If you only read one post today, pay attention to this one... YOU HAVE BEEN WARNED

(Please Boost)

I've been cautioning people about this aspect of using biometrics for credentials for a few years now.

Sure, it may lend itself to secure authentication, yet it also lends itself to search and seizure w/o the constitutional requirements of a warrant signed by a judge. i.e., a court order is required to compel one to divulge a password, or at the very least unlock a device such as a laptop or mobile device using that person's password.

If you're arrested, law enforcement personnel do not have the authority to demand you divulge such information, or require you to use your passwords to grant them access to your assets. Only a judge can do that.

They can, however, force you to roll out your fingers to be printed and entered into a fingerprint database, and, if you are arrested for an alleged felony, collect DNA from you as a suspect.

What this means, is that in the United States, if you lock your phone with a biometric key, such as a fingerprint, cops can hold you down and physically force your hand (yes, pundit) to unlock your phone, making all of the contents of that device available to them.

Here's the relevant verbiage in this Ars Technica article that glosses over this fact that most folks aren't even aware of...

To wit: if you lock your phone with a fingerprint, it isn't locked at all if you're ever arrested for something even as common as a DUI.

"While courts aren’t unanimous, they frequently grant more latitude to defendants who refuse to divulge passwords, since doing so amounts to testifying against oneself. Biometric information, by contrast, is often regarded as evidence that investigators can confiscate."

The way they put it in this article, it doesn't sound as vile and all-encompassing in scope as it actually is in reality - go read up more on this, US Circuit courts have already long since ruled on this, so it is in fact de jure.

I'll say this one more time: "If you are arrested for ANYTHING, and you lock your phone with a biometric key of any kind, law enforcement is entitled to freely access ALL of your data without any additional cause."

Unless you want to be their bitch, don't do it.

#search_and_seizure #iris_scan #1984 #retinal_scan #fingerprint #biometric #privacy #security #personal_information #vulnerability #big_brother #we_are_the_dead #chant_of_the_ever_circling_skeletal_family #run_forrest_run #be_afraid_be_very_afraid #shorn_sheep

https://bit.ly/2Kvv2hW

Why can't you use "Beef stew" as a password? Because it's not stroganoff.

I spent all day looking for vulns in an IoT clothes dryer. What did I find?

* HTTPS to talk to backend service
* XMPP w/ STARTTLS to stream events
* Cert pinning so no MitM
* Android app obfuscated w/ no obvious backend URLs or certs
* Dryer runs an AP for initial setup w/ DHCP and HTTPS servers
* That HTTPS requires auth with a password printed on a label near the door

Best I could do was get the DHCP server to serve the same IP to every request.

Well done GE.

#defcon27 #iotvillage

when you think about it, the idea that software should scale is actually really weird. "sure this garden is nice, but how nice can it be if it doesn't grow to cover the entire surface of the earth?"

But then again maybe it's better to go for a cheaper $150 Linux phone than the much more expensive librem.

Can you imagine going from an Android device to something running Linux? Linux is great but there is almost no history of it as a phone OS. What's the software story going to be like?

It's likely to make people miss their mainstream devices. Might as well buy a cheap one as a secondary phone and help build the ecosystem while hanging on to your iPhone or Android.

Apparently people are upset with librem because of their policies towards free speech (hate speech is allowed on their platform). Explanation here:

chaos.social/@uint8_t/10223612

But I'm not sure the PinePhone will be an adequate replacement for what Librem was promising. It's really not as powerful.

For anyone who fancied the #Librem Five but is fed up with the developers' politics, or found the price to be way too high, here is something that might be interesting for you: liliputing.com/2019/06/pinepho #PinePhone #Pine64

Oh dear. I found a disbeliever on Reddit. I knew, theoretically, that they'd exist. I never expected to meet one!

The topic: MITM forwarding proxies that decrypt and then re-encrypt your communication with a remote web server, because they are the single point of access to the web.

#privacy #cybersecurity #hacking #pentesting #spying

Everything in this talk about package management could also apply to social media:

- You have no way to hold Jack Dorsey or Mark Zuckerberg accountable.
- The real owners do not care whether it is pork bellies or our commons; the goal is to make money from it
- We have ceded our commons to a private entity.
- We decided this was okay. We voted with our feet.

Does anyone know a #SelfHosted online bullet journal app?

Maybe something that does not include hundreds of dependencies from npm and a "webscale document storage"? Bonus for slurs in the name 😉

PS: Don't recommend paper to me. I know about paper, trust me.

A year ago I tried learning ActivityPub, and more or less failed. I was confounded by a spec that was so abstract I couldn't make heads or tails of it. Turns out I was missing some key things.

I have written a guide to learning about ActivityPub that I wish existed a year ago when I first set out to learn how to write social media servers that conform to the spec:

tinysubversions.com/notes/read

WebKit then sends those "tags" and raw text to the "HTMLTreeBuilder". This structures the tree differently based on its current state and the tag being inserted into the document tree.

To do the actual work it hands the tag on to the HTMLConstructionSite, which in turn wraps HTMLElementFactory (a Perl-compiled C++ hashmap) and the HTMLElement instances it creates.

NOTE: I'm not particularly fond of the parts of the HTML standard which call for these components; they're overly complex.

New blog post: "Tech veganism" nolanlawson.com/2019/05/31/tec

Wherein I try to understand what makes a "tech vegan" (i.e. someone who avoids closed-source software and big tech companies, i.e. probably you), and whether there are parallels with real veganism.

@asbjorn Firefox over Chrome matters. Rust over Go not so much, as the languages are too detached from the core business, and don't influence common standards.
Also, they're not even direct competitors, since Go isn't compatible with the no-GC environments Rust is after.

WASI aims to bring cross-platform, sandboxed executables using webassembly as the base to non-browser systems github.com/CraneStation/wasmti

It's also ocap-based so there's some hope for security actually working.

However Ben Laurie (who worked on Capsicum) argues that since we have something resembling a clean slate, why try to build it on a broken POSIX'y type design? (Article also talks about how and why containers continue to break their own sandboxing) medium.com/@benlaurie_18378/ho

I don't mean this in an elitist/exclusionary way. I think it's a bit irresponsible that coding schools and bootcamps start people off by teaching them React/Angular/etc. It's as if you took a woodworking shop and they're like, "OK day one, you will architect an entire five-story building and build it from scratch."
