Category Archives: Security Theater

A praise of Folly – Security Theater and the OSI layers 8 and above

Early in February 2018 I was happy to give a speech at FOSDEM, in Brussels. They booked me after Howard Chu and right before the closing keynote – awesome, and there were a few thousand geeks in the audience – I guess that was the largest crowd I ever spoke to.

And I told them about “A praise of Folly: Security Theater – The mostly unknown OSI Layer 8 and above” – see References. Here’s my ongoing collection.

Here’s the video

#securitytheatre Latacora – Stop Using Encrypted Email

… says:

Here’s why.


If messages can be sent in plaintext, they will be sent in plaintext.

Email is end-to-end unencrypted [1] by default. The foundations of electronic mail are plaintext. All mainstream email software expects plaintext. In meaningful ways, the Internet email system is simply designed not to be encrypted.

The clearest example of this problem is something every user of encrypted email has seen: the inevitable unencrypted reply. In any group of people exchanging encrypted emails, someone will eventually manage to reply in plaintext, usually with a quoted copy of the entire chain of email attached. This is tolerated, because most people who encrypt emails are LARPing. But in the real world, it’s an irrevocable disaster.

1998 article on Crypto AG: The NSA’s Trojan Whore?

I don't understand all that fuss these days. This news is no news: almost everything about the Crypto AG story was published in 1998 by Wayne Madsen, and had already been uncloaked in the early nineties:

“The cover shielding the NSA-Crypto AG relationship was torn in March 1992, when the Iranian military counterintelligence service arrested Hans Buehler, Crypto AG’s marketing representative in Teheran. The Iranian government charged the tall, 50ish businessman with spying for the ‘intelligence services of the Federal Republic of Germany and the United States of America.’ ‘I was questioned for five hours a day for nine months,’ Buehler says.”

Here’s the link:

And here’s the source reference, if you need it.

As seen in the book “Shadow Government: How the Secret Global Elite Is Using Surveillance Against You” by Grant R. Jeffrey (available on Google Books).

On Wayne Madsen – Wikipedia … :

“Wayne Madsen (born April 28, 1954) is an American journalist, author and columnist specializing in intelligence and international affairs.[1][2] He is the author of the blog Wayne Madsen Report.[3] He has been described as a conspiracy theorist.” (…)

“In 1990 Madsen joined Computer Sciences Corporation, working there from 1990 until 1997,[15] when he joined the Electronic Privacy Information Center (EPIC) as a senior fellow. In 1998, while at EPIC, Madsen was described by journalist Jason Vest in The Village Voice as one of the world’s leading SIGINT and computer security experts.[17] In late-January 2005, Madsen left EPIC.[15] While at EPIC he appeared as a guest on 60 Minutes,[18] ABC Nightline,[19] Voice of America,[20] and National Public Radio.[21]”


Don't worry, these cameras are there for your safety…

Reality update: The Rise of the Video Surveillance Industrial Complex … :

In a 2018 document, the data storage firm Western Digital and the consultancy Accenture predicted mass smart camera networks would be deployed “across three tiers of maturity.” This multi-stage adoption, they contended, would “allow society” to gradually abandon “concerns about privacy” and instead “accept and advocate” for mass police and government surveillance in the interest of “public safety.”

#safepasswords – Guess I told you so some years ago…

A good read, but not much new if you kept reading my writings… 🙂 

Get yourself cybersecure for 2020


With ever more tech in our lives, our data is vulnerable. Here are our six top tips to keep it safe in the new year

Random and unique passwords A study carried out by the Ponemon Institute found that 51% of individuals in the UK reuse an average of five passwords across different sites and services.



#securitytheatre #bicyclehelmets – Where you really should wear a helmet:

Posting it again, because this topic has been hovering around and over my security theater talk for ages. It's such a good, typical example of why and when humans cannot assess dangers correctly. Here are the facts.

A Guide To Head Injury Compensation Claims – How Much Can I Claim? – Accident Claims

The head and brain injury charity Headway has produced some statistics on the prevalence of head injuries in the UK. Some of the headline facts are as follows: In 2013/14 a total of 348,934 people were admitted to hospital with an acquired brain injury. That equates to an injury every 90 seconds across the country. Over the same period, a total of 162,544 people were admitted to hospitals for a head injury. This equated to one every three minutes. Whilst men are 1.6 times more likely to suffer a head injury, the number of women experiencing them has risen by 24% of the previous decade.

Here you can see the real dangers for your head: 

Boeing: »Factory in Chaos« Halts Production

Perfect risk analysis:

Suspicion was voiced more than once that the FAA, the authority responsible for certifying aircraft, had not looked very closely either. After the crash of the first MAX Boeing in October 2018, the FAA had a calculation made of how likely another accident caused by the MCAS software would be. Result: such a catastrophe could occur at most once every three years. Which apparently shocked nobody. The MAX aircraft were kept in service, and the manufacturer was merely advised to improve the software and load it into the on-board computers during routine checks.

The End of Blameware is Coming – Thanks to DSGVO!

I did, after all, coin the term Blameware, and with it made it all the way into DIE ZEIT, back then, many years ago. But according to the German data protection authorities, the DSGVO (GDPR) has the potential to put an end to the whole sales concept and business model – here in the report of the Datenschutzkonferenz (DSK), the conference of Germany's top data protection authorities:

Windows 10 cannot be operated in compliance with data protection law, or only with great difficulty. Boom. Let that sink in. 🙂


And it goes on: Blameware is dumb:

“The controller is therefore obliged to specify the requirements of the DSGVO (GDPR) for the procurement of its means of processing and to select the one with which it demonstrably upholds the principles of data protection in its processing activities. It is not permitted to argue that it merely uses a third-party product over whose development it has no influence. Art. 25(1) DSGVO obliges the controller, not the manufacturer, to implement data protection by design.”