Robert J. Hansen Profile picture
Personal account, opinions are my own. ∃_RT: RT ⇏ endorsements.
Apr 8, 2021 9 tweets 2 min read
In 2002 I was employed by a law firm. The prior sysadmin was a raging incompetent on many different fronts. How she interacted with our users was the worst.


Users just wanted their shit to work.

1/ So users became experts in sidestepping her, because she was actively unhelpful. She then pushed Management into draconian punishments for anyone who sidestepped her.

"The beatings will continue until morale improves."

This was the situation I came into.

Apr 8, 2021 5 tweets 2 min read
The user IS the weakest link. That's not the awful hot take.

The awful hot take is blaming the user for being a fallible human being who's not an expert in cybersecurity. It's the shittiest of all the shitty takes in infosec.

You cannot protect people while mocking them.

1/ The problem is that "the user is the weakest link, so let's take steps to better break the attacker's killchain before it reaches the user" starts with the same words as "the user is the weakest link, so let's blame and punish and mock the user".

Apr 8, 2021 6 tweets 3 min read
@gusandrews had a good thread on why integrating cryptocurrency into @signalapp is a bad idea. I'm going to rant a moment about why it's bad engineering. Tagging in @arclight for this thoughts, as a fellow curmudgeon software engineer. Belt in: we're taking a ride.

In grad school my software engineering prof, Jon Kuhl, said the black art of software engineering consisted mostly in being able to stop. He was a passionate advocate for delivering Minimum Viable Product, and for good reason.

Nov 27, 2020 7 tweets 2 min read
Some years ago Webb County, Texas asked me to look at a primary election where they had some strange reports from people. It was done entirely on ES&S iVotronic electronic voting machines. I found a number of grave irregularities, including machines being zeroed mid-election! 1/ This research ultimately wound up being presented at DEF CON, and was I believe DEF CON's first presentation on the risks of electronic voting machines. So, yes: I did discover irregularities in electronic elections for a living, and really do have a publication record. 2/
Nov 9, 2020 4 tweets 1 min read
To recap how this election could be challenged...

RECOUNT: Largest recount shift in a modern Presidential election was about 1250 votes in Florida during the 2000 election. If at the end of counting there’s a 5k margin there is effectively no chance of a recount affecting it. 1/ COURT: requires evidence. Yesterday something like 8 different lawsuits were dismissed by courts for failure to make a case. The relevant question isn’t how many court challenges are being filed but how solid the evidence is. So far we haven’t seen any. 2/
Nov 9, 2020 4 tweets 1 min read
I've seen this floating around. The big problem with it is it's factually wrong. E.g., Pennsylvania state law explicitly forbids the Legislature from appointing electors: electors are to ONLY be chosen by popular vote. 1/ Second, just because an election is contested doesn't mean the numbers are wrong, or even that the contestation has a solid foundation. Yesterday something like *8 different Trump challenges* were thrown out of court for failure to meet the basic requirements of a challenge. 2/
Nov 8, 2020 9 tweets 2 min read
Since we now have a President-Elect, I can make some political observations. Nonpartisan, but expect sacred cows to get slaughtered.

This was likely the most closely-observed election in human history. The entire world was watching. The entire world sent observers. The biggest international group is OSCE, the Organization for Security and Cooperation in Europe. There are many many others. 2/
Jan 7, 2020 5 tweets 1 min read
If you haven't read , go, do. This will have severe consequences for about the next decade or more. The tl;dr is the SHA-1 attacks we've been worried about since 2004 have finally arrived. SHA-1 is now not much stronger than MD5. 1/ There are two main problems with the Internet of Things. The first is that few devices ever update their firmware in response to security threats. The second is those that do tend to use SHA-1 to verify the new firmware. 2/
Oct 8, 2019 12 tweets 3 min read
Some reflections on OpenPGP, from the perspective of approaching Enigmail's end-of-life. Respect intended towards all, malice towards none, but a couple of sacred cows might get skewered along the way.

Everyone who says OpenPGP is embarrassingly ancient is right. Everyone who says it's bogus is wrong. The protocol itself is difficult to implement correctly and just feels clumsy and awkward by current standards. But for all that, it's still solid as a rock. 2/
Oct 8, 2019 7 tweets 2 min read
Good news, everyone: Enigmail, the OpenPGP plugin for the Thunderbird email client, is being abandoned! Yaaaaaay!

Better news, everyone: it's because native OpenPGP support will be included in Thunderbird starting in version 78! YAAAAAAY! 1/ Enigmail for Thunderbird 68 is the final iteration of Thunderbird, and will continue to be supported for at least six months after the introduction of Thunderbird 78. You'll have at least six months to migrate. *WE ARE NOT ABANDONING OUR USERS*. 2/
Nov 12, 2018 4 tweets 1 min read
When I entered an R&D lab in 2008, their rule #1 was written on the whiteboard: MOST OF IT IS WRONG. It was a good rule but incomplete, so I picked up a marker and added rule #2: WE FAIL FASTER.

On those two rules all R&D shops live or die. 1/ 99% of all new ideas are failures, and yet new ideas have such appeal that often we get overly attached to them. You have to resist this temptation. Remind yourself constantly that most of it is wrong, even — especially! — the ideas you like. 2/
Oct 29, 2018 7 tweets 2 min read
"I don't know much about cyberwarfare—"

Nobody does. Welcome to the club.

"—but why don't you believe the Bloomberg story about the Chinese rooting, uh, well, everything?"

Economics, not technology. You don't need to understand tech: you just need to be able to multiply. 1/ Imagine you have a skeleton key that can open anything from a twelve-year-old's locked diary to a bank vault. The problem is as soon as you get caught using it everyone's going to change their locks. 2/
May 14, 2018 7 tweets 2 min read
I got up at 6am yesterday. Shortly before going to bed last night, #Efail broke. Since then I've been deluged in messages from very scared people who have wanted and needed to hear things are not as bad as they're being made out to be. 1/ I am literally hallucinating from sleep deprivation. I'm still here. Still answering DMs, emails, Google Hangout messages, Signal messages, more. I'm talking to journalists who are trying to get another take.

I am *exhausted*. 2/
May 14, 2018 17 tweets 3 min read
GnuPG has an official statement out. (ObDisclosure: I was the principal author.) 1/ (This statement is only about the susceptibility of OpenPGP, GnuPG, and
Gpg4Win. It does not cover S/MIME.) 2/
May 14, 2018 10 tweets 2 min read
Long thread. If you want to know the high-level details of the Efail attack, read. Yes, it was embargoed; yes, we were respecting the embargo; but links to the paper are now easy to get, so... here goes. 1/ This is at its heart a malleability attack on OpenPGP's cipher feedback mode. These attacks aren't new. The IETF OpenPGP Working Group first knew about them in 1999. By September 2000, GnuPG had a defense. 2/