Shake anyone tailing you with Tails 5.0

After using this for a couple of years, i noticed Tails 5.0 was out so gave it a try. The result is this praise post for Tails and it’s people developing it.

What’s so great about Tails 5.0?

  • installation is a breeze. Previously 2 USB sticks were needed and now just one and download an image and burn this onto the USB
  • installation manual is fool proof and super easy and user friendly with even a QR code to continue reading the installation manual on your phone
  • website is so concise, to the point and in multiple languages, even in Portuguese and Russian
  • and you can donate in multiple ways
  • the people developing Tails and everyone around it are pro’s which can be seen by the Kanban board, the auto-reply-bot in development, transparent list of issues
  • the best thing of it all: it just works!

Any comments? @peterbaurichter on Twitter

AltaVista anyone? - by Peter Morville

Those were the days when AltaVista was one of the first search engines (together with Archie, Gopher, Excite) where you would turn to and wonder: why does anyone makes that for free? Then its bigger brothers came along like Google, Bing, yahoo, Baidu, DuckDuckGo. After Google i thought that everyone sort of gave up: too hard to beat. Until i discovered once more that I don’t know everything and that there are other search engines out there who don’t do evil and sometimes even privacy friendly like the first 5 listed down here. So they don’t do evil and don’t steal all your data. Then how do they make money?

and there are even more as you can see here and here.

Trojan Source: out in the open but invisible

In a previous century (1993), bugtraq was sprung to live to publish vulnerabilities, regardless of vendor response, as part of the full disclosure movement of vulnerability disclosure. Now it’s a given that vulnerabilities are published and it’s not a matter IF vendors are going to issue fixes but more like WHEN this is going to happen.

If we would still be stuck in a reaility where the debate is about wether vulnerabilities allowed to be published and when up to a point that vendors will ripp out pages from textbooks, we would not be able to discuss the vulnerability itself, its potential exploit nor its potential impact. This is a benefit we have achieved in the world. Something to remember in these times when we realize that the internet has not fullfilled the dream of making the world a better place. The free open internet is now a place of firewalled countries, censored websites, tracking websites, spying applications and pushing encryption to the masses wherever possible to avoid mass surveillance. At least there is Full Disclosure now.

Without that kind of transparancy we would no tbe able to discuss the subtleties of the Trojan Source vulnerability/exploit, that it looks fine to the human eye (out in the open) but nasty to the computer that we are actually dealing with an invisible vulnerability. (Invisible to the human eye as pointed out by Ross Anderson in an interview with KrebsOnSecurity.

Standards versus culture

In my corporate technology risk working history, i have come across various situations where the emphasis is on the policies & standards and less on the implementation. There is a big disconnect. Various discussions can go on for weeks about what kind of data classification (rating high, medium or low for confidentiality, integrity and availability) is most appropriate for a certain asset (application) yet no discussions take place about what kind of security measures or attached to the classification or who is going to implement and maintain it. Or lengthy discussions about the interpretation of some kind of government security standard, regardless of what it does in terms of risk management.

However, I have always been surprised about the ethical standards in photojournalism. There seems to be some kind of standard but much more a widely accepted agreement of ‘thou shall not photo-shop images’. Whenever in a newsbulletin some kind of altered image is detected, the condemnation is always unanimous. The culture exceeds the standards

Same as here, where FoxNews posted a real badly sloppy edited image. See the sharp line on the right of the picture.

No idea who owns the standards (Associated Press?) and it doesn’t matter since everyone agrees with the same held belief that one should not alter images used in news reporting.

Examples of digital altered images are here and here.

Another twist in standards:

Source: XKCD


National Geographic: The best photos of 2019

Pedestrians, shoppers, and people-watchers stroll on Chuo-dori in Ginza, one of Tokyo’s busiest destinations. Cars travel on the street during weekdays, but on weekend afternoons a one-mile stripis closed to traffic and becomes a promenade. Cafés, high-end boutiques, and street performers attract local residents and visitors. Photograph by David Guttenfelder

The best photos of 2019
National Geographic’s 100 best images of the year–curated from 106 photographers, 121 stories, and more than two million photographs.
See them all here

The one displayed above is my favorite. It’s a bit of an artistic one by the way, as opposed to the other 99.

The missing Crowdstrike server story.

I just changed the picture as displayed on the Wired article from Brian Barret called “Trump’s Ukraine Server Delusion Is Spreading”. The beautiful picture just reminds me of a movie poster. The picture, made by Andrew Harrer, is super telling and would fit in a Magnum collection.

This conspiracy theory about a missing Crowdstrike server is not being fabricated by Trump. No, he truly believes in the story of Crowdstrikee hiding a server that contains evidence that Ukraine hacked the DNC and not Russia. The people around him know that all parts of the story are false but learned not to speak up against him.

Jan Steen (1626 – 1679)

The Feast of Saint Nicholas catholic version)
The Feast of Sant-Nicolas (protestant version)

The Feast of Saint Nicholas (Dutch: Het Sint-Nicolaasfeest c. 16651668 now also known as Sinterklaas), is a painting by Dutch master Jan Steen, which can now be found in the Rijksmuseum in Amsterdam. It measures 82 x 70.5 cm. The picture, painted in the chaotic Jan Steen “style,” depicts a family at home on December 5, the night celebrated in the Netherlands as the Feast of Saint Nicholas, or Sinterklaas.

You can read about the painting in detail here. The painting is like a story. To give you some examples about the catholic version:

  • The sobbing boy has been naughty so no gifts for him in his shoe
  • Grandma might have something for him maybe?
  • The girl’s doll represents John the Baptist and he is the Saint Patron of epilepsy and therefore it suggests the girl suffers from it as well (Wikipedia says so, i could not verify this and doubt it since he was the patron of many: builders, tailors, printers, baptism, conversion to faith, people dealing with storms and their effects (like hail), and people who need healing from spasms or seizures.)
  • They are pointing up the chimney, where the holy man must have entered and left the house.
  • The Child near the chimney is holding a symbol of the struggle between Catholics and Protestants, a gingerbread man in the shape of St. Nicholas. The delicacy, still enjoyed around the fifth of December, was seen as an example of Catholic worship of saints and was not approved of by Protestant authorities. In the seventeenth century, the baking of such figures of saints (especially St. Nicholas) was banned. In 1655 in the city of Ultrecht an ordinance was passed which forbade “the baking of likenesses in bread or cake”.[1]


Bellingcat: increased need & importance

Bellingcat logo.png

Just posting something about Bellingcat since I highly respect this organisation for its transparency and objectivity. Even though they cover the most political sensitive topics, they stick to their objectivity and use open source intelligence to fact-check stories, allegations and events.

The above picture is from their document that links to all open source investigation sources.

I also believe that the need for an organisation like Bellingcat is getting bigger because of the following trends:
– fake news
– deep fakes
– government lead operations/info wars to confuse people
– distrust in MSM (Main Stream Media)
– Threat intel companies not providing intel on their own country (basically they choose sides)
– Propaganda from news organisation (Fox News and Russia Today)

They are even training (free of charge and paid) other people in the art of open-source investigations

Notable cases/stories: MH 17, war in eastern Ukraine, civil war in Syria, El Junquito raid, Yemeni civil war, Skrippal poisoning, Christchurch mosque shootings.

This European press wining story from Christiaan Tiebert is very interesting The Turkish Coup through the Eyes of its Plotters, as you can follow the whatsapp messages chronologically.

OT and IT: love & marriage

One of my favourite topics that i had the pleasure to discuss various times and encounter in different organisation over the years: the differences between these 2 organizational entities, and almost species, well eh let’s call it cultures, within the same organization. Mostly the responsibilities are separated by a firewall separating the Enterprise network from the industrial network with. The DMZ is mostly the creation of a one-time set-up by the IT team and then assumed to be supported by the OT team.

Kris Krewson and Lesley Carhart describe it very clearly and vividly in this article called 5 Tips for a Happy Marriage Between IT Cybersecurity and Operational Technology Teams.
The article itself is a product of an OT and IT fling:
OT (Lesley Carhart from Dragos – OT Security)
IT (Kris Krewson from Crowdstrike – IT Security)

Dragos is from Bobby M. Lee and Crowdstrike is known for their DNC forensics and from Trumps free publicity.

Some quotes from the article that I recognize:

We’ve delivered tabletop incident response exercises at manufacturing plants where the OT personnel did not know they had a corporate IT cybersecurity team, much less that they could or should call them for support during an incident.

If process owners’ primary concerns are bodily harm, environmental contamination or loss of production, they may determine that a compromised computer or controller could not realistically lead to these outcomes. 

Build individual relationships across both teams. At many sites, we find operators and engineers who have worked at the facility for decades and know the process and people inside and out. These are people to seek out, respect and learn from. “

The picture is from Cisco’s blog entry called A Bromance for the Ages: When IT met OT


A new cybersecurity alliance focused on the security of operational technology: Operational Technology Cyber Security Alliance (OTCSA) Designed to mitigate risk and assess business impact from cyberattacks on utilities, manufacturing and oil and gas industries and physical control devices.

The group is launching as operational technology operators are increasingly targeted by nation-state actors as well as cybercriminals.

Initial members of the Operational Technology Cyber Security Alliance include ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAFence, Splunk and Wärtsilä.

My 2 cents: these are not the typical OT security vendors. Is it then a new initiative to shine some OT security light on the traditional IT security players?