What, you're not on Whatsapp?

“Whoever loves Whatsapp had better not read on, or perhaps precisely then, because love, as everyone knows, often makes you blind.” Boris Pohler, himself a teacher and father of two children, names the price of using the widespread service and explains why every user violates German law.
blog.pohlers-web.de

How not to get phished

“Most humans can tell the difference most of the time, but if they are tired, or stressed, or in a rush, or have any number of other common obstacles to computer use, there’s a good chance they won’t notice the difference, will type their password into the wrong site, and will have their account taken over by bad guys.” Jacob Hoffman-Andrews identifies password managers as the average human’s best defence against phishing attacks.
jacob.hoffman-andrews.com

Conversations

“Welcome to this introduction to Conversations. It is gonna be a great introduction. It’s gonna be fabulous. Other instant messengers have fought Conversations for many years, but they couldn’t beat it. Just couldn’t do it. Total losers. They’re all dead now. All the other messengers have failed. Forget WhatsApp, okay? Signal …total disaster. Threema is so bad, it’s not even a real messenger. It’s fake. Threema is a fake messenger. Conversations has got to be the best messenger in the world. It’s huge. OMEMO. You’ll love it. Best protocol. Tremendous. Absolutely fantastic. Nobody has messengers better than Conversations. This messenger is so big, you can even see it from the moon. And I am going to make you pay for it. It’s true. Important people tell me that Conversations is so great, it’s unbelievable. So great, it’s beautiful. Conversations is the best instant messenger that God ever created.”
conversations.im

The Swedish kings of cyberwar

“Among the many questions posed by Scandinavia’s embrace of mass surveillance is one that has lingered at the margins throughout the Snowden debate: Are advanced democracies any different than their authoritarian counterparts in seeking to gain broad access into the private lives of citizens?” Hugh Eakin shines a light on the underreported activities of Sweden’s FRA in spying on people everywhere.
www.nybooks.com

With thanks to Michael August

What we give away when we log on to a public Wi-Fi network

“Already 20 smartphones and laptops are ours. If he wanted to, Slotboom is now able to completely ruin the lives of the people connected.” Wouter Slotboom is one of the good guys, demonstrating to Maurits Martijn his effortless ability to retrieve people’s passwords, steal their identity, and plunder their bank accounts.
decorrespondent.nl

Signal

“I am regularly impressed with the thought and care put into both the security and the usability of this app. It’s my first choice for an encrypted conversation.”
Bruce Schneier

Signal offers private messaging and calling in one simple app. It is both free and open source. Development is supported by community donations and grants. This means that there are no hidden strings attached. Use Signal as an alternative to WhatsApp or, better still, its replacement.
signal.org

Mail services see everything

“Electronic mail came into fashion with free services. Customers do not pay for them in hard currency; instead they accept advertising and, in most cases, the exploitation of customer profiles built from their data.” The NSA’s eavesdropping practices, now public knowledge, are increasingly bringing questions about the security of e-mail to the fore. Stiftung Warentest has examined 14 providers: Mailbox.org and Posteo emerge as the test winners.
www.test.de

Edward Snowden: the untold story

“The question for us is not what new story will come out next. The question is, what are we going to do about it?” James Bamford interviews Edward Snowden, who regards the use of strong encryption in your everyday communication as a viable means to end mass surveillance.
www.wired.com

Also watch United States of Secrets, a two-part series detailing how the US government came to monitor and collect the communications of millions around the world.

OpenKeychain

“OpenKeychain helps you communicate more privately and securely. It uses high-quality modern encryption to ensure that your messages can be read only by the people you send them to, others can send you messages that only you can read, and these messages can be digitally signed so the people getting them are sure who sent them.”
www.openkeychain.org

How the NSA betrayed the world’s trust—time to act

“And whoever tells you that they have nothing to hide simply haven’t thought about this long enough. ‘Cause we have this thing called privacy. And if you really think that you have nothing to hide, please make sure that’s the first thing you tell me because then I know, that I should not trust you with any secrets because obviously, you can’t keep a secret [sic]”
Mikko Hypponen

Threema

“Threema is a mobile messaging app that puts security first. With true end-to-end encryption, you can rest assured that only you and the intended recipient can read your messages.” Threema is my favourite instant messaging application and has been described as “a much flasher version of WhatsApp”. Its source code has recently undergone an external security audit and was found to provide a “security level which compares favourably with the state of the art in similar messaging services”.
threema.ch

Why passwords have never been weaker—and crackers have never been stronger

“The RockYou dump was a watershed moment, but it turned out to be only the start of what’s become a much larger cracking phenomenon. By putting 14 million of the most common passwords into the public domain, it allowed people attacking cryptographically protected password leaks to almost instantaneously crack the weakest passwords. That made it possible to devote more resources to cracking the stronger ones.” Dan Goodin details the many reasons you should choose your passwords even more carefully.
arstechnica.com

NSA surveillance: a guide to staying secure

“The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.” Bruce Schneier works on the assumption that the NSA is able to decrypt most of the Internet.
www.theguardian.com

On the same subject, David Meyer felt moved to pen an open letter titled ‘Dear stupid, stupid NSA’.

Still sending naked email?

“In a world of repressive governments and a growing reliance on insecure networks, there’s no way anyone can be sure their most sensitive messages aren’t intercepted by the forces of darkness. But you can make it mathematically improbable that all but the most well-funded snoops could ever make heads or tails of your communications.” Use Dan Goodin’s step-by-step guide to email encryption and keep your communications private.
www.theregister.com

Public/private key authentication with SSH

Updated 09/10/2016

SSH is a protocol that enables secure logins over a network. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

On the local machine

Use one of the following commands to generate a new key pair for the local user schmidt (Ed25519 is the preferred choice; the RSA variant is for servers that do not yet support it):

schmidt@exhaustpiano:~$ ssh-keygen -t ed25519 -o -a 100
schmidt@exhaustpiano:~$ ssh-keygen -t rsa -b 8192 -o -a 100

Use an appropriate passphrase to secure the private key (don’t be tempted to use an empty passphrase).
Deploy the public key with the following command:

schmidt@exhaustpiano:~$ ssh-copy-id schmidt@pizzaposition

On the remote machine

Delete any unused host keys with the following command:

root@pizzaposition:~$ rm /etc/ssh/ssh_host_dsa_key* /etc/ssh/ssh_host_ecdsa_key* /etc/ssh/ssh_host_rsa_key*

Create the group ssh-users with the following command:

root@pizzaposition:~$ addgroup --system ssh-users

Add the local user schmidt to the group ssh-users:

root@pizzaposition:~$ adduser schmidt ssh-users


Make the following changes in sshd_config to improve on the default configuration:

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Specify allowed key exchange algorithms
KexAlgorithms curve25519-sha256@libssh.org

# Specify the ciphers allowed for protocol version 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Specify the available MAC (message authentication code) algorithms
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

# Logging
LogLevel VERBOSE

RSAAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

ClientAliveInterval 15

MaxStartups 3:60:20

UsePAM no
UseDNS no

Restart the SSH server on the remote machine with the following command:

root@pizzaposition:~$ systemctl restart ssh.service

Setting these options will make root logins impossible. Only users belonging to the group ssh-users may establish a connection. Access is strictly tied to the private key and the passphrase used to encrypt it. Using the private key stored on exhaustpiano, local user schmidt should now be able to remotely log into pizzaposition:

schmidt@exhaustpiano:~$ ssh pizzaposition
Enter passphrase for key '/home/schmidt/.ssh/id_ed25519':
Last login: Sun Oct 9 15:51:15 2016 from 12.34.56.78
schmidt@pizzaposition:~$
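A way to verify that the file on disk actually says what the paragraph above claims, as an added example that is not code from the original page: a small Python checker that reads sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, HostKey is additive, lines below a Match header are conditional) and reports every deviation from the settings listed above. The text relies on root logins being refused and on access being limited to the group ssh-users; in OpenSSH those are the PermitRootLogin and AllowGroups directives, which the excerpt above does not show, so the constructed hardened sample below includes them. The two sample files, the policy values and the list of legacy algorithms are assumptions made for this illustration.

```python
"""Offline check of an sshd_config against the hardening described above.

Added example, not code from the original page. It mirrors the parsing rules
that matter here: keywords are case-insensitive, the FIRST occurrence of a
keyword wins (sshd ignores later repeats), HostKey is additive, and lines
below a Match header are conditional. On a live host `sshd -T` prints the
effective configuration; this script reviews a file offline.
"""
import re
import sys

# Expected explicit values. PermitRootLogin and AllowGroups are not in the
# excerpt above, but they are what makes "no root, only ssh-users" true.
POLICY = {"permitrootlogin": "no", "passwordauthentication": "no",
          "usepam": "no", "usedns": "no", "loglevel": "verbose"}
# Legacy algorithms that must not appear in the corresponding list (assumed policy).
WEAK = {
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
    "ciphers": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "aes128-cbc",
                "aes192-cbc", "aes256-cbc", "blowfish-cbc", "cast128-cbc"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
}

def parse_sshd_config(text):
    """Return the effective global settings as {lowercase keyword: value}."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value" (sshd allows one optional '=').
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional blocks apply per connection; out of scope here
        if key == "hostkey":
            effective.setdefault(key, []).append(value)  # additive keyword
        else:
            effective.setdefault(key, value)  # first occurrence wins
    return effective

def check_sshd_config(text):
    """Return a list of findings; an empty list means the file passes."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, expected in POLICY.items():
        actual = cfg.get(key, "(not set)").lower()
        if actual != expected:
            findings.append(f"{key} is {actual}, expected {expected}")
    for key, bad in WEAK.items():
        listed = {a.strip().lower() for a in cfg.get(key, "").split(",")}
        for algo in sorted(listed & bad):
            findings.append(f"{key} allows legacy algorithm {algo}")
    if "ssh-users" not in cfg.get("allowgroups", "").split():
        findings.append("allowgroups does not restrict logins to ssh-users")
    for path in cfg.get("hostkey", []):
        if "_dsa_" in path or "_ecdsa_" in path:
            findings.append(f"hostkey {path} uses a key type the section removes")
    return findings

# Constructed sample: the section's settings plus the two directives above.
HARDENED = """\
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication no
AllowGroups ssh-users
UsePAM no
UseDNS no
"""

# Constructed sample of a stock-looking file; the Match block must not
# hide the global "PasswordAuthentication yes" from the check.
LAX = """\
HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin yes
PasswordAuthentication yes
MACs hmac-sha2-256,hmac-sha1
UsePAM yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # review a real file, e.g. /etc/ssh/sshd_config
        with open(sys.argv[1]) as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("hardened sample", HARDENED), ("lax sample", LAX)]
    for name, text in samples:
        findings = check_sshd_config(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it without arguments to see both constructed samples scored, or pass a path to review a real file. One caveat when applying the MACs line above to a current server: the hmac-ripemd160 MACs were removed in OpenSSH 7.6, and a MACs line naming an algorithm the daemon does not know prevents sshd from starting, so validate the file with sshd -t before restarting the service.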

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.
stribika.github.io

The book SSH, The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.