In the fight for our privacy, the reform of the ePrivacy Directive will be the most important battlefield of 2017. A leaked draft shows: the EU Commission does make good proposals for better control of web tracking, but fundamentally companies and states may continue to analyse us.
I see two alternatives. The first is to recognize that the digital world will be one of ever-expanding features and options, of ever-faster product releases, of ever-increasing complexity and of ever-decreasing security. This is the world we have today, and we can decide to embrace it knowingly.
The other choice is to slow down, simplify and try to add security. Customers won't demand this--the issues are too complex for them to understand--so a consumer advocacy group is required. This solution might not be economically viable for the Internet, but it is the only way to get security.
Why are there actually no data breach reports in AT? Are we really that safe?
And what do ELGA and the BMGF have to say about it?
Dutch hospitals reported 304 separate incidents of patient data loss since January 1. According to the Authority for Personal Data (AP), the hospitals rarely encrypted the data. They also reported that the majority of the data loss occurred due to human error.
Something that fits the picture so well, that comes across as a tragic hero's tale and finally delivers a scapegoat and a reason for Donald Trump's election victory, something that everyone wants to hear right now and that sounds almost too perfect to be true, should perhaps be taken apart twice, three times, four times over. Basic journalistic reflexes alone ought to kick in there.
Then there are the very simple questions of craft: attributing an event as large as the US election result to big-data analysts, and citing as evidence the statements of just two people, namely the inventor and the seller of the analyses, who naturally consider their own product the ultimate, is journalistically difficult at the very least. From a scientific perspective, the many correlations in the article stand out. Yet statisticians learn the difference between correlation and causation in their first semester.
And then there are the concrete points where the article does not deliver the whole truth.
Clickbait of course, but still some food for thought:
Amidst the anxious grumbling of his audience at last week’s Structure Conference in San Francisco, billionaire Vinod Khosla asserted that 80% of jobs in an IT department could be replaced by AI-type systems. “I think that’s exciting,” added Khosla, founder of Sun Microsystems and Silicon Valley venture firm, Khosla Ventures.
The psychologist Michal Kosinski has developed a method to analyse people in minute detail based on their behaviour on Facebook. And in doing so helped Donald Trump to victory.
Look at the homepages of Tim Berners-Lee, Bjarne Stroustrup, and Donald Knuth. All three together have 235 kB, less than one Google SERP. Images are optimized, most of the content is above the fold, and their pages were "responsive" two decades before responsive design became a thing. But they are all ugly. If the father of the WWW, the father of C++, and the father of computer algorithms were in an evening web development class, they would all get an F and be asked to do their homepages again.
from the "no shit, sherlock" department:
According to IT expert Peter Singer, cybersecurity is being neglected far too much. The shortage of IT security specialists will also become a problem in the future.
It ought to be a criminal offence to sell or import IoT devices that don’t meet specific security criteria.
Just about two years ago, Tim Medin presented a new attack technique he christened “Kerberoasting”. While we didn’t realize the full implications of this at the time of release, this attack technique has been a bit of a game changer for us on engagements.
Thanks to an awesome PowerView pull request by @machosec, Kerberoasting is easier than ever using pure PowerShell. I wanted to briefly cover this technique and its background, how we’ve been using it recently, and a few awesome new developments.
Nobody wants to say it outright, but the Apple Watch sucks. So do most smartwatches. Every time I use my beautiful Moto 360, its lack of functionality makes me despair. But the problem isn’t our gadgets. It’s that the future of consumer tech isn’t going to come from information devices. It’s going to come from infrastructure.
HTTP/2 (or "H2" as the cool kids call it) has been ratified for months and browsers already support or have committed to supporting the protocol. Everything we hear tells us that the new version of HTTP will provide significant performance benefits while requiring little to no change to our applications -- all the problems with HTTP/1.x have seemingly been addressed, we no longer need the "hacks" that enabled us to circumvent them, and the Internet is about to be a happy place, at last!
But maybe we should put the pom poms down for a minute! Deploying HTTP/2 may not be as easy as it seems, since the protocol brings with it new complications and issues. Likewise, the new features the spec introduces may not work as seamlessly as we'd hope. In this session, we'll take a practical look at HTTP/2 and examine some of its core features and how they relate to real-world conditions. We'll discuss positives, negatives, and new caveats and practical considerations for deploying HTTP/2. Specifically, we'll cover:
- The single-connection model, and the impact of degraded network conditions on HTTP/2 vs HTTP/1
- How server push interacts (or doesn’t) with modern browser caches
- What HTTP/2's flow control mechanism means for server-to-client communication
- New considerations for deploying HPACK compression
- Difficulties in troubleshooting HTTP/2 communications, new tools, and new ways to use old tools
The audience will walk away with an understanding of the basic concepts of HTTP/2 and its pitfalls, allowing them to implement it properly.
I study the impact of technology for a living, and I’m a former programmer. I happily bank online, and use my smartphone to message friends and family. I support and trust encryption to protect ordinary people’s communication. I even believe computers will probably turn out to be safer drivers than too-easily distracted humans. I’m not averse to technological solutions.
In this case, though, we need to stick with methods that allow a paper trail that is verifiable after the election. No matter how you vote, there should be a tightly guarded paper record that can be used for audits, if not for the initial counting. This is not just because paper verification is more tamper-resistant than our insecure voting machines. Our elections need to be open to oversight without the need for voters to understand how encryption works. We can’t tell them to simply trust the experts, especially when people are deliberately sowing distrust.
“What we’re getting with the IoT is actuation in the real world. If I take a bunch of thermostats offline for 24 hours in the UK in winter, I’ll probably kill a bunch of pensioners. There’s your cyber terrorism attack.”
The trouble with writing fiction is that, as a famous novelist once said, reality is under no compulsion to make sense or be plausible. Those of us who make stuff up are constantly under threat of having our best fictional creations one-upped by the implausibility of real events. I'm pretty much resigned to this happening, especially with the Laundry Files stories: at least space opera and fantasy aren't as prone to being derailed as fiction set in the near-present.
Now that I’m using OpenPGP cards for GnuPG, I may as well start using them for their other bells and whistles too. The first and most useful such extra feature of those cards is using the authentication key for SSH.
Getting this working is actually surprisingly simple...
Please don't advocate learning to code just for the sake of learning how to code. Or worse, because of the fat paychecks. Instead, I humbly suggest that we spend our time learning how to …
+) Research voraciously, and understand how the things around us work at a basic level.
+) Communicate effectively with other human beings.
Politicians are pleased about this too, since alongside taxes and bans they now get entirely new tools to influence their citizens' behaviour. Only last year Chancellor Angela Merkel set up a corresponding team in her Chancellery. This much is certain: her behavioural researchers have taken on board some lessons from Fehr and his students. And even when the organisation Foodwatch launches a campaign against sugary foods, it benefits from the fact that people today are considered less rational than they used to be.
Sometimes, people ask me why I don’t keep a sticker over my webcam. “If you’ve already owned me enough to turn on the webcam,” I say, “The least I can do is force you to watch me pick my nose.”