Archive for the ‘Security’ Category

Stories About Code Obfuscation


(FTB stderr) – Marcus Ranum:

Code Obfuscation is really neat stuff. Or, it can be.

Other than the rare programmer such as the one guy I encountered in a certain university’s database research group in 1988, most programmers write somewhat readable code. It has to be readable because the compiler/interpreter’s parser is almost always more strict than a human would be – programming languages have a specific syntax that strikes a balance between the computer’s ability to be sure what the programmer wants to do, and the programmer’s laziness about expressing it. There are fun philosophical debates among programming language proponents as to the degree to which the computer should try to figure things out. …

If I’ve got to give you a copy of my source code, why not turn “prompt” into “0x000010” or something less readable? Why not turn all my variables into unreadable crud? What if my variables look like: “01oI00”, “0I00Ioo” and so forth? And all my function names can be changed, and my strings can even be removed. …

stderr 2017/04/17 stories

Stunnix obfuscation

Using a Password Vault


(FTB stderr) – Marcus Ranum:

With passwords, there are two really important things to understand, which most people don’t remember in time:

  1. The biggest danger with passwords is using the same password in multiple places
  2. If you forget your password you can almost always recover it

The best way of dealing with 1) above is to not ever actually know any of your passwords. That’s the big secret benefit of using a password vault: you never know your password, so you’ve got zero chance of reusing it and if you’re not reusing it that prevents one of your accounts being broken from leading to all of your accounts being broken. …

stderr vault


Strong Encryption Makes us all Safer


(Guardian Comments) – Editorial:

There are many things the web giants could do to help combat terrorism, but weakening privacy protection is not one of them. …

theguardian 2017/mar/27 strong-encryption

Conspiracy Size


(FTB stderr) – Marcus Ranum:

I suspect that there is an optimal and a peak conspiracy size, beyond which it becomes nearly impossible to keep a secret.

That’s one of the reasons why I tend to disbelieve conspiracy theories that involve a lot of moving parts. I completely suck at math but if I recall how this is calculated, you take the probability that any individual will leak, and then the probability your secret remains secret is the combined probability that all the individuals don’t leak. The way I think of it (because I suck at math) is that you make a saving throw on your Leak Table every year and sooner or later you’re going to come up ‘01’. …

stderr 2017/03/07 conspiracy

German Parties and Ministries Vulnerable To Hacking Attacks


(Spiegel) – Fabian Reinbold:

Politicians in Germany are warning about the threat of hacking attacks, but when it comes to their own data, many are too careless. Some German political parties are failing to take advice from the country’s information security authority seriously enough. …

spiegel 1137570

Signal Adds Video Calls


(Wired) – Andy Greenberg:

Signal’s creators at the non-profit Open Whisper Systems announced a beta version of the update that, in addition to video calling, adds the ability to answer calls from a locked screen, and what they promise will be better call quality. …

wired 2017/02 signal-enables

Encrypted Signal voice call in Android

Surveillance Self-Defense


(The Intercept) – Micah Lee:

Americans have handed the U.S. presidency to a racist, xenophobic, authoritarian, climate-science-denying, misogynistic, revenge-obsessed ego-maniac — and with it control over a vast and all-too-unaccountable intelligence apparatus; and in a speech less than three weeks ago, Trump promised to sue all of the women who have come forward with sexual assault accusations against him. …

Thanks to 16 years of relentless and illegal expansion of executive power under Presidents Bush and Obama, Trump is about to have more tools of surveillance at his disposal than any tyrant ever has. Those preparing for the long fight ahead must protect themselves, even if doing so can be technically complicated.

The best approach varies from situation to situation, but here are some first steps that activists and other concerned citizens should take. …

theintercept 2016/11/12 surveillance

Keep Smartphones From Betraying Their Owners


(The Intercept) – Micah Lee:

In dangerous environments like war-torn Syria, smartphones become indispensable tools for journalists, human rights workers, and activists. But at the same time, they become especially potent tracking devices that can put users in mortal danger by leaking their location.

National Security Agency whistleblower Edward Snowden has been working with prominent hardware hacker Andrew “Bunnie” Huang to solve this problem. The pair are developing a way for potentially imperiled smartphone users to monitor whether their devices are making any potentially compromising radio transmissions. They argue that a smartphone’s user interface can’t be relied on to tell you the truth about the state of its radios. …

theintercept 2016/07/21 research

iPhone 6 disassembly

Signal Security Tips


(The Intercept) – Micah Lee:

There are dozens of messaging apps for iPhone and Android, but one in particular continues to stand out in the crowd. Signal is easy to use, works on both iOS and Android, and encrypts communications so that only the sender and recipient can decipher them.

Although Signal is well-designed, there are extra steps you must take if you want to maximize the security for your most sensitive conversations — the ones that could be misinterpreted by an employer, client, or airport security screener; might be of interest to a snooping government, whether at home or abroad; or could allow a thief or hacker to blackmail you or steal your identity.

I discuss these steps at length below, in order of importance. …

theintercept 2016/07/02 security-tips

How Signal Beats WhatsApp


(The Intercept) – Micah Lee:

There are now at least three different instant-message services that implement robust encryption: WhatsApp, Signal, and Allo. How is someone who cares about their privacy and security to choose between them? …

theintercept 2016/06/22 battle

mobile battle