Jan 7, 17 / Aqu 07, 01 12:20 UTC

Security concerns  

With the recent "don't share your ID" notice I started wondering about how Asgardia treats online security issues. Not very well in my opinion, at least as far as I can tell, since nobody really addressed any concerns raised by me or others. First let's talk about this ID Number. It was sent to us in an email, as plain text. Now, whatever the server that sent it does, as soon as a plain text email is out on the internet, it's practically defenseless. Which means that every device between there and our computers had a chance to read and store it. Now, because it has the line ID Number followed by a number in it, it's probably stored by countless bots immediately and linked to our names and email addresses; by now everybody doing data mining has it all over the world. Services like Gmail and Outlook can also read and store unprotected emails, and although there might not be a single person who ever reads any of them, their algorithms certainly scan and fetch seemingly important information. Not to mention that in many countries all service providers are legally bound to make all information stored on and going through their servers available to the authorities, which is not just unethical but also a serious security risk. So there's a 99.99% chance that none of our IDs are actually private anymore; if this ID will be used as a future method of validating our identity, they are already compromised. Also the emails were not just unencrypted, they didn't even have digital signatures. There's a reason why no authority, bank or any serious organization sends or asks for sensitive information by email. So why does Asgardia?

Furthermore, what does Asgardia do to protect our identities and personal information anyway? We don't know where the servers are (or, if there are no dedicated servers owned by AIRC, who hosts everything we use), what security measures they take against attacks, how they keep Google and other search engines out, what Asgardia will do when some authority asks for its database containing our personal information, etc. Even this website uses the Let's Encrypt service, which is fine for private use of a single person's own website but very far from what you'd expect from a project that intends to create a new nation in the future.

I know this is the beginning, but every serious undertaking must have a detailed plan, especially if it concerns online privacy, and even the initial stages must have appropriate security measures to protect the participating individuals and address their concerns.

Jan 7, 17 / Aqu 07, 01 14:02 UTC

Hello Korvin!

Thank you for raising your concerns. I agree that they are very serious.

I do not have a full answer for you so I am waiting for Asgardia Official to give me answers that I can pass along to you. Please have patience as this may take a couple of days.

Thanks! Rebekah Berg, Lead Community Administrator, Asgardia

Jan 8, 17 / Aqu 08, 01 13:17 UTC

How they treat security issues? Apparently they just lift up the carpet a little bit, sweep it under and then hope it goes away. I asked for much of this information, and more, weeks ago.

Yes, the use of email for "sensitive" data isn't generally considered intelligent - the plaintext nature of the transmission being the cause. It's not probably stored, it's assuredly picked up by many long term data storage and analysis projects, state level, corporate, and independent. It's not a 99.9% chance, it's a 100% chance.

Why does Asgardia attempt to send such information through such mediums? Probably the same reason they allowed a commercial spam engine to collect citizen data when they first opened up, and the same reason they thought Amazon's public cloud was a sane place to store data, and the same reason they entertained the use of Facebook, and the same reason they thought it clever to deploy services with no form of assured authentication, the same reason they thought they would have no use for ticketing services, the same reasons they have made no attempts to address anything commonly addressed before undertaking such an effort, etc. etc.

Complete lack of thought applied to the task in hand, and no care taken to consider the consequences.

The server is hosted in Germany, specifically Hetzner's DC - I'm unsure if it's colo or dedi. Unsure if locked cage. Even if it is a locked cage I suspect no measures have been taken to sanitise hardware on the attempt of forced entry, and with previously demonstrated abilities I would honestly question if they understand what FDE is, let alone applied it. CA authority, tbh, is kind of trivial - as long as you can ascertain the fingerprint you're being served is actually valid. The fewer third parties trusted the better, IMHO. As well as making that fingerprint known (and keeping it updated) they possibly would be wise to think about displaying a warrant canary.

There's been no effort to keep search engines out, and no efforts made to provide a private area that isn't under public review.

I know this is the beginning, but that's no excuse. With that sort of attitude to deploying things, expect a lot of deaths when we finally get into space.

  Updated  on Jan 8, 17 / Aqu 08, 01 13:24 UTC, Total number of edits: 1 time
Reason: typo
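The post above argues that the choice of CA matters less than being able to confirm that the certificate fingerprint you are actually served matches a published one. The following is an added example (my own code, not anything from Asgardia or from this forum) of how a client can do that check: it hashes the DER-encoded leaf certificate with SHA-256, normalises the published fingerprint so that both colon-separated and bare hex forms are accepted, and compares in constant time. The `fetch_leaf_cert_der` helper is for live use against a real host; the sample DER bytes and the hostname `example.invalid` are constructed placeholders, not real certificate material.

```python
"""Check a served TLS leaf certificate against a published SHA-256 fingerprint.

Added example; not code from Asgardia or from this thread.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def normalise_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and return lowercase hex with no separators."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the form browsers and openssl report as the fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison so a mismatch does not leak how many leading bytes agreed."""
    return hmac.compare_digest(sha256_fingerprint(der_cert), normalise_fingerprint(expected))


def matches_any_pin(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Allow more than one published fingerprint so a key rotation does not lock clients out."""
    return any(fingerprint_matches(der_cert, pin) for pin in pins)


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a normal TLS connection (chain still validated) and return the leaf cert in DER form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed placeholder standing in for a DER certificate; a real check would
# pass the bytes returned by fetch_leaf_cert_der().
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"

# A published pin in the colon-separated form people usually paste from a browser.
PUBLISHED_PIN = ":".join(
    sha256_fingerprint(SAMPLE_DER)[i : i + 2].upper() for i in range(0, 64, 2)
)

if __name__ == "__main__":
    print("served fingerprint :", sha256_fingerprint(SAMPLE_DER))
    print("published pin      :", PUBLISHED_PIN)
    print("match              :", fingerprint_matches(SAMPLE_DER, PUBLISHED_PIN))
    # Live use would be: matches_any_pin(fetch_leaf_cert_der("example.invalid"), [PUBLISHED_PIN])
```

The chain is still validated by `create_default_context`, so the pin is an extra check on top of the CA, not a replacement for it; publishing a short list of pins rather than one is what makes a planned rotation survivable.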

Jan 8, 17 / Aqu 08, 01 21:33 UTC

Security is important. MySQL is not secure.

Jan 9, 17 / Aqu 09, 01 03:01 UTC

Sure it's MySQL and not Maria? Or PostgreSQL ... or SQLite...

Commonly, SQL isn't the failure as much as the implementation of higher layer technologies that interface with it - like the website itself, or other software requiring access.
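The reply above makes the point that the database engine is rarely the weak spot; the application layer that builds queries is. As an added example (my own code, not anything from the Asgardia site or from this thread) the block below puts a string-built lookup next to a parameterised one against an in-memory SQLite table. The table, the two constructed rows and the field names are invented for the demonstration; the same distinction applies to any engine, MySQL included.

```python
"""String-built query beside its parameterised form, on a constructed SQLite table.

Added example; not code from the Asgardia site or from this thread.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (id INTEGER PRIMARY KEY, email TEXT NOT NULL, id_number TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO citizens (email, id_number) VALUES (?, ?)",
        [("alice@example.test", "ID-0001"), ("bob@example.test", "ID-0002")],  # constructed
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> List[str]:
    """The defect lives here, in the web layer: user input is spliced into SQL text,
    so the database faithfully executes whatever structure the input adds."""
    sql = f"SELECT id_number FROM citizens WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    """Same query with a bound parameter: the input is always a value, never SQL."""
    sql = "SELECT id_number FROM citizens WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # a value that is only a problem if the application concatenates it
    print("unsafe:", lookup_unsafe(db, probe))  # every row, regardless of email
    print("safe  :", lookup_safe(db, probe))    # no such email, empty list
```

The fix is entirely on the application side: the engine and its configuration are unchanged between the two functions, which is exactly why auditing the website code matters more than asking which SQL server sits behind it.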

Jan 10, 17 / Aqu 10, 01 02:21 UTC

Hello!

I just wanted to follow up, your questions have been seen internally and have been posted for input from the team. I cannot give an exact time frame in which a reply will be forthcoming but they are very much aware of your concerns.

Kind regards, Rebekah Berg, Lead Community Administrator, Asgardia

Jan 10, 17 / Aqu 10, 01 09:39 UTC

Asgardia First Nation in Space

Well I may as well chime in here, this being my first post. It is the responsibility of all Asgardians to educate themselves, at least to the point of having some common sense in how they submit their personal information. I treat this no different than I treat my online banking.

Personally I would never submit personal information if possible over an unencrypted network. Which is why I sent my form through a VPN tunnel. As time goes on I am confident that clearer security protocols will be more forthcoming. But we have to realize that this all is very much a work in progress.

With that said, this is actually an area I'm quite interested in, not to mention one I feel is certainly very important. However, much like our new nation is going to be something never attempted before, I feel we need to take that same mindset to everything we do. Just as Tim Berners-Lee, a British scientist at CERN, did when he invented the World Wide Web.

Anyways, without getting into too much detail for now, it is my absolute honor and privilege to be part of this community. Something which I never felt I'd have the opportunity to contribute to in my lifetime. So with that said I look forward to what the future has for our new nation. :)

Jan 11, 17 / Aqu 11, 01 00:34 UTC

First up, this has definitely been done before. The only "new" angle being "in space".

The VPN only really protected you from your ISP - which should in theory have been unable to penetrate the TLS (assuming they can keep this master key secure) which naturally wraps the website - your exit node is still just as likely tapped, as it's the backbone nodes where the intercepts happen. I'd assume you'd sensibly have this deployed two hops or less from... The real worry is what happens to the data when it gets there. There's already an alarming array of fail demonstrated on this subject, and the way they are not publishing details - even when expressly requested - regarding pretty much anything doesn't help increase the already shattered trust. It just increases the perception they have literally no clue what they are doing, just acting without thought to what they are doing, why, or the consequences.

The way they haven't taken advantage of the assistance offered is at best irresponsible. With other people's data. I'm not suggesting everyone has root access, or anything stupid. I'm not even suggesting they should have write access, or even an account to login to the shell. It's clear there's a lot more people thinking about things a lot deeper, and likely in a lot of cases - better. That should be leveraged. Only a simpleton would not take advantage. What I seem to be able to deploy in an hour seems to take them weeks, so if that was scaled up to community level input almost any task could be completed in under an hour and then begin heavy mass testing, ready to move from the dev server to the production server in much under a week. For a bare minimum, as a community the most intensive phase - testing - could be achieved in a few hours and cover more than that small team could achieve in weeks. Sensibly, a mirror service would have been provided loaded with testing data in order that the security analysts and pentesters in our midst can freely take a swing at it without impacting services.

The timeframe in which it's reasonable to expect a response with regards to questions of a security nature would be instantly. As if this was actually considered beforehand, then all the materials required to be published would already exist. Should these already exist, and they are not being published, that would suggest there's a large number of problems they are aware of, but haven't fixed - and put it on the production server anyway for use, which IMHO is actually worse than not looking for defects in the first place. The delays otherwise suggest that this topic is only just now being approached and only just now being researched - the systems currently audited so they can see and fix the defects before they run the audit again in order to provide a nice clean sheet that makes them look competent.

Jan 12, 17 / Aqu 12, 01 16:08 UTC

Already at this point, and after having tried to get data in several posts, I think they aren't interested in participation outside the existing IT team. I don't know why this happens or what is the thought that is leading them to not use the most important resource currently on the planet, human knowledge.

Surely needless to say, but I would rather someone publicly say that this is an issue that wasn't initially considered and start working right now.

Anybody can make mistakes; I'm the first to make mistakes day after day. The important thing is to recognize it and move on.

Jan 12, 17 / Aqu 12, 01 17:34 UTC

If poorness of skill is an indicator, we could measure it by the quality of the delivered work at the website. I would change a lot here, to turn it into a secure environment (regardless of where the servers are) and to turn it into a website that represents a nation, not a space project or something.

And please, don't expose any server software related information on a publicly accessible forum.

  Updated  on Jan 12, 17 / Aqu 12, 01 17:36 UTC, Total number of edits: 1 time