6) Do the right thing; don't be evil.
- Honesty and integrity in all we do
- Our business practices are beyond reproach
- We make money by doing good things
- Google Code of Conduct, Core Values
Google has gone away from this core value. Why? Well, let's look at what they did to Chrome and its extensions.
The problem that is a problem
In October 2013 they announced that they were seeing a large number of systems compromised so badly that the settings of
Chrome could be manipulated.
[link] Let's review this statement in detail:
Online criminals have been increasing their use of malicious software that can silently hijack your browser
settings. This has become a top issue in the Chrome help forums; we're listening and are here to help.
Bad guys trick you into installing and running this kind of software by bundling it with something you might want,
like a free screensaver, a video plugin or—ironically—a supposed security update. These malicious programs disguise
themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you
browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping
you trapped in an undesired state.
The author is very carefully avoiding telling you specifically what kind of "software" he is referring to.
The examples given are, however, quite telling: "a free screensaver, a video plugin [...] a supposed security
update". All of these have one thing in common: they have nothing to do with extensions, because they are all
run-of-the-mill Windows software.
This means the scope of the attacker, the most important factor in any security consideration, is
very broad. A normal windows program can change so many things that are stored on disk, that it is very hard to
protect against. The threat described in this post is a very real one.
While it is quite real, it also is quite easy to counter. Files stored on the filesystem can be compromised, but other
things, like memory, can't (ok, technically it can, but there's a much, much higher level of protection to overcome
there...) so a key to protecting the user lies in the proper usage of those uncompromised places. You need a secret.
There are many potential methods; I will provide two of them.
The solution that is a solution
- Checksums - It's not hard to tell whether a file has been manipulated. Even a simple md5 checksum will suffice (yes, md5 is
  "broken", but luckily it's not broken in a way that endangers its use here). The checksum of course
  has to be stored away from where a local attacker could change it. The latter part is a task that one of the largest
  cloud storage providers worldwide should feel comfortable handling.
- Cryptographic signatures - Create a password protected private key, sign the settings with it, store the signed settings in a file. Any
  attacker without the password or access to Chrome's memory has no option to generate a correct signature for his
  manipulations.
Quite ironically Google itself is currently working on a pure JavaScript solution for
this problem. [link] Even implementing this
in extension space would be safe, since no attacker with "only" access to the filesystem can even
dream of accessing the protected extension memory inside the protected chrome memory...
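Both options above, as an added example (not code from the original post or from Chrome): it compares a checksum kept in the settings file, a checksum kept off-host, and a keyed tag. HMAC-SHA256 with a password-derived key stands in for the private-key signature the post describes; all function names, the sample settings, the password, salt and proxy address are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

def canonical(settings: dict) -> bytes:
    # Deterministic serialization: equal settings always give equal bytes.
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()

def derive_key(password: str, salt: bytes) -> bytes:
    # The key is derived from the password at startup and kept in memory only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def seal(settings: dict, key: Optional[bytes]) -> dict:
    # On-disk record: unkeyed SHA-256 when key is None, HMAC-SHA256 otherwise.
    data = canonical(settings)
    if key is None:
        tag = hashlib.sha256(data).hexdigest()
    else:
        tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"settings": settings, "tag": tag}

def verify(record: dict, key: Optional[bytes], trusted_tag: Optional[str] = None) -> bool:
    # Recompute the tag; compare against an off-host copy if one is supplied,
    # otherwise against the tag stored in the file itself.
    expected = seal(record["settings"], key)["tag"]
    return hmac.compare_digest(expected, trusted_tag or record["tag"])

def simulate_file_tampering(record: dict) -> dict:
    # The post's threat model: the file can be rewritten, the key is unknown.
    # The proxy is changed and the unkeyed checksum recomputed to match.
    changed = dict(record["settings"], proxy="203.0.113.7:8080")  # constructed value
    return seal(changed, None)

def demo() -> dict:
    settings = {"homepage": "https://example.org/", "proxy": "direct"}  # constructed
    key = derive_key("constructed-password", b"constructed-salt")
    plain, signed = seal(settings, None), seal(settings, key)
    return {  # True means the check accepted the settings file
        "checksum_in_file": verify(simulate_file_tampering(plain), None),
        "checksum_off_host": verify(simulate_file_tampering(plain), None, plain["tag"]),
        "keyed_mac": verify(simulate_file_tampering(signed), key),
        "untouched_keyed_mac": verify(signed, key),
    }

if __name__ == "__main__":
    print(demo())
```

Only the checksum stored next to the settings accepts the modified file; the off-host checksum and the keyed tag both reject it.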
So we now have a path to improving the security of all chrome users significantly. Keep in mind, that the settings of
a browser contain highly critical avenues of attack. The proxy settings are maybe the most prominent feature. If an
attacker changes the proxy he gains access to everything. From cookies to plaintext passwords. So if google is really
monitoring a high amount of those manipulations the house is almost literally aflame. Doing the right thing never was
easier. At least you would think that.
The problem that isn't the problem
Google went public with what would become the source of the current outrage one month later. In another blogpost
they presented what they claim is the solution to the security issues presented before.
[link]
Extensions are a great way to enhance the browsing experience; whether users want to quickly post to social networks
or to stay up to date with their favorite sports teams. Many services bundle useful companion extensions, which
causes Chrome to ask whether you want to install them (or not). However, bad actors have abused this mechanism,
bypassing the prompt to silently install malicious extensions that override browser settings and alter the user
experience in undesired ways, such as replacing the New Tab Page without approval. In fact, this is a leading cause
of complaints from our Windows users.
This post starts with a total non sequitur. Discussing extensions in this context is as misleading as it gets.
The problem (as I showed before) is not in the extension system, it is in the operating system and the way Google
Chrome stores unsecured settings where third parties can access and manipulate them. Blaming any part of this on
extensions is almost literally blaming the smoke for all your problems in the aforementioned aflame house.
Just to stress this point: The "malicious extension" is not the problem, it is merely the symptom of a system
that was infected by malicious software. The "leading cause of complaints" is basically that users with
infected systems notice that their systems are infected because they can't remove certain extensions.
The solution that isn't a solution
If they had stopped at this spectacularly bad piece of security analysis no one would have to face any repercussions
over this. Sadly the blogpost went on like this:
Since these malicious extensions are not hosted on the Chrome Web Store, it’s difficult to limit the damage they can
cause to our users. As part of our continuing security efforts, we’re announcing a stronger measure to protect
Windows users: starting in January on the Windows stable and beta channels, we’ll require all extensions to be
hosted in the Chrome Web Store. We’ll continue to support local extension installs during development as well as
installs via Enterprise policy, and Chrome Apps will also continue to be supported normally.
This is the worst part of this whole clusterfuck, boiled down to a paragraph. It is plain bullshit from start to end.
Those "malicious extensions" are not the problem, them not being in the webstore is not a problem. The problem is an
attacker with filesystem access. Forcing all extensions to be hosted in the webstore will not mitigate the cause of
the problem, quite the opposite. Disabling such extensions does not mean the system won't be infected anymore, it means
the user won't notice the infection anymore. I might be a bit old fashioned, but last time I checked it was considered
generally better to have your users in a state of awareness towards security issues on their system.
Don't do evil?
Not only does the action Google took fail completely at the task it was officially supposed to do, under closer scrutiny
it shows its true Damoclean nature. There are two ways of installing extensions that are to be left unimpeded: Local
development install and enterprise policy.
Local development install
This is an absolutely necessary feature. Take it away and developing new extensions becomes an almost impossible task.
The location of those extensions as well as the development state flag is saved in the browser settings. The same
browser settings whose very compromise opens up the issue in the first place. The very idea of leaving this one open
is such an unequivocal sign of incompetence it hurts physically.
Enterprise Policy
This is not an absolutely necessary feature. Take it away and deploying extensions over company networks becomes a
hassle. Enforce the same security restriction on extensions installed that way and you'll not only seriously impede
professional use of chrome the way this change just did, you will basically make it impossible. There have already been
reports of smaller companies moving away from Chrome over this issue, and rightfully so. Also keep in mind: software
that is being installed on Windows normally requests administrative privileges. With those it can set the necessary
entries in the registry to make Chrome install any extension without the criticized third party ban.
Honesty and integrity
Either a whole bunch of people fucked up at google in the most spectacular way ever, or there's a whole lot of stuff
going on beneath the surface. Honesty is certainly not a driving force in this issue anymore. Integrity is also about as
gone as it can be. An honest mistake is one thing. Sticking to such an obviously bogus policy after being called on it
repeatedly is not a sign of a party with its integrity intact. Apple, Microsoft and co now have a true competitor in all
fields, big corporate bullshit included. They have however one advantage in my personal opinion: At least neither Apple
nor Microsoft claim to not do this kind of stuff. Yes, they may occasionally (or all of the time) milk you for all
you're worth, but they will openly say that they're doing so.
Practice beyond reproach
There's not a lot about this move that is not a very valid target for criticism. In fact there's not a single point in
this whole piece of garbage that shouldn't be inspected very carefully and criticized in the strongest possible tones.
Disabling third party extensions with a claim of improved security while leaving gaping holes open for attackers and
completely missing the critical point of attack is probably the most stupid thing ever to leave a google office.
Making money
There's a piece of additional ice cream for those of you reading this far. If you take the path Google just
forced you onto, it won't be damaging to Google. There's a new app on their store, a new bunch of people installing it
from there, thus being targeted by advertising in said store and last but not least registering as a developer will set
you back 5$. That last isn't much, but on the other hand it's not money google would make without this dick move.
Conclusions
Google is being dishonest with its customers, it is actively endangering them by attenuating symptoms of an infected
system without actually going for the root cause, and last but not least, Google is making profit from this. I have long
defended Google for a few policies criticized by others as going too far, and I believe I was right in doing so. However,
from this day on google has officially (but still temporarily) lost its trusted company status in my book.
Effective February the 12th 2014 Google is a candidate for an evil corporation.
My personal consequences:
I will watch this development for a few weeks. If nothing changes in the high-handed and dishonest ways of Google there
is no other choice but to move all my business away from Chrome to Firefox, ban Chrome wherever I have the ability to
do so, and last but not least, phase out all other google products. I strongly urge everyone else to do the same.