Newsletter 2: January 15th 2024

Thank you for reading this newsletter. If someone forwarded this newsletter to you, that is very kind of them and don't forget to thank them for it. You can subscribe here to receive future newsletters directly into your inbox.

Martijn
(martijn@lapsedordinary.net)

Don't know much about history

Last week, I spoke to Tom Uren and The Grugq from Risky Business’s Between Two Nerds podcast – for the occasion rebranded to Between Three Nerds – about the history of IT security in general and malware and viruses in particular.

It was a great honor to be a guest on the podcast and I really enjoyed talking about security history. It stung a little being called an “anti-virus veteran” (I mean, I’m old, but surely not that old), but I do go back many years and have seen security and our attitudes towards it change quite a bit.

The world is constantly changing and so is digital security. Understanding these changes and knowing a bit of the history is really helpful when you work in this space. It helps you understand commonly held opinions and the security advice that is often given, and helps you assess these critically.

For example, the leaks by NSA contractor Edward Snowden in 2013 led to many being reluctant to use services by US companies, as it seemed that all data these companies had access to would end up in the hands of the NSA. The reality is a lot more complicated (in part because many other countries' intelligence agencies are worse) and on top of that, it's fair to say the NSA isn't in every organization's threat model.

Another example is the warning against using public WiFi networks without a VPN, which continues to be repeated in security advice. The advice was once valid, as HTTPS was deployed sparingly and your browsing sessions were accessible by other people on the same network.

These days, however, HTTPS is used by pretty much all websites (and browsers let you block those that don’t) so that for most people, it shouldn’t be an issue checking their email, or even logging in to online banking, from a local coffee shop or airport lounge. I certainly do that without hesitation. I understand why high-risk individuals still want to use a VPN, as their threat models can be pretty complex, but even for them, it wouldn’t be my top security advice.

If you’re relatively new to digital security, the space can be pretty overwhelming, and that’s not even taking the history into account. You don’t need to know all the history. But it won’t hurt every now and again to ask yourself (or ask others) why we are doing things the way we do them. Not everything we do is for a reason that is still valid.

What else?

Bellingcat created a tool that uses the Wayback Machine to track historic Google Analytics tokens and explains how it uses it to link disinformation sites to each other. It’s a neat tool that I confirmed works as simply as advertised. It may work for other web investigations too, though I suspect very few malware and phishing sites will be using Google Analytics.

Security company Sucuri regularly publishes clear, simple guides for those securing websites that I recommend you read if you are tasked with protecting websites. In a recent blog post, they look at the ‘principle of least privilege’ (giving user accounts no more access than they need, as opposed to everyone having administrative privileges), which is relevant not just for websites but for any system or network where there are multiple users.

At the recent 37th Chaos Communication Congress, The Tor Project’s Roger Dingledine gave a presentation on attempts to censor Tor in Russia, Iran, and Turkmenistan, as well as the changes the Project made to allow people in these countries to continue using Tor to access banned services. The presentation starts with a long introduction to Tor, which can be helpful if you’re not too familiar with how it works, or if you just want a refresher. Oh, and if you don’t want to watch a one-hour video, Roger’s slides are pretty detailed and should be good enough to get the gist of his talk.

India’s Software Freedom Law Center (SFLC.IN), in partnership with Unesco, published a helpful guide in four languages (English, Hindi, Marathi, and Malayalam) with advice on defending online spaces against online gender-based violence. And while this is a global problem, the various references to the Indian legal code make this mostly useful for those in the country, but therefore also likely more helpful than a generic guide.

Filterwatch, a project of the Miaan Group, got its hands on an app used by police in Iran for hijab enforcement. Analyzing the app, they discovered hidden features that suggest the app could in the future be used to report on other types of violations, such as drinking alcohol or participating in a protest.

The Markup is running a series of blog posts they call ‘Gentle January’, in which they share a simple and practical privacy tip each day. Many of the tips will sound familiar to those working in digital security and I don’t agree with all of their advice (I would rarely recommend someone getting a new router), but I really like their ‘gentle’ approach and think it is the right attitude to security and privacy.

Non-security things

A book I enjoyed: Paul Lynch’s Prophet Song (it won last year’s Booker Prize) tells the story of a mother of four in an Ireland where a totalitarian regime has taken power, and in particular the choices she and her family members have to make. I was a bit skeptical about the novel at first (I mean, there are plenty of real world examples one can use to tell the same story) but maybe because Ireland seems one of the least likely countries for this to happen in, it makes for a powerful story. On top of that, Lynch (whose work I wasn’t familiar with) writes in dense, poetic prose, which makes it a slow but very rewarding read.

A song I like: I think I only knew of Germany’s Lassie Singers by name when Spotify suggested I listen to the three-decade-old Hamburg (YouTube, Spotify) some time last year. It ended up being one of my most played tracks of 2023. I do have a weak spot for simple pop songs with female vocals, but aside from that, it captures the feeling of traveling through Western Germany so well in its lyrics and music. I last visited Hamburg in 2004 and should really go back to the city where in the harbor, the fish and the ships sleep.