The core of it - minimalistic news based on technical facts

http://x700.blogspot.com/

Tuesday, 22 October 2013

Extremely secure and highly available systems with strong access control

How is it done?

The US intercontinental Titan missile system had to be extremely secure.
But the soldiers on duty also had to be able to unlock and fire the rocket within minutes if requested!

This was done by:
- two person control
- unlock key in a padlock with 2 locks
- simultaneous actions
- 6 character code lock for fuel lines, from padlock
- code received by radio + code from padlock
- strong perimeter security 

Source: http://www.crypto.com/blog/titans

Monday, 21 October 2013

Rasterfahndung - the mother of NSA prism

The German BKA used the Rasterfahndung technique in the 1970s to search for RAF terrorists.

Basically, it means brainstorming descriptive attributes that fit the wanted person, and then using all available information sources, such as phone books or customer lists, that help filter out the persons that match.

In 1979 the BKA in fact knew that the terrorists were living in a rented apartment under a false name, somewhere near Frankfurt.
They also assumed that the terrorists had to pay the electricity bill in cash (anonymously).
As 18'000 bills were paid in cash, the investigators started shrinking the list by removing persons that really exist in other registers. So if one of the names also exists in another register, it is most probably not a suspicious person and can be removed from the list. The following registers were used:
- car owners
- registered residents
- pensioners
- social welfare benefit receivers
- property owners
- fire insurance holders
- public health insurance holders

Until only 2 persons remained!




Wednesday, 16 October 2013

Limburg Cathedral bells strike 13 times - how is that possible

hmmm:

- either via social engineering, because someone knows a person who has the authorization
or
- someone simply found access via Shodan and was able to guess the password


link

Tuesday, 15 October 2013

Dynamic Programming - what is it

Richard Bellman: to hide that he was doing mathematical research, he invented dynamic programming, and this name sounded cool!

Problems are split into subproblems, and the solutions can then easily be reused!

Basically: results are stored and kept in case they are needed again, so they don't need to be calculated again!

Examples:
- Fibonacci
- shortest path
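The shortest-path case as an added example (not from the original post): the same recursion is run once without and once with stored results, and the number of solved subproblems is counted. The graph and all function names are constructed for illustration.

```python
from math import inf

# Constructed sample graph (a small DAG): node -> [(neighbour, edge cost), ...]
GRAPH = {
    "A": [("B", 2), ("C", 5)],
    "B": [("C", 1), ("D", 4)],
    "C": [("D", 1), ("E", 7)],
    "D": [("E", 2)],
    "E": [],
}


def shortest_naive(node, target, stats):
    """Plain recursion: a shared subproblem is solved again on every visit."""
    stats["solved"] += 1
    if node == target:
        return 0
    return min((cost + shortest_naive(nxt, target, stats)
                for nxt, cost in GRAPH[node]), default=inf)


def shortest_dp(node, target, stats, memo=None):
    """Same recursion, but each node's result is stored and reused."""
    if memo is None:
        memo = {}
    if node in memo:
        return memo[node]  # stored result, nothing is recalculated
    stats["solved"] += 1
    if node == target:
        result = 0
    else:
        result = min((cost + shortest_dp(nxt, target, stats, memo)
                      for nxt, cost in GRAPH[node]), default=inf)
    memo[node] = result
    return result


def compare(start="A", target="E"):
    """Return (naive distance, dp distance, naive solves, dp solves)."""
    naive_stats, dp_stats = {"solved": 0}, {"solved": 0}
    naive = shortest_naive(start, target, naive_stats)
    dp = shortest_dp(start, target, dp_stats)
    return naive, dp, naive_stats["solved"], dp_stats["solved"]


if __name__ == "__main__":
    print(compare())
```

Both variants return the same distance; only the amount of repeated work differs, and the gap grows quickly with the number of nodes.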


Friday, 11 October 2013

Why is Tor interesting?

use it for:
- anonymous web surfing
- publishing illegal websites inside Tor (drugs, hackers, weapons)



Since Lavabit - is cloud computing not safe anymore?

To allow investigations against one single person, a US court forced Lavabit (secure email) to hand over its main private security key.

This allows reading the encrypted mails of the person concerned. But it also allows reading all mails of all customers!!

Technically it has to be this way, because only one main key exists. The fact that investigators could then read all mails of the other 400'000 customers forced the owner of Lavabit to shut down the cloud service, as privacy could no longer be guaranteed.

It is likely that such a scenario could hit any cloud service user!

source: heise.de

Wednesday, 9 October 2013

illegal websites - the darknet?

Darknet: places on the internet where you can get illegal things or services

Often they hide behind services like Tor.
Current important darknet places are: 
- The Green Machine
- Hidden Market
- StolenPal
- Silk Road (shut down 2013) => http://www.bmreloaded.com/, https://www.sheepmarketplace.com/, http://deepbay4xr3sw2va.onion/

also see Wiki: http://de.wikipedia.org/wiki/Darknet#Weblinks; null-byte

What's the value/price of stolen data?

If you are a European company and some of your data gets stolen, what's the price you have to pay?

- average cost per single customer data record in 2012 is about 150€ (2008: 112€)
- loss of reputation
- value for the thief (depending on quality):
   - full record (person name, address, credit card number, retention, security number) = 1.5 - 3 $
   - full PayPal account information = 1000 $ or 10% of the available account money
- on average a company lost 24'000 records per incident and lost 4% of its customers
- risks:
   - in Germany a company has to notify the authorities when data has been stolen, otherwise the responsible person can be fined up to 300'000 €
   - data theft in Germany can be punished with up to 3 years of jail

source: die Welt

Tuesday, 8 October 2013

French ministers should now only use a safe French mobile phone


To hide from NSA surveillance, French ministers should use a French-manufactured mobile phone, the Teorem manufactured by Thales.

sources:

Safe encrypted mails with PGP and how to get the public keys of others

There are 2 common ways to encrypt your mails:
 - OpenPGP, asymmetric, see RFC 4880, open source tools
 - S/MIME, asymmetric, hierarchical key management (CA), X.509, available in most commercial mail products

Since Snowden, it is often said that the central key management (CA) behind S/MIME-based encryption could very possibly be subverted by the NSA or others (to sign or send mails in your name). And it is uncertain whether commercial S/MIME-based products are free of backdoors.

So, if you decide to go with PGP, you need to know an easy way of sharing and trusting the needed keys:

Facts about PGP:
- messages are encrypted by using a one-time symmetric session key
- session key is exchanged through asymmetric encryption
- use 2048 bit key (safe till ~2019) or 4096 bit key
- possibility to add expiration to keys (also after creation)
- a (changeable) passphrase protects your key usage
- every participant gets a public key (share it) and a private key (never give it to anyone, store it at home, safe)
- revocation is possible by self-issuing a revocation certificate
- fingerprint: a 40 character hex number that identifies you (crypto hash of your personal information and the key-ID)
- your public key needs to be certified, this can be done by any PGP participant (WoT, Web of Trust)

- after certification, you can publish your public key
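For a version 4 key, RFC 4880 (section 12.2) defines the 40-character fingerprint as the SHA-1 hash over the public-key packet, and the key ID as its low 64 bits. The following added example (not from the original post) carries that out with the Python standard library; the modulus and creation time are constructed sample values, not a usable key.

```python
import hashlib
import struct

# Constructed sample values: a 2048-bit number standing in for an RSA modulus
# (only its encoding matters here), the usual public exponent, a timestamp.
SAMPLE_N = (1 << 2047) | 0x1234567
SAMPLE_E = 65537
SAMPLE_CREATED = 1381104000


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    version = bytes([4])
    algorithm = bytes([1])  # 1 = RSA (encrypt or sign)
    return version + struct.pack(">I", created) + algorithm + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the packet body."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the fingerprint."""
    return fingerprint[-16:]


def grouped(fingerprint: str) -> str:
    """Format as ten groups of four characters, as PGP tools display it."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


if __name__ == "__main__":
    fp = v4_fingerprint(rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED))
    print("fingerprint:", grouped(fp))
    print("key ID:     ", key_id(fp))
```

Because the creation time is part of the hashed packet, the same key material imported with a different timestamp yields a different fingerprint; always compare the full 40 characters, not just the short key ID.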

share keys:
- on a keyserver (SKS based): http://pgp.mit.edu/; http://sks-keyservers.net
- as email footer
- on your website

trust keys:
- function of your PGP software

get keys of others:
- search: http://sks-keyservers.net; http://www.rubin.ch/pgp/searchkey.html
- send mail with subject "get name@server.com" to pgp-public-keys@keys.pgp.net



sources: c't 22 7.10.2013 and lifehacker and web!


Monday, 7 October 2013

Encrypt Gmail messages with PGP

To conveniently encrypt your Gmail mails with secure PGP as well, you need Google Chrome and the Mailvelope extension, which lets you manage keys.

Mailvelope adds a button to the mail compose window with which you can encrypt the mail text. Received mails that are encrypted can likewise be decrypted with a button in the web front end.

If you do not have your own key pair yet, you can generate it directly in Mailvelope.

The following video shows how to use Gmail and Mailvelope:



Tip: To be able to mail securely, the public keys must be exchanged beforehand!

And how to use PGP on the go on my Android smartphone? Try: https://play.google.com/store/apps/details?id=org.thialfihar.android.apg

Wednesday, 2 October 2013

Bruce Schneier in Switzerland - you are fair game

The well-known IT security specialist spoke plainly in Lausanne this week:

What the NSA can do:
- collect metadata about all of us without us noticing - "you are fair game"
- metadata does not directly contain any actual information, but, similar to phone book entries, it is a reference that can be used to access that information
- data traffic over the Belgian telecom was intercepted by the NSA
- the NSA has built backdoors into cryptographic mechanisms such as Microsoft's BitLocker
- countermeasures: IETF and ITU should not cooperate too openly with the NSA, route less data via the USA, promote open source software, put economic pressure on US companies

Sunday, 22 September 2013

Is there a standard for biometrics? - Industry standards for biometric systems?

So far almost every biometric device handles the captured data in its own way.
This means that even if two manufacturers use the same sensor and the same algorithm, they most probably use different data formats. This is a disadvantage for the spread of a technology.

But it is an advantage for you as a user, because all your biometric attributes are unique. So far only companies that asked for your biometrics got them, but as soon as there are standards, such data can also be copied and traded. And everyone who knows your digital fingerprint pattern can identify you from it without your knowledge. So you can no longer hide. And much worse, because it is biometrics you can't change any attribute like a password (think of changing iris pattern or face geometry - impossible).

Efforts for biometric standards:
- FIDO (Fast IDentity Online) (Google, PayPal, Lenovo)
- IREX (by nist.org) iris scan

types of biometrics:
- fingerprint
- face geometry
- voice
- iris and retina
- hand veins
- palm geometry
- signature
- brain waves



Top Link Tips


Maps:
http://what3words.com
http://www.radroutenplaner-bw.de/ar-rrp-nvbw/de/alpregio.jsp#tpdt=cycling&tab=TourplannerTab (3D Tracks)

QR Code:


http://www.visualead.com/qr-code-generator/5a111dbef11384cf14b450edc1d72a872964749/

3D modelling:
http://www.shapeways.com
https://www.shapeways.com/creator/?li=nav - easy tools
http://sourceforge.net/projects/stl4su/ - stl Plugin Sketchup

Saturday, 21 September 2013

TouchID - The proof for fingerprint biometrics

As long as no one is able to hack it: http://istouchidhackedyet.com/

The iPhone 5s is the proof that a fingerprint can secure a device.

(At least as long as no one knows your keycode, which is requested after a wrong finger was used 5 times to unlock)

Monday, 16 September 2013

Is the iPhone 5S fingerprint sensor TouchID secure => No?

TouchID facts:
- Sensor (capacitive, 500 ppi, orientationless, 170 microns thin)
- TouchID was developed by AuthenTec, which was bought by Apple
- the fingerprints are stored locally by the OS (inside the A7 processor)
- the stored data is encrypted
- unlock the screen by 4-digit code or fingerprint; because both ways are possible, you don't gain security
- it's not a fingerprint picture that gets stored; the device calculates a signature (or pattern) out of it, because this can be stored and compared better.
- a second source (2) says that instead of a pattern only a hash is stored in the device. This sounds strange. The same finger will certainly be captured slightly differently every time. Attributes of the captured fingerprint are then taken to create a pattern. The pattern could then be hashed. Hash algorithms are collision-resistant one-way functions. A hash cannot be reverted to the original data (the pattern). So the only way to be accepted would be to create 2 100% identical hashes. This sounds impossible! Biometrics works by pattern matching and not by hash comparison. Maybe the author of the referenced article misunderstood the system!
- by long pressing the button, Siri is activated and can be asked for phone numbers or appointments!!

- NSA has access to sensitive data of iOS devices (if they need your data, they most probably get it, even if it is not stored in a cloud)
- fingerprints are biometrics that can be easily fooled
- the safety you get is not worth giving biometric data like your fingerprint
- fingerprints can be stolen (copied) without your notice (from a glass, while you sleep), they are not a secret

Pattern matching:
Pattern matching is how all biometric devices work. Pictures cannot be compared any other way.
Pattern matching is like counting similar values from 2 lists, and if enough (e.g. 70%) are similar, the patterns are supposed to be equal!
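The difference between hash comparison and pattern matching, as an added example (not from the original post and not Apple's algorithm): two captures of the same finger never hash to the same value, but they pass a tolerance-based match at the 70% threshold mentioned above. The feature lists, tolerances and function names are constructed for illustration.

```python
import hashlib

# Constructed sample templates: each feature is (x, y, angle in degrees),
# standing in for the characteristic points extracted from a fingerprint.
ENROLLED = [(12, 40, 30), (25, 18, 90), (33, 52, 120), (41, 27, 200),
            (50, 60, 15), (58, 35, 270), (66, 49, 75), (72, 22, 310),
            (80, 57, 160), (88, 31, 45)]
# Same finger, second capture: small jitter, two points missed, one spurious.
SAME_FINGER = [(13, 41, 28), (24, 19, 93), (34, 50, 118), (41, 28, 204),
               (51, 59, 17), (57, 36, 266), (67, 48, 77), (73, 23, 305),
               (95, 10, 100)]
# A different finger.
OTHER_FINGER = [(10, 10, 200), (22, 45, 10), (35, 20, 300), (44, 58, 100),
                (52, 30, 180), (60, 12, 60), (69, 40, 240), (77, 50, 20),
                (85, 15, 130), (90, 44, 330)]


def template_hash(features):
    """Hash of the whole template; any single changed value changes it."""
    return hashlib.sha256(repr(sorted(features)).encode()).hexdigest()


def hash_accept(enrolled, probe):
    """Accept only if both templates are bit-for-bit identical."""
    return template_hash(enrolled) == template_hash(probe)


def similar(a, b, pos_tol=3, angle_tol=10):
    """Two features count as the same point if position and angle are close."""
    d_angle = abs(a[2] - b[2]) % 360
    d_angle = min(d_angle, 360 - d_angle)  # angles wrap around at 360
    return (abs(a[0] - b[0]) <= pos_tol and abs(a[1] - b[1]) <= pos_tol
            and d_angle <= angle_tol)


def match_score(enrolled, probe):
    """Fraction of features that find a counterpart in the other template."""
    if not enrolled or not probe:
        return 0.0
    unused = list(probe)
    matched = 0
    for feature in enrolled:
        for candidate in unused:
            if similar(feature, candidate):
                unused.remove(candidate)  # each probe point is used once
                matched += 1
                break
    return matched / max(len(enrolled), len(probe))


def pattern_accept(enrolled, probe, threshold=0.7):
    """Accept if enough features are similar (70% by default)."""
    return match_score(enrolled, probe) >= threshold


if __name__ == "__main__":
    for name, probe in (("same finger", SAME_FINGER), ("other finger", OTHER_FINGER)):
        print(name, hash_accept(ENROLLED, probe),
              match_score(ENROLLED, probe), pattern_accept(ENROLLED, probe))
```

Raising the threshold lowers false acceptance at the price of more false rejections, which is the trade-off behind the FAR/FRR figures discussed for TouchID.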


open questions:
- is the living check accurate (pulse, temperature, glove with artificial fingerprint)?
   - The only statement found regarding this question so far is:

"The RF capacitive sensor technology is built in a way that the fingerprint image has to be taken from a live finger." (1)
- also unknown: False Acceptance Rate, False Rejection Rate of TouchID
    - 1:200 false rejection rate; >> 1:200 false acceptance rate (limited number of offenders) (2). This is good but not fantastic
- who is the manufacturer of the TouchID sensor?
- does the A7 processor have a real cryptographic storage?

update 22.9.13:
The CCC was able to unlock an iPhone 5S by using a photographed fingerprint (3):
"Artificial finger made of latex milk
To fool the sensor of the iPhone 5S, a photo of the fingerprint taken at 2,400 dpi and a laser printer that prints at 1,200 dpi onto transparent film are sufficient. Skin-coloured latex milk or white wood glue is then applied to the film. After drying, the fingerprint is finished in forged form and only needs to be moistened by breathing on it before use."

Conclusion: This opens a simpler way to unlock your phone than guessing your password!


Sources:
http://www.heise.de/security/meldung/Datenschuetzer-warnt-vor-Fingerabdruck-Sensor-des-iPhone-5S-1956725.html
http://www.digitaltrends.com/mobile/can-apple-hand-over-your-fingerprint-to-the-nsa/
http://inotes4you.com/2013/09/12/fingerprint-technology/comment-page-1/#comment-3202
http://mashable.com/2013/09/15/severed-finger-iphone-5s/?utm_cid=mash-com-fb-main-link (1)
http://www.faz.net/aktuell/technik-motor/computer-internet/apple-iphone-5s-im-test-der-finger-soll-in-die-zukunft-zeigen-12578153.html (2)
http://www.golem.de/news/iphone-5s-chaos-computer-club-ueberwindet-apples-touch-id-1309-101735.html (3)

Friday, 13 September 2013

Energy content of electric vehicles

Tesla Motors battery:
53 kWh
Range ~320 km
375 V - 200 W peak - 450 kg
= 117 Wh/kg

6800 cells
Price xxx ?
max. charge cycles xxx?
Whitepaper TeslaRoadsterBatterySystem.pdf

For comparison:
Zebra (Zebra battery)
Price 8000 Euro / 14.1 kWh
120 Wh/kg
Range 200 km (50 km/h)

Lead-acid battery
1700 Euro / 14.1 kWh
30 Wh/kg

NiCd battery
5600 Euro / 14.1 kWh
50 Wh/kg

Petrol
11000 Wh/kg

Paper
4400 Wh/kg

Thursday, 12 September 2013

Best Raspberry Pi shops in Switzerland - where to buy Raspberry accessories

play-zone.ch - display with integrated buttons
klingler.net - some very cheap parts such as the Pi itself, power supplies, displays, WLAN stick, Bluetooth stick

adafruit.com - American supplier


Wednesday, 11 September 2013

From Whole Earth Catalog to Wired

The Whole Earth Catalog was one thing that inspired Steve Jobs; he called it the bible of his generation.
First published in 1968, it showed useful tools for the counterculture (60s culture).
The catalog was in its way a predecessor of a world wide web search engine.

In 1992 its managing editor Kevin Kelly was hired to run a new magazine called Wired. [1]

What is the message of the 1st Apple TV commercial?

"why 1984 won't be 1984" ?


In 1984, Apple introduced the Apple Macintosh computer for everyone's home use. This was at a time when only big companies could afford "even bigger" computers, sold by companies like IBM or Digital. 1984 is the same year George Orwell used to describe the totalitarian surveillance state that dictates everything, down to privacy.

[an Apple TV commercial by Ridley Scott]


In those days computers were one symbol of the suppression of humans. Another was assembly-line production: powerful machines that suppress the importance of the people by setting the pace of their work. Or the big government you can never trust!

All of a sudden, Apple was enabling ordinary people to use a tool that until then was only affordable to the military, governments or very large companies.

In those days the home computer felt like a coup, the rebellion for the mainstream. But meanwhile we are no longer sure whether Apple isn't also part of the NSA network that is surveilling us.

read more 3sat

What Snowden really tells us

- our good friends really spy on us, everyone, the whole world
- there is war, even though we believe we are living in freedom
- it is evident, rumors are now proven, their computers really spy on us
- it's worse than "1984"
- the United States are sitting in the tower of the panopticon
- no one knows who is good or bad, because we don't really know who is part of it (maybe Google, Apple, ...)

- and finally, if the US are doing it, why should others not (Russia, Israel, China, ...)

Friday, 6 September 2013

CH: why data could be stolen from the intelligence service

- small IT budget
- too few staff (one DB admin)
- access more important than security and organization
- management itself did too little IT risk management
  (implementing measures is the employees' job, but controlling cannot be delegated downwards)

A scandal with many fathers (overview)

GPDel report  <= worth reading, proposed measures!!

Bullrun: NSA can crack encrypted services of Google, Yahoo and Hotmail

The Guardian publishes how the NSA can crack and read along with encrypted services as well

- the program is called Bullrun
- NSA and the British intelligence service GCHQ cooperate on this
- encryption of email, e-banking and medical data was cracked or cleverly subverted
- where there was no other way (for example because encryption methods are too strong), ways were sought to infiltrate the operators with intelligence methods or to bring them to cooperate
- the American program for this has an annual budget of 250 million $


read on:
US and UK spy agencies defeat privacy and security on the internet

Wednesday, 31 July 2013

How browsers store passwords

Heise Security points to an interesting article that shows how the passwords stored in the browser (IE, Firefox, Chrome) can be decrypted with the rights of the current user.

For encryption the browsers use Windows functions under the security context of the current user. Malware can usually obtain these rights easily as well.

Remedy: set a secure master password for the browser. This works at least in Firefox. Or store the passwords in tools such as KeePass or LastPass, or use a YubiKey (2-factor authentication system, one-time passwords).

Firefox: has a master password
Chrome: does not have a master password yet Link
IE9,10: has no master password

However, master passwords can also be cracked with FireMaster or ffpasscracker!

Monday, 29 July 2013

Why is IT security important to me?

If someone is able to control your internet accounts or the devices you use, he could harm you, steal your money or sell/use information about you that you prefer to keep secret!

Examples:
- hack your cardiac stimulator (Link)
- open and steal your car
- know your medical state and prevent you from getting life insurance

Wednesday, 17 July 2013

How to send a safe mail - encrypt email quickly and easily

There are ways to encrypt emails. But in general it is more complicated to set up than expected.
Often you can do that on your side, but the recipient will be overwhelmed by the crypto knowledge needed to decrypt your message. So he will never read your encrypted message.
It was not worth the effort, and encrypting mails will never ever become a standard thing!
Getting personal key pairs is the first difficult step.

Solution:
send encrypted mails that the recipient can decrypt without having to install and configure more than one easy software tool.

- use asymmetric keys https://www.cacert.org/
   to encrypt the mail body in the clipboard with the gpg4win software - http://www.gpg4win.org (install with the GPA option selected)
    first line is ::, second line is anon-to: recipient@emailaddress.com
   your text starts at the third line
- open a new mail message and do not use the subject field
   first line of the body is ::, second line is anon-to:   - example: remailer@aarg.net or anon@paranoici.org
   the third line is where the encrypted clipboard is pasted
- use a remailer for the to-address


The only complicated thing that remains is to explain to the recipient how he gets his key pair (for sending) and your public key (for reading) the first time. Afterwards he is familiar with this concept and can get everyone's public key or explain the concept to other persons.


(maybe you can even send him your public key at the beginning, so he does not need to register himself to receive it through the CA)!


--- also see:

Tools for the paranoid: 5 free security tools to protect your data



listen to data traffic in fibre cables - how to intercept or tap a fibre

In general it is said that data in fibre optic cables is safe from interception.
It's true, there is no electromagnetic way to "listen" to light pulses. And it is not possible to see the light pulses from outside without breaking or interrupting the cable. That sounds understandable.

Why it is possible to listen to fibre cable data traffic:
1. fibre optic cables can be very, very long, 1000 km and more; this makes it difficult to protect them from foreign access.

2. even if cables lie on the sea floor or underground, there are intersection points that allow devices for interception to be installed. As there are always several 100 fibre cores in one cable it is not easy to find the right one, but there are also ways to get it. For example by stealing cabling documentation.
2.a interception by cutting a fibre and splicing a capture device into the line. Done within a short interruption of 1 hour that might not be suspicious.
2.b use a bend coupler (Biegekoppler) device to couple out the light without interruption (Einstein, SRF)
2.c if there is an active device at an interception point, it is possible to hack such a network switch and then listen to the data

be aware: The US submarine Jimmy Carter is said to be able to tap underwater fibre sea cables to eavesdrop communication (Washington Post, ARD).

Monday, 24 June 2013

GPS bike helmet for navigation

A helmet that navigates to the desired position using LEDs, and many other cool tutorials, can be found at: learn.adafruit.com