Hundreds of millions of years missing – the great unconformity

Interesting article, news in the media, too: The Great Unconformity … :

It is fitting that the Grand Canyon should contain some of the best exposures of The Great Unconformity — the gap in the rock record between Cambrian times (~550 m.y. ago) and the pre-Cambrian (anything earlier). An unconformity is a surface in the rock record, in the stratigraphic column, representing a time from which no rocks are preserved. It could represent a time when no rocks were formed, or a time when rocks were formed but then eroded away.

How Facebook is killing democracy – all the facts so far

Iafrikan.com has a nice overview of the Facebook/Cambridge story so far. This story is full of links to the first-hand sources: How Facebook is killing democracy … :

A Cambridge Analytica executive explained: “There are two fundamental human drivers … hopes and fears … and many of those are unspoken and even unconscious. You didn’t know that was a fear until you saw something that evoked that reaction from you. Our job is … to understand those really deep-seated underlying fears, concerns. It’s no good fighting an election campaign on the facts because actually it’s all about emotion.”

Apple: Siri talks too much and reveals secret content (German/Spanish)

Reality update: Sicherheitsproblem: Siri verrät Inhalte gesperrter Benachrichtigungen – Golem.de … :

As long as Apple has not corrected the bug, the problem can only be fixed by deactivating lock-screen notifications for sensitive applications. (…) The problem is also present in the current beta version of iOS 11.3.

(Only mitigation is to deactivate messages on the lock screen, also iOS 11.3 Beta is affected.) 

If you understand Spanish, here’s the link to MacMagazine that discovered the flaw

Fined 2 trillion? Seems like Facebook has a problem.

Reality update: The FTC Is Powerless to Regulate Facebook Right Now. Ask Chuck Schumer Why. … :

The consent decree authorizes the FTC to fine Facebook $40,000 per violation per day; if applied to 50 million users, the potential exposure equals at least $2 trillion. This is likely not limited to Cambridge Analytica, as Facebook’s policies on third-party developers acquiring user data are famously weak. “We had no idea what developers were doing with the data,” said former Facebook operations manager Sandy Parakilas to The Guardian. Plus, Facebook routinely provides this kind of “social graph” information — likes, friend connections, and other data — to advertisers. Surveillance is effectively Facebook’s business model.

Cryptojacking. How Hackers use your browser for Crypto-Currency Mining

Reality update: [1803.02887v1] A first look at browser-based Cryptojacking …:

In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar codebases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or knowledge, and pays out the seigniorage to the website.

Facebook/Cambridge Analytica: When will the mainstream understand?

Reality update: This whole story about Facebook and Cambridge Analytica is not about a data breach, no. It’s the business model. It’s Facebook’s business model, and it has always been.

Facebook: is it time we all deleted our accounts? | Technology | The Guardian … Yes it is. Or let’s hear Mark Zuckerberg himself, in 2004:

“People just submitted it … I don’t know why … They ‘trust me’ … dumb fucks.”

A German university claims there’s child pornography in bitcoin’s blockchain

Looks like Child abuse imagery found within bitcoin’s blockchain | Technology | The Guardian is a good read …

“Researchers from the RWTH Aachen University, Germany found that around 1,600 files were currently stored in bitcoin’s blockchain. Of the files at least eight were of sexual content, including one thought to be an image of child abuse and two that contain 274 links to child abuse content, 142 of which link to dark web services.”

Traces of other universes? – Hawking’s last words …

Looks like Stephen Hawking has left us a great paper to ponder … Are there traces of other universes to be found in cosmic background radiation?

“The usual theory of inflation breaks down in eternal inflation. We derive a dual description of eternal inflation in terms of a deformed CFT located at the threshold of eternal inflation. The partition function gives the amplitude of different geometries of the threshold surface in the Hartle-Hawking state. Its local and global behavior in dual toy models shows that the amplitude is low for surfaces which are not nearly conformal to the round three-sphere and essentially zero for surfaces with negative curvature. Based on this we conjecture that the exit from eternal inflation does not produce an infinite fractal-like multiverse, but is finite and reasonably smooth.”

If you understand German, here’s a recap.

If you are interested in the holographic principle, read this.

A praise of Folly: Security Theater – The mostly unknown OSI Layer 8 and above

Early in February 2018 I was happy to give my Security Theater speech at FOSDEM, in Brussels. They booked me after Howard Chu and right before the closing keynote – awesome, and there were a few thousand geeks in the audience – I guess that was the largest crowd I ever spoke to, and it was big fun – have a look at the video. Before that event, I had enjoyed meeting politicians from the European parliament and had given an interview to the Radio Berlin Brandenburg about the darknet.

Here (https://fosdem.org/2018/schedule/event/security_theatre/) is where you find all material about this talk: the slides and the video. A big thank you goes out to Julia Reda for making the video for the FOSDEM hackers. On top, I was asked for an interview about my presentation well before FOSDEM; here’s the link.

Apple: Clean Cobalt – BMW: Certified Clean Cobalt with Blockchain!

The interesting thing about this story (thanks to Fefe!) is not that BMW is using blockchain now. And it’s not that they go for cobalt from Congo for their batteries. That all makes perfect sense, given that you want to prove with a probably unhackable certificate story that your cobalt mining activities do not harm locals or the environment. No, the really interesting part of the story is: BMW and Apple are now competitors. Yep, read that again.

(Image: 90+ % pure cobalt. Source: Alchemist-hp (talk) (www.pse-mendelejew.de), Pure (99%+) Cobalt, Wikimedia)

They used to be alliance friends and partners, and we may remember iDrive and similar naming, as well as the fact that you could only attach your iPhone to a BMW in a reasonable way. Now there are Samsung-only keyless features for BMWs and Apple cars out there. Since Apple is investigating its capabilities in the electric, autonomous driving market, it increasingly becomes a competitor to BMW.

At least when it’s about batteries and the much needed cobalt resources. These are mostly available in Africa, in Congo (80%, says the article), and customers are by now very well aware of the blood diamonds and similar painful stories of exploitation.

So only a few days after Apple announced “that it will be negotiating directly with miners“, BMW’s partner Circulor steps in and snarkily comments “We believe it makes economic sense to start with sources that aren’t a problem” and:

… the trial of their blockchain supply chain solution allows supplying of a barcode to what is known as “clean cobalt”, i.e. cobalt that has been ethically sourced, and adds the key destinations of its trip to a ledger on their blockchain solution. Apart from proving the source of the cobalt and providing a record for it, the solution will likely also bring down regulatory compliance costs.

Five great security tools: SecureDrop, PGP, Signal, OpenVPN and Haven

The blog Choosetoencrypt has presented three great tools for encryption. Under the title “Three Ways To Communicate Anonymously and Privately Online” they present and evaluate SecureDrop for file sharing (like a whistleblower, not a pirate), PGP for e-mail and Signal for instant messaging.

SecureDrop or similar is a mandatory category of tools for those who are dealing with journalists and can’t afford to be tracked.

The instant messenger Signal is being used and recommended by Edward Snowden, I use it every day, with all my phone numbers.

And so do I use PGP every day – find my Key(s) on the servers, among many old and lost and expired ones … Yes, I did many trainings in my life :-(.

And I was happy to meet and interview PGP founder Phil Zimmermann in late 2013, deep in the belly of an old container ship named San Diego in the Hamburg harbor.

But I also want to add two more tools:

OpenVPN – the best VPN solution that’s around – not only because I authored the first book and am still offering classes, but also because I have been using it every day since 2003 without any major outages or problems.

Haven – also comes with the strong recommendation of Edward Snowden. This tiny Android app turns your old smartphone into an NSA device. Well, just kidding – that already happened when you first switched it on. No, with Haven your smartphone becomes a motion detector, a sound- or movement-activated alarm system for your home, car, whatever. Free of charge, open source. Here’s a review from Techcrunch: “Edward Snowden’s new app turns any Android phone into a surveillance system”.

Winning the Microsoft Fussball (Kicker-) tournament 2008 – well almost

I somehow love this story… we had great fun and made it from total outsiders with no chances into the final, almost winning against the overlords. My dear colleague Marcel Hilzinger and I were so close to really, really embarrassing Microsoft – but in the end, Sauron’s powers were stronger. Maybe next time, we thought, but they never invited us Linux-Magazine journalists again. I guess they had good reason to do so. 🙂

Here’s the original (short) reference to the Linux-User editorial with a paragraph about the sensational event.

Microsoft and Finfisher: The end of the Bundestrojaner as we know it?

I wonder how much money our government has thrown out of the window for this, and I wonder how the truly great work from Microsoft pays off here. They claim to block FinFisher, which is a large part of our German Bundestrojaner, and here is a wonderful and detailed blog post about how they did it and about the amazing findings they made in the multiple layers of virtualization and obfuscation. “FinFisher is such a complex piece of malware that, like other researchers, we had to devise special methods to crack it.”

(Image source:  https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)

FinFisher uses an onion-like shell system of six layers around its payload (whatever that may be). And it has several virtual machines built in, with up to 32 opcodes specifically created for this system, all in order to protect, obfuscate and hide the payload. But what does the payload do? On that, Microsoft’s engineers write:

“It is evident that the ultimate goal of this program is to steal information. The malware architecture is modular, which means that it can execute plugins. The plugins are stored in its resource section and can be protected by the same VM. The sample we analyzed in October, for example, contains a plugin that is able to spy on internet connections, and can even divert some SSL connections and steal data from encrypted traffic.”

This article is a really good read. And if you find the time, read this amazing work by Tora.

500 Million passwords leaked

Troy Hunt did it again: after August 2016, when he provided a password-checking service testing against a list of 320 million passwords (“HIBP” and “Pwned Passwords”), he has now launched “Pwned Passwords V2” with more than half a billion passwords. If you dare, and if you trust him, you can enter your favourite password here and in the blink of an eye you will see whether it is on Troy’s list. If so, it has been cracked, used before or similar. The password “password”, for example, has been seen 3 million times, as the new counter in Troy’s tool shows. Plus, the website holds some healthy information and guidelines from NIST on password reuse.
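For the “if you trust him” part: Pwned Passwords V2 also offers a range lookup in which only the first five hex characters of the password’s SHA-1 leave your machine, and the matching is done locally. The following is an added example (not Troy Hunt’s code, nor from this post) of that client-side check; the range response is constructed for the example, its counts are made up, and the live endpoint URL mentioned in the comments is an assumption.

```python
import hashlib

# Constructed sample of a range response for the SHA-1 prefix "5BAA6", which is
# the prefix of sha1("password"). The format mirrors the Pwned Passwords range
# API ("<35-char hash suffix>:<count>" per line); the counts and the other
# suffixes here are invented. A live check would fetch the body from
# https://api.pwnedpasswords.com/range/<prefix> (assumption: endpoint unchanged).
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:6
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
"""


def split_sha1(password: str):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the server (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response into {suffix: count}, skipping malformed lines."""
    out = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            out[suffix] = int(count)
    return out


def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in the corpus; 0 when absent.
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call: serves only the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", breach_count(pw, offline_fetch), "times")
```

Note that the password itself, and its full hash, never leave the client; a real deployment would rate-limit and log such checks at enrolment or password-change time rather than on every login.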

Do good things and talk about it – Lessons learnt in 20 years of Open Source PR

This is a talk that I first gave as a workshop, together with my wonderfully skilled and experienced colleagues Jake Edge (LWN) and Deb Nicholson (OIN), during the 12th KDE Akademy in Tallinn, Estonia in 2012. Whereas we did it there as a full-day workshop, this video is from QtCon 2016, and it is more of a one-hour presentation. This is one of my favourite presentations and the one booked the most – I did it at SUSECON, the openSUSE conference and SUSE Labs, too, and for a variety of other hosts.

This talk will tell, teach and train open source community members, company leaders, developers and open source project leads how to deal with the press.