Upload files to 'content/posts/infosec'

content/posts/infosec/7-in-10-smartphone-apps-share-your-data.md

@@ -0,0 +1,24 @@
+---
+title: "7 in 10 smartphone apps share your data with third-party services"
+date: 2017-05-31T12:05:00+06:00
+draft: false
+tags: ["tech","data privacy","surveillance","infosec"]
+author: "9x0rg"
+hidemeta: false
+ShowReadingTime: true
+ShowPostNavLinks: true
+showtoc: false
+cover:
+  image: "<image path/url>"
+  alt: "<alt text>"
+  caption: "<text>"
+  relative: false # To use relative path for cover image, used in hugo Page-bundles
+
+---
+> Our mobile phones can [reveal a lot about ourselves](http://www.pewinternet.org/2015/04/01/chapter-two-usage-and-attitudes-toward-smartphones/): where we live and work; who our family, friends and acquaintances are; how (and even what) we communicate with them; and our personal habits.
+> 
+> The research that we and our colleagues are doing identifies and explores a significant threat that most people miss: [More than 70 percent](https://haystack.mobi/) of smartphone apps are reporting personal data to [third-party tracking companies](https://arxiv.org/pdf/1609.07190.pdf) like Google Analytics, the Facebook Graph API or Crashlytics.
+> 
+> We found that more than [70 percent of the apps we studied](https://www.haystack.mobi/panopticon) connected to at least one tracker, and 15 percent of them connected to five or more trackers. One in every four trackers harvested at least one unique device identifier, such as the phone number or its device-specific unique [15-digit IMEI number](http://www.gsma.com/managedservices/mobile-equipment-identity/about-imei/).
+> 
+>-- Narseo Vallina-Rodriguez & Srikanth Sundaresan in [The Conversation](https://theconversation.com/7-in-10-smartphone-apps-share-your-data-with-third-party-services-72404) May 30, 2017

content/posts/infosec/_index.md

@@ -0,0 +1,7 @@
+---
+title: Infosec & Privacy
+ShowReadingTime: false
+ShowWordCount: false
+---
+
+Stay secure out there folks

content/posts/infosec/a-brief-history-of-gnupg.md

@@ -0,0 +1,57 @@
+---
+title: "A brief history of GnuPG"
+date: 2017-10-13T13:33:00+06:00
+draft: false
+tags: ["infosec","gnupg","encryption","data privacy","floss"]
+author: "9x0rg"
+hidemeta: false
+ShowReadingTime: true
+ShowPostNavLinks: true
+showtoc: false
+---
+![A brief history of GnuPG](/images/gnupg.png)
+*A brief history of GnuPG: vital to online security but free and underfunded*
+
+[Donate](https://gnupg.org/donate/) to GnuPG.
+
+> Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.
+> 
+> One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced [to fundraise](https://gnupg.org/donate/) to continue the project.
+> 
+> GnuPG is part of the GNU collection of [free and open source software](https://www.gnu.org/philosophy/free-sw.html), but its story is an interesting one, and it begins with software engineer Phil Zimmermann.
+> 
+> ## What is PGP?
+> PGP implements a form of cryptography that is known as “asymmetric cryptography” or public-key cryptography.
+> 
+> The story of its discovery is itself worth telling. It was invented in the 1970s by [researchers](http://www.zdnet.com/article/gchq-pioneers-on-birth-of-public-key-crypto/) at the British intelligence service GCHQ and then again by [Stanford University academics](https://cs.stanford.edu/people/eroberts/courses/soco/projects/public-key-cryptography/history.html) in the US, although GCHQ’s results were only declassified in 1997.
+> 
+> Asymmetric cryptography gives users two keys. The so-called “public” key is meant to be distributed to everyone and is used to encrypt messages or verify a “signature”. The “private” or “secret” key must be known only to the user. It helps decrypt messages or “sign” them - the digital equivalent of a seal to prove origin and authenticity.
+> 
+> Zimmermann published PGP because [he believed](http://philzimmermann.com/EN/faq/index.html) that everybody has a right to private communication. PGP was meant to be used for email, but could be used for any kind of electronic communication.
+> 
+> ## The challenge facing security software
+> Despite Zimmermann’s work, the dream of free encryption for everyone never quite came to full bloom.
+>
+> Neither Zimmermann’s original PGP nor the later GnuPG managed to become entirely user-friendly. Both use highly technical language, and the latter is still known for being accessible only by typing out commands - an anachronism even in the late 1990s, when most operating systems already used the mouse.
+>
+> Many users did not understand why they should encrypt their email at all, and attempts to integrate the tools with email clients were not particularly intuitive.
+>
+> [The release](https://www.theguardian.com/us-news/the-nsa-files) of the Edward Snowden documents in 2013 spurred renewed interest in PGP.
+>
+> ## PGP today
+> By today’s standards, GnuPG – like all implementations of OpenPGP – lacks additional security features that are provided by chat apps such as WhatsApp or Signal. Both are spiritual descendants of PGP and unthinkable without Zimmermann’s invention, but they go beyond what OpenPGP can do by protecting messages even in the case of a private key being lost.
+>
+> What’s more, email reveals the sender and receiver names anyway. In the age of data mining, this is often enough to infer the contents of encrypted communication.
+>
+> Nevertheless, GnuPG (and hence OpenPGP) are alive and well. Relative to the increased computational power available today, their cryptography is as strong today as it was in 1991. GnuPG just found new use cases - very important ones.
+> 
+> Journalists use it to allow their sources to deposit confidential data and leaks. This is a vital and indispensable method of self-protection for the leaker and the journalist.
+> 
+> But even more importantly, digital signatures are where GnuPG excels today.
+>
+> Linux is one of the world’s most common operating system (it even forms the basis of Android). On internet servers that run Linux, software is downloaded and updated from software repositories - and most of them sign their software [with GnuPG](https://wiki.archlinux.org/index.php/GnuPG) to confirm its authenticity and origin.
+>
+> GnuPG works its magic behind closed curtains, once again.
+> 
+> -- [Ralph Holz](https://theconversation.com/profiles/ralph-holz-389424) in [The Conversation](https://theconversation.com/a-brief-history-of-gnupg-vital-to-online-security-but-free-and-underfunded-80800), July 17, 2017
+

content/posts/infosec/chiffrement-de-messagerie-a-quel-protocole-se-fier.md

@@ -0,0 +1,29 @@
+---
+title: "Chiffrement de messagerie instantanée: à quel protocole se vouer?"
+date: 2017-11-15T12:54:49+01:00
+draft: false
+tags: ["infosec","encryption","omemo","signal app","tech","xmpp"]
+author: "9x0rg"
+hidemeta: false
+ShowReadingTime: true
+ShowPostNavLinks: true
+showtoc: false
+---
+
+![Comparaison des protocoles de chiffrement](/images/telegram-otr-openpgp-signal-omemo.png)
+
+Vu sur le site de l'[ANSSI](https://www.ssi.gouv.fr/publication/chiffrement-de-messagerie-quasi-instantanee-a-quel-protocole-se-vouer/): 
+> Accompagnant la prise de conscience généralisée du besoin de sécuriser ses communications électroniques, de nombreuses applications de messagerie (quasi) instantanée ont fait leur apparition sur les ordiphones. Toutes annoncent un haut niveau de sécurité, laissant ainsi l’utilisateur dans le doute, vis-à-vis du niveau réel de sécurité à escompter.
+>
+
+## Donc, que privilégier entre Signal, Telegram ou XMPP?
+
+Je ne cite pas WhatsApp/Facecrook à dessein, hein. 
+
+Extrait de la conclusion de l'étude comparative [.pdf [disponible ici](https://www.ssi.gouv.fr/uploads/2017/10/chiffrement_messagerie_instantanee_fmaury_anssi.pdf "Chiffrement de messagerie quasi instantanée: à quel protocole se vouer?") - 303Ko] par Florian Maury *Chiffrement de messagerie quasi instantanée: à quel protocole se vouer?* : 
+
+> OMEMO, avec la stabilité de sa spécification, sa licence ouverte, ses primitives cryptographiques à l’état de l’art et son architecture répartie, offre aux utilisateurs de XMPP une méthode de communication sécurisée satisfaisante, et potentiellement durable. -- Florian Maury
+
+
+
+TL;DR: utilisez XMPP avec [conversations.im](https://conversations.im/) + OMEMO pour le chiffrement, c'est  bien.

content/posts/infosec/china-blocks-whatsapp.md

@@ -0,0 +1,20 @@
+---
+title: "China blocks WhatsApp"
+date: 2017-09-26T02:16:00+06:00
+draft: false
+tags: ["whatsapp","asia","china","data privacy","infosec"]
+author: "9x0rg"
+hidemeta: false
+ShowReadingTime: true
+ShowPostNavLinks: true
+showtoc: false
+---
+*China has largely blocked the WhatsApp messaging app, the latest move by Beijing to step up surveillance ahead of a big Communist Party gathering next month.*
+
+> The disabling in mainland China of the Facebook-owned app is a setback for the social media giant, whose chief executive, Mark Zuckerberg, has been pushing to re-enter the Chinese market, and has been studying the Chinese language intensively. WhatsApp was the last of Facebook products to still be available in mainland China; the company’s main social media service has been blocked in China since 2009, and its Instagram image-sharing app is also unavailable.
+>
+> The disruption of WhatsApp comes as Beijing prepares for the Communist Party’s congress, which starts Oct. 18. 
+> 
+> By blocking the heavily encrypted WhatsApp service while making less secure applications like WeChat available to the public, the Chinese government has herded its internet users toward methods of communication that it can reliably monitor.
+>
+> Full story: [Keith Bradsher](http://www.nytimes.com/by/keith-bradsher) in [The New York Times](https://www.nytimes.com/2017/09/25/business/china-whatsapp-blocked.html)