
Category: Hackerterrorcybercyber

Seized pacemaker data used to indict arsonist

Image: LukeBam06

According to NetworkWorld, a man in Ohio with an implanted pacemaker was indicted for arson based on data the police seized from his device.

»[T]he cops wanted to know “Compton’s heart rate, pacer demand and cardiac rhythms before, during and after the fire.”« reports a local station, WLWT5.

Another news outlet reports »“A cardiologist who reviewed that data determined ‘it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.’”« The retrieved data helped to indict Compton, who also had gasoline on various pieces of his clothing.

Disable Your Antivirus Software (Except Microsoft’s)

Robert O’Callahan explains in a blog article, and in an even more interesting link, how antivirus software breaks Firefox (and many other pieces of software).

Among them, horror stories such as

For example, back when we first made sure ASLR was working for Firefox on Windows, many AV vendors broke it by injecting their own ASLR-disabled DLLs into our processes.


and many more. The advice is

Antivirus software vendors are terrible; don’t buy antivirus software, and uninstall it if you already have it (except, on Windows, for Microsoft’s).

(Written on Mac OS 10.11.6, because…)
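The injected-DLL complaint quoted above is something you can check for yourself: a module only takes part in ASLR if its PE header has the DYNAMIC_BASE flag set (and, for 64-bit images, HIGH_ENTROPY_VA), and it cannot be rebased at all if its relocations were stripped. The following is an added example, not code from O’Callahan or Mozilla: a small stdlib-only PE header reader that reports those flags, plus a constructed header-only test image so it can run without a real DLL. Point it at the DLLs listed for a Firefox process to find the ones that pin the process’s address space.

```python
import struct
import sys

# Flag bits from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_PLUS_MAGIC = 0x20B


def pe_aslr_flags(image):
    """Parse just enough of a PE image (DOS header -> NT headers) to read
    the flags that decide whether the loader can randomise its base."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4
    # IMAGE_FILE_HEADER.Characteristics is 18 bytes in; the optional header follows at 20.
    characteristics = struct.unpack_from("<H", image, file_header + 18)[0]
    optional = file_header + 20
    magic = struct.unpack_from("<H", image, optional)[0]
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+ alike.
    dll_characteristics = struct.unpack_from("<H", image, optional + 70)[0]
    return {
        "pe32_plus": magic == PE32_PLUS_MAGIC,
        "dynamic_base": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def aslr_problems(image):
    """Reasons this module weakens ASLR for the process it is loaded into
    (an empty list means it is fine)."""
    flags = pe_aslr_flags(image)
    problems = []
    if not flags["dynamic_base"]:
        problems.append("DYNAMIC_BASE not set: mapped at its preferred base, unrandomised")
    if flags["relocs_stripped"]:
        problems.append("relocations stripped: cannot be rebased even if the loader wanted to")
    if flags["pe32_plus"] and not flags["high_entropy_va"]:
        problems.append("64-bit image without HIGH_ENTROPY_VA: only low-entropy randomisation")
    return problems


def make_test_image(dll_characteristics, file_characteristics=0x2002, pe32_plus=True):
    """Constructed header-only image for exercising the parser; it is not
    loadable. 0x2002 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32_plus else 224
    file_header = struct.pack("<HHIIIHH", 0x8664 if pe32_plus else 0x14C, 1, 0, 0, 0,
                              opt_size, file_characteristics)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32_PLUS_MAGIC if pe32_plus else 0x10B)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional)


if __name__ == "__main__":
    # Usage: python pe_aslr.py C:\path\to\injected.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            problems = aslr_problems(fh.read())
        print(path, "OK" if not problems else "; ".join(problems))
```

A single such module is enough to undo ASLR for the whole process: an attacker only needs one image at a known address to build a ROP chain from.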

Google starts a root CA

A certificate as seen in a network debugger

In order to communicate securely over an encrypted channel, both parties not only have to agree on a common set of crypto keys, they also need to prove to each other that they are who they claim to be. Without that, an attacker on the path can mount a man-in-the-middle attack: each side negotiates keys with the attacker while believing it is talking to the other.

On the web and elsewhere, identity is proved with certificates, and because no one can know all certificates, certificate authorities act as the trusted passport bureaus of the Internet. In theory.

In practice, that did not work out so well.
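What a client actually gets from a root CA is a trust anchor: a certificate is accepted for a name only if it chains to an authority the client already trusts. The script below is an added example, not part of the original post or of Google’s CA: it builds a throwaway root, signs a server certificate with it, then has a second, untrusted CA issue a certificate for the very same hostname, and checks both with openssl verify. The CA names, the hostname www.example.test and the temp-dir layout are made up for the demonstration.

```sh
#!/bin/sh
# Added example: a tiny PKI to show what "chains to a trusted root" means.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal config so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
printf 'subjectAltName = DNS:www.example.test\nbasicConstraints = CA:FALSE\n' > leaf.ext

# make_ca NAME PREFIX: a self-signed CA, i.e. what a trust store holds.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
    -extensions v3_ca -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# issue CAPREFIX PREFIX: a leaf certificate for www.example.test signed by that CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=www.example.test" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -extfile leaf.ext -out "$2.pem" 2>/dev/null
}

# verify_against CAPREFIX LEAFPREFIX: exit 0 only if the leaf chains to that CA
# and carries the expected hostname, which is what a TLS client checks.
verify_against() {
  openssl verify -CAfile "$1.pem" -verify_hostname www.example.test "$2.pem" >/dev/null 2>&1
}

make_ca "Example Root CA" root      # the anchor our client trusts
make_ca "Someone Elses CA" rogue    # an authority our client has never heard of
issue root  server                  # the legitimate certificate
issue rogue mitm                    # correct name, wrong issuer

verify_against root server && echo "server.pem: chains to the trusted root, accepted"
verify_against root mitm   || echo "mitm.pem: right hostname, untrusted issuer, rejected"
```

The second check is the whole point of the CA system: the attacker can put any name into a certificate they mint, and the only thing stopping the client from accepting it is that the issuer is not in its trust store. Conversely, any CA that is in the store can issue for any name, which is why a misbehaving or compromised CA is so damaging and why a new root being added matters.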

What data does WhatsApp collect

Hangout opens.

S: Good morning, Kris, please excuse me. You are using WhatsApp, I presume.

If so, how are you dealing with the problem of WhatsApp uploading the address book? Ignore it? Change config? Edit address book contacts?

Why I am asking: by not using WhatsApp, I am more and more out of the loop (school, parents, sport clubs, etc). At the moment I am trying to resist, probably being the last person on Planet Earth doing that.

Kris: Just use it. ‘Complete upload of the address book’ is untrue, and uninformed bullshit, btw. WhatsApp hashes stuff, and uploads the hashes. Hashes equal -> match.

Kris: What does WhatsApp collect (Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA) dating from 2013):

Out-of-network numbers are stored as one-way, irreversibly hashed values. WhatsApp uses a multi-step treatment of the numbers, with the key step being an “MD5” hash function. The phone number and a fixed salt value serve as input to the hash function, and the output is truncated to 53 bits and combined with the country code for the number. The result is a 64-bit value which is stored in data tables on WhatsApp’s servers.

The findings complain about that, because it is not perfect, but I personally believe that to be a pretty good compromise, making you discoverable without pasting the actual numbers all over the place.

S: Thanks, didn’t know that. Problem solved.
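The scheme quoted from the PIPEDA findings is small enough to write out, which also makes plain what the findings object to. The code below is an added example, not WhatsApp’s code and not part of the chat: the real salt was never published, so a placeholder stands in for it, and the exact string fed to MD5 as well as the bit layout of the 64-bit value (calling code in the top 11 bits, 53 hash bits below) are assumptions chosen to fit the description. The phone numbers are constructed.

```python
import hashlib

# The real salt was never published; this stands in for it. The byte format
# of the number fed to MD5 and the bit layout of the 64-bit value are also
# assumptions chosen to fit the description in the findings.
ASSUMED_SALT = b"example-fixed-salt"
HASH_BITS = 53
CC_BITS = 64 - HASH_BITS            # 11 bits: every calling code (1..999) fits
HASH_MASK = (1 << HASH_BITS) - 1


def hashed_contact(country_code, national_number, salt=ASSUMED_SALT):
    """Scheme from the findings: MD5(number || fixed salt), truncated to
    53 bits, combined with the calling code into one 64-bit table value."""
    if not 0 < country_code < (1 << CC_BITS):
        raise ValueError("calling code out of range")
    digest = hashlib.md5(f"+{country_code}{national_number}".encode() + salt).digest()
    truncated = int.from_bytes(digest[:8], "big") & HASH_MASK
    return (country_code << HASH_BITS) | truncated


def split_value(value):
    """Return (calling code, 53-bit hash) from a stored 64-bit value."""
    return value >> HASH_BITS, value & HASH_MASK


def discover(uploaded, stored):
    """'Hashes equal -> match': which uploaded contacts are already users."""
    return set(uploaded) & set(stored)


def recover_by_enumeration(value, known_prefix, unknown_digits, salt=ASSUMED_SALT):
    """Why the findings call the scheme imperfect: the calling code is stored
    in clear and the salt is fixed, so whoever holds the table can hash every
    number in a numbering range and compare. A real attacker walks the whole
    national plan (roughly 10^9 to 10^10 MD5s, cheap offline); the known
    prefix only keeps this demonstration fast."""
    country_code, _ = split_value(value)
    for suffix in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{suffix:0{unknown_digits}d}"
        if hashed_contact(country_code, candidate, salt) == value:
            return f"+{country_code}{candidate}"
    return None


if __name__ == "__main__":
    # Constructed numbers: one shared contact, one only on the server, one only on the phone.
    stored = {hashed_contact(49, "1701234567"), hashed_contact(1, "2025550123")}
    uploaded = [hashed_contact(49, "1701234567"), hashed_contact(44, "7700900123")]
    print("matches:", [hex(v) for v in discover(uploaded, stored)])
    print("recovered:", recover_by_enumeration(hashed_contact(49, "1701234567"), "170123", 4))
```

The matching step is exactly what the hashes are for, and it works without either side seeing the other’s plaintext numbers. The recovery step is the trade-off: a fixed salt and a tiny input space mean the hash is only irreversible to someone who does not hold the table, which is the compromise Kris describes.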

Yay, backdoors

The EFF reminds us that the general direction of current US politics is full steam backwards, and damn the torpedoes.

Trump’s nominee for Attorney General, Sen. Jeff Sessions, said on the topic of encryption backdoors:

Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

The EFF comments:

Despite Sessions’ “on the one hand, on the other” phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It’s simply not feasible for encryption to serve what Sessions concedes are its “many valuable and important purposes” and still be “overcome” when the government wants access to plaintext.

So we are set to repeat the discussions from the crypto wars of 25 years ago all over again. Math does not change, and neither do the realities of key management: a key that a third party can use on demand is a key that anyone who compromises that third party can use too.