Posts by Drs. Security

55 publicly visible posts • joined 3 Aug 2013


UK concerned over EU law plans on trade of data for digital content

Drs. Security


The GDPR will be law as soon as it is voted into law by the EU institutions later this year (at least if all goes as expected), with a two-year grace period to fully comply.

As such it will fully replace all national laws on data protection.

So if the UK really doesn't want this, vote yes in David's "I don't know what to decide so I will ask my citizens" referendum.

It killed Safe Harbor. Will Europe's highest court now kill off hyperlinks?

Drs. Security

The answer to that (at least according to European data protection law) is no: you are not allowed to make somebody's phone number public without explicit consent.

IMHO this whole case shouldn't be about the hyperlink but about the obnoxious style of the website and their attitude towards these matters.

They probably went looking for those illegally posted pics over and over again, in my mind that should be under scrutiny not the placement of the hyperlink.

Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal

Drs. Security

and then there are things like the FISA (foreign intelligence security act) etc.

The other term in this article which worries me is "adequacy": if the US were to obtain that status, its privacy protection would rank similar to countries like Switzerland, which obviously can't be correct.

US government's $6bn super firewall doesn't even monitor web traffic

Drs. Security

governments and IT projects

Interesting to see it's not only the Dutch government making a mess of their IT projects and spending.

As for Safe Harbour II? Hope Homeland Security is not part of the negotiating team ;)

Facebook tells Belgian government its use of English invalidates privacy case

Drs. Security

And then there is this line in the article too:

"soon after but not before promising to appeal the ruling and warning that by blocking its information gathering code, it was putting people's online security at risk. "

Specifically that last bit of the sentence. So not only are they stupid linguistically, their view on "people's online security" is heavily distorted and very laughable.

Senate marks Data Privacy Day with passage of critical bill for Safe Harbor

Drs. Security

Re: extend US privacy rights to Europeans.

Let's hope El Reg will publish the full text; I doubt any EU or US politicians will ever do it at all.

Drs. Security

Re: extend US privacy rights to Europeans.

Yes, and you'd probably have to travel to America first to claim those rights, so what is the benefit in the end?

Drs. Security

Re: extend US privacy rights to Europeans.

Correct, and there is one very basic reason for that: in the US privacy (or better yet, data protection) is a consumer right, whilst in the EU it's a fundamental human right, part of European law, and precisely the reason why Safe Harbour was killed in the first place. Oh, and the European Data Retention Directive as well, btw.

This “extending” is just to make the big American firms happy whilst IMHO in practice it will change nothing at all.

Aircraft now so automated pilots have forgotten how to fly

Drs. Security

Re: SItuational Awareness

Yep, interesting accident where in the end the runway turned out to be closed and being used as a racing track. The built guide-rail in the end held up the nose gear, preventing it from collapsing and causing more injuries.

Other examples are a partially blind (one eye) pilot who landed his plane on a small grass waterworks (dyke or something) in New Orleans, an Ethiopian Airlines pilot landing his 767 on the beach of a small island when it ran out of fuel after it was hijacked (okay, nearly), etc.

Drs. Security

Re: Pilots will soon only be needed for taxiing

Totally agree, and the Airbus technology vs. Boeing less-technology debate is still raging on these days. A recent automation and training disaster is AF447 over the Atlantic in 2009.

Drs. Security

Re: The human pilots just do the easy bits...

So far as I know there is no fully automated take-off.

As for fully automated landings, there are however very strict rules before an airport, plane and crew are allowed to facilitate or execute a fully automated landing in fog or general bad visibility conditions. Under normal visibility, landing is not automated; if one of the minimum two autopilots fails, landing cannot be fully automated, etc.

As for the comment by Airbus, the interesting bit is that even if the pilot takes manual control it's still a computer (partially) flying the plane because of the fly-by-wire system. Boeing planes at least have a back-up cable system, "very heavy" according to an airline captain (friend of mine), which works fully on manual, aka crew power, to move the control surfaces.

Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact

Drs. Security

Re: Confused as usual

Correct on the confusion of issues.

Partially on the proxy systems, because if certificate chains are set up correctly this would be detectable.

And yes, there are workarounds to make this type of proxy work too (just think back to the DigiNotar incident and why a certain government allegedly broke in to get certificates to spy on their own people).

Drs. Security

Re: Augh, encryption and Paris.

I think I only have to quote Benjamin Franklin here:

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

Enough said.

Drs. Security

Re: Saying 'no' to backdoors means nothing

Plus they don't count for our intelligence agencies, because we have a committee watching over them so they don't do something really stupid (yeah, right).

Drs. Security

Re: Dutch government and IT (Security) in general

Besides the fact that OpenVPN or OpenSSL or whatever similar stuff built by any company is transport-layer security only.

This simply means that data is protected on the cables and wireless internet links, not in storage or in use or in any other way whatsoever.

So nice of the Dutch government to protect data in transit (that's the bloody least they should do), but that's far from a total security posture, which includes securing servers, authentication on the basis of need-to-know and least privilege, etc.

As for that OpenVPN NL-style? That's certainly not used by citizens communicating with the government, and looks to me like their attempt to rewrite ISO 27001:2005 into their own "security" standard.

Drs. Security

Re: Dutch government and IT (Security) in general

Unfortunately you will see that in Europe in its entirety at the moment. But that is somewhat beside the point discussed here.

As for right wing politics in the Netherlands, we'll see what happens at the next elections in probably 2017.

Drs. Security

Dutch government and IT (Security) in general

Whilst I must give kudos to my own government (or at least the ministry in question, which also houses the National Cyber Security Centre, btw), I am far from convinced that the same reasons of privacy and security of communications play any role in the way the Dutch government is itself handling private and sensitive data in the first place.

On the contrary, I have seen enough examples in which the opposite is true (either by lack of knowledge and understanding or just because it seems unnecessary).

Let this be a step for the Dutch government not only to sponsor a good open-source project but to really improve their own security posture.

Bash, smash, trash Flash – earn $100k cash

Drs. Security

Re: Not dead yet, is it?

Thought it was pretty dead as well.

This has a very nice similarity to the dead parrot sketch IMHO :)

Obama calls out encryption in terror strategy speech

Drs. Security

Benjamin Franklin

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

I think that says enough. Just think of online privacy and secure communications as "essential liberties".

As for Clinton's remarks, glad she is in politics, not in information security, as backdoors like that will not only help governments (or so they think) but cybercriminals and other nation states as well.

Joining the illuminati? Just how bright can a smart bulb really be?

Drs. Security

Re: I agree with all of the posts so far (which is a first)

Which is only limited by the amount of metal in your walls and the knowledge you have of building a good directional or Yagi antenna ;)

Drs. Security

Re: cart before horse

Hope all that power-line stuff will never be available over here; we have enough PLC noise on the power lines that sometimes even lights dim by themselves, radio equipment picks up extremely wide-band interference, and generally other equipment (even networked ones) experiences issues with those things.

Power lines are not meant for digital communications and misusing them for such is bound to lead to a lot of problems, including all your walls radiating radio frequency interference.

Oh and if the communication isn’t secure I may be able to control your IOT equipment from 3 or 4 houses away because those PLC signals don’t mind traveling on the entire power grid near your home at all.

Drs. Security

Re: Burglar deterent?

That would mean A) the burglar knows you have these lights, and B) he dares to go in even though there are lights on as well, and C) he knows enough of Bluetooth or wireless technology that he has the tools to detect the Bluetooth signals from the bulbs.

That is, if they do transmit a signal when in idle mode at all, instead of just listening for your phone to connect to them, which would from a security point of view be smarter.

Drs. Security

Bluetooth a downside point?

Although I understand why the author would think this, from a security standpoint I totally disagree.

For me it would be a positive point.

Having all the IOT stuff in your house requiring a cloud account option has two distinct disadvantages:

- if your internet connection goes down, most or all of them lose the "smart" way to control them

- if the cloud service itself isn’t secure or your password is too easily guessed, suddenly somebody else can control your IOT stuff too.

(and that may include the IOT vendor).

Bluetooth isn’t without security problems either though.

Maybe this type of light would become even more interesting if a voice command would let you turn them on and off as well. And yes, I know Apple HomeKit may allow you to do so, but then you still need to have your phone or watch around to turn lights on and off, not very practical.

Full duplex! Bristol boffins demo Tx and Rx on the same frequency AT THE SAME TIME

Drs. Security

Re: Is this just new in Cellular?

AFAIK the TETRA system does this as well, though it isn't using the entire frequency and width of the signal for one transmission but divides it up into 4 separate channels.

As for the propagation argument: it's line-of-sight anyway on these frequencies.

Meaning any reflections, ground versus sky wave and polarisation changes common in frequencies below 30 MHz don't apply here.

As for tunable radios: there are enough of them around that can cover a wide range of frequencies well enough.

The issue almost always is the resonance of the antenna system and possibly the extra loss incurred from standing wave ratio (SWR) and electrical losses in tuning components like extra capacitors and coils.

Exploding Power Bars: EE couldn't even get the CE safety mark right

Drs. Security

Re: Let me guess...made in China?


And if they were, in some rare twist of the universe, then the inside of the test sample was at least fully compliant.

Which is no guarantee that your production sample is as well.

Drs. Security

Re: Totally ....

No, if there's a short in the cable the power will flow back and not (mostly) pass through the battery system at all.

I.e. it will not charge.

One way there could be issues is if somehow the negative (cathode) and positive (anode) lines in the cable switch sides and you try to "charge" the power bar with the wrong terminals connected to the wrong wires.

A short circuit can also cause this but it is not an overcharging issue that will cause the spectacular failure here IMHO.

Drs. Security

Agreed, it may be tested once, but what happens afterwards in the real production run is never tested nor verified to be similar to the test sample.

In that respect it's as uninteresting as the fuel figures in car brochures on how far you can drive on a single litre of petrol.

The only difference is: most people know that the car fuel specs are not true.

Drs. Security

Secondly, the CE mark is only awarded and tested at the start of a product's marketing cycle.

After that there is a chance that products get retested. But that's very rarely indeed.

As ham radio operators we see enough effects of this so-called conformity in light dimmers missing filtering capacitors (yes, they were there when the product got so-called CE-certified) because a couple of components fewer makes manufacturing cheaper.

I've even had a battery pack for my i-devices (IIRC it was the Gum Max 10,400 mAh one) that when charging blurted out so much radio frequency interference that practically all radio signals coming into my house were drowned out (FM broadcast as well as e.g. civil airband frequencies).

And yes it was CE-marked and sold in Europe and I tested two versions of it before advising Apple to stop selling it and returning the 2nd one for a refund.

Similar issues can be found with power line communication (PLC) adapters, plasma TVs, etc.

So maybe that power bar was nicely CE certified and fully correct, and afterwards some components were yanked to make them cheaper. On more than a million units that makes a lot of difference in the costs.

Although this time that trick failed (if true of course).

Wanna harvest a stranger's Facebook data? Get a mobile number and off you go

Drs. Security

Re: This is the fatal flaw of corporate, searchable 'social' media

That holds for all companies and products, as: "Security never is and never will be an add-on feature"

(nor bolted on, patched or otherwise thought of afterwards, etc.)

Drs. Security

Re: If something is free....

Haha, even more so at the company you work for.

It isn't called the human resource department for nothing ;)

Drs. Security

Re: If something is free....

Only the sun rises and sets for free and the air is free too.

Everything else is free as in "free beer", specifically on the Internet.

Drs. Security

Re: Well duh!

If all FB users would view and act on their FB posts as sensibly as you do, Jeremy 3, they would be out of business.

I agree, this is the only way to use FB, though it is still harvesting a lot of information indirectly as well.

Oh, and not using FB doesn't mean you don't use the internet at all. FB isn't similar to the internet, although Zuck would rather think they are identical. But so does Google (or should I say Alphabet now).

And to some extent Apple too.

Apple and Google are KILLING KIDS with encryption, whine lawyers

Drs. Security

Re: Make your minds up!

Phones are, but that is just data at rest.

Transmission of data over the net, storage in "cloud" datacenters etc. etc. is not.

And I'm not even talking about the default 4-digit passcode protection most people probably still use.

Full disk encryption is a nice marketing selling point, but it's only part of the total story.

Drs. Security

Re: "We support the privacy rights of individuals. But"

Really not, that should be, I think.

Apparently we privacy-minded people kill children, support sex-trafficking and actively endorse terrorism as well.

Like other articles already have stated.

For a fact: I do none of the above, I just protect myself against everyone who, without my explicit consent, is peeking into my private life.

I'd say that is a fundamental human right!

Drs. Security

Re: Are you *sure* you fully understand the objective, Reg?

Agreed, who says they are ill-informed?

Though from a tech-perspective I would agree that is probably still true.

Maybe it's a bit of both.

Drs. Security

Re: @ Martin Summers

Yeah, we have seen that one before as well.

Extremely dangerous.

Interesting side-effect: all snooping agents who use crypto (of course they keep using it) are then by default criminals as well.

Though who is going to charge them with that "crime"?

Rise up against Oracle class stupidity and join the infosec strike

Drs. Security

Re: First, I stand for TLS, not SSL.

And indeed, because of old cipher suites, just as easily vulnerable as well.

Just because of all the issues rightly portrayed in this article.

California Uber Alles: Google wants to become the World Privacy Court

Drs. Security

Re: They would say that, wouldn't they?

Fair point on the sub-title, was missing that bit as well.

Drs. Security

dangerous situation

Whilst we all may have expected this kind of behaviour from Google, it is still something to watch out for.

Generally big internet companies that provide you with a "free" service will ultimately want something in return and that is your data.

For Google, Twitter, Facebook etc. we are the product, and we unwittingly give away our privacy rights to them for some "free" services.

Besides the privacy point there is one more extremely dangerous side note here: will Google next become our news censorship court as well?

Euro mobile standards chiefs eye tiny beauty: It's the KEY to 5G

Drs. Security

ask the HAMS

Apparently this body is looking for something the amateur radio community is already actively researching.

Several experiments are regularly undertaken with amateur TV connections in the 24 GHz spectrum.

Biggest issue with these high frequencies will be influences from the weather (humidity etc.).

Even a wet pane of glass will constitute a 10 dB attenuator.


Thanks for nothing, Apple, say forensic security chaps

Drs. Security


Seems forensic guys have become lazy :)

I propose that all hardware (mobiles, tablets, computers) have encryption by default and "remote" wipe functionality.

Drs. Security

Re: Boo. Hoo..

Not only passwords but cryptographic private keys as well.

There are countries that are trying this, e.g. France.

So much for laws stating you don't have to aid in your own conviction.

Anonymous develops secure data over ham radio scheme

Drs. Security

I totally agree.

The only "encryption" radio amateurs are using is new modes they are designing themselves which the regulatory bodies don't know about yet.

But even then they are obligated to put their callsign out in a recognised mode for regulations.

It's hard enough dealing with neighbours, municipalities and other electronics trying to destroy the HAM hobby.

As said before, let's not forget that the way we communicate today is largely thanks to amateur radio.

Oh, and misuse of HAM frequencies for hacking or illegal stuff isn't new either; just read Kevin Mitnick's book "Ghost in the Wires".

Drs. Security

Re: Data collisions?

Amateur packet radio already takes care of that problem.

However quality of service may indeed be an issue in the end.

Effectively the HAM bands work because of one simple and important rule: thou shalt not cause interference with thy fellow HAMs.


Drs. Security

Re: Sorry to spoil the fun, but ...

Not only the FCC, btw.

Those same rules apply practically worldwide and I am pretty sure HAMs will help the authorities kick those unlicensed pirates off their bands.

Even if it is only to preserve the rights they have studied for and see as their hobby and technological advancement.

And yes, CW was indeed the first digital mode. So much so that the Dutch (probably CEPT as a whole) state that it is a digital mode even now.

What a lot of people are forgetting is that the way we communicate now, certainly wireless (mobile phones, Wi-Fi, satellites, etc.), is largely thanks to amateur radio in the past.

Even the fact that we are free to listen to any radio station (apart from, say, air traffic communication in Germany and the UK) is directly linked to the fact that radio HAMs in the past had the guts to prove to authorities that having listening licences could never be upheld and checked by law.

And yes, HAM bands are monitored by the government for misuse and piracy.

73! (CEPT Full licence operator)

RSA comes out swinging at claims it took NSA's $10m to backdoor crypto

Drs. Security

why change the default?

By standard definition, users and especially administrators are lazy.

Yes and that means me myself and I as well :)

So why change the default secure random number generator if a security company has that as the default?

They know best, right?

And why did it take our security community 6 (six) years to shy away from this algorithm, and only after NIST told us so in September of this year?

Do we all have a big stock of butter on our heads?

Did RSA take the money? Probably. Everything to please the stock markets.

Did they know the reasons why they were paid to do what they did? Possibly not (at least the people deciding in the top layers did not).

Were they hacked themselves earlier this year too? Wonder if the attackers used this same backdoor.

Oh how ironic if true *grin*

Slurp away, NSA: Mass phone data collection IS legal, rules federal judge

Drs. Security

so US citizens are not special

It seems that the US judge also ruled that US citizens are either foreigners in their own country or, interestingly enough, they are not that much more special than us non-US ones.

As the same snooping rules seem to apply to everyone using any means of communication on the earth by this ruling.

Honestly, let them get all the data from all their own citizens as well, they are snooping on mine too and I can't even complain legally.

It seems their own paranoia is biting them in the ass finally.

And besides that: where were the 9/11 attackers? And the Boston Marathon ones?

Precisely: inside the USA!

Did the NSA snooping programs stop those attacks? nope.

Did they possibly have all the data: very likely yes.

Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED

Drs. Security

Re: This is the most assine article ever....

This works provided:

1: the print you got is indeed the one I use to unlock the phone with

2: your scanner lamp will not reflect off the shiny surface of my phone into your scanner camera and destroy your image

3: you are within 48 hours of me touching/unlocking it for the last time

4: you're done before the battery runs out

5: you are actually interested in my personal data and didn't nick it to be used by yourself

6: you are faster than me wiping it via Find My iPhone (yes, tinfoil will help, I know, until you have to remove that to place it under your scanner, unless you tinfoil-wrap your entire room).

Yes the sensor can be "fooled" but the real screw-up would be if they actually can obtain the data from the SecureZone within the A7.

Essentially that would really break the TouchID system.

Drs. Security

Re: How about using your nose?


It's even simpler than that: if you're right-handed then simply use a finger you mostly ignore on your left hand, and vice versa.

Earprints maybe interesting as well.

Although I'll hear the sceptics cry wolf again, as you will leave that on your phone every time you make a call.

Yes, so use the other ear!

Besides: you have 10 fingers and only 5 attempts.

I'll let somebody else do the math ;)

Drs. Security

Re: Front door keys deemed unsuitable for access control

Yep! Totally agree.

And we could rewrite this perfect scenario for:

- passwords

- pincodes on bankpasses and creditcards

- Iris detection on airports

- handprint scanners

- face recognition

- baggage locks with keys or 3-digit ciphers

- those TSA locks nobody but the TSA is supposed to have the key for

- wireless car keys

By simply copying the piece, replacing the appropriate security term and rewording some small bits to fit the different style of technology.

What do you really want?

An iPhone requiring both a fingerprint and a passcode to unlock? I would, but then I'm security-paranoid enough to care.

99% of users in this world don't, and that's why this will improve security for those who don't bother to set a passcode at all in the first place.