Curve25519:
Only the Nitrokey Start supports the elliptic curve Curve25519, which is one of the SafeCurves and the only curve whose parameter choice is completely transparent, so that backdoors can practically be ruled out. The other Nitrokeys only support the NIST P, Brainpool and/or SECG/Koblitz curves. So if you really want to use ECC keys, you should currently use a Nitrokey Start, and update its firmware, as it may be affected by a vulnerability.
Compatibility:
For ECC keys to work smoothly in practice, for example for e-mail encryption, all communication partners must use GnuPG 2.1 or newer. If that is not the case, problems may occur.
Apart from that, the use of ECC has a decisive advantage over RSA:
With smaller key lengths, the procedure is just as secure as longer RSA keys and is much faster in practice. This is especially noticeable on the security tokens, where all crypto operations (encryption, decryption, authentication, etc.) take place directly on the hardware.
6.2 RSA-4096-Bit
The greater the RSA key length, the longer a crypto operation on the smart card takes. For example, opening an encrypted email with an RSA-2048-bit key is much faster than with an RSA-4096-bit key. However, the Federal Office for Information Security (BSI), among others, recommends no longer using RSA keys of 2048-bit length from 2022 at the latest.
That leaves a choice between RSA-3072-bit and RSA-4096-bit. The GnuPG project gives an interesting answer to the question "Why do people advise against using RSA-4096?" in its FAQ:
"Almost always when people use 4096-bit RSA they’re doing so because they believe RSA-4096 to be much stronger than it is. The United States’ National Institute of Standards and Technology (NIST) states that RSA-2048 gives roughly 112 bits of security and RSA-3072 gives roughly 128. There is no formal recommendation on where RSA-4096 lies, but the general consensus is that it would come in somewhere around 140 bits – 28 bits of improvement over RSA-2048. This is an improvement so marginal that it’s really not worth mentioning.
If you need more security than RSA-2048 offers, the way to go would be to switch to elliptical curve cryptography – not to continue using RSA."
What to do, then? Since RSA does not support Perfect Forward Secrecy, I recommend using at least RSA-3072-bit or RSA-4096-bit. The decision may come at the expense of speed, but in view of the security gain it is a reasonable compromise.
7. Conclusion
Both the GPG master key (sign / certify) and the two subkeys for encryption and authentication are now stored on the Nitrokey. Thus all three key slots of the OpenPGP smart card are occupied. The advantage of the variant shown is that if the Nitrokey is lost or defective, a backup of the keys can be imported.
In the next part of the article series we will use the Nitrokey for the exchange of encrypted e-mails based on GnuPG. We will use the free email client Thunderbird in combination with the add-on Enigmail to decrypt / encrypt and sign emails.
Source (German) and more info on Nitrokey (part 2):
https://www.kuketz-blog.de/gnupg-schluesselerstellung-und-smartcard-transfer-nitrokey-teil2/
Nitrokey part 1:
https://t.iss.one/BlackBox_Archiv/404
#Nitrokey #SecurityKeys #usb #guide #kuketz #part2
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
gpg> key 1
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb* rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <[email protected]>
gpg> keytocard
Select the storage location for the key:
(2) Encryption key
Your choice? 2
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb* rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <[email protected]>
With the command key 1 we first select the first subkey, which provides the encryption function. The subkey is then transferred to the smart card again using the keytocard command, this time into key slot (2) Encryption key. Then we can also transfer the second subkey:
gpg> key 1
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <[email protected]>
gpg> key 2
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb* rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <[email protected]>
gpg> keytocard
Select the storage location for the key:
(3) Authentication key
Your choice? 3
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb* rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <[email protected]>
The last subkey has now also been transferred to key slot (3) Authentication key on the smart card. As soon as you exit the interactive mode with quit and confirm saving the changes, your keys are irrevocably transferred to the Nitrokey. From this point on, the GnuPG keyring only holds a pointer (stub) to the smart card; the keys themselves are no longer on the computer on which they were created:
gpg> quit
Save changes? (y/N) y
This completes the RSA key creation and transfer to the Nitrokey. Your keys are now located in the secure smart card environment of the Nitrokey.
5.1 Important: Making the public key known
To be able to use the Nitrokey and the keys on it, you must import the public key of the RSA key pair you just created on each system on which you want to use the Nitrokey. As we have already created a backup of the public key, we can import it, together with the owner trust, into the GnuPG keyring with the following commands:
gpg --import [email protected]
gpg --import-ownertrust [email protected]
Then we link the keys stored on the smart card with the local GnuPG keyring:
gpg --card-status
6. ECC key and RSA key length
6.1 ECC Dilemma
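Added example, not from the kuketz-blog article: a small POSIX shell helper that checks the state described at this point, namely that every secret key in the local GnuPG keyring is only a pointer to the smart card and no private material is left on the computer. It parses the machine-readable output of gpg -K --with-colons, in which field 15 of a sec/ssb record carries the card's serial number for on-card keys; the sample records are constructed here (key IDs and dates follow the listing above, the serial number is made up).

```shell
#!/bin/sh
# Added example, not part of the kuketz-blog article: verify that after
# `keytocard` no private key material remains in the local keyring.
# `gpg -K --with-colons` prints one colon-separated record per key; for
# sec/ssb records field 15 is the token serial number when the key is on a
# smart card, '#' for a stub with no secret key at all, and '+' (or empty)
# when the secret key is still present on this machine.

# Read colon records on stdin, print "type keyid caps location" per secret key.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            token = $15
            if (token == "" || token == "+") loc = "ON-DISK"
            else if (token == "#")           loc = "MISSING"
            else                             loc = "ON-CARD " token
            printf "%s %s %s %s\n", $1, $5, $12, loc
        }'
}

# Succeed only if no secret key is still stored on this computer.
# A MISSING stub (e.g. a master key kept offline) is not on disk either.
no_secrets_on_disk() {
    classify_secret_keys | awk 'BEGIN { bad = 0 } $4 == "ON-DISK" { bad = 1 } END { exit bad }'
}

# Constructed sample records. Key IDs and creation/expiry dates follow the
# article's listing; the token serial number is made up for the example.
SERIAL='D2760001240102010005000012340000'
SAMPLE_ON_CARD="sec:u:4096:1:206C95DB985E7CC0:1559865600:1654473600::u:::scESC:::${SERIAL}::::::23::0:
ssb:u:4096:1:966F11EA5DF244EA:1559865600:1654473600:::::e:::${SERIAL}::::::23:
ssb:u:4096:1:6A2B2209DF66A331:1559865600:1654473600:::::a:::${SERIAL}::::::23:"

# The same keys before the transfer: the secret material is still local ('+').
SAMPLE_ON_DISK="sec:u:4096:1:206C95DB985E7CC0:1559865600:1654473600::u:::scESC:::+::::23::0:
ssb:u:4096:1:966F11EA5DF244EA:1559865600:1654473600:::::e:::+::::23:
ssb:u:4096:1:6A2B2209DF66A331:1559865600:1654473600:::::a:::+::::23:"

# Demonstration on the constructed sample; for a real check run:
#   gpg -K --with-colons | no_secrets_on_disk && echo "all secret keys are on the card"
printf '%s\n' "$SAMPLE_ON_CARD" | classify_secret_keys
```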
In addition to RSA keys, keys based on Elliptic Curve Cryptography (ECC) are also suitable in practice for the planned OpenPGP/GnuPG e-mail encryption and OpenSSH public key authentication application scenarios. However, there are a few pitfalls to consider when using ECC:
🇪🇸 Zippyshare's "Forbidden" message reaches Spain.
The mysterious blocking efforts of the popular file-hosting service Zippyshare continue to expand. After British and German users were barred from accessing the site, Spanish visitors are receiving the same treatment. The site's operators, meanwhile, remain silent.
Founded in 2006, the file-hosting service Zippyshare has existed for more than a decade.
The sharing hub, with about 100 million users, ranks among the 500 most visited sites on the Internet.
However, in recent months Zippyshare began selectively closing its doors in several regions. In March we reported that visitors from the United Kingdom had been blocked, and a few weeks later German visitors received the same treatment.
Instead of being greeted by the usual home page, they see a "Forbidden" error in their browser, which suggests that the operators have specifically banned these regions.
This month Zippyshare's mysterious blocking efforts expanded to Spain. Visitors from the southern European country, or anyone accessing the site from a Spanish IP address, can no longer reach the site.
The error message does not explain what is happening, which has led some to simply assume that the site has shut down, voluntarily or not. However, that is not the case.
Others believe that Zippyshare is blocked or banned in Spain, noting that it can still be accessed through a French VPN server.
While that is closer to the truth, the site is not being blocked by ISPs. On the contrary, Zippyshare itself appears to be responsible for the block here. For some reason, people from the United Kingdom, Germany and Spain are no longer welcome.
We tried to obtain a comment from the site's operators this week, but have not yet received a response. Our earlier inquiries also went unanswered.
One likely explanation is that Zippyshare took this step after some kind of legal pressure. It would not be the first time a website has done this. Previously, several stream-ripping sites also blocked UK traffic, presumably because of similar problems.
Although we are not aware of any specific legal issue, the RIAA reported Zippyshare as a "notorious" pirate site to the United States Trade Representative late last year. That said, the site remains freely available in the United States.
Whatever the reason or source of the localized block, people can always find a workaround. The site can be accessed through a VPN, as long as it is not from a server in one of the blocked countries.
https://torrentfreak.com/zippyshares-forbidden-message-spreads-to-spain/
#bloqueo #zippyshare
Code Execution Flaw in Vim and Neovim
Razmjou discovered a flaw in the way Vim editor handles "modelines," a feature that's enabled-by-default to automatically find and apply a set of custom preferences mentioned by the creator of a file near the starting and ending lines in the document.
Though the editor only allows a subset of options in modelines (for security reasons) and uses sandbox protection if it contains an unsafe expression, Razmjou revealed that using ":source!" command (with a bang [!] modifier) can be used to bypass the sandbox.
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Patches and NVIM 0.3.6:
https://github.com/vim/vim/commit/5357552
https://github.com/neovim/neovim/pull/10082
https://github.com/neovim/neovim/releases/tag/v0.3.6
#patch #vulnerability #vim #neovim #alert #update
Amazon is the most valuable brand in the world
An increase in value of more than 52 percent last year made Amazon the most valuable company in the world, according to a report. The online retailer is now ahead of Apple and Google for the first time.
Google was the most valuable brand in 2018, but has now fallen to third place with a brand value of just under 273 billion dollars. Apple remained in second place with just over 273.5 billion dollars. Visa ranked fifth, Facebook sixth. Seventh place went to the Chinese online retailer Alibaba, which climbed two places with a brand value of 116 billion dollars, positioning itself ahead of Tencent. McDonald's and the telecommunications group AT&T ranked ninth and tenth respectively.
📺 https://youtu.be/ti5manNDF_c
https://www.brandz.com/
#DeleteAmazon #DeleteGoogle #DeleteApple #DeleteFacebook #brandz
Risky Business #543 -- NYTimes blames NSA for Baltimore hacks, Assange faces espionage charges
NYTimes report blames Baltimore ransomware attack on leaked NSA exploit
Assange to face espionage charges, extradition fight looming
SandboxEscaper just keeps dropping those 0days
Fury over Facebook’s response to doctored Pelosi video
The news that in 2019 Germany had decided to support backdoors in messengers such as Whatsapp and Threema
Much, much more
📻 Risky Business #543 #podcast
https://risky.biz/RB543/
Bellingcat’s Online Investigation Toolkit
Welcome to Bellingcat’s freely available online open source investigation toolkit.
You can follow our work via our website, Twitter and Facebook. (We also provide three to five day open source investigation workshops.) This is version 4.7 (May 13, 2019). The list includes satellite and mapping services, tools for verifying photos and videos, websites to archive web pages, and much more. The list is long, and may seem daunting. There are guides at the end of the document, highlighting the methods and use of these tools in further detail. We also provide tailored digital forensics workshops. Feel free to suggest tools via email ([email protected]) or Twitter (@trbrtc). To view an outline of the document, click “View” and then “Show document outline”. There’s also one below. The “OSINT Landscape” — a condensed version of the online investigation toolkit below — can be downloaded in high resolution here. https://pbs.twimg.com/media/DXM63T0WsAA7E-a.jpg:large
https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/mobilebasic
#Bellingcat #investigation #tool
Each of us eats one credit card per week.
The particles are smaller than five millimeters and are found in food, drinking water and air. Depending on where they live and their diet, people take in five grams of microplastic every week. The big question is: How bad is this for the body?
People consume microplastics daily - through food, drinking water or simply by breathing. Up to five grams of these tiny particles enter the body of an average person every week, depending on his or her circumstances. This is the estimate of researchers at the University of Newcastle (Australia), who have taken a closer look at existing studies on behalf of the environmental foundation WWF. By way of comparison, a credit card also weighs about five grams.
The researchers' study is based on data on microplastics - particles smaller than five millimetres - in the air we breathe, in drinking water, in salt, beer and in shellfish. According to WWF microplastics expert Caroline Kraas, microplastic that may be taken in in other ways was not included in the Australian analysis. The researchers also excluded fish despite available data, as it is not clear how much microplastic is eaten and how much remains in the animals' intestines.
The WWF calls for a global agreement against plastic pollution with binding targets. "If we don't want plastic in our bodies, we must prevent millions of tons of plastic waste from ending up in nature every year," said Heike Vesper, head of marine conservation at WWF Germany, according to a statement.
PDF Fraunhofer:
https://www.umsicht.fraunhofer.de/content/dam/umsicht/de/dokumente/publikationen/2018/kunststoffe-id-umwelt-konsortialstudie-mikroplastik.pdf
PDF WWF:
https://www.wwf.de/fileadmin/fm-wwf/Publikationen-PDF/WWF-Faktenblatt-Mikroplastik.pdf
Read more 🇩🇪: https://www.welt.de/gesundheit/article195127017/Mikroplastik-Jeder-von-uns-isst-eine-Kreditkarte-pro-Woche.html
#microplastics #pollution #why #thinkabout
Hong Kong - Police use tear gas against demonstrators
The protests in Hong Kong against the controversial extradition law led to riots. According to eyewitnesses, police used tear gas and pepper spray against demonstrators near government buildings and tried to disperse them.
https://twitter.com/hongkonghermit?lang=en
#freehongkong #humanrights
A Fake Zuckerberg Video Challenges Facebook’s Rules
Two weeks ago, Facebook declined to remove a doctored video in which the speaker of the House, Nancy Pelosi, seemed to drunkenly slur her speech. Over the weekend, two British artists released a doctored video of Facebook’s chief executive, Mark Zuckerberg, as a sly comment on the spread of false information online.
Posted to the Facebook-owned social network Instagram, the video shows Mr. Zuckerberg speaking directly into the camera, boasting of nefarious motives behind his online empire.
https://www.nytimes.com/2019/06/11/technology/fake-zuckerberg-video-facebook.html
#deepfake #video
🎧 Google Workers Rise Up: Inside the Protests
Google has long had a special relationship with staff, encouraging employee input on all sorts of internal matters. For the last two decades, this approach has worked well. But after a series of controversies and protests in the last two years, some workers are openly at war with Google. This week on Decrypted, editor Alistair Barr speaks to Irene Knapp, a senior software engineer who has had a front-row seat during the tumult inside the company.
📻 https://www.bloomberg.com/news/audio/2019-06-10/google-workers-rise-up-inside-the-protests-podcast
#DeleteGoogle #bloomberg #podcast
Critical Flaw Reported in Popular Evernote Extension for Chrome Users
As shown in the video demonstration, the researchers also developed a Proof-of-Concept (PoC) exploit that can inject a customized payload on targeted websites, and steal cookies, credentials, and other private information from an unsuspecting user.
https://thehackernews.com/2019/06/evernote-extension-hacking.html
#exploit #evernote #extension #chrome #browser #poc
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
How Hong Kong demonstrators organised
Tens of thousands of protesters have taken to Hong Kong's streets in opposition to a bill that would allow extradition to mainland China.
The demonstrators have said they are not operating in a planned movement, but have been cooperating on the ground as they have come under pressure to disperse from security forces.
📺 https://www.bbc.com/news/av/world-asia-48622346/how-hong-kong-demonstrators-organised
Hong Kong - Police use tear gas against demonstrators
📺 https://t.iss.one/BlackBox_Archiv/429
#FreeHongKong
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
📺 Language is a Weapon
“In our time it is broadly true that political writing is bad writing” wrote George Orwell 70 years ago, and the observation remains true today. But bad writing is not just bad writing; the language employed by politicians (and their string pullers) can literally be a matter of life and death. Join James today on the podcast as he delves into the tyrants’ linguistic weapons and how we can arm ourselves against them.
📺 #CorbettReport Episode 357 – #Language is a #Weapon #video #podcast
https://www.corbettreport.com/episode-357-language-is-a-weapon/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
🎧 The “Privacy Policy” Policy
Privacy policies: most apps and websites have them, buried away somewhere. These legal documents explain how companies collect, use, and share your personal data. But let’s be honest, few of us actually read these things, right? And that passive acceptance says a lot about our complicated relationship with online privacy.
In the Season 5 premiere of IRL, host Manoush Zomorodi speaks with Charlie Warzel, writer-at-large with the New York Times, about our complicated relationship with data and privacy — and the role privacy policies play in keeping things, well, confusing. You’ll also hear from Parker and Lila, two young girls who realize how gaming and personal data intersect...(...)
📻 #IRL Season 5: Episode 1 The “Privacy Policy” Policy #podcast
https://irlpodcast.org/season5/episode1/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
PayPal subsidiary Venmo leaves transactions open on the Internet
Transactions, including personal data, can be retrieved via the API of the Venmo payment service. According to a report, a computer science student downloaded seven million transactions and published them on GitHub.
The PayPal subsidiary Venmo itself advertises its service as "the fun and easy way to send, spend and receive money". Transactions processed with the payment service are publicly viewable by default and can therefore be entertaining even for non-users. Computer science student Dan Salmon collected seven million transactions and published them on GitHub, TechCrunch reports. The payment service currently has around 40 million users. https://github.com/sa7mon/venmo-data
A year ago, programmer and privacy researcher Hang Do Thi Duc downloaded over 207 million records from Venmo. She presented the data creatively and entertainingly in the project Public By Default (https://publicbydefault.fyi/). In addition to various statistics, she uses the data to tell little stories from the lives of Venmo users, for example about a married couple who go to the vet together, shop at Walmart and order certain dishes to take away. With this project, Do Thi Duc wanted to draw attention to the privacy problems of the payment service. She therefore published the data and stories anonymously and explained in instructions how users can change the public-by-default setting. https://www.vice.com/en_us/article/j5n8wk/public-by-default-venmo-privacy-settings
The Venmo data also inspired other projects, for example a Twitter bot called "Who buys drugs from Venmo?". It searched the transaction comments for relevant keywords or emojis and then tweeted the profile pictures and user names of the Venmo users involved. The tweets have since been deleted.
https://www.golem.de/news/datenschutz-paypal-tochter-venmo-belaesst-transaktionen-im-internet-1906-141947.html
#DataPrivacy #Venmo #PaymentService #API #transaction #details #GitHub
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities
Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.
The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.
There are patches that address most of these vulnerabilities. If patches cannot be applied, certain mitigations will be effective. Netflix recommends that affected parties enact one of the mitigations described in the advisory, based on their environment.
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
#Linux #security #FreeBSD #Kernel #vulnerabilities #netflix #patches #alert
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Thermomix from Lidl: Monsieur Cuisine Connect hacked
The insecurity of many "smart" devices is well known. Now there is a new example: a kitchen appliance that is supposedly extremely popular among customers runs on an old version of Android and, according to French hackers, can easily be turned into a surveillance device (it has a built-in microphone). Even the good old "Doom" can be played on the miracle mixer.
📺 https://www.youtube.com/watch?v=WeTAwJisF3c
#Thermomix #lidl #hack #privacy
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Top 20 Public Bug Bounty Programs
The HackerOne bug bounty platform shows how quickly and to what extent Intel, PayPal & Co. distribute bonuses to security researchers.
According to the report, Verizon Media has paid out the highest total amount to date, more than $4 million. The Bug Bounty Program has been in place since early 2014 and has since worked with various security researchers to solve more than 5,000 security problems.
PayPal has paid the highest premium for a single security vulnerability to date, 30,000 US dollars. Such top payouts usually go to vulnerabilities that attackers can exploit over the Internet to execute malicious code without authenticating. An attacker in such a position could, for example, bring a web server completely under their control. So-called remote code execution vulnerabilities are the most dangerous class of security flaws.
Shopify, the e-commerce software provider, pays out premiums on average within two days and thus leads the rankings in this area. By way of comparison, GitLab needs an average of three months. Starbucks responds quickly to reported vulnerabilities and gives feedback after an hour on average.
https://www.hackerone.com/sites/default/files/2019-06/H1-718_Top%2020%20Public%20Bug%20Bounty%20Programs_V2.pdf
#pdf #BugBounty #HackerOne
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
🎧 Why Silicon Valley Is Hiring Bird Experts
A few years ago, reporter Sarah McBride noticed that a top engineer at Twitter was also an expert on the brains of birds. Then, more and more, she started seeing that many top tech companies have bird brain experts in their highest ranks -- that includes Apple, Google, Intel and a secretive startup founded by Elon Musk. This week on Decrypted, Sarah and fellow reporter Ashlee Vance set out to understand why Silicon Valley is so interested in avian minds, and what they could tell us about tech’s ability to influence our own.
📻 https://www.bloomberg.com/news/audio/2019-06-18/why-silicon-valley-is-hiring-bird-experts-podcast
#podcast #bloomberg
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN