radiospiel.org

Threema, Privacy, and Open Source

Some Swiss folks are getting seriously rich with Threema right now. Congratulations! I tried it too, you can reach me there, but in the long run it won't do: as long as I am reachable only on the phone (and only on one phone at that), it is at best a stopgap. My messenger has to be able to replace at least the text part of Skype. And why isn't Threema based on Jabber/OTR? THAT has existed for years and works quite well.

But how private is it really? Sure, the guys & gals at threema.ch make a real effort to convey trust. But can anyone verify that? Everyone should be able to look into the apps themselves and, where present (as in this case), into the servers. That is only possible with open source. And which data is actually transmitted? The statement "phone numbers are only transmitted as a hash" may well be true for the ones from the address book; that during registration my own phone number and e-mail address are transmitted, however, worries me.

@Threema: make the thing open source, introduce multi-device options, straighten out the group chat, and I will love you forever. Otherwise: hands off.

E-Plus: Unauthorized Debit From My Prepaid Balance by Net Mobile AG

Update: eplus reacted very quickly and very reasonably, offering a credit for the debit, blocking all "premium" services, and, yes, "unfortunately, we already know Net mobile AG".

To: datenschutz@eplus.de, kundenservice@eplus.de

My customer number: XXXXXXXX

Hello,

yesterday evening, at around 20:30, I opened a link within the Facebook app on my mobile phone (mobile number 0177 XXXXXXXX). This link (http://www.somethingawful.com/d/news/movie-game-review.php) opened briefly, then displayed an "Are you older than 18?" dialog. When I confirmed it, a porn site opened, and at 20:38 I received an SMS from the sender number 1232111 with the text "E-Plus has just charged you 6.99 EUR for the use of the premium service of Net mobile AG. If you have questions, please contact the partner."

I was able to reproduce this process (without the payment) a second time by opening the link in the external browser; attached you will find a screenshot of the paywall on which the URL is at least partially legible.

As an IT specialist and as an E-Plus customer, the following questions arise for me:

  1. This debit is obviously not legitimate; please refund me the amount; but much more importantly
  2. how can a website operator obtain access to my mobile number, which is obviously a prerequisite for initiating such a payment; and
  3. how does E-Plus Service GmbH & Co. KG intend to deal with the obviously illegal conduct of Net mobile AG?

I would be very pleased to receive a reply. You can reach me for questions at any time by e-mail or at the mobile number given above.

Kind regards, …

It's About Time (II)

Sometimes I don’t code, sometimes I am radio-active.

In case you missed it, when it was on air: the episode of the Kulturwelle radioshow I talked about in my last blog post is finally online.

It’s About Time

Sometimes I don’t code, sometimes I am radio-active. I was asked to support a group of students at the Berlin Humboldt University in creating an episode of their Kulturwelle radio show. That episode is all about acceleration of time in modern societies, and yes, you can hear me speaking at ~40 minutes into the show.

Curious? Make sure to tune in to piradio 88.4 MHz at 2013/3/20 8:30pm.

Goodbuy Posterous, Welcome Octopress

Ah yes! One year ago I prepared to move my blog to posterous.com. Just when I was ready to move the DNS name, Twitter announced it acquired that service. Well, this is what I call unlucky timing.

But still: posterous.com has run this blog since then, usually without much hassle. Now it will be gone for good, and I needed a new hosting infrastructure.

However, the departure of the posterous.com web service taught me one thing: I will no longer rely on a web service to host my blog. Remember: this is not the first move; radiospiel.org has lived in many places over the years, and with each change of host some content was lost. (As now: comments are gone, and some timestamps are wrong…)

So: this time I will use a static blog generator: http://octopress.org. After all, static files cannot get lost, right? So, wherever these pages are living in the net: I can just move them to wherever I like.

This time again the comments will be lost. So will the ability to automatically post to Twitter and Facebook whenever I write something, but I will try to add that later. And I can no longer post from a browser. And there is no mobile app.

Can’t have the cake and eat it too…

More Pixels for the Stuff That Matters!

Dear friends,

thank you for flattring the kinopilot iOS application. You might be interested to know that there is a new version in Apple's big validation pipeline, which will finally! finally! support the iPhone 5's native resolution and, even more important, removes all ads from the application. And it was your support that pushed me to build this new version.

So stay tuned, I hope you’ll like the new version as much as you liked the previous one.

Thank you!
/eno aka. @radiospiel

Yes, it is true: flattering actually improves things. Click here to flattr kinopilot. Don't know kinopilot yet? Find out more.

Yesterday: Cringing at the 5 Elephants Coffee Shop

A middle-aged German woman - the kind that has probably voted Green forever - comes through the door, approaches the counter, and says something like (in German): "While I do speak English fine enough, I insist on talking German now." To a barista who does speak German a bit, but English way better (no surprise, she probably being a native US speaker anyway).

Didn't she see how gross and xenophobic (fremdenfeindlich) that is?

If you don't know it yet: 5 Elephant is an American-style coffee bar run by Americans just around my corner. These guys also run a website: http://www.fiveelephant.com, and I can recommend their coffee.

Create a PostgreSQL User and Database

Just a reminder: this is how to create a PostgreSQL user and database (note that typing the password on the psql prompt as below leaves it in ~/.psql_history):

postgres@exs:/root$ sudo su -c psql - postgres 
psql (9.1.4)
Type "help" for help.

postgres=# CREATE USER dontpanic WITH PASSWORD 'PASSWORD';
CREATE ROLE
postgres=# CREATE DATABASE dontpanic;
CREATE DATABASE
postgres=# GRANT ALL PRIVILEGES ON DATABASE dontpanic TO dontpanic;
GRANT
postgres=# \q
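The interactive transcript above works, but it hard-codes the password into a line that ends up in the shell and psql history, and `GRANT ALL PRIVILEGES ON DATABASE` grants less than its name suggests (only CONNECT, CREATE and TEMP on the database object, not privileges on the tables inside it). The following script is an added example, not part of the original post: it builds the same two statements with proper SQL quoting, makes the new role the owner of its database, and reads the password from stdin so it never appears on a command line. The role and database names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit the CREATE ROLE and
# CREATE DATABASE statements for a new application user with proper SQL
# quoting, so that a password containing quotes or spaces cannot break
# out of the string literal. Role and database names are placeholders.

# Quote a SQL string literal: wrap in single quotes, double embedded ones.
sql_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Quote a SQL identifier (role or database name): wrap in double quotes,
# with embedded double quotes doubled.
sql_ident() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Emit the SQL. The role becomes the OWNER of the database, which is what
# an application user usually needs; GRANT ALL PRIVILEGES ON DATABASE only
# covers CONNECT, CREATE and TEMP on the database object itself.
provision_sql() {
    _role=$(sql_ident "$1")
    _db=$(sql_ident "$2")
    _pw=$(sql_literal "$3")
    printf 'CREATE ROLE %s LOGIN PASSWORD %s;\n' "$_role" "$_pw"
    printf 'CREATE DATABASE %s OWNER %s;\n' "$_db" "$_role"
}

# Usage (single-line password on stdin, so it shows up neither in `ps`
# nor in ~/.psql_history):
#   printf '%s' "$APP_PASSWORD" | sh provision.sh dontpanic dontpanic \
#       | sudo -u postgres psql -v ON_ERROR_STOP=1
# With no arguments the script only defines the functions above.
if [ "$#" -eq 2 ]; then
    IFS= read -r _pw_in || true
    provision_sql "$1" "$2" "$_pw_in"
fi
```

Piping the output through `psql -v ON_ERROR_STOP=1` makes the whole thing fail on the first error instead of continuing past a failed CREATE ROLE and then creating a database owned by nobody useful. On PostgreSQL 15 and later the public schema is no longer writable by every role, so owning the database (rather than merely being granted privileges on it) is also what lets the application create its tables.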

Wickr: Secure Mobile Communication?

wickr promises to let you communicate with others in a secure fashion from your phone – and have your messages destroyed after a while. It is free…

…and yet is a ripoff.

There is NO SECURITY to be had on mobile devices. Think about it: you need a strong password to set up strong encryption. Do you enter a 40-character string in Wickr each time you start the app? No, you don't.

That leaves wickr – and in fact any mobile app – with two choices: generate a strong password and store it in an unsafe place, namely on the device, which is probably secured with a 4-digit PIN only. Or ask the user for a (then) weak password and use that, which leaves wickr users with incredibly easy-to-break security.
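To make the "4-digit PIN" point concrete, here is an added example (not from the original post, and not Wickr's code) that plays the attacker against material left on a device: a salt and a key-check tag derived from the user's secret with PBKDF2. The key-derivation parameters, the 4-digit/40-character comparison and the guessing rate are assumptions chosen for the demonstration; a real app would store ciphertext rather than a tag, which gives the attacker the same yes/no oracle.

```python
"""Added example (not from the original post, not Wickr's code): an offline
guessing attack on a key derived from a 4-digit PIN, next to the same attack
budgeted against a long random secret."""
import hashlib
import hmac
import itertools
import os

# Demonstration parameters (assumptions, not any real app's settings).
ITERATIONS = 100      # kept low so the demo finishes in about a second
PIN_DIGITS = 4
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a user secret into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def protect(secret: str) -> dict:
    """What an app leaves on the device: a random salt and a key-check tag.

    A real app stores ciphertext instead of a tag; for the attacker that is
    equivalent, since a wrong key fails authentication either way.
    """
    salt = os.urandom(16)
    key = derive_key(secret, salt)
    tag = hmac.new(key, b"key-check", "sha256").digest()
    return {"salt": salt, "tag": tag}


def bruteforce_pin(stored: dict, digits: int = PIN_DIGITS):
    """Try every numeric PIN against the stored material, fully offline.

    Returns (pin, number_of_guesses), or (None, 10**digits) if nothing matched.
    """
    for guesses, candidate in enumerate(itertools.product("0123456789", repeat=digits), 1):
        pin = "".join(candidate)
        key = derive_key(pin, stored["salt"])
        tag = hmac.new(key, b"key-check", "sha256").digest()
        if hmac.compare_digest(tag, stored["tag"]):
            return pin, guesses
    return None, 10 ** digits


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every secret of the given shape."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    stored = protect("4711")
    pin, guesses = bruteforce_pin(stored)
    print(f"recovered PIN {pin} after {guesses} guesses")
    # Key stretching multiplies both lines by the same factor; it never
    # turns a 10**4 search space into a 62**40 one.
    rate = 1e6  # guesses per second; an assumed figure for a cheap KDF
    print(f"4 digits:        {years_to_exhaust(10, 4, rate):.2e} years")
    print(f"40 random chars: {years_to_exhaust(62, 40, rate):.2e} years")
```

Raising ITERATIONS to a realistic value (hundreds of thousands) slows the loop down proportionally, for the attacker and the user alike, but the whole PIN space is still only ten thousand keys; the 40-character column stays out of reach at any rate.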

And then: self-destructing messages? Ha! This is not how the net works. It is actually quite easy to interfere with internet routing in such a way that messages you send or receive can be intercepted and stored by others. (Note: that doesn't mean they would be immediately readable. But throw in the weak security inherent to mobile devices… well, there goes security.) Meaning: Wickr probably destroys a message's copy on their own servers, on your device and so on; but they can't do anything about other potential copies of the message itself.

To add REAL SECURITY to mobile devices we need a sufficiently secure and yet convenient way to set some kind of secret; something like a PIN, but with many more digits. At this time, no one has anything to offer in that department.

What you get with Wickr is a weak concept with a nice UI; but a weak concept nevertheless. Bad security is actually worse than no security – think about it!

Paypal: A Bunch of Liars

Assume you are living in Europe. Your home currency is EUR. As it so happens in today's global economy, sometimes you stumble upon an online shop outside of Europe that lets you pay only via Paypal.

As a German customer you usually have your checking account and one or more credit cards registered with Paypal. You’ll need the checking account in case you receive money; and the credit card is good for actually paying something, because you still earn loyalty points or so.

This just happened to me: I wanted to checkout items at some New Zealand store. When I went through with the checkout Paypal automatically converted the NZD amount into EUR at a really bad rate: 1.50 vs 1.57 or so – which is a cut of more than 4 percent already! After that they ask me to use my checking account instead of my credit card for the payment, because, so they say, my credit card company would charge me ~3% for international use, and oh are they nice to point that out…

Well, this is a blatant lie: AFAIK CC issuers do not charge extra for international payments, but for non-EUR payments. Which this one isn't any more, since paypal already forced me into a EUR payment. On top of that my credit card company uses a fair exchange rate. And also untrue: my credit card company only charges 0.5% for non-EUR payments; mentioning 3% seems a bit exaggerated.

Instead, I think, paypal prefers to charge my checking account instead of my credit card because that is basically free (~0.5%), while they would have to pay ~2% in costs when I used my credit card.

So paypal chooses to

  • force me into a really bad exchange rate to earn an additional 4% on top of the already 3% or so charge the online shop has to bear,
  • and feed me lies about my CC issuer to save on processing costs.

I think I will never use paypal on a non-EUR transaction again. And if you are running an online store: please consider adding a credit card payment option that does not go through paypal.