Now that we have enough details about how the NSA eavesdrops on the internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

The idea we had was to build an “unattended self-deploying” instance of Kali Linux that would install itself on a target machine along with a customized configuration requiring no user input whatsoever. On reboot after the installation completes, Kali would automagically connect back to the attacker using a reverse OpenVPN connection. The VPN setup would then allow the attacker to bridge the remote and local networks as well as have access to a full suite of penetration testing tools on the target network.

I write this post because I've noticed a sort of "JUST USE BCRYPT" cargo cult (thanks Coda Hale!) This is absolutely the wrong attitude to have about cryptography. Even though people who know much more about cryptography than I do have done an amazing job packaging these ciphers into easy-to-use libraries, use of cryptography is not something you undertake lightly. Please know what you're doing when you're using it, or else it isn't going to help you. § The first cipher I'd suggest you consider besides bcrypt is PBKDF2. It's ubiquitous and time-tested with an academic pedigree from RSA Labs, you know, the guys who invented much of the cryptographic ecosystem we use today. Like bcrypt, PBKDF2 has an adjustable work factor. Unlike bcrypt, PBKDF2 has been the subject of intense research and still remains the best conservative choice.

According to leaked internal documents from the German Federal Office for Information Security (BSI) that Die Zeit obtained, IT experts figured out that Windows 8, the touch-screen enabled, super-duper, but sales-challenged Microsoft operating system is outright dangerous for data security. It allows Microsoft to control the computer remotely through a built-in backdoor. Keys to that backdoor are likely accessible to the NSA – and in an unintended ironic twist, perhaps even to the Chinese.

Forty-four per cent of those questioned said they didn't believe the phone would interfere with the plane's instruments, but — perhaps more worryingly — 27 per cent said they couldn't cope without a switched-on phone and nine per cent said they couldn't turn off their phone as being uncontactable was unacceptable (we're assuming they weren't the brightest in the sample). § There's much debate about whether phones really can interfere with instrumentation, with the general feeling that the risk isn't worth taking and that as they generally won't work anyway it's not a big deal to ask flyers to turn them off. Some planes do have in-cabin coverage, but that only gets switched on above 10km to avoid interfering with ground networks.

Now you can quickly view your DomainKeys, DKIM, and SPF validitay, and SpamAssassin score in one place. Just send an email to any address @www.brandonchecketts.com. Then check here to see the results.

It’s taken a long time but today we bring the first installment in a series of posts highlighting VPN providers that take privacy seriously. Our first article focuses on anonymity and a later installment will highlight file-sharing aspects and possible limitations.

The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years – or nearly 900 million devices– and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.

Without the support of two major browsers and major websites most internet users are missing out on the security benefits of perfect forward secrecy. Without the protection of PFS, if an organisation were ever compelled — legally or otherwise — to turn over RSA private keys, all past communication over SSL is at risk. Perfect forward secrecy is no panacea, however; whilst it makes wholesale decryption of past SSL connections difficult, it does not protect against targeted attack on individual sessions. Whether or not PFS is used, SSL remains an important tool for web sites to use to secure data transmission across the internet to protect against (perhaps all but the most well-equipped) eavesdroppers.

Spotify supports unicode usernames which we are a bit proud of (not many services allow you to have ☃, the unicode snowman, as a username). However, it has also been a reliable source of pain over the years. This is the story of one time when it bit us pretty badly and how we spent Easter dealing with it.