Security through obscurity1 is not working. This is not an allegation, it is a proven fact. Today’s proof has a particularly large impact on worldwide Microsoft Windows installations. The Windows Security Centre (WSC) API2 has been made to accept any program as an anti-virus solution. The WSC works as follows: If a manufacturer of an AV security solution wants to install his snakeoil, he/she first has to be able to switch off the anti-tempering mechanisms so that it is not identified as malware. Hence the extremely strict non-disclosure of this API until now. Read more

Why is the ransomware business model so successful? How do criminals manage to steal data, encrypt it and often also destroy data backups? According to a representative survey conducted by BITKOM over the past 12 months, 60% of companies in Germany have been affected1. A brief excursion into this topic, my work and how I was able to help a company save EUR 17,000. As always, no claim to universality and completeness. Your mileage may vary. Read more

10 years ago, the buzzword and digitalisation project “Industry 4.0” first emerged with nothing less in mind than the intention of unleashing a fourth industrial revolution.1 Revolution as a term and metaphor is, of course, nonsense. Anyone with the slightest sense in the matter knows that digitalisation is rather like a marathon with many intermediate stages and does not come overnight to a company as a result of a management decree. Read more

Hard-wired networks are usually provided with numerous security features. With wireless networks, however, admins often remain blind to intrusion attempts, which can be carried out by inexperienced users thanks to affordable gadgets. The remedy is a Wireless Intrusion Detection System (WIDS). Sounds expensive, but it isn’t. A Raspi, a Wi-Fi stick and free open-source software are all you need. In the upcoming c’t edition 19/2021, starting on 28 August, I will show in a “hardcore” article of several pages how to better protect your own wireless network1. Read more

Recently I was looking for a very particular music track. It is a song from the 2017 anime adaptation of “Ghost in the Shell” with Scarlett Johansson. More precisely: the official trailer music1, which was not included in the sound score and therefore cannot be found in any of the mainstream music stores. That’s the downside of a few keeping an entire industry under technological and legal control. The coveted piece of music is the cyberpunk cover version of the 80s song “Enjoy the Silence” by Depeche Mode, reinterpreted by Joel Burleson2 aka Ki:Theory3. Read more

There is an unwritten law in software development and IT operations. An anti-pattern1 for effective problem solving and complexity reduction. No one is crazy enough to adopt it. No customer on earth willing to pay for it. But they exist, the bright moments in the life cycle of a company, where this law can be applied. Here’s how it can be defined: If you have a task or problem and you know how to solve it, then throw away your code after completion and tear apart an installation again. Read more

This picture is for all the people I have had discussions with in recent years about Digitisation in general or, more specifically, about the integration of tablets or notebooks within a corporate network. My recommendation then and now: Zero Trust! Isolate and segment potentially insecure, closed-source AD infrastructures! Keep smartphones, tablets or laptops out! This also applies to unknown, untrusted applications. " jumper laptops" are the better places for them. Put business applications on RDP/RDS terminal servers1 and create uniform, web-based, open interfaces that can be monitored and controlled. Nextcloud2 is suitable for accessing SMB files, Apache Guacamole3 for RDP access via HTTPS. Use RFC-standardised4 multi-factor authentications! Technologies like Keycloak5 or PrivacyIDEA6 make this possible throughout the enterprise. Read more

Everyone knows the alert when visiting a website with expired certificates. At least once a month I stumble into one or I receive tickets with questions asking what to do. “Nothing” is my reply in most cases. “The mistake is on the other side”. On this occasion, my very special appreciation to the owners and/or administrators of such sites for the extra work required. The obvious solution to avoid such embarrassments: A software or service with periodic checking and notifications. Sounds obvious, but unfortunately doesn’t always work. Read more

Within just a few days, the German EU Representation warns people about phishing emails.1 This is the 4th warning regarding data theft since July 20202 by Reinhard Hönighaus, press spokesman and head of the press and media office. Obviously there is an urgent need for action. In his current warning dated 26.11.2020, only two days after the previous one, he identifies T-Online users as targeted by phishing mails and also provides the explanation: Read more

Black Friday is here. And with Christmas ante portas the final countdown with the toughest end-bosses in IT support begins: The own parents, partners or children with their new or old digital devices. The fundaments are laid in the upcoming days and weeks when stuff with more or less technical debts1 is bought. Basically at the moment of your purchase it’s already junk and an environmental mess. One example, representative for many others: Read more