Privacy and anonymity in the modern world

Lance Cottrell, chief scientist at Ntrepid, chats with Chris Sienko about the evolution of privacy and anonymity on the Internet, the impact of new regulations and laws, and a variety of other privacy-related topics.

Chris Sienko: Hello and welcome to today's edition of Infosec Institute's weekly video series and podcast. Today our guest is Lance Cottrell, chief scientist at Ntrepid, and he'll be talking to us about his long history of online security and the importance of online anonymity in the world we live in, in which it seems like our every move, choice, and even click is logged, filed, or exploited.

Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid, then Abraxas, in 2008. Anonymizer's technologies form the core of Ntrepid's internet misattribution and security products. As chief scientist at Ntrepid, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats.

Lance is a well-known expert on security, privacy, anonymity, misattribution, and cryptography. He speaks frequently at conferences and in interviews. Lance is the principal author of multiple internet anonymity and security technology patents. He started developing internet anonymity tools in 1992, while pursuing a PhD in physics, eventually leaving to work on those technologies full time.

Lance, thank you for being here today.

Lance Cottrell: Thanks very much.

Chris: Great. So let's go way back here. It says you began creating online anonymity tools going back to 1992, and I thought that was really interesting because, you know, that was right about the time that I got on the internet, and the internet felt a lot smaller and maybe less all-encompassing than now. So what was it that caused you to focus on anonymity and personal security online so early?

Lance: There was a couple factors. So being in physics at that time, we were the people using the internet. The web was invented that year, so I was setting up a website when there were no search engines and we were doing experimental astrophysics. We were going out to telescopes and it turns out you've got a lot of bright people with a lot of time on their hands at telescopes, and so protecting the target lists that you're going after became important, and so we started doing cryptography.

And this was about the same time that the government came out with its Clipper chip initiative. It was an idea that in a ... Cryptography is important. Security is important, but we're not really comfortable with strong crypto and so we think that we should have a piece of hardware where the government gets to keep a copy of all the keys, and many people thought that this was a substantially bad idea, and a group called the Cypherpunks started building open source software as fast as they could, and I got involved with that.

So in my spare time, because of a political belief that we needed to create these tools and open source them, because the claim was that they were gonna release this chip but then you could use your own crypto but no one believed that. It's not gonna work unless you outlaw the other stuff, so create a fait accompli.

So I started building anonymous email systems at the time. Released them open source. They really started to take off. They were getting a lot of interest but they weren't very usable like a lot of ... kind of hacker made tools, you had to compile it on your Linux workstation which was never gonna be useful for mom.

Chris: Right.

Lance: And so I started Anonymizer as a vehicle to create these tools and these capabilities for the average user. Something that was gonna be user-friendly, would work on Windows and Mac, wherever you happened to be, and of course the web was really starting to take off at that time as well.

Chris: Do these tools that you've created, do they still work on similar principles to privacy tools that we use today or has technology sort of changed significantly that these are sort of relics of the past?

Lance: Many of the core concepts still apply, so with Mixmaster, you had multiple hops, like you do with Tor and things like that, trying to hide the path. Hiding things is a lot easier with things like email because you can store them forward and mix things much more easily. Once you're getting into a situation where you're doing real time data transfers, where I'm trying to hide, say, streaming video? That's a lot of data to try to hide over a long period of time and it becomes much more difficult to obscure it, but really I think that the big challenges to privacy now are less about pure anonymity and hiding yourself completely, and becoming more about how do you manage your identity and privacy in the context of social media and things like that?

We're hemorrhaging information. We're putting up photos of ourselves on these public platforms all the time, building a fantastic data set for anyone who wants to do facial recognition or anything else. Hell, it's become a much more multi-faceted thing. Privacy used to be much simpler.

Chris: When did it become apparent that fraudsters and phishers were starting to take over the internet?

Lance: Yeah, you know, it's funny. In the early days of the internet it was this real trust environment. You know, people —

Chris: Yeah, that's what I was gonna say. It seemed like it was a long time ...

Lance: — Other scientists and it was small and, you know, there was a handful of bad people but I have to say, it was the early 2000s that I really felt like it was shifting. Before that the hackers were mostly counting coup right? They wanted to deface your website. They wanted to do something else and suddenly in the early to mid 2000s, this became a profit making enterprise, and the hackers went from, you know, "let me show you what I can do," to, "how much money can I make from this?"

And that completely changed the equation. It professionalized the hackers in an amazing way. It led to specialization and division of effort. The guy who hacks your computer is not the guy who wrote the software is not the guy who will monetize the stolen information.

Chris: Right, it ... sort of infrastructure of crime this way that's starting to build up.

Lance: Yeah, there's a real ecology and economy, you know, happening under the surface and it's made the problem much worse because these people can then specialize in these areas and get really good at the thing they do.

Chris: You think there's maybe a shift around that time in terms of ease of access? You were saying that the early internet was just scientists and people who really wanted to be on there and stuff. It seems like maybe in the early 2000s ... like you say mom and more people were sort of getting on the internet. Do you think that the rise of the internet of this "for everyone" culture that also sort of parallels the rise of the crime?

Lance: Absolutely. I mean I think there's a lot of conflating factors that went into that. For example, you had more targets. More people on it. Probably less sophisticated people, but you also had a lot more e-commerce going on. In the early days of the internet, it was all sharing information but there was very little money actually happening on the internet, but by the time you're getting into the 2000s, big online retail, lots of credit cards flying around, online banking, eBay auction frauds, all these other things that provided mechanisms for monetizing it.

And even businesses moving so much of their communications online, you can do business email compromise, and so as more of the economy went there ... I really think, fundamentally, it's just that the criminals followed it.

Yeah, and I mean you can really out yourself as an old guy and ... there was a time before PayPal when you could just send a check, but once money is sort of like passing back and forth in credit cards on the computer, that changed everything.

Chris: Absolutely. I was just looking ... I am forced to write a check today to someone and my checkbook has an address that's four houses ago.

Lance: Yeah, yeah, see. Same thing. You know, there's four empty check books that go from X amount and then the last one goes for about a four year span from when I started it to when it ran out. So because everyone's sort of susceptible to it, what are some of the most effective social engineering techniques and attack vectors that are currently being used to phish or hack victims? Like what should people ... what's the thing that they easily fall for that they should really be watching out for?

People need to be aware that this is a thing and be really suspicious of every link from a financial institution, from a bank. I think that habit of not clicking the links but rather going to the browser and typing in your bank is probably one of the best protections, unfortunately I think that well-crafted phishing attacks are almost unavoidable. You will fall for them and that's where you need to be relying more on systems that are resistant to that.

I guarantee you an experienced attacker could phish me if they tried. If they really spent their time researching it. So things like multifactor then come in. Making sure that just because I clicked and typed something in doesn't mean I gave you ownership of my life. You still have other things you need to do to try to get in, and that is, to me, the real crux, is making sure you are a hard target.

Chris: What are your thoughts on sort of the newer versions of two-factor? I mean obviously there's the phone and the numbers and stuff, but there's also we're moving toward facial recognition or thumb-print identification. How does that sort of fit in with anonymity and the internet?

Lance: So it's interesting. We think about biometrics and facial recognition, but there's really two very different flavors of these things. There's one which is, "I want to authenticate myself to my device," you know, I want my phone to recognize my face or my thumbprint and unlock, and there really is no large scale attack against that. If you steal my phone, you could build a mask that matches my face and maybe break into it, but you know seriously, it's probably much easier just to beat me with a stick until I do it for you, and you probably don't need to beat me that hard.

Whereas the public facial recognition where every time I'm walking down the street, I walk into a store, they know who they are, they're targeting pricing and marketing messages and whatever else they want to do. That’s kind of the more scary implications of this form of from a privacy point of view. I think that frankly, the phone, as long as it's well designed with a good enclave and with biometrics can actually be a very effective second factor. The only thing I worry about is if it really takes off, people are going to attack it more.

Right now, there's not a huge amount going against it because it's not protecting that many people. You know, if I'm going to attack a thousand people, the one who's using it ... I'll just move on right. I'll just attack the other guys. But we're seeing now, that for example SMS-based multifactor is getting popular for things like protecting bitcoin wallets and things like that. That's now a tasty attack vector and we're seeing, sure enough, people are going in and launching these SIM-swap attacks where they're redirecting the SMS messages, the authentication, to their phones, so now I can log in as you and steal all your money.

So we thought, oh yeah, texting your phone, that sounds like it's good and out of band and easy to protect, and it turns out it isn't that locked to you, and I'm afraid we might find that with some of these other techniques, but they certainly are a vast improvement over just password, and with most people, a simple password that they use everywhere, right? I mean unfortunately that's the status quo that we're coming from.

Chris: Yup. Password123 and all that.

Lance: Yes.

Chris: You were saying that even you and I can be, you know security savvy people, could be scammed or phished. Have you ever been scammed or phished?

Lance: To my knowledge, I've never been successfully scammed but I've certainly seen a lot of people try. I've seen a lot of phishing emails come by, some of which were pretty impressive. They do a good job of sending you something that seems pretty plausible. My systems are fairly locked down, so I'm a little more resistant than probably most people, but for example, I got hit with a death threat scam, where I get an email saying someone has taken out a hit on you and you seem like a nice guy, so I will agree not to shoot you if you will pay me more than he is. Now, I did some research and found out that the IP address he was using was in Australia and so ... pretty certain this is not legit, but you know that's the thing that ... If you're not kinda savvy. You don't know how to look at this. You're not familiar with these kinds of scams. That’s gonna really freak someone out.

Chris: Yeah, that'll give you pause for sure.

Lance: It would and this was before Bitcoin when it was easier for them to get that payment. I'm fascinated that as far as I can tell, the only two uses of Bitcoin, really, are speculation and extortion, and maybe some drug buying. Almost no legitimate commerce is going on with Bitcoin.

Chris: Yeah, yeah. That is interesting. You know, my dad got hit by one of those social engineering attacks and it was via the phone. He was told that his son was in trouble and he needed money, and it was supposedly a call from the operator and some other kid was on the other line going, "Dad? Dad? ..." You know? It can be really insidious and he put his credit card through and these things will happen and I did that in 1997 or something. My credit card company called and said they needed to verify something and that first time, they'll zing you but ... I think you—

Lance: I just saw a kind of clever one in terms of scamming people to get that multifactor.

Chris: Yeah.

Lance: Which was someone had experienced a guy text them and says, "hey, I used to have your phone number and I've got this old account that was registered to that and I'm trying to recover my old password. You're gonna see a text come through in a couple of minutes. If you could just send me the code, that would really help."

Chris: Oh my god. That is clever. Man that —

Lance: And most people want to be helpful.

Chris: Yeah. Yeah.

Lance: And it was well written and it seemed non-threatening.

Chris: So do you, in your current position, do you run social engineering attacks or tests against organizations that requested you to test their employees and if so, have you got any good stories in that area?

Lance: We don't. We don't do any direct testing. We focus on building the platforms that, for example often red teams are using, so that when they go after a client, they're not recognized as themselves, because we've actually seen where the blue team will actually set up different firewall rules so that they look better during the penetration testing, so then we help people sneak in under the radar.

Chris: Very interesting. So why ... we talked about two-factor, we've talked about just generally keeping your data safe and so forth, but why is anonymity online important specifically?

Lance: Now I think there's a lot of reason why people would want to protect their privacy and their anonymity online. Yes, certainly if you're discussing or researching medical conditions. There's a lot of things that are embarrassing. People might be exploring sexual orientation and not ready to divulge that. Financial information.

And of course, we often look at this from a US-centric point of view. There's a lot of countries where expressing a political opinion publicly is dangerous, if not deadly, and so in many contexts this is actually a life or death thing to be effectively anonymous online and in fact there's a whole number of corporate reasons to want to be anonymous.

Right, if you're say thinking about acquiring another company, when you're doing the research if they can see you doing it and it leaves a pretty distinct footprint, they can then start taking countermeasures or know that you're interested and negotiate differently and play that game. We've worked with litigators. We've worked with, of course, law enforcement.

The equivalent of being undercover is being anonymous online and so there's a lot of different groups that need to be anonymous on the internet for the same reasons we want to be anonymous in the real world.

Chris: So what are some of the tools or methods that people could be easily using right now to be more anonymous online but maybe they're not taking advantage of because they don't know about them or don't think it's a big deal or what have you.

Lance: I mean there's certainly a lot of tools out there that will hide your network identity. So hide where you are, who you are, maybe what your house is. The trick is then separating that out from the activities. If you use some tool to hide yourself and then go log into your Facebook account it's sort of undone all of that, so making sure that you keep these things separated from each other. That you're not ever overlapping this pseudo-anonymous identity that you're managing here from your real accounts over there.

Frankly I recommend using virtualization for that, to make sure that cookies, super-cookies, browser fingerprints, I mean there's this huge number of identifiers that can be used to re-acquire you. Just going into incognito mode is not gonna work probably even against sophisticated advertisers, let alone sophisticated adversaries.

Chris: That's interesting. So I guess that means that you really kind of need to separate out ... but it also sounds like to me like you're sorta separating out the things you need to research anonymously can be done anonymously but the things you do in your social life, Facebook, Instagram, emails or whatever, it almost seems like those are sort of unhidable.

Lance: I think that for all practical purposes that's exactly right.

Chris: Okay.

Lance: You know, your social network is so unique to you that if you had a different name on Facebook with the same social network, I'd know it was you, and your friends are gonna post photos of you and all those things. So yeah, my advice generally is don't try to protect everything. If you try to protect everything, it's equivalent to protecting nothing. Think about what are those things you actually care about? What are the things that matter? Think carefully about what you put on that social media.

Remember, this is a postcard. This is going out in the newspaper. It's all public. Don't say anything there that you don't want to immediately get released and get monetized and get used against you, and then for those things you care about, really pay attention to protecting them, managing them separately, and I find personally it's a very small fraction of my life falls into that.

I really care about this. As long as you're not really addicted to drunk selfies or something.

Chris: Right. So I mean, shy of changing legislation or whatever, it seems like that there are certain parts of the internet that are going to actively resist being sort of secretive places.

Lance: Absolutely. That's one of the big changes about how the internet works, is in the early days it was mostly about consuming content that existed out there whereas now, most of our interaction with the internet is actually about sharing content and putting things out there, and that really completely transforms the whole equation.

If you're willing to use the internet in an internet 1.0 kind of way, then anonymity is pretty manageable, but as soon as you want to be engaged in these communities, then what you even mean by anonymous becomes somewhat complicated, but we do have these tools like Signal that are strongly secure, not necessarily anonymous chat mechanisms, but bring those conversations off the public network, and so a lot of the time people will use, say, private messaging in Twitter or in Facebook to share private conversations, not realizing look, your friend didn't see it, the company did and the company can monetize it.

So moving that off into a secure and encrypted environment can at least help you capture a privacy if not necessarily the anonymity.

Chris: What do you mean by using the internet in a web 1.0 kind of way? Just in terms of just using it to look things up and that sort of interacting with the world of it?

Lance: Exactly. Yeah. In an almost purely consumptive way. So you're gonna go out and google things. You're going to look at web pages, read news websites, read blogs —

Chris: Like a library database or something?

Lance: Yeah, as long as you're just passively consuming it, you can do that with basically total anonymity. You can hide all of those footprints, but as soon as you need to establish an account and interact and discuss things with people, then that changes.

Chris: One of the things that, you know, I got your information and some of the things that you're a specialist in, one of the things that really stuck out to me was you said you were sort of an expert on risky behaviors with technology that people engage in while traveling. Is it because travel makes you feel like you're free of all your obligations that people throw away the lessons that they learn at home?

Lance: I think that's true. They are often off their guard. They think, "I'm on vacation, so therefore it's more casual," but you're also spending a lot more time using other people's networks. You know, you're using a lot more public Wi-Fi, you're carrying around your laptop in public, and certainly if you're in business and traveling, there's a lot of countries where you may want to keep that laptop physically in your possession, because there are intelligence organizations that will rifle a room if you're a person of interest, and try to inject malware, or pull off data, or things like that.

So it moves you out of your controlled environment. At home you have control. It's your network. It's your devices. You have physical control of the space. You have familiarity with what the situation is. All that goes out the door when you're traveling. And depending on where you're going, it can go way out the door. And some of these attackers get really sophisticated.

There was an attack that I read about where these hackers went in and compromised the reservation system at a high-end Asian hotel and then they had a list of people of interest. When one of them was scheduled to check into the hotel, they hacked the Wi-Fi and when that person then logged into the Wi-Fi - what do you type in to log into the Wi-Fi? Last name and room number — well they know what their target's last name and room number is. They would then hack only that person's computer, inject malware which would then sleep for six weeks until they got back home and, you know they've passed all the checks, and then wake up and hack them.

Very very targeted, but you're then on your opponent's home turf when you check into that hotel and they were very effective.

Chris: That seems almost beyond being able to defend yourself against. Is there any way to defend against something like that? That sounds like the plot of a movie or something.

Lance: Yeah. It gets really hard. If that's the kind of threat environment you're in, you need to be thinking about running off bootable CDs that immediately spin up a VPN that don't allow any patching, that are immutable. You do everything over a remote desktop over a secure channel, and then basically you bring a burner computer.

If you're going to certain places, assume that computer's compromised. It could be going to some Asian countries, or Russia, or Las Vegas this week. Right, if you're going to Defcon.

Chris: Yeah. Oh, yeah.

Bring a burner computer.

Chris: Yeah. They have a bit of a different end for that but they ... prestige points. So with the advent of regulations like GDPR in Europe and California's new set of security and privacy laws, do you think it's gonna get easier to stay anonymous online?

Lance: Yeah, I don't think it's gonna help much with anonymity. I think it will help with some privacy. It gives a lot of ... more control over what information people capture and what they do with it, although it's one of those interesting things that it's what's kind of like HIPAA. As soon as the HIPAA law happened, now the doctor gives you a sheet of paper that basically makes you waive all your rights as soon as you walk into the office.

Well the websites are all doing that too. We are GDPR compliant, click here to let us do everything we were doing before.

Chris: Yeah, just slightly more transparent.

Lance: Yeah, you're right. So it's a little more cards out. There are some restrictions about what they can do and how they have to handle things. There are some nice data minimization things that they're supposed to do, which will certainly help with the scale of breaches when they happen, and the amount of information selling that goes on.

But yeah, it's not gonna really improve your anonymity at all because you're still logging in. They still are tracking you. They still have all that information. But it may shrink the circle that that information's shared in a little bit.

Chris: So if you were able to draft your own sort of legislation that would sort of get all of the sort of your particular interests, sort of in line, what would your GDPR, you know obviously we'd have a different acronym, but what would your version of that be for ... what would you enforce to allow for better privacy, better security, and so forth? What are the things that you would love to see go into effect?

Lance: Yeah. Yeah if I'm privacy king for a day. I mean I think one of the things I'd love to see would be some extreme regulations on what ISP and background carriers can look at. I'd like to make sure that your ISP doesn't watch all of your activities and try to monetize that and monitor it. I think maybe limitations on retention of data. I heard a great talk where the speaker said, "data is a toxic asset," and I think I'd like to see it viewed that way a little bit more. You know, how little can you keep and still accomplish what you're trying to do, and how short a time can you keep it? Can we really pull this down and then maybe more limitations on sharing as well. I mean, right now once you opt into the site you sort of have to opt into everything. There's no granularity.

I would love to pass a law that requires companies to give you an option to pay them the equivalent of your advertising monetization value to not be tracked.

Chris: Yes.

Lance: Which is, you know, certainly regressive and unfair to people who can't afford but at least there's some option to pay. Yeah, in this case I want to opt out of that and I would love to see people value privacy enough to support privacy-friendly and enhancing network platforms, but so far I've seen a lot of them launch. I've advised a lot of these companies. None of them have ever taken off. It's hard enough to be successful as a social media company, but when you're trying to do it in a privacy friendly way, now you're trying to compete with Facebook with one hand tied behind your back a little bit, because some of the things that make Facebook huge, third party integrations and stuff, are exactly the things that are terrible from a privacy point of view.

Chris: Do you think that there's a ... there seems to be an overarching cynicism about well we're ... there's no privacy on the internet. It's too late. The horse is out of the barn and stuff like that. Do you think that's also kind of a problem to some of this?

Lance: You know, there is certainly that cynicism and ... you cannot be private all the time, everywhere, right? If you're gonna be on Facebook, you're not private. If you're on Twitter, you're not private. But, I would like to think that it's possible to engage in certain ways, do certain activities, in a way that are quite anonymous and quite private. It just takes a lot of work and I think most people, while they give lip service to really caring about privacy, aren't willing to take those steps and sometimes those steps are not easy. They're complicated and they're easy to screw up. I mean, I build all these tools and have been doing it for years, and when the privacy goes wrong it's almost always human error.

Chris: Yeah.

Lance: I've been studying the Mueller indictment of those Russian hackers and it is full of mistakes that we made.

Chris: Like what?

Lance: They used the same payment account for DCLeaks website where the leaks were posted, which claimed to be American hacktivists and Guccifer, which claimed to be a Romanian hacker, but they paid for both of those with the same PayPal account, or with the same Bitcoin account, you know? So they were tying things together. They forget to turn on the VPN once which allowed people to expose the GRU headquarters. They used the same email addresses to set up multiple pieces of their networking infrastructure. A lot of these little errors which just go to show, these are professionals, it's really hard to do, which is why kind of my fundamental recommendation is the less you're trying to do that with, the better your chances of succeeding.

Chris: Speaking of human error and sort of general education, what are your thoughts on privacy certs like IAPP and their effectiveness on overall privacy, security in the workforce?

Lance: Yeah, I think it's really helpful primarily from a policy point of view, that businesses, when you get someone with these certifications, they're now kind of aware of the overarching issues and it helps bring that thought to the forefront. Ideally you want to be like security, baking privacy in, early in the process and having someone with these certifications and with some status in the company really helps get that voice and that perspective into the process earlier, gives it a seat at the table, and I think makes it possible to do things like I'm talking about. How do you limit the amount of data you're keeping? Can you achieve your business goal without having every possible record that, in fact, you don't really need?

Chris: So to wrap everything up here, do you feel that a semblance of privacy can be salvaged and what do you think the future of privacy and anonymity online is gonna be?

Lance: Absolutely it can be salvaged but it's really changed. When I started out, it was fundamentally an anonymous internet with small islands of identification, and we're now in an ocean of strongly identified content and tracking, but it's still possible to carve out little pockets of anonymity when and where you need it and I suspect that's probably in the long run the best case that we can expect.

Chris: Well thank you very much for your talk today Lance. That was fantastic and thank you all for listening and watching. You can find more of these videos on our YouTube page. Just go to YouTube and type in Infosec Institute and you will find our videos. If you would rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search for CyberSpeak with Infosec Institute on Apple podcasts, Stitcher, or wherever you get your podcasts. If you'd like to read more about security awareness topics please visit resources.infosecinstitute.com for thousands of articles, labs, videos and more, and for those of you who are interested in the security health of your friends and your organizations, check out SecurityIQ.infosecinstitute.com. It's a new service we have where you can send out fake phishing emails to your friends. Customize them with templates, make them look very realistic and then when they fall for them, they can check out little educational videos and so forth.

So thank you again Lance Cottrell for being here.

Lance: Thanks for having me. It was fun.

Chris: Great. And thank you all again for watching and listening and we will talk to you again next week.
