How Do VPNs Work?

After Congress clarified last month that ISPs have the right to monitor and use customer data I have read dozens of articles that recommend that people start using VPNs (Virtual Private Networks) to limit ISP access to their data. I’ve received several emails asking how VPNs work and will discuss the technology today.

Definition. A VPN is a virtualized extension of a private network across a public network, like the open Internet. What that means in plain English is that VPN technology tries to mimic the same kind of secure connection that you would have in an office environment where your computer is directly connected to a corporate server. In a hard-wired environment everything is secure between the server and the users and all data is safe from anybody that does not have access to the private network. If the private network is not connected to the outside world, then somebody would have to have a physical connection to the network in order to read data on the private network.

Aspects of a VPN Connection. There are several different aspects that are used to create the virtualized connection. A VPN connection today likely includes all of the following:

  • Authentication. A VPN connection always starts with authentication to verify the identity of the remote party that wants to make the VPN connection. This could use typical techniques such as passwords, biometrics or two-factor authentication.
  • Encryption. Most VPN connections then use encryption for the transmission of all data once the user has been authenticated. This is generally done by placing software on the user’s computer that scrambles the data and that can only be unscrambled at the VPN server using the same software. Encryption is not a foolproof technique and the Edward Snowden documents proved that the NSA knows how to read most kinds of encryption – but it’s still a highly effective technique to use for the general transmission of data.
  • IP Address Substitution. This is the technique that stops ISPs from seeing a customer’s Internet searches. When you use your ISP without a VPN, your ISP assigns you an IP address to identify you. This ISP-assigned IP address then can be used by anybody on the Internet to identify you and to track your location. Further, once connected your ISP makes all connections for you on the Internet using DNS (Domain Name Servers). For instance, if you want to visit this blog, your ISP is the one that finds PotsandPansbyCCG and makes the connection using the DNS system, which is basically a huge roadmap of the public Internet. Since they are doing the routing your ISP has complete knowledge of every website you visit (your browsing history).  But when you use a VPN, the VPN provider provides you with a new IP address, one that is not specifically identified as you. When you visit a website for the first time using the new VPN-provided IP address that website does not know your real location, but rather the location of the VPN provider. And since the VPN provider also does the DNS function for you (routes you to web pages) your ISP no longer knows your browsing history. Of course, this means that the VPN provider now knows your browsing history, so it’s vital to pick a VPN that guarantees not to use that information.

Different VPN Protocols and Techniques. This blog is too short to explore the various different software techniques used to make VPN connections. For example, early VPNs were created with the PPTP (Point-to-Point Tunneling Protocol). This early technique would encapsulate your data into larger packets but didn’t encrypt it. It’s still used today and is still more secure than a direct connection on the open Internet. There are other VPN techniques such as IPSec (IP Security), L2TP (Layer 2 Tunneling Protocol), SSL and TLS (Secure Socket Layer and Transport Layer Security), and SSH (Secure Shell). Each of these techniques handles authentication and encryption in different ways.

How Safe is a VPN? A VPN is a way to do things on the web in such a manner that your ISP no longer knows what you are doing. A VPN also establishes an encrypted and secure connection that makes it far harder for somebody to intercept your web traffic (such as when you make a connection through a hotel or coffee shop WiFi network). In general practice a VPN is extremely safe because somebody would need to expend a huge amount of effort to intercept and decrypt everything you are doing. Unless somebody like the NSA was watching you, it’s incredibly unlikely that anybody else would ever expend the effort to try to figure out what you are doing on the Internet.

But a VPN does not mean that everything you do on the Internet is now safe from monitoring by others. Any time you connect to a web service, that site will know everything you do while connected there. The giant web services like Google and Facebook derive most of their revenues by monitoring what you do while using one of their services and then use that information to create a profile about you.  Using a VPN does not stop this, because once you use the Google search engine or log onto Facebook they record your actions.

Users who want to be protective of their identities are starting to avoid these big public services. There are search engines other than Google that don’t track you. You can use a VPN to mask your real identify on social media sites. For example, there are millions of Twitter accounts that are not specifically linked back to the actual user. But a VPN or a fake identity can’t help you if you use a social media site like Facebook where you make connections to real-life friends. I recall an article a few years back from a data scientist who said that he only needed to know three facts about you to figure out online who you are. Companies like Facebook will quickly figure out your identity regardless of how you got to their site.

But a VPN will completely mask your web usage from your ISP. The VPN process bypasses the ISP and instead makes a direct, and encrypted connection to the VPN provider instead. A VPN can be used on any kind of data connection and you can use a VPN for home computers and also for cellphones. So if you don’t want Comcast or AT&T to monitor you and use and sell your browsing history to others, then a VPN service will cut your ISPs out of the loop.

The Blockchain in our Future

blockchainYou may have seen articles that predict that the blockchain will be a major software tool in the very near future. Or you may have seen that blockchains are at the heart today of cryptocurrency like Bitcoins. I’ve been following the development of blockchain technology and I think it’s something that will soon quietly sneak into all of our lives.

So what is a blockchain? It’s essentially a software technique for creating a permanent and unchangeable ledger of events – a record of events that are stored in sequential order and that can never be altered. There are many places in the business world where having a permanent record of events or transactions would be of great value.

Second, a blockchain relies on peer-to-peer verification of entries onto the chain. That means that the identity of the person making any entry into a blockchain is verified by somebody else. This verification process adds validity to the entries on the chain since every entry on the chain has a verified author.

Third, blockchain information can easily be encrypted, making it hard for anybody other than the people involved in the transactions to be able to read the information on the blockchain. This adds an automatic level of security because, unlike a standard data base, each entry can be separately encrypted making the task to decrypt daunting. In a standard database, once a hacker gains access to the database they can see everything. In a blockchain a hacker would have to individually unscramble each entry – something that will deter all except the most determined hacker.

So, what are some of the ways that a blockchain might be used? The short answer is that it will make sense to use the technology anyplace where there is merit in having a detailed record of events that can’t be amended or altered. I can think of hundreds of likely uses, but here are a few:

Accounting. Since a blockchain is basically a ledger it would make sense to use it during the accounting process. In a larger company where multiple people can make accounting entries, a blockchain could be established that would record the events of each entry made – not only the entry itself, but who made it and when they made it. There also could be a pointer to the underlying document that supported the entry. This would be of use to the head accountant in the company because they can now look back with certainty and know everything about any entry into the accounting system. This would give them a tool to pinpoint who made mistakes. But the real benefit would be for external auditors who could quickly understand every entry in detail. Blockchain also would provide the history of each entry and would show if and when an entry was ever changed or amended. A ledger backed up a blockchain creates an audit trail that will make it easier to do things like pass a tax audit years later after everybody in the company forgets the details.

Credit Card Security. I can picture a credit card company establishing a blockchain to record the events of each credit card transaction with the goal of cutting down on credit card fraud. For a credit card used in a store it would establish an exact time stamp of a transaction. But there also might be a picture snapped of the purchaser or some biometric test like taking a thumbprint. Biometric credit transactions are being tested in China, and using a blockchain adds the ability to make a permanent and indelible record of the events involved in each transaction. Something similar could be done with online purchases where a blockchain could be used to record the IP address of the purchaser of other identifying information that might make it easier to track down fraud.

Personal Blockchains. I think people will be interested in keeping track of events in their life. We do a lot of things electronically today and those records are fleeting. You inevitably get a new smartphone or change cellular providers and your personal history is lost. And even if you somehow keep every text you’ve ever made, for example, there is no current easy way to search through them to find a specific text you might have made years ago. A blockchain creates a ledger that can then be searched. For some reason that is beyond my understanding, my wife likes to read things I wrote to her years ago, so she is going to love this! In essence a personal blockchain could create a searchable log of events in your life, large and small.

I can easily think of hundreds of uses for the idea of keeping track of the things we do at work or in our personal lives. The blockchain provides a tool to create a permanent and searchable ledger of past events. For any business that does a lot of transactions of any kind, this gives them a new tool to create a record of their business – something that businesses are largely not very good at today.

The Security / Privacy Battle

SpyVsSpyEvery time there is some traumatic terrorism event like what just happened in Paris there is a renewed call by governments for better surveillance and security measures. And every time that happens, the advocates of privacy sound a loud warning. What I find most interesting about this back and forth between the two sides is that it’s not events or even public policies that are driving the battle between security and privacy, but technology.

Just during the last decade there has been a number of technologies that have assaulted our privacy – encryption, big data, cloud computing, and advertising spyware. And we are fast approaching new threats from drones and from Internet of Things sensors everywhere.

The real battle between security and privacy happens when we introduce new innovations that can invade our privacy followed by countermeasures against those new technologies. There are plenty of politicians on both sides of the privacy issue who think that creating new laws is the way to protect privacy. But there are no laws that are going to flexible enough to keep up with the new threats we are constantly seeing in the real world.

Consider the traditional privacy laws. There have been wire-tapping laws on the books for decades which are now completely obsolete. The FBI convinced the FCC a few decades ago to create a set of laws called CALEA that gives the FBI the right to subpoena ISPs and get the records of suspected law breakers. ISPs and telcos spend a lot of money to stay compliant with these rules and yet I can’t think of one of my clients that has actually gotten a CALEA request from the FBI. ISPs do often get requests from local law enforcement asking for calling records under older wire-tapping laws, but not a peep out of the CALEA folks.

And this is because those laws were obsolete before the ink was dry on them. The CALEA rules were written not long after we had migrated from dial-up to DSL and there was no such thing as the dark web and disposable cell phones and all of the other ways that serious criminals use to avoid law enforcement.

What typically happens with a new technology is that it gives one side – the police or the bad guys – a temporary advantage. But there is always a technological counterpunch as somebody on the other side figures out how to defeat and neutralize each new technological development.

Edward Snowden showed us that law enforcement sometimes is so desperate for an edge that they collect data illegally in violation of the basic rights granted to US citizens by the fourth amendment. But even that is only a temporary edge. There are now numerous groups developing strategies to counteract widespread government surveillance.

There have been numerous attempts to pass surveillance and security laws starting with the Patriot Act. But industry experts say that most of the laws that try to give the government more power are ineffective, again because technology moves a lot faster than legislative bodies.

So what we see is a cat and mouse game. The NSA spies on us and so companies like Apple develop encryption that makes it hard or impossible for the NSA to gather anything useful. And there are more and more web services that either automatically encrypt or which offer that as an option.

It seems that the privacy advocates are winning the long term fight, and this is because there are ways around almost any tool the government or big business can use to spy on people. I’ve read several articles recently that talk about how even in China people are finding ways to bypass the strict security of the Great Firewall of China. But the fight is a long way from over because there are always going to be tools that come out that can be used to spy on people and there will then be ways to defeat those measures. We are likely to see this battle for decades to come.

The Battles for the Internet

The InternetIt’s always interesting to think about how the Internet might change in the future and what it might become. It’s likely that the outcome of several current industry battles will determine the Internet we have five and ten years from now. Each of these conflicts is important in its own right; taken together they add a lot of uncertainty about where we are headed.

Ad Blocking vs Advertisers: One fairly recent battle is between ad blocking technology and those who make a living through web advertising. Today much of what we think of as the free internet is paid for through advertising placed on web pages. Very few people like the ads on the Internet, particularly as they get more customized and individualized and are aimed at each of us personally.

But a really large portion of the things that most us like on the web are paid for by ads. That includes things like social media sites and news services. Right now the ad blockers are gaining the upper hand. I saw a recent report that over 200 million users worldwide are now using ad blocking software, and it’s growing fast. And companies like Apple are building ad blocking into their OS, probably in an attempt to poke a stick in the eye of some of their other large rivals.

If advertisers don’t figure out a way to fight back, then the revenues that can be made on the web will be on a fast and downward spiral, and that is going to effect a lot of web businesses. But advertisers are already working on ways to punch through ad blockers and so this is likely to morph into a continuous cat and mouse game as the two sides each get the upper hand at times.

Hackers vs Web Security: For the last several years large companies have sat nervously in the crosshairs of the hackers who are working hard to take them down. But to a large degree a lot of the tactics used by hackers in the past have been defeated by web security companies and it’s no longer easy to breach firewalls by brute force. But hackers are probably more successful than ever today because they have shifted tactics and now concentrate on tricking insiders to let them into a network.

This is a critical battle, and big companies look at what happened to Sony and they now understand how devastating it can be to lose control of their network. The companies that fight hacking are getting better all of the time and they will find ways to beat the current tactics deployed by the hackers. But unless we someday migrate to a web run by a superintelligent AI, it’s likely that this battle is going to go on for a long time.

Surveillance vs Encryption: The NSA revelations opened a lot of eyes about how vulnerable we all are to surveillance. We now know that governments can gather huge amounts of information about us, and many people are worried about how access to our data is going to lead to a government abuse of power. But perhaps even worse is that large corporations are gathering data about us, too, and unlike the government they are more likely to immediately put that knowledge to use.

But there is a counter-movement working to make us safer against surveillance. This involves encryption but also in developing safer ways to communicate such as through bit-chains. Surveillance relies on being able to capture data at central nodes, and so perhaps having an Internet that no longer uses centralization will reduce the amount of knowledge that can be gained from us. Ideally, the outside world would only learn what we choose to give out about ourselves, but for now the surveillance forces are winning this battle.

Open Internet vs State-specific Control. Sparked by those same NSA revelations we now see governments looking at ways to protect their citizens and themselves from outside surveillance. China has already done this in an extreme way and it looks like Russia might be headed down the same path as China. But half of the countries in Europe are looking at ways to keep the data generated in their country safe within their country. If we end up with an Internet that is different in each country, with pockets behind different firewalls, we will have killed much of what is great about the current Internet.

I don’t think anybody can predict where each of these trends are going with any certainty, and it’s hard to say how the various battles affect each other.  There is a big chance that the Internet of ten years from now will be a very different place than today. There will be some ugliness along the way and we are going to keep seeing major hacker success bringing down companies. But none of these issues is insoluble and there is also the chance that over time we will end up with an Internet far safer than today’s.

To Encrypt or Not to Encrypt

SpyVsSpyWe are seeing a major policy tug-of-war about privacy on the Internet. On one side are law enforcement and national security agencies that want to be able to monitor everything that happens on the web. On the other side are those that value privacy the most. This is not a new debate and has been going on since the 90s.

Encryption has been around for a while, but it’s generally believed that agencies like the NSA have cracked most existing encryption schemes and are able to readily decipher communications between most parties on the web.

Recently, Michael D. Steinbach, assistant director of the FBI’s Counterterrorism Division, testified to Congress that the FBI has no problem with encryption as long as the government still has access to the underlying data. He thinks that encryption between people is a good thing to keep personal data from being intercepted by bad guys on the web, but he still thinks that there are law enforcement and national security concerns that are more important than individual privacy concerns. The real concern is that encryption will allow criminals and terrorists to go ‘dark’ and evade detection or monitoring.

But the revelation that the NSA is spying on everybody has really upset the technology community that run the Internet. The  vision of the Internet was to be a place for the free exchange of information and many technologists believe that widespread surveillance squelches that. And very few people like the idea that the government knows your every secret. And so we see companies that are working to find ways to make communications private from snooping—including from the government.

Apple is the largest company to take a stance and they have initiated end-to-end encryption on the iPhone. The way they have done this only the sender and receiver of a communication can unlock a given message and Apple is not maintaining any way to crack the encryption themselves. This means that Apple is unable to reveal what is inside customer communications even if served with a court order. I am guessing that one day this is going to be put to a legal test and I can picture laws being passed that stop companies like Apple from doing this. And I am sure Apple will fight back, so ultimately this might have to be determined by the Supreme Court.

But there are other groups working on a privacy solution that even laws might not be able to touch very easily. One such company is Ethereum. This is a crowd-funded group in Europe who is building upon the early work with bit coins to build a decentralized communications system where there is nobody in charge because there is no centralized network hub – there is no company like Apple at the core of such a network. In such a hubless network it’s much harder for the government, or even companies like Google and Facebook to spy on you.

This requires the establishment of peer-to-peer networks that is a very different way of structuring the web. Today the basic web structure is based upon software sitting at specific servers. Things are routed today because there is a massive database of DNS addresses that list where everything can be found.

But Ethereum is taking a totally different approach. They have built apps that find space on millions of customers’ computers and servers. Thus, they are located everywhere, and yet at no specific place. Ethereum is using this distributed network and building upon the block-chain technology that underlays bit coin trading. The block-chain technology is so decentralized and so secure that nobody but the sender and receiver can know what is inside a communications chain.

Ethereum isn’t really a company, but rather a collective of programmers that intend to disband once they have established the safer communication methods. And they are not the only ones doing this, just one of the more visible groups. This creates a huge dilemma for law enforcement. There is a huge amount of web traffic dedicated to nefarious purposes like drug trafficking and child pornography, without even considering terrorists groups. Governments have had some limited success in shutting down platforms like Silk Road, but the systems Ethereum and others are building don’t have a centralized hub or a place where the system can be stopped.

I have no doubt that the government will find ways to crack into these systems eventually, but for now it seems like the privacy advocates are one step ahead of them, much in the same way that hackers are one step ahead of the web security companies.

I don’t know how I feel about this. Certainly nobody benefits by enabling huge rings of criminals and terrorists. And yet I get angry thinking that the government is tracking everything I am doing online. I’ve read all of the sci-fi books that explore the terrible consequences of government abuse due to surveillance and it’s not pretty. I am sure that I am like most people in that I really have nothing to hide. But it still makes me very uneasy to think that we are all being watched all of the time.

How We Deal with Surveillance

SpyVsSpyThe fact that governments spy on us has been in the news a lot in the last two years since Edward Snowden revealed the extent of the US spying. It’s not just the US government; similar revelations have come out even in countries like Canada.

The folks at the Pew Research Center asked Americans how the knowledge that they are being watched has changed their behavior. Not surprisingly, a pretty large majority of people have made no changes. But the survey found that some people have changed their behavior, and here are some of the key findings in this survey:

  • 87% of people said that they had heard about the government surveillance. Only 31% said they had heard a lot about it and 56% said they had heard a little about it.
  • 34% of those who were aware of the surveillance had made at least one change to shield or hide their information from the government.
    • 17% changed their privacy settings on social media
    • 15% have used social media less often
    • 15% have begun avoiding apps that want access to their personal data
    • 14% say they are speaking to friends in person rather than communicating online or using the Internet
    • 13% uninstalled apps
    • 13% have edited themselves so as not to use what they consider to be sensitive terms online
  • Those who have made changes tend to be younger than 50 and also to be in the category of those who heard a lot about the surveillance, or who thought that the surveillance was not in the public’s interest.
  • Many people just cut back on using certain applications or have modified the way they use them. 18% did this with email, 17% with search engines, 15% with social media sites, 15% with cellphones, 13% with mobile apps, 13% with text messages, and 9% with landline phones.
  • 25% of people have started using more complex passwords.
  • Most people either do not know about or have not considered using tools that make it harder to track them. The percentages of people in these categories for various anti-surveillance tools include: 68% for search engines that don’t track you, 59% for email encryption software, 74% for browser plug-ins like DoNotTrackMe or Privacy Badger, 74% for proxy servers, and 70% for anonymity software like Tor.

The survey also asked how people feel about government surveillance and the results were mixed. 40% of Americans found it acceptable to monitor other Americans, 54% to monitor citizens of other countries, 60% to monitor leaders of both the US and of other countries, and 82% for monitoring ‘terrorists’.

Of those who are aware of the surveillance, 61% said that they are not confident that surveillance is serving the public interest. Republicans and those leaning Republican were more likely than Democrats to say they are losing confidence in surveillance.

In an interesting divide of opinion, 49% thought that courts were doing a good job of balancing the needs of intelligence against the rights to privacy while 49% thought they were not.

And finally, when asked how people felt about the government looking at their own personal data, 38% were concerned about emails, 39% were concerned about search engine results, 37% were concerned about cellphone usage, 31% were concerned about social media, and 29% were concerned about mobile apps.

I know I personally have cut way back on my viewing of cat videos. After all, I don’t want the government knowing I am a crazy old cat man (which unfortunately might be the case!).