Five great security tools: SecureDrop, PGP, Signal, OpenVPN and Haven

The blog Choosetoencrypt has presented three great tools for encryption. Under the title “Three Ways To Communicate Anonymously and Privately Online” they present and evaluate SecureDrop for file sharing (like a whistleblower, not a pirate), PGP for e-mail and Signal for instant messaging.

SecureDrop or similar is a mandatory category of tools for those who are dealing with journalists and can’t afford to be tracked.

The instant messenger Signal is being used and recommended by Edward Snowden; I use it every day, with all my phone numbers.

And I also use PGP every day – find my key(s) on the servers, among many old and lost and expired ones … Yes, I did many trainings in my life :-(.

And I was happy to meet and interview PGP founder Phil Zimmermann in late 2013, while deep in the belly of an old container ship named San Diego in the Hamburg harbor.

But I also want to add two more tools:

OpenVPN – the best VPN solution that’s around – not only because I authored the first book and am still offering classes, but also because I have been using it every day since 2003 without any major outages or problems.

Haven – Also comes with the strong recommendation of Edward Snowden. This tiny Android app turns your old smartphone into an NSA device. Well, just kidding – that has already happened when you first switched it on. No, with Haven your smartphone becomes a motion detector, a sound- or movement-activated alarm system for your home, car, whatever. Free of charge, open source. Here’s a review from TechCrunch: “Edward Snowden’s new app turns any Android phone into a surveillance system”.

Winning the Microsoft Fussball (Kicker-) tournament 2008 – well almost

I somehow love this story… we had great fun and made it from total outsiders with no chance into the final, almost winning against the overlords. My dear colleague Marcel Hilzinger and I were so close to really, really embarrassing Microsoft – but in the end, Sauron’s powers were stronger. Maybe next time, we thought, but they never invited us Linux-Magazine journalists again. I guess they had good reason to do so. 🙂

Here’s the original (short) reference to the Linux-User editorial with a paragraph about the sensational event.

Microsoft and FinFisher: The end of the Bundestrojaner as we know it?

I wonder how much money our government has thrown out of the window for this, and I wonder how the truly great work from Microsoft pays off here. They claim to block FinFisher, which is a large part of our German Bundestrojaner, and here is a wonderful and detailed blog post about how they did it and about the amazing findings they made in the multiple layers of virtualization and obfuscation. “FinFisher is such a complex piece of malware that, like other researchers, we had to devise special methods to crack it.”

(Image source: https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)

FinFisher uses an onion-like shell system of six layers around its payload (whatever that may be). It also has several virtual machines built in, with up to 32 opcodes specifically created for this system, all just to protect, obfuscate and hide the payload. But what does the payload do? On that, Microsoft’s engineers write:

“It is evident that the ultimate goal of this program is to steal information. The malware architecture is modular, which means that it can execute plugins. The plugins are stored in its resource section and can be protected by the same VM. The sample we analyzed in October, for example, contains a plugin that is able to spy on internet connections, and can even divert some SSL connections and steal data from encrypted traffic.”

A really good read this article is. And if you find the time, read this amazing work by Tora.

500 Million passwords leaked

Troy Hunt did it again: After August 2016, when he provided a password checking service testing against a list of 320 million passwords (“HIBP” and “Pwned Passwords”), he has now launched “Pwned Passwords V2” with more than half a billion passwords. If you dare, and if you trust him, you can enter your favorite password here and in the blink of an eye you will see if it is on Troy’s list. If so, then it has been cracked, used before or similar. The password “password”, for example, has been seen 3 million times, as the new counter in Troy’s tool shows. Plus, the website holds some healthy information and guidelines from NIST on password reuse.

Do good things and talk about it – Lessons learnt in 20 years of Open Source PR

This is a talk that I first gave as a workshop, together with my wonderfully skilled and experienced colleagues Jake Edge (LWN) and Deb Nicholson (OIN), during the 12th KDE Akademy in Tallinn, Estonia in 2012. While we did it then as a full-day workshop, this video is from QtCon 2016, and it’s more of a 1-hour presentation. This is one of my favourite presentations and the one booked the most – I did it at SUSECON, openSUSE conference and SUSE Labs, too, and for a variety of other hosts.

This talk will tell, teach and train open source community members, company leaders, developers and open source project leads how to deal with the press.

Leadership Antipatterns

Leadership Antipatterns are a special variant of Antipatterns. They are dangerous, they kill productivity and they very often come together with Crocodile Management (link is in German), Mushroom or Bulldozer Management (a new manager comes in and guess what he does first?). You might also like to read about Leadership Behaviour patterns … but that’s Harvard Business School… or Antipatterns in Project Management.

Collaborative Editing? Not for Professionals…

Documentation is teamwork, yes – but can you do it collaboratively? Yes, but not in collaborative editing. Git is your friend, a good workflow needs to be chosen, and then everyone on your team may choose the editor he loves. Etherpad, Google Docs and such are tools for short texts, but not for professional editing. In this article for Linux Magazine Germany I explain how we work at SUSE.

Darknet demystified – The Limits of Anonymity.

The error is on OSI Layer 8, and even the best technology won’t help you if you use it wrong. In this article about the Darknet (Heise iX, in German) I demystify many “given” assumptions. No NSA, no police, nobody needs to crack your cryptography if you make the same silly mistakes as so many others before you.

Update: Early in February I was interviewed by Radio Berlin Brandenburg about my opinion on the darknet.

Open Source. Security Theater. Leadership. Journalism.