This blog is coming to an end. Although I have lots to talk and write about, time is limited and prioritized in other areas. New blog posts may appear in the future on my own company web page: https://godpraksis.no/
Security Nirvana
Personal research and opinions from Per Thorsheim.
Wednesday, May 20, 2015
Tuesday, February 24, 2015
Seek Thermal XR - first impressions
[ First picture using Seek Thermal XR with iPhone 6. ] |
So I got my Seek Thermal XR thermal imaging camera today, through a proxy service in the US since they do not offer shipping outside US/Canada yet. I put out a tweet earlier today, were I said I would unbox and give my first impressions of it. Here it is.
Thursday, November 06, 2014
Dear Technology Leader,
in adaptive multi-factor authentication.
I'll be nice and not name you in this blog post quite yet, as I want to give you a chance of fixing things ASAP. I just hope & believe you'll listen, at least after the presentation from your company I listened to not long ago.
However I feel obligated to speak up against some of the claims you made in your presentation, as well as what I see from your demo website. Let's get started.
I'll be nice and not name you in this blog post quite yet, as I want to give you a chance of fixing things ASAP. I just hope & believe you'll listen, at least after the presentation from your company I listened to not long ago.
However I feel obligated to speak up against some of the claims you made in your presentation, as well as what I see from your demo website. Let's get started.
Tuesday, June 17, 2014
What I want from Domino's passwords
Domino's Pizza got hacked, hackers demand money for not publishing stolen user credentials.
Now if I could analyze those passwords, here's what I would be interested in:
Friday, April 25, 2014
Did Twitter silently remove login verification using their Twitter app?
Updated information:
I tried to register for one-way tweeting by sms by sending 6 messages (stop, stop, start, yes, username, password) to Twitters UK number. Didn't work, repeated the process to the number listed in Finland. It worked.Now I can tweet by SMS (Who would do that anyway???), but I can finally configure login verification by use of iOS/Android app.
Error report, or at least sort of:
The option Security and privacy - "Send login verification requests to my phone" is available (using pc/windows/Chrome at twitter.com), but I do not receive any verification code from Twitter.
My phone number is correctly listed under Mobile, including +47 country code for Norway and (Norway) listed. I have set a PIN to protect my account from SMS spoofed texts appearing to come from me.
_________________________________
Original text:
So @hmemcpy and @omervk had this little discussion on failure of configuring Twitter login verification, and I thought "dude, that's easy", and pointed to the option of using the "login verification" through Twitters native app for iOS or Android, and option I've been using for quite some time:
Monday, February 24, 2014
Personvern hos våre politiske partier
I valgkampens innspurt høsten 2013 sjekket jeg om de politiske partiene i Norge overholdt personopplysningsloven og de krav/anbefalinger som er gitt av Datatilsynet. Det jeg fant var såpass overraskende at jeg tipset Aftenposten, som selv kontrollerte, og fikk en klar tilbakemelding om lovbrudd for partiene da de henvendte seg til Datatilsynet. Saken til Aftenposten ligger tilgjengelig her.
I tillegg kritiserte jeg også partiene Høyre og Venstre for svak epost sikkerhet, også dette gjennom Aftenposten.
Nå, 6 måneder senere, var det tid for å sjekke hvilke partier som har holdt sine løfter og etablert den sikkerheten de er lovmessig pålagt å ha.
Tuesday, February 04, 2014
Sparebank 1 MSN på Facebook / Tinder
(English summary at the end)
Oppdatetert 06.02.2014: Dagbladet har laget sak basert på nedenstående.
Både Facebook og Tinder har som krav til personprofiler at de skal tilhøre en eksisterende person. Her har banken glatt oversett dette, og opprettet falske personprofiler.
Tinder stiller som krav at konto baseres på en eksisterende personlig Facebook profil, og at denne benyttes til ikke-kommersiell bruk. Her bryter banken vilkårene, da deres formål er å tiltrekke seg nye kunder via en datingtjeneste (!).
Banken sier at en ansatt som jobber spesielt med sosiale medier har ansvaret for disse (falske) profilene. Jeg finner det naturlig å tro at flere andre ansatte kan få helt eller delvis innsyn i data som fremkommer gjennom deres bruk av disse tjenestene. Ved å bruke disse profilene, aktivt eller passivt, så vil banken få innsyn i opplysninger til uvitende som kan anses som sensitive personopplysninger.
--
English summary:
A Norwegian bank created 2 falsified "personal" accounts on Facebook, and uses them on Tinder (dating site) to attract new potential customers. Not only is this a violation of EULAs in terms of spoofing & commercial usage, it could also be a gross violation of privacy.
I know these kind of violations happens every day, but I never thought a Norwegian bank could do something this stupid. To top it all off, their head of information says that so far they are very happy with their strategy so far. A bank becoming a scammer. Nice strategy. Now take a look in a mirror, and see what a scammer looks like.
(Full story: google translate the link above).
Friday, January 31, 2014
OCR matching Unicode characters
[Image linked from http://babelstone.blogspot.no/2013/10/whats-new-in-unicode-70.html] |
I wonder if somebody could do OCR matching of all Unicode 6.x characters against each other, with a threshold value to find characters that visually will look pretty much the same to "normal" people.
Purpose: to identify characters I could use to mock password crackers by telling them my password is ᖴᕀⅠ੨Ȝ੫ƼⅥ⑦Ȣ, but there's no way in hell you'll be able to crack it.
(No, don't ask me how I would remember how to type in my passwords.)
That's all.
Tuesday, January 14, 2014
78K and counting!
So far, I have served out 78K+ minutes of viewing time from my YouTube account, through 19K+ views. I am really happy with that. :-)
With 88% males and 12% females watching, I can only speculate why red-headed women seem to have better (longer) passwords on average then men. 146 countries/territories have been watching, even from countries far away like Turkmenistan, Afghanistan, Mongolia, Uganda and South Sudan.
While Windows is the most popular platform for viewing these videos, I'm a bit surprised to see Android in second position, well ahead of Mac, Linux & iOS. But hey, there are viewers out there using Nintendo Wii! :-)
Jens Steube (atom, author of Hashcat), Passwordscon in Las Vegas, July 30-31, 2013.
Katja Malvoni, PasswordsCon in Bergen, December 2013
Jens Steube (atom, author of Hashcat), Passwordscon in Oslo, December, 2012.
Joshua Dustin and Kevin Young, Passwordscon in Las Vegas, July 30-31, 2013.
Jeremi Gsoney, PasswordsCon in Bergen, December 2012.
Congrats Jeremi! :-)
With 88% males and 12% females watching, I can only speculate why red-headed women seem to have better (longer) passwords on average then men. 146 countries/territories have been watching, even from countries far away like Turkmenistan, Afghanistan, Mongolia, Uganda and South Sudan.
While Windows is the most popular platform for viewing these videos, I'm a bit surprised to see Android in second position, well ahead of Mac, Linux & iOS. But hey, there are viewers out there using Nintendo Wii! :-)
So without further ado, here are the TOP 5 PasswordsCon Videos:
Number 5:
Advanced Password Cracking: Hashcat Techniques for the Last 20%Jens Steube (atom, author of Hashcat), Passwordscon in Las Vegas, July 30-31, 2013.
Number 4:
Energy-efficient bcrypt crackingKatja Malvoni, PasswordsCon in Bergen, December 2013
Number 3:
Passwords^12 - Exploiting a SHA-1 weakness in password crackingJens Steube (atom, author of Hashcat), Passwordscon in Oslo, December, 2012.
Number 2:
Password Cracking, From "abc123" to "thereisnofatebutwhatwemake"Joshua Dustin and Kevin Young, Passwordscon in Las Vegas, July 30-31, 2013.
Number 1:
Password Cracking HPCJeremi Gsoney, PasswordsCon in Bergen, December 2012.
Congrats Jeremi! :-)
Monday, November 04, 2013
PasswordsCon Bergen - practical info
Alrighty, less than a month until PasswordsCon in Bergen, Norway!
Just some quick & practical information for those travelling from far away here:Hotels
Most hotels in the city center will represent walking distance (15-30 minutes tops) to our venue.Recommended hotels (preferred order, based on proximity to city center):
Radisson Blu Hotel Norge (absolute city center)
Clarion Collection Hotel No 13 (absolute city center)
Thon Hotel Bristol Bergen
Rica Travel Hotel Bergen
Grand Hotel Terminus (has one of the best Whisky bars in northern Europe)
I recommend looking them up on ww.tripadvisor.com, but do check out their prices directly from their home pages, as that just might give you the best price after all, without all the low price restrictions. All these hotels are very close to each other, making it easier to go out during the evening and find your way back home late at night. :-)
Depending on your arrival (saturday or sunday), I'll be able to show you & others around the city, including a visit to the top of 1 or more of the 7 mountains surrounding the city. Prepare for a bit colder and rainier environment than ... well... wherever. :-)
Subscribe to:
Posts (Atom)