout with no identities or true IP addresses revealed.

Bob has cloaking mode enabled in his wallet and the wallet generates a secure CloakShield encryption channel for communications with Alice’s wallet. Bob’s wallet sends Alice a secure connection, containing encrypted inputs and outputs to commence the transaction.

With this confirmed, Alice, with full anonymity, creates an encrypted ENIGMA transaction containing her true inputs and outputs and Bob’s cloaking (obscured) inputs and outputs. Bob and Alice both sign the ENIGMA transaction before it is submitted to the network for inclusion into a PoS block.

Going back to the concerns I have above, I really don’t like how Alice’s wallet would ever communicate with anyone other than the receiver or the Cloak network.  By introducing Bob, there is the chance that Bob could decipher and identify what Alice is doing.  Of course that’s not what should happen, but I believe it is a huge security hole to involve random third parties in confirming or obfuscating transactions.  The situation reminds me a lot of the vulnerabilities in the TOR network.  Essentially Bob is like an exit node, running transactions for Alice.  Bob shouldn’t know who Alice is or what she is doing, but what if there is an implementation error or other issue?  This could be avoided by not using any random third party.

I think Cloak does a great job, but they’ve actually introduced a huge security hole by having a random third party process the transaction.  It would be like saying “my data is encrypted so I’ll send encrypted copies to everyone”.  Sure it is encrypted, but if someone can ever hack your encrypted data, either through brute force or an algorithm/implementation error, then you are done for.  The best solution is to never send private and sensitive data to an extra, third party.

I do think the Cloak project has worked hard and has some great ideas, and aside from privacy and what I believe are security holes in how they implement it, they have done a great job; but it is not a coin that does everything right.

Bitcoin Private

For those who know me, I am very much against forks.  As I’ve stated before, they decrease value and lead to scams and confusion.  This can be evidenced with Bitcoin Gold, regardless of who you believe was responsible.  Right off the bat, Bitcoin Private is warning of scammers trying to confuse you, with a warning on their website.

(Screenshot from the Bitcoin Private (BTCP) website: scam warning regarding private keys)

The problem with these types of coins, hardforks or what I think are really counterfeits, is that you need to give up the very “private keys” of your real, valuable Bitcoin to claim the “new counterfeit coin”.  This is a huge security problem: regardless of who made the wallet, what if the wallet is designed or hacked to maliciously steal your real Bitcoins?  There is no easy and secure way to claim your coins from these counterfeits.  Once you give up your private keys to Bitcoin Cash, Bitcoin Gold or Bitcoin Private, they could steal your real Bitcoins.

Now there is a way around it: you could transfer your coins to another wallet first, but it’s a huge pain and a mistake could cost a novice user all of their Bitcoin.

Now, in all fairness, I appreciate that this team at least has official wallets ready for download, unlike Bitcoin Cash.

Users who have the currency called “ZClassic” are also involved here, which is also another confusing fork of ZCash.

This is what I mean about all of the confusion.  It creates an environment where holders and buyers are easily confused about which is the real “Bitcoin” and which is the real ZCash.  And really, I can’t see any reason why people are forking except as a cash grab and counterfeiting spree.

For this reason I don’t trust Bitcoin Private any more than I trust the other forks (although I trust Bitcoin Gold the least).  I personally feel there is no good reason to trust any of them.  If they want to make a new or better currency they should really just make their own, or at least copy it under a new name.  But of course forking creates unwilling participants and owners of the new currency, while enriching and rewarding the hardforkers for their counterfeiting.

For those reasons, if I had to pick between the two, I think Cloak has our best interests at heart, and hardforked coins are just a scam, counterfeit and cash grab by unscrupulous people.

Cloud VPS Server Comparison by Techrich

Recently a friend asked me to compare ourselves to other large Cloud providers.  It didn’t take me long to think about it, considering the Techrich and Compevo architectures are essentially identical.  This wasn’t by accident, but by my own principles on how an IT company should function.  Since designing what is now known as the “Super High Performance Cloud Architecture” back in 2009, I knew I wanted Techrich to be smart on security, strict on reliability, and strong on IT protocols.

This infographic probably says it best, but I’ll do my best to explain it as well (explanation below the infographic).

(Infographic: Techrich Cloud VPS Server Hosting Comparison)

In a nutshell, most of the other Cloud architectures out there rely heavily on a shared storage pool for their VPSs.  We don’t do this.

Some companies have even gone down completely when one of their “main shared storage nodes” was hacked or had a hardware failure.

The problem with shared storage nodes/SANs (Storage Area Networks)

The problem with this architecture is that multiple physical hostnodes rely on a single point of failure for storage.  Not only that, but you can imagine the performance issues that shared network bandwidth causes when multiple hostnodes are competing for the same disk IO resources from a single shared node.

Now I know some companies have redundant shared storage, but this is not good enough for performance, security and reliability reasons.

The Techrich way of doing things is that we have tons of individual nodes that are active/failover.  This eliminates the possibility that a shared storage fault could take multiple hostnodes offline.

In our architecture we have Cloud in a 1-to-1 structure; that means data is live-replicated to a standby server which does nothing but wait in case the main server fails or has an issue.

By doing this the performance is also higher, since storage is all local; you get the benefit of Cloud architecture but none of the high risks or performance issues that traditional “shared storage” Cloud brings you.
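Here is an added illustration of the blast-radius difference between the two layouts; it is a model written for this page, not Techrich or Compevo code, and the component names, counts and failure probabilities are made up. Each VPS is described by the alternative dependency paths it can run on, so counting how many VPSs a failed component takes offline works for the single shared storage node, for redundant shared storage, and for the 1-to-1 primary/standby layout alike:

```python
def vps_is_down(paths, failed):
    """A VPS is offline only when every path it could run on touches a failed component."""
    return all(any(component in failed for component in path) for path in paths)


def shared_storage_cloud(n_hosts, vps_per_host):
    """Every VPS needs its own hostnode AND the single shared storage node ("san")."""
    return {f"vps-{h}-{i}": [{f"host-{h}", "san"}]
            for h in range(n_hosts) for i in range(vps_per_host)}


def redundant_shared_storage_cloud(n_hosts, vps_per_host):
    """Two storage nodes, but still no second hostnode for any VPS."""
    return {f"vps-{h}-{i}": [{f"host-{h}", "san-a"}, {f"host-{h}", "san-b"}]
            for h in range(n_hosts) for i in range(vps_per_host)}


def paired_cloud(n_pairs, vps_per_host):
    """1-to-1 layout: a VPS runs on its primary or, after failover, on its replicated standby."""
    return {f"vps-{h}-{i}": [{f"primary-{h}"}, {f"standby-{h}"}]
            for h in range(n_pairs) for i in range(vps_per_host)}


def blast_radius(cloud, failed):
    """Number of VPSs taken offline by the given set of failed components."""
    return sum(vps_is_down(paths, failed) for paths in cloud.values())


def shared_storage_outage(p_host, p_storage):
    """P(a given VPS is down) when it depends on its host and on the shared storage node."""
    return 1 - (1 - p_host) * (1 - p_storage)


def paired_outage(p_host):
    """P(a given VPS is down) when both its primary and its standby must fail
    (assumes failover itself always works, which is optimistic)."""
    return p_host * p_host


if __name__ == "__main__":
    shared, paired = shared_storage_cloud(4, 10), paired_cloud(4, 10)
    print("shared storage node fails:", blast_radius(shared, {"san"}))      # 40
    print("one primary fails (paired):", blast_radius(paired, {"primary-0"}))  # 0
    print("outage per VPS:", shared_storage_outage(0.01, 0.01), paired_outage(0.01))
```

The two probability helpers are the textbook series/parallel calculation: with an independent 1% failure rate per component, a VPS behind shared storage is down about 1.99% of the time, while a VPS with a standby is down about 0.01% of the time. Real numbers depend on failover time and on whether failures are actually independent, which a model this small does not capture.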

That’s the Techrich advantage, and why we developed our own proprietary and hybrid system to accomplish this.  To date we’ve never been hacked or had any downtime, and this is because of the architecture we’ve pursued while sparing no expense in delivering what we feel is the best product.  This is what I’d recommend all of my colleagues and friends do if they went Cloud.  If they were going to use a shared storage cloud, I’d recommend that they just make their own with a few dedicated servers; even a single dedicated server can sometimes be better, more affordable and more reliable in the long run.

When these large Cloud companies like Amazon and Alibaba started out, we did wonder whether we would lose out on customers who valued price over quality, security and reliability.  We were shocked when the opposite ended up happening: there was a sudden rush of sign-ups, and not only that, we had to order a ton of extra servers to keep up with the demand.  I had my IT support staff doubled and working overtime to meet the crazy rush.  It was a good problem to have, but it forced me to grow a lot faster than predicted.

In fact we’ve now noticed a trend: the bottom feeders (scammers, hackers, spammers) have gone to the cheap Cloud companies, and a lot of larger players have moved to us.  This is in part because companies that are more tech and privacy oriented don’t want to be in a PRISM country or be at risk of the NSA being given access to their sensitive, private and proprietary business/client information (which is mandated for large Cloud providers operating out of any PRISM country), so they moved to us and remain with us.

Now we get clients who even run small or middle-scale businesses, who have found us and switched to us simply because they do not want to be on something as risky as Amazon or Alibaba.  I guess you could call Techrich and Compevo the original IT business security company.  And I plan to keep it that way.


Facebook Tracks Non-Users Too!

As some people are just learning, Facebook has been tracking both users and even non-users, in a violation of their privacy that most never opted into.  Any time you visit a Facebook-related or Facebook-enabled site, they are tracking you.  Conversely, as a Facebook user, they track and relate all of your off-Facebook activity on any site that uses Facebook plugins or functionality (which is a lot of sites).  This is horrible and should be stopped, but in all fairness “they all do it”, and if anything Google is probably worse.

If the above is not bad enough, the PRISM network has backdoors to all of these services, so you are being violated directly by corporations and multiple governments who index all of your activity.  Privacy is a thing of the past, unfortunately.

However, there are ways to fight back, such as disabling cookies, deleting all cookies regularly and especially using a random VPN to make tracking harder.

It’s not so much that the majority of people have anything to hide, but privacy is a right everyone has.  Most people would object to having cameras in the washroom, not because they are doing something wrong but because you have the right to dignity and privacy.

Hopefully the longstanding issue with most giant online sites, from Facebook to Google etc., will drive demands from people around the world to restore privacy and digital rights in an era where infringement is common.


Lightning Network – LN Network DDoS’d and Attacked By Organized Group

A group calling itself Bitpico has bragged about attacking the LN (Lightning Network).  The group claims it is stress testing the network, and the LN developers responded that they are analyzing and trying to close any attack vectors before the currency is used more.

It is almost a traditional DoS attack, where nodes were flooded with false transactions to overwhelm them so no real transactions could get through (similar to a web attack that opens frivolous connections to overwhelm the server).
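The standard defensive response to a flood like the one described is to stop treating every peer as equal and budget each one separately. The following is an added example for this page, not code from any Lightning implementation: a per-peer token bucket run over a constructed message stream in which one honest peer sends at a steady rate and one peer dumps a hundred bogus messages in the first second. The honest peer is never throttled, the flooder is throttled almost immediately, and a peer whose drops outnumber its accepts is flagged for disconnection (the peer names, rates and message labels are made up):

```python
from collections import defaultdict


class PeerRateLimiter:
    """Token bucket per peer: a peer may send `burst` messages at once and then
    `rate` messages per second on average; anything beyond that is dropped."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = {}
        self.last_seen = {}

    def allow(self, peer, now):
        tokens = self.tokens.get(peer, self.burst)
        elapsed = now - self.last_seen.get(peer, now)
        tokens = min(self.burst, tokens + elapsed * self.rate)  # refill since last message
        self.last_seen[peer] = now
        if tokens >= 1.0:
            self.tokens[peer] = tokens - 1.0
            return True
        self.tokens[peer] = tokens
        return False


def process_stream(stream, limiter):
    """Run (timestamp, peer, message) tuples through the limiter. Returns per-peer
    accepted and dropped counts plus the peers whose drops exceed their accepts."""
    accepted, dropped = defaultdict(int), defaultdict(int)
    for now, peer, _msg in sorted(stream):
        if limiter.allow(peer, now):
            accepted[peer] += 1
        else:
            dropped[peer] += 1
    flagged = sorted(p for p in dropped if dropped[p] > accepted.get(p, 0))
    return dict(accepted), dict(dropped), flagged


def constructed_stream():
    """Constructed traffic: an honest peer at 1 msg/s for 10 s, and a peer
    sending 100 bogus messages within the first second."""
    stream = [(float(t), "honest", f"htlc-{t}") for t in range(10)]
    stream += [(i / 100.0, "flooder", f"bogus-{i}") for i in range(100)]
    return stream


def run_demo():
    """Budget of 5 messages up front, then 2 per second, for every peer."""
    return process_stream(constructed_stream(), PeerRateLimiter(rate=2.0, burst=5))


if __name__ == "__main__":
    accepted, dropped, flagged = run_demo()
    print("accepted:", accepted)
    print("dropped:", dropped)
    print("flag for disconnect:", flagged)
```

A limiter like this only bounds what one connection can cost you; an attacker with many identities needs the budget to also be enforced per resource (per channel, per pending payment) rather than only per peer, which is why a per-peer bucket is the first layer rather than the whole answer.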

Inevitably almost all networks go through this, and it really is a typical cat-and-mouse game in any public, permissionless blockchain.  It is really an IT security nightmare where no one is authenticated or vetted whatsoever.  There is little to deter organized and well-funded groups from attacking blockchains if they have enough motivation, and clearly many do.


Alibaba’s Sesame China’s All-in-One Credit Rating System

Alibaba’s Sesame Credit, which launched in 2015, is one of the highest-profile Social Credit Systems in China.  In part this is because it gathers a lot of data from Alibaba Cloud services (essentially the same thing as what Facebook, Google and other US companies do).  However, in China the process is more formal and complex, as it isn’t just for spying and marketing purposes.

It is a system that essentially rates your associates, activities and lifestyle, and not just your financial credit alone.  So it is both a pro and a con in some cases that these aspects are used, but it all depends on your lifestyle.

I find it highly controversial, and it all really depends on how fair the system will be and whether it is fairer than the traditional model.

With ICOs like Bloom I wonder how it will fare and compare?

Why Deleting Facebook Is Futile Unless…..

I’ve had this conversation with a lot of people over the years, and what I’ve found is that the majority of people are complacent about privacy and security.  In a way it is good that some have woken up to what Facebook is and has been doing, but there is this idea floated around by some that “I will trust Facebook until it gives me reason not to”.  This is a completely flawed idea in my opinion.  Facebook was never trustworthy, and its TOS always gave it a right to violate your privacy, harvest your data for both government and marketing purposes etc.  In fact Google, Gmail, Hotmail, Telegram, WhatsApp and the list goes on are free for a reason.  One, they make money by spying on you, and two, they also provide a great backdoor for the NSA to spy on you (hopefully everyone now understands the PRISM spying network).

There were times when some would debate the length and depth of spying by major free services, but this is no longer in debate.  If you are using these freebie services and just delete Facebook alone, you haven’t done enough.

Here are some steps to secure yourself and your privacy:

Delete Everything!

Seriously, stop using these free chat and e-mail services, and tell your friends and family that you won’t communicate via those mediums.

Secure Your E-mail

Use your very own, self-owned e-mail server with encryption, including GnuPG to encrypt e-mails both in transit and in storage.  There are providers who can get you a VPS or full Dedicated Server for this purpose.  You will probably find that your e-mail stops going missing, and is faster and more reliable to boot!

Stop Using US Based Massive Cloud Servers

This could be in the form of an Amazon, Microsoft or Alibaba VPS instance, but you can expect that those services will not be keeping your data private and have most likely been obliged to allow backdoor access to your server and data.

Another type of user would again be those who “store data in the Microsoft, Google or Apple Cloud”.  Stop using those services if you value your privacy.

Secure Your Chat

Everyone likes instant chat, but did you ever wonder why all the traditional chat services like ICQ and MSN Messenger shut down?  My belief is that being forced to chat on your phone makes it easier both to identify and track you and to spy on you.  Once again the top offenders are Telegram, WhatsApp and any similar ones.

To secure your chat you should run your own encrypted chat server.

These are just a few common-sense things you can do to make it much more difficult to have your rights and privacy violated.  Personal and intimate moments shouldn’t be uploaded to the Cloud for corporate and government agencies to peruse!

In general, try to think in a security-minded way, perhaps as you would about your house.  Would you feel secure at home if you knew your living quarters were shared with multiple people or were being spied on constantly?  Think about the steps you would take to protect your house or property from intruders and spies.  Your digital house works the same way, so be sure to keep the keys and access in your control and not that of a third party which can’t be trusted.

We Need A Better Coin Now!

Cryptocurrency today, as of the time of this writing, is in a bit of a flux and identity crisis.  Part of this is due to a well-directed campaign in the news via government and banking entities.  However, I will always give credit where it is due, and many of the flaws that have been pointed out by these entities are completely true.  In fact, from a business, security and IT standpoint I find that most cryptocurrencies are almost impossible to use.  There are coins that individually address “some of the issues”, but I have never seen a coin or team that “just seems to get it”.

Whether it’s how an ICO is run, basic functionality, security, privacy or getting out information, it seems apparent to me that the vast majority of teams and coins do not have sufficient combined IT and business knowledge to make things work.

There are just so many issues with a lot of the top coins that could kill them; let me name a few in no particular order.

Speed – 99% of cryptocurrencies are extremely slow taking minutes, hours or several days to complete a transaction!

Expensive – A lot of times you can spend a small fortune just sending a small amount of coin to someone (you could spend $100 to send $5 of coins with some Ethereum tokens, for example)!

Security – Most coins are by default completely insecure.  Any coin that has a public ledger is insecure and has zero privacy.  This allows for replay attacks and all kinds of nasty things.  It also means your activities are easily tracked and traced.  Imagine if your competitors could see exactly who is paying you and who you are paying, including the full amounts.  It would put your business at a huge disadvantage.  Having a “public, permissionless blockchain” such as Bitcoin, Ethereum, Litecoin etc. will mean the coins can never be secure when the whole public is involved.

Hardforks – Most coins are easily counterfeited, hard- or soft-forked, where basically anyone can copy an entire coin, rename it and call it their own, while confusing and devaluing the original coin holders.  This should never be able to happen, for the sake of sanity, continuity and integrity.  There have already been scams like the BTG Scam and replay attacks.

PoW/Mining – It is absolutely crazy that mining still exists; as cool as it originally was, mining is now a hindrance in many ways to the cryptocurrency community.  Not only is it wasteful in terms of energy resources, it is unsustainable in environmental, monetary and functional terms.  Returns are so slow with most major coins that it is almost not worth it unless your power is cheap or free.

To top it off, why on earth should we let transactions be controlled by “miners finding the next block”?  It doesn’t secure the network anymore, and that is because coins like Bitcoin were created before ASICs and assumed “no one party would hold more than 10% hashing power”.  Of course single pools in China have way more than 10% power, and so do some mining farms possibly.  This means that pools and large farms could work together to defraud people by sending false transactions and confirming them among themselves.  By the time the scam is realized the parties who initiated the scam would already have escaped with the money.

Mining also leads to centralization, the very thing that cryptocurrency was meant to avoid.  This is inevitable because as difficulty increases, only large corporate or government players with deep pockets can continue.

The same applies to running full nodes: large organizations will be the ones running them.
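The risk from a pool or farm holding a large share of the hash power can be put in numbers rather than left as a feeling. The following is an added example for this page, not code from any coin’s software: it implements the estimate from section 11 of the Bitcoin whitepaper for the probability that an attacker with share q of the hash power eventually replaces a block that already has z confirmations, and turns it around into the number of confirmations a merchant should wait for to keep that probability under a chosen risk. The attacker shares and the 0.1% risk threshold used below are just illustrative inputs:

```python
import math


def attacker_success_probability(q, z):
    """Probability that an attacker controlling fraction q of the hash power
    eventually replaces a block that already has z confirmations
    (the estimate from section 11 of the Bitcoin whitepaper)."""
    if q >= 0.5:
        return 1.0  # a majority always catches up eventually
    p = 1.0 - q
    lam = z * q / p  # expected attacker progress while the honest chain mined z blocks
    caught_up = 0.0
    for k in range(z + 1):
        # Poisson(k; lam), computed in log space so large z does not overflow.
        if lam == 0.0:
            poisson = 1.0 if k == 0 else 0.0
        else:
            poisson = math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
        # Probability the attacker, z-k blocks behind, never catches up: 1 - (q/p)^(z-k).
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def confirmations_needed(q, max_risk):
    """Smallest z such that the reversal probability drops to max_risk or below."""
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
    return z


def risk_table(shares=(0.1, 0.2, 0.3, 0.4), max_risk=0.001):
    """Confirmations a merchant should wait for, per assumed attacker share."""
    return {q: confirmations_needed(q, max_risk) for q in shares}


if __name__ == "__main__":
    for q, z in risk_table().items():
        print(f"attacker share {q:.0%}: wait {z} confirmations for <0.1% reversal risk")
```

The table is the practical takeaway: the six confirmations most wallets treat as final are only adequate against a small attacker, and the number climbs steeply as a single party’s share approaches one half, which is exactly the concern the paragraph above raises about large pools.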

Usability – Most coins are unusable because they are slow and insecure, but to make it worse there’s more.  The current coins are not easily integrated in a secure way.  You shouldn’t have to run a full Litecoin, Bitcoin or Ethereum node on a huge mega server with tons of RAM and HDD just to create receiving addresses and receive payments.  This is not only inefficient, it is insecure, because the same computer that generates the receiving addresses is usually the one that holds the wallet/funds.

To top it off, you can send to a wrong or non-existent address and lose your money forever with virtually all currencies.  Blockchain is just a big database; couldn’t some query be done to make sure the address actually exists?!  On top of that there is no feedback: no send-by-e-mail or notifications by e-mail, so you always need to keep your wallet open to notice.  It would be much easier if these different functions were kept separate.  However this is a problem too, because most cryptocurrencies are admittedly not secure if you don’t sync the entire chain.  And that’s another issue: syncing is a huge issue with coins like Ethereum, it is extremely slow and takes a ridiculous amount of CPU cycles.  Imagine paying someone from Craigslist in person and one of you says “hold on mate, sorry, I have to wait for my wallet to sync for hours or days!”.
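On the “send to a wrong address” point, the one check a wallet can do offline is the one Bitcoin built into its address format: a Base58Check address carries a four-byte checksum (the first four bytes of a double SHA-256 over the version and payload), so a mistyped or truncated address is rejected before anything is broadcast. The following is an added example for this page, not wallet code from any project; it implements the encoder and decoder from scratch with only the standard library and checks the well-known Bitcoin genesis-block address as a known-good input. The checksum catches typos and transcription errors; it cannot tell you whether anyone actually holds the key for a syntactically valid address, which is why the existence query the paragraph asks for is a different and harder problem:

```python
import hashlib

# Base58 alphabet: no 0, O, I or l, to avoid visually confusable characters.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload + checksum as a Base58Check string."""
    data = bytes([version]) + payload
    data += _checksum(data)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def b58check_decode(addr: str):
    """Return (version, payload) or raise ValueError on a bad character or checksum."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * leading_ones + body
    if len(data) < 5:
        raise ValueError("address too short")
    payload, check = data[:-4], data[-4:]
    if check != _checksum(payload):
        raise ValueError("checksum mismatch: mistyped or corrupted address")
    return payload[0], payload[1:]


def is_valid_address(addr: str) -> bool:
    """True if the address decodes with a matching checksum (no key existence check)."""
    try:
        b58check_decode(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # well-known genesis-block address
    print(genesis, is_valid_address(genesis))                # True
    print(genesis[:-1] + "b", is_valid_address(genesis[:-1] + "b"))  # False: one-character typo
```

A wallet that runs this check before signing turns “lost forever” into a rejected input, at zero cost and with no network access.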