Q1: While coming up with CNs and promoting the growth and resilience, do we consider data security, and if yes, how do we propose to curb this?
Q2: Is it possible that we CNs can have our own central data centre or private cloud to manage our universal demands such as IaaS, PaaS?
Hi Alphonce, welcome to this community!
Can you share a little bit more about what your concerns are about data security in relation to Growth and Resilience? Do they come from a concrete experience that you would like to share, or any article or conversation that inspired you to dig deeper into it?
PS: introducing yourself can help people have some more context for your question too… you can do it by adding information to your profile and/or by sending a message to this post.
On the matter of having data centers or private clouds, I would recommend you create a separate thread for this topic, as I guess it would be lost in the other conversation and is a topic that many people have things to say about! (me included)
Thank you very much Nico for your follow up.
Just to be precise and on topic, we understand that our community networks are in a better position to solve a number of problems, such as giving internet access to end users, among others. But I am much concerned about the data security aspects, right from availability, integrity, and authenticity. This actually cuts across questions such as: who owns our data, where and how safe is it. As CNs, the need to have our own data centers has ever been a demand, perhaps to locally manage our services, but the underlying factor which is common to all CNs is uniformity of resources, affordability and resiliency, which can be realized when CNs come up with one central Data Centre or Cloud in a way of solving the issues of infrastructure costs. I am interested in how we can have resilient networks by cutting costs.
Eng. Alphonce, TunapandaNet CN
Hi Alphonce
Q1: Educate people in password use, SIM registration and 2FA, I would say. And help those more technically inclined to run servers on their laptops to experiment with and learn from - and to computer security courses online.
Q2: I think this will be most valuable and I am working hard to make server infrastructure freely available for CNs who can’t afford it. We will soon have 4 servers with 16 CPUs each, 64 CPUs in total, and will gladly accept any donations to fill them up with hard drives. They will be connected to a 10Gbps backbone in South Africa, and we should be able to purchase international connectivity for as little as $1/1Mbps. The plan is to create a learning environment for CNs who want to host services or platforms, or share those, or learn about the issues pertaining to those - and it would be great to come up with some standards to share similar infrastructure in other countries - for redundancy and failover. I’d most like to see these redundant architectures - and their failure conditions - well documented.
In a way, the issues you are addressing are exactly what “the internet” is, and what ICANN and the RIRs and the IETF and ISOC and our governments and laws are for. The biggest problem with those is that some people have had parents and grandparents that have saved up and helped them get ahead, and that many services cater to those with money. But technology keeps getting better and more powerful and allows you to do more at the same cost, so it has an incredible democratizing effect.
What I like most about CNs is that we are going back to the very roots of the internet! So from that perspective I think what we do are great learning opportunities - and maybe also an opportunity for us to innovate and find better ways.
As for sharing infrastructure - I have some servers that I will soon put in a datacenter - and I will have a lot of spare capacity - I will advertise it here then you are welcome to use it and we can build things on it together. But until then, you can accomplish a lot by just using an old laptop as a server - or if you can’t find one or you don’t have reliable power or internet to connect it to, you can just hire a server from companies like Linode or Digital Ocean for $5/month - on which you can do a lot. (Although I would much rather make a contribution to a CN’s hosting…)
Then, talking more generally, it was very overwhelming for me to learn about the different scales of things. I think what you are talking about is very important - to keep it simple, for me, I like to reduce security to 4 main areas: Personal Security, Device Security, Service Security and Legal Issues.
I think the item that is relevant to everybody, is the first one - Personal Online Security. The others are more complicated for people to learn about and understand, and it is unfortunately too technical for most people - but it doesn’t need to be and I think that the more people understand it, the more people can help to make the decisions that shape our collective future.
- Personal Online/Internet Security
This is about passwords and identity theft. What everyone needs to understand is that if they put a password on a website, the owner of the website can see their password - and use it to impersonate them at another website. Many services scramble the password, so it’s not that easy for the owner of the website to do this, but it is always possible with the right tools.
What many people don’t realize is that anybody anywhere in the world can try to log into your accounts, and also that anybody can make fake websites that look like the real ones, but are fake.
That is why it is important to have a good password on your phone, and to save your passwords in a password manager so that you can have different passwords for different sites, as well as 2-factor or multi-factor authentication.
What many people also don’t realize is that a computer program can sometimes try millions of passwords per second, and can very easily guess some passwords that you might think are hard to guess - but they are easy for a computer to guess.
I hope we can all come together to make simple videos that we can easily translate (or that don’t need translation) that can explain these issues - and how to identify secure websites and networks - and why it is a very bad idea to click through to a website with certificate problems - unless you are a network technician setting up a network.
You might think it is not too important, for example, if you don’t have an electronic bank account - but someone could even tell the bank that they are you and then get a loan - and then it is up to you to prove to the bank that it wasn’t you, otherwise you have to pay back some other criminal’s loan, according to your country’s law. If your documentation and security numbers and passwords are protected, then it is more difficult for people to impersonate you.
What many people don’t realize is that many games and applications come with hidden programs designed to steal your passwords as you type them. Two factor authentication gives you some protection against this.
There is also the issue of SIM cards and how they are registered - many services nowadays are linked to your phone number. If you did not register your SIM card yourself, then it is possible for the person who registered it to obtain a new SIM card with your number, so that they can receive your OTPs instead of you. What criminals will do is they will do this “SIM swop” after they have obtained your passwords, so they can log into your bank account and transfer your money to them.
Being safe and secure online takes some practice and training. In general, if your phone is updated, and you have registered your own SIM card with your ID Card or Passport, and you don’t have a lot of copies of those lying around, then you are fairly safe - and you are at least somewhat protected by laws.
- Online Device security
This is about your computer or laptop or phone, but because a server in a data center is just a big computer, it applies to that too. For the data center, there are many standards and laws that it needs to comply with before the banks will store their bank account and financial information there, but many do - because the data center is physically secured too - and has very good logs of who is accessing it and cameras to monitor it, and so on, and they pay a lot of people a lot of money to try to guarantee the safety and security.
As for your personal devices - it is important to do updates because the people that make computers and phones make mistakes, and then bad people can use those mistakes to bypass passwords and access your information. But here too, a lot of people are paid a lot of money to fix the problems and find security issues. (If you find a security issue, you can earn a lot of money if you have the right credentials and you report it in the right way.) With every update some of these problems get fixed. For a long time I used to resist updates, because they sometimes also make your devices slower or sometimes they introduce new problems - but there is a big active community of security researchers that expose problems and we can be very thankful for them - the best way for most people to remain safe is to update. Unless you are completely offline of course - but a computer or phone that has been offline for some years, will get hacked within hours of connecting to the internet.
Some people keep a “secure device” for their banking and an insecure device for other things, but not everyone can afford this. In general, the fewer apps you install, the safer you are. But even the smartest, most vigilant people can get caught, so again 2-factor authentication gives you an added layer of security.
- Online Service security
This is the security of a service that you are using, like your bank or a message server - for example WhatsApp’s servers.
Sometimes people who maintain the service make mistakes, or they get robbed - and then your information gets stolen or shared. If you use the Firefox browser, it will tell you if you are logging into a service where the passwords were stolen or sold. If you use a password manager with different passwords for every site, then at least your password will not be able to be used to compromise your information on other services.
- Legal Security
This is to do with the laws of different countries. For example, sharing some information might be a criminal offense in some countries, but not in others - and then people will try to cheat the laws by leasing a server from a data center in another country, or by using a VPN to bypass geographic restrictions, or just download and copy it and don’t share it online. This is mostly applicable to journalists or whistleblowers in countries where people are suppressed by their governments, and we can be thankful for the freedoms that many people fight for, but not everyone is willing to do it, and the issues are very controversial and cultural.
As you know, a server or datacenter is just a computer, and in the grand scheme I don’t think it matters where you store your pictures, whether it is on Google’s server, or your spare hard drive or laptop in a box or cupboard somewhere, or on your community network tower.
The reason for this is that Google has to comply with very strict laws, and if they are caught violating them, they have to pay huge fines. In the US there are a lot of rich people who value justice and who can afford to fight big companies, and we can thank them for keeping the big companies in check. Europe arguably has even stronger laws, so maybe it should be even easier to trust European owned services, but remember that every company is controlled by people, and people can have bad ideas sometimes. Google and other companies are forced to open new companies in many different countries, to comply with all their laws. But it is helpful to remember that often the law is not about right and wrong, but about the rules and who knows them best.
Today we have another layer of security in “decentralized” services that are broken up into millions of different pieces that is almost impossible to tell in which country it is or who it belongs to.
I think there are people in this community who know a lot more about all this than I do, and there are people fighting to keep the big companies from exploiting us that we can be thankful for too. In my opinion the real risk in for example storing all your photos on a big service, instead of your own computer, is that their law enforcement agencies might be able to use it to prosecute you in some countries, even if you did nothing wrong, but just because you did something that your government didn’t like - or in some countries you can be prosecuted for things that your family did wrong. If you are a whistleblower, or you value your privacy and you don’t want the security and guarantees that the laws and cloud services give you, then there are many alternatives.
In addition to these security issues, there are also privacy issues - such as your phone sending your location to many websites and services, and websites keeping and sharing cookies that show about other websites that you have visited - all so that people can find out who you are, and what you want, so that they can sell that information to the people who are trying to sell their products.
Some people like this personalization, and say it makes their life easier and saves them time - and many other people find it creepy, because they were not asked for permission. The EU has forced a lot of companies to ask for basic permission with their “GDPR” laws, and other countries have followed this. This seems like a good thing, but often we don’t feel like we have a choice, which is a bad thing.
The overarching way for me to make sense of this is to realize that our country borders protect us from the experiments in governance that are taking place in other countries, but at the same time that we have a global village in the internet and that there are some issues that can freely go across borders - like information, and that war has become more about ideas than bullets - and I think we can be thankful for that.
It might be possible that someone is building a super smart computer with the knowledge that they can find about everybody, and that they can use that computer to manipulate us to their benefit - but what often also happens is that if this information is being collected, it is often shared and made available to anyone to use, or for research.
If you host your own server or data, it is a good way to start learning about this - and on the other end of the spectrum might be if you are studying data science and you get a well paying job for a big company where they pay you to make their systems smarter.
But I think the most important thing to remember is: Don’t panic. And we are all just ants in a big colony. Some of us want to travel to space, and some of us just want to grow cabbages and see our community happy.
I personally love software that respects my freedom, and that I can study to see how it works, and learn from, and I try to use it as much as possible - but if other software can save me time, I will sometimes use it too. People can use bad things for good and good things for bad. Everything is still controlled by someone, and it is what they think of you that seems to matter most - if you offend people and it looks like you have stuff that they want then it is more likely for you to get targeted and you will need to do more to protect yourself. People are very different and raised with very different norms, and becoming part of a global community can expose you to things you might not be ready for or believe until it happens to you, but many of us are in the same situation and can learn from each other.
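For CN operators who host their own services, an added example (not part of the post above) of the password "scrambling" that post mentions: salted, deliberately slow hashing, plus a measurement of how much it slows each guess compared with a plain fast hash. The iteration count, function names and sample passwords are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your server


def store_password(password, salt=None):
    """Return (salt, digest) to keep in the user database instead of the password."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest at login and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def seconds_per_guess(hash_fn, rounds):
    """Average time one guess costs with the given hash function."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"guess{i}".encode())
    return (time.perf_counter() - start) / rounds


def slowdown_factor():
    """How many times slower one guess is with PBKDF2 than with plain SHA-256."""
    salt = b"constructed-salt"  # constructed sample value
    fast = seconds_per_guess(lambda pw: hashlib.sha256(pw).digest(), 20_000)
    slow = seconds_per_guess(
        lambda pw: hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS), 3)
    return slow / fast


if __name__ == "__main__":
    salt, digest = store_password("correct horse battery")  # constructed sample
    print("login ok:", verify_password("correct horse battery", salt, digest))
    print("wrong password:", verify_password("password123", salt, digest))
    print(f"each guess is about {slowdown_factor():,.0f}x slower than plain SHA-256")
```

A slow hash only raises the cost of each guess after a database leak; a password that sits near the top of a common-password list still falls quickly, which is why unique passwords and a second factor remain necessary.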
Hi DageIf,
This is a good and in-depth insight, but following the EU regulations (GDPR), which give users the right to discover where their data lies, what processes are being undertaken using their data, among others. In short, we need to have a say on our data, whether or not it should be used. And while basing our concern on Community Networks, do you see our networks achieving these goals to a point where someone somewhere will not engage our clients’ data into a business, maybe for personal use? Remember, even Twitter recently faced a challenge when it realized that users’ data was used for unintended use.
This week, I presented a paper on data-sovereignty at the WebScience 2020 conference (online). Possibly, insights provided in the paper can help to think about the rights and plights of those at the source of data.
https://www.researchgate.net/publication/342466792_Data_Sovereignty_A_Perspective_From_Zimbabwe