'Likes' for money | Cryptography in the time of quantum
CyberInsights #133 - Inside a business model that sells 'likes' | Industry goes into implementation mode of post quantum cryptography
How many followers do you have?
Sadly, whatever gets measured, gets done. A look at deep and dark ‘like’ factories that get you more likes and followers.
I spent an inordinate amount of time trying to figure out if this article has anything to do with cybersecurity at all. After all, CyberInsights focuses on 2 cybersecurity articles a week, right?
Despite my doubts, I decided to have this as a part of this edition. ‘Integrity’ is a part of the holy CIA (Confidentiality - Integrity - Availability) triad of cybersecurity. Buying and selling likes impacts the integrity of a post on social media.
It’s a grim reminder that Black Mirror’s episode ‘Nosedive’ is how some people live their lives.
When you chase ‘likes’ on social media, eventually, there will be a business that will sell those likes. There are businesses in South East Asia flourishing on selling likes [LINK].
What I found interesting was that these organisations invest large amounts in the infrastructure required to connect thousands of phones together to speed up the process. Another interesting point is that the people doing the work do not believe that they are breaking the law. It’s just another boring job for them.
Take Action:
This is more of a philosophical post, so I ask you to contemplate the impact of this article. First, you will begin to question everything you see on social media. Is that restaurant really worth going to, just because it has a million likes? What is the truth? Is there anything that can be called the ‘truth’ anymore?
If you are a cybersecurity, privacy or ethics professional in technology, study the impact that these types of click factories have on people. If you are a business that displays ratings (likes, stars, etc.) on your website, what steps can you take to avoid fake profile boosting? I am sure that big tech has some tricks up their sleeve, but they might not be very effective.
Cryptography to protect us from quantum computers
Easy-to-use quantum computers are not available yet, but the fear of quantum computers breaking cryptography as we know it is real. Some companies are implementing what is known as post-quantum cryptography (PQC).
A few days ago, Apple added PQC to iMessage [LINK]. A few months ago, it was Signal that led the brigade [LINK]. And then it was Tuta Mail [LINK].
Then I could not resist. I had to try and understand what is happening.
The Apple blog is a good starting point to understand PQC. The first question to answer is this: If there are still no quantum computers, why start using PQC?
The attack vector that PQC prevents is an attack called “Harvest Now, Decrypt Later”. This is easy to understand - collect all encrypted messages and store them in huge servers, so that you can decrypt them later, when the technology is available. It is a bit like storing your DNA by using cryonics in the hope that in the future, there will be technology available to resurrect you.
Data gets encrypted using two keys - a post-quantum Kyber-1024 key encapsulation public key and a more run-of-the-mill 256-bit ECC (Elliptic Curve Cryptography) key.
In 2022, NIST announced the first 4 quantum-resistant algorithms [LINK]. Out of the algorithms, the one that seems to have caught the fancy of implementers is the Kyber protocol in hybrid mode [LINK].
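To make "hybrid mode" concrete, here is an added example (not code from Apple, Signal or Tuta Mail, and not their actual protocols) of a generic hybrid key establishment: a P-256 ECDH secret and an ML-KEM-1024 secret (the NIST-standardised form of Kyber-1024) are fed together into HKDF, so the session key stays safe unless both are broken. It assumes Go 1.24 or later for crypto/mlkem and crypto/hkdf; the function names and the info label are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine derives one 32-byte session key from both shared secrets.
func combine(ecdhSecret, kemSecret []byte) []byte {
	ikm := append(append([]byte{}, ecdhSecret...), kemSecret...)
	// "hybrid-example-v1" is a constructed label, not taken from any real protocol.
	return must(hkdf.Key(sha256.New, ikm, nil, "hybrid-example-v1", 32))
}

// hybridExchange returns the key each side derives, plus both raw secrets.
func hybridExchange() (senderKey, recipientKey, ecdhSecret, kemSecret []byte) {
	// Recipient publishes two public keys: P-256 (ECC) and ML-KEM-1024.
	rEC := must(ecdh.P256().GenerateKey(rand.Reader))
	rKEM := must(mlkem.GenerateKey1024())

	// Sender: ephemeral ECDH plus a KEM encapsulation to the recipient.
	sEC := must(ecdh.P256().GenerateKey(rand.Reader))
	ecdhSecret = must(sEC.ECDH(rEC.PublicKey()))
	kemSecret, kemCiphertext := rKEM.EncapsulationKey().Encapsulate()
	senderKey = combine(ecdhSecret, kemSecret)

	// Recipient: recomputes both secrets and derives the same session key.
	rECDH := must(rEC.ECDH(sEC.PublicKey()))
	rKEMSecret := must(rKEM.Decapsulate(kemCiphertext))
	recipientKey = combine(rECDH, rKEMSecret)
	return
}

func main() {
	s, r, ec, _ := hybridExchange()
	fmt.Println("both sides agree:", bytes.Equal(s, r))
	// Recovering only the ECDH secret later does not yield the session key.
	fmt.Println("ECDH secret alone suffices:", bytes.Equal(combine(ec, make([]byte, 32)), s))
}
```

This is the property that matters against "Harvest Now, Decrypt Later": a recorded exchange only becomes readable if the attacker can recover both the elliptic-curve secret and the Kyber secret.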
Take Action:
It seems a little complex at first, but if you stick to the basics, things start to get clearer. Read through the Apple blog post first. Then read the NIST release and follow it up with the Signal post.
I do not see the necessity for organisations to rush through with implementing PQC, so just watch the space - unless you have that kind of attack vector targeting you.
Buying likes certainly stretches the concept of what is considered ethical or moral.
In this particular case who wins or loses?
The brand or an individual benefits because it helps boost their profile.
The business makes money for increasing the brand engagement.
The bot developers make money.
The people who spend time doing random clicks get money for their effort.
Who loses?
The other brands or people who put their money on people or companies by looking at such metrics.
The people who get overawed with the count of followers and associate the account with popularity and reliability and may end up becoming a part of the herd or transacting with the brand.
There is definitely a reputation risk to the brand or company that engages in this practice, if this becomes public knowledge. So my key takeaway as a risk manager would be to advise the business not to indulge in such practices.