Why no one should be surprised by the Facebook / Cambridge Analytica “breach”

As I’m someone who is concerned about privacy and the invasiveness of technology in our lives, you might be startled by my response to the alleged “data breach” in the Facebook / Cambridge Analytica saga.

My reaction: “It’s not a breach if data was supplied with consent!”

Of course, the important word is “if”.

How often have we seen our friends post on their Facebook profile the results of some new personality test, IQ test, or super addictive free game? In the (very few) cases I might click through to see more, I then get a consent form, more or less saying that “App XYZ requests access to your Contacts, Photos, Posts, Messages, First Born Child and Bank Account.”

So I was confused about why people were calling it a breach.

Of course, further details are coming to light, and Facebook is currently under FTC investigation. It may emerge that there were legal violations. But from a purely technical viewpoint, I don’t consider it a technical breach. Harvesting data is what Facebook and many other companies do – it’s their business model. Here, profile data was scraped by one or more apps, and consent was provided by users who voluntarily used those apps, and this happened within the technological limits and boundaries in place.

But morally, was it a breach? That’s a different question…

Let’s say that I’m person “A”, and my friend is person “B”, the app developer is “C”, and Facebook is “D”. Let’s say I shared private messages and photos with “B” on Facebook.

If “B”, my friend, clicks “Agree” to use an app from “C”, then that’s complicit acknowledgement that the user is happy for his or her own data to be accessible to some unknown 3rd party – which is a very brave move in my view to share your life with someone (or more likely, a company) that you’ve never met. One has to assume that it will be downloaded, mined and stored, even if the original Facebook account is deleted. (Note: GDPR Article 17 will be very welcome.)

I think it’s fair enough; “B” provides that consent to “C”, so the data is fair game.

But how far should consent extend?

As person “A”, I didn’t consent to “C” taking a copy of all messages that I had sent to “B”, or having access to my posts and photos. I have given them to “B”, not “C”. So does “B” have a right to then give copies of that data to “C”? And does “D” have the right to facilitate it?

This raises numerous legal questions, and with laws varying worldwide I’m sure there’ll be different answers.

As a technologist, I really want everyone to realise something.

Facebook is not your friend. It’s a money-making machine, and it makes money by collecting and commercially exploiting your data. No one should be surprised when that data can be used to manipulate our thoughts.

Nor are 3rd party app developers your friend. Especially if the app is free, they’re probably making money by commercially exploiting your data.

Further, data that is posted to Facebook is voluntarily provided by its users. Facebook never forced anyone to use its service or to upload information to it. Every time you visit Facebook, it knows your IP address and connection time. It knows what links you click on, it knows your behaviours, preferences, interests. It’s Big Brother.

Facebook doesn’t force anyone to upload photos or comment on posts. Facebook doesn’t force anyone to use 3rd party apps, or to click on a consent button to share that information with others. It’s voluntary.

It really should come as no surprise to anyone that the data is scraped, harvested, mined, analysed, stored, and can be used to manipulate you.

And once data is “out there”, you have to be prepared for the consequences, good and bad.

It’s not the advertising that I think we should be worried about. It’s all the unintended consequences that should be concerning.

Let’s take an example. Say you’re an avid user of social media, and you also happen to enjoy posting your holiday photos and getting likes and positive comments from your friends. Maybe you’re even careless enough to post photos of your airline boarding passes. Your photos probably contain geo-tags of your location and the date/time of the photo (as Paris Hilton found out when she unknowingly tweeted her home address). This means you’re giving Facebook a history of your movements – information that users know will be used by Facebook and other parties that you consent to share your information with.

But it’s not just Facebook or app developers that can use the data. Let’s say a clever cyber stalker befriends you with a fake account… then suddenly they can see your photos too. And when they see you’re on holidays, they know you’re not at home. That’s very useful information for a thief. (Just ask Paris Hilton.)

With awareness of how our data can be used, I hope individuals can better protect themselves from these situations.

I strongly believe that the only way to have privacy in the age of the cloud is to do several things:

1. Firstly, recognise that using cloud services can easily leak your data – even if legally they shouldn’t. A technological malfunction, like a bug in the cloud provider’s systems, can cause a data breach, or a hacker can compromise your cloud account or a friend’s cloud account. Be careful what information you put out there, and with whom you share it. In the worst case, private data can be made public, as the nude celebrity photo incident revealed.
2. Take control over your own data by using client-side encryption (sometimes called end-to-end encryption). That’s the only guaranteed way to have privacy because you control your own key.
3. Delete unnecessary data in the cloud when it’s no longer relevant. Hopefully over time the data will be deleted off the cloud provider’s systems, and future leaks will be prevented.
4. Pay for data hosting and use only companies with clearly stated data handling procedures. And avoid companies that provide free services. At the end of the day, you can either pay with money, or you pay with your privacy.

If you want complete privacy, you don’t have to live in a cave. Just encrypt everything and keep your keys private. You can still enjoy a lot of the benefits of the cloud, but without the drawbacks. Some good encryption products featuring client-side or end-to-end encryption are:

  • ScramFS and ScramExplorer for encrypted file storage
  • Wire for encrypted instant messaging
  • GPG for encrypted email

Let’s all stay safe.

Origin Energy phishing alert – do not pay any bills until you read this post!

Today I received an email that looked like a bill from Origin Energy.

It looked very authentic – there was good attention to detail, and I’m sure that this will deceive many people.

Do not pay any bill from Origin until you learn how to identify a fake

I’ll cover several ways to spot a fake.

Sign 1: suspicious Pay Now link

Here’s what the email looks like:

When you mouse over the links, most of the links go back to originenergy.com.au, which is Origin Energy’s real website.

However, the View Bill link goes to this address:



This is the first sign of a fake email – when the most important link (the pay link!) goes to a different website.

However, the crim has done a good job here – Energy Australia is a legitimate entity, and the domain name looks plausible. Many phishing domain names look immediately dodgy (e.g. paypal.deoihgw.com). So this deserved further investigation.

Sign 2: Website

The next thing I do is to visit the website of the domain. Here, it’s obvious that the crim has done a good job. Here’s what the website looks like:

Because it looks legitimate, many people will assume this is real, and then click on the link. However, it’s actually very easy to create a website that looks like the original – simply download all their assets (HTML files, CSS, images) and host it on your own site.

This started to look like a very good fake, so I had to dig deeper.

Sign 3: Free HTTPS certificate

The next suspicious sign is the certificate that was used on the phishing domain. It is a free certificate from Let’s Encrypt – this only guarantees the privacy of the website traffic, not the authenticity of the website owner.

This is important to understand – encryption does not guarantee authenticity.

Sign 4: The giveaway: DNS records

The absolute giveaway is in the DNS record for the website, energyaustralia.info.

Here you can see that the website was registered today (27th March 2018), to an address in China.


In contrast, the actual Origin Energy website is registered to a company in Australia.


This is a phishing scam. It looks authentic and is well done, and I expect it will fool many people.

Do not click through on the link, and definitely do not pay any “bills”!

To look for a phishing scam, follow my process above. Please share this post so hopefully no one will fall for this scam.

Hackers Can’t Hide Forever… Even the Allies of Powerful Russian Politicians

The 32-year-old son of a Russian parliamentarian and an ally to Vladimir Putin has been sentenced to 27 years in prison by the U.S. government for causing damages worth $169 million. Roman Selenev, known as “Track2” in the cybercrime underworld was described as a “pioneer” of credit card data theft. His modus operandi was hacking point-of-sale systems to steal credit card data. Not only did he drive several U.S. firms to bankruptcy, but also established an entire market for stolen credit card information.

Hackers are now going to prison for 20-30 year stretches. The number of hackers being successfully prosecuted and receiving prison sentences has grown in recent years. In the murky mix of state-sponsored hacktivism and criminality, authorities in Russia and China have assisted the US in capturing hackers. The criminal hacker who stole a vast amount of customer data from JPMorgan Chase was arrested with the assistance of Russian intelligence in December. He had been hiding out in Moscow. Chinese authorities arrested hackers in connection with records theft of staggering 22 million U.S. federal employees. This is just a small sample of successful captures.

The growing issue of cybercrime

The reality is that cybercrime does pay and is difficult to defend against. Law enforcement resources are overstretched and hackers are getting away with it. Even though more criminals are being apprehended, that number is most likely being dwarfed by a greatly increasing cybercrime wave. It is reasonable to assume that the ratio of incidents to arrests is growing larger by the year.

The statistics on cybercrime are frightening. Approximately half of all reported security breaches are caused by hostiles, with the remainder due to system or human error. The cost of a data security breach is estimated at $4 million on average. Actors in the cybercrime underworld can be categorized into four distinct groupings: pranksters, super-criminals, hacktivists and nation-state attackers.

Detection and prosecution of the criminal elements are restricted by global reach of the Internet. The law enforcement agencies of nation states already have a full case load of local crime issues without the added difficulty of seeking cross-border cooperation. Also, the skills required to pursue hackers are still in relative short supply within law enforcement agencies.

Stay clean, stay safe

Young people, especially those who possess the necessary technical skills, can be easily seduced by the seemingly easy pickings. Criminal activities can be launched from their own bedroom these days – what the FBI calls “criminal computer intrusion”. Phishing, fraud, ransomware are all on the rise. Often the perpetrators are 18 and 19 year olds.

For regular law abiding citizens or “netizens”, it pays to utilize a heightened sense of awareness online. Scams and get rich quick schemes abound. The old adage of “if it looks too good to be true, then it probably is” certainly holds true more often now than it ever did before.

Simple precautions include never clicking on email attachments from a source you do not know or completely trust, and not using the same password for every online account (an extremely common security weakness, apparently).

The cavalry will not come over the hill

For companies and individuals, it is important to realize that every device with the capability to access the Internet, can also be accessed from the Internet. This means that hackers can infiltrate equipment, systems and confidential information. The authorities can only do so much and it is not their responsibility to come to the rescue of every person or company that has been attacked and suffered a data security breach.

Microsoft Word 0-Day Exploit – and the State Sponsored Hacktivism Behind It

Zero-day vulnerability is a flaw that hackers can exploit on the same day it’s identified, leaving zero days of warning for the unaware, unsuspecting victims. In the case of Microsoft Word Zero-Day vulnerability, hackers knew about it since at least Nov 2016. Forensics have detected traces linked to attacks on Russian targets in addition to the mundane cybercriminal attacks that surfaced recently. A UK company that sells spyware systems to governments was named as the supplier, suggesting potentially state sponsored hacktivism in action.

The vulnerability affects almost every version of Microsoft Office out there. It was found in the Encapsulated PostScript (EPS), a graphics filter functionality. Victims were emailed a Word document that bypassed the standard warning about enabling macros. That server than sent a malicious payload, an RTF file disguised as a Word document to infect targeted systems. The external content was not accessed until users said OK to the standard warning about remote content. You can read more details in the Microsoft announcement of the security patch and their advice not to switch on that particular filter. The Sophos site describes the mechanics of the exploit. This article claims that three groups were exploiting the vulnerability prior to its discovery.

The Upsurge in State-Sponsored Hacktivism

State sponsored hacktivism is nothing new. Many observers believe that the Russian group Fancy Bear is attached to Russian military intelligence. The recent embarrassing public dumps of the NSA hacking tools appear to indicate a similar role for them. Some recent suspected state sponsored hacktivism targets included the UK Brexit referendum ad the US presidential election.

Governments are increasingly harnessing hired-in hacking skills as a weapon, both against internal dissidents and external states. It’s obvious why – low cost, very difficult to detect when done successfully, even more difficult to trace and next to impossible to find proof and pin blame with any degree of certainty. It’s also not thought of as being in the same destructive category as dropping bombs or invading countries. Russia and China have been in the headlines recently as prime suspects. No doubt western allies have been active too. The incidence will increase, not go away. Government funding attracts hacking groups to offer their services and the advantage is all too often with the attacker.

Will State Hacktivism Affect the Average Business?

Yes and no. It’s no secret that governments collect and store all digital phone calls, for example, and endeavor to do the same with email. Innocent personal communications are in the mix but it’s difficult to perceive any sense of threat for law abiding citizens. However, this touches on the great privacy debate and the balancing act between a state protecting its citizens and prying too deeply into personal lives. It is not going to go away.

The age-old advice about not opening email attachments still holds strong. If you’re not aware of the sender’s true identity, you must not click unsolicited links or download attachments no matter how innocent or attractive it may seem.

This attack depended on users ignoring the standard Microsoft warning that some content is on external servers. Users should pay heed to warnings like that, and stop to think for a moment before proceeding.

An anti-virus system with real-time scanning will detect and block many attacks, although not all.

You can find more advice here.

U.S. Senate Votes to Kill Privacy – Here’s How to Mind Your Browsing Habits

The U.S. Congress has passed the repeal of the broadband carrier privacy rules that required ISPs to seek consumer consent before selling Web browsing and app usage data to advertisers. The law was approved by the Obama administration and scheduled to take effect by the end of this year. It means that ISPs are legally entitled to sell their users’ browsing history to the highest bidder by default and without requiring permission.

Of course, free services like Google and Facebook have been doing this for years but people pay for a broadband connection. That makes it quite a bit different. While ISPs should provide an opt out, the measure erodes any vestige of privacy for surfing. People who are not reasonably tech-savvy may be totally unaware of the new playing field and fall victim by default.

So What Can You Do?

The usual precautionary measures such as clearing browser history and deleting cookies, setting browser to incognito or private mode, or installing software designed to prevent tracking by advertisers are rendered ineffective since your browsing sessions take place via servers and network of the ISPs. Instead, here’s a list of viable solutions to prevent an ISP from selling your Web data:

1. Apply to opt out

ISPs should provide this option. If not, users should contact them. It’s not exactly ironclad because many ISPs are vague about exactly how they track the online activity of their subscribers. The FCC fined Verizon $1.35 million last year because it neglected to tell smartphone users that it was using “supercookie” technology to track their browsing habits, regardless of privacy settings, and did not initially provide an opt-out.


2. Switch to a different ISP

Not all ISPs will implement this legal data sharing opportunity. Some smaller ISPs actually protested against the repeal. Changing ISPs may be easier said than done for users in rural locations where choice is limited or non-existent. However, expect some ISPs to develop a non-sharing policy as a marketing strategy. Watch this space.


3. Invest in a VPN

A Virtual Private Network is like an encrypted tunnel between a computer or phone and the Internet. In theory it guarantees privacy but not all VPNs are equal. Buyers should perform due diligence by way of researching expert reviews. That One Privacy Site is an excellent review and monitoring service run by a knowledgeable enthusiast for the tech and privacy savvy individuals. It’s probably best to avoid the free services because, who knows, maybe they might as well sell the browsing history of their subscribers. After all, they must generate revenue somehow. A VPN will slow down surfing and users may not be able to view high quality video streams on Netflix, for example.


4. Use Tor

Tor supplies a browser and service that hides your location and conceals your surfing activity so that it cannot be tracked. There are many thousand computers, called relays, in the Tor network, all provided on a voluntary basis by fans of the service. The service bounces the web traffic of its users between several of these relays on a random basis. Like a VPN, it slows surfing speeds. Also, it is for the technically minded only – or perhaps configured by a technically minded friend.

The privacy law repeal only impacts ISPs in the U.S., but the implications are applicable to Internet consumers across the world. Many countries have not enforced strict privacy laws to prevent ISPs and internet companies from freely selling consumer Web data. In this case, consumers are at their own discretion to adopt Internet privacy best practices.

Encryption Apps Let Trump Aides Break the Law – Would You Compromise Transparency for Privacy?

Senior members of the Trump administration have resorted to encrypted communication apps amid email hacking concerns that disrupted Hilary Clinton’s presidential election campaign and exposed sensitive conversations of Democratic National Committee (DNC) members to WikiLeaks.

The use of encrypted and disappearing messaging apps at the White House may violate the Presidential Records Act, which necessitates archival and retention of work related communication for transparency and litigation requirements. Trump aides are reportedly using the messaging app Signal that offers end-to-end encryption for personal communication. Maintaining a complete record of email communication at the White House is already a tough endeavor, and adding encrypted communication to the mix will only make it difficult to enforce the public disclosure laws.

At the same time, the Trump administration also fears White House staffers are using the technology to expose the government’s darkest corners without leaving a digital trail. The messaging app Confide with its SnapChat-like features of disappearing messages is allegedly being used specifically for this purpose by some U.S. government officials.

How Encrypted Messaging Works

Encryption is the process of converting information into a random and apparently meaningless data (cyphertext). Various mathematical functions or algorithms may be used to convert original data into encrypted cyphertext. The process of converting cyphertext back into its original form is called Decryption.

Modern cryptographic protocols utilize numeric codes known as Encryption Keys encrypt and decrypt the data. The Keys are available only to the sender and recipient of encrypted information. Third parties including hackers, government agencies, Internet Service Providers and even the encrypted messaging service providers such as Signal and Confide cannot legally access Encryption Keys. Private communication between end-users therefore remains elusive and untraceable by legitimate means.

Privacy or Transparency?

The concept of secure encrypted messaging is widely popular and appreciated for personal use, even in the White House. Regulations that necessitate data retention apply only to work-related communication that involves senior government officials to ensure transparency. To enforce public disclosure laws for communication that takes place via end-to-end encrypted messaging apps, the government will also need decryption keys to make sense of the encrypted data archived by the sender and recipient. To make matters more complex, apps such as Confide go a step ahead with disappearing messaging features that prevent users from archiving or even taking screenshots of the communication.

Third-party encrypted communication apps are skewed toward privacy, to a point where end-users cannot be held accountable for their communication, since the paper trail is entirely inaccessible and eliminated. In a public office or collaborative workplace, excessive privacy compromises transparency. The concerned authorities should therefore remain on top of the communication technologies used by employees and may need to regulate the use of end-to-end encrypted communication apps for work purposes. The tradeoff between privacy and transparency will emerge as a pressing need of the corporate world in response to rapid adoption of encrypted communication technologies by security-aware end-users.

Catastrophic Data Storage Failure in Australia – Could You Be Next?

“. .this is the first time this problem has been encountered anywhere in the world,” said acting CIO Steve Hamilton of the Australian Tax office (ATO). Except that maybe it has happened before. It’s a reasonable assumption that he was merely repeating a line that was fed to him by somebody he believed. I wonder who that could be?

The ATO transferred their data storage capability from end-of-life EMC/HPE equipment to a new HPE 3PAR SAN (Storage Area Network) ‘as-a-service’ model in Nov 2015. It failed “catastrophically” just over a year later. The ATO lost 1 Petabyte of data because the automatic failover to the second SAN did not come online. Corrupted storage blocks on the main SAN had been faithfully copied to the second SAN.

The ATO does have another backup source, so the data loss is not total or permanent. It knocked out the operation of a large portion of a nation state’s government department for two days. Undoubtedly there will be financial repercussions for HPE and it’s another major blow to the Australian government’s reputation for technical capability in a short period of time after the recent census disaster.

Who are HPE and what is 3PAR?

Hewlett Packard Enterprise invites large enterprises to outsource: “We deliver high-quality, high-value products, consulting, and support services in a single package. That’s one of our principal differentiators.” HPE and Dell fought a bidding war to acquire storage systems supplier 3PAR in 2010. HPE won and paid $2.35 billion. 3PAR SAN systems utilize solid state flash storage that takes advantage of virtualization and cloud resources to promise faster processing speeds.

What went wrong?

The backup design seemingly allowed undetected corrupted data storage blocks to be duplicated to the second SAN, which may indicate a lack of data integrity checking. The root cause analysis of high profile incidents like this is rarely made public. The culprit could be a defective firmware upgrade or simple human error. We will probably never know. The symptom has surfaced previously with 3PAR SAN solutions, like this incident two months earlier. Anecdotal evidence seems to indicate other similar occurrences but IT failures at regular commercial enterprises rarely make it into the headlines.

What could have been done to mitigate the extent of the impact?

From what we know, the design revolved around a single data domain. That appears to represent a single point of failure no matter how much redundancy is built in.

Who is the usual victim of incidents like this?

Large enterprises up to government level are key clients to vendors such as HPE. Outsourcing deals of this nature are big budget projects. The ATO installation was part of a $92 million (AUD 1.29 billion) IT investment, to put it in perspective. Finger pointing inevitably occurs but the client typically puts its faith in the perceived capability and reliability of the vendor for technical design and support of a fit-for-purpose delivery.

How can this scenario be avoided?

It all boils down to the robustness of the design and whether or not the client is willing to spend sufficient budget for the safest possible option. That is not to criticize the ATO. The optimum solution could involve multiple vendors and come in at a cost that any financial controller would blanch at. As always, the delivered solution is a compromise between suitability and affordability. The ATO incident generated interesting technical debate on forums such as Whirlpool that sheds some light on SAN design and similar incidents.

Whenever an organization outsources an operational function, it places its reputation in the hands of the supplier. The bigger the organization, the harder the fall if things go wrong. And it does not get much bigger than a government’s reputation and the consequent slap-in-the face to the politicians in charge. The media exposure and feeding frenzy guarantees a major hit to the supplier also. For the client, the old tried and trusted avenues of due diligence and assigning qualified experts to perform rigorous scrutiny of the vendor’s proposed solution remain the best defense.

Are the Chinese Reading your Texts Right This Minute?

About 700 million Android phones were sending the contents to a server address in China every 72 hours. The owners of the phones had no idea it was happening. The data known to be extracted included:

  • Location information (where you were, at all times)
  • Call logs (who you spoke with)
  • Text messages (including deleted messages)
  • Contact lists

The backdoor was in the firmware in a chip of a component part that was supplied to a large number of Asian phone manufacturers and at least one American one. It was only discovered when a security analyst bought a $50 infected phone for testing and noticed an unusually high level of network traffic when he powered it up.

Was this a one-off occurrence?

Roughly 5 to 6 new Android phones are released by manufacturers on the worldwide market every day on average. The greatest growth surge is in the Asian market where there is a proliferation of extremely cheap devices. Intense price competition means that manufacturing costs must be kept low, which invites supply of the cheapest components whose cost may be secretly subsidized by an interested party. The company involved, Shanghai AdUps Technology, supplies software to phone component manufacturers that can also remotely install apps on a smartphone and update them on demand.

Just how private is my phone’s data?

Forget any notion that a simple passcode keeps your phone data confidential. There are companies, many of them, who specialize in developing and selling equipment that can crack most any phone’s security and suck out the data contents in seconds. Those companies sell that hardware to government security agencies like the FBI and NSA both domestic and foreign, police forces, corporate clients, and most anybody who can pay the price. They may present a veneer of ethics by checking the credentials of potential clients but that is a flimsy defense against allowing the equipment to fall into the “wrong hands”. That is in addition to the shadier activities of software and component suppliers like the China company.

Why would they want my information?

A state actor would have zero interest in the phone data of the average person – only of individuals with access to facilities, organizations or activities (including criminal) of interest to them. The biggest usage by far is in the field of Big Data that is used for marketing or product development purposes by manufacturers and software system vendors. That is the purpose that the Chinese company said was behind their theft of phone data. But don’t for one moment think that a government agency would not suborn that data if the need arose.

How can it be justified?

All nation states have their own specific security interests and prioritized list of targets. They can use the excuse of national security, counter-terrorism, policing criminal activity, or any other rationale they choose. History is littered with examples of government agencies acting outside the law in most any country you choose to name. The Internet enables state actors to easily access any other state, attempt to hack into its agencies, government departments, defense contractors, banks, and even the general population as evidenced by the China mass phone hack.

Why is it so important?

Some people naturally think “what the heck – I don’t care because nobody would be interested in my boring old texts etc.” But that misses the point. Privacy is as vital a concept as freedom of speech or the right to vote. Just because you don’t bother to vote does not mean you don’t care about that freedom or right. Erosion of personal rights is a characteristic of despotic states. Any weakening of those rights and freedoms is a move in that direction.

Surprising Developments in Artificial Intelligence Cryptography

You may not have heard of the Google Brain team. They are a pretty fringe department, based out of Mountain View, California. Google Brain is, as the name suggests, all about A.I. development. Specifically, A.I. functionality achieved using neural networking.
Recently Google Brain took it’s 3 resident neural networks named Eve, Bob and Alice and gave them a little problem to work on. Alice was instructed to encrypt and send a message to Bob. Bob was instructed to decrypt the message from Alice. And Eve was instructed to try and snoop on the message. Alice and Bob were each given the same unique key to use as the encryption key for the message.
That’s it. They were not given any information or data on cryptography. They had to work from scratch, building their own cryptography algorithms. Over several runs of the test, Alice could develop a cryptography technique that Bob matched, and decoded the message. Eve managed to partially snoop on the message on several occasions, which only resulted in both Bob and Alice improving their cryptography algorithms!
Sci-Fi sexiness aside, the big takeaway here is that these neural networks invented cryptography algorithms that the operators didn’t understand. They were truly groundbreaking.

The Human Weakness in Cryptography
So far, the Google Brain team have managed to work on symmetric encryption of data. The current state-of-the-art in this field, that was designed by humans, is still AES. Provided the key is kept secret and side channel attacks are mitigated, AES is regarded as impossible to break with today’s technology, and when used with a 256 bit key, AES-256 is regarded as secure against tomorrow’s quantum computers.
However, the weakness is still key management. Us mere humans need to manage and secure our encryption keys. This means physically storing them somewhere and involving physical security, and also protecting physically stored keys with passwords. In the entire mathematical scheme of things, it’s the human factor that remains the weakest point.

Where to from here?
Is it possible that a computer can design a better cryptosystem than humans?
At first glance, this seems like something out of a Sci-Fi movie, but other areas of machine learning have seen machines become as competent if not better than humans. In 2014, the DeepFace project at Facebook achieved a level of facial recognition on par with that of humans, and automated facial recognition machines are commonplace at immigration desks in airports around the world, replacing human agents. Self driving cars are now safer than human drivers, with Elon Musk foreseeing a future where manual driving will become illegal..
In the view of the author, AI cryptography does have a long way to go. In particular, current “human” cryptography allows cryptographers to provide mathematical proofs of security. The challenge with AI is that no one understands how it works – so is provable security possible?

What Happens When a Smart City Gets Hacked?

It was only recently that a major hack took place that targeted Internet infrastructure in the US with one of the largest DDoS attack ever recorded. The root cause was tracked back to overlooked security vulnerabilities in hundreds of thousands of compromised connected video cameras. Similar IoT-enabled cameras and sensors are driving forward the Smart City initiative that depends on these devices to manage the entire city’s infrastructure and assets.
Essentially, this dependency suggests that even the smallest of security weak points within the Smart City infrastructure can escalate security exploitation to unimaginable and uncontrollable levels.


Is a Smart City a Dumb Idea?

Just think about it a moment. If we take the concept of a Smart City to its goal, we have a very real potential for catastrophe if security vulnerabilities exist within the technology used.
Consider for a moment that a) by 2050 it is predicted that over 66% of the world population will live in an urban area and that b) smart technology is going to be the only way to manage these huge urban populations.
Smart cities are not simply a pipe dream, amusing on the potential of creating a digital utopia. They are going to be a fixed requirement for the changing shape of the global population. In effect, they are an unavoidable byproduct of the steady shift towards global urbanization.
So, what are the implications of a Smart City being hacked? In a worst-case scenario, we have death and mayhem. At the other end of the scale, we have day to day life for residents interrupted and hindered.

A Public Exposed to Harm Through Bad Technology

Currently, most successful hacks target network infrastructure that is responsible for carrying data. So, if one is successful, we might lose access to our favorite website or TV channel for a while. An annoyance, buy hardly life threatening.
Now fast forward, to a time when smart cities are helping to ease traffic by routing and possible driving our smart cars. When emergency services and law enforcement is centrally controlled and managed via smart technology. When public transport is scheduled and managed using tech. And when everything down to booking a tennis court at the local community center is the responsibility of the technology running the smart city.
Hackers for almost the very first time, can start getting physical in their attacks. These could be relatively harmless attacks such as block booking that tennis court for the next 100 years. But they could also be life threatening if they gain the ability to begin rerouting traffic whilst sending the emergency services elsewhere on a wild goose chase.
Smart cities are fast becoming a reality. However, the technology we are using to build these digital urban playgrounds is far from being secure. There is a clear and present danger in rolling out smart city deployments before the standardization of IoT device security is first specified, and then adhered to by every manufacturer.