16 February 2017

The web of vulnerabilities

The ecosystem of spies, criminals, and companies that compete to find and exploit software defects.


Software on smartphones, computers, and commercial equipment is riddled with defects. While tech companies regularly update products to fix known vulnerabilities, these flaws give attackers new ways of infiltrating emails, corporate networks, or critical infrastructure.

It’s not just malicious hackers who use vulnerabilities. Cybersecurity firms, tech companies, law enforcement agencies, defense contractors, and governments worldwide take advantage of them, too. Security flaws may give federal agents ways to infiltrate terrorists’ digital communications or track criminals’ smartphones, but they can also be deployed to spy on journalists, activists, and dissidents. And because bugs are so valuable, the hunt for them is driving a multimillion-dollar industry.

In a joint project between The Christian Science Monitor’s Passcode team and Northwestern University’s Medill School of Journalism, we explore the growing arms race to discover software vulnerabilities – and what it means for national security and everyone’s digital privacy and safety.

The best defense: How to improve your digital security

Want to control your own digital security? There’s a wide array of options for secure messaging apps, email services and browsers that help you do it yourself. - Anna Waters & Jack Detsch

Privacy-conscious search engines: 

DuckDuckGo is a search engine that does not profile users or personalize their search results. There are nearly 11 million searches per day on the site.

Startpage, a search engine that uses Google search results but allows users to open all search results via proxy, is another option. 

Encrypted email services: 

Tor Mail is an anonymous email provider based on the Tor network (which is required to use this email service). 

Lavabit is an encrypted email service once used by Edward Snowden that opted to shut down instead of complying with a US government request to hand over its encryption keys. It’s now back online, and plans to launch end-to-end encryption later this year.

Proton Mail is an automatically end-to-end encrypted email service with servers based in Switzerland that doesn’t require users to hand over any personal information to create an account. 

Kolab Now is a Switzerland-based groupware service and web-based email. 

NeoMailbox is another Swiss email service that provides IP anonymity, spam and virus protection and disposable addresses hosted at a personalized Swiss domain name. 

CounterMail is a Sweden-based end-to-end encrypted email service. 

Other end-to-end encrypted platforms: 

Signal is a service that says it automatically encrypts messages and does not have access to their contents. Signal has earned praise from anti-surveillance activists Edward Snowden and Laura Poitras. 

WhatsApp has also made the same end-to-end encryption protocol used by Signal the default for all communications on the service.

Facebook Messenger: Though it’s not a default, you can also opt in to end-to-end encryption by going to your settings and turning on the “Secret Conversations” feature, which allows users to send secret messages from one device.

Dust also automatically deletes messages from users’ phones as soon as they are read.

Wickr has a similar timed deletion feature. 

Adium, another end-to-end encrypted messaging program, allows for encrypted chats across multiple networks for Mac users. 

And if you want to encrypt your browser yourself, you can install Tor, which keeps users anonymous using hidden relay servers. 

Dragon also has domain and URL filtering systems, and is set up as a more secure version of Chrome or Firefox. 
