Sometimes red teams (the bad guys) are hired to test the capabilities of blue teams (the good guys). Some examples of this would be how Quick Reaction Forces (QRF) are pushed into a real-life scenarios to see how they’ll react, Infosec/IT teams are tested under pressure and Intel guys get a dose of deception.

One scenario we often play is the “rogue agent” or “underground criminal,” where part of the plan is to disrupt their listening capabilities.

In this situation, we communicate with someone inside the company or organization being tested and provide a way for their intel and QRF guys to test their skills. Of course we don’t make it easy for them.

Burner Phones

One tool we often use in red team operations are burner phones, which by definition are prepaid cell phones specifically purchased to be used briefly and then replaced.

To make it more interesting, I’ve made a point to collect prepaid phones from different parts of the world. The simpler the phone, the better. In the picture below, you’ll see a phone from the Netherlands, one from South Africa and another from India.

Burner phones from different countries

All of these phones were purchased with cash and not only have plenty of minutes loaded onto them, but are GSM phones that can work anywhere in the world. Let them try to figure these out!

The idea is to use a burner once, make contact and disable it by removing the battery before moving on to use the next one. Then all of the sudden, a different member of the team would use the first one to make a completely innocuous call, like ordering pizza. Only this call would have false information: “Excuse me sir, I’d like to order pizza for 8 people, how many do you think I would need?”

This usually confuses the heck out of the first timers and it’s good to see what they try to do with this information.

Burner phones allow the team to remain fully anonymous by switching between different phones. It also helps test the analysts’ attention to detail and teaches them to start separating solid intel from noise. Like I said, it’s fun to see then scratch their heads over these.

Civilian Applications

While some people might consider burner phones something only criminals use, you now know they’re utilized by red teams too. Law abiding citizens can also benefit from these phones too. Often we don’t want to leave our personal phone numbers when calling companies, due to them selling that information to telemarketers, or we want to set a separate line to be used when purchasing online.

In some other cases it’s a matter of survival. If you have a burner phone from another network, it may be the only one that works during an emergency. Redundancy is a great thing to have when it comes to cellular networks and the point here is to show that they’re a useful tool to have at your disposal.

Editor-in-Chief’s Note: U. Fridman is a senior information security consultant that specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensics analysis and other security services.

Prepaid debit cards are sold as gift cards at many stores and offered by Visa, Mastercard and American Express. These cards are purchasable with cash, which enables them to be used for anonymous, cash-like digital payments.

Once purchased the cards can be used like normal debit or credit cards, but to be used online, they must be registered on a Website. Purchasing goods with these cards doesn’t make much sense, since any physical item will require a real shipping address, but it’s an attractive option for paying for services. One could use an anonymous debit card to purchase VPN and prepaid cell phone services, both of which will contribute to preserving the privacy of your electronic communications.

When purchasing a prepaid card for anonymous use, it’s important to avoid cards which are reloadable. The reloadable cards usually involve actual credit and, as such, require a social security number to be activated. Non-reloadable cards only require a name and address. This information is never verified. It is only used in Address Verification System checks, which is the system that merchants use to verify that a person using a card to make an online purchase, is in fact the card owner. As long as the name and address you enter while registering the card is the same that you provide the merchant, the AVS check will pass.

Options

Visa, Mastercard, and American Express prepaid cards can be purchased at most grocery and drug stores. These stores will usually have a rack somewhere with a wide selection of store-specific gift cards, for places such as Amazon and iTunes, as well as calling cards, prepaid cell-phone cards and reloadable debit cards. The non-reloadable prepaid cards that you’re looking for will be somewhere on the same rack. They’ll be labeled as gift cards and tend to only be available in fixed amounts.

The nation-wide chain of Simon Malls all offer gift cards that can be purchased in any dollar amount from $20 to $500. You can choose between American Express and Visa cards. These gift cards are no different from the prepaid Visa and American Express cards available at your local grocery store, save for the Simon logo.

Simon claims that American Express cards do not need to be registered for online use. I’ve had trouble with American Express cards, both registered and un-registered and tend to avoid them now. I’ve never had problems with Visa or Mastercard cards at any merchant.

I purchase both types of cards. I’ve always paid with cash and I have never been asked for any identification.

Fees

The Simon gift cards require a $2.95 activation fee at the time of purchase, which is regardless of the value that you place on the card.

The un-branded cards also require an activation fee at the time of purchase. This varies based on the fixed-amount of the card that you’re purchasing. It tends to be somewhere between $3.95 and $6.95. The fees are the same for Visa, Mastercard and American Express.

Some of the cards will expire after a period of years and some of them will have monthly fees deducted for inactivity after the first year. These terms will vary depending on the card that you choose, but they tend to be irrelevant. You are not purchasing the card as a long-term value store. You are purchasing the card to use it and it will likely be depleted within a couple months, at which point you can go buy another one.

Limitations

Prepaid debit cards do have their limitations.

• They cannot be used to withdraw cash at ATMs.
• They cannot be used for subscription services with recurring billing.
• They can only be used with US merchants.

The first limitation doesn’t affect us, since we’re discussing using these cards online. The second limitation may impact your intended use, but despite the card’s claimed limitation, I have successfully used them to pay recurring charges. I imagine that this depends on how the merchant does their billing.

The cards can be used to fund a new PayPal account, which allows us to avoid the final limitation, if the foreign merchant accepts PayPal. You can also sign up for subscriptions with a PayPal account funded by an anonymous debit card to address the second limitation.

Tor

Before they can used online, the anonymous debit cards must be registered so that they are able to pass AVS checks. Registration of the card can be completed anonymously through Tor. Tor is an implementation of onion routing, which is a technique used to anonymize digital communications by bouncing the packets through multiple nodes in the network. Before leaving your computer each packet is encrypted multiple times, such that each node in the Tor network can remove only one layer — like peeling off the outer layer of an onion. This prevents any of the nodes on the network from knowing both the origin and destination of the packet. Every node on the network, with the exception of the final exit node, is also prevented from reading the contents of the packet. If the packet was encrypted before being handed to Tor (such as with common web communications using the TLS/SSL protocol), the exit node will also be unable to read its contents.

The easiest way to use Tor is by downloading the Tor Browser Bundle. This is a version of Mozilla Firefox that has been tweaked for privacy, and communicates solely though Tor. The Tor Browser is available for Linux, OS X and Windows. It is simply a binary that needs to be extracted and run. It doesn’t require installation or any configuration.

Registration

Each prepaid card comes with activation instructions that include the URL of the registration page. After visiting this registration page in the Tor Browser, you’ll be asked to enter a name, address and phone number. Remember that this address will only be used for AVS checks. No other verification will be done. Whatever name and address you use, make a note of it so that you can enter the correct billing information when using the card.

Use

After the card has been registered it’s ready to use. Any online use of the card should also be done through the Tor network to preserve your anonymity. If you decide to use the card with a PayPal account, register a new PayPal account through Tor.

Most online purchases will require an email address. Since you’re already in the Tor Browser, head over to Tor Mail and sign up for a new address to use with the card. If you want a quick disposable email address, try Mailinator.

This is the final article of the Inside Red Team Operations series, which is a walk through the Red Team process of planning, preparing and executing a security vulnerability assessment and penetration test; bad-guys style.

Part 1 examined the elements and techniques necessary for planning the operation while Part 2 showed how information gathered during recon is used to implement the plan. This article uses the previous elements to show how the plan comes together.

Alright, we are ready. If you remember from the previous post, we were setting up a fake bird watching conference and expo. We bought the domain and built a basic website that provides information about the “expo.” We also have a C2 (command and control) server ready to receive any transmissions that our backdoors might send if we can install it on the target’s network. Now we just need a viable exploit.

Digging through all of the data we collected during our recon was a slow process, but it enabled us to discover several instances where IT personnel asked about specific versions of Windows, IIS and other applications. It’s a good start, but not enough. It’s time to start putting our social engineering skill to the test. We need to know what kind of operating system (OS) the Vice President or at least the majority of the users run so we can choose the perfect exploit.

I prefer redundancy so I’ll try an email approach and a direct approach via the phone.

First we craft our initial email to the VP of Marketing describing the conference and why we would like him to attend as a keynote speaker. We need to make this as convincing and official sounding as possible. Since we bought the domain for the conference we can create a convincing email address with a @conferencename.com in it. In the email we also point to “more information” on our website and we add snippets of comments from other “famous” bird watchers stating why the conference would be a success.

Before sending off this initial email, we need to write in a little bit of “code magic” to our website. It’s possible to retrieve the OS information through a code running in JavaScript. This code will be executed at the client side; the web browser running on the VP of Marketing computer or at least by his assistant. The code will then pass the information to another piece of code that is hidden from the user.

Now, the page we point to on the link is just a white page. There’s nothing on it other than a hidden use of the JavaScript code. Why? We are making sure that when we call and ask if they checked the website for more info, they would answer that the page was blank. We can then sound confused and ask what browser and OS are they running so we can “fix the page”… It’s all intentional.

Once all of this is ready, we can then send the email and one of two things will happen next:

1.) The VP or his assistant will open the email and go to the website. In this case we should have the OS and the browser information they used logged on our data dump.

or

2.) They don’t care and they will simply delete the email.

If the first scenario happens, we are good to go and we can choose to verify by calling them as a “follow up” to the email. This is optional, but I like to do it. Like I said, redundancy. If the second scenario happens, then we have no choice but to call them. In this case we need to be very careful as to not spook them. We want to sound friendly and convince them that this conference is going to be great and that it would be a privilege to have the VP as a keynote speaker.

So, the assistant opened the email and browsed to our website. We discover that she is running an old version of Windows XP without the latest service packs. It doesn’t surprise me. Now we can call and introduce ourselves. Another team member in the meantime is preparing the backdoor we want to install and the “weaponized” PDF that will make this happen. We call and of course she mentions that the webpage is blank. We can ask her what OS she is running and what browser is she using and tell her right there to try again. Of course we uploaded the actual page now so she can see it.

If we are lucky and she is friendly (shows interest) we can point her to the PDF we want the VP to read. This PDF “has useful information for the keynote speakers”. The PDF is a specially crafted document that will attempt to exploit one of two vulnerabilities found in the version of Internet Explorer that the assistant is running. Once this is exploited, the code will attempt to download the actual backdoor from our C2 server.

We can learn two things here: if the backdoor is downloaded successfully we then know that we can connect to the C2 server without any problems and that the security software on that computer didn’t detect us.

Of course, if the backdoor wasn’t successfully downloaded, it could be due to several reasons. The main two being that the exploit didn’t work or we were blocked and couldn’t connect to the C2 server.

Up to this point we were not sure whether we would need a physical penetration of the target. So, I’m going to divide the post in two now: what would happen if the backdoor was installed and what would happened if a physical entry is needed.

Digital Penetration

The weaponized PDF worked and now we have an initial entry into the target. We are now sitting inside the assistant’s computer. It’s tempting to start scanning for other computers connected to the same network, but we need to remember we wish to remain hidden and not be discovered. Our target is the VP of Marketing. Our focus should be him.

The backdoor we installed allows us to send other binaries that can help us recon the computer and eventually jump into the VP’s machine.

The first thing we do is install another, different, backdoor. This is done for redundancy and persistence. If the first one is discovered, we want to have another way in already in place. The second thing we do is to check the assistant’s email files. If she answered the VP’s email, she has access to his account. Maybe we don’t even need to access his computer to collect sensitive corporate information.

If we do need to jump on the VP’s computer, there are several things we can test. We can scan the network for the system names and see if we can spot this particular computer. This approach is usually noisy and can set off various alarms so it should be the last resort. If you do decide to go this way, create a very noisy piece of malware that will give IT and security something to chase after. While they are on the false trail, I’ll do a more silent scan of the actual network. Deception is key.

What I would start with is listing the shares on the Assistant’s computer. Maybe she is copying files to and from the VP’s computer. I would also check the list of past connections and the user names on her computer to see if maybe they are sharing the same computer. I could also send an email from her account to the VP’s and see if we can get the IP address from the email.

Moving inside the network is a delicate task. In our case we have a target, but what if we didn’t and we just want to find a possible target?

We are a red team, we need to think like an attacker. What are you after? Data? A specific computer or server? A specific person? Total disruption of the network? Once you know your target or what you want to achieve, make a plan. Create a diagram of what you know and what your next 4-5 moves will be. Create contingency moves for each one, you never know. It’s a useful thing to have when a good sysadmin or security guy on the other side discovered you and is trying to block you.

Modern networks, even in small to medium organizations, can have a lot of complexity and security features built in. Plan a stealthy recon and send a noisier bot somewhere else. Depending on how much time you have try to move slowly. Do not set off any alarms. Add each potentially good system you find to an overall map of the network as you know it. Record their names, IP address, OS, apps running, etc. The idea is to have as much information in front of you on the whiteboard as possible, then plan the next phase: where to go and what to extract. Plan the egress routes and the protocols you’ll use to extract the information. In our case, we can setup a good backdoor with a connection to the C2 server but sometimes extracting the information is not as easy. You should get different servers ready to receive the data (encrypted of course since it’s property of your customer). Have fallback servers as well; Mr. Murphy is always present.

Once you are done with the planning, execute. Again, stealth is key here. Unless you were specifically hired to test the reaction of the organization’s quick reaction teams, you should try to be as quiet as sign language. Move slowly and copy information in small bits. If you have a 2GB file you need to extract, partition it into smaller chunks and extract them using different protocols.

When you are done with the execution, vanish. Clean any backdoors and other tools you might have left on the network. This is done not only to avoid being detected, but if there is an actual bad guy in the network you don’t want to aid them with tools or backdoors. Do not erase logs. These are great educational tools for the security guys at the organization and they can learn forensics through them.

So, back to our target, the VP. Searching for a share or a connection didn’t return any leads. We can however send an email to the VP with the link to our website where the JavaScript code can grab his IP and other information. Using the Assistant’s email address we send him an email saying that she thinks the keynote invitation is a great opportunity and he should check out the website. This works. We now have the IP address for the VP’s computer.

By using a small port scanner (using a custom low-signature port scanner we wrote and uploaded via the backdoor) we discover that the standard Windows administrative shares are enabled. These are the classic C$, D$, ADMIN$, etc. These shares will allow you to browse the computer’s files remotely by doing a simple \\IP_ADDRESS\C$ (it’ll display the contents of the C:\ drive). In some cases these shares require login credentials, which are relatively easy to get by “sniffing” the network or grabbing them out of the domain controller (this is a subject for a whole different post…). So, we move into our target and after a quick search we find his documents. We compress them, partition the file into smaller chucks and began the slow and methodical process of data egress.

An offline analysis of the documents reveals that we now have a copy of the corporate marketing plan for the next 5 years.

Mission successful.

Physical Penetration

Sometimes a digital-only penetration is not possible. Ultimately we would still like to get those valuable documents but we can’t find a way in through the exploitation of digital vulnerabilities. This is when the physical recon we did in the early stages of the project comes in handy.

There are two types of physical penetrations: covert and overt. In a covert infil you find a way to breach the physical security of the perimeter and enter the premises without anyone knowing you were there. An overt infil, on the other hand, is one where you enter the building in plain sight, go through security and pretend to have a reason to be there. I’ll focus on the overt case because usually these are the most fun.

We first need to come up with a plausible backstory. Just as before, believability is paramount.

The company uses Software X to run its servers. X is a very expensive piece of software that requires a very specific license. It is known that big companies try to save money by acquiring one license and reusing it on more than one server (illegal). One scenario I found that often works is the guise that I am there to check their licenses. How can we do this?

Based on experience, security guards and receptionists at the main entrance of the company are often bored and tired, so a well placed call a day or two ahead of the operation will give us a good way to get in. We call and we can say something like: “Hi, my name is John Doe, I’m with Software X. We are currently performing our quarterly license test and we’ll be sending Mr. Some Name tomorrow to check yours.” Now, in some cases the security guards will transfer this call to an IT engineer or manager in charge of the servers. These people can challenge this by saying that they would talk to their Software X account representative and that’ll be the end of it. If you really did your homework you would have called Software X and asked to talk to the person in charge of this account, so you would know his name. You can tell the IT person that “Mr Account Manager Name” is up to speed and he would be calling him soon to let him know about the license check.

Most times, the security guards will eventually let the IT person know, but in a way so out there that the IT person would go something like: “OK, let me know when he is here.”

Now, I usually use a name I can back up with an ID. Either my real name so I can show them my drivers license, or one that I can have a fake license made. I also like to have an ID card with the logo of the company I’m supposedly working for, together with my name, picture and other little pieces of false info. You can find pictures of badges by searching for them online. It doesn’t have to be perfect, but it has to be good enough to make the guard believe you indeed are an employee of Software X.

This way, when we arrive in the building the next day, they are expecting us. We need to be dressed properly, suit and tie, etc. Go to the guard, give them your name and the drivers license and fake Software X ID card. Tell them you are here to check the license. Chances are you will be told to wait for the IT person to show you in. When that person arrives, introduce yourself, show them your ID card or give him a fake business card. You can mention “Mr Account Manager Name” and share that he sends his regards. Make it sound official.

If you are lucky you will be let into one of the server rooms. If you get to this point you are done. It would take little work to get to the good stuff from there.

If this first deception didn’t pan out as planned, there are other methods of overt infil you can attempt. Again, dressing up and playing the part is key. You need to arrive first thing in the morning, when everyone gets in. Try to find the smaller entrances, one that would get less attention by the security guard and just walk right in pretending to be on the phone. Hang a fake ID card on your pocket with the rear of the ID facing outwards. If someone is looking at you, they will see a badge and most likely won’t bother you (since you are also “on the phone”).

Once inside, you need to do a little recon and find those servers. Depending on what intel you gathered from your initial recon, you may actually have a pretty good idea of the servers location.

At this point I like to talk to the cleaning people if I can find them. I become very friendly with them, speaking in their own language if I can, talking about sports or other things you might notice on their cleaning carts, clothing (logo hat, uniform or t-shirt, etc) and other stuff. Once you have that conversation going, you could steer it towards something you want to know, like: “Wow, this is a huge building. How do you manage to take care of it by yourself?” He would reply: “Oh there’s a whole group of us that clean here.” Then you can go: “I bet they have the biggest computer rooms!” He at this point is your friend and chances are he would answer something like”: “Yeah, the room on the 3rd floor has 200 computers! It takes the whole floor.” Bingo, you have the info you were looking for.

It’s not always that easy, but you get the idea.

Physical penetration can be dangerous, especially on companies where the guards are authorized to use lethal force to stop an intruder. I’ve been there and have almost gotten shot a few times.

Anyway, this is in my opinion the most fun part of the project, however it should be your last resort. Training often and hard is the key. Go out and play safely.

Editor-in-Chief’s Note: U. Fridman is a senior information security consultant that specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensics analysis and other security services.

Staying safe and protecting your valuables when away from home should always be a priority. Like most people, you might think that your electronically locked hotel door is secure enough to keep out the unwanted. There’s no physical lock to pick and you need a key card to get in, that’s good, right?

Unfortunately, it’s not. There’s a tiny device out there that can open approximately one third of all hotel doors in seconds.

Using an Arduino microcontroller and a few other components, almost anyone can build a device small enough to fit inside of a dry erase marker. This can then be used to unlock most hotel doors, including the dead bolt, in no time at all.

Watch the NBC News Report below and see what you think. What unnerves me the most about this situation is that the President of the American Hotel and Lodging Association doesn’t feel that guests are vulnerable. His statement? They have “extra security in a lot of the hotels.” It does look as if Onity is finally starting to fix this issue though. Forbes recently shared news of their progress a few days ago but with this being one of the most popular locks for hotel room doors, it may take a while to secure all of them.

Note: The purpose of showing this is to inform the public of this issue. Don’t be lulled into a false sense of security in anything you do. We’ve always advocated providing information educates on the illusion of security.

This hack was discovered by Cody Brocious who posted an excellent writeup on how and why it works to open these types of locks.

Matt Jakubowski, a pentester for Trustwave SpiderLabs, did a test at home with an Onity door lock and a device he built himself.

What You Can Do

So now that you know how it all works, how can you secure yourself and your belongings? It’s probably a good idea to call the hotel ahead of time and find out if they use Onity locks on the doors and if they do, ask if the locks have been upgraded. Ultimately, no lock is truly safe, but staying at a hotel with a massive security breach is obviously not a good idea.

If you are already in the hotel and in the room, use the chain on the inside of the door. If someone manages to open your deadbolt from the outside (as this device can), they would only be able to open the door a couple of inches which would provide you time to call for help. Just don’t think that the chain is the be-all end-all answer, but it is an added safety measure. This obviously only works if you’re in the room.

When you leave the hotel, use the safe in the room or one at the front desk if they have them. The easiest solution is to simply bring your valuables with you. If you do have to leave items in the room, it may be good idea to hide them in plain sight. Here are some interesting ways to store your stuff when you leave your hotel room.

• Rubik’s Cube Safe
• Dr Pepper Can Safe
• Hidden Book Safe
• Coffee Mug Hidden Safe
• Barbasol Shaving Cream Safe

Do note that these aren’t truly “safes” as they don’t lock. They do however allow you to keep small items relatively secure. If you want to save money, get creative and try and make some of these yourself.

Another option is something like the Pacsafe steel mesh cabling, which covers your entire bag or pack and could possibly deter a thief. What’s nice about Pacsafe devices like the image on the right, is that it completely covers your luggage, it’s not just a cable lock that leaves the majority of your bag still exposed.

Face it though, all security is ultimately defeatable by someone or something. Take the approach that we like to mention, all security is just simply buying time…

Editor-in-Chief’s note: This post was written by security expert U. Fridman and originally ran on his company blog, Red Teams.

A few years back, a customer asked us to test their newly installed (and very expensive) surveillance and security system. The product promised them an automated system that was so secure they wouldn’t have to place a security guard there.

After some recon we discovered that while the entrance was guarded by a very secure keypad + access card combination lock, the inside had an automated “unlock” sensor so if anyone wanted to come out, the door would unlock from the inside.

Using a high resolution night capable camera, we took photos of the door and lock. After careful review of the pictures we found out that the top and bottom of the doors were not sealed tight against the floor as we could see a tiny bit of light from there. A plan was set in motion.

Later when we arrived, we approached the door carefully and removed a piece of gear from our kit that would, hopefully, allow us to bypass the “very secure” lock: an old credit card.

We slid the old credit card under the door and… nothing.

After a few seconds we agreed that the sensor wasn’t picking the movement, maybe because we were too close to the door and sensors usually “look” a bit farther out.

We retrieved another credit card and we tied it up to a piece of metal string (essentially several springs from a pens click mechanism tied together). We pushed the card under the door again, then carefully we pushed it farther with the metal string. And farther, and farther and… voila! The motion sensor detected movement “from the inside” and unlocked the door.

We were in.

Big, expensive, digital lock defeated by an old credit card and a spring.

My phone started to ring. Was it really who I thought it was? The display said that the connection was secure but I had to be certain. We verbally verified that we were seeing the same two random words (secure authentication string) on our phones.

“skydive amulet”

The green “Secure” text appeared so we knew there was no one listening. This technology isn’t just for spooks. This is a $20 a month service you can sign up for today.

Yesterday, an app for the iPhone (Android coming soon) was released that promised to protect your privacy when calling and sending texts. Silent Circle uses TLS and ZRTP protocols to encrypt packets of your phone call across the Internet making each call secure.

It costs $20 a month (with different plans available) and all of the data from your phone goes through a custom built encrypted network, the Silent Network, providing you with a secure line. Check out their site for a full rundown on the capabilities of the Silent Network.

The Silent Phone app handles the call side while Silent Text app encrypts and secures your text messages. In the Silent Text app, you’re even able to set a duration for the visibility of that specific text. Once it hits the time you designate, the message “burns” and disappears.

Silent Circle is  careful to spell out what they do and don’t do. Of course, it’s worth noting that you have to use your best judgement when using the apps. If you are in a public place, people can still eavesdrop on your conversation.

While we are still trying out the app, the one thing that caught my eye is that the iOS app isn’t made for the larger screen of the iPhone 5. That’s probably just a problem for early adopters but it’s something I noticed right off the bat.

Does it Really Work?

While we consider ourselves a fairly techy crew at ITS, some of the specifics with this app and network are a bit foreign to us. We asked someone with more security knowledge to weigh in on Silent Circle:

“It’s a proprietary system, which means that nobody knows the real workings of it. The only choice is to trust that the company does what they claim they do, never makes any mistakes and always does the right thing. For a piece of software that is just a fun toy, that may ok, but for security software, it’s unacceptable.” As the Free Software Foundation said, “Proprietary security software is an oxymoron — if the user is not fundamentally in control of the software, the user has no security.” [0]

Furthermore: “In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It’s true for cryptographic algorithms, security protocols and security source code. For us, open source isn’t just a business model; it’s smart engineering practice.”[1]

[0] https://www.fsf.org/blogs/community/dear-microsoft-fsf.org-is-not-a-gambling-site
[1] https://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity

Until we get some further time behind this app to test it, we leave you with this appropriate web comic from XKCD: