
The Isoblog. Posts

Bielefeld Conspiracy hits Facebook

Westfalenblatt knows: yesterday all references to the place name “Bielefeld” were replaced with “Bielefeldverschwörung” (Bielefeld Conspiracy):

Facebook showing “Bielefeldverschwörung” (Bielefeld Conspiracy) instead of the proper city name.

Bielefeld is a typical white-label city in Germany. In fact, it is conspicuously inconspicuous, and that is, according to the conspiracy theory fabricated by Achim Held in 1993, because the city does not actually exist. It’s a fake location that protects something else on the map, probably an entrance to the Hollow Earth or something else, but we don’t actually know.

The story of the Bielefeld Conspiracy was made up as a satire, but has since taken on a life of its own. The city’s bureau of tourism uses it for marketing purposes, and there is even a feature film, which in turn features Achim Held.

Facebook claims that the change was unintentional and that the root cause is being researched. There totally is no conspiracy at all.

Leave a Comment

Command line access to the Mac keychain

I am getting my payslips in electronic form, as an encrypted, password-protected PDF. It’s not a super secret password, and the encryption is there more to prevent accidentally opening the file than to keep its content actually secret.

After shipping the PDF home, I archive it for tax purposes, but to make the archive safe I store the original file as well as the decrypted cleartext version of it. To do that, I wrote a shell script, which contained the password in a variable in clear.

Discussing that at work, a few people rejected the storage of keys in a script in clear as a matter of principle, and the suggestion was to use the operating system’s key management service to hold this kind of data.

Here is how to interact with the key management of MacOS.
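As an added illustration of that suggestion (not code from the post): a small Python wrapper around the macOS `security` command, which is the command-line front end to the keychain. The item name `payslip-pdf` and the account name `payroll` are assumptions, and the `run` parameter exists only so the lookup can be exercised with a fake runner where no keychain is available.

```python
import subprocess

# Assumed keychain item names; not from the post.
SERVICE = "payslip-pdf"
ACCOUNT = "payroll"


def lookup_argv(service: str, account: str) -> list:
    """argv for `security find-generic-password`; -w prints only the password."""
    return ["security", "find-generic-password", "-s", service, "-a", account, "-w"]


def store_argv(service: str, account: str) -> list:
    """argv for creating or updating (-U) the item.

    A trailing -w with no value makes `security` prompt for the secret,
    so it never appears on the command line, in `ps` output or in shell history.
    """
    return ["security", "add-generic-password", "-U", "-s", service, "-a", account, "-w"]


def get_password(service: str = SERVICE, account: str = ACCOUNT, run=subprocess.run) -> str:
    """Fetch the secret from the login keychain instead of keeping it in a script variable.

    `run` is injectable so the function can be tested without a Mac.
    """
    result = run(lookup_argv(service, account), capture_output=True, text=True, check=False)
    if result.returncode != 0:
        # Item missing, keychain locked, or the user denied access in the prompt.
        raise LookupError("keychain item %s/%s not available" % (service, account))
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # One-time setup on the Mac: subprocess.run(store_argv(SERVICE, ACCOUNT))
    pw = get_password()
    # Hand `pw` to the PDF decryption step; never echo it.
    print("fetched a %d-character password from the keychain" % len(pw))
```

The first time a script reads the item, the keychain asks whether to allow access for that process; answering “always allow” is what makes an unattended archival script work after a login without turning the secret back into a cleartext file.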

Leave a Comment

Chinese New Year, and birthrate anomalies

Coming up: Chinese New Year on 28 January.

The coming year is a year of the Fire Rooster, and apparently these things mean a lot to a lot of people.

So what influence does the Chinese Zodiac have?

Well, one sign that is supposed to be very unlucky is the Fire Horse. An article from 2012 explains:

People born during the year of the Fire Horse are notorious for being bad luck. People born during a Fire Horse year are said to be irresponsible, rebellious, and overall bad news.

And for some reason, women are said to be especially dangerous Fire Horses. They supposedly sap their family’s finances, neglect their children, and drive their father and husband to an early grave.

Solution? Don’t make babies in a Fire Horse year, and especially no female babies.

So 1966 was a Fire Horse, and that’s what 1966 stats look like:


5 Comments

What data does WhatsApp collect

Hangout opens.

S: Good morning, Kris, please excuse me. You are using WhatsApp, I presume.

If so, how are you dealing with the problem of WhatsApp uploading the address book? Ignore it? Change config? Edit address book contacts?

Why I am asking: by not using WhatsApp, I am more and more out of the loop (school, parents, sport clubs, etc). At the moment I am trying to resist, probably being the last person on Planet Earth doing that.

Kris: Just use it. ‘Complete upload of the address book’ is untrue, and uninformed bullshit, btw. WhatsApp hashes stuff, and uploads the hashes. Hashes equal -> match.

Kris: What does WhatsApp collect (Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA) dating from 2013):

Out-of-network numbers are stored as one-way, irreversibly hashed values. WhatsApp uses a multi-step treatment of the numbers, with the key step being an “MD5” hash function. The phone number and a fixed salt value serve as input to the hash function, and the output is truncated to 53 bits and combined with the country code for the number. The result is a 64-bit value which is stored in data tables on WhatsApp’s servers.

The findings complain about that, because it is not perfect, but I personally believe that to be a pretty good compromise, making you discoverable without pasting the actual numbers all over the place.

S: Thanks, didn’t know that. Problem solved.
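To make the quoted scheme concrete, here is an added Python reconstruction of it (not WhatsApp’s code, and not from the post). It follows the findings literally: MD5 over the number plus a fixed salt, the digest truncated to 53 bits, and the country code packed into the remaining 11 bits of a 64-bit value. The salt value, the exact bit layout and the assumption that the hashed input is the national number without the country code are all mine; the findings do not give them.

```python
import hashlib

# Constructed placeholder; the real fixed salt is not on the page.
FIXED_SALT = b"example-fixed-salt"
HASH_BITS = 53
CC_BITS = 64 - HASH_BITS  # 11 bits: room for every 1- to 3-digit calling code (max 999 < 2048)


def hash_number(country_code: int, national_number: str, salt: bytes = FIXED_SALT) -> int:
    """Return the 64-bit value stored for one out-of-network number."""
    if not 0 <= country_code < (1 << CC_BITS):
        raise ValueError("country code does not fit in %d bits" % CC_BITS)
    # Normalise formatting so '171 123 4567' and '1711234567' hash identically.
    digits = "".join(ch for ch in national_number if ch.isdigit())
    digest = hashlib.md5(digits.encode("ascii") + salt).digest()
    # Keep the low 53 bits of the first 8 digest bytes (assumed truncation).
    truncated = int.from_bytes(digest[:8], "big") & ((1 << HASH_BITS) - 1)
    return (country_code << HASH_BITS) | truncated


def split_value(value: int):
    """Recover (country_code, truncated_hash) from a stored 64-bit value."""
    return value >> HASH_BITS, value & ((1 << HASH_BITS) - 1)


def match_contacts(uploaded, stored):
    """Server side of 'hashes equal -> match': intersect the client's hashed
    address book with the table of hashed registered numbers."""
    return sorted(set(uploaded) & set(stored))


if __name__ == "__main__":
    # Constructed sample numbers, not real contacts.
    registered = [hash_number(49, "1711234567"), hash_number(1, "2125551234")]
    my_book = [hash_number(49, "171 123 4567"), hash_number(44, "7700900123")]
    for v in match_contacts(my_book, registered):
        print("match: country %d, hash %013x" % split_value(v))
```

The reconstruction also makes the findings’ complaint visible: the salt is fixed and the input space is phone numbers, so the same number always maps to the same value, and the server learns that value for everyone in the uploaded address book. That is the trade-off the post calls a reasonable compromise, and it is the reason the result should be treated as a pseudonym rather than as an irreversible secret.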

12 Comments

Mac OS 10.12 and ssh

Yeah, I know, it’s old, but I need this mostly as a memo to self: ssh key handling changed between MacOS 10.11 and 10.12.

What you probably want is the following magic in a generic Host block of your machine’s ~/.ssh/config or /etc/ssh/ssh_config:

Host *
  # do not persist passphrases in the keychain
  UseKeychain no
  # load a key into ssh-agent the first time it is used
  AddKeysToAgent yes

This will store your SSH keys in the agent, so you enter the passphrase only once. It will not persist the keys on the machine, so you have to authenticate and unlock the keys once after each restart.

Getting rid of persisted keys is complicated and requires some SQLite magic.

# forget all identities in the agent and drop their passphrases from the keychain
ssh-add -D -K
# passphrases already persisted live in the keychain SQLite databases
for f in ~/Library/Keychains/*/keychain-2.db
do
  sqlite3 "$f" "delete from genp where agrp = 'com.apple.ssh.passphrases';"
done

2 Comments

Yay, backdoors

The EFF reminds us that the general direction of current US politics is full steam backwards, and damn the torpedoes.

Trump’s nominee for Attorney General, Sen. Jeff Sessions said on the topic of encryption backdoors

Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

The EFF comments:

Despite Sessions’ “on the one hand, on the other” phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It’s simply not feasible for encryption to serve what Sessions concedes are its “many valuable and important purposes” and still be “overcome” when the government wants access to plaintext.

So we are set to repeat the discussions from the crypto wars 25 years ago all over again. Math does not change, and neither do the realities of key management.

6 Comments

Secure defaults kind of matter…

snyk writes on secure defaults:

Before version 2.6.0 the hipster data “store” did not require authentication by default (wait, what?) and also bound to * instead of 127.0.0.1.

As a result, by default, each MongoDB data “store” has been accessible from the entire internet.

Scanners such as Shodan provide an index to all such MongoDB installations on the entire Internet. Enterprising anonymous “hackers” have monetized this opportunity by accessing these installations over the Internet, encrypting the data and then accepting Bitcoin for the decryption password – or scamming the installation’s owner, assuming that people who put production data on internet-wide installations with unauthenticated access deserve to be conned and then conned over again.

Other hipster data stores, including Elasticsearch, CouchDB and Redis, are known to have similar access properties. NoSQL might actually mean “NoSequrity”.
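The two defaults the post complains about (bind to every interface, no authentication) are exactly the ones worth checking in a mongod configuration before the box goes near a network. Added example, not from the post or from MongoDB: a Python checker that reads the YAML-style mongod.conf (the `net.bindIp` and `security.authorization` keys are real; the two sample configs are constructed) and reports the weak setting beside the corrected one. The parser handles only the flat `section:` / `  key: value` subset that these keys need, and treats a missing key as the permissive pre-3.6 default described in the post.

```python
# Constructed sample: the defaults the post describes, written out explicitly.
INSECURE_CONF = """\
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled
"""

# Constructed sample: the same file with both settings corrected.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_simple_yaml(text: str) -> dict:
    """Parse the two-level 'section:' / '  key: value' subset used by mongod.conf.

    Not a YAML parser: lists, quoting and deeper nesting are out of scope.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")  # first colon only, so IPv6 values survive
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> list:
    """Return one finding per weak setting; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    findings = []

    # Assumption: an absent bindIp means 'listen everywhere', as the post describes for old versions.
    bind_ip = conf.get("net", {}).get("bindIp", "0.0.0.0")
    addrs = [a.strip() for a in bind_ip.split(",")]
    if any(a in WILDCARD_BINDS for a in addrs):
        findings.append("net.bindIp=%s: listens on all interfaces; reachable from the Internet unless filtered" % bind_ip)

    # Assumption: an absent authorization key means 'disabled', again the old default.
    authz = conf.get("security", {}).get("authorization", "disabled")
    if authz.lower() != "enabled":
        findings.append("security.authorization=%s: anyone who can connect gets full access" % authz)
    return findings


if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Binding to 127.0.0.1 alone does not make authentication optional: anything else on the same host (or a reverse tunnel) can still reach the port, so both findings have to clear, not just one.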

Leave a Comment