Olivier Forget @teleclimber@social.tchncs.de

If you only read one post today, pay attention to this one... YOU HAVE BEEN WARNED

(Please Boost)

I've been cautioning people about this aspect of using biometrics for credentials for a few years now.

Sure, it may lend itself to secure authentication, yet it also lends itself to search and seizure w/o the constitutional requirements of a warrant signed by a judge. i.e., a court order is required to compel one to divulge a password, or at the very least unlock a device such as a laptop or mobile device using that person's password.

If you're arrested, law enforcement personnel do not have the authority to demand you divulge such information, or require you to use your passwords to grant them access to your assets. Only a judge can do that.

They can however, force you to roll out your fingers to be printed and entered into a fingerprint database, and for if arrested for an alleged felony, collect DNA from a suspect.

What this means, is that in the United States, if you lock your phone with a biometric key, such as a fingerprint, cops can hold you down and physically force your hand (yes, pundit) to unlock your phone, making all of the contents of that device available to them.

Here's the relevantt verbiage in this ARS Technica article that glosses over this fact that most folks aren't even aware of...

To wit: if you lock your phone with a fingerprint, it isn't locked at all if you're ever arrested for something even as common as a DUI.

"While courts aren’t unanimous, they frequently grant more latitude to defendants who refuse to divulge passwords, since doing so amounts to testifying against oneself. Biometric information, by contrast, is often regarded as evidence that investigators can confiscate."

The way they put it in this article, it doesn't sound as vile and all encompassing in scope as it actually is in reality - go read up more on this, US Circuit courts have already long since ruled on this, so it is in fact De jure.

I'll say this one more time: "If you are arrested for ANYTHING, and you lock your phone with a biometric key of any kind, Law enforcement is entitled to freely access ALL of your data without any additional cause.

Unless you want to be their bitch, Don't do it.

#search_and_seizure #iris_scan #1984 #retinal_scan #fingerprint #biometric #privacy #security #personal_information #vulnerability #big_brother #we_are_the_dead #chant_of_the_ever_circling_skeletal_family #run_forrest_run #be_afraid_be_very_afraid #shorn_sheep

https://bit.ly/2Kvv2hW
privacy_annulled-biometrics-002…

@zensaiyuki @dredmorbius

man, imagine Game of Thrones in Smellovision

Why can't you use "Beef stew" as a password? Because it's not stroganoff.

I spent all day looking for vulns in a IoT clothes dryer. What did I find?

* HTTPS to talk to backend service
* XMPP w/ STARTTLS to steam events
* Cert pinning so no MitM
* Android app obfuscated w/ no obvious backend URLs or certs
* Dryer runs an AP for initial setup w/ DHCP and HTTPS servers
* That HTTPS requires auth with a password printed on a label near the door

Best I could do was get the DHCP server to serve the same IP to every request.

Well done GE.

#defcon27 #iotvillage

when you think about it, the idea that software should scale is actually really weird. "sure this garden is nice, but how nice can it be if it doesn't grow to cover the entire surface of the earth?"

For anyone who fancied the #Librem Five but are fed up with the developers politics, or found the price to be way too high, here is something that might be interesting for you: https://liliputing.com/2019/06/pinephone-149-linux-smartphone-could-support-ubuntu-sailfish-maemo-luneos-and-more.html #PinePhone #Pine64

Oh dear. I found a disbeliever on Reddit. I knew, theoretically, that they'd exist. I never expected to meet one!

The topic: MITM forwarding proxies that decrypt and then re-encrypt your communication with a remote web server, because they are the single point of access to the web.

#privacy #cybersecurity #hacking #pentesting #spying

Everything in this talk about package management could also apply to social media:

- You have no way to hold Jack Dorsey or Mark Zuckerberg accountable.
- The real owners do not care whether it is pork bellies or our commons; the goal is to make money from it
- We have ceded our commons to a private entity.
- We decided this was okay. We voted with our feet.

Does anyone know a #SelfHosted online bullet journal app?

Maybe something that does not include hundreds of dependencies from npm and a "webscale document storage"? Bonus for slurs in the name 😉

PS: Don't recommend paper to me. I know about paper, trust me.

A year ago I tried learning ActivityPub, and more or less failed. I was confounded by a spec that was so abstract I couldn't make heads or tails of it. Turns out I was missing some key things.

I have written a guide to learning about ActivityPub that I wish existed a year ago when I first set out to learn how to write social media servers that conform to the spec:

https://tinysubversions.com/notes/reading-activitypub/

WebKit then sends those "tags" and raw text to the "HTMLTreeBuilder". This structures the tree differently based on it's current state and the tag being inserted into the document tree.

To do the actual work it hands the tag on to the HTMLConstructionSite, which in turn wraps HTMLElementFactory (a Perl-compiled C++ hashmap) and the HTMLElement instances it creates.

NOTE: I'm not particularly fond of the parts of the HTML standard which calls for these components, they're overly complex.

New blog post: "Tech veganism" https://nolanlawson.com/2019/05/31/tech-veganism/

Wherein I try to understand what makes a "tech vegan" (i.e. someone who avoids closed-source software and big tech companies, i.e. probably you), and whether there are parallels with real veganism.

https://9to5google.com/2019/05/29/chrome-ad-blocking-enterprise-manifest-v3/

If you haven't switched to Firefox, now is the time

@asbjorn Firefox over Chrome matters. Rust over Go not so much, as the languages are too detached from the core business, and don't influence common standards.
Also they're not even direct competitors, since Go isn't compatible with no-GC environments Rust is after.

WASI aims to bring cross-platform, sandboxed executables using webassembly as the base to non-browser systems https://github.com/CraneStation/wasmtime/blob/master/docs/WASI-overview.md

It's also ocap-based so there's some hope for security actually working.

However Ben Laurie (who worked on Capsicum) argues that since we have something resembling a clean slate, why try to build it on a broken POSIX'y type design? (Article also talks about how and why containers continue to break their own sandboxing) https://medium.com/@benlaurie_18378/how-to-ruin-a-perfectly-good-container-d33250fca595

I don't mean this in an elitist/exclusionary way. I think it's a bit irresponsible that coding schools and bootcamps start people off by teaching them React/Angular/etc. It's as if you took a woodworking shop and they're like, "OK day one, you will architect an entire five-story building and build it from scratch."