
Password Cracking – MD5 hashes

There’s a new online MD5 cracking database that claims the largest hash lookup database, at over 20 TRILLION hashes.

I tested out the passwords “dragon” and “toor”, and the database instantly decrypted the password hashes.

  1. Step 1 – hash a password
    http://www.miraclesalad.com/webtools/md5.php
  2. Step 2 – crack that hash here
    http://www.cmd5.org/
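To show why an unsalted MD5 is found instantly while a properly stored password is not, here is an added example (mine, not the page’s or cmd5’s code): a constructed five-entry lookup table reverses the page’s two test passwords, and the same password stored with salted PBKDF2-HMAC-SHA256 produces a different record for every user, so no precomputed table applies. The password list and iteration count are assumptions.

```python
import hashlib
import os
import secrets

# Constructed mini "lookup table": the page's two test passwords plus a few
# very common ones, precomputed as plain MD5. An online database does the
# same thing at a scale of trillions of entries.
COMMON_PASSWORDS = ["dragon", "toor", "password", "123456", "letmein"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_hex(password):
    """Unsalted MD5 hex digest, as produced by the hashing web tool in step 1."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup(hex_digest):
    """Reverse an unsalted MD5 purely by table lookup; None if it is not listed.
    No cryptanalysis happens here: identical input always gives the same
    digest, so one precomputed table serves every site that uses bare MD5."""
    return MD5_TABLE.get(hex_digest.lower())


def pbkdf2_record(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash as a password database should store it.
    600,000 iterations is the OWASP figure for PBKDF2-HMAC-SHA256 (assumed)."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, _ = record.split("$")
    candidate = pbkdf2_record(password, bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate, record)


def records_for_two_users(password):
    """Two users who chose the same password: MD5 gives identical digests
    (one lookup cracks both), PBKDF2 with per-user salt gives distinct records."""
    return (md5_hex(password), md5_hex(password),
            pbkdf2_record(password), pbkdf2_record(password))


if __name__ == "__main__":
    for pw in ("dragon", "toor", "correct horse battery staple"):
        print(pw, "->", md5_hex(pw), "->", md5_lookup(md5_hex(pw)))
    m1, m2, p1, p2 = records_for_two_users("dragon")
    print("same MD5:", m1 == m2, "| same PBKDF2 record:", p1 == p2)
```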

(Image: cmd5 MD5 decrypter)


Global race for AI will ‘most likely cause’ WWIII as computers launch 1st strike – Musk

Competition for superiority in Artificial Intelligence at national level will “most likely” cause World War Three, billionaire entrepreneur Elon Musk has said, warning that an AI may deem first use its best chance of winning.

“China, Russia, soon all countries with strong computer science. Competition for AI superiority at national level most likely cause of WW3,” Musk tweeted.

It will likely not even be the countries’ leaders that start the war, Musk elaborated, but “one of the AI’s, if it [AI] decides that a pre-emptive strike is most probable path to victory.”

The SpaceX founder says he doubts that North Korea can launch its own nuclear strike. He believes that Pyongyang “launching a nuclear missile would be suicide for their leadership, as South Korea, [the U.S.] and China would invade and end the regime immediately.”

https://www.rt.com/usa/401957-ww3-ai-musk-strike/

DuckDuckGo – Doubled in Size in 2017 – Private Search Engine

In 2013, Edward Snowden released documents proving that the NSA was conducting warrantless online surveillance at a massive scale, something many had already suspected. In the subsequent year, many people have sought out more secure software to help ensure that their digital privacy remains intact. Groups such as the Electronic Frontier Foundation have subsequently promoted alternatives to popular software which can be easily adopted; such as DuckDuckGo to replace Google. As a result, DuckDuckGo’s popularity has skyrocketed.

According to the newest stats from Alexa.com, DuckDuckGo has almost doubled its global popularity in the past year – ranked as the 400th most popular website. When you dig down to the national scale, it’s ranked 255th in the US, 177th in Germany, 186th in France, 193rd in the UK, and 715th in China. The search engine is far more popular than other privacy-oriented search engines such as Ixquick or Searx.

DuckDuckGo has been a bit of a magnet for privacy-oriented folk with it promising not to store personal information, track you around with ads, or in any other fashion. The search engine appeals to power users as well, with its more advanced features like ‘bangs’ which are essentially prefixes that allow you to search websites directly; for example, adding !w as a prefix in search will lead to Wikipedia directly.


In August, DuckDuckGo surpassed 18 million direct searches per day towards the end of the month; the average for the month was 16,739,317 per day. While quite impressive, the figures still pale in comparison to Google which as of May 2016 handled two trillion searches per year.


https://www.neowin.net/news/duckduckgo-almost-doubled-its-popularity-in-the-past-year

GDPR – European Privacy – Discussion of the European views on CONSENT

It is well documented that the American cultural understanding of privacy is the inverse of the European view of privacy, and this particularly applies to what determines CONSENT by the individual. We have all been horrified by the Internet terms of Facebook and Google, who bully the user into reading War and Peace-sized documents for each app installed.

Europe is about to enact the GDPR to curtail the abuses of personal data on the internet, where it is used without knowledge or consent. Massive fines will apply to corporations who do not apply the GDPR.

(Image: GDPR – consent is not a precondition to access)

Go Europe!

Consent

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.

(Image: GDPR – balance)

User can withdraw consent without penalty

(Image: GDPR – consent withdrawn without penalty)

Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.

Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

(Image: GDPR bans pre-ticked opt-in boxes)

Next steps for the Article 29 Working Party

The Article 29 Working Party are due to publish guidelines on consent in 2017 and the latest timetable is for this to be agreed and adopted in December 2017.

Author’s summary

* Marketing purposes = disallowed as consent

* Research purposes = disallowed as consent

* Pre-ticked opt-in boxes = disallowed as consent

* Takes 100 years to find the means to delete consent = disallowed as consent

The current business model of the Internet, where you are forced into consenting that they can resell your data to millions of third parties, is about to be halted. Go Europe!


Reference:

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/

https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

How the GDPR will disrupt Google and Facebook

Google and Facebook will be disrupted by the new European data protection rules that are due to apply in May 2018. This note explains how. 

Google and Facebook will be unable to use the personal data they hold for advertising purposes without user permission. This is an acute challenge because, contrary to what some commentators have assumed, they cannot use a “service-wide” opt-in for everything. Nor can they deny access to their services to users who refuse to opt-in to tracking.[1] Some parts of their businesses are likely to be disrupted more than others.

The GDPR Scale

When one uses Google or Facebook.com one willingly discloses personal data. These businesses have the right to process these data to provide their services when one asks them to. However, the application of the GDPR will prevent them from using these personal data for any further purpose unless the user permits. The GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.[2]

Google and Facebook cannot confront their users with broad, non-specific, consent requests that cover the entire breadth of their activities. Data protection regulators across the EU have made clear what they expect:

“A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.[3]

A business cannot, for example, collect more data for a purpose than it needs and then retroactively ask to use those data for additional purposes.[4]

It will be necessary to ask for consent, or present an opt-out choice, at different times, and for different things. This creates varying levels of risk. We estimate these risks on the “GDPR scale”, shown below.

The scale ranges from zero to five. Five, at the high end of the scale, describes the circumstances that many adtech companies that have no direct relationship with Internet users will find themselves in. They need to get the consent of the people whose data they rely on. But they have no channel of communication through which they can do so.

Four, next highest on the scale, refers to companies that have direct relationships with users, and can use this to ask for consent. However, users have little incentive to “opt-in” to being tracked for advertising. Whereas a user might opt-in to some form of profiling that comes with tangible benefits, such as a loyalty scheme, the same user might not be willing to opt-in to more extensive profiling that yields no benefit. The extensiveness of the profiling is important because, as the note at the bottom of this page shows, users will be aware of the uses of their data when consent is sought. Thus adtech tracking across the web might rank as four, but a loyalty scheme might rank as three on the GDPR scale.

A slightly more attractive prospect, from Google and Facebook’s perspective, is to inform a user about what they want to do with the personal data, and give the user a chance to “opt-out” beforehand.[5] This is two on the scale. This opt-out approach has the benefit – from the company’s perspective – that some users’ inaction may allow their data to be used. The GDPR permits the opt-out approach when the purposes that the companies want to use the data for are “compatible” with the original purpose for which personal data were shared by users.[6] In addition to the opt-out notice, users also have to be told of their right to object at any time to the use of their data for direct marketing.[7]

One on the scale refers to activities that currently involve the processing of personal data, but that do not need to do so. With modification, these activities could be put beyond the scope of the Regulation.

Activities at the zero end of the scale are outside the scope of the Regulation, because they use no personal data.

Google

Our estimate of Google, when applied to this scale, shows a significant range of products at four on the scale, with the proviso that some part of that set of products can be modified, which would lower their score from four to one.


Reference

https://pagefair.com/blog/2017/gdpr_risk_to_the_duopoly/

European view of Privacy compared to the American view – Schneier

GAZETTE: But Google and Facebook face more restrictions in Europe than in the United States. Why is that?

SCHNEIER: Europe has more stringent privacy regulations than the United States. In general, Americans tend to mistrust government and trust corporations. Europeans tend to trust government and mistrust corporations. The result is that there are more controls over government surveillance in the U.S. than in Europe. On the other hand, Europe constrains its corporations to a much greater degree than the U.S. does. U.S. law has a hands-off way of treating internet companies. Computerized systems, for example, are exempt from many normal product-liability laws. This was originally done out of the fear of stifling innovation.


GAZETTE: It seems that U.S. customers are resigned to the idea of giving up their privacy in exchange for using Google and Facebook for free. What’s your view on this?

SCHNEIER: The survey data is mixed. Consumers are concerned about their privacy and don’t like companies knowing their intimate secrets. But they feel powerless and are often resigned to the privacy invasions because they don’t have any real choice. People need to own credit cards, carry cellphones, and have email addresses and social media accounts. That’s what it takes to be a fully functioning human being in the early 21st century. This is why we need the government to step in.

GAZETTE: You’re one of the most well-known cybersecurity experts in the world. What do you do to protect your privacy online?

SCHNEIER: I don’t have any secret techniques. I do the same things everyone else does, and I make the same tradeoffs that everybody else does. I bank online. I shop online. I carry a cellphone, and it’s always turned on. I use credit cards and have airline frequent flier accounts. Perhaps the weirdest thing about my internet behavior is that I’m not on any social media platforms. That might make me a freak, but honestly it’s good for my productivity. In general, security experts aren’t paranoid; we just have a better understanding of the trade-offs we’re doing. Like everybody else, we regularly give up privacy for convenience. We just do it knowingly and consciously.

GAZETTE: What else do you do to protect your privacy online? Do you use encryption for your email?

SCHNEIER: I have come to the conclusion that email is fundamentally insecurable. If I want to have a secure online conversation, I use an encrypted chat application like Signal. By and large, email security is out of our control. For example, I don’t use Gmail because I don’t want Google having all my email. But last time I checked, Google has half of my email because you all use Gmail.

GAZETTE: What does Google know about you?

SCHNEIER: Google’s not saying because they know it would freak people out. But think about it, Google knows quite a lot about all of us. No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.

GAZETTE: Is Google the “Big Brother?”

SCHNEIER: “Big Brother” in the Orwellian sense meant big government. That’s not Google, and that’s not even the NSA. What we have is many “Little Brothers”: Google, Facebook, Verizon, etc. They have enormous amounts of data on everybody, and they want to monetize it. They don’t want to respect your privacy.

Reference:

https://news.harvard.edu/gazette/story/2017/08/when-it-comes-to-internet-privacy-be-very-afraid-analyst-suggests/

Discover what runs a website – Chrome

https://www.whatruns.com/

Extension that helps you identify technologies used on any website at the click of a button.

What the Announced NSA / Cyber Command Split Means

Cyberwar and cyber intelligence are diverging, as are Cyber Command and the NSA. Here’s what that means for the man who leads both entities, the future of signals intelligence collection, and cyberwarfare.


The move to elevate Cyber Command to a full Unified Combatant Command and split it off from the National Security Agency or NSA shows that cyber intelligence collection and information war are rapidly diverging fields. The future leadership of both entities is now in question, but the Pentagon has set out a conditions-based approach to the breakup. That represents a partial victory for the man who directs both Cyber Command and the NSA.

The move would mean that the head of Cyber Command would answer directly to the Defense Secretary and the National Security Agency would get its own head. It’s a move that many have said is long overdue, and its exact timing remains unknown. So what does the split mean for the Pentagon, for Cyber Command, and for the future of U.S. cyber security?

The split will give the commander of Cyber Command central authority over resource allocation, training, operational planning and mission execution. The commander will answer to the Defense Secretary directly, not the head of Strategic Command. “The decision means that Cyber Command will play an even more strategic role in synchronizing cyber forces and training, conducting and coordinating military cyberforce operations and advocating for and prioritizing cyber investments within the department,” said Kenneth Rapuano, assistant defense secretary for Homeland Defense and Global Security.

The elevation of Cyber Command represents a big step forward for the military’s cyber ability, but it has yet to catch up to the NSA in terms of collecting signals intelligence or creating network accesses, according to Bill Leigher, who as a rear admiral helped stand up Navy Fleet Cyber Command. Leigher, who now directs government cyber solutions for Raytheon, applauds the split because the NSA, which collects foreign intelligence, and Cyber Command, a warfighting outfit, have fundamentally different missions. This caused tension between the two organizations under one roof. Information collected for intelligence gathering may be useful in a way that’s fundamentally different from intelligence for military purposes, he says. “If you’re collecting intelligence, it’s foreign espionage. You don’t want to get caught. The measure of success is: ‘collect intelligence and don’t get caught.’ If you’re going to war, I would argue that the measure of performance is: ‘what we do has to have the characteristics of a legal weapon in the context of war and the commander has to know what he or she uses it.’”


http://www.defenseone.com/technology/2017/08/what-announced-nsa-cyber-command-split-means/140362/

Ever felt as thick as 2 short planks?

Do you ever have those dense days, where everyone else seems to understand something and you just can’t get off the starting block?

I bought a Yubikey to have a play around with. Now, the documentation for Yubikey isn’t the best, and they would benefit from hiring a decent technical author. So 2 weeks on, I’m spending my Sunday afternoons struggling with a piece of kit that is supposed to be effortless.

Then, on a forum I notice a reference to this article.

For months now, the Windows 10 Anniversary Update has broken two-factor logins using certain smart cards – and Microsoft has refused to discuss it.


“This showstopper of a bug must be known to Microsoft, as they have fixed it in the Insider preview fast-ring release. They will not publicly acknowledge it, and there is no suggestion that they will patch it either.”


https://www.theregister.co.uk/2017/02/16/win10_anniversary_borks_smartcards/

So Microsoft “won’t discuss the issue”. Well, it’s not like anyone is not going to notice, is it? Your 2-factor authentication system blows up in your face, and you may not notice? In polite circles this is called “lying by omission”, as in they know that they’ve busted it, but let’s not mention it, shall we.

There potentially is a fix… that the Microscopic morals company won’t discuss either.

We have confirmation from Microsoft that a hotfix has been released on the Windows Update Catalog that should solve the Windows 10 smart card login issue with the YubiKey. We do not have a timeframe when this will be available as an automatic Windows Update but it is available for a manual download and installation. We’ve done testing in our lab environment and found this has indeed solved the issue.


You can grab the fix, KB3216755, from here. Let your Yubico-using friends know about this bug fix because Microsoft won’t.

And let them know that they’re not mental, dense, incompetent or to blame – rather, the Microsoft updates are the villains of the piece.

Updates… we broke the system and called it an update.

MIT paper on the impact of Facebook/ Google on democracy – need for Decentralisation


http://dci.mit.edu/assets/papers/decentralized_web.pdf
