Perhaps the most worrying moment of the hearing was when Senator Sinema brought up TechCrunch’s article citing that “The real risk of Libra is crooked developers.” There I wrote that Facebook’s VP of product Kevin Weil told me that “There are no plans for the Libra Association to take a role in actively vetting [developers],” which I believe leaves the door open to a crypto Cambridge Analytica situation where shady developers steal users’ money, not just their data.
Reality update: Data protection commissioner: use of Microsoft Office 365 in schools is inadmissible | heise online … :
“Microsoft Office 365 may, in its standard configuration, currently not be used in schools because of privacy problems for its users. The Hessian data protection commissioner Michael Ronellenfitsch came to this conclusion because personal data of children and teachers would be stored in the cloud. Even if the associated servers were located in Europe, the information would be “exposed to possible access by US authorities”.”
“That’s important, because the concerns and beliefs of that “novel alliance” are closely aligned with those of the Free Software community. The new-found interest in hitherto obscure aspects of the online world and its software are an opportunity for the Open Source world to increase awareness of what it does, and to garner support for its activities. The potential for spreading the word is huge: over five million people signed an EU petition against upload filters, and 200,000 took to the streets to protest. Where new digital rights initiatives are set up to harness the recent mobilization of “digital natives”, free software coders can help people understand that open source is a key part of the solution to the problems they seek to address.”
Don’t think about what that really means or implies in terms of testing, processes, management and security. Crazy.
My theory is that the Greens are so successful because they join in on more and more of the stupidities that the former big-tent parties also do or would have done. How stupid do you have to be????
Reality update: Massive attacks on PGP-Keyservers, gazillion old and untrusted keys. Sorry, folks, but the web of trust didn’t work, not with that infrastructure. Here’s what you might want to do, what might help:
Go to keys.openpgp.org and upload and confirm your key(s) – I took the liberty of highlighting the important facts…:
“Launching a new keyserver!
From a community effort by Enigmail, OpenKeychain, and Sequoia PGP, we are pleased to announce the launch of the new public OpenPGP keyserver keys.openpgp.org!
Give me the short story!
Fast and reliable. No wait times, no downtimes, no inconsistencies.
Precise. Searches return only a single key, which allows for easy key discovery.
Validating. Identities are only published with consent, while non-identity information is freely distributed.
Deletable. Users can delete personal information with a simple e-mail confirmation.
Built on Rust, powered by Sequoia PGP – free and open source, running AGPLv3. Get started right now by uploading your key!”
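The upload-and-confirm step above, done programmatically, as an added example that is neither the announcement’s nor this blog’s code: it talks to the VKS API that keys.openpgp.org documents (upload, then request-verify), and the fingerprint, token and addresses in the sample reply are constructed; the status values it interprets (published, unpublished, pending, revoked) are assumed from that API’s documentation.

```python
import json
import re
import urllib.request

KEYSERVER = "https://keys.openpgp.org"
V4_FPR = re.compile(r"^[0-9A-F]{40}$")  # a v4 fingerprint is 40 hex digits

# Constructed sample of a /vks/v1/upload reply (fake fingerprint, token, addresses).
# "published" = searchable; "unpublished" = never confirmed, so withheld from searches.
SAMPLE_UPLOAD_RESPONSE = {
    "key_fpr": "0123456789ABCDEF0123456789ABCDEF01234567",
    "status": {"alice@example.org": "published",
               "alice@example.net": "unpublished",
               "old@example.org": "revoked"},
    "token": "constructed-token",
}

def _post_json(path, payload):
    """POST a JSON body to the keyserver and decode the JSON reply (network)."""
    req = urllib.request.Request(
        KEYSERVER + path, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def lookup_url(fingerprint):
    """URL that returns exactly one key; tolerates spaces/lowercase, rejects junk."""
    fpr = fingerprint.replace(" ", "").upper()
    if not V4_FPR.match(fpr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return f"{KEYSERVER}/vks/v1/by-fingerprint/{fpr}"

def identities_by_status(upload_response):
    """Group the user IDs of an upload reply by their publication status."""
    groups = {}
    for address, status in upload_response.get("status", {}).items():
        groups.setdefault(status, []).append(address)
    return {status: sorted(addrs) for status, addrs in groups.items()}

def publish_key(armored_key):
    """Upload an armored public key, then ask for confirmation mails for every
    user ID the server has not published yet; returns (fingerprint, addresses)."""
    upload = _post_json("/vks/v1/upload", {"keytext": armored_key})
    targets = identities_by_status(upload).get("unpublished", [])
    if targets:  # only addresses whose owner confirms become searchable
        _post_json("/vks/v1/request-verify",
                   {"token": upload["token"], "addresses": targets})
    return upload["key_fpr"], targets
```

Only `publish_key` touches the network; the other two functions can be exercised offline against the constructed reply.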
Facebook’s Libra is the last thing the world needs – big tech’s use of our data threatens to intrude even on financial transactions
So true, and I am happy that I was allowed to partially witness that in Brussels. It’s the right way to go, and others will follow.
“The project will reference the world-leading Global Data Protection Regulation developed by the European Union. Under the regulation, the idea that you control your data footprint has been accepted and embedded with privacy protocols placing enforceable rules on how corporations harvest and then monetise personal information. Protections include the right to be unknown and the right to be able to delete your personal records from a business that is holding them. It also includes rights for portability of data allowing, for instance, a user to take their data with them when they change banks, obligations on a business to delete a customer’s records when the customer takes their business elsewhere, as well as stringent data-handling protocols. Adopting these principles in Australia would be a significant step towards taking responsibility for the way the digital economy affects our privacy.”
“Without end-to-end encryption, Gmail confidential mode is little more than a marketing strategy. Learn why privacy experts call Google’s privacy features “misleading.””
RAMBleed Attack – Flip Bits to Steal Sensitive Data from Computer Memory … :
“Dubbed RAMBleed and identified as CVE-2019-0174, the new attack is based on a well-known class of DRAM side channel attack called Rowhammer, various variants [GLitch, RAMpage, Throwhammer, Nethammer, Drammer] of which have been demonstrated by researchers in recent years.”
Once again Europe just doesn’t realize how far ahead we are in some technical, economic and social things. Wake up, lady!
“G.D.P.R. establishes several privacy rights that do not exist in the United States — including a requirement for companies to inform users about their data practices and receive explicit permission before collecting any personal information. Although Americans cannot legally avail themselves of specific rights under G.D.P.R., the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans’ digital privacy rights than their own Congress.”
“Forward-thinking legislation — and the public hearings that would inform its passage — are urgently needed. Americans deserve a robust discussion of what privacy rights they are entitled to and strong privacy laws to protect them.”
“Congress should seize the moment and the public momentum to enshrine digital privacy rights into federal law.”
Reality update: Encryption in 5G: “The race is lost” | heise online … :
“Encryption of network traffic that not even the network operator can decrypt was, from the perspective of the companies involved in the standardization, ruled out by existing surveillance laws.”
Reality update: How does Apple (privately) find your offline devices? – A Few Thoughts on Cryptographic Engineering … :
“The idea of the new system is to turn Apple’s existing network of iPhones into a massive crowdsourced location tracking system. Every active iPhone will continuously monitor for BLE beacon messages that might be coming from a lost device.”
I wonder how long it will take until authorities want to use that for prosecution. I wonder if secret services aren’t already doing so. What a brilliant idea. I suggest watching Iron Sky 2.
Who on earth votes for such enemies of the constitution?
5G: Justice ministers want to prevent too much security – SPIEGEL ONLINE … :
“End-to-end encryption as a risk factor”
“the fact that in 5G end devices can partly communicate directly with one another, without a detour via a provider’s central servers – which, however, is also where the police’s wiretap interfaces sit.”
“The interior ministers also want a ‘duty of cooperation for providers’”
I published an article on that in Heise IX in 2017. So long ago, so long expiration…
Password expiration is dead, long live your passwords
This is interesting. Back to Firefox? Or will Google turn around? They have got a lot of shitstorms back, in advance – since this is not fully decided yet. But it shows a lot of the “Don’t be evil” attitude. Even Google is a business-oriented enterprise, and thus wants to make money. What a surprise. I wonder what the security people say and think. A large part of successful attacks today utilize ads and ad-lookalikes…
Chrome to limit full ad blocking extensions to enterprise users – 9to5Google
“The lead developer of uBlock Origin, Raymond Hill, has commented on the situation, both to The Register and on uBlock Origin’s GitHub, pointing out that allowing ad blockers goes completely against Google’s business model.
‘Google’s primary business is incompatible with unimpeded content blocking. Now that the Google Chrome product has achieved high market share, the content blocking concerns as stated in its 10K filing are being tackled.’
Google themselves have even admitted as such in a recent SEC Form 10-K filing by Alphabet, uncovered by Hill, in which ad blocking extensions are labeled as a “risk factor” to Google’s revenues.
‘New and existing technologies could affect our ability to customize ads and/or could block ads online, which would harm our business.’”
The article also links to the interesting FCC risk assessment paper Google has to file. A nice read.
Reality update: GitHub – good-lly/gdpr-documents: 🇪🇺 Your Right to be Informed and Erased. The General Data Protection Regulation (EU) 2016/679 (“GDPR”) documents for personal use. … :
“After one of the Equifax data breaches & one year after the feared GDPR came into force, a team of lawyers decided to explore the state of data protection of European banks & credit scoring entities. At first, we did research on available GDPR requests but found next to nothing. The vast majority of information is advising companies on how to fend off personal data inquiries. This saddened us, as financial institutions gather massive amounts of detailed information about us. We expected that more people would want to exercise their right to know. To shift this imbalance a little, we created our own request templates. Currently only the “Data Access” request is available, but stay tuned – the Erase template is coming soon.”