Google gets patent for ‘heart’ shaped gesture, and I wonder if they also got the patent for The finger gesture since we all know, not everything that we’re not marking as ‘liked’ (as intendet by the like gesture) we also don’t like. In this world of friendface’s and google’s likes, I really getting the urge to stand against, to hate and be disgusted about stuff.
Heute erschien das Buch “Arbeitsfrei” von Frank Rieger und Constanze Kurz
Was kommt nach den Maschinen?
Wie werden wir morgen arbeiten? Diese Frage bewegt immer mehr Menschen, und doch wissen wir viel zu wenig darüber, wie die Arbeitswelt heute und in Zukunft tatsächlich aussieht. Das archaischste und ursprünglichste aller Lebensmittel, unser Brot, kann als Paradebeispiel für Automatisierung gelten. Hier zeigen sich viele Mechanismen und Technologiewellen, die in anderen Branchen erst noch kommen werden. Von der industriellen Landwirtschaft über die Produktion der Landmaschinen, die Backfabriken bis zur durchdigitalisierten Lieferlogistik – Menschen spielen dabei eine immer untergeordnetere Rolle. Wenn die Maschinerie läuft und den Takt vorgibt, sind sie nur noch Handlanger in Niedriglohnberufen.
Welche Umbrüche und Verwerfungen kommen auf uns zu? Sind wir Menschen zwangsläufig die Verlierer in der Maschinenwelt, oder haben wir die Chance, neue, positive Lebensbedingungen zu gestalten?
… bestellen, lesen!
I consider that the golden rule requires that if I like a program I
must share it with other people who like it. I cannot in good
conscience sign a nondisclosure agreement or a software license
agreement.So that I can continue to use computers without violating my principles,
I have decided to put together a sufficient body of free software so that
I will be able to get along without any software that is not free.
30 years ago Richard Stallman started GNU with his announcement of the GNU’s not UNIX project.
Congratulations, Richard!
“The matter for Apple was comfort, not Security”
For Jan Krissler (aka Starbug) it wasn’t a struggle to bypass the fingerprint scanner of the iPhone 5s. In an interview he explains why passwords mostly are more secure than biometry.
ZEIT ONLINE: You did hack the fingerprint scanner of the iPhone 5s, why?
Jan Krissler: Since 10 years I deal with security of biometric systems, especially how to override them. From time to time, when a new product emerges, I look at it and check if the old techniques of bypassing still work, or if there are new challenges. With the TouchID sensor I assumed challenges but unfortunately was disappointed.
ZEIT ONLINE: Are fingerprints qualified at all to secure a telephone, a door or other things?
Jan Krissler: As with all biometric systems one must ask, what data or things you want to protect with it. If their value exceeds the effort to crack a system, the choice of an easily bypassable biometric system might not be the best choice.
ZEIT ONLINE: Which means that biometry is easier to overcome than a password for example?
Krissler: That depends on the password and how the user deals with it and, of course, also the biometric system. At least I assume my passwords to be more secure than my fingerprint. The problem is that one leaves fingerprints everywhere, that faces can be photographed unnoticed. My password is in my head and if I’m careful typing, I will remain the only one who knows it.
ZEIT ONLINE: Which biometric data would be appropriate to establish access control?
Krissler: There are certain characteristics that are better and characteristics which are less suitable. The better ones include those which you do not leave anywhere, or the ones that cannot be taken off easily and unnoticed. Which means, characteristics that you can actually only be read with an appropriate sensor. The vein pattern is a good example. I had assumed that Apple would apply something of the kind. After all at the launch of the iPhone it was announced that the scanner will have a sub-epidermal finger recognition, i.e. one that not only relies on finger ridges on the surface. Frankly spoken, I was shocked by how easy it was to bypass it.
But also in other processes such as vein patterns it must be clear: if someone gets access to such a characteristic, he will find a way to replicate it and thereafter to overcome the system.
ZEIT ONLINE: So why is biometry presently so highly touted as a security mechanism?
Krissler: As there is a big industry behind it and because biometry also is capable of identifying people.
ZEIT ONLINE: But isn’t it that biometry works fine to clearly identify someone, but not as good to have something secured?
Krissler: One can customize systems quite well, as long as they only need to distinguish people from each other. In this case the error rate is quite low. But once you have the whole of humanity, or in this case all iPhone users as a target group, things get quite impossible. Simply because its characteristics vary greatly. Biometry just also has its weaknesses. Unlike passwords that are either right or wrong, there is always a certain probability of match. Therefore the TouchID scanner isn’t really a security method, but a comfortable method. Had Apple made the mechanism more secure, too many people would have struggled turning on their iPhone and too many people would have been rejected too often.
Many don’t use any passcode on their smartphone at all, whereas using a fingerprint is still better than nothing – as Apple said at the launch. But it’s obviously about convenience and ease of use, not about security. Therefore I would not even want to rate TouchID associated with security practices.
ZEIT ONLINE: The iPhone has a fairly high status, many find it great. Is it a problem if such a popular device relies on biometry, and thus spread a, shall we say, problematic security method to be used?
Krissler: This has already begun with the fingerprints in the German identification card and the passport. Thus, methods that were actually intended to identify criminals, carried out to the general public. This of course is problematic. On one hand, because data is gathered that would not have to be captured and could be abused for other things. On the other hand because this way everyone is getting used to biometry and then use it for all sorts of applications. The best example for this is Hamburg, where at one school all students had to submit their fingerprints to get their lunch.
The interview was conducted in written via Jabber.
Original Interview (in German) by Kai Biermann (with kind permission for publication of my english translation).
Links:
ZEIT Online Article
Chaos Computer Club
Raumfahrtagentur
Neusprech
[Update 1st of October 2013]
Dustin Kirkland, a GNU/Linux Ubuntu Developer writes:
But biometrics cannot, and absolutely must not, be used to authenticate an identity. For authentication, you need a password or passphrase. Something that can be independently chosen, changed, and rotated. I will continue to advocate this within the Ubuntu development community, as I have since 2009.
Hackern des Biometrie-Teams des Chaos Computer Clubs (CCC) ist es gelungen, die biometrischen Sicherheitsfunktionen des Apple TouchID mit einfachsten Mitteln zu umgehen. Dazu genügte den Hackern ein Fingerabdruck, welchen sie von einer Glasoberfläche abfotgoraphierten, um einen künstlichen Finger zu erzeugen. Damit waren sie in der Lage, ein iPhone 5s zu entsperren, welches mit TouchID geschützt war. Damit demonstrierten die Hacker wieder einmal, daß biometrische Daten zur Verhinderung eines unberechtigten Zugriffs vollkommen ungeeignet sind. […]
=^.^= … here’s your alternative: order Jolla phone
[Update]
Go to Minute 0:46 in the video, grab the fingerprint of Starbug and reproduce it 😎
[Update]
Starbug just published another video how to deploy the respective hack:
سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
Allegedly “save” and “secure” e-mail services nowadays start popping up all over the net. – Here’s the latest Fuckup called whistle.im which was revealed by CCC Hannover:
Seit uns die Snowden-Enthüllungen gezeigt haben, dass die NSA und das UK nicht nur in der Lage sind, alle Verbindungen, die die Grenze passieren mitzulesen, sondern dies auch tun, ist eine deutliche Steigerung des Interesses an Verfahren für die Verschlüsselung von Kommunikation im Internet zu erkennen. Dieses begrüßenswerte Phänomen entwickelt jedoch zunehmend einen bitteren Beigeschmack durch neu entstehende Projekte, die aus Marketingzwecken grade jetzt aus dem Boden gestampft werden. Diese Projekte spielen mit dem gesteigerten Problembewusstsein der Bevölkerung, ohne dass sie einen wirklichen Schutz liefern.
Neben der “E-Mail Made in Germany” brüstet sich ein Projekt von zwei Studenten namens whistle.im damit, sichere Ende-zu-Ende-Verschlüsselung anzubieten. Auch sie legen Wert auf den lächerlichen “Made in Germany”-Slogan. […]
Here’s a quick howto which describes how to easily dump rtmp streams from dcpt.tv.
(You won’t need wireshark for it, just rtmpdump has to be installed on your *NIX system.)
1.) Go to the respective site, e.g. Abhören für Alle by Harald Welte and check the source code of the site (ctrl + u in Firefox). – Watch out for the following lines in the html source code:
$.ajax({
url: "/elastic_streaming_client/get_streaming_server/",
success: function(data) {
$("#stage").get(0).innerHTML = '< video id="player" width="' + width + '" height="' + height + '" controls="controls" src="http :// ' + data[0].server + '/vods3/_definst/mp4:dctp_completed_media/a2dd446bdf6a4c3584a320b7decc42f1_iphone.m4v/playlist.m3u8">Dieser Browser unterstützt kein HTML5 Video';
$("#player").get(0).play();
$('#play_button').hide();
}
});
2.) Extract the string in the line url: (e.g. “/elastic_streaming_client/get_streaming_server/) and consolidate it with “http://www.dctp.tv” to “http://www.dctp.tv/elastic_streaming_client/get_streaming_server/”. Visit the site and extract the information which appears in the browser window.
[{"endpoint": "rtmpe://ec2-107-22-34-75.compute-1.amazonaws.com/securestreaming", "type": "wowza", "server": "ec2-107-22-34-75.compute-1.amazonaws.com"}]
3.) Extract the information “src=” in the line #stage from the source code of the original page (e.g. “http://’ + data[0].server + ‘/vods3/_definst/mp4:dctp_completed_media/a2dd446bdf6a4c3584a320b7decc42f1_iphone.m4v/playlist.m3u8” and consolidate the info with the “endpoint” information from the second page. (substract “/playlist.m3u8” which isn’t needed.)
rtmpe://ec2-107-22-34-75.compute-1.amazonaws.com/vods3/_definst/mp4:dctp_completed_media/a2dd446bdf6a4c3584a320b7decc42f1_iphone.m4v
4.) Open a shell and enter the following command into the command line, whereas -r defines the rtmp url and -o the option of the output filename where the file is being dumped to.
rtmpdump -r rtmpe://ec2-107-22-34-75.compute-1.amazonaws.com/vods3/_definst/mp4:dctp_completed_media/a2dd446bdf6a4c3584a320b7decc42f1_iphone.m4v -o AbhoerenFuerAlle-HaraldWelte.flv --resume
5.) Use Arista transcoder or Miro converter to convert the dumped flv file into any format.
enjoy!
[Update 15FEB2014]
Georg wrote dctp-dl, a command line tool to download the video file as mp4 directly.
Are you thinking of buying the newest slick smartphone? Well then, get the latest “Blackberry Q10” with implemented sneaking high-end “suppa duppa” username & password delivery feature which sends your credentials directly to the NSA and all these “nice guyz” protecting us from “za thheRR0Riz”. – ’cause as you’ve nothing to hide anyways and ain’t give a shit about your goddam privvvazy! – Y0!1!!
When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberrys server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing inbetween – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the “Five Eyes”, the tigh-knitted cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIMs databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to use an alternative mail program like K9Mail.
Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind BER, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.
Recipe for own experiment:
1. set up your own mail server with full logging
2. create throw-away IMAP account
3. enter IMAP account credentials into Blackberry 10 device, note time
4. check mail with Blackberry
5. look in logfiles for IP 68.171.232.33 (or others from RIM netblock)
Source: Frank at geekheim & Fefe
SRSLY: think about digital disobediance. – NOW!
