Seeing Like a Network
Don’t call it threat modeling
Practical privacy and security is just a part of digital literacy. Right now, for most people, learning how their computers work seems hard enough; learning how the network works seems impossible. But it’s not; it’s just learning a new perspective about the world we live in.
A lot of us are scared of computer threats, networks, and the internet, but we don’t have to be. The new tools we use every day should be scary exactly the same way being handed a free Ferrari is scary. Kind of intimidating, but mostly awesome. And you’ll have to learn a thing or two in order to not end up wrapped around a tree.
Digital literacy is getting a sense of your networks. It’s like learning a new city, invisible but beautiful, and baffling when you don’t know how a new city works. But then, as you roam around, it can start to make sense. You get more comfortable, and in time, your rhythms come together with its, and you can feel the city. You can cross the street safely and get what you need from the city. You can make friends there, and find safety, and love, and community. We all live in this common city now, and we just need to learn to see it.
We live in an age of networks, and it’s an amazing age.
We live with and in networks every minute of every day. These networks lie over each other and touch all over the place. Once we start thinking about them, what they’re shaped like, where we are in them, our contemporary world starts to make more sense. Consider this partial list of networks we live in, and think about where you are in them at any given moment:
- internet (obviously)
- cell tower networks
- telephone wires
- road networks
- electrical grids
- cable networks
- legal networks
- manufacturing networks
- material goods distribution, shipping
- water and sewage
- social networking sites
- social networks (different thing!)
- food networks
- etc. ad nauseam
Networks have shapes and geographies, and once you can see them you can use them. Many of these networks work together. It’s useful to think about how they interface and how you traverse the interfaces between networks. The internet lies over telephone networks, cable networks and cell towers, and all of them rely on the electrical grid to function. It interfaces with shipping and manufacturing when you order something off the internet, financial and legal networks to manage payment, and uses a road network to arrive. You connect all that to social networks when you tell your friends about it, looping it all back to another part of the internet if you tell them about it on Facebook, which is a social networking site.
Networks overlay each other and touch each other and affect each other all over the place. In this phase of human civilization the interaction of the vast networks we’ve built is just about where everything happens. Understanding how networks function isn’t esoteric specialist knowledge any more than being able to read is.
Think about what a network sees when it sees you. On some you look like a billing point, little more than an amount of money, with an individual ID number. On some you look like a series of paths — think about cell phone towers and ATM withdrawals. In a medical network, you look like a series of diagnoses, vital statistics, and a place where medical professional time and drugs vanish. That’s what the you-shaped hole in that network looks like. To the electrical grid your house looks like a point where power vanishes and money comes out. On a smart grid, that portrait is a little more complex. What do you look like on a phone network? You look like data, metadata, and paths from tower to tower.
Oh, cell phones, so scary and so wonderful. We’ve learned in the last couple years that our smart phones are tracked and tapped, and that’s the scary part. But the phones themselves are amazing. We have the sum of human knowledge in our pockets, the explicit parts on the net, and the implicit parts when the right person picks up on the other side. It’s not always easy to get to either, but wow, what an amazing thing to be true. How many kings and philosophers of old would have given their lives for 10 minutes with your smart phone? And that’s all yours, for a monthly contract with a shitty telco.
Phones can only work when they know where they are and are telling the phone company that. It’s not surveillance, it’s how radio waves work. This is the first reason for the network to work the way it does. The second? Billing. In fact, most of the surveillance networks in the world weren’t built to surveil at all, but to make things work at a fundamental level, and to bill people. Surveillance and intrusion are opportunistically inserted into good infrastructure.
The internet also has to know where/who you are, through something your service provider gives your computer called an IP number, and the internet does amazing things with that knowledge. It allows you and other people to put things on and get things back from the internet — and the vast majority of those things are empowering to you. Your computer has a bunch more senses than you have, network senses, and it serves you completely, which is pretty neat. It senses different kinds of information coming off the network, and translates those into meaningful things for you, like webpages and instant messages. Most of its sensing work is something you never see.
The internet and its constant signals are based on a simple way of passing around information. It’s called packet switching and it’s a lot like passing notes in 8th grade homeroom — it can take a while, and go through a lot of hands. From the moment you start your computer, it’s reporting in with all sorts of things on the net, but instead of one long note, computers pass out many tiny notes called packets. You don’t want to look at all those notes, either on the net or even the ones your own computer is sending and receiving, any more than you want to study whales by looking at their cells. (Which is to say sometimes you do, but you don’t really see the whole whale that way.)
Communicating and Cryptography
The problem with passing notes in 8th grade homeroom is that anyone who gets a hold of them can read them, see where they come from, know who sent them. People can find out who has a crush on whom, and if the teacher intercepts them, it’s detention for everyone involved. Packet switching networks have all the same problems, even if who plays the nodes and teachers is different. The internet solves this the same way I did in 8th grade — by writing the notes in code.
The main tool computers have to communicate privately is cryptography. It’s taking things and scrambling them up (encrypting them) with a mathematical key, which only the computer on the other side of the net, the one you’re sending the message to, can decrypt.
It’s exactly like writing things in code, but codes you only share with the person or machine you want to be able to read them, or that you want to be able to read yours.
You use encryption all the time; you use it whenever the browser address is given in https instead of http. (We call this TLS or sometimes SSL, because computer scientists are terrible at naming things.) Just like 8th grade homeroom, on a network where everyone shares the same space, encryption is the only way to ever be private. (Encryption is largely based on something else you discovered in school: some math is really easy to do, but undoing it is really hard. Remember how you got the hang of your multiplication tables, but then along came division and factoring, and it was much harder and just sucked? Turns out computers feel exactly the same way.)
Every message you send out, whether it’s one you see or one you don’t, has your identity tied to it, and every one you get also tells the story of where it’s from and what it’s doing. That’s all before you get to the message you care about — that’s still all metadata. Inside of messages is media, the words and pictures we think of as our information.
What do passwords have to do with cryptography?
Nothing. In fact, if you go back to passing notes in class, passwords can get passed around in clear text like anything else. Passwords authenticate you, they tell the computer that you are who you say you are, but they don’t encrypt or hide or secure you in any way. That’s why you need your passwords to be encrypted before they go online. Authentication is very important for getting things done on a network, since anyone can say they’re you, and because computers are fast, they can say it 6 million times in a row until they get believed. This is why we talk about multiple factors of authentication. A password is a thing you know, but when you turn on two-factor authentication on Google, Facebook, Twitter, etc. — which you should do — the other side of the network relies on both something you know and something you have, like your cellphone. That means in order to break your security and privacy, a thief would have to know your password and have your phone. This is a lot harder, and makes the majority of attacks go away.
Why do we constantly tell people not to reuse passwords? Because you have to trust the people who save it on the other side of the network to not screw up, and the network not to expose the password in transit. That’s a lot of trust, and your casual gaming site isn’t going to work as hard to protect you as your bank is, so don’t use your bank password to save your Bejeweled scores.
Malware, Viruses, Trojans, and Other Nasty Things
Here is the history of computer science in three sentences: One day, a man named Alan Turing found a magic lamp, and rubbed it. Out popped a genie, and Turing wished for infinite wishes. Then we killed him for being gay, but we still have the wishes.
Computers as we know them are what’s called Turing complete, which means any of them can do anything any other computer can do, given enough time. It’s the computational equivalent of having infinite wishes, even if sometimes it’s a very slow genie that glitches and runs too hot on summer days. But still! Your own personal genie!
You are the immensely powerful Master of The Genie in your life, your computer. You are a magic person to your computer, which we call the administrator, or sometimes superuser, or root, instead of Supreme Master of the Universe, as it should be. (Again, computer scientists missed the ball on naming things.) You have the right to do anything you want on your computer, which is fantastic. You can take pictures and talk with people and record everything you do and tell the world everything you want. You can use it to paint and talk and record your innermost thoughts and even make another computer inside this computer, because you still have infinite wishes. This is one of the most powerful things humans ever created, and you’re currently surrounded by them, and the total master of yours.
But that means that anything that pretends to be you also has the right to do all those things. That’s where problems come in — where things come to your computer and pretend to be you. We have many names for these things: viruses, trojans, spyware, malware, etc. They can record everything you do, take pictures, tell the world, and even make another computer inside your computer — but only because you can do those things. They can only steal your power by imitating you.
How do they do this? Your computer can get passed a note from the network that says it’s from you, and this note tells your computer to do things you don’t want it to do. We call this a security flaw, and it’s why we tell you to do updates — so that your computer can learn to be safe from the very same network. It is the accepted practice of software creators that when these flaws are discovered, they fix them and give everyone that fix. But you have to take the fix — by updating your computer — because you are the ultimate master of this machine.
These days malware mostly comes from bad websites, through your browser, links you click on in emails, or in email attachments. Attacks can come through the net connection itself, but that’s rare.
The other way someone can pretend to be you on your computer is that they can pass you a note that doesn’t do what you think it does. The majority of these come through email. They look like they come from a friend or someone you know, or they just look interesting. There’s a file connected to them, and when you double click that file, you’re telling the computer that you, the all-powerful one, are doing this now, no matter what it is. If that command is record everything I say and send it to a server owned by the Estonian Mafia, well then, the Master of the Genie has spoken! Sometimes malware comes from a friend because your friend clicked on something that wasn’t what they thought it was, and in doing so, gave the all-powerful command to send that thing back out to everyone they know.
There are ways to tell if attachments aren’t what they seem, but they’re not always easy. If you can open them on someone else’s computer, that’s the way to go. This is what you’re doing with them when you open them in Google Docs — which is awesome, because then the bad stuff can be Google’s problem, not yours. But then Google also gets a copy of whatever your friends (or not friends) send you.
This is because your computer is also a copying machine. Everything you see on your computer *is* on your computer, and copied on your computer, and stored and copied, and much of it is a copy from the network, which has multiple copies, and so on. In order for you to do anything on your computer, the information pretty much has to be in two places on your machine minimum already. Then if it’s on the net, and you can see it, it’s on a computer out there in two places minimum, and on your computer in two places, so now it’s in 4 places minimum, and probably more like hundreds or even thousands.
Your computer is a powerful genie of copying and calculating that you are the absolute master of, talking to a world full of other genies, connecting you to all the information and people in the world. Our networks are literally awesome — so huge and powerful and inspiring of awe that it’s a bit scary. It’s a cool time to be alive.
The End of the Beginning
The best part of learning to deal with all the scary threats these days isn’t that you learn how to avoid threats, it’s that you learn how to use the amazing, outlandish superpowers that being part of networks gives you.
It’s the first days of the internet, but the truth is that this is better for normal people than for the megapowerful. The network is ultimately not doing a favor for those in power, even if they think they’ve mastered it for now. It increases their power a bit; it increases the power of individuals immeasurably. We just have to learn to live in the age of networks.
Internet map (in orange) is from The Opte Project.