Travel Setup 2020

Being on the road regularly comes with a few challenges. The main one is charging all the things, and a lot of tech has changed since 2013 it seems 🙂

My daily driver remains a 13″ MacBook, and I’m pretty happy that most devices have moved from proprietary connectors to mostly USB-C 🎉. I used the Apple USB-C charger for a long time, but it feels wrong to use the notebook as a charging hub for my other devices, and it’s sometimes a bit error-prone. So I looked into a few new chargers to get an easier setup and landed on the Satechi Travel Charger. It gives me 2 USB-C and 2 regular USB-A ports, which is usually enough.

My setup currently:

  • Satechi Travel Charger 75W (2x USB-C and 2x USB-A)
  • USB-C Cables (good ones! – If you go cheap you won’t get far)
  • One of those Multi-USB Cables (USBC, Lightning, Micro-USB)
  • OmniCharge 13 or 20 (I backed those back when there wasn’t a USB-C version). The OmniCharge 20 has a variable DC barrel output, which I used for a while with a Dell barrel-to-USB-C adapter, but after a while that started to fail, so now I’m back to 220V HVDC or AC to charge things. HVDC works with most™ power supplies.

This is it. This bit of kit gives me enough freedom to run on and off grid for quite some time. A bonus of the OmniCharge is that it can be charged from a lot of power sources, so I sometimes hook it up to my solar system to get the batteries replenished.

Angelesen #62

Rushing this one out somehow – a few assorted links. They make me wonder whether WhatsApp should be abandoned completely, even though it is still a very strong ecosystem. But having to convince people to move to another messenger is just another pain in the behind.

Apollo 11 vs USB-C Chargers (forrestheller.com)

The most powerful CPU in the table is from the Anker PowerPort Atom PD 2 (CYPD4225). Compared with the Apollo 11 Guidance Computer it runs at ~48 times the clock speed with 1.8x the program space

Interesting what we get in terms of computing power in these small USB-C power bricks these days.

Boeing 737 Max: New Software Problem Discovered on Grounded Plane (bloomberg.com)

Boeing Co. has discovered a new software problem on the grounded 737 Max, but the company said the flaw won’t set back the goal of returning the plane to service in mid-2020.

It’s still a software project, innit?

Wacom drawing tablets track the name of every application that you open (robertheaton.com)

What requires more explanation is why Wacom think it’s acceptable to record every time I open a new application, including the time, a string that presumably uniquely identifies me, and the application’s name.

What the actual…

Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access (perimeterx.com)

Whatsapp I: …

🎥 “We need to talk!”: What drove the influencers JANAklar and Lisa Sophie into burnout (youtube.com)

Interesting documentary about life as a YouTuber/influencer.

🎥 Wikkelhouse: pick your modular segments & click them together (youtube.com)

Lovely module-based building. The Channel of Kirsten Dirksen has a ton of videos with very interesting buildings and living concepts.

Microsoft Teams has been down this morning (techcrunch.com)

We’ve determined that an authentication certificate has expired, causing users to have issues using the service. We’re developing a fix to apply a new certificate to the service which will remediate impact. Further updates can be found under TM202916 in the admin center.

We’re all cooking with water, it seems.

TeamViewer – WhyNotSecurity (whynotsecurity.com)

TL;DR: TeamViewer stored user passwords encrypted with AES-128-CBC with the key of 0602000000a400005253413100040000 and iv of 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible. If you do not have RDP rights to a machine but TeamViewer is installed, you can use TeamViewer to remote in. TeamViewer also lets you copy data or schedule tasks to run through their Service, which runs as NT AUTHORITY\SYSTEM, so a low privilege user can immediately go to SYSTEM with a .bat file. This was assigned CVE-2019-18988.

Yay!

99 second hand smartphones are transported in a handcart to generate virtual traffic jam (simonweckert.com)

"99 second hand smartphones are transported in a handcart to generate virtual traffic jam in Google Maps. Through this activity, it is possible to turn a green street red, which has an impact in the physical world by navigating cars on another route to avoid being stuck in traffic." #googlemapshacks

Everyone knows it by now, and if not, now you know!

Why Using WhatsApp Is Dangerous (telegra.ph)

Last week it became clear that this backdoor had been exploited to extract private communications and photos of Jeff Bezos – the richest person on the planet – who unfortunately relied on WhatsApp [3]. Since the attack seemed to originate from a foreign government, it is likely that countless other business and government leaders have been targeted [4].

Whatsapp II – the most complete article so far, with tons of additional sources.

Cost of a 51% Attack for Different Cryptocurrencies (crypto51.app)

This is a collection of coins and the theoretical cost of a 51% attack on each network.

51% attacks are getting cheap!

Technical Report of the Bezos Phone Hack (schneier.com)

"The amount of data being transmitted out of Bezos’ phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS’ account, egress on the device immediately jumped by approximately 29,000 percent," it notes. "Forensic artifacts show that in the six (6) months prior to receiving the WhatsApp video, Bezos’ phone had an average of 430KB of egress per day, fairly typical of an iPhone. Within hours of the WhatsApp video, egress jumped to 126MB. The phone maintained an unusually high average of 101MB of egress data per day for months thereafter, including many massive and highly atypical spikes of egress data."

Whatsapp III: interesting details about the WhatsApp hack, based on the egress data.
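The forensic figures quoted above (about 430 KB of egress per day before the video, 126 MB within hours of it, roughly 101 MB per day afterwards) are exactly the kind of thing a simple per-device egress baseline can catch. The following is an added example, not code from the report or from Schneier’s post: it takes a chronological series of daily outbound byte counts, uses the median of the first days as the baseline, and flags every later day whose egress exceeds a chosen multiple of it. The sample series is constructed to mirror the quoted numbers; the window size and the 10x threshold are assumptions you would tune per device class.

```python
"""Egress-baseline anomaly check over per-day outbound byte counts.

Added illustration, not code from the forensic report quoted above.
The sample series below is constructed to mirror the figures in the
quote: roughly 430 KB/day before the video file, then 126 MB on the day
of the file and ~101 MB/day afterwards.
"""
from statistics import median

KB = 1024
MB = 1024 * KB


def baseline(series, window):
    """Median daily egress over the first `window` days (the 'normal' period).

    The median is used rather than the mean so that a single odd day inside
    the baseline window does not drag the baseline up and hide later spikes.
    """
    values = [bytes_out for _, bytes_out in series[:window]]
    return median(values)


def flag_egress_spikes(series, window=6, factor=10.0):
    """Return (day, bytes_out, ratio) for every day after the baseline window
    whose egress is at least `factor` times the baseline median.

    series: list of (day_label, bytes_out) in chronological order.
    window and factor are assumed tuning values, not from the report.
    """
    base = baseline(series, window)
    flagged = []
    for day, bytes_out in series[window:]:
        ratio = bytes_out / base
        if ratio >= factor:
            flagged.append((day, bytes_out, round(ratio, 1)))
    return flagged


# Constructed sample: six "baseline" days, the day the video file arrived,
# and the days after. Values are illustrative, scaled from the quoted averages.
SAMPLE = [
    ("d-6", 410 * KB), ("d-5", 450 * KB), ("d-4", 430 * KB),
    ("d-3", 420 * KB), ("d-2", 440 * KB), ("d-1", 430 * KB),
    ("d0", 126 * MB),    # day the WhatsApp video arrived
    ("d+1", 101 * MB), ("d+2", 95 * MB), ("d+3", 105 * MB),
]

if __name__ == "__main__":
    for day, bytes_out, ratio in flag_egress_spikes(SAMPLE):
        print(f"{day}: {bytes_out / MB:.1f} MB out, {ratio}x baseline")
```

On the constructed series the baseline is 430 KB and every day from d0 onward is flagged, with d0 at roughly 300x baseline; the report's "approximately 29,000 percent" jump is the same order of magnitude. The point a detection engineer takes from the quote is not the absolute numbers but that egress never returned to baseline, so a check like this keeps firing for months rather than once.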

Historic ruling: 6-0 for the climate youth against CS (nzz.ch)

The ruling can be appealed to the next instance. But it is already historic: for the first time since the emergence of the climate movement, a Swiss court has ruled in favour of activists. Given the urgency of the situation, civil disobedience is expressly no longer considered an impermissible means of drawing attention to the climate crisis. The lawyers are therefore probably not exaggerating when they say that the ruling is likely to send a signal and that the day will go down «in the history books of Swiss jurisprudence».

So. much. win!

Angelesen #61

The past weeks I played around with ESPHome and started to migrate all my sensors to it. There was too much “works on just this device” code sitting around. And with Winterkongress coming up soon, a few venue walkthroughs happened during the week as well – let’s say there will be Internet!

ESPHome (esphome.io)

ESPHome is a system to control your ESP8266/ESP32 by simple yet powerful configuration files and control them remotely through Home Automation systems.

Hat tip to Simon for the tip about ESPHome. Getting all my sensors going without heavy coding was a breeze 🙂

hakluke/how-to-exit-vim (github.com)

Apparently there are "easier" ways to get out of Vim!

Preliminary US Emissions Estimates for 2019 (rhg.com)

After a sharp uptick in 2018, we estimate that US greenhouse gas (GHG) emissions fell by 2.1% last year based on preliminary energy and economic data. This decline was due almost entirely to a drop in coal consumption. Coal-fired power generation fell by a record 18% year-on-year to its lowest level since 1975.

Progress!

1,500 scientists lift the lid on reproducibility (nature.com)

More than 70% of researchers have tried and failed to reproduce another scientist’s experiments, and more than half have failed to reproduce their own experiments. Those are some of the telling figures that emerged from Nature’s survey of 1,576 researchers who took a brief online questionnaire on reproducibility in research.

Ouch, that was an interesting read.

A former Egyptian engineer found the secret to building a big Northwest gas-station chain (seattletimes.com)

Said’s formula is simple: He finds locations that are ideally located but poorly maintained, upgrades the equipment and the store, and institutes a spit-and-polish customer-service regimen. Even the handles on the gas pumps get buffed down regularly so that “the customer does not put his hand on something dirty,” he says.

Wow, who would have thought that an issue can be fixed by actually providing a service and adding good customer service ;)?

20 top ideas for European city trips by train in 2020 (travelita.ch)

Actions followed this resolution. In 2019 I did not board a plane for any European travel destination. Instead I tried out all sorts of train routes and broadened my experience with train travel. Among other things, I took the Eurostar under the English Channel to Manchester, travelled with Trenitalia, TGV, Thalys and ICE to Modena, Luxembourg, Antwerp and Hamburg, and took the night train on a weekend trip to Zagreb.

👏 Yeah! Great list of EU destinations that are reachable by train.

China is getting smarter – but at what cost? (bbc.com)

Mr Anderson told an anecdote about a friend who had recently visited a Chinese city.

"He got to his hotel and realised he had left [his phone in a taxi], so the hotel walked him to the police station," he explained.

"The police pulled up the data about the vehicle but didn’t have the traffic cam so they took him to another department a few blocks away, and they were able to track the taxi in real time and called the driver to ask him to bring back the phone.

"Within two hours he had his phone back."

"The taxi driver may have been worried that if he didn’t return it, he was going to get a negative score."

I happened to talk to a group of people lately who had never heard about the SCS (Social Credit System). While such systems exist in some form in most countries, the SCS in China goes far beyond what would be considered legal in the EU.

Hackers hit Norsk Hydro with ransomware. The company responded with transparency (news.microsoft.com)

The entire workforce did their jobs with pen and paper during the attack’s first days. Some plants switched to manual procedures to meet manufacturing orders. Retired employees – familiar with the old paper system – volunteered to return to their plants to keep production rolling.

I’d read early reports of the Norsk Hydro attack, but the write-up shows very interesting parts, like running infrastructure manually with pen, paper and checklists.

Google Cloud Platform (GCP) Security Best Practices (assured.se)

A good GCP security primer to understand the concepts.

Coal power becoming ‘uninsurable’ as firms refuse cover (theguardian.com)

The number of insurers withdrawing cover for coal projects more than doubled this year and for the first time US companies have taken action, leaving Lloyd’s of London and Asian insurers as the “last resort” for fossil fuels, according to a report.

The report, which rates the world’s 35 biggest insurers on their actions on fossil fuels, declares that coal – the biggest single contributor to climate change – “is on the way to becoming uninsurable” as most coal projects cannot be financed, built or operated without insurance.

Also a way to get rid of coal projects – if the "risk" becomes uninsurable. This might be more effective than other ways.

How Ring Went From ‘Shark Tank’ Reject to America’s Scariest Surveillance Company (vice.com)

This amounts to a picture of paralyzing scale: Amazon, one of the three largest publicly-traded companies in the world, owns a company that has been quietly building a privatized surveillance network throughout the United States. This network is only possible because consumers choose to buy the cameras themselves. Why do people make this choice? There are as many answers as there are Ring customers, but there is also one answer that explains everything the company has done: At its core, Ring is a marketing company that realized it could make money by selling fear.

This could be straight out of Orwell’s 1984 or a Black Mirror episode.

Angelesen #60

Happy 2020 folks – a few links that found their way into my bookmarks lately:

Which emoji scissors close (wh0.github.io)

Ah, scissors. They’re important enough that we have an emoji for them. On your device, it appears as ✂️. Unlike the real world tool it represents, the emoji’s job is to convey the idea, especially at small sizes. It doesn’t need to be able to swing or cut things. Nevertheless, let’s judge them on that irrelevant criterion.

Yeah, why would scissors work anyway ;)?

Russia ‘successfully tests’ its unplugged internet (bbc.com)

Russia has successfully tested a country-wide alternative to the global internet, its government has announced.

Well, this had been announced for quite a while, but it’s concerning if other nations start to follow suit.

How to Track POTUS (nytimes.com)

The Times Privacy Project obtained a dataset with more than 50 billion location pings from the phones of more than 12 million people in this country. It was a random sample from 2016 and 2017, but it took only minutes — with assistance from publicly available information — for us to deanonymize location data and track the whereabouts of the President.

Well, nobody saw this coming, right? Right!

Open letter from the Home Secretary – alongside US Attorney General Barr, Secretary of Homeland Security (Acting) McAleenan, and Australian Minister for Home Affairs Dutton – to Mark Zuckerberg (gov.uk)

We are writing to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.

Great… weakening E2E encryption for the greater good… Is this a rerun of the crypto export fight all over again?

Autonomous DeLorean drives sideways to move forward (news.stanford.edu)

“We’re trying to develop automated vehicles that can handle emergency maneuvers or slippery surfaces like ice or snow,” Gerdes said. “We’d like to develop automated vehicles that can use all of the friction between the tire and the road to get the car out of harm’s way. We want the car to be able to avoid any accident that’s avoidable within the laws of physics.”

It’s insane to see an EV DeLorean driving that track without going off the rails!

Fefes Blog (blog.fefe.de)

And – this detail really knocked my socks off – 60% of the energy from this power plant goes back into running the open-pit mine.

Coal? That can go, right?

Privacy Analysis of Tiktok’s App and Website (rufposten.de)

Another nail in TikTok’s privacy coffin…

Nail 1: Tiktok – Surveillance and Criticism
Nail 2: Cheerfulness and Censorship

The “Great Cannon” has been deployed again (cybersecurity.att.com)

These may seem like an odd selection of websites and memes to target, however these meme images appear on the LIHKG forums so the traffic is likely intended to blend in with normal traffic. The URLs are appended to the LIHKG image proxy url (eg; https://na.cx/i/6hxp6x9.gif becomes https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966493) which causes LIHKG to perform the bandwidth and computationally expensive task of taking a remote image, changing its size, then serving it to the user.

The Great Cannon has been deployed before (also covered in the write-up), but it’s interesting how the DoS actually hits the target – basically by invalidating caches and forcing images to be re-rendered.
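The quoted URL shape is what makes the attack visible on the proxy side: each hit carries the upstream image URL plus a `?t=` value that differs per request, so the proxy never serves from cache and re-fetches and resizes the image every time. Below is an added detection example, not code from the AT&T write-up or from LIHKG. It assumes a standard combined-format access log and a proxy path of the form `/<width>/<upstream-url>?t=<number>`, modelled on the example URL in the quote; the log lines are constructed with documentation IP addresses, and the `min_variants` threshold is an assumption.

```python
"""Spot cache-busting floods against an image proxy in access-log lines.

Added example, not code from the AT&T write-up or from LIHKG. It assumes an
nginx/Apache "combined" log format and a proxy path of the form
/<width>/<upstream-url>?t=<number>, modelled on the URL quoted above.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One combined-format log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Proxy path as quoted: /540/https://upstream/image.gif?t=6009966493
PROXY_RE = re.compile(
    r'^/(?P<width>\d+)/(?P<upstream>https?://[^?]+)(?:\?t=(?P<t>\d+))?$'
)


def parse_proxy_request(line):
    """Return client IP, upstream URL, upstream host and the ?t= value of an
    image-proxy request, or None if the line is not a proxy request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PROXY_RE.match(m.group("path"))
    if not p:
        return None
    return {
        "ip": m.group("ip"),
        "upstream": p.group("upstream"),
        "host": urlsplit(p.group("upstream")).hostname,
        "t": p.group("t"),
    }


def find_cache_busting_floods(lines, min_variants=3):
    """Group proxy requests by upstream image and report those fetched with at
    least `min_variants` distinct ?t= values. Each distinct value defeats the
    proxy cache, so the upstream fetch and resize run again; many variants
    from many client IPs is the pattern the write-up describes."""
    variants = defaultdict(set)
    clients = defaultdict(set)
    for line in lines:
        req = parse_proxy_request(line)
        if req is None:
            continue
        clients[req["upstream"]].add(req["ip"])
        if req["t"] is not None:
            variants[req["upstream"]].add(req["t"])
    return {
        upstream: {"variants": len(ts), "clients": len(clients[upstream])}
        for upstream, ts in variants.items()
        if len(ts) >= min_variants
    }


# Constructed sample log (documentation IPs from 203.0.113.0/24): three
# cache-busted hits on one upstream image from three clients, two normal hits
# on another image, and one request that is not a proxy request at all.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2020:10:00:01 +0000] "GET /540/https://na.cx/i/6hxp6x9.gif?t=6009966493 HTTP/1.1" 200 51234',
    '203.0.113.11 - - [01/Jan/2020:10:00:01 +0000] "GET /540/https://na.cx/i/6hxp6x9.gif?t=6009966494 HTTP/1.1" 200 51234',
    '203.0.113.12 - - [01/Jan/2020:10:00:02 +0000] "GET /540/https://na.cx/i/6hxp6x9.gif?t=6009966495 HTTP/1.1" 200 51234',
    '203.0.113.20 - - [01/Jan/2020:10:00:02 +0000] "GET /540/https://example.org/cat.png HTTP/1.1" 200 9876',
    '203.0.113.21 - - [01/Jan/2020:10:00:03 +0000] "GET /540/https://example.org/cat.png HTTP/1.1" 304 0',
    '203.0.113.30 - - [01/Jan/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for upstream, stats in find_cache_busting_floods(SAMPLE_LOG).items():
        print(f"{upstream}: {stats['variants']} cache-busters from {stats['clients']} clients")
```

On the sample, only the `na.cx` image is reported (three distinct `?t=` values from three clients); the `example.org` image is fetched twice without a cache-buster and stays below the threshold. In a real deployment the same grouping gives the mitigation hint from the write-up: a proxy can simply ignore or strip unknown query parameters before computing its cache key, so repeated fetches of one upstream image are served from cache no matter how many `t` values arrive.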

36C3 Recap

Getting back to normal life after congress is always hard, but I went through all the recordings and pulled out a few very good ones I either saw live or in the days after. There were so many talks in parallel that it was very hard to choose. All of this is also available in multiple languages thanks to the volunteers of the c3lingo team!

I also volunteered and got into the Stage Manager Supporter role, which was fun, as I got to see how other stages are managed – but I was also happy to have an easy first shift to learn 🙂

Now to the talks: most of them are available in English and German; only the last one is available in German only. Translations can be found by clicking the cog-wheel – enjoy:

Boeing 737MAX: Automated Crashes 🇺🇸🇬🇧

A lot of background around the 737 Max issues.

What the world can learn from Hongkong 🇺🇸🇬🇧

How protest works in Hongkong.

Reducing Carbon in the Digital Realm 🇺🇸🇬🇧

Digital Products seem always so sleek and “carbon-friendly” but most of the time they aren’t. Chris dives into this topic and sheds light on a lot of aspects I didn’t think about.

The Large Hadron Collider Infrastructure Talk 🇺🇸🇬🇧

If the LHC is among the things you’d like to know more about, that’s the talk!

Bahnmining – Pünktlichkeit ist eine Zier 🇩🇪

David has already given a lot of good talks at the congress. This time he looked into the punctuality of the German railways – Die Bahn – and uncovered a lot of interesting things.

Von 4G zu 5G 🇩🇪

Peter is a regular speaker and usually talks about very interesting aspects of mobile radio networks, as he did at 35C3 on HF issues in the uplink channel. This time he looks into the path from a 4G network to a 5G network.

Let’s play Infokrieg 🇩🇪

Hacking the Media 🇩🇪

The Peng Collective does all sorts of political actions. Civil disobedience at its best!

Hirne Hacken 🇩🇪

Looks like the weakest link in security is: YOU!

Das Mauern muss weg 🇩🇪

How the Informationsfreiheitsgesetz (IFG) / Freedom of Information Act (FOIA) can lead to very interesting behaviour in government, but also to interesting information being published.

Welches Betriebssystem hat der Bundestag und wie kann man es hacken? only 🇩🇪