Seegras Logbook

Digital Restrictions Management is an abomination. I try to avoid it, but ever so often you stumble upon something, and you need it in readable, unrestricted form. Turns out, the mechanisms for removing DRM are just as an unholy mess of outdated software and scripts for proprietary systems as the DRM systems themselves.

The first thing you get when stumbling upon Adobe DRM is an .acsm (Adobe Content Server Message) file. It’s an XML that tells Adobe Digital Editions (and Apps that implement it) where to download the data.

Apparently, there’s several versions of Adobe DRM, and you can enforce an earlier one with a downgrade attack, by using Adobe Digital Editions 2.01 for Windows, apparently still available from Adobe, as it’s the last version to run on Windows Vista and Windows 7.

And yes, you need to create an account at Adobe to use these.

I actually tried ot the newest one (4.5.11) as well. Installation is straightforward:

WINEPREFIX=~/.wine.ade4 winetricks corefonts dotnet40; \
WINEPREFIX=~/.wine.ade4 wine ADE_4.5_Installer.exe

According to winehq.org this should work, but upon trying to download anything with it, it returned E_ADEPT_DOCUMENT_TOO_SHORT.

ADE 2.01 is a bit trickier, it needs a 32bit wine prefix, and dotnet 3.5, servicepack 1. As 4.5.11 it needs corefonts too.

WINEARCH=win32 WINEPREFIX=~/.wine.ade2 winetricks corefonts dotnet35sp1; \
WINEPREFIX=~/.wine.ade2 wine ADE_2.0_Installer.exe

Again according to winehq.org this should work as well, but also returned E_ADEPT_DOCUMENT_TOO_SHORT, which might point to some network-problem, winbind-error, crypto-library too new or somesuch. In any case, you can’t find anything useful by searching for the error.

So I’ve been looking for other apps, some open source on github or somesuch, that could use .acsm files for download. And I found at least one: Aldiko, on Android. It’s apparently also abandoned, but it still can be found on Google Play. I got myself Aldiko Classic 3.1.3.

Upon loading a .acsm File in Aldiko (from anywhere, basically, I copied some I downloaded with the Browser on my Workstation into /sdcard/Download), you get prompted to enter your Adobe acocunt; after that it downloads the books to /sdcard/eBooks. And you can copy over these to any device that has the keys for your adobe account. Like your wine-prefix.

I initially tried to get DeDRM working standalone or with my Calibre on Linux, but it turned out this thing is a collection of dozens of scripts, which all demand python 2.7. Which is EOL, and which no sane person should use aynmore. As you can see from the pull-requests and issues, there’s some efforts of making these work on contemporary python, but these went nowhere so far (“Python tests (2.7) failed” — duh!).

Also, as it turned out, after I fixed one of the scripts to run with python 3, these things rely on the existence of ADE on your system; and you either need to somehow convert registry-entries or get files from MacOS to get the device key and the licence key. Which then are pumped through some assembler(!) to get a useful .der file. All in all, too complicated,

What I did instead was to install python-2.7.msi, pycrypto-2.6.win32-py2.7.exe and calibre-3.48.0.msi into the wine-prefix and run from there:

WINEPREFIX=~/.wine.ade2 wine msiexec /i python-2.7.msi; \
WINEPREFIX=~/.wine.ade2 wine pycrypto-2.6.win32-py2.7.exe; \
WINEPREFIX=~/.wine.ade2 wine msiexec /i calibre-3.48.0.msi

Within calibre, finally, in “preferences -> Plug-ins -> Load Plugin from file” I installed DeDRM_Plugin.zip from DeDRM_tools_6.7.0.zip.

The books downloaded with Aldiko on Android and copied over can now be added to the collection in calibre, and have their DRM removed automatically.

The biggest threat to cyber-security is surveillance. Or rather the will, ability and legal status of organisations who prioritise surveillance and active attack abilities above defence and security.

The point is, that surveillance does not mean passive wire-tapping. It means attacking infrastructure where the data you want is available unencrypted, or infrastructure through which the message or data travels. Infrastructure which might not be under control of the entity trying to gain these surveillance-capabilities. For instance it might target the sender or the recipient of an encrypted e-mail or instant-messenger message. Or an intermediary, in order to know who communicates with who in the first place. All these actions are not comparable with passive wire-tapping, in fact, these attacks are indistinguishable from hacker-attacks aimed towards any other goal, like the enactment of botnets; and they also enable the attacker not just to eavesdrop, but to do whatever else he pleases, from launching man-in-the-middle attacks to denial-of-service, ransomware, attacking somebody else and so on. So surveillance is an attack as any other.

The problem now stems from the fact, that in order to attack somebody, you need knowledge of insecure systems, vulnerabilities, on their part. Typically, what you use are exploits, and if they’re not published yet, they’re called zero-day-exploits. Now, as long as you don’t tell anyone, these vulnerabilities don’t get fixed. They might be found by somebody else, and published or not. As soon as they get published, they loose their value for attack. Now, during that period when you have a zero-day-exploit on your hands, you might mitigate that vulnerability on your systems. But you actually can’t mitigate them on all systems of your allies, because then the secret would go out. So you don’t. Which leads to one outfit having knowledge of vulnerabilities leaving every other outfit at risk.

In a practical example, 2013 a server was hacked, that was used by the NSA as staging system for attacks. The Shadow Brokers hack was made public only in 2016, and it turned out, the NSA had stashed a load of zero-day-exploits there, some of which were still zero-days in 2016, but the majority of them had already been made public. Now, not only illustrates this that independent researches will find these “secret” vulnerabilities eventually, but also something much more sinister: The NSA had actually put every other US-agency, including FBI and DOD, the government, critical infrastructure (including power plants, water supply and hospitals) and finally all its own citizens at risk.

With all the secret services world-wide, and often also police-units (For instance, the Zürich Police bought surveillance software from Hacking Team containing three zero-day-exploits) involved in ramping up their cyber-attack-capabilities, most often with the goal of surveillance, we can see an extreme effect on creating a market for zero-day-exploits. Where fifteen years ago no noticeable market existed at all, we now have one whose prices start at USD 40’000 and go up to USD 500’000 per exploit, as evidenced by the price-list published by Zerodium In other words, secret services and police are actively undermining the security of everyone on this planet, friend and foe alike.

The trouble is, highly technological societies are much more vulnerable to this. For guerillas, insurgents and terrorists the benefits of being able to exploit vulnerabilities is much greater, and they don’t really have to defend any friends from such attacks. So the ones that suffer the most, are the people and governments of exactly the same nations and states whose secret services and police are actively undermining their security. This is a grave situation, as most governments have not even realised what it is they have their secret services and police doing, and are actively trying to destroy their own security with initiatives that call for weakening of crypto or for government back doors. Or at least, trying to explicitly legalise these practices as seen with Switzerlands NDG, which of course will have a very much adverse effect of security.

The solution is surprisingly simple, the only impediment is, as usual, the widespread incomprehension of the problem itself. Since every vulnerability that is made public eliminates the exploitation of it for everyone, the only solution is to make every vulnerability public as soon as possible. The usual, and in fact “best practice” of the computer industry, is called “responsible disclosure”, where the manufacturer of a software or product is informed a few days or maximum weeks in advance, so he can fix the vulnerability, before the issue is made public. And in the end, it’s the only solution that will really make us more secure.

Spätestens seit den späten 80er Jahren ist bekannt dass die NSA alles überwachen möchte, namentlich wurden da Details über das ECHELON Projekt, welches Funksignale auch in Europa z.b. via den Abhörstationen in Menwith Hill (UK) oder Bad Aibling (DE) abhört bekannt. Der Spiegel berichtet 1989 darüber: NSA: Amerikas großes Ohr.

Nicht nur der Funk wurde abgehört, sondern schon damals war es ein offenes Geheimnis dass die NSA in Frankfurt “in unmittelbarer Nachbarschaft der Postzentrale” hunderte von Telefonleitungen betrieb. Und in den 90ern war bekannt dass die NSA im selben Gebäude wie der DE-CIX ein Büro unterhielt, später dann aber nach gegenüber umgezogen sei (Scheinbar ist das nicht ganz korrekt: Die NSA hatte offenbar ein Büro über dem Hauptpostamt, aber das war vor der DE-CIX Zeit. Was aber nichts daran ändert dass die NSA später in unmittelbarer Nähe vom DE-CIX Büros unterhielt).

Dass die NSA versucht im Ausland alles zu Überwachen war also schon in den 90ern klar, und wem sich dafür interessiert hat auch bewusst. Auch klar war dass da mindestens eine Billigung durch entsprechende Behörden in den UK, Deutschland und anderen Ländern vorhanden sein musste.

Was weder mir noch der Öffentlichkeit klar war, ist das Ausmass in dem die NSA, zumindest im 21. Jahrhundert, damit erfolgreich war.

Der Skandal in den USA

Der eigentliche Skandal ist aber ein anderer. Einerseits hat den die USA selber: Die Überwachung der eigenen Bevölkerung war weder Auftrag der NSA, noch legal. Die versuchte Rechtfertigung mit “National Security Letters” und esoterischer Gesetzesauslegung sind nicht mehr als ein Feigenblatt, um die Verfassungs- (und eigentlich auch Gesetzes-)widrigen Machenschaften der NSA und der Regierungen Bush Jr. und Obama zu decken. Aber das ist erstmal das Problem der US Bürger.

Der Skandal hier…

Andererseits haben wir auch einen Skandal. Nämlich wie die Taten der NSA durch lokale Geheimdienste und Regierungen gedeckt wurden. Ja, die USA dürfen nach ihren eigenen Gesetzen bei uns spionieren. Aber nicht nach unseren. Und während die meisten Europäischen Geheimdienste, im Gegensatz zu den US-Amerikanischen, auch die eigenen Einwohner bespitzeln dürfen, so dürfen sie eines nicht: Daten über die eigenen Bürger an fremde Mächte weitergeben. Und statt Spionage-Abwehr zu betreiben haben wohl einige europäische Geheimdienste, darunter ziemlich sicher der BND, wohl genau das Gegenteil getan und ihre eigenen Bürger verraten.

..und der Skandal wie damit umgegangen wird

Und der dritte Skandal an der ganzen Sache ist wie die betroffenen Regierungen damit umgehen. Statt sich sofort hinter die eigene Bevölkerung zu stellen und die Übeltäter im eigenen Land vor Gericht zu ziehen, der NSA die Dependencen zuzumachen und den Datenfluss abzuwürgen übt man sich in lahmen Verleugnungen (“es gibt keinen Skandal”), Relativierungen und Rechtfertigungen.

Klar, einige Leute in den Regierungen wussten vermutlich etwas zuviel, aber das ist weder ein Grund nicht sofort die Geheimdienste an die Leine zu nehmen oder zuzumachen, noch ein Grund die ganze Sache herunterzuspielen. Und für die Parlamente ist das schon gar kein Grund nicht sofort Gesetze zu erlassen die so eine Massenüberwachung in Zukunft verunmöglichen. Stattdessen gibt es immer noch Politiker die die Vorratsdatenspeicherung fordern, was schlussendlich nichts anderes ist als die Bereitstellung von Datensammlungen für fremde Geheimdienste und Kriminelle. Ebenfalls ist es unerklärlich weshalb nicht sofort die Staatsanwaltschaften gegen die Beteiligten zu ermitteln anfangen.

Und dann haben wir noch die Presse, welche sich vor allem in den USA als NSA-Apologet hervortut und statt die Missetäter anzugreifen den Überbringer der Botschaft mundtot machen will.
Aber auch in Europa ist die Reaktion noch moderat, und statt Köpfe rollen zu fordern wird abgewiegelt.

Ja, wir haben einen Skandal, aber der ist nicht dass die NSA alles abhört, sondern dass sie dabei von Kollaborateuren in unseren Ländern unterstützt wird, und dass unsere eigenen Regierungen nichts dagegen unternehmen.

(Der Grund warum der Artikel nicht mehr auf die Schweiz eingeht ist dass hier noch sehr viel offen ist, und eine mögliche Zusammenarbeit von Schweizer Geheimdiensten mit der NSA noch nicht wirklich untersucht, und auch nicht derart offensichtlich wie beim deutschen BND oder beim englischen GCHQ ist).

Some time ago, I read Lock down your Android APK permissions by benn from Intrepidus Group.

I decided to automate the whole procedure, at least the unpacking, signing and repacking. Each app has to have it’s own key (lest the apps signed with the same key can access each others ressources!) which was the thing that most needed automation.

So I wrote some shell-scripts. The scripts are not only useful for changing the permissions of an app from any source (unpack, edit AndroidManifest.xml, resign), but also for android developers themselves. it’s much easier to manage keys and sign different apps with them.

So here they are:

• android-unpack Stupid script to decode .apk-files, all of those in a directory, actually.
• android-resign Script to pack .apk-files, and sign them. Each project with it’s own key.

Of course, if you re-sign foreign apps with your own key, they won’t be the same ones as on the Android Market, and thus not automatically upgradeable and will not use the same configuration.

I’ve been sceptical about offerings of Security as Service. It’s sounds an awful lot like “Outsourcing Security”, and security is a process which involves every aspect of business or life.

However, I’m working now in a company which does just that, selling Security as Service. And I think it can work. As opposed to any other company which sells you a product, or some other services, if you’re selling security, you’ve got an interest in your customers security not being breached. Because you will loose that customer.

If you’re a Bank, you sell banking services. As long as the cost of one of your clients accounts being misused is not really your cost, the security of your clients is a total non-issue. The same goes for vendors of security-appliances. The client bought it, and already paid it, so if somebody hacks it, it’s not really your problem, unless you get bad publicity out of it.

And we’ve seen with the whole “full-disclosure”-debate, that bad publicity is a very weak instrument, and some companies can take hideous amounts of it before they improve security. Microsoft is the classical example; it took them aeons to do something about security, and the security of its products is still very weak.

On the other hand, if you get paid by subscription, you have a very real interest in keeping the customer. That means you have an interest of providing the services you are being paid for. If it’s not security the client pays for, this also means that security is probably not your concern (as seen with banks and credit card companies).

Of course, security embedded in you company will be much more capable and resilient. You can design every process with security in mind. You can choose specific products with a good security track-record. You can have system administrators with a very intimate knowledge of your network and IT-landscape, who can provide for a very fine-grained incident-response and emergency management.

But most smaller companies can’t have that. Because they don’t have the expertise, the money to hire specialists, and most of all, an IT-landscape that is not modeled by security-considerations but by habit. And habit is of course the biggest foe of security. It could be his friend too, but old habits die hard, and most people today grew up in a world where not everything was networked, and where systems of a company which gave a damn about networks and security were, and still are, prevalent. So the people in these companies don’t have the slightest clue about security, e-mail their passwords around, get their negotiations eavesdropped on mobile phones, infect their computers with viruses and get their e-banking accounts phished.

And this is where Security as Service can help. It can’t make you into a company where everything is secure. But it can mitigate some of the effects the security-unconscious acts of your employees cause. It can filter out malicious emails before someone can click on it, or some stupid mail client executes the malware-payload on its own. It can encrypt the emails at least between hosts. It can keep the botnets at bay that try to penetrate your servers. And it can provide incident-response if something goes wrong.

And finally, Security as Service is the fundamental better idea than Security as Product. Because Security is a Process, it never ends; and because with any product you bought, the sale is done, and the supplier is only interested in selling you another product, but not in making the already sold product better. Furthermore, if you lack the expertise, will you even be able to manage the product correctly?

There are those who can, with in-house security expertise, where it would be stupid to outsource it. But for the rest of us, there’s at least a certain measure of security available with Security as Service.

Die Credit Suisse will auf ein neues SMS-Sicherheitsverfahren umstellen. Benutzbar mit a) Einem Handy b) welches eine Schweizer Landesvorwahl hat c) eine Vorwahl von 076, 077, 078 oder 079 hat.

Sobald man auf der DirectNet-E-Banking-Seite einzuloggen versucht wird einem mitgeteilt dass die bisherige SecurID-Authentifikation noch 7 Tage lang gültig sei.

Was haben die Sicherheitspezialisten der Credit Suisse geraucht? Oder sind die aus einer Anstalt entflohen?

Wer auch nur die geringste Ahnung von “Sicherheit” hat, dem fallen sofort einige ganz gravierende Probleme (abgesehen von “Usability”-Problemen, für Leute im Ausland z.b.) mit diesem “SMS-Sicherheitsverfahren auf:

• SMS sind abhörbar. In Real-Time. Das wurde am Chaos Computer Club Congress 2009 bewiesen (und sämtlicher SMS-Traffic auf dem Kongress gleich live auf einem Beamer angezeigt).
• Smartphones werden immer mehr als Ziel für Malware interessant, je mehr sie Funktionen übernehmen für die früher ein ausgewachsener Computer benötigt wurde.
• Das “Token” (das Mobiltelefon nämlich) an das die Authentifikation gebunden ist, ist DER Gegenstand weltweit der am meisten verloren und gestohlen wird.
• Es ist eine enorme Datenschutzverletzung. Nun ist jedes Konto mit einer Telefonnummer gekoppelt. Gleichzeitig ist es auch noch möglich den Standort von Mobiltelefonen zu Triangulieren.

Und das ist nur das was mir sofort eingefallen ist.

Der einzige Vorteil der ersichtlich wäre, ist dass die Authentifizierung Out-Of-Band erfolgen könnte, was für Benutzer mit kompromittierten Windows-Kisten einen Vorteil darstellen kann. Der ist aber sofort wieder weg wenn man a) dasselbe Smartphone gleich fürs E-Banking benutzt b) sich Malware auf den Telefonen verbreitet. Aber vorallem c) muss der Code den man per SMS erhält so wie es jetzt implementiert ist trotzdem per Browser zurück übermittelt werden. Was die ganze Übung hinfällig macht.

Es gäbe schon ideen wie man sowas wirklich sicher machen könnte, aber die involvieren dann Karten mit Keypads und Methoden zur Out-Of-Band Übermittlung. Und nicht dasselbe wie vorher, bloss neu nun auf einem Gerät welches abgehört, gestohlen und verloren wird.

Es handelt sich hier um eine offensichtlich reine Geschäftsentscheidung. Für die CS ist die Frage einzig und allein die: Was kostet das System, was sind die zu erwarteten Aufwände für den Token-Verlust und schlussendlich, was sind die Aufwände wenn es von Dritten misbraucht wird. Mit dem SecurID-System bestehen die Aufwände in der Ausgabe der SecurID, und den Auswechseln derselben bei Verlust. Mit dem SMS-System ist es im Betrieb das senden der SMS, der Aufwand bei Verlust ist für die CS geringer da der Hauptaufwand da vom Benutzer getragen wird. Bei den Aufwänden durch Misbrauch seitens Dritten dürfte die CS erwarten dass die in etwa dieselben bleiben, da das neue System etwa die selben Schwachstellen hat wie das alte (respektive die Kosten für neue Schwachstellen nicht von der CS getragen werden müssen, z.b. in Form von Privatsphäreverlust) und Entwicklungen wie Smartphones die das ganz Ad-Absurdum führen könnten hat man vermutlich ignoriert, da bisher noch keine entsprechenden Misbrauchsfälle aufgetreten sind. Man hat sich wohl gegen eine wirkliche Out-Of-Band-Authentifizierung entschieden, da das vermutlich wesentlich teurer würde, und sich die momentanen Aufwände bei Misbrauch offenbar in Grenzen bewegen.

Die Sicherheit für den Endbenutzer war für die CS nie das Thema. Solange sich die Kosten der CS für misbrauchte Konten im Rahmen bewegen, und sie nicht übermässig schlechte Publicity wegen mangelnder Sicherheit bekommen, hat die CS nicht das geringste Interesse daran E-Banking sicherer zu machen. Nur billiger.

Ganz schlimm ist auch dass man den Kunden offensichtlich nicht die Wahl lassen will, die für sie meist sicherere SecurID weiterzubenutzen. Wenn die nicht von Fall zu Fall einlenken (in meinem nämlich ganz bestimmt), dann werde ich das tun was man in einer Marktwirtschaft in so einem Fall tut: Mit den Stiefeln wählen gehen.

Addendum: Ich habe angerufen, und scheinbar haben sie nun die Laufzeit für meine SecurID verlängert. Mir wurde aber mitgeteilt dass sobald eine andere Lösung für nicht-schweizer Mobiltelefone etc. exisitert, das SecurID-System abgeschaltet würde.

Addendum Zwei: Seit ich das im April 2010 geschrieben habe, haben endlich auch andere bemerkt dass das eine schleichte Idee ist: Telcos declare SMS ‘unsafe’ for bank transactions Selbstverständlich wird es auch schon misbraucht Präventionshinweis für Onlinebanking im mTAN-Verfahren

Stupidity and misunderstanding on how security works has reached new heights in the USA: TSA: Enhanced screening for people flying to U.S. from certain nations.

How bloody stupid must one be to react this way to a failed attack? Yes, failed means exactly that a security measure — in this case a terrorist attack that was thwarted by passengers(!) — works. But instead of relying more on what obviously works, the TSA (and of course, this one is backed by the government; proving that Bush and Obama really do the same bollocks) has decided to implement something else, something incredibly stupid which will actually lower security.

Security professionals worldwide don’t even know if they should laugh or cry at such a bold display of imbecility. I’ve not yet seen what Bruce Schneier has to say about this specific idiocy, but here’s an essay which essentially explains the issue: Screening People with Clearances. Just so you can see that I’m not the only security professional who thinks this way, and Bruce Schneier has rather more clout than me. ;)

Do you really think terrorists won’t be likely to fly NOT from those 14 countries? Or — gosh — use a false passport? Hell, they might even recruit people from a country deemed “safer”, the USA itself for instance. And of course, increased scrutiny of certain passengers will draw resources from scrutinizing other passengers.

Congratulations, you’ve just implemented a fast lane for terrorists while harassing other passengers coming from some 14 countries. Mindbogglingly stupid. According to Hanlon’s Razor I’m forced to conclude that the USA is run by drooling idiots.

Addendum: Bruce Schneier has now put it nicely: Christmas Bomber: Where Airport Security Worked. I can only add “and in whose aftermath common sense did not”.

Switzerland tries its take on a surveillance-system which could be used to
monitor all satellite-based communication, inlcuding mobil phones, some
internet traffic and more. Such a system already exists, operated by the
USA, Canada, New Zealand, Australia and Great Britain, called Echelon (see
the Statewatch Report from 1997 on Echelon). The Satos 3 project was slipped
half-covertly into the budget as “renovations for military buildings” and
is now built in the town of Zimmerwald and Heimenschwand. The following
are resources, mainly press coverage, on the subject of Satos 3.

References

• 11.11.1999:
  Weltwoche: Schnüffler träumen von der All-Macht
• 20.11.1999: Tages Anzeiger: Lauschangriff via Satellit
• 24.11.1999: Tages Anzeiger: 386 Millionen für Militärbauten
• 24.11.1999:
  Le Temps: Les «grandes oreilles» des services secrets inspirent la méfiance
• 29.11.1999: parlament.ch: Kommission stimmt der Immobilienbotschaft Militär 2000 zu
• 02.12.1999:
  Weltwoche 48/99: Ohne Spürsinn, Biss und Argwohn
• 08.12.1999: Tages Anzeiger: Blind und taub fürs grosse Abhorchprojekt
• 08.12.1999: NZZ Online: Controversy over Intelligence Wiretapping
• 09.12.1999:
  newswindow.ch: “Big brother is watching you”
• 10.12.1999: Tages Anzeiger: Zweites Ja zum Abhorchprojekt
• 10.12.1999:
  Le Temps: Le parlement octroie des crédits pour l’espionnage
• 13.12.1999: Swiss Internet User Group: Internet-Insider zu SATOS 3: ziel- und zwecklos
• 14.12.1999:
  Computerworld: Protest gegen Schnüffeldienst
• 14.12.1999:
  newswindow.ch: Beratungen über das Bundesbudget 2000 aufgenommen
• 15.12.1999: Tages Anzeiger: “Satos 3” zum Dritten
• 16.12.1999:
  Woz 50/99
• 27.07.2000:
  Weltwoche 30/00: Die Welt der grossen Ohren

Webpages

• clinch.ch: The Big Brother is watching you
  [german]
• Das Ministerium für Wahrheit: Informationen zu ECHELON
  [german]
• Der lange Arm aus dem Dunkelkammer
  [german]

Related issues

• 
  ENFOPOL Papiere
  [german]

Peter Keel,

Security has its price, and
the price is user-friendlyness. To type a password each time you turn on
your machine is not very pleasant, but the benefit is big. So you have to
decide how much security you want. The following are some guidelines, most
of them are crucial.

• Don’t use Microsoft Explorer. ActiveX-technology permits anyone to
  get any file on your computer and maybe even to turn the computer off.
• Don’t use DOS nor Windows nor Windows95. These Operating Systems
  have completely zero security, and Microsoft is just so fucking
  stupid; they have no idea about security. Besides that, 99% of
  all virii grow and spread on these systems. Unix knows no virii.
• Don’t use any Microsoft program which features a macro-language,
  such as Excel and Word. Unless you want virii.
• Use a secure operating system such as Unix or VMS. Maybe Windows NT,
  But take care on your applications in case of Windows NT…
• Netscape or any other browser does not need to transmit information
  from you to any other site.. link the cookies to /dev/null or remove
  the write-permission.
• Use no words as password. Not even words from other languages. No
  permutations of your own name too. Use different password for
  different machines. If you want to make it perfect, use PGP to
  generate passwords.
• If you don’t need it, turn it off. If you’re standalone, you presumably
  don’t need to run a finger or a telnet or an ftp server. Turn it off.
• Watch you traffic. Which program transfers unwanted information from
  your machine to elsewhere? Take special care using software to which
  you haven’t the sourcecode – e.g. that Microsoft stuff.
• Apropos sourcecode: Real security needs the sourcecode. If you don’t
  have the sourcecode to a crucial tool – an encryption routine, for
  instance – nobody can know if it is secure. If it is secure, knowing
  the sourcecode won’t help to decrypt it (take PGP as an example).
  Don’t trust an algorithm which is not released publicly. Never.
• Encrypt confidential Mail. Use PGP. That may not be 100% secure,
  but you’ll need much much time. It’s presumably the most secure
  thing we’ve got.
• If it’s really secret, you might use steganographic techniques as
  well. Hide your encrypted messages in unsuspicios-looking ones.
• Make copies, backups, whatever. Most information most people got,
  is not as critical that other people do not have to have it, but
  you do not want to loose it. Au contraire the army, for
  instance: They don’t care if they loose information, as long as
  no one else gets it. So make backups – best encrypted.
• For data-encryption, you can use low (crypt) middle (des) or high
  (pgp) security. These should all be available on a reasonable
  operating system by default.
• After all, man is the biggest break in security.. people talk too
  much, give away their passwords too easily, write their passwords
  down, use stupid passwords, use no passwords, use operating systems
  with no passwords, and so on and so on and so on.

Okay. Now another thing… What are the threats?

• Brother state might read your data (not very likely)
• Big Brother Bill might use your data for marketing (likely)
• A hacker might (ab)use your machine (unlikely)
• You might get a Virus (likely your problem, get another OS)
• You might loose data (very likely)
• Your system might crash (likely(DOS/Windows95) to unlikely(linux))
• A person you know might mess with you data (very likely)

So you see whats the most crucial point? Make backups. Second is, use
A system which permits the use of a password (NOT Windows95, this is
ridiculous). Third, do not let anyone snoop information from your machine.
The rest is hackers of any colour, including the state and corporations.
And that’s a pretty little threat, according to the probability to happen.

Ehm.. So have a nice night.

An make backups!

Peter Keel,