The other day the SHZ was on display at the bakery. I bought it, for whatever reason. The headline there: Assaults on women: the night of shame ("Schande") and its consequences. In general, a lot of media are reporting on the events in Cologne as a "Schande".

This choice of words makes one thing above all abundantly clear: how misogynistic the "German public" still is, which is exactly what North Africans and Arabs in particular are currently being accused of. Because "Schande" (shame, disgrace), in the context of the rape of a woman, actually means that she is now a disgrace to her family/village/clan, hence the distinction in naming from "Schändung" (violation).

Of course, the word can also be used in another context: namely, that the current reporting is a disgrace.

Update 2016-01-15:

Mely Kiyak:

There is a lot of discussion these days about contempt for women. The right is particularly loud on this topic. Nationalist-conservative circles in particular take up the feminist struggle whenever it is about playing women's rights off against minority rights. It is always about protecting “the woman” from “the foreigner, Muslim, Black person or Arab”. When it comes to defending women against their own fellow citizens or spouses, the right no longer joins in so eagerly.

(although the article is actually about something else…)

Update 2016-01-13:

A fitting comment on this from the Kietzneurotiker: Here we go, then. Unfortunately.

11 January 2016 | #gesellschaft


Chaum's Unfug

David Chaum and co-authors Javani, Kate, Krasnova, de Ruiter and Sherman have published a new paper called "cMix: Anonymization by High-Performance Scalable Mixing", proposing a new cryptographic mix protocol called "cMix", which he plans to implement with "PrivaTegrity". The system aims to provide anonymity to users while also providing law enforcement the means to both identify users and decrypt their messages.

The relevant (prose) section of the paper reads:

Independent from cMix, PrivaTegrity addresses potential abuse of anonymity services by establishing a trust model that offers a balance of anonymity and accountability. On the one hand, PrivaTegrity aims to provide privacy at a technical level that is not penetrable by nation states. On the other hand, PrivaTegrity aims to provide integrity, both prior restraint and accountability after the fact, that is inescapably tied to individuals. Only if all of the mixing nodes cooperate, can the senders and receivers of messages be linked or identified.

PrivaTegrity implements a new approach to user identification requiring each user to provide a small but different type of identifying information to each mix node. Some nodes may require photos or answers to personal history questions; others may request mobile phone numbers or email addresses. A user reveals comparatively little to any single node, but collectively the nodes possess significant identifying information. Each node can obligate itself contractually to trace and aggregate identifying information only according to a published policy, resulting in accountability and effective identification of users who violate the policy.

I'd say this scheme is Unfug:

  • If some third party is able to identify an "anonymous" user, then the user is not anonymous. It doesn't matter how much effort a third party would have to put into this. If it IS possible, it's not anonymous. Calling it as such is just a lie.
  • If some third party is able to decrypt a message, then the system is not secure. Whether you operate nodes in nine different countries, 190 different countries or even 1 million different planets - if it IS possible, then it's not secure.
  • Also, while something like "accountability" might score high on government wishlists, it has nothing to do with "anonymous communication". This newspeak is only introduced to justify the scheme.
  • The whole concept ignores the problems with multiple jurisdictions. Something may be worth a warrant in one country but not in another. So it will be next to impossible to reach a consensus among all admins in most cases. Of course governments will catch this and demand a simple solution: operate all nodes in friendly jurisdictions (say: only in "five eyes countries").
  • And, last but not least: how can a user know which node runs in which country? What if all nodes are operated by a state company in Turkey? Or what if all nodes are running on the very same system?

So this scheme is nothing other than just another surveillance infrastructure, which is something no cryptographer should ever propose.
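The quoted trust model hinges on the claim that linking needs every mix node, so the sketch below shows what one hold-out node protects and what a single operator of all nodes can do. It is an added example, not code from the paper or from this post: it models each node's secret as a plain permutation of the batch (an assumption that ignores cMix's actual cryptography), and all function names and sample senders are hypothetical.

```python
import random

def make_nodes(n_nodes, batch, seed):
    """Each node's secret: a permutation of the batch slots (constructed data)."""
    rng = random.Random(seed)
    return [rng.sample(range(batch), batch) for _ in range(n_nodes)]

def run_cascade(perms, senders):
    """Pass the batch through every node; node p moves slot i to slot p[i]."""
    batch = list(senders)
    for p in perms:
        out = [None] * len(batch)
        for i, item in enumerate(batch):
            out[p[i]] = item
        batch = out
    return batch

def candidate_senders(perms, cooperating, out_slot, senders):
    """Walk one output slot backwards through the cascade.

    A cooperating node reveals its permutation, so the slot set maps back
    exactly. A node that withholds it could have used any permutation, so
    behind that node every slot is a candidate.
    """
    slots = {out_slot}
    for idx in range(len(perms) - 1, -1, -1):
        if idx in cooperating:
            p = perms[idx]
            inverse = {p[i]: i for i in range(len(p))}
            slots = {inverse[s] for s in slots}
        else:
            slots = set(range(len(senders)))
    return {senders[s] for s in slots}

if __name__ == "__main__":
    senders = ["alice", "bob", "carol", "dave", "erin"]  # constructed sample
    perms = make_nodes(3, len(senders), seed=7)
    delivered = run_cascade(perms, senders)
    # One node refuses: the anonymity set stays the whole batch.
    print(sorted(candidate_senders(perms, {0, 1}, 0, senders)))
    # All nodes cooperate (or share one operator): exact trace.
    print(candidate_senders(perms, {0, 1, 2}, 0, senders), delivered[0])
```

The second call is also the case raised in the last bullet: if every node runs on the same system, the "cooperating" set is complete by construction.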

Wired article. Hackernews Thread


09 January 2016 | #source


Re: The Perl Jam 2 [32c3] ... for the LoLz

Netanel Rubin continues his crusade to eradicate Perl from the planet, at 32C3 this time. I will not respond to the technical details, as others are already doing so.

During his talk Netanel complains about the Perl community, which he assumes is being represented by the people on, responding to his talk last year aggressively, personally and with trolling. Well, this comment will be personal as well and surely offensive.

Let's be clear first: the problems pointed out by Netanel during his second talk are indeed real in a sense. But they are not new, nor are they Perl-specific. At least they have been well known for years (see the gist linked above for more details). The problem I'm seeing with this talk is the tone.

You see, there's criticism and there are rants. Netanel's talk is a rant. And it's not justified. Obviously he REALLY hates Perl. He makes fun of it, he shouts at it, he even insults it. However, we're talking about a fucking programming language, not a human being, or an organisation or the like. This boy stands on the stage and behaves like a five year old shouting at his non-functioning Lego construction: "You Moron!".

My impression of this talk (and thus Netanel) is worse than the last one. It's funny if you don't have a clue but insults the intelligence of the initiated.

Dear Netanel: "Stop using Perl!" is a childish, ridiculous and unrealistic demand. And your "arguments" don't become more valid the louder you shout them. Therefore, let me explain to you what the real world looks like:

There are lots of computers running these days (not counting PCs, notebooks, tablets or phones). The majority of them are not connected to the internet. These are headless servers running unattended most of the time (just to make sure you understand what I'm talking about since you're a Windows user: headless in this context means "no GUI", just a console). Such systems are operated by system administrators, labeled as "DevOps" these days.

Administrators are responsible for lots of systems, hundreds or even thousands of servers. Many such servers are legacy systems running legacy operating systems and legacy software. Sometimes it's not possible to update them, sometimes it's not allowed, sometimes there's no developer for the particular software running on it left in the company. So they keep running. And running, and running, and running.

Administrators are a lazy species. If they ever watch themselves entering the same cascade of commands twice they put them into a shell alias. And if it grows so much that it doesn't fit into an alias, they put it into a shell function. Sometimes such a function grows and grows so much that it doesn't make any sense any more to maintain it as a shell function in .bashrc or something. So, the administrator puts the function into a script.

The script grows further and sometimes reaches a point where it is a pain in the ass to continue to develop it as a shell script. The administrator decides to go to the next level and rewrite the thing with something more powerful and flexible than a shell script. In essence he wants to convert the script from a beast into an elegant lady.

Now, Netanel, remember what I told you earlier about legacy systems. You cannot install node.js on an AIX system of the past decade. You're not allowed to install Go on a mainframe. There's no modern Ruby package for that ancient Sun machine. But there's Perl.

Let me repeat: but there's Perl!

Perl has been part of the base installation of most operating systems of relevance (that is: not Windows, Netanel, sorry) for decades. A well-crafted Perl script can be deployed across dozens of different platforms doing the same simple thing, stable, portable and maintainable. Sometimes Python can be used instead. If all servers have Python. Sometimes even Ruby might be used. But the more heterogeneous a network gets and the more legacy systems it contains, the higher the probability that you will be stuck with Perl.

The reason is simple: Perl itself is a legacy system. It was born out of system administration, designed by system administrators just to make their lives easier. Not necessarily yours, that is.

Of course, since its inception, people have done things with Perl beyond imagination. They even wrote CGI scripts, replaced them with application servers which they then replaced with content management systems. And all those dirty features built into Perl to make administrators happy are still there, waiting to be exploited by kids like yourself.

That's the reason thousands of developers all over the world implemented better systems like Mojolicious, because we already know of those features. Your demo code will not work if you just put a "use strict" in there. And we have been urging people to do so for years. The fact that you don't seem to know it shows how unfamiliar you are with Perl. And the fact that you don't seem to know that flexibility with variables is not in any way specific to Perl shows you never developed anything. Someone in the monk thread (linked above) from last year pointed out that he couldn't find anything you ever developed. This didn't change in 2015: there's still nothing to find made by you. Even your Github account with which you responded to the gist post linked above is fresh and has not a single repository or contribution.

Let me say it bluntly: Don't discuss battle tactics with us unless you bled with us!

03 January 2016 | #source


Quantum Physics and Cosmology [32C3]

03 January 2016 | #gefunden


Apple Security Professionals

This is how "security professionals" sound these days:

[..] modifying the hosts file isn’t super easy. It’s a multistep process that varies depending upon which operating system you are using. Here’s a good overview of how to edit the hosts file on different Mac and Windows systems.

And their "howto" is even wrong.

So sad... 

11 November 2015 | #networking