November 2012 Archives

Code, Apps and Design Principles

  • Posted on November 17, 2012 at 4:13 pm

You probably know the term eye candy or dancing pigs. It applies to applications („apps“) running on computing platforms. It especially applies to apps running on devices that can be thrown easily. Widgets, nice colours and dancing pigs beat a sound security design every time. Since this posting is not about bashing Whatsapp (it’s really about sarcasm), here’s a list of advice for app „developers“.

  • If you are in need of unique identifiers (UIDs), please always use information that can never be guessed and is very hard to obtain. Telephone numbers, names, e-mail addresses and device identifiers are closely guarded secrets which will never be disclosed, thus this is a very good choice.
  • If you are in the position of having to use easily guessable information for unique identifiers, make sure you scramble the information appropriately. For example you can use the MAC address of network devices, you just have to use an irreversible function on it. MD5(MAC) yields a result that can never be mistaken for a MAC address and cannot be reversed, so it is totally safe.
  • Everything you cannot understand is very safe. This is why you should never take a closer look at algorithms. Once you understand them, the attacker will do so, too. Then your advantage is lost. Make sure you never know why you are selecting a specific algorithm regardless of its purpose.
  • Always try to invent your own protocols. Since every protocol in existence was invented by amateurs with too much time on their hands, you can always do better.
  • Never reuse code. Libraries are for lazy bastards who cannot code. Rewrite every function and framework from scratch and include it in your software.
  • Put the most work into the user interface. If it looks good, the rest of the code automatically becomes very secure and professional. This goes for encryption as well. Most encryption algorithms can be easily replaced by the right choice of colours.
  • Getting reverse engineered is never a problem if you explicitly forbid it in the terms of usage. Everyone reads and accepts this.
  • Aim for a very high number of users. Once you hit 100,000 or 1,000,000 users, your software will be so popular that no one will ever attack it, because, well, it’s too popular. Accept it as a fact, it’s too complicated to explain at this point.
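The first two items above are the serious point hiding behind the sarcasm: phone numbers, e-mail addresses and MAC addresses are public or low-entropy, and running MD5 over a low-entropy value does not make it secret, because anyone can hash every candidate and compare. The following Python is an added example, not code from the original posting or from any app it mentions; the MAC address, the server key and the function names are constructed for the demonstration. It shows that MD5(MAC) is recoverable by enumeration, then the two alternatives a defender would actually use: a random per-install identifier that is derived from nothing, or, when an identifier must be derived from a device value, a keyed HMAC whose reversal requires the server-side secret.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a locally administered MAC (02:...), not a real device.
SAMPLE_MAC = "02:00:5e:12:ab:cd"


def weak_uid(mac: str) -> str:
    """The 'irreversible' scheme from the list: an unkeyed MD5 of the MAC."""
    return hashlib.md5(mac.encode()).hexdigest()


def recover_mac(uid_hash: str, known_prefix: str) -> Optional[str]:
    """Show that weak_uid() is a lookup table, not a one-way secret.

    A MAC has only 48 bits, and the first 24 (the vendor OUI) are public,
    so the full device part is at most 2**24 (about 16 million) candidates,
    which is trivial to hash. For a fast demo we assume four octets are
    known and enumerate only the last 16 bits (65,536 candidates).
    """
    for n in range(0x10000):
        candidate = f"{known_prefix}:{n >> 8:02x}:{n & 0xFF:02x}"
        if hashlib.md5(candidate.encode()).hexdigest() == uid_hash:
            return candidate
    return None


def random_uid() -> str:
    """Preferred fix: a 128-bit random identifier generated at install time.

    It is derived from nothing, so there is nothing to guess or to reverse,
    and it cannot be correlated with the device by any third party.
    """
    return secrets.token_hex(16)


def keyed_uid(mac: str, server_key: bytes) -> str:
    """Fallback when the UID must be derived from the device value.

    HMAC-SHA256 under a secret key turns the cheap enumeration above into
    a guess-the-key problem. The key must stay server-side; if it leaks,
    every pseudonym becomes as reversible as weak_uid().
    """
    return hmac.new(server_key, mac.encode(), hashlib.sha256).hexdigest()


def demonstrate() -> dict:
    """Run all three schemes on the constructed MAC and report the outcome."""
    key_a = secrets.token_bytes(32)   # constructed server secrets for the demo
    key_b = secrets.token_bytes(32)
    stored = weak_uid(SAMPLE_MAC)
    return {
        "md5_recovered": recover_mac(stored, "02:00:5e:12"),
        "random_uids_differ": random_uid() != random_uid(),
        "hmac_differs_per_key": keyed_uid(SAMPLE_MAC, key_a)
        != keyed_uid(SAMPLE_MAC, key_b),
    }


if __name__ == "__main__":
    print(demonstrate())
```

`demonstrate()` returns the original MAC under `md5_recovered`, which is the whole point: the unkeyed hash hid nothing. The keyed variant is only as strong as the secrecy of `server_key`, and it still lets the key holder link a pseudonym back to a device, so a random per-install UID is the better default whenever the app does not genuinely need the device binding.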

Go and spread the word. I can’t wait to see more apps that follow these simple principles become available in the app stores all over the world.


Make sure to undress when using Skype

  • Posted on November 4, 2012 at 5:49 pm

Communication is a basic need. This is why phone companies are in the best position to charge whatever they want and why others always try to cheat (others being other companies and clients of phone companies alike). Tapping phone lines is a basic need, too. Ever since people had communications, someone else was trying to eavesdrop. This tradition has been proudly continued with Internet technology. The sad part is that most of us are not aware of this.

Skype is a popular communication tool. It is being used for instant messaging, audio and video calls. At the same time it is a popular surveillance tool. It has been used for locating users way before Microsoft changed the network topology by hosting all Skype servers. Surveillance is the crucial point here. Of course only the “legitimate” cases are published in the media. You may feel safe, but mentioning the words “pork”, “cloud” or “Mexico” may get you on the target list. That could be all it takes, and there are a lot of cases that will never be discussed in public, because of matters of national security.

So if you use Skype or similar services, always bear in mind that you speak and chat in the middle of a public space completely naked. Once you start a communication, you have no privacy any more. This should be no surprise, even for the Web 2.0 generation. All communication services in the US are subject to the Communications Assistance for Law Enforcement Act (CALEA). CALEA was born in 1994, long before Skype. That doesn’t matter, since someone had sufficient foresight to ensure surveillance even today. Have fun with your naked phone calls!