A praise of Folly – Security Theater and the OSI layers 8 and above
Early in February 2018 I was happy to give a speech at FOSDEM, in Brussels. They booked me after Howard Chu and right before the closing keynote – awesome, and there were a few thousand geeks in the audience – I guess that was the largest crowd I ever spoke to.
And I told them about “A praise of Folly: Security Theater – The mostly unknown OSI Layer 8 and above” – see References. Here’s my ongoing collection.
FBI Reports On Linux Drovorub Malware | Hackaday
This is a modern spy story, but not quite what we’ve come to expect in Bond movies. “Well, Moneypenny, it appears Spectre is using the POCO library to generate UUIDs,” is hard to work into a trailer. We prefer the old days when high-tech spying meant nonlinear junction detectors, hacking Selectrics, moon probe heists, and passive bugging.
#securitytheater
Me on COVID-19 Contact Tracing Apps – Schneier on Security
“It has nothing to do with privacy concerns. The idea that contact tracing can be done with an app, and not human health professionals, is just plain dumb.”
Wenn ich nicht falsch informiert bin, nutzt die App Libraries/Bibliotheken von Google und Apple – ist das korrekt? Sind die Open-Source ? Wie ist sichergestellt, dass die US-Konzerne unsere Daten NICHT bekommen? I am not convinced.
Programmcode der Corona-Warn-App veröffentlicht – DER SPIEGEL
Die Entwickler der Corona-Warn-App des Bundes haben den kompletten Programmcode der mit Spannung erwarteten Anwendung offengelegt. “Über Pfingsten haben wir alle restlichen, noch nicht veröffentlichten Quellcodes für die App auf der Entwickler-Plattform GitHub publiziert”, erklärten Sprecher der Deutschen Telekom und der SAP AG. Damit seien alle Codes der vollständigen App für die Experten-Community einsehbar.
I love the term “self-defeating prophecy”. So many anecdotes I have to tell on that topic… In any case, sdp make a large part of reasons for why hackers and intruders are successful.
“The prevention paradox was first formally described in 1981[1] by the epidemiologist Geoffrey Rose. The prevention paradox describes the seemingly contradictory situation where the majority of cases of a disease come from a population at low or moderate risk of that disease, and only a minority of cases come from the high risk population (of the same disease). This is because the number of people at high risk is small.
Especially during the COVID-19 pandemic of 2019 and 2020, the term “prevention paradox” was also used to describe the apparent paradox of people questioning steps to prevent the spread of the pandemic because the prophesied spread did not occur.[2] This however is instead an example of a self-defeating prophecy.[3]”
Already a few days old, but still up-to-date about the facts. Tracking apps can’t replace adult behaviour and social distancing. Doesn’t matter if it’s done voluntarily or enforced by whoever that might be – state, reason or fear.
Post-lockdown life in Wuhan is a warning to the world | WIRED UK
“Coronavirus–related tech experiments in Europe are having their own issues. Researchers are torn over how to implement privacy protecting contact tracing. A report on one such app under development in Germany, found it could “only be installed on up-to-date Apple and Android phones, which will reduce its coverage to roughly 60-65 per cent of the general population,” says Sven Herpig, director for international cybersecurity policy at Berlin-based thinktank SNV. People may not want to be part of these infrastructures, or not have the means to join. If apps don’t work and scale, at some point we may have to decide to go non-digital.”
“None of the apps rolled out in China are replacements for traditional epidemic-fighting strategies such as human-led contact tracing – identifying those who fall ill, finding those with whom they have recently been in contact, and quarantining them. Despite the attention given to the health code, the country’s virus mitigation strategies are rooted in boots-on-the-ground management. Tech experiments have been layered over other epidemic-fighting infrastructure, so judging their utility is difficult. Often left out of the conversation is at what point tech applications become useful, and when they are no longer. “We don’t have proof that any of it really worked,” Herpig says.”
“The health code is far from a silver bullet. Ultimately, what generates a green code is the commitment of individuals to stay at home for 14 days, and residential committees, which manage apartment compounds, to manage their designated inhabitants. But even as a pass to help with reopening, it has returned many to some level of normalcy.”
Here’s the Link: https://www.rsaconference.com/usa/agenda/hacking-society
https://latacora.singles/2020/02/19/stop-using-encrypted.html
… says:
Here’s why.
.
If messages can be sent in plaintext, they will be sent in plaintext.
Email is end-to-end unencrypted [1] by default. The foundations of electronic mail are plaintext. All mainstream email software expects plaintext. In meaningful ways, the Internet email system is simply designed not to be encrypted.
The clearest example of this problem is something every user of encrypted email has seen: the inevitable unencrypted reply. In any group of people exchanging encrypted emails, someone will eventually manage to reply in plaintext, usually with a quoted copy of the entire chain of email attached. This is tolerated, because most people who encrypt emails are LARPing. But in the real world, it’s an irrevocable disaster.
I dont understand all that fuzzin these days. This news is no news, almost everything about the Crypto AG stuff has been published in 1998 by Wayne Madsen, and has been uncloaked in the early nineties:
“The cover shielding the NSA-Crypto AG relationship was torn in March 1992, when the Iranian military counterintelligence service arrested Hans Buehler, Crypto AG’s marketing representative in Teheran. The Iranian government charged the tall, 50ish businessman with spying for the “intelligence services of the Federal Republic of Germany and the United States of America.” “I was questioned for five hours a day for nine months,” Buehler says. “
Here’s the link:
http://mediafilter.org/caq/cryptogate/
And here’s the source reference, if you need it.
as seen in the book “Shadow Government: How the Secret Global Elite Is Using Surveillance Against You” by Grant R. Jeffrey (avail on Google Books)
On Wayne Madsen – Wikipedia … :
“Wayne Madsen (born April 28, 1954) is an American journalist, author and columnist specializing in intelligence and international affairs.[1][2] He is the author of the blog Wayne Madsen Report.[3] He has been described as a conspiracy theorist.” (…)
“In 1990 Madsen joined Computer Sciences Corporation, working there from 1990 until 1997,[15] when he joined the Electronic Privacy Information Center (EPIC) as a senior fellow. In 1998, while at EPIC, Madsen was described by journalist Jason Vest in The Village Voice as one of the world’s leading SIGINT and computer security experts.[17] In late-January 2005, Madsen left EPIC.[15] While at EPIC he appeared as a guest on 60 Minutes,[18] ABC Nightline,[19] Voice of America,[20] and National Public Radio.[21]”
Reality update: The Rise of the Video Surveillance Industrial Complex … :
“In a 2018 document, the data storage firm Western Digital and the consultancy Accenture predicted mass smart camera networks would be deployed “across three tiers of maturity.” This multi-stage adoption, they contended, would “allow society” to gradually abandon “concerns about privacy” and instead “accept and advocate” for mass police and government surveillance in the interest of “public safety.”“
Overspecific Denials are so beautiful.
https://m.phys.org/news/2020-01-fallout-false-nuclear-alarm.html
Anyone really using Skype anymore?
E-scooter injuries quadrupled in four years | (Engadget)
https://www.engadget.com/2020/01/08/study-says-scooter-injuries-quadrupled/?guccounter=1
A good read, but not much new if you kept reading my writings… 🙂
Get yourself cybersecure for 2020
With ever more tech in our lives, our data is vulnerable. Here are our six top tips to keep it safe in the new year
Random and unique passwords A study carried out by the Ponemon Institute found that 51% of individuals in the UK reuse an average of five passwords across different sites and services.”
Posting it again, because this topic has been hovering around and over my security theater talk for ages. It’s such a great typical example for why and when humans cannot assess dangers correctly. Here’s the facts.
A Guide To Head Injury Compensation Claims – How Much Can I Claim? – Accident Claims
The head and brain injury charity Headway has produced some statistics on the prevalence of head injuries in the UK. Some of the headline facts are as follows: In 2013/14 a total of 348,934 people were admitted to hospital with an acquired brain injury. That equates to an injury every 90 seconds across the country. Over the same period, a total of 162,544 people were admitted to hospitals for a head injury. This equated to one every three minutes. Whilst men are 1.6 times more likely to suffer a head injury, the number of women experiencing them has risen by 24% of the previous decade.
Here you can see the real dangers for your head:
