Every decade or so we learn that bigger is not always better. The early years of "big" started with ships. The Titanic design showed the assumption of safety in "large concepts" was dangerously inadequate. The first big failure was not having enough backup in case of failure: in the Titanic's case, not enough lifeboats for all the passengers.

Another failure in the Titanic's "large is better" design was the ship itself, designed with multiple segments so that if one was breached, it could be shut off from the rest, allowing the ship to continue to function. The iceberg that pierced the Titanic's hull breached several sections, far beyond what the ship could withstand and stay afloat, and thus the combination of failures created a disaster.

The world of ship design changed when the US Navy adopted a compartmentalization scheme. Each compartment could become its own watertight hold, and thus this cell-like structure became the norm in modern ship design. Even if many cells across whole segments of the ship were breached, it would remain afloat.

However, even the US Navy had its own flaws and also put its faith in big. By 1941, the dominant design of warfare was the giant battleship: fast, sleek, heavily armored and heavily armed. Steel armor for battleships was measured at first in inches, then later in feet. It seemed that nothing short of another battleship could sink a warship with over a foot of solid steel armor.

It was this failure in design that led the tiny airplane, a frail and light creation in the sky, to destroy the leviathans of sea war. The US put all its Pacific battleship eggs in one basket, nine battleships floating in the idyllic base of Pearl Harbor. Those warships sank after tiny air machines pummeled them with bombs and torpedoes in a little less than an hour on a fateful Sunday morning.

The bigger-is-better failure has played out again and again: the Titanic was on the sea, the Hindenburg was in the air and the shuttle Challenger was headed into space. Mankind has carried the bigger/better design into the world of information warfare with the same predictable results.

We have witnessed in the past few years the big, centralized databases falling down like the Twin Towers into massive rubble: the hack of the US government Office of Personnel Management (OPM), which resulted in over 20 million records being stolen; the Yahoo hack, with over 500 million email accounts breached; and the most recent Equifax hack, with over 143 million credit accounts stolen.

The very concept of centralized, large data systems is an invitation for targeting by smaller, more nimble organizations and even individual criminals. Just as the battleships floating in Pearl Harbor stood nearly helpless, the same can be said of today's modern database server design.

The big design philosophy has bitten back at those it intended to serve. For example, there is the case of the 75,000 Turkish citizens either arrested or unemployed because they downloaded the ByLock encrypted app. ByLock, like most messaging apps, required a centralized server to house and link its customers.

However, ByLock did not protect that centralized server very well. Turkish authorities were able to determine that a server in Lithuania housed all the messages, passwords and IP addresses stored in plaintext. Thus, Turkish security experts were able to hack the vulnerable server and download nearly 3.5 million messages, revealing thousands of users were involved in the failed coup.

Even when the data and messages are properly protected, there is a great deal of concern about the integrity of large message services. The Facebook-owned WhatsApp service recently noted that they had turned down a British request to build a back door into their encryption for UK authorities. While this seems okay on the surface, behind the scenes the news release quietly announced that the UK authorities were able to legally obtain massive amounts of "metadata" on WhatsApp users.

The metadata held by the central service WhatsApp includes whole lists of contact information, obtained from users' phone books when they sign up. During the messaging app's installation, it requests access to the phone book. This allows the app to import all contacts and enables the user to launch a chat easily. However, it also uploads the phone numbers of all the contacts in the phone's memory to the servers of the app developer. In other words, the phone numbers in the smartphone are copied to another system no longer under your control.

Metadata is very valuable. Messages sent by messaging apps are usually accompanied by additional user information, which is often transmitted in the background. By analyzing this metadata, other parties may be able to infer who was in contact with whom, at what time and how often. This data can also include the user status and even profile pictures.

What makes matters worse is that none of the contacts in the phone book have given their permission for the service to house and store their data. Yet, as we can see, WhatsApp and other services such as Signal and Telegram do the same. In fact, one way of outing political users of the popular app Signal was to check and see if their phone number was available for chat.

How important is this? Let's be very clear. The US NSA has given the same kind of information to the CIA which then used drones to launch a missile strike and kill the owner of the metadata.

While some may feel safe and secure, trusting their legal governments and big corporation server owners to protect them, the fact remains that this data is also vulnerable to third parties outside of government and corporate control. Both foreign intelligence agencies and criminal organizations are keen to intercept network traffic containing metadata and other logged information. There is no question that they also have the means to do so.

In addition, such data may be stored on servers in foreign countries, with different laws and regulations. This can legally allow third parties to access and share the data without seeking the permission of the user. Foreign intelligence agencies may request such data if it is stored on servers which fall under their jurisdiction, and as the UK/WhatsApp case illustrates, the data may be from users who do not live within the territories demanding access.

Of course, we do not want to ignore the usual result of giving Facebook access to names, phone numbers and email addresses: targeted advertising. Facebook is a for-profit company and is not giving away the WhatsApp service for free. They are in business to sell you and your metadata as best they can - so while your message may be secure - nothing else is.

Which brings me back to "compartmentalization" - putting the data into its own little secure drive on cell phones and computers owned by the data user. Your address book is under your control and your metadata is not readily available on a single site but spread out over many sites, spanning all your contacts. This decentralized concept is already quietly taking over. It puts you in control of your data and hides your contact information in a vast sea of messages floating in an even larger ocean of data.

The vulnerability of centralized communications is what led to the compartmentalized design of the Internet, itself a child of the Cold War intended to survive a nuclear holocaust. Imagine if that was the case for Equifax: instead of a single house breached with millions of records, each of us individually would hold the access and give permissions. Each of us can become a compartment, a data-tight cell holding our information safe from the rest. Even if other cells are breached, we would remain intact and operational.

I am sure the big guys will disagree but I wonder... did the dinosaurs know they were doomed?





