Security – blog.soldierer.com
https://blog.soldierer.com
Walter's Tidbits
Fri, 13 Dec 2019 09:16:22 +0000

GDPR Craziness / DSGVO Irrsinn
https://blog.soldierer.com/2018/06/04/gdpr-craziness-dsgvo-irrsinn/
Mon, 04 Jun 2018 07:59:41 +0000

Today I decided to make this website “GDPR compliant”. No more cookies, Google Analytics, personal data processing, and log files. Not sure if that will protect me from potential legal consequences of not being GDPR compliant, but this is a simple personal home page after all and I’m afraid it is all I can currently do to protect myself. I would otherwise need to do all sorts of things, like publishing a long waterproof privacy policy, explaining the purpose of all cookies, and providing an opt-out technology for them. I already registered and installed an SSL certificate to protect your personal data contained in comments and contact requests.

If you want to comment on one of the blog posts, you can use the site’s contact form. If you tell me that you want your comment to be public, I will consider adding it to the post in question.


Today I decided to adapt this website to the General Data Protection Regulation. No cookies, no Google Analytics, no processing of personal data, and no log files. This is a simple personal home page and I don’t really need any of that.
I hope the website now meets the requirements of the GDPR, but I cannot be sure whether that will actually protect me from all the legal pitfalls and waves of cease-and-desist letters in our nicely regulated world.
I’m afraid this is all I can currently do to protect myself. I would otherwise have to invest a lot of time, for example in writing a long, watertight privacy policy. I would also have to explain the purpose of all cookies and provide an opt-out technology for them. An SSL certificate is already installed to protect personal data in comments and contact requests.

Anyone who wants to comment on one of the blog posts should therefore use the website’s contact form. The comment may then be added to the post in question.

Ironkey
https://blog.soldierer.com/2008/09/02/ironkey/
Tue, 02 Sep 2008 12:05:06 +0000

When I heard Steve Gibson talk about the Ironkey I wanted to have one. It’s basically a USB storage device with strong hardware encryption built in. In an earlier post about encryption I said:

Some USB drives (SanDisk, Lexar, Kingston, IronKey) have hardware encryption built in, but when it comes to encryption, I prefer to stay away from proprietary implementations.

Well, the Ironkey is proprietary of course. However, after Steve’s interview with Ironkey’s CEO I was very curious how the thing would actually work. For my daily needs Ironkey’s level of security is more than I need anyway. And I’m not a big fan of conspiracy theories. Ironkey is very likely not a subsidiary of the NSA. And should I ever be concerned about some government agency breaking into it, I can still encrypt the data on my Ironkey with PGP. Call me paranoid but actually I run a copy on the Ironkey and use it to encrypt the hundreds of entries in my master passwords file.

Free encryption software (4) – Gnu Privacy Guard
https://blog.soldierer.com/2008/08/25/free-encryption-software-4-gnu-privacy-guard/
Mon, 25 Aug 2008 16:36:27 +0000

Gnu Privacy Guard (GPG) is an open source PGP clone. It uses strong encryption to protect emails as well as files and folders. For encrypting drives, folders, and files I use a different piece of software (Truecrypt). GPG is my encryption tool for email. The majority of email traffic on the Internet still goes unencrypted, which still amazes me. Many email users don’t know that their email can be easily intercepted and read. PGP’s documentation compares sending email to sending paper postcards, and rightly so. There is no envelope. Any person having access to a mail server or a router could read or automatically filter the many emails that are processed every day. Wireless connections are even more of a problem. There is software which can make email data visible if it is sent over an unencrypted WLAN connection.

So do I encrypt all my email? No. I wish I could, but none of my friends and colleagues uses email encryption. There are only two things I can do: download my mail with a secure protocol to at least encrypt the last hop, and never forget that emails are like paper postcards that not only the postman can read.

Free encryption software (1): Introduction
Free encryption software (2): File encryption on USB flash drives
Free encryption software (3): Hard disc encryption

Free encryption software (3): Hard disc encryption
https://blog.soldierer.com/2008/03/24/free-encryption-software-3hard-disc-encryption/
Mon, 24 Mar 2008 18:25:18 +0000

[Update Nov. 11, 2014: The Truecrypt developers no longer support this product]

Since version 5, released on February 8, 2008, Truecrypt can encrypt an entire drive or partition, including the one that contains the operating system installation. Truecrypt’s implementation of strong drive encryption is particularly impressive. Listen to Security Now episode 133 for more information. Finally, high-quality free open source software is available for encrypting an entire hard disk. I immediately encrypted my laptop’s hard disk. Truecrypt 4 was already installed and all private data was stored in an encrypted volume. Full disk encryption with pre-boot authentication is a much better solution, though. Now the entire hard disc contains nothing that anyone could ever read. The encryption ran as a background process while I was surfing the web and took 2.5 hours on an 80 GB hard disk.

Don’t leave the data on your portable computer unprotected. Download Truecrypt for your PC, Linux box or Mac.

Free encryption software (1): Introduction

Free encryption software (2): File encryption on USB flash drives

Free encryption software (4): GNU Privacy Guard

Free encryption software (2): File encryption on USB flash drives
https://blog.soldierer.com/2008/03/12/free-encryption-software-2file-encryption-on-usb-flash-drives/
Wed, 12 Mar 2008 20:21:14 +0000

I have been a PGP user since 1996 and I still use Ståle Schumacher’s international DOS version 2.63i to encrypt files on my USB flash drives. All I need is PGP’s small executable file (pgp.exe, 237.737 kb). On first use, PGP will create a second small file that contains some random seed data for the encryption. With this minimal setup, PGP will warn you about a missing configuration file, but this does not affect the strength of encryption. The USB drive on my key ring contains an encrypted passwords file and pgp.exe, providing easy access to the many cryptic passwords I use. All I need is one strong master pass phrase to decrypt the file and get instant access to more passwords than I could ever remember.

I insert the USB drive and open a command prompt window (Start > Run > cmd).

PGP file encryption:

pgp -c filename

PGP file decryption:

pgp filename.pgp

PGP 2.63i in action

In conventional -c encryption mode PGP uses a symmetric block encryption algorithm (IDEA) with a key size of 128 bits. Together with a good pass phrase this is really strong encryption.

Don’t forget to securely delete the plaintext file afterwards:

pgp -w filename

Since this version of PGP was developed for DOS, it only supports 8 character file names (8.3).

PGP 2.63i is still available from Ståle’s pgpi.org site.

Back in 1996 I contributed the “self-sign FAQ” to the PGP community.

Other flash drive encryption options for Windows, Mac and Linux

Many different free and commercial PGP versions and clones are available. See pgp.com, pgpi.org, and gnupg.org. I still use PGP 2.63i because it is an easy-to-use lightweight program that provides strong encryption and can be put on any device by simply copying one small file.

Truecrypt in “Traveller Mode” can be used to create an encrypted file container on Flash memory. Truecrypt is free and provides super strong encryption, too. However, you need to have administrator privileges on all machines that you decrypt the container on. I’m not an admin on my machine at work but need access to the passwords on my keyring there, too.

Some USB drives (SanDisk, Kingston, IronKey) have hardware encryption built in, but when it comes to encryption, I prefer to stay away from proprietary implementations.

Free encryption software (1): Introduction

Free encryption software (3): Hard disc encryption

Free encryption software (4): GNU Privacy Guard

Security Now Episode 108
https://blog.soldierer.com/2007/09/11/security-now-episode-108/
Tue, 11 Sep 2007 17:13:49 +0000

One of my favorite podcasts is Security Now with Steve Gibson and Leo Laporte. I am a long-term subscriber; actually, I haven’t missed a single episode so far. Finally, after 2 years of enjoying Security Now and applying the lessons learned both at home and at work, I was able to give something back. Steve:

One of our listeners, actually very courteous, a Walter Soldierer I think is how I pronounce his name, he provided me with the name of the guy at VeriSign, and email address, who’s in charge of the whole PIP technology program. His name is Gary Krall at VeriSign. I sent Gary a piece of email saying, hey, I was really glad to get your name and email.

In episode 103, Steve and Leo had interviewed PayPal’s Michael Vergara, who is in charge of the PayPal Security Key. It’s a small 6-digit number generator to allow two-factor authentication. When I heard about it, I immediately ordered one and now use it on both my PayPal and eBay accounts.

The PayPal/eBay Security Key is based on the VeriSign Identity Protection (VIP) system. VeriSign is setting up a network of VIP providers like PayPal, and the same Security Key can be used for all sites in the network. VeriSign also offers an OpenID implementation of VIP called Personal Identity Provider (PIP), which I registered for to add the second factor to my OpenID authentication, too.

While researching PIP I came across a number of posts from VeriSign’s Gary Krall on security discussion forums. He manages an application prototyping team at VeriSign and is in charge of PIP. When Steve Gibson covered PIP in Security Now I thought he might want to know who the technical person behind this great initiative is. Actually I was hoping that Steve would interview Gary Krall too…
