Category Archives: Security Theater

A praise of Folly – Security Theater and the OSI layers 8 and above

Early in February 2018 I was happy to give a speech at FOSDEM, in Brussels. They booked me after Howard Chu and right before the closing keynote – awesome, and there were a few thousand geeks in the audience – I guess that was the largest crowd I have ever spoken to.

And I told them about “A praise of Folly: Security Theater – The mostly unknown OSI Layer 8 and above” – see References. Here’s my ongoing collection.

Here’s the video

Bringing big tech to heel: how do we take back control of the internet? | World news | The Guardian

So true, and I am happy that I was allowed to partially witness that in Brussels. It's the right way to go, and others will follow.

“The project will reference the world-leading Global Data Protection Regulation developed by the European Union. Under the regulation, the idea that you control your data footprint has been accepted and embedded with privacy protocols placing enforceable rules on how corporations harvest and then monetise personal information. Protections include the right to be unknown and the right to be able to delete your personal records from a business that is holding them. It also includes rights for portability of data allowing, for instance, a user to take their data with them when they change banks, obligations on a business to delete a customer’s records when the customer takes their business elsewhere, as well as stringent data-handling protocols. Adopting these principles in Australia would be a significant step towards taking responsibility for the way the digital economy affects our privacy.”

Opinion | Why Is America So Far Behind Europe on Digital Privacy? – The New York Times

Once again Europe just doesn’t realize how far ahead we are in some technical and economic and social things. Wake up, lady!

“G.D.P.R. establishes several privacy rights that do not exist in the United States — including a requirement for companies to inform users about their data practices and receive explicit permission before collecting any personal information. Although Americans cannot legally avail themselves of specific rights under G.D.P.R., the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans’ digital privacy rights than their own Congress.


Forward-thinking legislation — and the public hearings that would inform its passage — are urgently needed. Americans deserve a robust discussion of what privacy rights they are entitled to and strong privacy laws to protect them.”

Congress should seize the moment and the public momentum to enshrine digital privacy rights into federal law.

Nice. Now Apple can locate your offline device. What could possibly go wrong?

Reality update: How does Apple (privately) find your offline devices? – A Few Thoughts on Cryptographic Engineering … :

The idea of the new system is to turn Apple’s existing network of iPhones into a massive crowdsourced location tracking system. Every active iPhone will continuously monitor for BLE beacon messages that might be coming from a lost device.

I wonder how long it will take until authorities want to use that for prosecution. I wonder whether secret services aren’t already doing so. What a brilliant idea. I suggest watching Iron Sky 2.
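To make the “what could possibly go wrong” concrete, here is an added toy model of a crowdsourced beacon-sighting system. It is not Apple’s protocol and not code from Green’s post; the device secret, the epoch scheme and the sample trajectory are all assumed for illustration. It shows the one property that decides whether the crowd of finders becomes a tracking network for whoever can read the reports: whether the identifier a lost device broadcasts stays constant or rotates per time epoch under a key only the owner holds.

```python
import hashlib
import hmac
from collections import defaultdict

# Toy model (not Apple's design): a lost device broadcasts a BLE beacon
# identifier; every nearby phone ("finder") that hears it uploads a report
# (identifier, where, when). The question is what an observer with access
# to those reports can learn from the identifier alone.

# Constructed sample data: the lost device's real path, one location per epoch.
TRAJECTORY = [
    (1, "home"),
    (2, "tram stop"),
    (3, "office"),
    (4, "bar"),
]

DEVICE_SECRET = b"per-device secret known only to the owner"  # assumed for the model


def static_beacon_id(secret: bytes, epoch: int) -> bytes:
    """Naive design: the identifier never changes, so every sighting is linkable."""
    return hashlib.sha256(secret).digest()[:16]


def rotating_beacon_id(secret: bytes, epoch: int) -> bytes:
    """Rotating design: a fresh identifier per epoch from a keyed hash (HMAC),
    so only a holder of the secret can compute, and therefore link, the series."""
    return hmac.new(secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


def finder_reports(trajectory, id_fn, secret=DEVICE_SECRET):
    """What the crowd of finders uploads: one report per sighting, no owner identity."""
    return [
        {"beacon_id": id_fn(secret, epoch), "epoch": epoch, "location": location}
        for epoch, location in trajectory
    ]


def longest_linkable_trail(reports) -> int:
    """An observer with report access (operator, subpoena, breach) groups reports
    by identifier; the largest group is the longest movement trail it can rebuild."""
    by_id = defaultdict(list)
    for report in reports:
        by_id[report["beacon_id"]].append((report["epoch"], report["location"]))
    return max(len(trail) for trail in by_id.values())


def owner_recover_trail(reports, secret, epochs):
    """The owner recomputes the rotating identifier for each epoch of interest
    and pulls the matching reports; anyone without the secret gets nothing."""
    wanted = {rotating_beacon_id(secret, e): e for e in epochs}
    found = [(wanted[r["beacon_id"]], r["location"]) for r in reports if r["beacon_id"] in wanted]
    return sorted(found)


if __name__ == "__main__":
    static = finder_reports(TRAJECTORY, static_beacon_id)
    rotating = finder_reports(TRAJECTORY, rotating_beacon_id)
    print("static IDs: observer links a trail of", longest_linkable_trail(static), "sightings")
    print("rotating IDs: observer links a trail of", longest_linkable_trail(rotating), "sightings")
    print("owner with secret recovers", owner_recover_trail(rotating, DEVICE_SECRET, [1, 2, 3, 4]))
```

With a static identifier the report store is a ready-made movement log for the device; with per-epoch rotation each report is an island unless you hold the secret. Two caveats a practitioner would add: every report still carries the finder’s own position and time, so the finder population is catalogued regardless of how the beacon is protected, and a secret that the owner can use to reconstruct a trail is a secret that can be compelled from the owner. The real system has more moving parts than this model, which isolates just the linkability of the beacon.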

5G: Too much security would only unsettle us

Who on earth votes for such enemies of the constitution?

5G: Justice ministers want to prevent too much security – SPIEGEL ONLINE … : 

End-to-end encryption as a risk factor

…the fact that in 5G, end devices can in part communicate directly with each other, without a detour via a provider’s central servers – which, however, is also where the police’s interception interfaces sit.

“The interior ministers also want a ‘duty of cooperation for providers’”

Google wants to disable Ad Blocking in Chrome, because it’s a business risk for them

This is interesting. Back to Firefox? Or will Google turn around? They have already got a lot of shitstorms back, in advance, since this is not fully decided yet. But it shows a lot of the “Don’t be evil” attitude. Even Google is a business-oriented enterprise, and thus wants to make money. What a surprise. I wonder what the security people say and think. A large part of successful attacks today utilize ads and ad-lookalikes…

Chrome to limit full ad blocking extensions to enterprise users – 9to5Google

The lead developer of uBlock Origin, Raymond Hill, has commented on the situation, both to The Register and on uBlock Origin’s GitHub, pointing out that allowing ad blockers goes completely against Google’s business model.

‘Google’s primary business is incompatible with unimpeded content blocking. Now that the Google Chrome product has achieved high market share, the content blocking concerns as stated in its 10-K filing are being tackled.’

Google themselves have even admitted as such in a recent SEC Form 10-K filing by Alphabet, uncovered by Hill, in which ad blocking extensions are labeled as a “risk factor” to Google’s revenues.

‘New and existing technologies could affect our ability to customize ads and/or could block ads online, which would harm our business.’

The article also links to the interesting SEC Form 10-K risk assessment Google has to file. A nice read.


Free GDPR Templates on Github … get involved!

Reality update: GitHub – good-lly/gdpr-documents: 🇪🇺 Your Right to be Informed and Erased. The General Data Protection Regulation (EU) 2016/679 (“GDPR”) documents for personal use. … :

After one of the Equifax data breaches & one year after the feared GDPR came into force, a team of lawyers decided to explore the state of data protection of European banks & credit scoring entities. At first, we did research on available GDPR requests but found next to nothing. The vast majority of information is advising companies on how to fend off personal data inquiries. This saddened us, as financial institutions gather massive amounts of detailed information about us. We expected that more people would want to exercise their right to know. To shift this imbalance a little, we created our own request templates. Currently only the “Data Access” request is available, but stay tuned – the Erase template is coming soon.

Quantum Terrorism…

How quantum terrorists could bring down the future internet – MIT Technology Review … :

These guys have worked out how quantum terrorists could bring the quantum internet to its knees almost instantly and without revealing their identity. More worrying still is that there is no obvious way to counter this new kind of attack.


“The first computer virus is widely thought to have been a program called Creeper that infected Apple II computers in the early 1980s. It was written by a 15-year-old high school student in 1981 as a prank. Since then, an entire class of malicious software and activities have emerged that can destroy data or eavesdrop on communication.”

Break up Facebook – as long as it is possible …!

#Toldyouso: Facebook co-founder Chris Hughes calls for the company to be broken up … :

“Facebook isn’t afraid of a few more rules. It’s afraid of an antitrust case and of the kind of accountability that real government oversight would bring.” Hughes called the FTC’s decision to let Facebook acquire Instagram and WhatsApp in the first place the regulator’s “biggest mistake” and said the three entities should be broken into separate companies before Facebook weaves them together.