Archive 5 min read

Don't Trust The Network

We trust the networks we connect to everyday but should we?

Don't Trust The Network

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Good morning everybody. Um Sorry, I'm a little late this morning. Uh As you can tell I am not at home. I am actually at the airport lounge. Honestly, quite surprised. Um 74 episodes in how um I haven't done many of these from an airport, um which is surprising because I tend to be in an airport way too often.

I wanted to talk to you today about a few things flew across the wire. First of all, the intercept had a really fascinating article about how um AT&T S has hubs across the US that are a major intercept points for the NSA and other clandestine organizations.

Um And that's not a revelation. They have more detail than we have ever seen before, but we've known that for a really long time and also the WP A three standard was announced around wireless security. And I think you take those two things together and you start to realize that fundamental principle of not trusting the network.

Um So right now I'm broadcasting to over cellular and we know S seven as far as a protocol. Um There are some challenges and security there. So this is why we did encryption on top of the network.

This is why we want end to end encryption in our messaging app. So right now I'm doing a broad based encryption because this is essentially public information. So I have a secure connection up to Twitter. Twitter is blasting this out.

So my data between me and Twitter is probably not going to be intercepted. It should be secure and that's fine. That's this type of information, correct. But my personal text or my messages with friends and this, I want end to end encrypted.

I want to encrypt it on my end and only decrypted on their end because we can't trust, um, having um, the intercept points in the network, we can't trust the networks that we're on. This is a great example.

I'm sitting in an airport lounge. They offer free Wi fi. Well, that free wifi um, isn't under my control. This is under the airport lounge control or the airport's control and you want to make sure that you're, um, taking precautions to project yourself.

This is why we say use a VPN. Um However, VPN S aren't the end. All, be all. You need to understand what a VPN is trying to achieve. A VPN is trying to make a secure network on top of an insecure one, but you're still on somebody else's network.

So on youtube here, you'll see a bunch of ads for VPN providers and they have different abilities, different capabilities different logging levels. But at the end of the day, what they do is help you get a trusted connection over an untrusted connection.

But then the question is, how far do you trust that connection? So, really, um, if I have a VPN running on the Wi Fi here in the lounge, now, I'm trading the thread of the lounge for the threat of my VPN provider.

So if you're running your own VPN, that's a trusted system. If you are running on a commercial VPN, you need to understand the law under which that commercial VPN runs, you need to understand the, um, uh, the jurisdiction where that traffic is going.

So in the case of the intercept article around the NSA stuff, if I'm running, uh, VPN over those in intercept points, the only thing that's being intercepted is encrypted traffic. So it's a good thing I'm protecting myself against that threat.

But then the question is, can those organizations then simply subpoena my VPN provider to get the same logs? Are those logs actually in play, which is one of the marketing aspects you'll see around VPN providers lately is they are trying to say, hey, we don't log this or we don't log it all or we log for 24 hours and then it's destroyed.

Those kind of things. Help protect your security. But none of these are perfect scenario. Same with even the WP three A standard or the WP three standard, not perfect again. But they all help reduce types of threats, the risk posed by certain types of threats.

And that's really critical is understanding what those threats are. But of course, it's so complicated and there's so many layers of networking challenges. It's really difficult to understand those threats for anybody, let alone the average user.

So if you take the last example, I'm going to use, which is your home ISP connection by default, your home ISP connection uses the ISP DNS. And for years, we saw them intercept those DNS and serve up ads for misplaced domains and misspelled domains and things like that.

They're also keeping a pretty detailed record to create an ad profile, to try to sell you other services and to try to sell some providers who sell that data even to other people, which is, again, that's a threat model.

So the question is how can you reduce your, the reliance on your internet provider? Well, in that case, we need protection through regulation. You also can do the VPN as well and you can change the DNS service that you're using.

So you could leverage somebody like Cloudflare, you could pay for DNS services, there's any number of options there. But again, moving the threats around, but just because you have an internet connection don't trust it, especially on the road.

So for me, when I'm on the road, when I'm traveling and I do travel, unfortunately, quite a lot I use a third party VPN and that third party VPN, I've vetted out, I understand the risks posed by that.

So it's a US based company which means it falls under us law, they keep minimal logging. So I'm ok with that. But I also encrypt stuff on top of the VPN encryption. The only thing I use my VPN for is to protect me from the local networks I connect to and then I use other measures to protect me for other things.

So lots to think about there, lots of layers in this because that's the nature of the internet. We definitely have more on that, but I have to run to catch my plane. Thanks for jumping on online and watching the show today as always hit me up online at NC A um in the comments down below if you're watching this on youtube or on another network.

And as always by email, how do you protect yourself online? Um Period. How do you protect yourself when, when you're on the go curious to see what um people, how much they appreciate the threats, how much they appreciate the challenges or how much they're worried about it at all.

Let me know we'll talk to you soon. You guys have a fantastic day.

Read next