Domain: ccc.de
Stories and comments across the archive that link to ccc.de.
Comments · 441
-
Re:Don't have anything for them to find
Wouldn't be surprised if Microsoft caved. The architecture of Skype changed when Microsoft bought the company, it's no longer p2p. They are really helpful with providing access to data of former Hotmail.
But a much bigger problem is the rules in the US (at least for us foreigners; I'm in Europe, but they'll probably get the data of the people in the US too):
https://media.ccc.de/v/31c3_-_...
The rules talk about remote compute, so my guess is it applies to VPS, 'cloud computing'/IaaS, PaaS, SaaS and all those kinds of services.
My problem is not with my data, I know where my data is and if it's encrypted. I put it there.
The problem is with companies that have data about me: insurance companies, banks, telecom providers and the 3rd parties they deal with. I do not directly control where they keep my data.
-
Re:Credentials
It's only a matter of time before someone figures out how to print fake fingerprints as some sort of stamp, or at the very least transfer them to gummy bears.
You mean like how the CCC theoretically defeated TouchID on the iPhone [1]? A pretty basic process, all you need is a 2400 dpi scanner, photo-sensitive PCB, graphite spray, a very nice pristine stray fingerprint (on a glass), and lots and lots of free time and determination.
Theoretically automated, but basic brute-force defenses and secondary factors would render such an attack unreliable.
-
Re:Technology, not politics
Not only that: if you really care about this problem, you need to not have the encryption keys on a machine you don't trust. I would keep the server hardware close.
Don't use VMs or servers from cloud/hosting providers (maybe dedicated colo servers in a cage with an alarm on it?). Or host it yourself. That is the only way to be sure who has access to the hardware.
Also keep it in the same jurisdiction as yourself, dealing with multiple governments just makes things more complicated.
Some more background about the (US) laws from a European perspective:
http://media.ccc.de/browse/con...
Everything else is just silly business because there is no way encryption can save you from an attacker with physical access.
Just look at all the buggy IPMI implementations. You have to remember these devices have direct access to RAM (if you decrypt/encrypt data on the server, that is where your unencrypted data is).
Unless: you are only storing encrypted data, you probably don't need machines/VMs for that.
Or your application needs to be designed and built to only store/use encrypted data on the server, like with homomorphic encryption:
https://www.youtube.com/watch?...
And the "designed for homomorphic encryption" part is important, so you don't leak any data by accident.
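A worked example of the "server only ever holds ciphertext" design the comment above points at, added here; it is not code from the original post or from the linked talk. It implements Paillier, which is additively homomorphic (sums and scalar multiples of encrypted values, not arbitrary computation): the server, holding only the public key, aggregates the clients' encrypted counts and never sees a plaintext. The primes are constructed 20-bit demo values so the arithmetic is easy to follow; a real deployment would use primes of 1024 bits or more. The function and variable names are this example's own.

```python
"""Paillier: additively homomorphic encryption, server-side aggregation demo."""
import random
from math import gcd

# Constructed demo primes (about 20 bits each). Real deployments use
# 1024-bit-plus primes; these only keep the numbers small for reading.
DEMO_P = 1000003
DEMO_Q = 1000033


def _lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p=DEMO_P, q=DEMO_Q):
    """Return ((n, g), (lam, mu)).

    With g = n + 1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n.
    Requires gcd(p*q, (p-1)*(q-1)) == 1, which holds for the demo primes.
    """
    n = p * q
    lam = _lcm(p - 1, q - 1)
    g = n + 1
    mu = pow(lam, -1, n)  # modular inverse, Python 3.8+
    return (n, g), (lam, mu)


def encrypt(pub, m, rng=random.SystemRandom()):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n (randomized)."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) // n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    x = pow(c, lam, n2)
    return ((x - 1) // n * mu) % n


# Server-side operations: only the public key and ciphertexts are needed.
def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 is an encryption of (m1 + m2) mod n."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """E(m)^k mod n^2 is an encryption of (k * m) mod n for a plaintext k."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_total(pub, ciphertexts):
    """Sum a batch of ciphertexts without decrypting any of them."""
    total = encrypt(pub, 0)  # fresh encryption of zero as the neutral element
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    """Client encrypts per-day counts, server aggregates blind, key holder decrypts."""
    pub, priv = keygen()
    counts = [17, 4, 42, 0, 9]                 # constructed sample plaintexts
    cts = [encrypt(pub, m) for m in counts]    # what the server stores
    agg = encrypted_total(pub, cts)            # server: no key, no plaintext
    doubled = scale_encrypted(pub, agg, 2)     # server: scale by a public constant
    return decrypt(pub, priv, agg), decrypt(pub, priv, doubled)


if __name__ == "__main__":
    print(demo())
```

The design point the comment makes is visible in `encrypted_total`: the server's code path has no access to `priv` at all, so a compromise of that host (IPMI, DMA, a hostile hypervisor) exposes ciphertext and the public key only. Note that the scheme is malleable by construction (anyone can add to or scale a ciphertext), so integrity has to come from a separate MAC or signature over the ciphertexts.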
-
National Security Letters
Librarians were also among the first to fight the National Security Letters:
-
Real-world case
In the parliamentary elections of September 2013, more than 250 000 Norwegians in selected municipalities were able to vote from home. They were taking part in a national trial of Internet voting, building on an advanced cryptographic protocol. Follow the link below for a talk about the technology behind it, presented at the last Chaos Computer Conference by Tor E. Bjørstad:
http://media.ccc.de/browse/con...
-
Now you have two problems.
>> If any electronic voting system is going to work, it would be a system that prints what you've voted so the voter can see what he/she voted. And then you have a separate electronic counting of those pieces of paper.
>> Now I know in the past they had somewhat similar systems in the US and they had problems with printers not working, so I don't know if they'll ever get it right.
>> There are also a whole lot of people who use terms like math/encryption or blockchain.
>> So far I haven't seen a system that works.
>> It does however make for interesting presentations:
>> http://media.ccc.de/browse/con...
Good lord, that did not make the problem better; you just have all the problems of both and none of the advantages.
And a photo of any such paper would allow you to prove how you voted, which is antithetical to the secret ballot. Conversely, a photo of a marked paper ballot is not proof of how you voted, since it's not counted until it is invisible in the ballot box or optical scan. The voting machine makers tried to do something like that with a rolled continuous paper ballot printer the voter could see. However, these tape ballots, which were longer than a football field, proved impossible to manipulate for recounting. With cut sheets it's easy to divide them into piles for any race and then have the observers help you recount the piles. It takes very little time to sort and recount fixed-page paper ballots for any given race being recounted. Not so with the toilet paper rolls. Furthermore, paper jams and printer malfunctions made these unreliable. Paper ballots don't have that problem, and if the opscan jams they can be counted later after putting them in a locked ballot box.
Finally, when a machine does go down or a church bus shows up to vote all at once, long lines ensue. When a pen breaks on a paper ballot you get more pens, and you can have as many voting stations as you like.
Finally, which record is the actual record in case of a discrepancy: the electronic one or the paper one? Ideally you want one traceable to the voter's marking action, not her click-through glance at a printed paper ballot. With DREs the errors happen during the clumsy touch-screen process (e.g. if you can't make a fist with one finger extended (people with rheumatoid arthritis can't) then you can't use a touch screen accurately); the touchscreens get out of calibration, and programming errors result in incorrect recording of votes. Pens on paper are generally more accessible (even though DREs can offer some handicap-accessible features) and record the voter's intent directly.
>> That way you have faster counting of votes and still everything on paper as back up.
Faster? No, slower. Precinct counting is not the slow part: the optical scans of paper count instantly. The rate limits are how many voters can vote at the same time (paper ballots win) and the protocols for collation to central tabulation of the precincts (for which there's no difference between opscan and DRE voting machines).
-
Re:I'd Like To See Electronic Voting Work
If any electronic voting system is going to work, it would be a system that prints what you've voted so the voter can see what he/she voted. And then you have a separate electronic counting of those pieces of paper.
That way you have faster counting of votes and still everything on paper as back up.
Now I know in the past they had somewhat similar systems in the US and they had problems with printers not working, so I don't know if they'll ever get it right.
There are also a whole lot of people who use terms like math/encryption or blockchain.
So far I haven't seen a system that works.
It does however make for interesting presentations:
http://media.ccc.de/browse/con...
-
The Black Chamber started in 1920
They were bulk collecting telegraphs at the time.
There was a great talk on 31C3 (Chaos Communication Congress), the largest hacker conference in Europe: "Tell no-one: A century of secret deals between the NSA and the telecom industry".
The talk can be found on youtube as well.
-
Re:Hiding it and always was a bad idea
>> Then things got a lot more complicated. We started building verification code into the first bytes of the data and added an icon to tell humans what it was.
This fails. OSes still largely use extensions for identification.
Identification and verification are both broken because there is no standard file header for that.
Extensions still give an easy method. Not reliable (because users/spoofers mess with it), but easy to use and cross-platform and cross-format.
The big advantage of using extensions is that it is backwards compatible. Header identification would require rewriting every single file format, as well as all software using it. That will not happen.
See some examples of identification/verification abuse:
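An added example of the extension-versus-header gap discussed in the comment above; it is not code from the original post. It identifies a file by the bytes at its start (the way `file`/libmagic does, with a deliberately small constructed signature table rather than libmagic's full database), compares that with what the extension claims, and reports the mismatch. The sample files are constructed byte strings, not real documents; the signature table, extension map and function names are this example's own assumptions.

```python
"""Content-based file type identification versus trusting the extension."""
import os

# Constructed signature table: (type, offset, magic bytes). libmagic carries
# thousands of entries; this is a small subset for illustration.
SIGNATURES = [
    ("elf", 0, b"\x7fELF"),
    ("pe", 0, b"MZ"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF87a"),
    ("gif", 0, b"GIF89a"),
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("zip", 0, b"PK\x03\x04"),
    ("pdf", 0, b"%PDF-"),
    ("gzip", 0, b"\x1f\x8b"),
]

# What each extension claims the content is. A mismatch is a signal, not proof:
# OOXML documents and JARs really are ZIP containers, for instance.
EXTENSION_TYPES = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe", ".so": "elf",
    ".png": "png", ".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".jar": "zip", ".apk": "zip",
    ".pdf": "pdf", ".gz": "gzip",
}


def identify(data):
    """Return the content type from header bytes, or None if nothing matches.

    The PDF specification tolerates junk before the header (readers search
    the first 1024 bytes), so "%PDF-" is also searched in that window.
    """
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return None


def check(filename, data):
    """Compare the extension's claim with what the bytes say.

    Only the last extension counts, because that is what the OS dispatches
    on: "photo.jpg.exe" is an executable however it is displayed.
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext)
    actual = identify(data)
    if actual is None:
        verdict = "unknown-content"
    elif claimed is None:
        verdict = "unmapped-extension"
    elif claimed == actual:
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return {"file": filename, "claimed": claimed, "actual": actual, "verdict": verdict}


# Constructed sample inputs (not real files).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 12,
    "notes.txt": b"plain text, nothing to match\n",
    "slides.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 8,
    "junk.pdf": b"\x00" * 200 + b"%PDF-1.4\n",
}


def scan_samples():
    """Run check() over the constructed samples; returns {filename: verdict}."""
    return {name: check(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check(name, data))
```

The "mismatch" verdict on `invoice.pdf` is the case the comment is about: the extension tells the desktop to open a PDF viewer, while the bytes are a PE executable. The `junk.pdf` case shows why a naive offset-zero check is not enough for formats whose own readers are lenient about leading bytes.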
-
Re:Call me paraniod, but ...
I doubt it. They are in the business of selling products and services, they don't care what they can sell. They are a business trying to make money and stay relevant.
If running a porn streaming service wouldn't damage their image and was something they thought they knew how to run well and make good money on, I'm sure they would just add it to their list of services.
Now to be a bit more specific, of course they want your data. You see this happening especially on the consumer side.
For example: where can I get a copy of SkyDrive/OneDrive/whatever which I can run on my own systems ?
Anyway, I can't use Azure, I'm a foreigner:
http://media.ccc.de/browse/con...
-
Re:Was discussed at 31c3
of course, since like 2 days after the conference ended. http://media.ccc.de/browse/con...
-
Re:So to circumvent the screen locker...
Also, for a different perspective. Look at this: http://media.ccc.de/browse/con...
...Because a talking head delivering 60 seconds' worth of information spread out over 10 minutes is so much better than a readable, grep-able transcript.
-
Re:So to circumvent the screen locker...
Exactly. That you should only use ssh to tunnel X and only between trusted hosts is well known. It would be nice if you could run untrusted clients on X (and the X security extension was meant for this), but nobody seems to work on this. This would be vastly more useful IMHO than re-building everything on top of a dumbed down protocol: Wayland.
The solution the Wayland guys offer for remote desktop: Use RDP. As if this proprietary protocol from Microsoft never had security problems....
Also, for a different perspective. Look at this:
http://media.ccc.de/browse/con...
... and don't jump to conclusions based on the title. Just watch and pay attention, especially with respect to the comments about the security of core X11 vs. Qt. And then maybe don't use KD anymore.
In my opinion, breaking compatibility with the X protocol would be the biggest strategic blunder the Linux community could make. Even bigger than messing with the GUI in stupid ways exactly when everybody using Windows is frustrated with the GUI.
-
Re:Pedantic, but...
Liked the size relation between the gnu part of the system and the linux part:
http://media.ccc.de/browse/con...
-
Re:Liberated? What about the hardware?
You have to take steps to make progress. You can take something useful and make it more open (like librem) or you could start from scratch and make something very basic that is completely open.
You can take bigger strides towards openness and get something like Novena, but then you make other sacrifices (size, cost, performance).
I guess if you had infinite money you could make a high spec, completely opensource laptop.
interesting that you should say this
:) i am taking a different approach. i am also developing a laptop where the goal is to reach FSF-Endorseability *and* high-end specs. i am doing it one phase at a time, as you suggest... however where instead of having infinite money i am instead using creativity and ingenuity (posh words for "persistent bloody-mindedness combined with desperation stroke eye-popping frustration").sooo, i decided to go the "modular" route, but had to first create a decent hardware standard - one that will still be here in 10 years time but is simple enough for the average person (or a 5-year-old, or an 80-year-old) to use. it's based on an old "Memory Card" standard - you may have heard how PCMCIA is no longer being used? well, the case-work is still around
:) so, re-using PCMCIA it is. and all the benefits of "Memory Card", you now get "Computer Card".. upgradeable, swappable, saleable, transferrable, storable "Computer" Card. ... but then, of course, because of that, yaay, you now have to design entirely new casework, not just a motherboard. talking to casework suppliers didn't um go so well, so i have to do it. bought a mendel90 6 months ago... ... but mendel90's don't do injection-moulded plastics, they do 3d-printed filament plastics. and when presented with a potential $USD 20,000 cost for creating injection-moulding (you send your STL files off, someone adapts them, CNCs out two steel halves and then a little *team* of chinese people sit there for weeks on end polishing out all the CNC burrs.... then you find out it's *completely wrong* and have *another* $USD 20,000 to pay... no wonder ODMs quote $USD 250,000 for developing laptops!!!) ... anyway so that's all completely insane, so i thought, "hmm, i wonder if you can create reverse-3d-printed moulds to do injection-mould prototyping" and it turns out that you can. so i could at least - on a low budget - make a few runs out of very-low-temperature plastic (so as not to burst the 3d-printed plastic under pressure), hell i could even use plasticine for goodness sake, just to get a proof-of-concept, *then*.... and this is the hilarious bit.... there's a girl who's been doing LostPLA home-grown aluminium casting.... *using 1500W microwave ovens* :)
http://media.ccc.de/browse/con...
so in theory i could quite conceivably even try doing the casting of the inverse-moulds for plastic injection *myself*, out of landfill-designated aluminium bicycle rims. do watch that talk: julia is surprisingly subtly funny, there were lots of jokes that the audience didn't get (not a native english speaking audience), and a few later that they did.
bottom line it *can* be done... if you make the decision, and damn well stick at it until success. if you're interested to follow along, here's the links:
* micro-desktop (launching very soon) which has the first EOMA68 module: https://www.crowdsupply.com/eo...
* the 7in tablet (due to go to assembly this week) http://rhombus-tech.net/commun...
* the 15.6in laptop (currently developing the casework) http://rhombus-tech.net/commun...
on the laptop - as yo
-
Re:Secret Ballot?
Yes, it's really hard.
Lots of people have tried, for years now, they've all failed:
http://media.ccc.de/browse/con...
Things that might look good in theory still turn out to be a big fail in practice. Even just getting the implementations right is really, really hard.
Using a blockchain will probably fail too.
Remember, if we knew how to make Bitcoin or Darkcoin/Darkwallet/Darksend/Coinjoin/etc. really, really anonymous, we would have already done it.
-
Re:Wow
Nope, unfortunately, a big chunk of NK laptops are under windows too
See here for a much better insight than the article:
http://media.ccc.de/browse/con...
-
Re:true, but daily hacks
Also as a foreigner I'm now a 100% sure I can't put my data in a US cloud:
-
Some more information
Not only does this app detect suspicious network configurations and behaviors on your phone, you can also optionally upload your results to improve a web site where the security level and abnormal behavior of networks worldwide is crowdsourced: gsmmap.org.
The app, the theory behind it and information about other attack vectors besides IMSI catchers, SS7 in particular, were presented at the 2014 Chaos Communication Congress in Hamburg, Germany. You can download videos of the talks by Tobias Engel and Karsten Nohl. Of course those weren't the only interesting talks. Almost all recordings should be available on the CCC-TV page by now. There are more SS7 talks, but for something different I recommend this presentation. OMFG.
-
That would be 31C3, Chaos Communication Congress
The hacker conference is the 31st Chaos Communication Congress, organized by the Chaos Computer Club. As usual, it is held between Christmas and New Year, and talks are streamed live and made available for download shortly after.
Various groups provide network services to the attending hackers, including wired and wireless networks with multi-gigabit internet links, a DECT phone network covering the congress center, a GSM mobile phone network (on spectrum specifically licensed for this purpose), and even a pneumatic tube network.
-
original story
Original story:
http://it.slashdot.org/story/1...
CCC talk:
http://media.ccc.de/browse/con...
-
That has been possible from the start of GSM
When I read about such techniques in a presentation from the 25C3 conference in 2008 it was not news to me even then. http://events.ccc.de/congress/...
-
Chaos Communication Congress
The Chaos Communication Congress is an annual conference in Hamburg, Germany (previously in Berlin, Germany). It is held between Christmas and New Year. You can review previous schedules and download recordings. Most talks are in English, some in German. There are also workshops and podiums.
-
Re:Some questions
>> Someone gets an Office file, modifies it with LO, sends it back. Then they receive the e-mail "hey buddy, everything looks wrong". What happens now?
Not a problem. Everybody uses Libre, and that's the whole point of migrations well done.
>> How much of those €1M savings will be used to sponsor LibreOffice?
Don't know for Toulouse, but Munich contributed a lot back, in the form of a kind of framework, at least.
>> Can we please hear a "status update" of these cities or governments switching to OSS?
https://media.ccc.de/browse/co...
https://www.google.com/search?...
-
Re:Someone is lying.
The parent didn't link to a direct source for his claim, but this was talked about during the 30th chaos communication congress (a really interesting conference, by the way. You can find other talks here).
-
Re:Meh
It is somewhere part of a possible German talk which should be on http://media.ccc.de/ about biometrics and statistics from countries who create passports with biometrics.
If you can understand German, I'm willing to look for it; I might eventually remember which one it is.
-
Yes, and changing that is not an option
You mean if one were to send an email from Munich to Paris, it'd cross the Atlantic and come back?
NSA aside, that's a pretty sucky setup.
It's how the Internet works. To quote directly from the experts: A target's phone call, e-mail or chat will take the cheapest path, not the physically most direct path.
Physical distance is not as important as congestion on the routes. So it might very well be that your data takes a much longer path than what you'd think, simply because it uses the fastest way, not the shortest.
Angela Merkel's approach is pretty idiotic, and it cannot fix the problems. First of all, most emails are routed through the US either because the sender or the recipient has an American email provider (Germans love Gmail, too). Secondly, even if that is not the case, can you be sure that the NSA doesn't spy on traffic in Frankfurt? It wouldn't surprise me.
Only true end-to-end encryption can be a solution. The government in Germany is currently pushing for DE-Mail, which relies on transport encryption only. So that means that your email provider can still snoop and so can the German government, which is probably the reason why they designed it like that in the first place. End-to-end encryption would have been possible, especially since the German government is spending much money rolling out their own PKI, with keys for every citizen right on their new national ID card.
There's a presentation about DE-Mail from last December's Chaos Communication Congress, it's worth watching (video also has an audio track with English translations).
-
Re:TMN
The NSA's linguistic analysis capabilities are way beyond simple keyword insertion. There is a (German) talk from the 30c3 available on this topic.
-
Re:huh?
Not according to Jacob Appelbaum's (lead developer of TOR) latest talk at 30C3.
-
Re:Any drones yet?
The YouTube stream is not an official mirror; look at the same talk on media.ccc.de.
-
Re:Obligatory YouTube link
-
Re:If your machines have been owned ..
Or in Tamagotchis or in SD-card controllers.
-
From the 30c3 Electronic Bank Robberies talk
-
Anyone can do it from 2009
26th Chaos Communication Congress, 2009:
http://media.ccc.de/browse/congress/2009/26c3-3654-en-gsm_srsly.html
It is already well known that you can break A5/1 offline anytime you want, and at the 26th CCC there was the "GSM: SRSLY?" talk which outlined the 2 main problems of GSM and UMTS.
GSM A5/1 can be broken (and they give plenty of details), but it is not used in UMTS. No worries, for UMTS you just need a fake station and you are set. No offline decoding though.
-
RTOS on the chip that controls wireless, etc.
There was an article posted on either slashdot or boingboing which linked to the following: http://events.ccc.de/congress/2011/Fahrplan/attachments/2022_11-ccc-qcombbdbg.pdf Summary: the (usually) proprietary firmware on the chip that controls real-time functions such as wireless communication (which requires so many different standards to be adhered to that it ends up being a real mess and rarely rewritten) is surprisingly easy to hack. I believe there was a quote that you could get remote code execution after sending it a string of less than 100 bytes. It also mentioned that the chip with the main OS is often a slave to the one with the RTOS. Just curious if anyone knows if CyanogenMod accounts for this particular type of security vulnerability.
-
Re:Different fingers
-
Re:Fingerprint database, anyone?
Yep, no injecting needed, a bit of work perhaps. http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
-
This is also a video you should watch about this
http://www.youtube.com/watch?v=eT2fQu50sMs
http://events.ccc.de/congress/2010/Fahrplan/events/4263.en.html
The importance of resisting Excessive Government Surveillance [27C3]
About "National Security Letters".
-
Previously: see Nicholas Merrill
Nicholas Merrill stood up to this before, and even gave a talk at 27C3 about it. It's seriously worth watching.
Favourite quote? Paraphrased somewhat: "If I say something wrong about the gag order, I go to jail for 10 years; if those in power get it wrong in front of Congress, they just say sorry."
-
Link to video (no youtube)
http://mirror.fem-net.de/CCC/29C3/mp4-h264-HQ/29c3-5024-en-hackers_as_a_highrisk_population_h264.mp4
and other mirrors at https://events.ccc.de/congress/2012/wiki/Documentation#CCC-TV
Cut google from the loop, they already know enough about you!
-
Re:So, this is some hippie slap-fight, right?
Ada foundation was perfectly reasonable in making a recommendation they were ASKED to make given the limited information that was available to them.
Ada Initiative confused a hacker convention -- which, as hackers are a subculture, includes cultural elements -- with a technical conference. They got upset about a planned discussion of sex and drugs in that culture.
Ada Initiative Mega-Fail.