Modern Software Sales Strategy

I want to share an observation with you. The product is just a symptom. It’s all about the message. In modern IT environments there are countless (which is a lie, because you actually can count them) tools to do the same job in a variety of ways. How do you find the right tool? Well, you can try them for yourself, and then pick something you like. You can read the documentation, or you can read the feature list with the abstract. GitKraken follows a new approach. If you click on Why GitKraken you are confronted with this compelling list of non-arguments:

  • One Million GitKraken Users – Right, just like cholera.
  • Join Leading Companies – Eat shit, a billion flies can’t be wrong.
  • Hear Why Customers Love GitKraken – a.k.a. we don’t know why you should use it, but these people do. Ask them.
  • Share Your own GitKraken Success Story – Please provide advertising content we otherwise would have to pay for.
  • Hear Why Students Love GitKraken – Students usually write more for even less money! Plus if you get people addicted while in education, they will love your dealers. See Microsoft and Apple.

Why should I use a product whose benefits not even the vendor/developers can express? Is this what is being taught in marketing school? Of course it could be just a collection of customers’ opinions. But then again: Why, GitKraken?

Shit Sells – Social Media Strategies

Since the invention of social media (which has nothing in common with either social or media) nobody should have writer’s block any more. Interacting with the world and your friends should be done often. Content is optional. This is why emojis are highly sought after. If you can’t write, post images. Cute animals always work. Social media has become a haven for astroturfing. Presidents tweet their misinformation now. The German minister of the interior has taken up this habit to be part of the pollution.

Facts die fast these days.

The Blog is alive and encrypts Stuff now

  • March 22, 2018 at 4:44 pm

Long time, no writing. It’s due to the ever diminishing time for leisure activities and clearing the mind. But this blog is alive – contrary to Schrödinger’s cat. Plus it is now using HTTP2 and TLS. I will also polish the theme a bit, because there are some glitches in the CSS matrix (speaking of cats). Enjoy the cryptographic algorithms in the meantime!

Tor Stupidity

Some idiot posted a call to not use or work on Tor during 1 September 2016. I won’t explain what Tor users and developers are asked, nor will I explore the motivation for calling a strike. Not using Tor for a day is not an option. Not working on Tor is not an option. Disabling Tor nodes for a day is not an option. Publishing a demand like this is utterly stupid and irresponsible.

Tor is a very important tool. There is no place for petty-minded conflicts. Take your fight to the arena and let Tor users be.


HBO’s John Oliver took a close look at the state of journalism. Everyone is in dire need of facts and story research. No one wants to pay, as it seems. This is not really the truth. It’s a simplification. Every newspaper has its online edition. Contrary to paper the digital articles allow for the sampling of statistics. The paper edition throws a few hundred grams of data into a mailbox. There is no feedback channel. You do not know who reads which article. You do not even know how many people read the paper. You may know some information about your readers from the data subscribers leave voluntarily. That’s it.

The online edition offers much more feedback. You can track users. You can record their favourite interests. You can take the time spent on the web site. You can do a lot more. What if I don’t want to be tracked? Where is the Do Not Track button in the online form for buying subscriptions? Someone isn’t paying attention.

I read a couple of news outlets (let’s use this term). I cannot afford to buy a subscription for all sources. This brings me to another business model that is absent from the market. I would like to read articles from many newspapers and pay by article at the end of the month. Trouble is that this requires a cross-newspaper identification which in turn can be used for tracking again (and it can only be done in an ideal world where copyrighted material can be syndicated easily, so it is pure fiction). Facebook and Google have been thinking about this for some time. I would prefer the news without the tracking.

So who wants to sell me some news?

Crypto Easter Eggs in Software

The Logjam paranoia is spreading. After decades of using software with cryptographic features, every couple of months researchers discover features and code from the dawn of communication over the Internet. DES, 40/56/64 bit keys, RC4, 16 bit primes (yes, you read that right), and a lot more legacy cruft is still in memory on computer systems all over the world. Unless the code bases get cleaned up LibreSSL-style, there will be more of these ghosts from the past.

Delete these lines of code, remove the dependencies. No excuses.

Urgency gone totally wrong

Every once in a while someone has a problem that needs to be fixed. Or someone wants to ask something. Often it’s just about a task, a piece of information, an appointment, or similar. What do people do then? Well, if it’s really urgent you usually resort to synchronous communication such as the telephone. You can also call it smartphone, but it doesn’t change the fact that you pick up the phone and talk to someone in real time. That’s the theory. In fact people send emails, text messages (which might not get delivered), or private messages on obscure social media platforms where you log in every three months.

Stupidity is on the rise.

New Year, Same Problems

Welcome to 2015! I am pretty sure you will be amazed at what the year has in store for you. Go ahead, figure it out. Meanwhile I know some things haven’t changed. Hands-free kits.

I like headphones. They save you from listening to the verbal diarrhoea of people talking in public. Noise-cancelling gear is especially helpful. Or headphones that have a tight grip on your ears, so no acoustic bullshit can get to you. Usually headphones work fairly well.

Then there are hands-free kits. Basically these kits are headphones you can talk to, because they listen. They come in all forms and flavours. Wired, wireless, colourful, with/without battery, with/without blue LEDs, etc.; amazing. Sometimes they even work. Most of the time they don’t. The battery is low. Cables break. You lose your earplugs. It’s windy outside. It rains. The wireless kits disconnect and re-connect, turning your conversation into a bad rap song. Environmental noise drowns anything you say. Perfect.

So, yes, 2015 is great.

Postfix outbound SMTP via TOR Hidden Service

I have been looking to link my portable Postfix on my laptop with another Postfix reachable by a TOR Hidden Service. I did some tinkering with TCP proxies, stunnel and other setups. Yesterday I found the article SMTP over Hidden Services which will do the trick. The description uses Postfix’ transport map to send individual domains via the SMTP Hidden Service uplink. If you want all e-mails for all domains to go through the SMTP link, use the line

*   smtptor:[78uhrgdnsawillgetyoughe746.onion]

in your transport map after the .onion line. Works like a charm. The only downside is that I had to give up server certificate verification, but this can be done in a separate setup on the server side.


Sandman Chronicles #65

Came across my copy of The Sandman Chronicles by Neil Gaiman. Browsed a bit. If you never read it, you really should. Found a quote from #65. It is from Rose Walker.

Have you ever been in love? Horrible, isn’t it? It makes you so vulnerable. It opens your chest and it opens up your heart and it means that someone can get inside you and mess you up. You build up all these defenses. You build up this whole armor, for years, so nothing can hurt you, then one stupid person, no different from any other stupid person, wanders into your stupid life… You give them a piece of you. They don’t ask for it. They do something dumb one day like kiss you, or smile at you, and then your life isn’t your own anymore. Love takes hostages. It gets inside you. It eats you out and leaves you crying in the darkness, so a simple phrase like “maybe we should just be friends” or “how very perceptive” turns into a glass splinter working its way into your heart. It hurts. Not just in the imagination. Not just in the mind. It’s a soul-hurt, a body-hurt, a real gets-inside-you-and-rips-you-apart pain. Nothing should be able to do that. Especially not love. I hate love.


CryptoParty Observations

The CryptoParty phenomenon is past its first anniversary. The interest in cryptography and secure communication has always been there. The existence of CryptoParty before Edward Snowden leaked the criminal practices of secret services around the world is a good indicator for that. The question is whether crypto flash mobs of tutors and students can make a difference. Cryptography has deep roots in mathematics (which can and has to be reduced to a minimum when explaining; remember that every formula in an article for a wide audience halves your readership). In addition most tools used for encryption are not point-and-click capable (which is partly due to the user interface, but the real reason is the fact that secure communication doesn’t feature an on/off switch). Too bad. Despite these difficulties CryptoParty events work somehow. At almost all local events here participants learned something, tutors did too.

A couple of days ago someone asked me for a „mini crypto handbook with just the essentials“. I have given this idea some thought, but I doubt that you can improve your data’s and communication’s security by a short laundry list of things to do or not to do. You might get to the point of encryption quite fast, but managing the keys and verifying the identity of your communication partner(s) is the most important aspect. Then there is the problem that once data is decrypted it tends to leave residue in clear text. Unless you use encrypted storage all of the time and everywhere there is a chance that traces of data will leak and stay without cryptographic protection. It’s a bit like dealing with radioactive material – always use secure containers and equipment.

Given the extra effort of security, all of our lives will still have an „unencrypted component“. You cannot securely communicate with partners who do not support secure communication. Calling a taxi, ordering pizza, phone calls with friends & family, even communication with companies or public authorities are probably easy to intercept. Observing the communication of an individual or an organisation as a whole can therefore be very informative if the pattern of encrypted and unencrypted information is analysed. If you only use cryptography when important, then you betray the fact that something interesting is going on. Using cryptography indiscriminately would be better – if it were possible with every communication end-point. Intelligence services know this, so does everyone else.

There are no short-cuts, it seems.

A Beacon of Opinions

Having privacy is nice these days. However maintaining a sense of privacy is hard when it comes to social media, blogs or other ways where you can leak personal information. Creating different accounts is a first step, but separating personal and professional opinion only works if you maintain the division all of the time. This must also be true for all connections to others, be it people or organisations. Once you make an exception, the whole concept doesn’t work any more. Your opinion will be the strongest beacon, and everyone with an honest interest in you will use it to connect. Privacy gone.

It’s not follow the money in the digital world. It’s follow the opinion.

Abuse of Crypto by Marketing

Deutsche Telekom and GMX are now switching on transport encryption (called SSL/TLS) for sent and received e-mails. Fantastic. Others have been using this technology for many years. So the industry is celebrating something that goes without saying and that others have long been practising. Fine, there is otherwise no good news about telecommunications providers floating in the clouds. There are two things, however, that SSL/TLS does not do.

  • SSL/TLS cannot protect a sent e-mail from third parties.
    A mail server in the delivery chain still has access to the contents of an e-mail. That is why the encryption in use is called transport encryption. During transport the e-mail is transmitted encrypted. At every station involved it is present in clear text. Transport encryption only makes sense against third parties who see nothing but the transport of the e-mails (for example the people at the next table in the Internet café, the BND, GCHQ or a corrupt employee). That is exactly what it was designed for, no more and no less. Celebrating this now as protection against surveillance, especially by cloud and communications providers sitting on compromised infrastructure, is a bad joke at best.
  • SSL/TLS cannot authenticate the sender of an e-mail.
    Even with transport encryption, e-mails can still carry a forged sender. Transport encryption could not care less who uses it.

De-Mail is no better, by the way, no matter what anyone tries to tell you. So the industry follows politics and lies to its customers. Brave new world.

Anyone interested in the background, or who would like to catch big companies lying for once, should please head to the nearest CryptoParty.
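
The two limits of transport encryption described above can be read off a delivered message's own headers. The following is an added example, not part of the original post: it walks the Received chain of a constructed sample message (all host names and addresses are made up) and reports, per hop, whether the relay recorded a TLS-protected protocol keyword as defined in RFC 3848.

```python
import re
from email import message_from_string

# Constructed sample message: two relay hops, only the first one used TLS.
SAMPLE = """\
Received: from mx.relay.example (mx.relay.example [203.0.113.7])
\tby mail.recipient.example (Postfix) with ESMTP id 4F1A2B3C
\tfor <bob@recipient.example>; Mon, 12 Aug 2013 10:00:03 +0200
Received: from laptop.sender.example (laptop.sender.example [198.51.100.23])
\tby mx.relay.example (Postfix) with ESMTPS id 9D8E7F6A
\tfor <bob@recipient.example>; Mon, 12 Aug 2013 10:00:01 +0200
From: Alice <alice@unrelated.example>
To: bob@recipient.example
Subject: constructed example

Body is readable on every server listed above.
"""

# RFC 3848 "with" protocol keywords that indicate the hop was TLS-protected.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hops(raw):
    """Return the relay path in delivery order as (from, by, protocol, tls)."""
    msg = message_from_string(raw)
    path = []
    # Each server prepends its own Received header, so reverse for delivery order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if m:
            sender, receiver, proto = m.group(1), m.group(2), m.group(3).upper()
            path.append((sender, receiver, proto, proto in TLS_PROTOCOLS))
    return path

def plaintext_holders(raw):
    """Every host that received the message held it in clear text, TLS or not."""
    return [receiver for _, receiver, _, _ in hops(raw)]

def cleartext_hops(raw):
    """Hops where the message crossed the network without transport encryption."""
    return [(s, r) for s, r, _, tls in hops(raw) if not tls]

if __name__ == "__main__":
    for sender, receiver, proto, tls in hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'no TLS'})")
    print("Plain text available at:", plaintext_holders(SAMPLE))
    print("From header (unauthenticated):", message_from_string(SAMPLE)["From"])
```

Received headers are written by the relays themselves, so a relay can omit or misreport them. The From header was accepted unchanged on both hops, although the submitting host sits in a different domain.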