All your data are belong to us

Why I think we need to bring back the user to the security and privacy scenario

Every nerd who is reading this piece of my mind is probably thinking: “Man! That’s a cool reference to the hilaros bad translation of the game Zero Wing!”. You are right… but I have to confess that it is merely a catchphrase to have your attention…

All Your Data Are Belong To Us (S3lab)

But, haven’t you felt like you are no longer the full owner of your online security?

I definitely have. For me, computing scenario has changed a lot in 5-7 years. I remember that 6 years ago, when I used my computer I only had two possible scenarios: using my computer at work and using my computer at home.

Obviously, I didn’t use the same way in both scenarios but basically, a typical workday looked like this: First, I turned on my computer, then, I performed the scheduled tasks — ok.. most of them were not scheduled at all but I need to create the fake impression of an organized man even back on those days ;-)– and finally, at the end of my turn (or when I finished all I wanted to do at work), I turned off or hibernate the computer and go back to my place. There, I would have dinner and turned on my personal computer to just surf the web a little bit.

My typical workday have changed a lot from this 2 single platform scenario. Now, I wake up at 5:30AM, and the first thing I do is to check my email inbox in my smartphone. If there is an email that only requires a simple reply to remove it from my task list, I even reply it. After that, I have a shower and have my breakfast, I dress (it will be kind of weird to appear naked in the work), then I go to my car and I drive to the university. Indeed, I am installing this week a Parrot Asteroid Smart, which will allow me to read emails even while I am driving… When I arrive to work, I have another cup of coffee and I connect my laptop in my office. If have a meeting I may or may not carry my laptop with me. But it doesn’t really matter, because I always carry a Nexus 7 tablet with me at work. When I go back from work to house, if I drive, I will not use my smartphone but when I take the underground to go back, I will always use my smartphone for both work-related and personal-related computing interactions. Sometimes, I go to a bar and there, I may connect my smartphone to the WiFi — Yeah! I know! A security man like me, connecting to a public WiFi?? Sometimes commodity beats utility, you know that! Back at home, I will use either my smartphone, my tablet or my personal computer to connect to social networks, read news, or whatever you may think about.

For me, there are far more scenarios or contexts in my 2014 version of a typical workday. Of course, not only computing has changed but also myself but I think that the comparison speaks for itself:

Contexts & Platforms (2008) Contexts & Platforms (2014)
Laptop SmartPhone
Work Computer Tablet
Personal Computer Car Android System
House Laptop
Work Personal Computer
House Work
Underground
House
Work
Bars

There are a lot of different contexts and platforms we use for computing currently, and we do not use the same applications in all of them, we do not have the same security and privacy care in all of them… in other words, our security and privacy standards depend on the context.

Computing has evolved to a state where we can talk about a true ubiquitous computing and we are really near of what visionaries like Mark Weiser or Andy Hopper describe in their research work. Cloud Computing has also evolved and has also contributed to a more ubiquitous computing, where our data is available whenever and wherever we want. The future, as it seems right  now, will bring more contexts in very interesting systems such as wearable devices, cyber-physical systems and who knows what else.

But, what is the price we pay? Because, there is always a price to pay for. Our commodity certainly has one, and when I log in to a social network to connect with some long-forgotten high-school fellows, I know that this kind of power, needs to be paid someway. When I upload my files to a Storage as a Platform service and access to them, I am also aware that there are some risks I am assuming by using that awesome functionality. When I use my smartphone in the bar, I know that if the encryption is too weak, someone may be sniffing my personal conversations. But is everyone aware? I do not think so.

When I started working on systems security back in the year 2007, I learned that security experts like myself, have always considered the end-user as no more than a moron with no privacy or security concerns at all. The main reason to think like that, is that this assumption is usually true, and yes, end-users sucks. We, security experts, always learn about the particular platform, we may attack it in an offensive computing way, find some vulnerabilities and, finally, make the systems more secure and robust. This way of working have not changed in the 7 years I’ve been working in this fascinating area, but computing certainly has. We are all users now. You may think you are not, but you are fooling yourself and you know it. And as users, we have become the morons we’ve complaining about for years.

Yes, we are aware of the risks, but since everyone around the world has surrendered him/herself to the power of modern computing, we’ve just ended up doing the same. Even system administrators are using some PaaS, SaaS, or any cloud system, instead of working with their own servers. So security colleagues, in my humble opinion: System Security in its current form IS DEAD.

There is no place in the future for a security that only studies and secures thoroughly each platform. Systems Security and Privacy research area needs to make a 180º flip, moving towards a user-centric approach, relying on users’ needs and demands from the beginning, instead of just securing every possible platform in the world. But why? There are too many platforms, contexts, and even user personalities to secure. Going back to my typical workdays, the only aspect in common in every computer interaction is me: THE USER. If we are capable of securing the user, we will be securing nearly everything.

I am not sure if the S3lab is the first one to notice this, I personally doubt it, but, as far to my knowledge, the S3lab is the first one proposing a clear working agenda to change the security paradigms into an ongoing project that we have called “User Centric, Context Aware, Cross Platform Online Security and Privacy”.

There are three main aspects of this ongoing project. First of all, center the security and privacy in the user from the beginning, moving from the static and rigid security and privacy models that rely on the platform to more dynamic user-centric models. Secondly, take into account the context of computing use, dynamically changing security and privacy policies to adapt them to every possible user context. Finally, make these approaches to work in every current and future platform by monitoring the most generalized attacks and providing forensics tools for the users, creating a more security and privacy aware scenario for the users.

This is a really hard and long work, there is no problem for the S3lab since our goal is clear: making the users the center of the computing experience with security and privacy models centered on them.. Because, remember… we are all users, and, going back to this article’s starting catchphrase:

ALL YOUR DATA ARE BELONG TO YOU!

Igor Santos
About
Cybersecurity Researcher
Expertise: Systems Security; Project Management