Hacker Cultures


The European Association for the Study of Science and Technology held its annual conference in August, and a veritable feast of information it turned out to be (as is their website).

In particular though I would like to point readers towards a podcast series, based upon a panel held during the conference.

The podcast series is called Hacker Cultures. From the website:

This year, Covid-19 turned most conferences virtual, so to combat Zoom-fatigue, we decided to try another format and turn a conference session into a podcast. This series comes to you from the 2020 joint Society for Social Studies of Science/European Association for the Study of Science and Technology conference, titled “Locating and Timing Matters: Significance and agency of STS in emerging worlds” which took place from August 18th-21st. Among hundreds of panels, papers and sessions, the Hacker Cultures panel rounded up all sorts of researchers who study what it is to be a hacker, and what hacking, programming, tinkering and working with computers is all about. The hosts of this podcast are Paula Bialski, who is an Associate Professor at the University of St. Gallen, and Mace Ojala, a lecturer at the IT University of Copenhagen. On-site recording and production was done by Heights Beats at Hotmilk Records. The theme song is titled “Rocky” by Paula & Karol. Funding for the editing of this podcast comes from the University of St. Gallen.

The episodes are in the style of an interview rather than a lecture, easy to follow and really interesting.

What is on Offer?

Episode 1: Morgan G. Ames – Throwback Culture: The Role of Nostalgia in Hacker Worlds
Episode 2: Minna Saariketo & Mareike Gloss – In the grey zone of hacking? Two cases in the political economy of software and the Right to Repair
Episode 3: Annika Richterich – Forget about the learning: On (digital) creativity and expertise in hacker-/makerspaces
Episode 4: Alex Dean Cybulski – Hacker Culture Is Everything You Don’t Get Paid For In the Information Security Industry
Episode 5: Jeremy Grosman – Algorithmic Objects, Algorithmic Practices
Episode 6: Stephane Couture – Hacker Culture and Practices in the Development of Internet Protocols
Episode 7: Ola Michalec – Hacking infrastructures: understanding capabilities of Operational Technology (OT) security workers
Episode 8: Sylvain Besencon – Securing by hacking: maintenance regimes around an end-to-end encryption standard
Episode 9: R. Stuart Geiger & Dorothy Howard – ‘I didn’t sign up for this’: The Invisible Work of Maintaining Free/Open-Source Software Communities

Really entertaining, informative and featuring lots of well known experts, 15 to 20 minutes each, well worth a browse.

Somebody is Watching You (Via TV)

Last week my local Congressman Michael Capuano introduced some important legislation into the House regarding privacy and TV.

Like many of us residing in the US, Capuano was astonished and troubled by the revelations that home TV and telephone operator Verizon was required to give the government lots of data about our telephone use. They provide a daily list of all calls, duration and codes to identify mobile devices so that the government can look for terrorists.

Capuano decided to look further into issues of privacy surrounding this particular operator, and his legislation is a result of his findings.

He found that cable TV companies are developing systems that allow the TV set to watch the viewer. The idea is that a box sits in your house and watches you watch the TV so that advertisers can market their wares better.

The systems will be fitted with face recognition software (see this article for an idea of how far this software has come) so that publicity can be tailor made for the consumer.

So if I am watching something the publicity will be aimed at me, and probably cross referenced with data about my interests, life and Google searches. Fast cars, motorbikes and concert tickets.

If my wife is in the room maybe the publicity will also take her presence into account, and offer her shampoo, a fitness package or the like, or maybe target us both with a cruise or a romantic weekend in the sun for two. If we are sat at opposite ends of the sofa maybe some counselling or a good divorce lawyer, who knows.

I can only imagine that if the watcher is eating a bag of crisps (chips) and drinking a bottle of beer then publicity for pizza and wine would be in order, the right message at the right time if you see what I mean.

What Capuano and his co-sponsor are trying to do is pass legislation that forces producers to build and market a version of their cable interface box without the cameras integrated, and that requires the TV to show the message “I am watching you” when the machine is watching you.

Not too much to ask you might think but in free market led America I await the outcome. Read more about the legislation here.

I was fortunate enough to interview Congressman Capuano for my Bassetti Foundation blog a couple of years ago. We spoke about technology and his responsibility as a politician to society and his electorate. A transcription of the interview is available here.

Just as a sideline the BBC has an article out about hackers taking over webcams to spy on people covertly. Apparently there is a market for access to your computer, although the stated motivations are different and the practice is not legal.

EDITOR NOTE: Don’t forget the post I wrote about keeping Java up to date, Jonny; it mentions webcam hacking too 🙂 – note by Christopher

Kill the Password

This week I would like to draw readers’ attention to an article that appeared in Wired at the end of last year. Written by Mat Honan and entitled Kill the Password: Why a String of Characters Can’t Protect Us Anymore, it makes for really interesting and alarming reading.

The author starts by explaining that he lost all of his digital life last year when his accounts were hacked, an event that led him to investigate online security and how it is breached.

What he discovered is not for the faint hearted. The linking together of different accounts using an email as username means that any seriously interested party with a little time on their hands and very little money can relatively easily get into a single account, and from there into the others.

His conclusion is that the culture of using passwords for security is outdated, a thing of the past and that anyone who tells you otherwise is either deluded or trying to convince you of something that is not true.

[Image: Worst passwords of 2012]

The availability of information is a problem because passwords can be reset by answering personal questions. Mother’s maiden name, place of birth and so on are easy things to find out about anybody through ancestry sites or other documents. Once you have somebody’s email address, you try to reset the password using the personal questions through the provider’s website. The answers might be on Facebook, or on their blog, or maybe intuitive, but they are out there.

Then there is the customer services rep that you speak to by phone. They are people and can be misled. The article contains a transcription of a conversation between a hacker and one of these people. As the user needs to be able to reset the password, they are offered a series of questions that get easier and easier to guess. Names of best friends can be found using Facebook or other social network publications; if not, try favourite food or others. The example given, though, is the name of one of the files in the account. Try Google, Amazon, Personal, one will be right.

So the problem is that the system needs to be flexible and easy enough to use, so we must be able to easily change our passwords, but this makes security impossible.

How can this problem be addressed? Here the trade off is privacy. If the company knows you, through your search histories, places you have been, where you work and what you like to do they might better be able to tell if the password reset-er is you, but you lose any privacy you think you might have.

Voice recognition can be tricked using recordings, and biometrics and fingerprints can be tricked too. Once a system uses these things that cannot be changed or reset, the problem is magnified. If I have a fingerprint lifted from a screen I can use it to get anywhere, and new fingers are hard to come by these days, so what do you use next?

The article poses these problems from the point of view of somebody who has been hacked, but the author also looks at who these hackers are and even meets a couple. It is big business in certain circles, particularly in the Russian speaking world where organized crime has a large stake and makes a lot of money through stealing identities and all that follows. In other circles they are just “kids” having some fun wreaking havoc.

There are a few simple strategies outlined in this (not short) article that are worth following but none are foolproof, and that is a lesson we could all learn from. Just a word of warning, it contains some harsh language.

On a lighter note happy new year to everyone, and my mum’s maiden name was Windsor (no relation to either Barbara or Elizabeth).


Is One-Factor Authentication Really Sufficient?

In the analogue world, we identify ourselves by our national identity card which consists of basic information such as name, address, date of birth, and a unique ID number.

However, this cannot be done in the digital world. Whenever you go online, even your name is not commonly used for identification. What is commonly used is the username and password, and these two are the basic criteria of one-factor authentication.

One-factor authentication is also known as ‘something you know’. Today we have more than one factor when it comes to authentication: a software or hardware device can be used as part of your authentication. This makes up the second factor, known as ‘something you have’. There is also a third factor, still not popularly used, known as ‘something you are’.

The reason for having so many factors in authentication is that one-factor authentication is not sufficient to secure a sensitive transaction. It is vulnerable to the traditional ‘brute-force’ attack, which is still useful today simply because computers are extremely fast and the attack can be run not only on the CPU but also on the GPU.

The other weakness of one-factor authentication is that it is extremely vulnerable to ‘password reuse’ attacks. Not many users change their password frequently or use a different password for each online account. As a result, any username and password that are hacked can possibly be used from time to time on different websites.

So now, do you perform your online banking transactions with just a username and password? Think twice before you put your online banking account at risk.

Even certain two-factor devices are vulnerable to phishing attacks. With the increasing cybercrime rate, we should focus more on our IT security. Online banking users especially should think of their safety if they are still relying on one-factor authentication.

5 Reasons Why Phishing Is Still a Popular Trick

Phishing was already widely used at least half a decade ago, but it remains one of the most popular methods of scamming internet users. Just recently, thousands of Tumblr bloggers were affected by a phishing attack in which credentials such as usernames, passwords, and email addresses were stolen. Many of us might still be wondering why there are so many victims out there even though we have been taught time and again to stay aware of phishing scams. Here are five reasons why phishing is still a popular trick.

#1 – It tricks the victim with fear.

One of the most common methods is to send the victim an email saying that their internet banking account has been compromised and that they need to click on a link to resolve the issue. Once the user follows the link, they are redirected to a forged website that looks similar to the banking website and asks for their username and password. Once that form is submitted, all the data is transmitted to the attacker-controlled server. Users who have a large amount of cash in their bank account will be scared by this mail, and some of them will follow its instructions to avoid having their account compromised.

#2 – It tricks the victim with special interest.

Some scammers use scenarios such as winning a lottery or viewing adult material to tempt the victim into clicking a link that redirects to the phishing site. Just recently, Tumblr bloggers were asked to re-verify their accounts by entering their username and password in order to continue and view adult content. Phishing scams are not always money related; a special interest such as those mentioned can be the lure as well.

[Image: Free Money scam. A typical scam: a persuader is put out, but just as you grip hold of it, the trap snaps shut on you]

#3 – It is not rocket science.

A phishing attack involves creating a forged website, which might be difficult for certain people. However, compared to hacking a banking server, creating a forged website is not that complicated. Therefore many novice or intermediate scammers choose phishing over any other method in their hacking projects. In short, phishing is not mainly about technical skill; it is also about how good the hacker is at luring the victim into a trap.

#4 – It can be launched via many types of communication channel.

Phishing does not only happen by building a forged website and waiting for the victim to come to you. It can also involve sending emails to lure victims to the forged website. Besides that, a phishing scam may manipulate a URL and post it as a comment or on a forum to trick people into visiting the forged website. Apart from using computer knowledge to lure the victim, phishing can also be done via phone calls. In conclusion, this type of scam can be carried out via multiple channels and multiple techniques.

#5 – Compromising one account is not the end.

Stealing one’s credentials is not the end; it can be the beginning. Why is that? Internet users nowadays have many online accounts, for instance Facebook, Twitter, and LinkedIn. Most users commonly use the same username and password for each account so that remembering them is not an issue. Hence, credentials that have been stolen can be used by the scammers for other accounts as well.

In conclusion, phishing may be an old technology but it is not an outdated one. There are still countless internet users who fall for it. For better IT security, we should always stay focused and cautious when using the internet, and pay extra attention when something unusual occurs.
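The forged website and manipulated URL from reasons #1 and #4 can be caught by a simple link check before a user or mail filter trusts a login link. This is an added example, not part of the original post: the trusted domain `examplebank.com`, the sample URLs in the tests and the finding names are constructed, and treating the last two host labels as the registrable domain is a simplifying assumption (a real deployment would use the public suffix list).

```python
import ipaddress
from urllib.parse import urlsplit

TRUSTED = ("examplebank.com",)  # constructed allow-list of real login domains

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str, trusted=TRUSTED) -> list:
    """Return the reasons a link should not be treated as a trusted login page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    on_trusted = any(host == t or host.endswith("." + t) for t in trusted)
    if parts.scheme == "https" and parts.username is None and on_trusted:
        return []
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # Text before "@" is userinfo, not the site the browser connects to.
        findings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode-label")
    # Assumption: the last two labels form the registrable domain.
    registrable = ".".join(labels[-2:])
    for t in trusted:
        if registrable != t and t.split(".")[0] in host:
            findings.append("trusted-name-in-untrusted-host")
        elif 0 < edit_distance(registrable, t) <= 2:
            findings.append("lookalike-domain")
    return findings or ["untrusted-domain"]
```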