Archive

Posts Tagged ‘1984’

CCC proudly announces honorary members Chelsea Manning and Edward Snowden

August 24th, 2014 No comments

Congratulations, CCC!

Chaos Computer Club supports Chelsea Manning and Edward Snowden
2014-08-24 00:52:00, 46halbe

Since its founding more than thirty years ago, the Chaos Computer Club (CCC) holds strong beliefs in the freedom of information. Consequentially, freedom fighters and whistleblowers deserve our utmost respect and support. For this reason we will help the European legal team of Edward Snowden financially.

Asylum, legal counsel and protection are costly. This is why we decided to support Snowden’s six European lawyers with 36.000 Euro to cover their expenses. Earlier this year, the CCC general assembly also decided to offer Edward Snowden the honorary membership, which he accepted gladly.

“The long lasting dedication of the CCC and others for citizen’s rights and against mass surveillance paved the road for a broad public debate after Edward Snowden’s revelations”, said Snowden’s German lawyer, Wolfgang Kaleck. “Both the commitment as well as the support for Snowden require perseverance. The financial support provided will help sustain these efforts.”

Edward Snowden is the source of many leaks about the so-called Intelligence Community and their hacking and surveillance operations, which made news headlines all over the world. He ignited the necessary global discussion by informing journalists about how much and how deeply we are being spied on by the NSA and their partners, how they infiltrate telecommunication and Internet service providers. One of our central claims and part of our hacker ethics is: “Public data should be utilized, private data should be protected.” Edward Snowden had the guts to live by our principles.

Undoubtedly, Chelsea Manning’s courageous actions also stand in line with these values of ours. To express our support and respect, the CCC bi-annual general assembly unanimously voted for offering her the honorary membership. She agreed to accept our offer. Needless to say, it is an outstanding honor for us to count Chelsea Manning as one of us!

The former US private Chelsea Manning, stationed in Iraq in 2009 and 2010, was sentenced for violations of the Espionage Act and other offences in August 2013. Allegedly, she transferred hundreds of thousands of military and U.S. State Department documents and the infamous “collateral murder” video to Wikileaks. Detained as a political prisoner in 2010 under unduly harsh conditions without minimal standards of humane treatment and stripped of her clothing in custody every night, Manning is now serving a 35-year sentence for her courageous acts. [1]

Links:
[1] Alexa O’Brien at the 30th Chaos Communication Congress (30c3) reporting on the secret trial of Chelsea Manning
[2] Edward Snowden Interview Transcript

Brave! – Become a CCC member yourself today!

Swiss Lawful Intercept Report 2014

March 16th, 2014 No comments

Die Digitale Gesellschaft veröffentlicht heute einen Report zu den Überwachungsaktivitäten der Kantone und des Dienstes Überwachung Post-
und Fernmeldeverkehr (Dienst ÜPF). Der Swiss Lawful Intercept Report
2014 besteht aus mehreren Teilen:

  • Der Rückblick über die letzten Jahre zeigt den steten Anstieg der Überwachungsmassnahmen.
  • Die Statistik 2013 beleuchtet die Überwachungsmassnahmen nach Delikten und zeigt signifikante kantonale Unterschiede auf.
  • Ein Kapitel widmet sich der Gewichtung schwerer Straftaten, mit welchen immer wieder für Überwachung argumentiert wird, und zeigt auf,dass diese Straftaten nur einen geringen Teil an der Gesamtmenge an Überwachungen ausmachen.

Eine politische Einschätzung beleuchtet die Totalrevision des BÜPF (Bundesgesetzes betreffend der Überwachung des Post- und Fernmeldeverkehrs).

Der Swiss Lawful Intercept Report 2014 (PDF) steht online zur Verfügung.

Source

“ZEIT Online” Interview with Starbug

September 26th, 2013 No comments

Starbug-TouchID“The matter for Apple was comfort, not Security”

For Jan Krissler (aka Starbug) it wasn’t a struggle to bypass the fingerprint scanner of the iPhone 5s. In an interview he explains why passwords mostly are more secure than biometry.

ZEIT ONLINE: You did hack the fingerprint scanner of the iPhone 5s, why?

Jan Krissler: Since 10 years I deal with security of biometric systems, especially how to override them. From time to time, when a new product emerges, I look at it and check if the old techniques of bypassing still work, or if there are new challenges. With the TouchID sensor I assumed challenges but unfortunately was disappointed.

ZEIT ONLINE: Are fingerprints qualified at all to secure a telephone, a door or other things?

Jan Krissler: As with all biometric systems one must ask, what data or things you want to protect with it. If their value exceeds the effort to crack a system, the choice of an easily bypassable biometric system might not be the best choice.

ZEIT ONLINE: Which means that biometry is easier to overcome than a password for example?

Krissler: That depends on the password and how the user deals with it and, of course, also the biometric system. At least I assume my passwords to be more secure than my fingerprint. The problem is that one leaves fingerprints everywhere, that faces can be photographed unnoticed. My password is in my head and if I’m careful typing, I will remain the only one who knows it.

ZEIT ONLINE: Which biometric data would be appropriate to establish access control?

Krissler: There are certain characteristics that are better and characteristics which are less suitable. The better ones include those which you do not leave anywhere, or the ones that cannot be taken off easily and unnoticed. Which means, characteristics that you can actually only be read with an appropriate sensor. The vein pattern is a good example. I had assumed that Apple would apply something of the kind. After all at the launch of the iPhone it was announced that the scanner will have a sub-epidermal finger recognition, i.e. one that not only relies on finger ridges on the surface. Frankly spoken, I was shocked by how easy it was to bypass it.

But also in other processes such as vein patterns it must be clear: if someone gets access to such a characteristic, he will find a way to replicate it and thereafter to overcome the system.

ZEIT ONLINE: So why is biometry presently so highly touted as a security mechanism?

Krissler: As there is a big industry behind it and because biometry also is capable of identifying people.

ZEIT ONLINE: But isn’t it that biometry works fine to clearly identify someone, but not as good to have something secured?

Krissler: One can customize systems quite well, as long as they only need to distinguish people from each other. In this case the error rate is quite low. But once you have the whole of humanity, or in this case all iPhone users as a target group, things get quite impossible. Simply because its characteristics vary greatly. Biometry just also has its weaknesses. Unlike passwords that are either right or wrong, there is always a certain probability of match. Therefore the TouchID scanner isn’t really a security method, but a comfortable method. Had Apple made the mechanism more secure, too many people would have struggled turning on their iPhone and too many people would have been rejected too often.

Many don’t use any passcode on their smartphone at all, whereas using a fingerprint is still better than nothing – as Apple said at the launch. But it’s obviously about convenience and ease of use, not about security. Therefore I would not even want to rate TouchID associated with security practices.

ZEIT ONLINE: The iPhone has a fairly high status, many find it great. Is it a problem if such a popular device relies on biometry, and thus spread a, shall we say, problematic security method to be used?

Krissler: This has already begun with the fingerprints in the German identification card and the passport. Thus, methods that were actually intended to identify criminals, carried out to the general public. This of course is problematic. On one hand, because data is gathered that would not have to be captured and could be abused for other things. On the other hand because this way everyone is getting used to biometry and then use it for all sorts of applications. The best example for this is Hamburg, where at one school all students had to submit their fingerprints to get their lunch.

The interview was conducted in written via Jabber.

Original Interview (in German) by Kai Biermann (with kind permission for publication of my english translation).

Links:
ZEIT Online Article
Chaos Computer Club
Raumfahrtagentur
Neusprech

[Update 1st of October 2013]
Dustin Kirkland, a GNU/Linux Ubuntu Developer writes:

But biometrics cannot, and absolutely must not, be used to authenticate an identity. For authentication, you need a password or passphrase. Something that can be independently chosen, changed, and rotated. I will continue to advocate this within the Ubuntu development community, as I have since 2009.

read Fingerprints are Usernames, not Passwords

FaaS – Fuckup as a Service

August 19th, 2013 No comments

whistle.im-logo-bigAllegedly “save” and “secure” e-mail services nowadays start popping up all over the net. – Here’s the latest Fuckup called whistle.im which was revealed by CCC Hannover:

Seit uns die Snowden-Enthüllungen gezeigt haben, dass die NSA und das UK nicht nur in der Lage sind, alle Verbindungen, die die Grenze passieren mitzulesen, sondern dies auch tun, ist eine deutliche Steigerung des Interesses an Verfahren für die Verschlüsselung von Kommunikation im Internet zu erkennen. Dieses begrüßenswerte Phänomen entwickelt jedoch zunehmend einen bitteren Beigeschmack durch neu entstehende Projekte, die aus Marketingzwecken grade jetzt aus dem Boden gestampft werden. Diese Projekte spielen mit dem gesteigerten Problembewusstsein der Bevölkerung, ohne dass sie einen wirklichen Schutz liefern.

Neben der “E-Mail Made in Germany” brüstet sich ein Projekt von zwei Studenten namens whistle.im damit, sichere Ende-zu-Ende-Verschlüsselung anzubieten. Auch sie legen Wert auf den lächerlichen “Made in Germany”-Slogan. […]

Source

Categories: Technology Tags: , , , ,

“le dernier cri”: PRISM implementation

July 18th, 2013 No comments

orlyAre you thinking of buying the newest slick smartphone? Well then, get the latest “Blackberry Q10” with implemented sneaking high-end “suppa duppa” username & password delivery feature which sends your credentials directly to the NSA and all these “nice guyz” protecting us from “za thheRR0Riz”. – ’cause as you’ve nothing to hide anyways and ain’t give a shit about your goddam privvvazy! – Y0!1!!

When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberrys server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing inbetween – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the “Five Eyes”, the tigh-knitted cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIMs databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to use an alternative mail program like K9Mail.

Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind BER, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.

Recipe for own experiment:
1. set up your own mail server with full logging
2. create throw-away IMAP account
3. enter IMAP account credentials into Blackberry 10 device, note time
4. check mail with Blackberry
5. look in logfiles for IP 68.171.232.33 (or others from RIM netblock)

Source: Frank at geekheim & Fefe

SRSLY: think about digital disobediance. – NOW!

Dependence Day – 4th of July

July 4th, 2013 No comments

DependenceDay

moar Cryptoparties!1!!

July 2nd, 2013 No comments

cp-logo-200x67
Worried about surveillance and control? Still living in 1984? Get your copy of the Cryptoparty handbook and organise your Cryptoparty today!

ADS 95 Ranger drones

May 1st, 2013 No comments

An ADS 95 Ranger Drone manufactured by Ruag has been spotted, circling over SIERRA (see VFR map at the bottom of the page) on approximately 4000ft at Zurich due to 1. Mai event.

This is how they look like in a close-up:

ADS 95 Ranger by Ruag

drokdo84.parsysrelated1.57627.Image drokdo84.parsysrelated1.72724.ImageLinks:
Drohnenstaffel 7
Drohnen Kommando 84
Dro Staffel 7

LSZH Tower therefore diverts departing traffic through a non-standard DEGES 2W departure route…
Non-Standard DEGES dep 01MAI2013

VFR map LSZH (point SIERRA):
VFR map SIERRA LSZH

Here’s a document written by a Colonel of the Swiss Air Force, published in the ILA magazine on 11th September 2012.

[Update 2nd May 2013]
In 2002 the swiss government prohibited the use of drones for surveillance of manifestations such as the 1st of Mai, arguing the application of drones to be unlawful. Though the law for public surveillance hasn’t changed meanwhile, the military application of the drone yesterday seems to have been legally admitted.

Extract of 10v10 swiss TV 1st of May 2002:

Apple corrupting RFC 6352 (by Apple)

December 1st, 2012 No comments

In the nice setup of my own “un-clouded” PIM (personal information manager), in which DAViCal plays a major role, OS X Lion (10.7) & OS X Mountain Lion (10.8) seemingly can’t handle the groups in the address book (Contacts.app) any longer. – When connecting through CardDAV, the groups just remain empty.
In the respective paragraph 7.1.1 of RFC 6352, which Apple released in August 2011, states:


Description: The CARDDAV:addressbook-home-set property is meant to
allow users to easily find the address book collections owned by
the principal. Typically, users will group all the address book
collections that they own under a common collection. This
property specifies the URL of collections that are either address
book collections or ordinary collections that have child or
descendant address book collections owned by the principal.

… though Contacts.app sets the value of addressbook-home-set to /caldav.php/foobar/ instead of /caldav.php/foobar/addressbook/ in ~/Library/Application\ Support/AddressBook/Sources/XYZ-123456-FOOBAR/Configuration.plist, which is a violation of RFC 6352.

Simply said: OS X 10.7/10.8 Contacts.app cant handle its own technical specifications…

[Update: The very same bug has been reported to the sogo bugtracker.]

[Update: Here is a fix for this OS X bug.]

Why OS X Lion is crap

August 30th, 2011 No comments

1. Unconsiousness
With the OS X 10.7 software release Apple fulfills and nurtures the users unconscious handling of his computer. The users data, such as photos, documents, etc. are geo- and meta-tagged and the accordant applications connect to the respective servers, such as Google maps, “the Cloud”, several Akamai servers, keeping the user in the dark about how and where his personal data is shared.

2. Self-surveillance
Further the operation system entrap and mislead the user to activities of self-surveillance, by eliminating “Big Brother” and leading the operator through “sexy” and technically well designed applications, which conceal where data and meta-data is shared and stored. The nebulous “Cloud”, easing the users data replication, inducing potential privacy hazards, assuming that the user has “nothing to hide”.

3. Anti-Social
By implementing Social Media applications and functionalities, explicitly based on proprietary standards and formats, caching cookies that track their users continuously, even after having logged out, complete patterns on the users behaviors are tracked, locally stored and shared on obscure servers and nebulous “Clouds”. The friends counter remains a real-time raising number of people whom the user never meets in real life (any more)…

4. Average
Apple Macintosh used to be a product of computers that come together with an operation system that is designed for professionals. Graphic Designers, Film Directors and Musicians. Since OS X 10.7 the system is designed to merge into the needs of a mediocre human to nurture his archaic behavior by caressing a touch-pad with his finger. A built-in baby comforter may follow in upcoming versions…

5. status_msg > /dev/null && userinfo > /apple/survey && echo –bold “WTF!”
By suggesting the user to improve the functionalities of programs, the operation system shares system data which can explicitly identify the computer and the user. Users privacy is deliberately violated.

6. Contemptuous
No ext2, ext3 or ext4 support. Gimme back my control over my data & choice of filesystem!