Some IT security risks when using Darkside
Short summary (TL;DR)

Given the context in which Darkside is used, certain risks that one usually ignores on other social networks may become more relevant here. This document aims to highlight at least two of them: gallery material downloads and verification/friend stuffing. For obvious reasons, you will not find specific methods to exploit any of these issues in this document (unless the method is obvious). This document may be updated later as more operational security issues become relevant.

Introduction

In one of my diary entries, I already wrote (in Swedish) about some of the issues involved in using Darkside, especially when it comes to gallery downloads. There are some other relevant issues, though, for example sybil attacks as a way to inflate trustworthiness measurements. Hopefully, after reading this document, you will be more aware of the different risks involved in using social networks like Darkside. Needless to say, although the document focuses on Darkside, these issues are present on any other social network with open registration, as they are implicit in its design.

Gallery downloads

If you can see it, you can copy it. ― Pirate saying

Although Darkside has certain techniques to make copying pictures from the gallery harder, it is still possible to copy the content. The simple and obvious way is to take a screen capture (which is how this is usually done), although more advanced techniques exist to copy the original image or video. This risk is unavoidable since Darkside needs to pass the content to your browser in some way so it can display it. Consequently, even if Darkside encrypted it, the content would need to be decrypted in the browser before being displayed, allowing the attacker to simply replicate the decryption process.
The term for this kind of approach in the IT world is DRM, and even the approaches used by large companies (like Netflix or Disney) can be bypassed by an individual with the appropriate tools.

Controlling risks

An old saying states that the best way to keep a secret is to never share it. Second best is sharing it only with those who need to know. After all, once somebody knows a secret, it is only their ethics and intentions that prevent them from sharing it.

When it comes to limiting who can view your diary entries and pictures, Darkside offers two ways: a denylist (bad approach) and an allowlist (good approach). No matter which approach you choose, you should assume that anybody able to view your pictures has a copy of them and decide how to act accordingly.

Let's start with allowlists. Darkside offers you the possibility to create lists to limit who can view your pictures or diary entries. Once you have created a list, you can choose it using the "Custom" visibility option for a specific entry or gallery. There you also have other options for your convenience, including friends, public friends of friends, and people with 2 or 5 verifications (trusting this last option is a bad idea since people could artificially raise their verification number, as I will explain later). These options are additive, that is, an account that matches any of the criteria (or lists) you select will be allowed.

The other option is denylists. These affect all your publications and your profile and are created simply by blocking members. Since a blocked member can still create a new account, block lists do not really fulfill their purpose and should only be used as a secondary measure to keep somebody away from your entries.

Validity of verification/friendships

You don’t get to 500 million friends without making a few enemies. ― The Social Network movie tagline

A very different issue is sybil attacks.
You have already seen an example in the prior section, with a blocked member creating a new account. The question is: what happens if many accounts are created instead? These accounts could then "verify" each other and be friends with each other, so you would end up seeing an account with a lot of verifications and friends. In that case, fake accounts verifying and befriending each other can be made even less obvious by automatically generating their content.

In conclusion, the problem is that, since anybody can verify others and, similarly, anybody can mark others as friends, neither of these measurements should be used as a way to trust the person behind the profile.

Controlling risks

It is always up to you to decide who to trust and how you decide to trust them. In the library you will find various guides covering this.

You could still use friendships/verifications in a different way to be a bit more secure: checking who has verified/befriended the person. Accounts do not have control over who verifies them, and therefore seeing a lot of fake accounts among the verifiers should not be a red flag in itself. Instead, you should look for people you know and trust in the list of verifiers. Friendships are mutual, so a large number of bots (and other "suspicious" patterns) should raise an eyebrow. Nevertheless, you should still check for shared friends instead.

Also, before trusting the judgment of your friend, it is never a bad idea to ask them about the other user. It could be that they met the person long ago or that they have forgotten they verified/befriended said person.

So, to sum things up, look for people you know in the verifier/friend lists and ask them about the profile!

Breaches and hacks

You thought your secrets were safe. You were wrong. ― Hackers movie tagline

I would like to finish by mentioning the elephant in the room: breaches and hacks.
As with any other service, Darkside may be affected by vulnerabilities which could allow attackers to expose any data you have uploaded or allow them to modify or delete any data in Darkside. Said vulnerabilities might expose information even if you have marked it so that it is only accessible by you. Similarly, your account could be hacked either by guessing your password or because somebody has accessed or compromised the device (computer, phone, tablet...) you use to visit Darkside.

Controlling risks

Regarding breaches, there is not much you can do other than to avoid uploading to Darkside any data that you want to keep only to yourself. It is unclear how data elimination policies work (data can survive on backups, for example), so deleting uploaded data does provide some security but never as much as never uploading it in the first place.

Similarly, when it comes to passwords, you should use a long password that has no relation to you or your environment. Ideally, you should use a password manager to generate and keep track of your password for you. Since this might not always be possible, you can use systems like Diceware to generate your password. You should not trust web applications other than Darkside with generating or handling your Darkside password, since they could simply store the password for attackers to use.

Finally, regarding devices, you should always keep your device and the browser up to date and not allow people you don't trust to use them (or, ideally, ensure only you use the device).

Conclusions

The best approach to protect your pictures/entries is to never upload them. Despite that, since you might want to share them, you should use allowlists to control who can see those pictures you would not want to be completely public. Remember that anybody who can see your pictures or diaries can keep a copy of them.

Similarly, you should not use the number of friends or verifications as a measure of trustworthiness.
Instead, check whether you know any of those who have befriended or verified said person and ask them about that person.

Finally, be careful to use a long password not related to you or your environment, keep your system and browser updated, and prevent people you don't trust from using your device (preferably, nobody at all should use your devices).

Keeping these things in mind, your Darkside experience will probably be safer and you will avoid some undesired surprises.

EDITED: Removed mention of the legacy allowlists since these now work exactly the same as the newer ones.
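
The following Python sketch is an added example, not part of the original guide and not Darkside's code. It models the additive visibility options and the sybil problem from the "Controlling risks" and "Validity of verification/friendships" sections; the `Policy` class, the account names and the verification data are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: account -> set of accounts that verified it.
SYBILS = {f"sybil{i}" for i in range(1, 6)}
VERIFIED_BY = {name: SYBILS - {name} for name in SYBILS}  # cluster verifies itself
VERIFIED_BY["mallory2"] = set(SYBILS)  # blocked member's fresh account
VERIFIED_BY["alice"] = {"bob"}         # a single verifier, but one I know


@dataclass(frozen=True)
class Policy:
    """Hypothetical model of the additive "Custom" visibility options."""
    custom_list: frozenset = frozenset()
    friends: frozenset = frozenset()
    min_verifications: Optional[int] = None  # the "2 or 5 verifications" option
    blocked: frozenset = frozenset()         # denylist


def verification_count(account):
    """The raw number a profile would display."""
    return len(VERIFIED_BY.get(account, set()))


def can_view(viewer, policy):
    """Blocked accounts are refused; otherwise matching ANY criterion is enough."""
    if viewer in policy.blocked:
        return False
    if viewer in policy.custom_list or viewer in policy.friends:
        return True
    return (policy.min_verifications is not None
            and verification_count(viewer) >= policy.min_verifications)


def trusted_verifiers(account, people_i_trust):
    """Verifiers of `account` that I personally know, instead of a raw count."""
    return VERIFIED_BY.get(account, set()) & set(people_i_trust)


COUNT_BASED = Policy(min_verifications=5, blocked=frozenset({"mallory"}))
LIST_BASED = Policy(custom_list=frozenset({"alice", "bob"}),
                    blocked=frozenset({"mallory"}))

if __name__ == "__main__":
    for viewer in ("mallory", "mallory2", "alice"):
        print(viewer, verification_count(viewer),
              can_view(viewer, COUNT_BASED), can_view(viewer, LIST_BASED),
              sorted(trusted_verifiers(viewer, {"bob"})))
```

In this model the blocked account is refused under both policies, but its replacement account passes the count-based one. The explicit list and the trusted-verifier check give the same answer no matter how large the sybil cluster grows.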
Explanation of some commonly misunderstood security risks in Darkside, including picture download and verification/friend stuffing, and how to mitigate them
Added 3 Jan 2023. Guides, tips and instructions. #Samhälle #Vår kultur #darkside #opsec #itsecurity