Lars Fischer

43 Followers
62 Following
267 Posts

Teaching IT-Security and Math (since 2020 or forever, whatever came first)

Practicing Habitual Automation

(languages Deutsch and English, depending on topic)

website: https://informatik.hs-bremerhaven.de/lafischer
coffee: tea
PGP: A2FE 7D7E A05C 92C3 F9EC F875 B296 0E33 A4AC D842
Licence: Starting 2020-10-05 this work is licensed under CC BY-NC-SA 4.0
If you have my operating system under control, why do you have to tell me that in a PDF? I would find it more impressive if the classic ransom note simply appeared on the screen. Besides, the PDF you sent me is broken. ;-)
Temperature in the office today: 31°C.

Let me borrow from Bruce Schneier @Schneier_rss: ‘We don’t issue letters of marque on the high seas anymore; we shouldn’t do it in cyberspace.’ [1]

He was struck by a sentence in the 2026 US Cyber Strategy (linked in [1]) which seems to imply that the White House (signed by DJT) is actually planning to somehow incentivize private companies to attack adversaries in the "cyberspace". (Sorry, I still cannot write the word "cyber" without flinching, I have Wiener's "Cybernetics" on my bookshelf.) Which would (excuse the former digression, hope you are still following), as Schneier puts it, be "an incredibly dumb idea".

Incredibly dangerous as well, like handing everyone a gun and a blindfold and incentivizing them to shoot whenever they feel threatened or attacked from any direction. Cascades of hacks and hack-backs. Maybe the best thing would be if companies outsourced the "disruption of adversary networks" to the same hackers-for-hire, because they then might realize that they have contracts with both sides and hopefully just stop disrupting either of the two networks.

Plus, I assume, it would be illegal in most jurisdictions — including the current USA.

[1] https://www.schneier.com/blog/archives/2026/04/is-hackback-official-us-cybersecurity-strategy.html

Is "Hackback" Official US Cybersecurity Strategy? - Schneier on Security

The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone. But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This sounds like a call for hackback: giving private companies permission to conduct offensive cyber operations. The Economist noticed (alternate link) this, too. I think this is an incredibly dumb idea: In warfare, the notion of counterattack is extremely powerful. Going after the enemy—its positions, its supply lines, its factories, its infrastructure—is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty...

Schneier on Security
Now I have demonstrated to myself how to bury a posting by bad timing of publication.

And because it still is fresh in my mind, I quickly threw together a brief tutorial on ``sq``. This will be used in the summer term in the bachelor-course on IT-security.

Dear @sequoiapgp if you would be so kind as to throw an eye onto the page? I might have gotten things wrong at various degrees of wrongness and am still lacking a section on the #wot

Update:

The CheatSheet is found here: https://informatik.hs-bremerhaven.de/lafischer/tutorials/2026-03-26-sq-cheat.html

Prof. Dr. Lars Fischer - Sequoia-PGP Cheatsheet

Short:
I had to rotate my OpenPGP-keys. The current key is now

63F831BAAAFEA6B63D9514E441D8FF5258F8FB4A

Get it from the usual keyservers.

Long:

I am switching from GnuPG to sequoia-pgp and at the same time I had two expired subkeys. A ``sq key rotate`` did not produce the results I intended (new subkeys), and adding two new subkeys did not seem to be importable into Thunderbird. The easy way out was to generate a completely new key — also as a test to see if this one could be imported into Thunderbird (it could, and I simply made it my main key).

``sq`` has a very easily usable CLI and absolutely helpful ``--help``. Plus, it does not have https://gpg.fail sitting on its back. The switch is not going without a hitch because I now have to move my private MUA to something that is working with sequoia and notmuch.

I absolutely love that ``sq`` gives you hints on further switches that could improve the output. It seems that you are never left helplessly stranded.

So, kudos and thanks
@sequoiapgp
I think I'll give it a try for a while.

Plus, did you know that the IMPACT CA that "my" students built a year ago is using the sequoia library?


Ongoing

Not only students grow at this university. It's "applied", keep that in mind.

Put them in last week.

Nice, short read on vulnerabilities in two password managers. (Others seemingly have not been addressed.) Weaknesses like "missing authentication" might raise some hairs.

https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/

Short commercial for the standard Unix password manager https://www.passwordstore.org/ here. The main advantage in this context is that the actual software simply combines trusted and tested tools and concepts: pgp, files, git, ssh, pinentry, various tools to further use pass in different applications, and does not try to "re-invent". That also has the advantage of the passwords being accessible if the password-store software becomes unusable.

Furthermore, it is easier to estimate the achieved level of security, e.g. https://gpg.fail/ (Practical hint: sequoia-chameleon promises to provide a stand-in replacement for gnupg.)

Password managers' promise that they can't see your vaults isn't always true

Contrary to what password managers say, a server compromise can mean game over.

Ars Technica
Hamburg GI-Sicherheit. Unfortunately one day late. The workshops were yesterday.