Public Service Internet monthly newsletter (Oct 2022)

Bus stop in bladerunner style using AI
Created with Midjourney

We live in incredible times with such possibilities, that is clear. Although it's easily dismissed seeing the ongoing fight around ransomware, 2FA being social engineered and YouTube dislikes meaning very little.

To quote Buckminster Fuller: “You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.”

You are seeing aspects of this with the EU ramping up its open source code access, South Korea’s win for privacy violations and solutions like Watomatic providing out-of-office replies for WhatsApp to help people stop using it.


Recommendations for a Digital Future to the EU

Ian thinks: Exit Platforms over the past year have brought together a group of experts to chart out what a public service internet could look like from a policy point of view, the last meeting being a hackathon in the European Parliament. This is the detailed report from the last year of meetings.

Jack Dorsey realising the mistakes of Twitter

Ian thinks: Jack’s thoughts about the mistakes are further clarified by Kevin Marks making it super clear how Twitter killed Twitter as an API in favour of control and profit.

The future of Solar panels? Everywhere!

Ian thinks: It's fantastic to see solar panels in places I thought were simply a no go. Although the cost of panels is dropping, there is still a need for a bigger drop.

Bus shelters turned into garden

Ian thinks: Although Manchester has had a bus shelter like the one described since 2016 and people point out it's advertising driven, I do think it's generally a good idea and better than looking at a metal frame in the pouring rain.

Escape Fantasies of the Tech Billionaires (nsfw)

Ian thinks: Aspects of Team Human, this interview with Rushkoff is entertaining but it's hard to see fault in the logic behind the new book.

EU puts its foot down around mobile waste and upgrades

Ian thinks: Although in draft form, it's a move which may have serious consequences in many different industries.

Bluetracking around the city for better transport but at what cost?

Ian thinks: Contactless travel sounds fantastic but I’m not sure the trial will consider privacy and abuse cases. Something they really should.

Chris’s challenging talk about crypto gave me a bad taste

Ian thinks: Mydata is a good conference but this talk gave me a taste but I can’t exactly point at one thing. A lot of what Chris says is correct, but I can’t get his position over the keynote. Or maybe it's just the bored ape t-shirt?

AI art has changed the game quietly

Ian thinks: I have personally been using Midjourney and DALL-E 2 for some personal works. It feels like something has changed, and we haven’t really acknowledged the effect yet.

What can be learned from Google’s smart city project?

Ian thinks: Sobering talk from Josh O’Kane about Google’s Sidewalk Labs project with plenty of insights for future smart city projects.


Find the archive here

Google Titan key security problem?

I was sure I tooted/tweeted a thank you to the Google team at Berlin’s Re:publica conference. But it looks like it never quite happened due to connectivity issues with the wifi at certain points of the day.

So first of all I want to say thanks for giving me a Titan security key for spending time listening to what changes Google had made to their security as announced at Google I/O 2019.

I was surprised to see Google there with all the ill feeling about the 5 stacks, their monopoly and business practice.

But before I could get home and try the key/system, I saw a bunch of problems with the key.

Google Titan Bluetooth Security Key Can Be Used to Hack Paired Devices

Titan-ic disaster: Bluetooth blunder sinks Google’s 2FA keys, free replacements offered

Obviously I was a little concerned, although I had not added the Titan key to my Google 2 factor auth yet.

After a bunch of reading, it seems it's not completely flawed. The Google security blog confirms my research.

The problem is with the Bluetooth fob, which to be honest is super convenient but wasn’t the most secure idea in the world. The Bluetooth stack is limited in its range but because of that, it's not got as much security as most things on the net.

Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired. In order for the misconfiguration to be exploited, an attacker would have to align a series of events in close coordination:

When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.

Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

This all being a big mistake, Google has offered a replacement key. However because my key hasn’t been added to my account yet, I get a message saying no action is required but an email to override this. However after double checking, my key is a type T3, meaning it wasn’t affected.

Good work Google…

My Motiv activity ring

My Motiv ring on my hand

Finally the Motiv ring came

Motiv Ring pack

Nicely packaged and simple to set up, although I did find the pairing with my Google Pixel 2 took a long time. I hooked it up to Google Fit but haven’t set up 2 factor auth yet; I just need to get the barcodes for some of my services and create my gesture. Kept meaning to save the barcodes in my password manager.

I did also pair it with my Ubuntu laptop but I’m unsure how to do anything with it except using Bluetooth unlock. The fit is good and the ring feels super light to me.

Motiv USB power charger

My only worry is I can’t seem to find another USB power unit for it, as I’d like to have one at home and one I can carry with me when away. I checked Amazon but I can’t find similar. Also not sure I can get another one separately unless I buy the USB Magnetic Charging Dock Keychain and Charging Dock?

So far so good…

Personal data stores are the new grey?

https://www.flickr.com/photos/slightlyeverything/8227615319/

If I had some money from all the people who sent me details of Tim Berners-Lee’s Solid I would have enough to buy a cheap flight to somewhere in Europe with a cheap airline.

Solid is meant to change “the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance – by giving every one of us complete control over data, personal or not, in a revolutionary way.”

Solid isn’t a radical new program. Instead, “Solid is a set of modular specifications, which build on, and extend the founding technology of the world wide web (HTTP, REST, HTML). They are 100% backwards compatible with the existing web.”

The main reason why people seem to be sending it my way is because of another open source project I’m involved in called Databox.

For me Solid is a personal data store; it's like a secure vault for your data. This is good but like 2 factor authentication over SMS, not as secure as other ways. Put all your personal data in one place and it's a central point for those who want everything at once. Think about how many times you have seen leaks of databases which contain credit cards, numbers, emails, names, etc… It's the eggs/data in one basket problem…

This came up at Mydata 2018; there was quite a lot of discussion about this throughout the conference and it was touched on in Mikko Hypponen’s talk.

The data in one place is just one aspect; others are more about the value proposal to people and technically how verified claims work, as expressed in “How solid is Tim’s plan to redecentralize the web”.

The comparisons between Solid and Databox have been asked by many and I would certainly say Databox (regardless of its name) isn’t a place to hold all your personal data. You could use it like that but it's more of a privacy aware data processing platform/unit. I remember the first time I heard about Vendor relationship management (VRM), it was clear to me how powerful this could be for many things. But then again I also identified Data portability as something essential while most people just didn’t see the point.

Everything will live or die by not just developer support, privacy controls, security, cleverness, but by user demand… and it feels like personal data stores are still a while off in most people's imagination.

Maybe once enough people personally experience the rough side of personal data breaches it may change?

For example today I received an email from have you been pwned saying…

You’re one of 125,929,660 people pwned in the Apollo data breach.

In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password. The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned. The data left exposed by Apollo was used in their “revenue acceleration platform” and included personal information such as names and email addresses as well as professional information including places of employment, the roles people hold and where they’re located. Apollo stressed that the exposed data did not include sensitive information such as passwords, social security numbers or financial data.

Till this is an everyday occurrence, most people will just carry on and not care? Maybe there's even a point it should be part of the furniture of the web, like the new grey?