Category Archives: Security Theater

A praise of Folly – Security Theater and the OSI layers 8 and above

Early in February 2018 I was happy to give a speech at FOSDEM, in Brussels. They booked me after Howard Chu and right before the closing keynote – awesome, and there were a few thousand geeks in the audience – I guess that was the largest crowd I ever spoke to.

And I told them about “A praise of Folly: Security Theater – The mostly unknown OSI Layer 8 and above” – see References. Here’s my ongoing collection.

Here’s the video

Highlights from Facebook’s Libra Senate hearing | TechCrunch


Perhaps the most worrying moment of the hearing was when Senator Sinema brought up TechCrunch’s article citing that “The real risk of Libra is crooked developers.” There I wrote that Facebook’s VP of product Kevin Weil told me that “There are no plans for the Libra Association to take a role in actively vetting [developers],” which I believe leaves the door open to a crypto Cambridge Analytica situation where shady developers steal users money, not just their data.

Nein! Doch! Oooh! Office 365 verstößt gegen Europäischen Datenschutz!

Reality update: Datenschützer: Einsatz von Microsoft Office 365 an Schulen ist unzulässig | heise online … :

Microsoft Office 365 darf in der Standardkonfiguration an Schulen wegen Problemen für die Privatsphäre der Nutzer derzeit nicht verwendet werden. Zu diesem Schluss ist der hessische Datenschutzbeauftragter Michael Ronellenfitsch gekommen, weil personenbezogene Daten von Kindern und Lehrern in der Cloud gespeichert würden. Auch wenn die zugehörigen Server in Europa stünden, seien die Informationen “einem möglichen Zugriff US-amerikanischer Behörden ausgesetzt”.

Online Censorship Is Coming–Here’s How to Stop It | Linux Journal

That’s important, because the concerns and beliefs of that “novel alliance” are closely aligned with those of the Free Software community. The new-found interest in hitherto obscure aspects of the online world and its software are an opportunity for the Open Source world to increase awareness of what it does, and to garner support for its activities. The potential for spreading the word is huge: over five million people signed an EU petition against upload filters, and 200,000 took to the streets to protest. Where new digital rights initiatives are set up to harness the recent mobilization of “digital natives”, free software coders can help people understand that open source is a key part of the solution to the problems they seek to address.

Switch your PGP keyserver, upload your key, this is important.

Reality update: Massive attacks on PGP-Keyservers, gazillion old and untrusted keys. Sorry, folks, but the web of trust didn’t work, not with that infrastructure. Here’s what you might want to do, what might help: 

Goto and upload and confirm your key(s) – I took the liberty to highlight the important facts…:

Launching a new keyserver!

From a community effort by Enigmail, OpenKeychain, and Sequoia PGP, we are pleased to announce the launch of the new public OpenPGP keyserver!


Give me the short story!

Fast and reliable. No wait times, no downtimes, no inconsistencies. Precise. Searches return only a single key, which allows for easy key discovery. Validating. Identities are only published with consent, while non-identity information is freely distributed. Deletable. Users can delete personal information with a simple e-mail confirmation. Built on Rust, powered by Sequoia PGP – free and open source, running AGPLv3. Get started right now by uploading your key!

Bringing big tech to heel: how do we take back control of the internet? | World news | The Guardian

So true, and I am happy that I was allowed to partially witness that in Brussels. Its the right way to go, and others will follow

The project will reference the world-leadingGlobal Data Protection Regulation developed by the European Union. Under the regulation, the idea that you control your data footprint has been accepted and embedded with privacy protocols placing enforceable rules on how corporations harvest and then monetise personal information. Protections include the right to be unknown and the right to be able to delete your personal records from a business that is holding them. It also includes rights for portability of data allowing, for instance, a user to take their data with them when they change banks, obligations on a business to delete a customer’s records when the customer takes their business elsewhere, as well as stringent data-handling protocols. Adopting these principles in Australia would be a significant step towards taking responsibility for the way the digital economy affects our privacy.”

Opinion | Why Is America So Far Behind Europe on Digital Privacy? – The New York Times

Once again Europe just doesn’t realize how far ahead we are in some technical an economic and social things. Wake up, lady!

“G.D.P.R.establishes several privacy rights that do not exist in the United States — including a requirement for companies to inform users about their data practices and receive explicit permission before collecting any personal information. Although Americans cannot legally avail themselves of specific rights under G.D.P.R., the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans’ digital privacy rights than their own Congress.


Forward-thinking legislation — and the public hearings that would inform its passage — are urgently needed. Americans deserve a robust discussion of what privacy rights they are entitled to and strong privacy laws to protect them.”

Congress should seize the moment and the public momentum to enshrine digital privacy rights into federal law.

Nice. Now Apple can locate your offline Device. What could possibly go wrong?

Reality update: How does Apple (privately) find your offline devices? – A Few Thoughts on Cryptographic Engineering … :

The idea of the new system is to turn Apple’s existing network of iPhones into a massive crowdsourced location tracking system. Every active iPhone will continuously monitor for BLE beacon messages that might be coming from a lost device.

I wonder how long it will take until authorities want to use that for prosecution. I wonder if secret services not already are. What a brilliant idea. I suggest watching Iron Sky 2.

5G: Zu viel Sicherheit würde uns nur verunsichern

Wer bitte wählt solche Verfassungsfeinde?

5G: Justizminister wollen zu viel Sicherheit verhindern – SPIEGEL ONLINE … : 

Ende-zu-Ende-Verschlüsselung als Risikofaktor

die Tatsache, dass Endgeräte in 5G zum Teil direkt miteinander kommunizieren können, ohne Umweg über zentrale Server eines Providers – wo allerdings auch die Abhörschnittstellen der Polizei sitzen.

“Auch die Innenminister wollen eine ‘Mitwirkungspflicht der Provider'”

Google wants to disable Ad Blocking in Chrome, because it’s a business risk for them

This is interesting. Back to Firefox? Or will Google turn around? They have got a lot of shitstorms back, in advance – since this is not fully decided yet. But it shows a lot of the “Don’t be evil” attitude. Even Google is a business oriented enterprise, and thus wants to make money. What a surprise. I wonder what the security people say and think. A large part of successful attacks today utilize ads and ad-lookalikes…

Chrome to limit full ad blocking extensions to enterprise users – 9to5Google

The lead developer of uBlock Origin, Raymond Hill, has commented on the situation, both to The Register and on uBlock Origin’s GitHub, pointing out that allowing ad blockers goes completely against Google’s business model.

‘Google’s primary business is incompatible with unimpeded content blocking. Now that Google Chrome product has achieve high market share, the content blocking concerns as stated in its 10K filing are being tackled.’

Google themselves have even admitted as such in a recent SEC Form 10-K filing by Alphabet, uncovered by Hill, in which ad blocking extensions are labeled as a “risk factor” to Google’s revenues.

‘New and existing technologies could affect our ability to customize ads and/or could block ads online, which would harm our business.’

The article also links to the interesting FCC risk assessment paper Google has to file. A nice read. 


Free GDPR Templates on Github … get involved!

Reality update: GitHub – good-lly/gdpr-documents: 🇪🇺 Your Right to be Informed and Erased. The General Data Protection Regulation (EU) 2016/679 (“GDPR”) documents for personal use. … :

After one of the Equifax data breaches & one year after feared GDPR came into force, a team of lawyers decided to explore the state of data protection of European banks & credit scoring entities. At first, we did a research of available GDPR requests but found next to nothing. The vast majority of information is advising companies on how to fend off personal data inquiries. This saddened us, as financial institutions gather massive amounts of detailed information about us. We expected that more people would want to execute their right to know. To shift this imbalance a little, we created our own request templates. Currently is available only “Data Access” request but stay tuned – Erase template is coming soon.