The good people of the chair for Network and Data Security at the Ruhr University Bochum, Germany, are maintaining a blog at https://web-in-security.blogspot.de. Their current hobby is exploiting printers. All of them.
Kris: You said? Has somebody pwned your Skype?
Friend: That’s what happened. Skype is now Item 125 in 1Password.
While in most countries suspects cannot be forced to give up their passwords in order to give law enforcement access to data that could be used to indict them, it appears to be perfectly legal to force people to use biometric data to unlock said devices, AppleInsider reports.
According to NetworkWorld, a man in Ohio with an implanted pacemaker was indicted as an arsonist, based on data the police seized from his device.
»[T]he cops wanted to know “Compton’s heart rate, pacer demand and cardiac rhythms before, during and after the fire.”« reports a local station, WLWT5.
Another news outlet reports »“A cardiologist who reviewed that data determined ‘it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.’”« The retrieved data helped to indict Compton, who also had gasoline on various pieces of his clothing.
The Council of the European Union discusses the “problem” of Carrier Grade NAT, and would like to see all IP address logging and storage extended to port numbers, and all NAT state tables stored and preserved, in order to be able to resolve Internet accesses to subscriber identities, says Statewatch.
Among them are horror stories such as
For example, back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes.
and many more. The advice is
Antivirus software vendors are terrible; don’t buy antivirus software, and uninstall it if you already have it (except, on Windows, for Microsoft’s).
(Written on Mac OS 10.11.6, because…)
In order to communicate securely over an encrypted channel, both parties do not just have to agree on a common set of crypto keys, they also need to prove to each other that they are who they claim to be. If they do not, it is very easy for an attacker to mount a man-in-the-middle attack.
What is used on the web and elsewhere to prove identity is certificates, and because no one can know all certificates, certificate authorities act as the trusted passport bureaus of the Internet. In theory.
In practice, that did not work out so well.
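To make the point above concrete, here is an added example (not code from the original post or from any of the projects mentioned): a Diffie-Hellman key agreement simulated in plain Python. Without any identity check, an attacker relaying between the two parties ends up sharing a key with each of them while both believe they talk to each other. With a pinned fingerprint of the peer's long-term key standing in for the certificate check, the substituted key fails verification and the session is refused. The group parameters (the Mersenne prime 2^127-1 with generator 2), the party names and the `Party`/`exchange` helpers are all constructed for this demonstration and are far too small for real use.

```python
"""Unauthenticated vs. authenticated key agreement: why agreeing on a key
is not enough.  Everything here is a constructed demonstration."""
import hashlib
import secrets

# Constructed demo parameters: a prime modulus and generator; NOT a real-world group.
P = (1 << 127) - 1
G = 2


def keypair():
    """Return (private exponent, public value g^priv mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Derive a session key from the DH shared value (hashed, hex-encoded)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).hexdigest()


def fingerprint(pub):
    """Short identifier of a long-term public key, as a certificate or a pin would carry."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


class Party:
    """A peer with a long-term DH key; optionally knows the trusted fingerprint of its peer."""

    def __init__(self, name, trusted_peer_fp=None):
        self.name = name
        self.priv, self.pub = keypair()
        self.trusted_peer_fp = trusted_peer_fp
        self.session_key = None

    def accept(self, peer_pub):
        # The identity check: does the presented key belong to the peer I expect?
        # Without a trusted fingerprint, any key is accepted (the "agree on keys only" case).
        if self.trusted_peer_fp is not None and fingerprint(peer_pub) != self.trusted_peer_fp:
            raise ValueError(f"{self.name}: presented key does not match trusted identity")
        self.session_key = shared_secret(self.priv, peer_pub)


def exchange(alice, bob, mitm=False):
    """Run one key agreement.  With mitm=True a relay substitutes its own public
    value in both directions.  Returns (alice_key, bob_key, attacker_keys)."""
    if not mitm:
        alice.accept(bob.pub)
        bob.accept(alice.pub)
        return alice.session_key, bob.session_key, None
    m_priv, m_pub = keypair()
    alice.accept(m_pub)          # Alice thinks this is Bob's key
    bob.accept(m_pub)            # Bob thinks this is Alice's key
    attacker_keys = (shared_secret(m_priv, alice.pub), shared_secret(m_priv, bob.pub))
    return alice.session_key, bob.session_key, attacker_keys


def demo_unauthenticated():
    """No identity check: both sides get a key, but each shares it with the relay.
    Returns True when the relay holds exactly the two keys the victims derived."""
    alice, bob = Party("alice"), Party("bob")
    a_key, b_key, m_keys = exchange(alice, bob, mitm=True)
    return a_key != b_key and m_keys == (a_key, b_key)


def demo_authenticated():
    """With pinned peer fingerprints (the certificate check), the honest exchange
    succeeds and the relayed one is rejected.  Returns (honest_ok, mitm_detected)."""
    alice, bob = Party("alice"), Party("bob")
    alice.trusted_peer_fp = fingerprint(bob.pub)    # learned out of band / via a trusted CA
    bob.trusted_peer_fp = fingerprint(alice.pub)
    a_key, b_key, _ = exchange(alice, bob)
    honest_ok = a_key == b_key
    try:
        exchange(alice, bob, mitm=True)
        mitm_detected = False
    except ValueError:
        mitm_detected = True
    return honest_ok, mitm_detected


if __name__ == "__main__":
    print("relay gets both keys without authentication:", demo_unauthenticated())
    print("(honest exchange ok, relay rejected) with pinning:", demo_authenticated())
```

The pinned fingerprint plays the role a CA-issued certificate plays on the web: it binds the key being presented to an identity the verifier already trusts. Whether that binding comes from a pin, a certificate chain or a transparency log, the failure mode is the same when it is absent or skipped, which is exactly where the CA system's practical troubles below come in.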
VanMoof is a hipster bike maker from Amsterdam with outlet stores in cities where Prada has stores, too.
S: Good morning, Kris, please excuse me. You are using WhatsApp, I presume.
If so, how are you dealing with the problem of WhatsApp uploading the address book? Ignore it? Change config? Edit address book contacts?
Why I am asking: by not using WhatsApp, I am more and more out of the loop (school, parents, sport clubs, etc). At the moment I am trying to resist, probably being the last person on Planet Earth doing that.
Kris: Just use it. ‘Complete upload of the address book’ is untrue, and uninformed bullshit, btw. WhatsApp hashes stuff, and uploads the hashes. Hashes equal -> match.
Out-of-network numbers are stored as one-way, irreversibly hashed values. WhatsApp uses a multi-step treatment of the numbers, with the key step being an “MD5” hash function. The phone number and a fixed salt value serve as input to the hash function, and the output is truncated to 53 bits and combined with the country code for the number. The result is a 64-bit value which is stored in data tables on WhatsApp’s servers.
The findings complain about that, because it is not perfect, but I personally believe that to be a pretty good compromise, making you discoverable without pasting the actual numbers all over the place.
S: Thanks, didn’t know that. Problem solved.
The EFF reminds us that the general direction of current US politics is full steam backwards, and damn the torpedoes.
Trump’s nominee for Attorney General, Sen. Jeff Sessions, said on the topic of encryption backdoors:
Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.
The EFF comments:
Despite Sessions’ “on the one hand, on the other” phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It’s simply not feasible for encryption to serve what Sessions concedes are its “many valuable and important purposes” and still be “overcome” when the government wants access to plaintext.
So we are set to repeat the discussions from the crypto wars 25 years ago all over again. Math does not change, and neither do the realities of key management.