I was sure I tooted/tweet a thank you to the Google team in Berlin’s Re:publica conference. But it looks like it never quite happened due to connectivity issues with the wifi at certain points of the day.
Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired. In order for the misconfiguration to be exploited, an attacker would have to align a series of events in close coordination:
When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.
This all being a big mistake, Google has offered a replacement key. However because my key hasn’t been added to my account yet, I get a message saying no action is required but a email to override this. However after double checking my key is a type T3 meaning it wasn’t effected.
Tim Berners-Lee helped invent the world wide web 30 years ago. And he has consistently pointed out that the original dream that gave rise to it is under threat.
It is exactly 30 years since Sir Tim submitted a paper to his colleagues at CERN, suggesting a way of sharing data across networks, under the title “Information Management: A Proposal”. The humble title belies the importance of what was contained inside, which included a complete sketch for the networked information system that would on to become the internet we know today.
But its really important to think about the next 30 years.
I had a really good 10min talk with Sir Tim Berners-Lee during the last Mozilla Festival, while talking about Solid, Databox and data trust. What got me as we talked, was ultimately we were talking about power and where it lies. Power in the hands of governments (Chinese model) , corporations (American model) or people? (could be the European model?)
I think remembering their are humans, not eyeballs, not lefties/rightwingers, etc is so important. Lets celebrate the people of the web!
I received a email from have have I been pwned that my email address and password had been exposed in breach from My Heritage. Most breaches are somewhat worry-some but as I don’t use the same passwords because I have a password manager with lengthy random passwords; its less of a problem.
What was shocking about the myheritage breach for me, was that I have never logged in to or used myheritage ever. If I had an account, I would have an entry in my password manager. To confirm this I have requested my data via GDPR.
I believe a member of my large family entered my email address and then added details about me into myheritage, therefore creating a shadow profile for me to log into. It makes sense, as others in the family can fill in details they have for me. So the password which was leaked isn’t even set by me, but rather auto generated by myhertiage? The only way I could get access to the account was via a password reset. Once in I deleted my account straight away, but I thought about it some more.
The leaked/breached password and login would give the buyer access to any information my family member entered including date of birth, relationships with other members of the family, etc.
If I’m right this is deeply troubling and a worrying precedent!
Its been a difficult time recently. My scooter was damaged once again in a break in on the car park where I park. I say again because in April 2018 exactly the same thing happened. Less that a year!
In April 2018, the motorbikes were targetted but none were taken, if I remember some other things were broken and taken. However between the chains and locks broken, it was clear they tried to break my steering lock by forcing the handle bars. They slightly twisted but not at the fork level lucky, this still costed about £150 to fix.
This time the motorbikes were targetted and looking at the CCTV images from the different cameras across the site its clear they were only after the motorbikes nothing else.
There was some other similarities between the break-ins. The CCTV over looking the motorbikes was covered up in both cases.
They also broke into the car park from the building site next door
Unlike last time however, I spotted 4 men acting very weirdly on the canal side on Monday 14th night/Tuesday 15th morning. They were dressed in black with hoods and scarfs across their mouths and noses. They seemed to be breaking into Islington Wharf Mews by jumping over a wall with a sleeping bag to protect themselves from the spikes on top.
23:49 – Calling the non-emergency number (101) I was put on hold for ages but finally by the time they picked up. The men jumped back over the wall to the canal side, they disappeared from my view.
00:09 – The police took some details and asked where they were now. I happened to catch them breaking into the building site from the road side. Telling the police, they originally said they were going to send someone out. However as I found out later they looked at the public CCTV, which obviously doesn’t point on to the building site plus they were dressed in complete black. Once they looked and saw nothing they closed the logged case
00:45 – Meanwhile I hadn’t noticed but saw later on the garage CCTV a 5th man dressed totally in Black was trying to get into the garage by sneaking in while the roller shutter was coming down after some left or entered the garage. He failed and even got shouted at by residents in a car.
00:48 – I get a short phone call from the police asking if I seen anything else new? I said no.
01:08 – Not long after my original call and 20mins after my call back, some men gain access to the car park via the ground floor car park by breaking the wood slats. I know this for sure because the CCTV confirms the moment they broke through and climbed through.
They headed straight for the motorbikes ignoring all the cars and bicycles. Broke two locks of 2 motorbikes, and damaging my scooter. They are in the car park for 35mins (01:08 – 01:43), All their movements around the carpark are captured on our own CCTV, except the one right above the bikes
01:43 – Finally they leave heading out the car park pedestrian door with 2 motorbikes
0941 – I only found out the next day when I was going to work and saw the damage and the missing motorbikes. This time to tried to get at the scooter ignition instead of trying to break the steering lock. As you can see the damage is pretty bad but the steering is actually fine. I checked all the other locks and chains and they are good.
However 2 other motorbikes are gone and I got lucky. I’ve beefed up my locks and now using my alarm more often now (not just the immobiliser). I also got a crime reference and asked about my early morning call. I’m told the case is on going but police were sent out.
1953 – Later in the evening when I call up again, I’m told the cases are not connected was closed and the police were not sent out because there was nothing on a CCTV (no idea which one they are referring to)
My problem I see is…
The police are not connecting the two cases. Now I understand there is a chance the 4 men dressed head to toe in black on a building site may not be the same 5 people who broke into the garage from the same building site stealing the bikes? Yes it happened with 60 mins of my call but who knows – right? What I don’t understand is why no one was sent out? Even a visit could have prevented a crime. They also lied to me on the phone
I don’t get how the building site isn’t partly to blame for it lack of security not just once but twice now. There is a good chance the men stole tools from the building site to break the locks. I certainly didn’t see them carrying anything when getting into Islington Wharf Mews.
The police still haven’t looked or requested the CCTV from Islington Wharf, The Mews or the building site next door. Yes they are dressed in black but it could be useful to see where they came from and got to with the stolen motorbikes?
Why was I told they will send out a police offer but later told they didn’t? I feel like I was lied to….
I’m doing what I can but its slow going and not being able to get actual CCTV (for good reasons) its kinda impossible to convince the police to follow up. This is partly why I decided to share my frustrations without too much details.
I’ve had an update from a few sources and the timeline includes this..
Tuesday 15 January 2019
00:19 – While I see 4 men getting into Islington Wharf Mews, another man also dressed in black from head to toe is trying to gain entry to the Islington wharf car park by trying to sneak in when someone leaves or enters. Unsuccessfully he returns to his hiding position each time. This also explains why 1 of the 4 men I saw kept looking out from their 1st floor position.
00:45 – They tried to gain entry again but a resident closes the shutter too quickly. 3mins later I get my call from the police, but still no one shows up. On the building site they break a padlock on a tool box, giving them access to stronger tools
01:08 – They break into the car park via the ground floor through the fence using the builders tool.
01:18 – They send 2 of them for an initial scope out of the carpark and then after all 5 of them go into the car park. Breaking two locks of 2 motorbikes, and damaging my scooter. They are in the car park for 35mins
01:43 – One of the Residents tried to drive in to the car park and when the roller shutter goes up they run away pushing the motorcycles.
At 8:30am I received a phone call from the special operations police. They had read my email and were slight shocked at how I’d be treated through this investigation. He massively apologized and agreed based on the research I had done, the cases are linked. Then finally at 1300 they did go and review the footage from the flats and are using it in their ongoing investigation along with other CCTV footage.
I have a lot of curiosity and one of the things which has consistently got me curious, is the challenges of the hidden. Hidden being the trick, the data, the technique, the place or the knowledge. This is why I’m very interested in Hacker House (it was almost added to my new years resolutions for 2017 even).
Currently data is the hidden which intrugued me the moment, hence my massive interest in data ethics. There’s been 3 experiments which have really got me jumping up and down about this all… thought I’d share while I eat cheese and drink wine on Christmas day
I know what you downloaded (…last summer or even last Christmas)
This site collects IPs from public torrent swarms by parsing torrent sites and listening to the DHT network. They have more than 500.000 torrents which where classified and have data on peers sharing habits. The slightly twisted feature is the ability to share a link and see what people have been sharing. I promise not to do this but highlights the problem with shortern urls and long query strings you can’t be bother to read or don’t understand how they work (knowledge). Found via Torrentfreak
Find my phone
Man’s smartphone is stolen in Amsterdam, so the same man decides to root another phone and deliberately track the phone. Along with the person who stole it! The results are turned into a video which you can watch on youtube.
Found via Schneier
This is exactly the sort of Internet-of-Things attack that has me worried:
“IoT Goes Nuclear: Creating a ZigBee Chain Reaction” by Eyal Ronen, Colin OFlynn, Adi Shamir and Achi-Or Weingarten.
Abstract: Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.
To put it bluntly, I’ve stopped worrying about whether the public cares about privacy – and I believe privacy advocates should stop worrying about it too.
Unless human rights activists and their philanthropic backers abandon their focus on public opinion, the prospects for reform of mass surveillance will disintegrate.
I’ll go even further. Unless human rights activists and their philanthropic backers abandon their focus on public opinion, the prospects for reform of mass surveillance will disintegrate.
I’m aware that these thoughts might sound wildly contradictory – if not insane. Over the past three years I’ve tested them out on audiences across the world and experienced waves of disbelief. That’s one reason why I’m certain those ideas are on the right track.
In summary, my belief is that too many of us are obsessing about whether X percent of people change their default privacy settings, or whether Y+4 percent “care very much” about privacy – or indeed whether those figures went up or down in the last few months or were influenced by loaded questions, etc etc.
As advocates, we should never buy into that formula; it’s a trap. And for funding organisations to think that way is a betrayal of fundamental rights. A program director for a medium sized philanthropic foundation told me earlier this month that her board had “given up” on privacy because “we can’t measure any change in people’s habits”. I don’t see that equation being used as a measure of the importance of other rights.
In the failed rationale of opinion and user behaviour statistics, the relative importance of privacy depends on the level of active popular interest in the topic. According to some commentators, privacy is a non-issue if only a minority of people actually adopt privacy protection in their social networking or mobile use.
Imagine if that logic extended to other fundamental rights. It would mean that the right to a fair trial would be destabilized every time there was a shift in public sentiment. And it would mean that Unfair Contract protections in consumer law would never have been adopted – replaced instead with a “Buyer Beware” ideology.
Just to be clear, I’m not saying public opinion isn’t relevant. Nor am I saying that public support isn’t a laudable goal. We should always strive to positively influence thoughts and beliefs. It’s certainly true that for some specific campaigns, changing the hearts and minds of the majority is critically important.
The struggle for human rights – or indeed the struggle for progress generally – rarely depended on the involvement of the majority (or even the support of the majority).
However, on the broader level, there’s a risk that we will end up cementing both our belief system and our program objectives to the latest bar talk or some dubiously constructed stats about online user behaviour. Or, at least, the funding organisations will do so.
It seems to me we’ve been collectively sucked into the mindset that privacy protection somehow depends on scale of adoption. That populist formula is killing any hope that this fragile right will survive the overwhelming public lust for greater safety and more useful data.
I’ve noticed an enduring (and possibly growing) argument that public support for privacy is largely theoretical because relatively few people put their beliefs into practice. Conversations on that topic tend to dwell depressingly on public hypocrisy, with detractors pointing out that the general population fails to use the privacy tools that are on offer. Even worse, whole populations avidly feed off the very data streams that they claim to be wary of. Apparently this alleged public disinterest and hypocrisy invalidates arguments for stronger privacy.
(As a side point, I don’t believe that the situation is so black and white. People have become far more privacy aware in recent years, and their expectations of good practice by organisations have increased. People change their behaviour slowly over time, and yet there has been real progress in recent years.)
I also (generally) am less caring of what the general public think about these issues. In recent times, people have convinced me to join different services and tactfully decline. I do sometimes forget my world isn’t the mainstream, and wonder why are we still having these discussions.
Don’t get me wrong, its always interesting good to have the discussion, especially because most people still see privacy in a binary way but when pressed are much less binary about their decisions. A while ago I started calling it data ethics as privacy alone leaves the door open to worries about security for example.
Context and experience has a lot to do with it and in the discussion this becomes much clearer. Just ask anyone who has had their idenity stolen, hacked or abused. Most of the public will never (luckily) experience this.
The personal or private cloud is growing in popularity and I’m starting to see it spring up in the popular tech press more and more. Interestingly I keep starting a blog post then not finishing it because theres not quite enough to talk about. Then I heard Bruce Sterling’s 2012 South by south westtalk (recommended to me by Imran)
“[There’s] a new phenomena that I like to call the Stacks [vertically integrated social media]. And we’ve got five of them — Google, Facebook, Amazon, Apple and Microsoft. The future of the stacks is basically to take over the internet and render it irrelevant. They’re not hostile to the internet — they’re just [looking after] their own situation. And they all think they’ll be the one Stack… and render the others irrelevant. And they’ll all be rendered irrelevant. That’s the future of the Stacks.
People like the Stacks, [because] the internet is scary now — so what’s the problem there? None of them offer any prosperity or security to their human participants, except for their shareholders. The internet has users. Stack people are livestock — ignorant of what’s going on, and moving from on stack to another. The Stacks really, really want to know you’re a dog.
They’re annihilating other media… The Lords of the Stacks. And they’re not bad guys — I’d be happy to buy them a beer. But really, a free people would not be so dependent on a Napoleonic mobile people. What if Mark Zuckerberg trips over a skateboard?
This structure won’t last very long… But you’re really core people for them and their interests. You are them. I’m them.
Bruce is right on the money. The 5 stacks have been trying to outdo each other for many years and see the whole thing as a zero-sum game, death to the end. This is not the way the internet or human society has to work or has to be. On the face of it, they are friendly but like a vicious dog (remember I’m not really a fan of them) they need a certain amount of caution.
Even myself are weary of how much data I hand over to Google. It may seem like I don’ t care but you would be very wrong. If I didn’t care I would sign up for Google Drive storage (I like the idea of being able to search across all my files, something which is tricky with Dropbox), would have moved from Evernote to Google Keep, etc, etc… I tend to keep my data across different stacks and deal with the migration and syncing myself. Its a bit of a pain and boy would it be easier to just dump it in Google’s cloud/stack. But I don’t want that.
I have been experimenting with my own cloud but not found anything yet which works the way I really want it to. The thing about clouds is they should merge and split or in other terms they should seamlessly blend. A personal cloud should consume and work with the other clouds. Now I understand the 5 stacks don’t really want to work with anyone else and will make there clouds/stacks difficult to inter-operate with but it can be done.
The lure of having a cloud which is as powerful and ubiquitous as other the other 5 clouds would be amazing. The advantages are all there but unlike the 5 clouds, you wouldn’t have to worry about it snooping on you and selling data to others. Increasingly more and more of us post Edward Snowdon.would like to something which we could exist and support our own ambitions not the shareholders.
Revelations that many governments of the world are able to collect personal data on-demand has called into question our desire and need to keep everything online. While we want to access and share our content, we want privacy and security as well. Whether it is photos on a social network or work documents in an online storage account, we want to know that we have absolute control of our data because it is ours, regardless of what services we use and regardless of how they choose to manage their Terms of Service.
Ok so were all down with Personal clouds? What are the projects I have been keeping an eye on? Cozy.io, Sparkleshare, Owncloud, Tonido and Amahi. Weirdly the last one isn’t really a Cloud but I’ve looked into turning it into a personal cloud platform.
The problem with the personal clouds is they are a long way off that ready state. They require a lot of hand cranking and can be a massive time and money hog. Which means only those knowledgeable and with enough money can afford the privacy…?
Its a shame but whats new?
Well nothing much but its fascinating what else you can do with your own cloud. I have seen a lot of activity around the idea. For example you have things like tent.io and you got to admire what Bit Torrent inc are doing in the labs, if only it was open source. Would love to use Bittorrent sync across the board but I just don’t trust it more than dropbox. In which case I might as well keep using dropbox? At least they have 2 factor authentication now and full support for Linux. Plus the amount of other cloud services which support dropbox is very high.
Ultimately if the personal cloud is going to really make a dent. It needs to be super flexible, work with others and support features which the others wouldn’t dare (bit torrent is one such feature)
This talk was like no other. Most of the talks were pretty neutral about the web. However Paul literally sucked the air out of the room with his talk about the political mess and security woes the internet has accelerated. Afterwards there was a level of what just happened in the cinema.
Now you can hear/watch and judge for yourselves… but bear in mind this was the last talk after a number of very positive talks about life online
Paul Rogers is Professor of Peace Studies at Bradford University. He worked originally in the biological and environmental sciences, including lecturing at Imperial College, London, but has worked for the past 30 years on international security. He is a consultant to Oxford Research Group, an independent UK think tank, and also writes a weekly analysis of international security issues for www.opendemocracy.net
So I've been using Microsoft Money for quite a while to manage my money but since moving to gnu/Linux, I've not really converted the money file over to anything else. I was checking out the KDE application Money2 but started thinking there has got to be a better way to do this?
Well in steps Mint fresh faced from the Techcrunch conference. When I first heard rumours about it, I thought it was something to do with that terriable credit card company in the UK with the same name. However Mint.com promises to refresh money management by adding all the goodness of Web 2.0.
So I've been checking it out, and to be honest I like what I see but I'm not convinced they can be trusted with my finanical information. Now don't get me wrong I'm no hot shot with millions in the bank but I still wouldn't want what how much I pay for lunch (not a lot thanks to Tesco) in the public domain. I'm not saying Mint are leaking this information, I'm just not sure. I've been reading there Privicy policy and it all looks ok but I have this naggy feeling that this is dangerious and should be avoided for a while longer, at least let someone else be the test muppet. I had this feeling when I first heard about Paypal and to be honest I do use it but tend not to keep money in it for long and I use its most basic features. All those advanced features like hooking it into your bank i've avoided because it worries me. Although in a recent episode of Security now, Paypal's Director of Account protection was on talking about the levels of security and privicy they have for users of their service. SecureID was one of the solutions and to be honest, if my bank offered that, I would gladly use it.
I guess my fear of using Mint is a little overboard but like linking my facebook profile to some of the other sites I use, I think somethings are maybe left alone till I can trust them. Trust is a funny thing, I mean I trust my bank, paypal, amazon, Tesco, Plaxo, etc. But I don't trust Facebook, Mint, etc with my credit card details. They haven't been around long enough to prove their trustworthness. There rep is 0 in my book. I need Facebook to stop mining my information and start offering me real uses. Mint I guess will have to rely on good feedback from people on there own blogs before I start using it.
Have they never heard of Open ID? Simon Wilison was right, all startups should use Open ID if they want people to use their service. Now Mint you've lost a customer because although I could make up a zip code, why the hell should I?
After listening to Security now Episode 58, I had write a quick blog post to warn people about this very (I would say) critical flaw in Windows XP and IE. I have temporarily patched my systems by unregistering the VGX DLL. I would highly suggest everyone do the same by copying the following code into your run dialog box and restarting your machine.
A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.
In the vein of the cluetrain manfesto, Devanshu posted a great post with 95 points about geek activism. Honestly there pretty awesome, but here's my favorate…
Violating a license agreement is not theft.
All corporations are not on your side.
Everything will enter the public domain some day- even Mickey Mouse.
Trusted computers must not be trusted.
Proprietary data formats must never store public information.
Fair use is a good thing.
Use multiple operating systems regularly so you truly understand interoperability.
Data mining will not stop terror.
Express your opinion in public
Security is a trade-off- what are you willing to give up?
Use Creative Commons
Understand the difference between civil disobedience and breaking the law.
Support the free, public domain archives of information.
Undermine censorship by publishing information censored in oppressive countries.
Voicing your views in a Slashdot comment thread is good, in your own blog is better, but in places that non-geeks frequent is best.
Have a global perspective in ideas of geek civil liberties, intellectual property rights and so forth. Do you like your country’s policies in this respect? Can you help people from another country?
Make sure that if a vendor locks you in, you lock them out.
Linux is no longer a philosophy- it is a good piece of software. Use it if it fits your needs.
More information available to the most number of people is a good thing.
Read our modern geek philosophers- read Bruce Perens, Cory Doctorow, Bruce Sterling and even Richard Stallman. Read Schneier to find practical reasons why stupid security mechanisms are stupid. Read them even if you disagree with them- it will help frame your point of view.
DRM only keeps an honest user honest.
Be proud of being a geek, a gamer, a privacy advocate, promoter of free speech and an innovator without fear of litigation, of government or restrictions on liberties- a geek activist.