Category Archives: Security Theater

A praise of Folly – Security Theater and the OSI layers 8 and above

Early in February 2018 I was happy to give a speech at FOSDEM, in Brussels. They booked me after Howard Chu and right before the closing keynote – awesome, and there were a few thousand geeks in the audience – I guess that was the largest crowd I ever spoke to.

And I told them about “A praise of Folly: Security Theater – The mostly unknown OSI Layer 8 and above” – see References. Here’s my ongoing collection.

Here’s the video

Corona-Warn-App… and what about the code from Google and Apple?

If I am not misinformed, the app uses libraries from Google and Apple. Is that correct? Are they open source? How is it ensured that the US corporations do NOT get our data? I am not convinced.

Program code of the Corona-Warn-App published – DER SPIEGEL

The developers of the federal government's Corona-Warn-App have disclosed the complete program code of the eagerly awaited application. “Over Pentecost we published all remaining, not yet released source code for the app on the developer platform GitHub,” said spokespersons for Deutsche Telekom and SAP AG. With that, all the code of the complete app is open for the expert community to inspect.

#selfdefeatingprophecy #securitytheater #preventionparadox #storyofmylife #kassandra

I love the term “self-defeating prophecy”. So many anecdotes I have to tell on that topic… In any case, self-defeating prophecies make up a large part of the reasons why hackers and intruders are successful.

“The prevention paradox was first formally described in 1981[1] by the epidemiologist Geoffrey Rose. The prevention paradox describes the seemingly contradictory situation where the majority of cases of a disease come from a population at low or moderate risk of that disease, and only a minority of cases come from the high risk population (of the same disease). This is because the number of people at high risk is small.

Especially during the COVID-19 pandemic of 2019 and 2020, the term “prevention paradox” was also used to describe the apparent paradox of people questioning steps to prevent the spread of the pandemic because the prophesied spread did not occur.[2] This however is instead an example of a self-defeating prophecy.[3]”

https://en.wikipedia.org/wiki/Prevention_paradox

#postcorona World in Wuhan and the Nonsense of Tracking Apps #securitytheater

Already a few days old, but still up-to-date about the facts. Tracking apps can’t replace adult behaviour and social distancing. Doesn’t matter if it’s done voluntarily or enforced by whoever that might be – state, reason or fear.

Post-lockdown life in Wuhan is a warning to the world | WIRED UK

“Coronavirus–related tech experiments in Europe are having their own issues. Researchers are torn over how to implement privacy protecting contact tracing. A report on one such app under development in Germany, found it could “only be installed on up-to-date Apple and Android phones, which will reduce its coverage to roughly 60-65 per cent of the general population,” says Sven Herpig, director for international cybersecurity policy at Berlin-based thinktank SNV. People may not want to be part of these infrastructures, or not have the means to join. If apps don’t work and scale, at some point we may have to decide to go non-digital.”

“None of the apps rolled out in China are replacements for traditional epidemic-fighting strategies such as human-led contact tracing – identifying those who fall ill, finding those with whom they have recently been in contact, and quarantining them. Despite the attention given to the health code, the country’s virus mitigation strategies are rooted in boots-on-the-ground management. Tech experiments have been layered over other epidemic-fighting infrastructure, so judging their utility is difficult. Often left out of the conversation is at what point tech applications become useful, and when they are no longer. “We don’t have proof that any of it really worked,” Herpig says.” 

“The health code is far from a silver bullet. Ultimately, what generates a green code is the commitment of individuals to stay at home for 14 days, and residential committees, which manage apartment compounds, to manage their designated inhabitants. But even as a pass to help with reopening, it has returned many to some level of normalcy.”

#securitytheatre Latacora – Stop Using Encrypted Email

https://latacora.singles/2020/02/19/stop-using-encrypted.html

… says:

Here’s why.

If messages can be sent in plaintext, they will be sent in plaintext.

Email is end-to-end unencrypted [1] by default. The foundations of electronic mail are plaintext. All mainstream email software expects plaintext. In meaningful ways, the Internet email system is simply designed not to be encrypted.

The clearest example of this problem is something every user of encrypted email has seen: the inevitable unencrypted reply. In any group of people exchanging encrypted emails, someone will eventually manage to reply in plaintext, usually with a quoted copy of the entire chain of email attached. This is tolerated, because most people who encrypt emails are LARPing. But in the real world, it’s an irrevocable disaster.

1998 article on Crypto AG: The NSA’s Trojan Whore?

I don't understand all the fuss these days. This news is no news: almost everything about the Crypto AG stuff was published in 1998 by Wayne Madsen, and it was uncloaked in the early nineties:

“The cover shielding the NSA-Crypto AG relationship was torn in March 1992, when the Iranian military counterintelligence service arrested Hans Buehler, Crypto AG’s marketing representative in Teheran. The Iranian government charged the tall, 50ish businessman with spying for the “intelligence services of the Federal Republic of Germany and the United States of America.” “I was questioned for five hours a day for nine months,” Buehler says.”

Here’s the link: 

http://mediafilter.org/caq/cryptogate/

And here’s the source reference, if you need it.

As seen in the book “Shadow Government: How the Secret Global Elite Is Using Surveillance Against You” by Grant R. Jeffrey (available on Google Books)

On Wayne Madsen – Wikipedia … :

“Wayne Madsen (born April 28, 1954) is an American journalist, author and columnist specializing in intelligence and international affairs.[1][2] He is the author of the blog Wayne Madsen Report.[3] He has been described as a conspiracy theorist.” (…)

“In 1990 Madsen joined Computer Sciences Corporation, working there from 1990 until 1997,[15] when he joined the Electronic Privacy Information Center (EPIC) as a senior fellow. In 1998, while at EPIC, Madsen was described by journalist Jason Vest in The Village Voice as one of the world’s leading SIGINT and computer security experts.[17] In late-January 2005, Madsen left EPIC.[15] While at EPIC he appeared as a guest on 60 Minutes,[18] ABC Nightline,[19] Voice of America,[20] and National Public Radio.[21]”

 

Don't worry, these cameras are there for your safety…

Reality update: The Rise of the Video Surveillance Industrial Complex … :

In a 2018 document, the data storage firm Western Digital and the consultancy Accenture predicted mass smart camera networks would be deployed “across three tiers of maturity.” This multi-stage adoption, they contended, would “allow society” to gradually abandon “concerns about privacy” and instead “accept and advocate” for mass police and government surveillance in the interest of “public safety.”

#safepasswords – Guess I told you so some years ago…

A good read, but not much new if you kept reading my writings… 🙂 

Get yourself cybersecure for 2020

With ever more tech in our lives, our data is vulnerable. Here are our six top tips to keep it safe in the new year

Random and unique passwords A study carried out by the Ponemon Institute found that 51% of individuals in the UK reuse an average of five passwords across different sites and services.


#securitytheatre #bicyclehelmets – Where you really should wear a helmet:

Posting it again, because this topic has been hovering around and over my security theater talk for ages. It’s such a great, typical example of why and when humans cannot assess dangers correctly. Here are the facts.


A Guide To Head Injury Compensation Claims – How Much Can I Claim? – Accident Claims

The head and brain injury charity Headway has produced some statistics on the prevalence of head injuries in the UK. Some of the headline facts are as follows: In 2013/14 a total of 348,934 people were admitted to hospital with an acquired brain injury. That equates to an injury every 90 seconds across the country. Over the same period, a total of 162,544 people were admitted to hospitals for a head injury. This equated to one every three minutes. Whilst men are 1.6 times more likely to suffer a head injury, the number of women experiencing them has risen by 24% of the previous decade.

Here you can see the real dangers for your head: 

Boeing: “Factory in chaos” halts production (neues-deutschland.de)

Perfect risk analysis:

Several times the suspicion was voiced that the FAA, which is responsible for certifying aircraft, did not look all that closely either. After the crash of the first Boeing MAX in October 2018, the FAA had calculated how likely another accident caused by the MCAS software would be. Result: such a catastrophe could happen at most once every three years. Which apparently shocked no one. The MAX aircraft were left in service, and the manufacturer was merely advised to improve the software and load it into the on-board computers during routine checks.

https://www.neues-deutschland.de/artikel/1130321.boeing-fabrik-im-chaos-stoppt-die-produktion.html