Ein anderer Vorschlag zu Facebook

Markus Sulzbacher schlägt im Standard vor, Facebook aus Datenschutz/Kartellrechtsgründen zu zerschlagen.

Ich hätte da einen andere, deutlich subtilere Idee:

Facebook (das social media network) selber halte ich nicht für wahnsinnig wichtig, diese Netze kommen und gehen und Facebook wird hier keine Ausnahme sein. Ich halte WhatsApp für die langfristig deutlich spannendere Plattform, weil sie ein deutlich grundlegenderes Thema mit noch stärkerem Metcalfe’s Law Effekt behandelt: Die simple (text/voice) Kommunikation zwischen zwei Menschen und (fast noch wichtiger) in Gruppen.

Es gibt aus regulatorischer Sicht dafür aber bereits eine klare Lösung, die beim Telefonnetz super funktioniert hat und die Monopole erfolgreich aufgebrochen hat: Die Pflicht zur transparenten Vernetzung der Telefonanbieter inklusive Nummernportierung.

Daher: es wäre einfach an der Zeit, IM Systeme mit einer gewissen Marktmacht, also etwa Skype, WhatsApp, Facebook Messenger, iChat, … genauso zu behandeln, wie Telefonnetze und SMS und deren Interoperabilität vorzuschreiben.

Ja, das kann Österreich nicht im nationalen Alleingang machen, aber die EU hätte die Macht dazu.

Ob die EU auch die Eier dafür hat, ist die offene Frage.

Windows 10

A nugget from the Windows 10 Event log

While investigating why Outlook stopped working, I found the following in the EventLog:


2117? WTF?

Pet Peeves Windows 10

Win10: controlled folder access

I’ve enabled controlled folder access on my work Windows 10 machine.  Now it is giving me notifications like:


The idea is fine, of course I need to finetune the settings (and one click brings to the relevant settings page), but how the §$%& should I know which program to white-list? I cannot find a way to get the full path of the offending program.

I need to search.

Why is there no “Application ‘full path’ is trying to make changes: whitelist y/n” dialogue?

Windows 10

Windows accounts for Kids

While being logged in with my Microsoft Account I did not manage to create local accounts for the kids. There is this nice and fluffy “Create accounts for your family” system, but that implies that you create Microsoft Accounts for everybody.

I refuse to do that for kids. Sorry Microsoft, they are kids, they should not need cloud-based accounts yet.

Apparently you can create additional local account if you’re logged in on a local account. Great.

But there is no GUI to set the time limits for the kids if they are using a local account. You have to do this one the command line. e.g. with

net user kid1 /times:Sa,08:00-20:00

See this article.

Pet Peeves Windows 10

Windows 10 peeves

I’m not a computer newbie. Neither am I a first-time Windows user.

Windows 10 has proved to be a very mixed bag for me. Some things are very clever and nicely done, and then there are a bunch of “what the f*ck were they thinking” moments for me.

I’ve now added the category “Windows 10” to this blog to keep track of my peeves and my workarounds.


System Administration

Testing …

Is this thing still on?

My old wordpress installation has been suffering from bit-rot and the upgrade to Debian jessie completely killed the wordpress installation. I’m moving over posts and pages manually, let’s see if I get this blog (including pictures) up and running again.



CERT Internet Pet Peeves

Of Ads and Signatures

Both advertisements and signatures have been with us in the analogue realm for ages, the society has learned about their usefulness and limits. We have learned that it’s (usually) hard to judge the impact of a single ad, and that the process of actually validating a contested signature is not trivial. There is a good reason why the law requires more than a single signature to authorize the transfer of real estate.

Both concepts have been translated to the digital, online world.

And in both cases, there were promises that the new, digital and online versions of ads/signatures can deliver features that their old, analogue counterparts could not do.

For ads, it was the promise of real-time tracking of their effectiveness. You could do “clickthrough rates” measuring how often the ad was clicked by a viewer. The holy grail of ad effectivity tracking is the fabled “conversion rate”: you can measure how many people actually bought your product after clicking an ad.

For signatures, it was the promise of automated validation. If you get a digitally signed document, you should be able to actually verify (and can have 100% trust in the result) whether it was really signed by the signatory. Remember: in the analogue world, almost nobody actually does this. The lay person can detect crude forgeries, but even that only if the recipient has access to samples of authentic signatures. In reality, a closer inspection of handwritten signatures is only done for important transactions, or in the case of a dispute.

So how did things work out after a few years of experience with digital ads and signatures?

Digital ads are in a midlife crisis. We’re in a death spiral of low clickthrough rates, more obnoxious formats, ad-blockers and ad-blocker-blockers. Just look at the emergence of Taboola and similar click-bait.
Digital signatures are at a cross-road as well: The take-up rates of solutions based on smart-card readers have been underwhelming so far. This applies to the German ePerso as well as to the Austrian citizen card. The usability just isn’t there. So there has been a push to increase the take-up rate by introducing alternatives to smart-card technology. That won’t make it more secure. Not at all.

So what’s the common lesson? In theory, both digital ads and signatures can offer features that their old, analogue counterparts just cannot deliver. In practice, they are killing themselves by over-promising. As long as click-through rates are the prime measurement of online ads, their death spiral will continue. And as long as digital signatures continue to promise instant, high-confidence validation, they will not achieve the take-up rates needed for broad acceptance.

Continuing the current trajectory will lead to a hard crash for both technologies. On one side it’s the ad-blocker, on the other side it’s malware.

The level of spam in the email ecosystem meant that no mail-service can exist in the market without a built-in spam-filtering solution. And given the early ad-excesses every browser includes a pop-up blocker these days. If the advertisers continue on their path of getting attention at all costs, ad-blocking will become a must-have feature in all browsers, and not just an optional ad-on (as right now).

Any digital security solution that protects actual money has been under vigorous attack. The cat and mouse game between online-banking defenders and attackers is a good lesson. The same will happen if digital signature solutions start to be actually relevant. And good luck if your “let’s make digital signatures more user-friendly” approach is actually less secure than what online-banking is using these days.

So what’s the solution?

In my opinion the right way to approach both topics is to reduce the promise. Make digital ads static images. No animation. No dynamic loading of js-code (which is its own security nightmare). Don’t overtax the visitor’s resources (bandwidth, browser-performance). No tracking. Tone it down. Don’t expect instant effects. Don’t promise clicktrough rate.

For digital signatures: Mass deployment is only possible for “non-qualified signatures”. Don’t promise “you can fully and solely rely on our solution”. Just sell “this is a good indication”, or “use this as one factor in your security design”. Prepare for it to be attacked and broken. Only use it when you have a pre-planned way to recover from such a breach. The real word is full of applications where signatures are used in a very low-security / low-impact settings. The state-sponsored digital identity solutions needs to think of those, too. For the high-impact, high-confidence settings I always have to think about the mantra we use at work: “You can’t mandate trust.”

CERT Pet Peeves

The Edge browser

Wasn’t one of the main goals of junking the Internet Explorer codebase and building a brand new browser “Edge” the hope that there won’t be the monthly batch of patches for remote code execution vulnerabilities?

I haven’t tabulated the advisories but somehow I don’t have the feeling that things have gotten substantially better.


It looks to me like we still aren’t using the right programming environments for such complex pieces of software. There is still way too much basic security tooling the programmers have to do by themselves. Just like you shouldn’t do string operations in pure ANSI C, we need to rise the level of abstractions that all these browser bugs (that lead to RCE) just are not possible any more.

Pet Peeves

StartSSL, S/MIME and Thunderbird

This cost me an hour or two:

If you try to get a free S/MIME certificate from StartCom / StartSSL, this worked fine and in Firefox the certificate was shown as valid. But once I transferred it to Thunderbird, I got an unspecified certificate error.

Solution: Turn off OCSP.

Pet Peeves

Positive Surprise …

Wow, they put up new ticket vending machines at Brussels Central train station.

So instead of accepting only the Belgian-only cards, they finally work with international cards (Maestro, master/Visa), too.

Progress indeed. Welcome to 2014.