f3mhack

Another super interesting thing I found: https://f3mhack.org

The lack of women, queer and trans persons, and diversity in technological fields in general and hacking more specifically is acute. To change this state of affairs, critical approaches towards technologies and the tech/hacking culture, among others, are needed. Looking at gender issues is admittedly important, but we must compound it with an intersectional analysis to be truly cognisant of existing systems of oppression. An intersectional approach requires all of us to engage with the diversity of cultures, social status, sexual orientations, ethnicities and other power structures that create various forms and levels of inequality (in tech production centers, access, design, usability, hacking potential, etc.) for different individuals.

Moreover, we believe that to have more feminist and post-colonial activists and practitioners at the forefront of the use and development of liberation and (free)dom technologies requires safe spaces to ignite desires!


The FemHack will focus on doing just that: triggering this desire towards feminist and post-colonial approaches to technology that foster differences, autonomy, liberation and social resistance. To start this process of liberating ourselves from patriarchal technologies, we will need to push a bit more the boundaries of technologies.

Besides, let’s not forget that everybody is an expert in relation to the technologies they use in their everyday life. And as we consider gender as one of the most pervasive social technologies ever created, we bet that everybody has a lot to share on this topic too! Join us in creating an international global event for women, queer and trans people, feminist and post-colonial activists to learn, share and connect on technical, theoretical and performative issues with the long-term goal of liberation and autonomy. Join our forces in challenging the systems of oppression we encounter on a day-to-day basis.

We as citizens and communities continue to organize against different systems of oppression be it: the so-called “austerity” measures, financial system bankruptcy, mass surveillance, infringement on privacy rights, governmental and business appetite for our (meta) data, witch hunts to rule our bodies, criminalization of our reproductive rights, etc.

Back to reality: asking random people about feminism


The idea is simple: ask 250 random people from a chatting website their opinion of feminism. In particular, the question was “What do you think of feminism?”.

We ask the question and leave two random strangers to discuss it (without any possibility of intervention from our side).

The results are of course overwhelmingly bad:

  • In 49 discussions the two strangers happily agreed about how much they hate feminism
  • In 45 discussions one of the persons kept attacking feminism (the other one either disconnected, or went into defense/attack mode)
  • In 13 discussions no real answer came out of the question (people didn’t know what feminism is, couldn’t answer the question, or disconnected when they realized that they were both males)
  • In 9 discussions the two persons agreed that feminism is something nice (yay)

Bonus unexpected(?) answers included (too) many islamophobic reactions and of course an anti-Semitic delirium/conspiracy theory:

Notes:

This is of course not really a statistical way to make conclusions about the society we are living in.

The sample was 250 from around 20,000 to 35,000 (i.e., the constantly changing number of people who were online in the website) during different times of the same day.

TRIGGER WARNING: before checking the post, be aware that the dialogs in the pictures below are full of extremely sexist/racist/homophobic/etc. comments.

[On the security and privacy of] messaging tools

Messaging, whether on your computer or your smartphone, is becoming a big deal lately in terms of security and privacy. Whether you are telling a friend about this cool queer movie you saw, or discussing details of a demonstration you are organizing, you might want to do this without making it really easy for organizations or individuals to eavesdrop.

Important notice: There is no (and probably never will be) 100% security/privacy over the Internet. When you want to really privately discuss something with someone, better do it in person and with all the reasonable measures (no phones around, in a trusted (bug-free) environment, etc.).

In the following we will discuss the main requirements that a messaging program should meet, and present the best choices for communicating as securely as possible through the Internet.

First of all you might be wondering what the big deal is, or what exactly is the problem with using the usual stuff (skype, whatsapp, viber, facebook messenger, etc.). There is a plethora of questions that we have to ask, including: is the code of the program open to everyone? Does it use state-of-the-art encryption? Can the provider (e.g., facebook) decrypt your data? Has the tool been audited by an external entity? And much more. But let’s take each one of the important questions and go a bit deeper.

Is the code open?

All programs are made out of code. With respect to this, one can divide programs into open-source (the code is available for everyone to see) and closed-source (the code is private; only the respective company has access to it). It is important to know that when the code is closed, NOBODY can safely state that the program is only doing what it is intended to do. This means that a program could implement spying mechanisms (backdoors) that can be enabled whenever asked (e.g., by the police). Furthermore, when the code is closed, it is hard to assess its quality, especially from a security/privacy perspective.

Encryption and *the key*

When discussing encryption (i.e., whether the data transferred can be “seen” by others or not) it is important to understand two things. The first one is of course the existence of encryption itself. This means that when Judith sends the message “performativity is important” to Silvia, Mikhail, who is eavesdropping on the communication, would not understand anything.

The other one, and the most confusing, is the location in which the cryptographic keys are saved.

The good news

Except for some rare cases (e.g., kik and QQ), most current versions of messaging applications do encrypt their data (yes, even skype or whatsapp).

The bad news

The big question however is not the existence of encryption but rather who owns the decryption keys. This is also the most important security problem of the majority of applications (among others: viber, facebook chat, yahoo messenger, and skype OWN the keys; this basically means that they potentially have access to all your communication data).

Basically, you can think of it as if there are two ways to have encryption: one is that the key is owned by the user (good choice), and the other is that it is owned by the company, or its servers more specifically (bad choice). The first option means that all communications are end-to-end encrypted and the only way to decrypt them is to use a key that is stored on the users’ device.

Recent code audit

Another important criterion is whether the program has been independently tested for security flaws. This means that another entity that is an expert on security has analyzed both the architecture and the implementation of the program for security flaws. This is actually becoming common lately, so a number of programs do meet this requirement.

Other requirements

Many other requirements exist. For instance, the documentation of the system’s design, and the ability to keep past communications secure even when the cryptographic key is stolen. In addition, the ability to verify the identity of the person we are trying to contact (even when the service provider is compromised) is also of great importance.

And the winner is…

Smartphones

TextSecure (android) provides end-to-end encryption, with the keys being saved on the users’ side. The identity of the recipient can be verified, and past communications cannot be read even when the key is stolen. In addition, the code is open to review, the security design is properly documented and there has been a recent code audit. This is basically one of the few apps for smartphones that meets all the requirements! Another alternative that I haven’t tested is ChatSecure (for android and apple).

Computers

By far the best choice is Pidgin along with the off-the-record plugin. I will have a dedicated post on Pidgin and the off-the-record plugin soon, to describe how to install them and what the benefits of using XMPP/Jabber are in contrast to other protocols.

More info

A lot of the information stated here is adapted from the super cool work done by the EFF (Electronic Frontier Foundation); also check here.

This photo reminds me of something [or just a small hint on reverse image searches]

Did you know that you can search using images instead of text?

nice photo right? You wished you could learn more about it?

This is called reverse image search and might be handy in several cases. For instance, when you search for the original creator of a photo, painting, or whatever. In addition, it can also be used to check if the profile of someone contacting you (e.g., through facebook, or a dating site, or whatever you are doing on the Internet :) ) is real or not. On the other hand, it is good to know that someone can also reverse-search an image and get back to you. So keep that in mind whenever uploading photos to the web, especially as the algorithms behind reverse image searching are getting better.

How?

Plenty of ways, as always. The easiest and quite good one is google. Simply navigate to google and go to images; from there you can drag and drop any image and it will search for it. Actually, if you are using firefox, there is even an add-on for this. Simply head to the firefox add-ons website and search for google reverse image.

The next alternative would be TinEye, and it’s pretty straightforward to use too.

Photos, privacy and the weird EXIF data

Did you know that whenever you take a (digital) photo your camera usually saves (in the photo) a bunch of additional private (meta-)data? Most of this can usually be found in the properties of the respective file. An example is shown below:

EXIF data example

This is called EXIF (i.e., Exchangeable image file format; also see http://en.wikipedia.org/wiki/Exchangeable_image_file_format), and can include the exact camera model, date/time information, and in some cases (depending on the camera, or the smartphone in this case) even GPS data (i.e., the exact place where the photo was taken). It is important to remember this whenever we post a photo anywhere on the Internet (whether it’s facebook, well it’s your choice not to do that ;), or a photo from a demonstration on a leftist/anarchist site).

So, how do we remove this?

Windows:

There are plenty of ways, including doing it manually. For instance, on a Windows machine this can be done by opening the properties of the image (also see http://www.makeuseof.com/tag/3-ways-to-remove-exif-metadata-from-photos-and-why-you-might-want-to/) and manually removing everything you can. However, as windows won’t really delete anything, you can also try the plethora of free available tools (just google for “remove exif data”; tools like Easy Exif Delete, etc. should do the trick). Yet you should always manually check the properties of the photo afterwards to be sure.

Linux:

In a linux/debian/ubuntu system this can be easily done through many different tools, e.g., libimage-exiftool-perl or jhead (install them with sudo apt-get install libimage-exiftool-perl and/or sudo apt-get install jhead respectively).

Finally, an alternative way (if you are really picky) is to make a screenshot of the actual photo, save/edit it as you wish, and then (just to be sure) run an exif removal tool again.

 

Penetration testing

Penetration testing is a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats. Basically, this means that you might have a website, that you created manually (or used a CMS, e.g., Joomla, Drupal, etc.), and wonder if it is possible for a hacker to attack it (or in the worst case scenario you already got an attack, e.g., a defacement). Penetration testing is usually quite expensive, even for a company, let alone a political/activist group!

So! I am now offering free penetration testing for political groups’ websites. This excludes blogs (e.g., wordpress, blogspot, etc.) or websites hosted in major companies. In addition, this could take a lot of time (as I do not have so much free time ;)). Nevertheless, if you are interested contact me via the contact form!