Author Archives: Tobias Boelter

Secure Communication, Finally!

A beta version of the Signal Desktop client is now available and What's App integrated the Signal protocol into their widely used messenger. TLS certificates are now available for free, many websites provide https, and certificate transparency is on a good way to solve the CA problem. It really seems like the world of computer security has become a bit less broken over the past few years. I'm wondering why it took humanity so long to create a usable secure communication platform that supports multiple devices and group chats, but I'm happy that this problem finally solved. Nobody should have an excuse to communicate insecurely anymore!


  1. How do we get rid of insecure e-mail?
  2. When will What's App hide the meta data?

Von Niehl in die Welt

This German article appears in the anniversary magazine of my high-school, the Erich Kästner-Gymnasium, Köln Niehl.

Hallo liebe Mitmenschen, die ihr noch im Käfig „Schulsystem“ gefangen seid und sehnsüchtig auf den Tag wartet, an dem Ihr einen Zettel mit der Überschrift “Abitur” überreicht bekommt, der euch endlich erlaubt in die schöne Welt hinaus zu gehen und eure Träume zu verwirklichen. Ich habe den Sprung geschafft. Ich promoviere aktuell an der UC Berkeley bei bestem kalifornischen Wetter und in Gesellschaft mit einigen der klügsten und interessantesten Menschen, die diese Welt zu bieten hat.

Auch wenn ich ausgesprochen ungern in die Schule gegangen bin, muss ich fairerweise sagen, dass das EKG noch ein ertragbarer Käfig war. Die Offenheit der Schule für neue Initiativen und die gute Beziehung zu ein paar Lehrern waren ein wichtiger Baustein für meine Karriere.

Das EKG ermöglichte mir mit verschiedenen Angeboten, mich neben dem normalen Unterricht meinem eigenen Tempo entsprechend zu entwickeln. Es war kein Problem, fachspezifisch den Unterricht eines höheren Jahrganges zu besuchen. Und ein sehr engagierter Herr Müller-Alander, hatte sich dem Projekt Schülerfirma verschrieben, das uns die Möglichkeit gab einen gewissen “entrepreneurial spirit” zu entwickeln. Am wichtigsten aber war das Projekt “Schüler an der Universität”. Das hieß für mich: Schulfrei und stattdessen spannende Vorlesungen an der Uni. Zwei Wochen Mathestudium an der Uni entsprechen im Umfang gut und gerne zwei Jahren Mathe LK. Erstaunlich, was man erreichen kann, wenn man nicht mehr an die Geschwindigkeit des Lehrers gebunden ist. Also: Auch wenn das Schulsystem sehr einschränkend wirkt, es gibt Möglichkeiten, seinen eigenen Weg zu gehen, auch schon vor dem Abitur.

„If you can dream it, you can do it“ (Walt Disney) und „Spaß ist nicht gleich Freude“ (Norman Mellein).

UC Berkeley spies on all Students, Staff, Faculty 24/7

The University of California Office of the President (UCOP) has been secretly monitoring university network traffic since about August 2015. ALL data including all private E-Mail communication and everything else sent from or to the UC Network is analyzed by a not disclosed third party and retained for at least 30 days. Sources: SF Chronicle, Blogpost, Letter from Raechel Nava, Executive Vice President — Chief Operating Officer

The people responsible for implementing the unconditional and extremely invasive surveillance of all people on campus claim that this installation will enhance individual's privacy as it is necessary for improving campus security, and security is a requirement for privacy. lol. or cry. idk.

Yes, security is a requirement for privacy, but analyzing and storing all data, including the most private information, is a particularly bad attempt to achieve the goal. First, it is only a matter of time until the skillful attackers break into the surveillance system and get all data served on a silver tray. Second, the main use-case would be to analyze attacks after they happened, not prevent them. Third, parts of the UC IT are quite outdated and presumably contain lots of security holes. Fixing them first would be much more effective. Fourth, giving a third party access to all private data is a bad idea because it greatly extends the set of trusted people, devices, and networks. Fifth, today they promise to only use the data for protecting the network. When we already store all this data the next generation will legitimately ask, why it is not used to resolve other crime cases as well. A few years later, the government just slightly changes how to define crime.

Again we see the security argument applied as a plain decoy to justify peoples nasty surveillance dreams. Or maybe they just don't know better? Idk. Btw: Berkeley is worldwide one of the top research institutions in Computer Security. Apparently non of the faculty or students were asked to assist with making the network more secure. Instead an external party was secretly contracted.

Notice that the security fence is full of holes

Notice that the security fence is full of holes

So, what can we do against this. I don't know. Convincing the administration that this form of surveillance it no good might be fruitful in case they just did not know what else to do. I doubt it. And even then other actors are monitoring all your communication anyways. So it seems like as long as there is no better solution available, we all have to protect ourselves a little bit more. We can


Not to care about privacy because you have nothing to hide is like not caring about free speech because you have nothing to say. - Edward Snowden

Comments allowed and welcome.

The day I almost became stupid

Today is Friday, Jan 22, 2016. I will remember this day. In discussions we security researchers often talk about the dumb average computer user. Today I almost became one of them. I received the following email from a spoofed sender address [email protected]:

Screen Shot 2016-01-22 at 5.40.26 PM


It tells me that because I am a non-resident alien in the US I need to submit additional information to the IRS because I opened a bank account and I am exempt from "tax withholdings on interest paid". All this was true to me and because I only very quickly skimmed the e-mail I did not detect any major flaws in the language. I would never expect a German authority to send me such an request by email but the Americans do many sensitive stuff online so I was not really surprised by the fact that "IRS" was communicating with me via email. I also gave them my email address on another form a few month ago.

What finally helped me to identify that it was a phishing attempt was that a google search for the indicated Fax number did not give any results. I would have expected to find it on some IRS website. Then I looked at the mail headers which revealed that the sender address was spoofed and finally made it clear that this is indeed a phishing attempt.

Screen Shot 2016-01-22 at 5.33.31 PM

I am glad I realized this in the last minute as the information I would have provided on the form would be enough for an attacker to try to call my bank and reset the password with the information or something similar.

I am wondering why the phishing email was so well targeted at me. Or is my view just biased because I directly delete all other phishing mails?

By the way, the IRS never communicates by email. More information on their website.

New Series: Business Ideas for Cryptographers

As you know I like startups. I like doing startups. I like the culture of startups and I like to see startups disrupt and overtake the world. But now I'm doing a PhD. And I love what I'm doing. So no startups for me. At least until I finish my PhD.

So why don't you take my business ideas and build your start-ups. While you do so, put me into your advisory board. Hence I'm starting this series of blogposts. Each of them will have a cool crypto primitive in it and an idea how to make money out of it. I did not do any market validation for those ideas, that's your job, but I think they are all pretty cool and worth investigating. This first article is more about why doing a startup in cryptography. Continue reading

32c3 - Highlights from the 32nd Chaos Communication Congress

Here is my personal shortlist of talks that I found most interesting. All talks are available online at!

Fun Talks

Beyond your cable modem

In a short and entertaining talk, Alexander Graf shows how he by accident discovered how to gain complete control over three million routers in the network of the German ISP Kabel Deutschland. With this access he could dial expensive 0900 phone numbers, intercept phone calls and all other traffic through the router, and attack other devices in the local network like IP cameras or other “smart” devices, which often do not require additional authentication. This again shows that many systems are built without any security in mind and this was especially true 10 years ago and many systems do not get security audits as long as they work.

The exhaust emissions scandal („Dieselgate“)

In this exciting talk, Daniel Lange and Felix "tmbinc" Domke give more background information on the exhaust emissions "scandal", based on their knowledge. Daniel gives insights on what is driving the Car Industry today and Felix Domke explains his findings when reverse-engineering the ECU, the “brain” of the car engine.


Continue reading

Simons Institute Summer Program on Cryptography

Today started the 2 month Summer Program on Cryptography at the Simons Institute in Berkeley. The Simons Institute for the Theory of Computing is an exciting new venue for collaborative research in theoretical computer science. The Institute typically hosts two concurrent programs per semester, where each is led by a small group of organizers who are recognized experts in their fields, and involves about 40-50 invited long-term participants (a mix of senior and junior researchers) who spend at least one month (usually longer) at the Institute.

The Cryptography program started today with an one week bootcamp that is intended to bring every participant on the same page regarding the recent developments in crypto. This day was extremely instructive because the lectures were not only very up to date but also very well taught, as opposed to the standard conference talk.

And what is really amazing is that the lectures were recorded and are now available online! So have a look at them!


CryptoSaarland: A new meetup for Saarbrücken

I am already very excited to spend the next semester at the Saarland University CS grad school. To find new friends as well as enhance collaboration in cryptography research and development in the area I had the idea of founding a Meetup group in Saarbrücken.

In this group all enthusiasts for cryptography and security are welcome. We will discuss recent achievements in cryptography and related areas such as secure systems, implementation, offensive security, theory of computation, and hardware security in weekly meetings. Every meeting has a designated topic and a member will hold a casual presentation on this topic leading to a onward discussion with accompanied dinner. In the course of the evening, different topics may also be discussed with the present members. As the blood alcohol level raises, the discussion will become more and more informal ;)

For our first meetup I proposed the following topics:

  • BlindBox: How Network Middleboxes like Firewalls and IDS can deal with encrypted traffic without having the secret key
  • SEEED: How SAP can still crunch data when it is encrypted by the customer
  • Zero Knowledge Proof: An Overview, zk-SNARKS and how to use them to make Bitcoin really privacy preserving
  • Bitcoin: An Introduction
  • Secure Multiparty Computation: An Introduction
  • BigInteger Libraries: An Overview of available libraries, their design, and how I try to speed up modular multiplication


Saarbrücken, DE
1 Cryptographers

In this group all enthusiasts for cryptography are welcome. We will discuss recent achievements in cryptography and related areas such as secure systems, implementation, offen...

Next Meetup

Hello World! Our first Meetup!

Wednesday, Apr 8, 2015, 6:00 PM
1 Attending

Check out this Meetup Group →

If you live in the area, please join the meetup group and help to find a time and place for our first meetup!

Joining UC Berkeley in Fall 2015

Today I have got wonderful news to share: I just accepted an offer from UC Berkeley to start a Computer Science PhD program there in fall his year. Reading the admission e-mail some days ago was a sheer breathtaking moment in my life. I'm absolutely thrilled to be working with the great researchers at Berkeley and my motivation just reached the next level.