Murder Board Blog Series: Prequel
[This is the first part of a five-part article series describing analogies between the world of IT security and research in other fields. Analogies are often used to deflect and conceal missing arguments. Didactics uses analogies as a powerful tool to explore your own understanding and to help you use your knowledge from other fields. Please use the articles of the Murderboard series (our name for the five-part article) for educating IT-affine people about information security. It’s never bad to have allies who understand what to look for in time of trouble.]
It was a warm summer day when I got a call from an acquaintance who wanted to hire me for data protection coaching with one of his clients. Besides crime writing, I also work in data protection, helping self-employed people and small businesses to set up their websites and also their internal processes in a data protection-compliant way and so on. Perhaps a somewhat strange mixture: crime fiction and data protection. But on a closer look it actually isn’t, which will—hopefully—become apparent in the course of the following four blog posts. My friend’s inquiry was about a suspicion that information was leaking out of the company and being used by the competition.
I prepared quite a long list of questions, which was partly fed by my experience in data protection, but also by seven years of experience as a project manager in web development. I showed the question list to René, who works as a freelance pentester. Maybe some of you know him from the privacy podcast episode on “Pentesting” or also some of his talks at PrivacyWeek. It took a good half hour, then I got the answer: “Looks complete”. And I thought to myself: crime writer and IT-sec—a perfect mix for such a job! Criminalistic thinking can help to convict criminals. What would I attack if I were targeting a small company or even an individual?
A little later I got another message: “Make a murder board! A classic who – against whom – when – where – why.”
I thought: “I told you so, crime writer and IT-sec.”
And a third message followed: “I have an idea! Let’s write a murder board blog post series together!”
And here we are: where crime fiction, privacy and IT-security come together.
By the way, we are: René “Lynx” Pfeiffer, IT-security expert and organizer of the annual DeepSec conference, which brings together experts in IT-security and offers a select workshop and lecture program. And me, Klaudia “jinxx” (or “jinxxproof”) Zotzmann-Koch, author, podcast host, privacy expert and co-organizer of the annual PrivacyWeek since 2016.
You might wonder why we’re taking forever to write a blog post series. The answer is quite simple: we want to show you that #onlinecrime is much more common, easy and diverse than you might think. Add to that my experience from many workshops in schools, community colleges, self-organized webinars and more, that the questions asked are always the same in all age groups from 12 to 92. Plus the unanimous opinion that “I’m far too uninteresting for them”, with no further definition of who “they” are. And of course the ubiquitous “I have nothing to hide,” which reads more like “I don’t want to deal with this topic” and points to a popularity comparable to counting calories or testicular cancer. Above it all hovers a blind faith in technology; an expectation of salvation that technology can and will solve all our problems if we just let it. Coupled with naïve guilelessness toward companies and institutions, but also toward authorities and the state.
We want to show you what is currently (Spring 2021) actually possible and workable, how difficult or easy it is, and what interests are behind it. And we want to prepare some entertaining reading minutes. The topic is serious, but at least it can be told entertainingly.
The other posts in this series are (we will link them as soon as they get published, or you can just use the Murderboard tag):
00 Prequel (German / English)
01 Chapter 01: Traces (German / English)
02 Chapter 02: Investigations (German / English)
03 Chapter 03: Serial Hackers (German / English)
04 Chapter 04: State Hacking (German / English)
Klaudia’s blog also has the German versions of the articles.
Our presentation at #pw20 (in German) can be found here: https://media.ccc.de/v/pw20-367-murderboard-wo-krimi-privatsphre-und-it-sicherheit-zusammenkommen