22 Mar 2018

Review: Future crimes

The title of this book is a bit misleading, as the crimes described therein are happening right now. For example:
These are just a few of the examples that I have saved in the two months since I finished the book, and I haven't even tried to look for more as I've been focussing on taking steps to reduce my digital vulnerabilities. Put differently, Goodman's book (subtitle: "Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It") was so shocking that I -- someone who's worked with computers for 35 years -- decided that I needed to act (see below) rather than continue with business as usual.

In this review, I will go over some highlights from the book, but I will also give some advice on what you should do to prepare and protect yourself, even if you do not read the book.

Some highlights and thoughts
  1. Governments and businesses, hackers and criminals are relentlessly innovating to use technology to accomplish their goals. In most cases, these goals are not your goals, so you may be victimized as they exploit their power.
  2. Anti-virus software misses 95 percent of malware. Your computer may say "green" even when it's compromised.
  3. Greater connectivity means greater vulnerability. Systems that were secure for decades may be compromised by adding VOIP phones. Internet-connected printers might send your scans to China, etc.
  4. Multiple overlapping software and hardware installations in houses and cars mean multiple points of vulnerability, especially when these systems need to communicate with each other. "All of these software bugs and security flaws have a cumulative effect on our global information grid, and that is why 75 percent of our systems can be penetrated in mere minutes. This complexity, coupled with a profound laissez-faire attitude toward software bugs, has led Dan Kaminsky, a respected computer security researcher, to observe that today 'we are truly living through Code in the Age of Cholera'" [p 353].
  5. The Internet of Things promises to enable unprecedented levels of crime, mischief and just plain failure, as vendors are far more focussed on capturing market share than on protecting consumers from vulnerabilities. "Goodman’s law says that the more data you produce and store, the more organized crime is happy to consume" [p 86]. Frank Abagnale (both above and in this book) says that it's 100x easier today to commit the crimes he did 50 years ago.
  6. Google has no 800-number for users, as they are the product. Their 800-number is reserved for advertisers because Google makes 90 percent of its money from advertisements. (Facebook, likewise, was far more interested in $100,000 from Russian agents than in protecting the integrity of American elections.)
  7. Google was charged with violation of privacy when its "Streetview" cars grabbed private wifi codes, emails and photos as well as taking photos of the street. Facebook is tracking you across all websites with the Facebook like button, even when you're not logged in, even if you have no Facebook account. LinkedIn owns your data, your network, your CV, in perpetuity.
  8. All this data is sold, combined with other data and re-sold by data brokers: "Acxiom, Epsilon, Datalogix, RapLeaf, Reed Elsevier, BlueKai, Spokeo, and Flurry -- most of us have never heard of these companies, but together they and others are responsible for a rapidly emerging data surveillance industry that is worth $156 billion a year" [p 66]. 
  9. Free dating websites (OKCupid, Tinder) are not trying to find you love. They are selling your private information to anyone with a credit card. "Data brokers make money when they sell data, not when they protect it" [p 90].
  10. US privacy laws will not protect you, as social networks are considered "public spaces." Facebook has 2 billion users. Of these, 600,000 accounts are compromised every day. Kids are 50x more likely to be victims of identity theft. Their credit may be ruined years before they turn 18.
  11. Mobile devices are extra-vulnerable because users do not want to read fine print and apps can easily access other data on the phone. It only takes one rogue app ("Free game!") to open the door to your bank accounts or your company's "secure" wifi system. "Today 89 percent of employees are accessing work-related information on their mobile phones, and 41 percent are doing so without permission of their companies... more and more corporate information is at risk thanks to point-and-click spyware attacks against mobile devices" [p 111].
  12. Thieves and terrorists can use the GPS coordinates in photos to target you or your house (as happened in Afghanistan). Governments can use your phone's IMEI-identifier to penalize you for participating in a protest (as happened in Ukraine).
  13. Yelp, eBay, Amazon and TripAdvisor are not only allowed to change ratings for companies that pay (good ratings) or not (bad ratings), but their sites are filled with fake ratings designed to rip you off. (Another reason to ban adverts.)
  14. Automated banking and air traffic control systems can be spoofed or hacked to steal your banking credentials and crash planes, respectively.
  15. China's 2 million "online propaganda workers" direct online discussions where the party wants them. Facebook's algorithms serve the same function: to push your attention where it's profitable, not where you would want it, if you were in charge of your online life. How would you know you're being manipulated? You don't.
  16. Cyber criminals are not lacking opportunities but footsoldiers. With more people, they could steal 1,000x more. Underemployed but entitled youth are thus vulnerable to recruitment. (The guy behind Cambridge Analytica's theft of 50 million Facebook accounts, above, was 24 at the time.)
  17. Technology makes it easier to recruit: "Crime, Inc. uses freemium pricing, gamification, crowdsourcing, crowdfunding, reputation engines, just-in-time manufacturing, online training, and swarms for distributed project management in pursuit of the long tail of crime victims around the world" [p 193].
  18. Technology is making it easier for hackers to go after thousands, even millions, of people at a time. In the past only banks needed to worry about robbers because a robber needed a big reward to justify their risk and expense. Now it's possible for someone to "rob" millions with a few clicks and a network of bots to attack. "The computing and Internet crime machine has been built. With these systems in place, the depth and global reach of Crime, Inc.’s power mean that crime now scales, and it scales exponentially. Yet for as bad as this threat is today, it is about to become much worse, as we hand Crime, Inc. billions of more targets for them to attack as we enter the age of ubiquitous computing and the Internet of Things" [p 221].
  19. RFID identity cards and credit cards can be hacked, duplicated and used within minutes. At the moment, victims are often protected by fraud insurance, but that won't last if losses mount.
  20. Don't use the "public cable" to charge your phone. Hackers have already created cables that will inject a virus into your phone.
  21. Your laptop will not be attacked as it's not the weakest point in your home network. "Baby cameras, thermostats, toilets, lamps, and bathtubs [and other IoT devices bring] privacy and security risks. Many such systems use no authentication or encryption when communicating between an appliance, your mobile device, and the home system... attackers can now use the weight and strength of our own overgrown connections to defeat us. In effect, we’ve wired the world but failed to secure it—a decision we may well come to regret, especially as we begin connecting the human body itself to the Internet." [p 248&260]
  22. The technology already exists to build cheap drones that can target and kill people based on biometric identification. The video at the link is fiction, the technology is not.
  23. The "2008 Genetic Information Nondiscrimination Act makes it illegal for employers to fire or refuse employment based on genetic information. Though GINA applies to health insurance, it does not protect against insurance companies’ using genetic testing information to discriminate when writing life, disability, or long-term-care insurance policies" [p 336].
  24. It's possible to fabricate genetic evidence based on stored DNA data. Even worse, criminals can recreate polio, Ebola or Spanish Flu for around $1,000. WMDs at a discount.
  25. There's a need to re-align incentives. "The engineers, coders, and companies that create today’s technologies have near-zero personal and professional responsibility for the consequences of their actions. It’s time to change that...  These overreaching, entirely one-sided “agreements” [terms of service] should not absolve the companies that author them of all liability pertaining to how they keep and store our data. If they choose to keep every single bread crumb they can possibly gather on our lives, then they should be responsible for the consequences" [p 354-6].
  26. "A cyber CDC [Centers for Disease Control] could go a long way toward counteracting the technological risks we face today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world" [p 370]. The US government's US Digital Service is trying to help, but they cannot protect you.
To sum it up, we have Carl Sagan:
We have arranged things so that almost no one understands science and technology. This is a prescription for disaster. We might get away with it for a while, but sooner or later this combustible mixture of ignorance and power is going to blow up in our faces. [p 317]
So, now that you've made it past a deluge of fear (most of it justified), what can you do?

First of all, don't think that your innocence or obscurity will help you. 

Some people are optimistic that man and machine can cooperate in symbiosis, but plenty of corporations are using machines to profit from you. Google and Facebook are giving "free" services in exchange for our data. Do you know how much they are collecting, and how much privacy and choice you are giving up? Read Weapons of Math Destruction to learn how the algorithms can ruin your life by putting you in the "wrong box" or giving you the wrong information. Forget spam, how about facing a computer that sets prices to exploit your (assumed) income, a program that blocks your visa because you are in the "wrong club," or a denial of medical coverage because of who you slept with (your phone "slept" with theirs)?

Remember how an innocent Mr Buttle was arrested because a fly fell into the arrest warrant for Mr Tuttle?
National Geographic Magazine recently published on the surveillance that surrounds us. Perhaps it's for our own good, but how would you defend yourself against a mistake?

Governments can easily deny your rights in the name of "public interest," e.g., "If I were going to move the American people into a condition where they might accept restrictions on their encryption, I would first engineer the wide-spread deployment of a key escrow system on a voluntary basis, wait for some blind sheik to slip a bomb plot around it and then say, `Sorry, folks this ain't enough, it's got to be universal.'"

The (most recent) Facebook abuses have put a lot of attention on the EU's General Data Protection Regulation (GDPR), which will do far more than any US law to protect EU citizens. It goes into force on 25 May, and I look forward to seeing it enforced. The Dutch, meanwhile, [appear to] have voted against the SleepWet (Dragnet) law that will permit its intelligence services to monitor internet and mobile phone traffic without notifying anyone. That referendum vote is NOT binding, so the government plans to implement the law anyway. It's time for ALL people to switch to encrypted email (see PGP below), text messaging (see Telegram below), and TOR for internet browsing.

Second, don't assume "someone is taking care of it"

"Our legacy institutions are struggling, whether in education, health care, or law enforcement; technology is far outpacing the ability of government to respond. Until this point, much of the government’s approach to technological security has been merely window dressing and missed opportunities... Regrettably, the immune system protecting this global nervous system is weak and under persistent attack. The consequences of its failure cannot be overstated. As a result, it is time to start designing, engineering, and building much more robust systems of self-protection -- safeguards that can grow and adapt as rapidly as new technological threats are emerging into our world. Though it’s easy to focus solely on the abundant benefits technology brings into our lives, we ignore the accompanying risks at our own peril." -- p 350 and 378

So what can you do to protect yourself as well as reduce your contribution to the problem?

Follow the UPDATE protocol:
  • Update your software frequently. (After years of "let me decide," I switched mine to auto-update. I now use a Mac, which is more secure than Windows or Android because Apple puts more controls on what's available and how it's installed.)
  • Use a password manager and two-factor authentication for sensitive accounts (your email, bank, etc.)
  • Download software from trusted sites. Beware of "free" software as well as torrents.
  • Do not use your computer as the Administrator, to reduce the risk your "click" will compromise your system. I created an administrator account and removed admin privileges from my main account.
  • Turn off wifi, bluetooth, etc. when you're not using them, as those services are like an open door.
  • Encrypt your hard drive, phone, wifi connections
In addition to these steps, I have:
  • Reduced my footprint: deleting old accounts, uninstalling old software and apps
  • De-socialized: I quit Facebook last year and switched from WhatsApp (Facebook owned) to Telegram. I'm still on reddit and Twitter. Here's how to delete Facebook.
  • Turned off monetization on YouTube and unlisted my personal videos
  • Removed Google trackers from all my sites (except blogger, which hosts this one), as those cookies compromised people's privacy without giving me anything.
  • Installed PGP [Pretty Good Privacy] if/when I want to communicate via encrypted email. I find that few people do this now, but I'll be ready for the future: "Any number of citizens armed with PGP and such of its relations as digital cash and anonymous Net remailers can simply vanish from the governmental radar... they can effectively resign from the community of the governed and enter a condition in which their actions ordered by conscience and culture alone."
Looking for more?
Bottom line: I give this book FIVE STARS for clearly explaining why we're vulnerable to "future" (that is, today's) crimes and what to do about it. You don't have to read the book to protect yourself, but you do have to act. Go now and set up a password manager. Go now and set up two-factor authentication. Better now when you have some time than in the future when it will be too late.

For all my reviews, go here.


Brian Holtz said...

DZ wants the government to deny your right to see/display ads, then warns without irony that "Governments can easily deny your rights in the name of 'public interest'". Yup!

If "plenty of corporations are using machines to profit from you" is supposed to scare me, then I'm no longer the right audience for DZ. No, the only non-biotech items above that scare me are 1) government actions and 2) government reactions to such scare-mongering.

(Biotech is a very different topic, but re: Spanish Flu see https://www.cdc.gov/flu/about/qa/1918flupandemic.htm).

David Zetland said...

Sorry to see you go, Brian. Enjoy your corporate "newsfeed"

More seriously, which do you prefer: no adverts or adverts that deceive? Further, can you give a single example of corporate advertising that directly undermined government propaganda? B/c it seems to me that you're claiming free markets are not just better than fascist governments but their foil. I don't see that in history; I only see governments allowing free markets to prosper (i.e., rule of law, etc.)
