Tor Stupidity

  • Posted on August 21, 2016 at 10:30 pm

Some idiot posted a call to not use or work on Tor during 1 September 2016. I won’t explain what Tor users and developers are asked to do, nor will I explore the motivation for calling a strike. Not using Tor for a day is not an option. Not working on Tor is not an option. Disabling a Tor node for a day is not an option. Publishing a demand like this is utterly stupid and irresponsible.

Tor is a very important tool. There is no place for petty-minded conflicts. Take your fight to the arena and let Tor users be.

New Year, Same Problems

  • Posted on January 2, 2015 at 10:49 pm

Welcome to 2015! I am pretty sure you are amazed at what the year has in store for you. Go ahead, figure it out. Meanwhile I know some things haven’t changed. Hands-free kits.

I like headphones. They save you from listening to the verbal diarrhoea of people talking in public. Noise-cancelling gear is especially helpful. Or headphones that have a tight grip on your ears, so no acoustic bullshit can get to you. Usually headphones work fairly well.

Then there are hands-free kits. Basically these kits are headphones you can talk to, because they listen. They come in all forms and flavours. Wired, wireless, colourful, with/without battery, with/without blue LEDs, etc.; amazing. Sometimes they even work. Most of the time they don’t. The battery is low. Cables break. You lose your earplugs. It’s windy outside. It rains. The wireless kits disconnect and re-connect, turning your conversation into a bad rap song. Environmental noise drowns anything you say. Perfect.

So, yes, 2015 is great.

Misuse of Crypto by Marketing

  • Posted on August 10, 2013 at 9:53 pm

Deutsche Telekom, Web.de and GMX are now switching on transport encryption (called SSL/TLS) for sent and received e-mails. Wonderful. Others have been using this technology for many years. So the industry is celebrating a matter of course that others have long practised. Fine, there is no other good news about telecommunications providers floating in the clouds anyway. Two things, however, SSL/TLS does not do.

  • A sent e-mail cannot be protected from third parties by SSL/TLS.
    An e-mail server in the delivery chain still has the contents of an e-mail at its disposal. That is why the encryption used is called transport encryption. During transport the e-mail is transmitted encrypted. At every station involved it is present in cleartext. Transport encryption only makes sense against third parties who see nothing but the transport of the e-mails (such as the people at the next table in the Internet café, the BND, GCHQ or a corrupt employee). That is exactly what it was designed for, no more and no less. Celebrating it now as protection against surveillance, especially by cloud and communications providers sitting on compromised infrastructure, is at best a bad joke.
  • SSL/TLS cannot authenticate the sender of an e-mail.
    Even with transport encryption, e-mails can still have a forged sender. Transport encryption couldn’t care less who uses it.

De-Mail, by the way, is no better, whatever anyone wants to talk you into. So the industry follows politics and lies to customers. Brave new world.

Anyone interested in the background, or who wants to catch big companies lying, please come to the nearest CryptoParty.
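Both points above become visible when you walk an e-mail's Received: chain hop by hop: each handover may or may not have used TLS, every receiving server held the cleartext regardless, and the From: header is a bare claim. This is an added example with constructed headers and hostnames, not code from the original post; it assumes the common MTA wording "with ESMTPS" or "version=TLS…" marks an encrypted hop.

```python
"""Hop-by-hop reading of a Received: chain: which handovers used transport
encryption and which stations still held the message in cleartext."""
import email
import email.utils
import re
from typing import List, Optional, Tuple

# Constructed sample headers (loosely modelled on common MTA wording).
RAW = """\
Received: from mx.example-provider.test (mx.example-provider.test [192.0.2.10])
\tby mailbox.example-provider.test with ESMTPS id ABC123
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
\tfor <bob@example-provider.test>; Sat, 10 Aug 2013 21:00:00 +0200
Received: from relay.third-party.test (relay.third-party.test [198.51.100.5])
\tby mx.example-provider.test with ESMTP id DEF456
\tfor <bob@example-provider.test>; Sat, 10 Aug 2013 20:59:58 +0200
Received: from [10.0.0.2] (client.isp.test [203.0.113.7])
\tby relay.third-party.test with ESMTPSA id GHI789
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128)
\tfor <bob@example-provider.test>; Sat, 10 Aug 2013 20:59:50 +0200
From: "Alice" <alice@somewhere.test>

Body text that every station in the chain can read.
"""

HOP = re.compile(r"from (\S+).*? by (\S+).*? with (\S+)")
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}

def transport_hops(raw: str) -> List[Tuple[str, str, bool]]:
    """Return (from_host, by_host, used_tls) per hop, oldest hop first.
    Each relay prepends its Received: header, so the list is reversed."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = HOP.search(text)
        if not m:
            continue
        src, dst, proto = m.groups()
        tls = proto.upper() in TLS_PROTOCOLS or "version=TLS" in text
        hops.append((src, dst, tls))
    return hops

def plaintext_stations(raw: str) -> List[str]:
    """Every receiving server had the cleartext, TLS on the hop or not."""
    return [dst for _, dst, _ in transport_hops(raw)]

def claimed_sender(raw: str) -> Optional[str]:
    """From: is an unverified claim; no hop's TLS vouches for it."""
    _, addr = email.utils.parseaddr(email.message_from_string(raw)["From"])
    return addr or None

if __name__ == "__main__":
    for src, dst, tls in transport_hops(RAW):
        print(f"{src} -> {dst}: {'TLS' if tls else 'cleartext on the wire'}")
    print("stations holding cleartext:", plaintext_stations(RAW))
    print("claimed sender (unauthenticated):", claimed_sender(RAW))
```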

Spy Service with Trust Issues

  • Posted on June 26, 2013 at 4:06 pm

You really should have heard about PRISM and Tempora. You should know that this is only the part that was published with a source and some evidence of what’s going on. Keep in mind that there is a lot going on that we do not know about yet and probably never will. The fall-out of the scandal may be an eroded trust in IT staff and systems. The director of the N.S.A., Gen. Keith B. Alexander, has confirmed the lack of trust by establishing a buddy system for NSA’s IT staff. The concept isn’t new, and it’s used by the military, other agencies or in the field of cryptography.

The consequence rephrased reads like this: PRISM and Tempora have effectively destroyed the trust in IT systems – both for the people being victims of surveillance and the surveillants. The NSA now resorts to “a two-man rule” in order to restore trust internally (which will not prevent further whistle-blowers from leaking information). The victims try to restore trust by using encryption and tools to anonymise their communication. Both implications do not help either side. Furthermore the government agencies will continue their efforts and hide them from the general public in order to pursue their Greater Goal™ or the War on Stuff™. Meanwhile everyone else is shopping on eBay for slightly used civil rights.

A job well done. Let’s burn some books, basic liberties, journalists, and system administrators to make the world a better place.

“No wall can stand against the yearning of justice…”

  • Posted on June 19, 2013 at 11:10 pm

Barack “I know what you did last Summer!” Obama held a speech in Berlin today. The Guardian has published the full text of it (and will probably be closed down and its staff will be sent to Guantánamo) on its web site. The speech contains a unique gem of sarcasm.

No wall can stand against the yearning of justice, the yearnings for freedom, the yearnings for peace that burns in the human heart.

I fully agree, but one of us is lying. NSA Director Keith “I owe him another friggin’ beer” Alexander has no interest in justice, freedom, and peace. Congratulations! You should have saved yourself the trouble of the American Revolution.


PRISM, the „Cloud“ and Espionage

  • Posted on June 19, 2013 at 12:47 pm

There should be no surprise about the PRISM initiative and NSA’s activities. Some people became a member of the EFF on 12 September 2001. It is an illusion to believe that any collection of data is safe from access by third parties, especially if it is stored in centralised locations. Sane critics have criticised the „Cloud“ since marketing departments discovered the brand name for centralised storage (the „Cloud“ may be dispersed, distributed, virtualised or whatever, but there are still „Cloud“ providers who hold the key access to the whole infrastructure). Right after 9/11 the term Total Information Awareness (TIA) was coined. Take a look at what TIA entails. This is what you see now, but don’t assume that only the USA does this.

Russia, China and the USA are the Axis of Surveillance. The differences are merely semantics. Some European states also pursue total information awareness. They just don’t talk about it, and there are no whistle-blowers – yet (hopefully). Once you rely on others’ infrastructure, be careful.

The next CryptoParty in Vienna will discuss countermeasures against surveillance by totalitarian regimes.

No Work in Progress!

  • Posted on May 12, 2013 at 4:21 pm

While avoiding the printed daily newspaper at breakfast I stumbled across a blog article that had the line “This article is still work in progress.” (“Dieser Artikel ist noch work in progress.”) right after the title. The note is well meant, but unfortunately it does not help the reader (in this case me, so no feminine “-in” ending needed).

An article is finished at the moment a third party reads it. The idea of version numbers or dates does not help here. Why? Because this is not software development. An author cannot assume that all readers return at regular intervals and read the new version. Nobody does that, not on blogs, not with digital newspapers or magazines, nowhere. Everything an author has in mind while writing must be in the text at the moment of publication. Of course one tends to add sections headed with the sonorous Update: now and then. But one should be aware that readers who have already read the text no longer follow it and will therefore never see them.

Help keep the Internet clean! Don’t publish drafts! Thank you.

How not to keep a secret #DCRI

  • Posted on April 7, 2013 at 12:59 pm

If you have a secret, then you probably will not talk about it. That’s a very basic fact about secrets. By not talking to others about your secret, these others will not know. So far so good. If your secret consists of a tower, an area and fences around it, then you have a hard time hiding this information. Your only option is to hide in plain sight, find a plausible explanation for the things people see and – again – not to talk about it. The French Direction centrale du renseignement intérieur (DCRI) has provided a lesson to show how it doesn’t work.

The Station hertzienne militaire de Pierre-sur-Haute is a French military compound. It has a Wikipedia page describing the location and its purpose along with photographs. Thanks to the DCRI everyone knows now that the article contains classified information. The DCRI summoned a Wikipedia systems administrator to their office and threatened him in order to force the deletion of the article. Keeping secrets by blackmailing is not going to work. In the age of satellites, Internet maps and drones there is no way you can prevent someone from taking photographs. De-emphasize, don’t make sure everyone focuses on your little secret. Distractions work, too. Area 51 is known for its UFO sightings and conspiracy theories. No one talks about the military prototypes being tested there. It’s all about aliens.

Maybe the DCRI should watch a couple of X Files episodes to get a clue.

Podcasts? No Thanks, No Time!

  • Posted on March 24, 2013 at 2:30 am

Podcasts are supposed to be great. So I’ve heard. Apparently it is like radio, only with far more topics you can choose from freely. Thanks to the Internet you can also listen to them whenever you want. And they are to go, like coffee or greasy fast food. Unfortunately they sit just as heavily in the stomach. Why? Because the portions are totally bonkers.

I really tried. Unfortunately it doesn’t work. There is a whole range of podcasts that are simply too long. People talk for hours (yes, hours!) and just won’t get to the point. Podcasting is like blogging for the ear and like diarrhoea for the bowel. Endless deserts of syllables, where even the most fluent words can’t convey any content. There are even podcasts where several people talk to each other. They plainly forget while recording that there are listeners. It sounds like the conversation of the clique at the next table in a pub – annoying, loud, a tiresome background. Where is the volume control? If you turn it down, it might pass for light summer rain, and you can fall asleep to it.

Why is that? Exactly, because of the boundless possibilities. Once it no longer matters how long a recording is supposed to be, the content quickly becomes irrelevant too. Because. You. Then. Simply. Don’t. Get. To. The. Point. Any. More. Got it? I’m not naming names, but there are some podcasts I would like to listen to for their topic, yet they are simply too long for me. I can’t always ride the bus for hours just to get information that a professional can explain to me in 5, 10 or 30 minutes.

Dear podcasters and audiobloggers, please take an example from the many journalists who prepare pieces for radio for a broad or narrow public! They manage it. The great thing is that these pieces don’t lose quality on the Internet either (because many radio stations offer downloads too). I gladly listen to those several times. A bad podcast easily holds 10 to 15 excellent radio pieces. Quite something, don’t you think?

Code, Apps and Design Principles

  • Posted on November 17, 2012 at 4:13 pm

You probably know the term eye candy or dancing pigs. It applies to applications („apps“) running on computing platforms. It especially applies to apps running on devices that can be thrown easily. Widgets, nice colours and dancing pigs beat a sound security design every time. Since this posting is not about bashing Whatsapp (it’s really about sarcasm), here’s a list of advice for app „developers“.

  • If you are in need of unique identifiers (UIDs), please always use information that can never be guessed and is very hard to obtain. Telephone numbers, names, e-mail addresses and device identifiers are closely guarded secrets which will never be disclosed, thus this is a very good choice.
  • If you are in the position of having to use easily guessable information for unique identifiers, make sure you scramble the information appropriately. For example you can use the MAC address of network devices, you just have to use an irreversible function on it. MD5(MAC) yields a result that can never be mistaken for a MAC address and cannot be reversed, so it is totally safe.
  • Everything you cannot understand is very safe. This is why you should never take a closer look at algorithms. Once you understand them, the attacker will do so, too. Then your advantage is lost. Make sure you never know why you are selecting a specific algorithm regardless of its purpose.
  • Always try to invent your own protocols. Since every protocol in existence was invented by amateurs with too much time on their hands, you can always do better.
  • Never reuse code. Libraries are for lazy bastards who cannot code. Rewrite every function and framework from scratch and include it into your software.
  • Put the most work into the user interface. If it looks good, the rest of the code automatically becomes very secure and professional. This goes for encryption as well. Most encryption algorithms can be easily replaced by the right choice of colours.
  • Getting reverse engineered is never a problem if you explicitly forbid it in the terms of usage. Everyone reads and accepts this.
  • Aim for a very high number of users. Once you hit the 100,000 or 1,000,000 users, your software will be so popular that no one will ever attack it, because, well, it’s too popular. Accept it as a fact, it’s too complicated to explain at this point.

Go and spread the word. I can’t wait to see more apps following these simple principles to be available in the app stores all over the world.
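The MD5(MAC) advice above is the one item on the list worth taking apart in code: a MAC address has six bytes, three of them a public vendor prefix, so an unkeyed hash of it is inverted by a small lookup. The block is an added example, not from the original post; it shows the mocked scheme, the inversion, and two safer choices, and 02:00:5e:01 is a constructed locally administered prefix rather than a real vendor OUI.

```python
"""Why MD5(MAC) is not an irreversible identifier, beside two safer options."""
import hashlib
import hmac
import secrets
from typing import Optional

def naive_uid(mac: str) -> str:
    """The scheme the post mocks: an unkeyed hash of a guessable value."""
    return hashlib.md5(mac.lower().encode()).hexdigest()

def recover_mac(uid: str, prefix: str, unknown_bits: int = 16) -> Optional[str]:
    """Invert naive_uid by enumerating every address behind a known prefix.
    A real OUI leaves 24 unknown bits (16.7M hashes, still cheap); the demo
    default of 16 bits keeps the loop well under a second."""
    base = int(prefix.replace(":", ""), 16) << unknown_bits
    for suffix in range(1 << unknown_bits):
        digits = f"{base | suffix:012x}"
        mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
        if naive_uid(mac) == uid:
            return mac
    return None

def random_uid() -> str:
    """Safer: an identifier that says nothing about the device at all."""
    return secrets.token_hex(16)

def keyed_uid(mac: str, server_key: bytes) -> str:
    """If a deterministic id is unavoidable, key the hash: a lookup table then
    needs the secret key, not just the public address space."""
    return hmac.new(server_key, mac.lower().encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    mac = "02:00:5e:01:ab:cd"  # constructed address
    print("naive uid inverted to:", recover_mac(naive_uid(mac), "02:00:5e:01"))
    print("random uid:", random_uid())
    print("keyed uid:", keyed_uid(mac, secrets.token_bytes(32)))
```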

Tasks for Post-Privacy Advocates

  • Posted on October 28, 2012 at 10:45 pm

Privacy is old-fashioned – if you ask post-privacy advocates who have nothing to fear and have no secrets whatsoever. Your privacy and their privacy are a fossil from Web 1.0. Now we expose ourselves everywhere and all of the time. To illustrate this new lifestyle, post-privacy advocates have a list of demonstrations prepared for you.

The list really is endless. And always remember, the best argument in favour of post-privacy is getting yourself killed or at least maimed or tortured.

Characters

  • Posted on July 13, 2012 at 8:50 pm

I have been using LaTeX for over 20 years now. I have no need for crappy office software. I skipped Microsoft Office, Word Perfect, Open Office and everything similar. However everything has its limits. I am trying to write a document that requires a couple of exotic language fragments (actually it’s only a collection of examples for homograph attacks). So the main text is German, then there’s some Arabic, Hebrew, Chinese, Japanese, Hindi and possibly Korean. This means using Unicode text, which is no problem. Up until now I had used LaTeX and the beamer class template. Due to better Unicode handling I switched to XeLaTeX, which required me to rearrange my \usepackage statements. German, Arabic and Hebrew co-exist now. Now I am trying to get Chinese text displayed correctly. When using LaTeX I did this by means of the CJK package (but only with a Japanese word). It worked fine. Now I am using xeCJK, which is basically the same, and I’m getting blanks instead of Chinese characters. I am half-way through the fonts on my system, still trying to find a nice combination.

It’s probably easier to include homograph attacks in Tengwar. Illustrating the ancient spear phishing attacks of Middle Earth, now there’s an interesting topic.


The Filter Coffee Misunderstanding

  • Posted on July 4, 2012 at 9:13 am

We have to talk. We have to talk about coffee. Firstly because it’s not in the tag cloud yet, and secondly because I really like filter coffee. There you go, a blog posting about bad coffee’s coming up. No, it isn’t.

Usually in articles like these the second paragraph is reserved for some historical context. Since we got the introduction somewhat right, here’s the history (the conclusion will be in the next-to-last paragraph while the last paragraph is reserved for a witty pun such as “Or is it?” or similar). I grew up with this stuff. This is a good excuse. It doesn’t make the coffee better and it doesn’t excuse pouring hot water over crushed plant stuff (real coffee beans are optional given the taste of some cups I had). However once you use really good coffee material, ditch the milk and the sugar, you’ll really get something special. A big cup of filter coffee beats the crap out of any espresso or fancy café au bullshit any time. Filter coffee stays hot longer. This means you can drink it over a longer period of time. Yesterday I had a cup I could carry for over half an hour before taking bigger sips. You’ll experience the coffee through a wide variety of temperatures. The really good stuff can even be drunk cold. Try that with your stupid espresso!

So there’s the conclusion. Filter coffee rocks (even in German where it’s called Filterkaffee, easily recognisable). Throw away all the other coffee creations. End of discussion.

And here’s your witty pun: Go and get some!
