Upload files to 'content/posts/infosec'

This commit is contained in:
Olivier 2023-01-01 21:30:44 +01:00
parent 19f43fabdb
commit 44d599f5a2
5 changed files with 137 additions and 0 deletions


@ -0,0 +1,24 @@
---
title: "7 in 10 smartphone apps share your data with third-party services"
date: 2017-05-31T12:05:00+06:00
draft: false
tags: ["tech","data privacy","surveillance","infosec"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
cover:
image: "<image path/url>"
alt: "<alt text>"
caption: "<text>"
relative: false # To use relative path for cover image, used in hugo Page-bundles
---
> Our mobile phones can [reveal a lot about ourselves](http://www.pewinternet.org/2015/04/01/chapter-two-usage-and-attitudes-toward-smartphones/): where we live and work; who our family, friends and acquaintances are; how (and even what) we communicate with them; and our personal habits.
>
> The research that we and our colleagues are doing identifies and explores a significant threat that most people miss: [More than 70 percent](https://haystack.mobi/) of smartphone apps are reporting personal data to [third-party tracking companies](https://arxiv.org/pdf/1609.07190.pdf) like Google Analytics, the Facebook Graph API or Crashlytics.
>
> We found that more than [70 percent of the apps we studied](https://www.haystack.mobi/panopticon) connected to at least one tracker, and 15 percent of them connected to five or more trackers. One in every four trackers harvested at least one unique device identifier, such as the phone number or its device-specific unique [15-digit IMEI number](http://www.gsma.com/managedservices/mobile-equipment-identity/about-imei/).
>
>-- Narseo Vallina-Rodriguez & Srikanth Sundaresan in [The Conversation](https://theconversation.com/7-in-10-smartphone-apps-share-your-data-with-third-party-services-72404) May 30, 2017
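Review bot: The `cover:` block in the front matter still carries the template placeholders (`image: "<image path/url>"`, `alt: "<alt text>"`, `caption: "<text>"`); fill them in or drop the block so the theme is not handed a literal placeholder as a cover image. The attribution line starts with `>--` with no space after `>`, unlike the attribution in the GnuPG post in this same commit. Two of the quoted links (pewinternet.org and gsma.com) are plain `http://`; switch them to `https://` where the sites support it.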


@ -0,0 +1,7 @@
---
title: Infosec & Privacy
ShowReadingTime: false
ShowWordCount: false
---
Stay secure out there folks


@ -0,0 +1,57 @@
---
title: "A brief history of GnuPG"
date: 2017-10-13T13:33:00+06:00
draft: false
tags: ["infosec","gnupg","encryption","data privacy","floss"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
---
![A brief history of GnuPG](/images/gnupg.png)
*A brief history of GnuPG: vital to online security but free and underfunded*
[Donate](https://gnupg.org/donate/) to GnuPG.
> Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.
>
> One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced [to fundraise](https://gnupg.org/donate/) to continue the project.
>
> GnuPG is part of the GNU collection of [free and open source software](https://www.gnu.org/philosophy/free-sw.html), but its story is an interesting one, and it begins with software engineer Phil Zimmermann.
>
> ## What is PGP?
> PGP implements a form of cryptography that is known as “asymmetric cryptography” or public-key cryptography.
>
> The story of its discovery is itself worth telling. It was invented in the 1970s by [researchers](http://www.zdnet.com/article/gchq-pioneers-on-birth-of-public-key-crypto/) at the British intelligence service GCHQ and then again by [Stanford University academics](https://cs.stanford.edu/people/eroberts/courses/soco/projects/public-key-cryptography/history.html) in the US, although GCHQs results were only declassified in 1997.
>
> Asymmetric cryptography gives users two keys. The so-called “public” key is meant to be distributed to everyone and is used to encrypt messages or verify a “signature”. The “private” or “secret” key must be known only to the user. It helps decrypt messages or “sign” them - the digital equivalent of a seal to prove origin and authenticity.
>
> Zimmermann published PGP because [he believed](http://philzimmermann.com/EN/faq/index.html) that everybody has a right to private communication. PGP was meant to be used for email, but could be used for any kind of electronic communication.
>
> ## The challenge facing security software
> Despite Zimmermanns work, the dream of free encryption for everyone never quite came to full bloom.
>
> Neither Zimmermanns original PGP nor the later GnuPG managed to become entirely user-friendly. Both use highly technical language, and the latter is still known for being accessible only by typing out commands - an anachronism even in the late 1990s, when most operating systems already used the mouse.
>
> Many users did not understand why they should encrypt their email at all, and attempts to integrate the tools with email clients were not particularly intuitive.
>
> [The release](https://www.theguardian.com/us-news/the-nsa-files) of the Edward Snowden documents in 2013 spurred renewed interest in PGP.
>
> ## PGP today
> By todays standards, GnuPG like all implementations of OpenPGP lacks additional security features that are provided by chat apps such as WhatsApp or Signal. Both are spiritual descendants of PGP and unthinkable without Zimmermanns invention, but they go beyond what OpenPGP can do by protecting messages even in the case of a private key being lost.
>
> Whats more, email reveals the sender and receiver names anyway. In the age of data mining, this is often enough to infer the contents of encrypted communication.
>
> Nevertheless, GnuPG (and hence OpenPGP) are alive and well. Relative to the increased computational power available today, their cryptography is as strong today as it was in 1991. GnuPG just found new use cases - very important ones.
>
> Journalists use it to allow their sources to deposit confidential data and leaks. This is a vital and indispensable method of self-protection for the leaker and the journalist.
>
> But even more importantly, digital signatures are where GnuPG excels today.
>
> Linux is one of the worlds most common operating system (it even forms the basis of Android). On internet servers that run Linux, software is downloaded and updated from software repositories - and most of them sign their software [with GnuPG](https://wiki.archlinux.org/index.php/GnuPG) to confirm its authenticity and origin.
>
> GnuPG works its magic behind closed curtains, once again.
>
> -- [Ralph Holz](https://theconversation.com/profiles/ralph-holz-389424) in [The Conversation](https://theconversation.com/a-brief-history-of-gnupg-vital-to-online-security-but-free-and-underfunded-80800), July 17, 2017
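Review bot: The quoted article has lost its apostrophes throughout the blockquote ("GCHQs results", "Zimmermanns work", "By todays standards", "Whats more", "the worlds most common"), while the curly double quotes survived, which suggests a paste or encoding problem; restore them so the quotation matches its source. At the top of the body, the image, the italic caption and the Donate link sit on three consecutive lines with no blank line between them, so Markdown will render them as a single paragraph; separate them if they are meant to be distinct blocks. The zdnet.com and philzimmermann.com links are also plain `http://`.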


@ -0,0 +1,29 @@
---
title: "Chiffrement de messagerie instantanée: à quel protocole se vouer?"
date: 2017-11-15T12:54:49+01:00
draft: false
tags: ["infosec","encryption","omemo","signal app","tech","xmpp"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
---
![Comparaison des protocoles de chiffrement](/images/telegram-otr-openpgp-signal-omemo.png)
Vu sur le site de l'[ANSSI](https://www.ssi.gouv.fr/publication/chiffrement-de-messagerie-quasi-instantanee-a-quel-protocole-se-vouer/):
> Accompagnant la prise de conscience généralisée du besoin de sécuriser ses communications électroniques, de nombreuses applications de messagerie (quasi) instantanée ont fait leur apparition sur les ordiphones. Toutes annoncent un haut niveau de sécurité, laissant ainsi lutilisateur dans le doute, vis-à-vis du niveau réel de sécurité à escompter.
>
## Donc, que privilégier entre Signal, Telegram ou XMPP?
Je ne cite pas WhatsApp/Facecrook à dessein, hein.
Extrait de la conclusion de l'étude comparative [.pdf [disponible ici](https://www.ssi.gouv.fr/uploads/2017/10/chiffrement_messagerie_instantanee_fmaury_anssi.pdf "Chiffrement de messagerie quasi instantanée: à quel protocole se vouer?") - 303Ko] par Florian Maury *Chiffrement de messagerie quasi instantanée: à quel protocole se vouer?* :
> OMEMO, avec la stabilité de sa spécification, sa licence ouverte, ses primitives cryptographiques à létat de lart et son architecture répartie, offre aux utilisateurs de XMPP une méthode de communication sécurisée satisfaisante, et potentiellement durable. -- Florian Maury
TL;DR: utilisez XMPP avec [conversations.im](https://conversations.im/) + OMEMO pour le chiffrement, c'est bien.
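Review bot: The final `TL;DR: utilisez XMPP ...` line follows the `> OMEMO, ...` quote with no blank line in between, so Markdown treats it as a lazy continuation and renders your own recommendation inside Florian Maury's quotation; add a blank line before it. The quoted ANSSI text has also lost its apostrophes ("lutilisateur", "létat de lart"), and the nested brackets in `[.pdf [disponible ici](...) - 303Ko]` are fragile link markup; plain parentheses around the link would be safer.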


@ -0,0 +1,20 @@
---
title: "China blocks WhatsApp"
date: 2017-09-26T02:16:00+06:00
draft: false
tags: ["whatsapp","asia","china","data privacy","infosec"]
author: "9x0rg"
hidemeta: false
ShowReadingTime: true
ShowPostNavLinks: true
showtoc: false
---
*China has largely blocked the WhatsApp messaging app, the latest move by Beijing to step up surveillance ahead of a big Communist Party gathering next month.*
> The disabling in mainland China of the Facebook-owned app is a setback for the social media giant, whose chief executive, Mark Zuckerberg, has been pushing to re-enter the Chinese market, and has been studying the Chinese language intensively. WhatsApp was the last of Facebook products to still be available in mainland China; the companys main social media service has been blocked in China since 2009, and its Instagram image-sharing app is also unavailable.
>
> The disruption of WhatsApp comes as Beijing prepares for the Communist Partys congress, which starts Oct. 18.
>
> By blocking the heavily encrypted WhatsApp service while making less secure applications like WeChat available to the public, the Chinese government has herded its internet users toward methods of communication that it can reliably monitor.
>
> Full story: [Keith Bradsher](http://www.nytimes.com/by/keith-bradsher) in [The New York Times](https://www.nytimes.com/2017/09/25/business/china-whatsapp-blocked.html)
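Review bot: The byline link in the last quoted line points to `http://www.nytimes.com/by/keith-bradsher` while the article link beside it is `https://`; use `https://` for both. The quoted text is also missing apostrophes ("the companys main social media service", "the Communist Partys congress"), the same paste problem as in the other posts of this commit.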