Making Privacy Great Again (?) – The Blackphone Story – Part 4 – There’s a Snake in My Boot

Blackphone as an allegory to why the bad guys are winning, a step-by-step guide to unlocking your device, and to whom you should say “you’re welcome!”.

By Eh’den Biber

First of all, my apologies for the delay in writing. It was totally unintended, but life, as you all know, has a comic view of our perception that we are in control of it. We are funny.

So, back to the Blackphone. I must admit that I’m surprised by what I learned. It’s so true that until we experience something personally, knowing the facts related to that experience is meaningless. It is a total colour-blindness, an inability to grasp the vast spectrum of radiation most of us can perceive naturally.

But before we begin with the boot story, let me just highlight a surprising point – if you wanted proof that no one cares about security, INCLUDING security people, take a look at the vast number of security reviews that have been performed so far on the phone. I know, there’s nothing out there.


Making Privacy Great Again (?) – The Blackphone Story – Part 3 – Being Matt Damon

The Awareness lessons Matt Damon Had Taught Me.

By Eh’den Biber


(This is part 3 in a series of articles I’m publishing about my investigation into the security of the Silent Circle Blackphone 2. In case you missed them, I invite you to read part 1 and part 2)…

Now that I have received the Blackphone 2 I was facing a dilemma – what would be the best way to investigate it? To answer that, I decided to ask myself what Matt Damon would do if he were me.


Making Privacy Great Again (?) – The Blackphone Story – Part 2 – Ride on Time

(to those who missed it, here is part 1…)

Everyone wants to be secure, or so it seems, and that is what makes the whole story of Silent Circle so sad. A group of extremely talented people (Phil Zimmermann (PGP), Jon Callas (Apple, OpenPGP), Mike Kershaw (Kismet) etc.) gathered and created Silent Circle… and developed a phone that would be secure and focus on your privacy. The first phone, the Blackphone 1, was too slow and too restrictive, so Blackphone 2 came along and provided a much-needed boost in terms of usability and performance to clients who want a phone that gives them an Android experience. Blackberry did the same when they decided to ditch their own OS and move to the Android domain, and … both seem to have failed to gain substantial market share. But don’t blame the players, blame the game – we live in a world where people talk about privacy like Trump talks about America – endless use of slogans which are driven by personal motives.


Making Privacy Great Again (?) – The Blackphone Story – Part 1 – Introduction

Ever since my last post I’ve been more silent than usual. The reason for it was a phone called Blackphone 2 or BP2, a “Private by Design” product of a company called Silent Circle.

What made me extremely interested in the product was the fact that in January Silent Circle started to brick phones which were not authorised for sale by them. You can read about it here.

I decided to go out and buy two units and see what they did, and how you can bypass it.

There was one tiny problem – I’m not a mobile phone security expert, and while I can tell you as a security-oriented end user that Android security sucks, I couldn’t really pinpoint the elements which made it so bad. Sure, there are so many videos and guides out there that teach you the ins and outs of an Android system and also discuss its security aspects, but I decided to choose a different path. As you know (from my previous posts) I’m extremely interested in the subject of awareness, and my view is that the best path for learning is failure in a secure environment that allows you to fail. I did, for almost a month. My secure environment is my beautiful wife, who allowed me to bring the phones to the bedroom, heroically suffered the sounds that came from my computer and the phone throughout many nights, and completely supported me. Most other partners would have voted to brexit me out of the bedroom to the living room until my insanity passed.

It’s been a fascinating journey, and a painful one. I had days with zero progress, days with total setbacks, and days when I just wanted to smash the darn devices against the wall and get my life back. I didn’t. It reminded me how hard it is to learn something totally new, how easy it is to make mistakes driven by a lack of understanding, and how easy it is to be afraid to admit it and get yourself into even bigger trouble. While it would have made much more sense to read a book or go through a training course, I wanted to see whether life is indeed so counter-intuitive to our human logic.

See you soon…in part 2

Eh’den

PS

If you have good knowledge about android application security, please contact me. I still have some unanswered questions 😉

Awareness Myth Busting

Why attempts to raise the level of awareness to information security are failing, and what to do in order to change it.

Written by Eh’den Biber

Prologue – Battlefield

The field of information security is system- and technology-driven. This is why it is no wonder that the first attempt to make people act according to the way we believed is best from an information security standpoint was compliance. Oh, and it worked SO great, didn’t it? Dear auditors, this was a rhetorical, cynical question, so let me assure you: when it comes to humans, compliance doesn’t work, sometimes even when you put a gun against someone’s head.
We moved from compliance to awareness, and we continue to fail.

This article will try to break down the multiple reasons why we fail in our information security awareness activities. After years of looking into awareness from educational, psychological, neurological, biological and spiritual perspectives, I realised that the reason we are failing to increase awareness is that we never did a true root-cause analysis.

Believe me, I’ve been doing everything I can to avoid writing this article. Like Arjuna, the hero of the Bhagavad Gita, I tried to avoid going into a battlefield, getting on a collision course with a community of people, some of whom I know personally. Every time I wanted to write the article you’re about to read, my subconscious was re-living the times I’ve been ridiculed, judged, kicked around (physically, emotionally, verbally), and eventually, stabbed (yeah, in London). When on a battlefield, it is hard to remember that who you think you are is a mind running on an ego operating system, which has been optimised to increase your survival rate. This thing, my humanity, was preventing me from writing, in order to prevent the suffering, to increase survival rates. This is what the brain/mind is meant to do, and in my case, my brain was trying to increase my professional survival.

The reason for my long silence in recent months was that I came to the realisation that our profession is based on pseudo- and proto-science, that most of what we do can be qualified as cult behaviour (cargo, anyone?), and that our blindness is at the core of our failure to reduce the likelihood of a future loss event caused by a “human vulnerability” which leads to wrong decision making.

Finally, I said it, and here I am experiencing how it feels to be honest and fearless. Blessed.
