Early in February 2018 I was happy to give my Security Theater speech at FOSDEM in Brussels. They booked me after Howard Chu and the closing keynote – awesome, and there were a few thousand geeks in the audience – I guess that was the largest crowd I ever spoke to, and it was big fun – have a look at the video. Before that event, I had enjoyed meeting politicians from the European Parliament and had given an interview to Radio Berlin Brandenburg about the darknet.
The interesting thing about this story (thanks to Fefe!) is not that BMW is using blockchain now. And it’s not that they go for cobalt from Congo for their batteries. That all makes perfect sense, given that you want to prove with a probably unhackable certificate story that your cobalt mining activities do not harm locals or the environment. No, the really interesting part of the story is: BMW and Apple are now competitors. Yep, read that again.
(Alchemist-hp (talk) (www.pse-mendelejew.de), Pure (99%+) Cobalt, Wikimedia)
They used to be alliance partners, and we may remember iDrive and similar naming – and the fact that you could only attach your iPhone to the BMW in a reasonable way. Now there are Samsung-only keyless features for BMWs, and Apple cars are out there. Since Apple is investigating its capabilities in the electric, autonomous driving market, it is more and more becoming a competitor to BMW.
At least when it’s about batteries and the much needed cobalt resources. These are mostly available in Africa, in Congo (80%, says the article), and customers are by now very well aware of the blood diamonds and similar painful stories of exploitation.
So only a few days after Apple announced “that it will be negotiating directly with miners”, BMW’s partner Circulor steps in and snarkily comments “We believe it makes economic sense to start with sources that aren’t a problem” and:
“… the trial of their blockchain supply chain solution allows supplying of a barcode to what is known as clean cobalt, i.e. cobalt that has been ethically sourced, and adds the key destinations of its trip to a ledger on their blockchain solution. Apart from proving the source of the cobalt and providing a record for it, the solution will likely also bring down regulatory compliance costs.”
OpenVPN – the best VPN solution around – not only because I authored the first book and am still offering classes, but also because I have been using it every day since 2003 without any major outages or problems.
Haven – also comes with the strong recommendation of Edward Snowden. This tiny Android app turns your old smartphone into an NSA device. Well, just kidding – that already happened when you first switched it on. No, with Haven your smartphone becomes a motion detector and a sound- or movement-activated alarm system for your home, car, whatever. Free of charge, open source. Here’s a review from TechCrunch: “Edward Snowden’s new app turns any Android phone into a surveillance system”.
I wonder how much money our government has thrown out of the window for this, and I wonder how the truly great work from Microsoft pays off here. They claim to block FinFisher, which is a large part of our German Bundestrojaner, and here is a wonderful and detailed blog post about how they did it and about the amazing findings they made in the multiple layers of virtualization and obfuscation. “FinFisher is such a complex piece of malware that, like other researchers, we had to devise special methods to crack it.”
FinFisher uses an onion-like shell system of six layers around its payload (whatever that may be). And it has several virtual machines built in, with up to 32 opcodes specifically created for this system, all to protect, obfuscate and hide the payload. But what does the payload do? On that, Microsoft’s engineers write:
“It is evident that the ultimate goal of this program is to steal information. The malware architecture is modular, which means that it can execute plugins. The plugins are stored in its resource section and can be protected by the same VM. The sample we analyzed in October, for example, contains a plugin that is able to spy on internet connections, and can even divert some SSL connections and steal data from encrypted traffic.”
This article is a really good read. And if you find the time, read this amazing work by Tora.
Troy Hunt did it again: after August 2016, when he provided a password checking service testing against a list of 320 million passwords (“HIBP” and “Pwned Passwords”), he has now launched “Pwned Passwords V2” with more than half a billion passwords. If you dare, and if you trust him, you can enter your favorite password here and in the blink of an eye you will see whether it is on Troy’s list. If so, then it has been cracked, used before or similar. The password “password”, e.g., has been seen 3 million times, as the new counter in Troy’s tool shows. Plus, the website holds some healthy information and guidelines from NIST on password reuse.
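The “if you trust him” part deserves a closer look, because the V2 service is built so that you do not have to: it uses a k-anonymity range lookup, where the client sends only the first five hex characters of the password’s SHA-1 hash to https://api.pwnedpasswords.com/range/<prefix> and matches the remaining 35 characters locally against the returned “suffix:count” lines. The following is an added example of that client-side logic (my own illustration, not code from this blog or from Troy Hunt’s service). The HTTPS call is replaced by a constructed in-memory sample response so it runs offline; in that sample only the SHA-1 suffix of “password” is real, while the count (3,000,000, mirroring “3 million” above) and the second suffix are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body the range endpoint returns for prefix 5BAA6:
# one "<35-char SHA-1 suffix>:<count>" line per hash in that range, CRLF-separated.
# Only the suffix of SHA-1("password") is real; counts and the other suffix are invented.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key the corpus is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent to the service
    and the 35-char suffix that never leaves the client."""
    if len(hash_hex) != 40:
        raise ValueError("expected a 40-character hex SHA-1")
    return hash_hex[:5], hash_hex[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Offline replacement for the HTTPS GET /range/<prefix>; returns the sample."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str,
                 fetch: Callable[[str], str] = fetch_range_offline) -> int:
    """How often the password appears in the corpus, or 0 if it is not listed.

    Only `prefix` is handed to `fetch`; the match against `suffix` happens here,
    so the service learns at most that the hash is one of the few hundred in
    that range.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate)
        verdict = f"seen {n:,} times" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

To use it against the live service, pass a `fetch` callable that performs the GET for the given prefix and returns the response body; the rest of the logic is unchanged, and a password that is not in the returned range yields 0 rather than an error.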
The error is on OSI Layer 8, and even the best technology won’t help you if you use it wrong. In this article about the darknet (Heise iX, in German) I demystify many “given” assumptions. No NSA, no police, nobody needs to crack your cryptography if you make the same silly mistakes as so many others before you.
In this article for Heise iX (in German) I present statistical and empirical evidence for why it usually is a bad idea to force your users to change their passwords regularly. In fact, you may push users to use patterns for their passwords that are cracked much more easily than the password they had before. The article also covers what a good password is, and why you should only change it when you have reason for doubt. “You will need good reason to push your users into regularly changing their passwords – and only in a few cases or insecure environments may this make sense at all…”
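One way to act on this finding, rather than a rotation interval, is to check a password change for the pattern that forced rotation produces: the same core word with the trailing year or counter bumped, a few letter-for-symbol substitutions, or an otherwise near-identical string. Here is an added example of such a check (my own illustration, not code from the iX article). The substitution table, the strip-leading-and-trailing-digits rule and the 0.8 similarity threshold are assumptions chosen for illustration, not figures from the article.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Assumed rules for this example: letter-for-symbol substitutions to undo, and a
# similarity ratio above which two passwords count as "the same one, tweaked".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
SIMILARITY_THRESHOLD = 0.8


def core_word(password: str) -> str:
    """Reduce a password to its core word: drop leading/trailing runs of digits
    and symbols (years, counters, '!'), lower-case, then undo leet substitutions.
    'Winter2018!' and 'W1nter2019' both become 'winter'."""
    stripped = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", password).lower()
    return stripped.translate(LEET)


def similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1] (difflib's ratio)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def rejection_reason(old: str, new: str) -> Optional[str]:
    """Why the new password should be rejected as a trivial variant of the old
    one, or None if the change is acceptable under these rules."""
    if new.lower() == old.lower():
        return "new password is the old one (case aside)"
    old_core = core_word(old)
    if old_core and old_core == core_word(new):
        return "same core word, only digits or symbols changed"
    ratio = similarity(old, new)
    if ratio >= SIMILARITY_THRESHOLD:
        return f"too similar to the old password (ratio {ratio:.2f})"
    return None


def is_trivial_variant(old: str, new: str) -> bool:
    return rejection_reason(old, new) is not None


if __name__ == "__main__":
    # Constructed old/new pairs of the kind a rotation policy tends to produce.
    pairs = [("Winter2017!", "Winter2018!"), ("P@ssw0rd1", "Password2"),
             ("123456", "1234567"), ("Summer2017", "Tr0ub4dor&3")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {rejection_reason(old, new) or 'accepted'}")
```

The first two rules catch the counter and substitution patterns exactly; the similarity ratio is the safety net for everything else, such as an all-digit password with one digit appended, which has no core word to compare. Combined with a breach-corpus lookup, this replaces “change it every 90 days” with “change it when there is a reason, and change it to something actually new”.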
Open Source. Security Theater. Leadership. Journalism.