bit-byters.net

Disassembly of an LCD

Paul — Wed, 11 Nov 2009 13:01:33 +0000

I posted this to YouTube some time ago. It’s a little video showing the disassembly of an LCD.

If you find this interesting, let me know, I might some other stuff as well.

Netherlands Still #1 in Phone Tapping

Paul — Wed, 11 Nov 2009 11:27:15 +0000

It was reported to the Dutch parliament yesterday that we are still number one when it comes to absolute number of phone taps! This considering that we only have a fraction of the population of other big phone tapping countries such as the USA, UK and Germany.

I reported about the first official phone tapping statistics in may 2008. Since then there has been a yearly report, but now they’ve changed that to half-yearly again.

The Numbers:
Well over 13000 phone taps in the first half of 2009.
An average of 2250 active phone taps during that time.
Of which 80% concerned mobile phones.

Compared to previous reports:
There is a huge increase of absolute number of taps compared to last years statistics. But last years where yearly, so longer running taps aren’t counted twice and thus the two can’t be compared by simply multiplying the half yearly statistics. So if we compare the to the 2007 half yearly statistics there is only a slight increase in the number of absolute taps.

However the number of average running taps has increased dramatically. In 2007 this was 1681, but the last report is of 2250 taps running on average!

Moreover there has been a slight decrease of mobile phone taps, relatively speaking.

There have been questions from the parliament whether this high number of taps actually helps solve more crime. It is however, still unclear if there’s going to be any research on this matter.

Strong passwords

Paul — Wed, 10 Sep 2008 16:01:52 +0000

What is a strong password,
how do you know if a password is strong and how do you pick one? That’s what this is going to be about. Passwords are for security, they’re used to certify that one who has knowledge of the correct password has access to the system/information. That’s a very wide description and may thus result in all kinds of different levels of security that are needed. Does this password give you access to your bank account or only to a share with your music collection on your home LAN? What attackers can we expect, or more specifically how does one attack a password? This is the most important, because if we know that, we know what our passwords are up against.

Brute force attacks
are the most basic form of attacking. It merely consists of simply trying out any combination within set boundaries. The success rate of this type of attack is highly dependant on the complexity of the password. A 4-digit PIN-code for example would be extremely easy to break as there are only 10,000 possible combinations, 0000-9999 or 10⁴. That would take a computer less a 1/1000 of a second to break (this is why these systems block an account after 3 failed attempts).
In our defence against these attacks we could choose to add more numbers, ten folding the complexity to break with each number, but this would generate a very hard to memorize sequence of numbers, because it needs to be very long. The other variable in the number of possibilities is the size of the character set. With the example this was only 10, but if we took the alphabet this would increase to 26. 26⁴ = 456,976 and thus a 45-fold of complexity. Notice here how this complexity increase is exponential. This gets bigger as passwords get longer, 8 numeric characters vs. 8 alphabet characters: 10⁸ = 100,000,000 and 26⁸ = 208,827,064,576. This is a 2088-fold in complexity compared to 45-fold for 4 characters!
Of course these numbers are still very low in the computer world and it would only take a short while to try all possibilities. What we need is something that takes an attacker a disproportionate amount of time with current technology or with future technology. Because we now know the two components in the complexity we can choose how complex we want our passwords. Complexity is expressed by:
c = s ⁿ
Where:
c = complexity
s = character set
n = length
It’s relatively easy to enlarge both factors to a size where brute force attacks become completely impractical. As character set you have different blocks to choose from:

a-z
A-Z (capital letters are different, using them effectively doubles your character set)
0-9
!@#$%^&*() (characters located under shift + 0-9)
-=_+[]{};’\:”|,./<>?\|`~ (The rest of the characters on a US-int keyboard)
Special characters: there may be more difficult characters normally not directly found on US-int keyboard such as the ß, ë, é, à, ö, ç, €, ¾, ², ³, ¤, etc. These are top notch, meaning that if you use them in your password you’ll make an extremely strong password, because there’s virtually unlimited numbers of them in different languages (ever used a Chinese character in a password?) Try hitting ctrl + alt + any random key in a text field so you can see the output, most of them yield a special character you probably never knew was there and you might even find useful in normal word-processing!

These sets or blocks of characters are normally attacked in this order. This means that attackers will normally first attack a limited set of characters (e.g. only a-z, A-Z, 0-9) and move towards adding more complex characters as they are unsuccessful or just give up. Key in this all is that you use at least one character from every block up to the highest possible, but it’s better to use more. If you use only up to block:

26 characters
52 characters
62 characters
72 characters
96 characters
a whole lot of characters

The second factor is length. The longer your password, the safer. This is pretty straight forward. Longer is better. A simple guideline:

n < 8 - Don't
n < 10 - very short
n < 12 - short
n < 14 - medium
n > 14 – recommended

Dictionary attacks
Another popular attack is the dictionary attack. This approach is pretty straight forward, you take a dictionary with a set of words and try them as passwords. You can choose a dictionary that is in the language of the end-user. This can be based on information found elsewhere. Maybe the attacker recognises the language from the username or google’s him or her. If this first attempt fails attacking software offers options to combine two or more words, vary capitalization, add numbers to the end, etc. You should also know that there are special dictionaries for this which include common names, patterns found on keyboard (e.g. qwerty, azerty, asdf) and other words that you normally wouldn’t find in a dictionary.
Although this sounds very sophisticated, the solution is simple, don’t use meaningful character combinations!

Shoulder surfing
Is the name used in computer security for getting information by looking while someone enters it. By looking over their shoulder. Choosing the right password can also help to prevent shoulder surfing. It wont make it impossible but if you consider the right techniques it’ll make it a lot harder. The first thing is that you should be able to type your password fast. If you can just smash away your password on a keyboard in the blink of an eye there’s very little chance that someone will be able to follow your actions without help from a camera. The speed you can type your password with is of course highly dependant on how you normally type. If you’re used to typing with two fingers it’ll be hard, but if you type with all ten fingers then exercise. Otherwise consider learning to type with ten fingers, might be a very good idea, it’ll serve you in the long term and beyond just typing passwords.
The but-part of this is of course that this doesn’t combine very well with choosing a complex password. Or maybe it just does, because if you have to type a special char and press two or three keys at a time it becomes far more complex to follow for a shoulder surfer. This is of course assuming that you can still type your password relatively fluently. So go practice. The other thing is that you could put a easy to type part along with a hard to type but also hard to brute force part. In theory someone could combine this with brute-forcing, but in practice that’s highly unlikely.

Hash tables, a technical side note
There’s one more type of attack we should consider. That’s the use of hash tables. Many systems, such as windows and online services store passwords in the form of a hash. This is a highly complex string generated based on the password but in such a way that it’s irreversible. Meaning that multiple input strings could lead to the same hash, but due to the nature of the generating algorithm and the complexity of the hash string this is highly unlikely. The secure thing about this is that the software doesn’t need to store your password anymore, but only a one way derivate of it. Now the software can just derive the hash from the password you enter and check it against the hash stored in the database.
This has made it considerably more difficult for attackers, because the calculation of a hash takes relatively long compared to normal password verification methods and thus making a brute force attack much less feasible. That’s why new attacking methods have been developed. Attackers have just generated a list of all possible passwords with the accompanying hash. Now they only have to look for the hash in their table and look at the string use to generate. This is much quicker than brute forcing.
But the downside of this is that it takes a lot of computing power to generate such a list. Think about 25+ computers running for a month to generate a useable list. Also the file sizes can grow very big. Think tens of gigabytes. But this is worth it, because only one attacker has to generate the list and can then redistribute it to others.
The good thing for us to know is that these attackers target only the most common passwords, because they don’t know what they’re going to attack when they generate the list. This means they try to distribute their resources evenly and last time I checked the tables went up to 14 characters of a-z, A-Z, 0-9, !@#$%^&*(). So if your password exceeds those criteria you’re safe.

What’s encryption? Why do we need it?

Paul — Sun, 15 Jun 2008 19:28:56 +0000

What is encryption?
Cryptography is the field of technologies for hiding information. It tries to hide, encrypt, the information in such a way that a third party who has access to the hidden, encrypted, data cannot reconstruct, decrypt, the original information. In more practical terms, the encryption methods apply a certain routine to information so that it’s no longer recognizable as it’s original. With the right key, that was determined before encrypting the data and the accompanying routine for decrypting the information, the original information can be recovered.
Cryptography was first pioneered many centuries ago. It was the work of specialists to create encryption routines for the military mainly. Cryptography remained something mainly for the military for quite long. Up until a century ago almost entirely and only in the last 20 to 30 years has it become mainstream. Nowadays it’s being used all around us; in ATM cards, on ecommerce websites, in game consoles, for the distribution of copyrighted music and film and many more applications. This is all possible due to the rise of the computer and readily available gross amounts of computing power. Considering the computing power available nowadays we’re actually encrypting very little and leaving the door right open to a lot of sensitive data.

Why do we need to encrypt more?
If you don’t all ready know it, without encryption there is no such thing as privacy. At least not for your data. It’s all 1’s and 0’s but doesn’t take a genius at all to recognize the data it represents if it’s not encrypted when intercepted. And there are literally thousands of ways to intercept data, but I’ll list some common ways.

Internet
is probably the most dangerous place for your data as concerned with privacy. If you don’t use a encrypted connection with the server, pretty much anybody can get their hands on your full communication. People in your local network, your internet provider, the host of the web-site you’re visiting, proxies you’re tunnelled through even if they are transparent and you don’t even notice or know, any carrier of your traffic which can be pretty much any arbitrary person for all you know because routes are chosen dynamically and you have very little to no influence on that and last but not least someone who specifically targets your communication being either a hacker, the government or who knows who.
E-mail
is pretty much the same story as for internet
Instant messaging
is also just as weak as the whole rest of the internet!
WiFi
is a special case all by itself. Special for the fact that it’s extremely dangerous. This is because the information is just put straight into the air for anybody to receive. With the right antenna this can even be from quite far away. Further away than you can be from the access point. Can you imagine what happens if this is unencrypted, or encrypted with some weak encryption such as wep?
USB-sticks
might get stolen or lost. Just plug ‘m in, thanks to plug ‘n play, no problem. The average grandmother can do that. Even encrypted and supposedly safe USB sticks might very well turn out to be very insecure after all.
External hard drives
as you might have figured suffer from pretty much the same issues as USB-sticks except for that less of them are out there who actually try and protect your data.
Personal Computers
get stolen. But a bigger risk might be that other people use them as well. Maybe you don’t fear your husband, wife or maybe even the kids wandering around through your computer, but what about the friends and family who visit your house. Maybe even friends of friends during a party? And did you ever think about the possibility that you might ever become under criminal or tax fraud investigation. You don’t even have to be guilty to be investigated, that’s the ‘beauty’. But then you say, I’ve got my account protected with a password and I’ve made my files private, isn’t that enough? NO! Plain simple NO! All though it will prevent the occasional access to your files it won’t stop the more determent of mind. If they have full access to the hardware, e.g. stolen computer or you’re under investigation, then it’s very easy, but even with limited access it’s possible. Some years ago at a institution we were able to retrieve a very sophisticated password from a machine with a padlock on the case, the HDD as only boot device and bios password set. And then there still is the malware that endangers your data.
Laptops
are the same as PC’s except for that they are stolen much easier, more often, get in the range of different people more easily and that customs have the right to search them if you travel abroad.

Encrypting more, doesn’t that sound like a wise decision?

A little video from Mayrhofen

Paul — Tue, 03 Jun 2008 23:44:21 +0000

It took me quite a while, but here it is. I found the time to recover the material from the tape of my dead film camera. It got a bit moist on a very beautifull powder day. It was heavy snow all day and clear in the afternoon when I finished working. We went skiing and I filmed but the camera started to act weirder every minute untill it completely stopped working. Non of that was recoverable. If someone has a good method to fix the recording mechanism of a DV cam that got moist, please tell me!

Well, with the little material I do have I made this film the other day:

12,491 phone taps during the 2nd half of 2007 in the Netherlands

Paul — Fri, 30 May 2008 00:16:41 +0000

Today a letter to the dutch minister of justice was released. This letter addresses phone tapping statistics collected by the Unit Landelijke Interceptie van het Korps Landelijke Politie Diensten (Unit National Interception from the National Police Department). I will try to translate the letter into English.

In the letter of 13 November 2007 (Tweede Kamer, vergaderjaar 2007-2008, 30517, nr. 5) I promised to send you the tapping statistics, as discussed in the letter, considering the second half of 2007. With this letter I’d like to full fill that.

The Unit National Interception from the National Police Department facilitates the interception for all police departments, the Special Investigations Bureau and the Royal Constabulary and since the middle of 2007 it functions as only body to talk to concerning interception of telecommunication for investigation.

In the second half of 2007 the Attorney General ordered the tapping of 12,491 phone numbers. Of these 84% of the cases considered a mobile phone number and in 16% a tap on a land line. In this period there was a daily average of 1681 active taps.

The statistics for the coming years will be included in the budget cycles and be presented to you through that path.

The Minister of Justice,

This is just an incredibly high rate considering that the Netherlands is a relatively small country with only about 16M people. An average of 1681 active taps means that every 1 in 10,000 is currently being monitored. 12.491 taps in 6 months means about 25K a year. That means on average a tap this year on about 1 in every 650 people. But you should also consider this; not only the people whose number is being taped have their privacy violated, but also the people who call and are called by those persons. If the tapped lines on average only make and receive 5 calls a day this means that the number of people affected daily is almost six times larger!

My sense of privacy on the phone has completely gone by now. I all ready knew that our government liked to tap a lot, but I never could have imagined it to be this bad.

How to take back your privacy

Paul — Tue, 06 May 2008 01:35:09 +0000

It’s almost 1984 and big brother is maturing ever more. Data retention is in effect in ever more countries and most security agencies can tap anything with the push of a button and often even locate you through your mobile phone. Governments even put spying software on your computer (!) if they can’t film you on the streets with one of their 1,500,000 cameras. It’s not only that they can do all this and admit it, but they do so ever more! So what can we do to protect our privacy when big brother is trying to find out what takes places in the comforts of our home?

Privacy is an amazing thing. It’s just incredible how fast it can disappear when everybody has started to rely and assume it. It’s a thing that has long since interested me. It’s got a whole lot to do with security, which is another thing that has long since interested me. Now that privacy is disappearing ever faster and security is getting better, but with no serious notion of privacy, I think it’s about time that I start writing on this subject. I have a fair amount of knowledge on all related subjects and a big interest. Now that’s why I’ve opened a new category: Privacy

In this category I intend to write practical articles, guides and how to’s concerning privacy. One of my goals is to make it useful to all average users and not just experienced. Some subjects are just very complicated, but it’s my goal to make it understandable. A lot of information is off course all ready available in the documentation of tools, tutorials, how to’s and many other sources, but I have not yet found a source that nicely combines this all into a package easy useable. A preliminary list of subjects I intend to write about is (in no particulair order):

Anonymus internet through Tor
Firewall
Anti-Virus
Anti-Spyware
Anti-keylogger
Root-kit defender
File Encryption/Drive Encryption/Hidden encryption
Secure Browsing/Secure Browser
Drive Clean-up
Virtual Machine
PEBCAC (Problem Exists Between Computer And Chair) a.k.a. good behaviour
Private E-mail
Updates and the importance of
Anonymous web-search
Secure chat and VoIP
Back-up
Hardware Recommendations
Secure settings for windows
Probabily more…

A lot of work to do!

Kort berichtje uit Oostenrijk

Paul — Tue, 19 Feb 2008 17:45:44 +0000

Zo, even een kort berichtje nu ik toch ik het internet cafe zit. Het is hier nog steeds leuk en de maand Februarie gaat alweer gestaag voorbij. Morgen komt er een delegatie uit Nederland aan. Mama, Jules, Oma, Willy, Willemien en Ruud! Ik zie er naar uit. Ik ben deze week aan de slag gegaan in de volwassenen skischool. Doe alleen prive lessen nu, daar is niet zoveel werk in, dus dan heb ik de komende dagen tenminste een beetje tijd.

De afgelopen week was wel een beetje een ramp. Ik ben een paar dagen flink ziek geweest met de griep en koorts. Dinsdag, woensdag en donderdag beneden gebleven en daarna was ik nog erg zwak. Geen conditie is toch wel vervelend met dit werk. Ik ben woensdag wel even mee geweest naar de Kneissl fabriek. Daar heb ik de ski die hiernaast staan op de kop getikt. Dat lukte nog en was ook wel goed in de frisse gezonde lucht. Beter dan de lucht in de kelder waar ik verblijf in ieder geval. Zou me niets verbazen als ik daar ziek van ben geworden of van iemand anders met wie ik veelste dicht opeen leef. Misschien was het ook wel de week daarvoor, de week van carnaval, waardoor ik zo ziek ben geworden. Die week was een week van feesten zonder einde. Zondag tot en met vrijdag uitgegaan en er iedere avond een mooi feestje van gebouwt. Carnaval kun je zeker net zo goed hier vieren als in Nederland, dat heb ik nu wel zeker. Nou, ik ben er nu in ieder geval weer bovenop. Moge het feest weer los barsten. Tot snel!

Ik ben 20!

Paul — Fri, 01 Feb 2008 18:58:51 +0000

Weer eens een kort berichtje uit Oostenrijk.

Ik ben maandag jarig geweest zoals jullie natuurlijk allemaal al lang wisten, want zoveel berichtjes, kaartjes en telefoontjes als ik heb gehad! Daarvoor wil ik julllie allemaal heel hartelijk danken. Het is echt leuk om wat van jullie te horen! Het is ook een hele leuke dag geweest. Er lag nieuwe sneeuw, dus ’s ochtends vroeg opgestaan en naar boven om eerst lekker wat poeder te kunnen rijden. Heerlijk met het zonnetje erbij. Er was weinig werk en ik had ’s middags een groep, dus tot 11u geskied en toen met Manfred (de grote baas) een paar biertjes gedronken op het terras en een beetje gegeten rond de middag waarna ik nog les heb gegeven. Toen de apres ski in tot de rij voor de gondel weg was. Dat is geen straf!

Toen ik in de U-boot (zo noemen we de kelder waar we in wonen, omdat hij veel weg heeft van zo’n oude duitse onderzeeer) kwam stond het koor klaar met een grote taart en twintig kaarsjes. Er kwamen ook al snel flessen snaps en vodka op tafel ten behoeve van de drankspelletjes. Toen alles op was zijn de mensen die nog stand hielden mee gegaan naar de Schlussel. Dat is een van de twee discotheken in het dorp. Daar ging het helemaal los en heb ik rond middernacht de spreekwoordelijke fakkel overgedragen aan Roel die tweede was in de verjaardag driedaagse.

De volgende dag heeft iedereen het een beetje rustig aan gedaan. Deels gedwongen en deels in afwachting van de derde jarige. Het was namelijk de woensdag waarop Manfred Gager, de eigenaar van de skischool 60 werd. Groot feest, want alle leraren waren uitgenodigd voor gratis drank en gegarandeerde gezelligheid in de nicky’s. Dat zijn twee zaken waar iedereen wel happig op is. Dus na de nodigde drank hebben we het feest nog even doen rekken met ons gezang, waarna we de hotelbar van de Bruck’n op z’n kop zijn gaan zetten. Navraag heeft mij doen leren dat ze zoiets daar nog nooit meegemaakt hadden. En zelfs toen we daar de uittocht inzette hadden enkele (waaronder ik) nog niet genoeg gehad en zijn door gegaan naar de Schlussel. Ook daar was het heel gezellig en naar verluid tot wel 5u in de ochtend.

Nou dat was me het weekje wel. Vanavond misschien nog uit en dan morgen een dagje vrij voordat de hel losbarst. Naar verluit is het hier de komende maand een gekkenhuis. Het aantal gele nummerplaten begint alvast flink toe te nemen en de typische Nederlander spotte ik vanavond ook al verscheidene malen. Ik ben benieuwd wat het gaat brengen. We zullen het spoedig zien en dan ik zal het ter zijner tijd beschrijven!

Groeten uit Oostenrijk!

Anwärter, lesgeven en feesten

Paul — Thu, 10 Jan 2008 17:52:10 +0000

Zozo, weer een berichtje uit Oostenrijk. Het heeft even geduurd, maar ik heb het gewoon heel druk. Met après skiën dat is. Gelukkig had Peter (collega) het daar ook zo druk mee dat ik z’n was én laptop maar even mee heb genomen naar de wasserette en nu dus even tijd heb om een berichtje te typen voor jullie.

Alle blabla daargelaten is er een heleboel gebeurt sinds mijn vertrek. Ik ben natuurlijk naar Oostenrijk gereisd wat allemaal goed is gegaan en gezellig was. Ik heb heel veel nieuwe mensen leren kennen en nog steeds iedere dag meer. Ik ben de 10e december zoals geplant aan m’n anwärter cursus begonnen en ben 10 dagen later zoals geplant geslaagd. Ik ben nu dus officieel skileraar en ben sinds de 22e ook in die functie werkzaam bij “Die Roten Profis”.

Eerste twee weken heb ik met de race groepjes van de kinderskischool carven grundstufe geoefend. Dat is best leuk. Kinderen zijn wel een uitdaging op zich, maar je leert snel. Vooral vermaken en niet teveel uitleggen. Als er maar kilometers gemaakt worden. Deze week ben ik echter overgeplaatst naar de volwassenen. Ik heb geluk gehad en heb nu zes dagen privé met een heel aardige Engelsman. Skiën valt hem misschien wat moeilijk, maar dat is dan ook extra motief om mij mee te nemen op een extra pauze en tussen de middag kletst hij ook graag even door onder het genot van wat eten en drinken.

Dat is natuurlijk werk, maar je hoeft hier geen 10 min. te zijn om door te hebben dat er nog veel meer is dan werk. Het is hier namelijk altijd feest. Dat is 7 dagen in de week en dan van 3 à 4 uur in de middag tot 5 à 6 uur in de morgen. Voor skileraren in het bijzonder. Her en der krijgen we namelijk korting op de drank en normaal gesproken betaal je ook nergens entree. Het is hier meer de kunst van het nee zeggen. Ik zal verder niet alle gave feestjes gaan beschrijven, maar het dak gaat er hier vaak af.

Verder heb ik een paar foto’s op Hyves gezet.
En ik zit niet zo vaak op internet zoals je wel gemerkt zult hebben, maar je kunt me wel altijd bellen: +436644874359
En er zijn ook speciale 0900 nummers waarmee je goedkoop internationaal kunt bellen, maar dan moet je maar even op internet zoeken of je kunt natuurlijk Skype o.i.d. gebruiken.

Groeten Paul