Send nexa mailing list submissions to
nexa@server-nexa.polito.it
To subscribe or unsubscribe via the World Wide Web, visit
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
or, via email, send a message with subject or body 'help' to
nexa-request@server-nexa.polito.it
You can reach the person managing the list at
nexa-owner@server-nexa.polito.it
When replying, please edit your Subject line so it is more specific
than "Re: Contents of nexa digest..."
Today's Topics:
1. How Abusers Are Exploiting Smart Home Devices - VICE
(Alberto Cammozzo)
2. Google chief: I'd disclose smart speakers before guests enter
my home - BBC News (Alberto Cammozzo)
3. Vatican's wearable rosary gets fix for app flaw allowing easy
hacks - CNET (Alberto Cammozzo)
4. The chat where the horror of our adolescents, left alone, reigns
(don Luca Peyron)
5. interesting (Stefano Quintarelli)
6. Re: interesting (Mario Sabatino)
7. Re: interesting (Andrea Trentini)
----------------------------------------------------------------------
Message: 1
Date: Sat, 19 Oct 2019 18:41:06 +0200
From: Alberto Cammozzo <ac+nexa@zeromx.net>
To: Center Nexa <nexa@server-nexa.polito.it>
Subject: [nexa] How Abusers Are Exploiting Smart Home Devices - VICE
Message-ID: <50a399f9-41fc-59cb-f139-128f6f5d19b1@zeromx.net>
Content-Type: text/plain; charset=utf-8
<https://www.vice.com/en_uk/article/d3akpk/smart-home-technology-stalking-harassment>
Ross and Catherine Cairns had been married for 16 years. He was an
electronics expert, she an accountant, and by their early 30s they were
living with their two young daughters in Hale, in Greater Manchester.
The village is one of the wealthiest areas in the UK, home to upmarket
restaurants and Premier League football players.
The Cairns household was fitted out with an ELAN smart home system. The
house’s security alarm, lighting and heating were all controlled
centrally by a tablet mounted on the kitchen wall. With the touch of one
button, the tablet let you turn off the lights and ensure the doors were
locked. Using a smartphone app, you could remotely activate security
cameras or change the music playing through the entertainment system.
Ross was the administrator; Catherine mainly used it to turn lights on
and off.
“Monitoring your home has never been so easy!” declares the ELAN
website. Perfect for parents to keep a distant eye on their kids while
working late, but when used maliciously, also for jealous partners to
spy on their spouses.
Internet-connected devices – wearable trackers, smart TVs,
voice-activated assistants, app-controlled locks and lights and
thermostats – promise a utopia of convenience, a world in which we don’t
need to get out of bed to turn off a ceiling light or fumble for house
keys in the bottom of a bag. But as these devices – the internet of
things, as it’s known – become ever more pervasive, so too does their
use by domestic abusers as tools for surveillance and harassment.
“Perpetrators of domestic abuse like to keep tabs on their partners.
They like to know what you’ve been up to and where you’ve been,” says
Sara Kirkpatrick, Research and Services Development Manager at Respect.
“Being tracked is so much easier than it ever was.”
As of January 2019, domestic violence charity Refuge has documented more
than 2,500 people seeking their support services who have reported
experiences of technology-facilitated abuse.
Ross and Catherine separated in 2016. They remained friendly and the
children spent time with both parents. Ross moved in with his mother in
the neighbouring town of Altrincham, a five-minute drive from Hale.
On August 12, 2017, Ross visited the family home to fix a fish tank.
While he was there, she handed him her mobile, as she also wanted him to
check the security system. “When he was on it, he read messages I had
sent to a man I had been on a date with,” Catherine would later testify
in Manchester Magistrates’ Court. Ross became agitated. He left the
house, then came back inside, crying. “He ran upstairs and got the
wedding rings and said that I wouldn’t need them.”
Catherine told her parents about the incident. Standing in the kitchen
with her mother, she said that she no longer loved Ross. “The next thing
I knew, he was downstairs telling the kids he was moving back in,”
testified Catherine. “He repeated the conversation that I had with my
mum. He said, ‘Oh, you don’t love me anymore.’”
Ross later admitted to accessing the ELAN system remotely through an app
on his iPhone to eavesdrop on conversations. He also hacked into her
Bumble accounts, posting an intimate picture and sending explicit
messages. Catherine switched off the control tablet’s camera function
and asked an IT engineer to change the system password. But even after
this, the system logged more remote connections on October 14 and 15.
“It looks like he was using the system as normal, but hadn't informed
her exactly how it works,” says Bill Hensley, a spokesperson for ELAN.
The password was likely changed for only the security system, he says,
but not for the overriding administrator account. “It doesn't look like
there was a breach.”
“Prosecuting cases involving the use of technology in order to commit
offences present real difficulties,” says Neil White, who was the
prosecutor in the Cairns case. “With offences like harassment, this can
be especially difficult, as there can be issues like shared IP
addresses, or of one party having the technological knowledge, and being
able to abuse it, when the other doesn't.”
In May 2018, Ross was convicted of stalking and harassment. In court, he
claimed that he had accessed ELAN remotely only to switch lights on or
off, or adjust television volume. The stalking conviction was later
quashed on appeal, but the harassment offence was upheld and he was
banned from contacting Catherine for three years.
The Cairns court case marked one of the first convictions involving IoT
technology, says Leonie Tanczer, a gender and IoT researcher at
University College London. The rise of smart devices, she believes,
creates a new arsenal of tools that can be used against people already
at risk of domestic abuse. Tanczer leads a research project on the topic
in collaboration with the London Violence Against Women and Girls
Consortium, comprising 29 organisations.
Discussions with support groups have identified examples such as spying
via smart TVs and security cameras at entrances, tracking location via
GPS-enabled smartwatches, and physical gaslighting – remotely changing
the temperature in a room by meddling with the heating system. Refuge,
which is part of the consortium, has found a rise in women whose kids’
video game consoles have been hacked by perpetrators to trace
information including a child’s location.
[...]
------------------------------
Message: 2
Date: Sat, 19 Oct 2019 18:54:38 +0200
From: Alberto Cammozzo <ac+nexa@zeromx.net>
To: Center Nexa <nexa@server-nexa.polito.it>
Subject: [nexa] Google chief: I'd disclose smart speakers before
guests enter my home - BBC News
Message-ID: <6e0826b4-0054-c262-a1c7-6a00c2df6bab@zeromx.net>
Content-Type: text/plain; charset=utf-8
<https://www.bbc.com/news/technology-50048144>
It's an admission that appears to have caught Google's devices chief by
surprise.
After being challenged as to whether homeowners should tell guests smart
devices - such as a Google Nest speaker or Amazon Echo display - are in
use before they enter the building, he concludes that the answer is
indeed yes.
"Gosh, I haven't thought about this before in quite this way," Rick
Osterloh begins.
"It's quite important for all these technologies to think about all
users... we have to consider all stakeholders that might be in proximity."
And then he commits.
"Does the owner of a home need to disclose to a guest? I would and do
when someone enters into my home, and it's probably something that the
products themselves should try to indicate."
To be fair to Google, it hasn't completely ignored matters of 21st
Century privacy etiquette until now.
As Mr Osterloh points out, its Nest cameras shine an LED light when they
are in record mode, which cannot be overridden.
But the idea of having to run around a home unplugging or at least
restricting the capabilities of all its voice- and camera-equipped kit
if a visitor objects is quite the ask.
[...]
------------------------------
Message: 3
Date: Sat, 19 Oct 2019 19:03:18 +0200
From: Alberto Cammozzo <ac+nexa@zeromx.net>
To: Center Nexa <nexa@server-nexa.polito.it>
Subject: [nexa] Vatican's wearable rosary gets fix for app flaw
allowing easy hacks - CNET
Message-ID: <e27813ee-d98f-1c09-7a1b-30bd642b7a18@zeromx.net>
Content-Type: text/plain; charset=utf-8
What's needed here is an e-Xorcist!
<https://www.cnet.com/news/vaticans-wearable-rosary-gets-fix-for-app-flaw-allowing-easy-hacks/>
The road to internet-connected salvation is paved with cybersecurity
issues. The Vatican discovered that Thursday, after a security
researcher disclosed a severe vulnerability with the "Click to Pray"
eRosary app.
On Wednesday, the Vatican announced its $110 wearable rosary, an
internet of things device that syncs with an app from the Pope's
Worldwide Prayer Network. One advantage of IoT devices is that they open
up a new way for people to interact with resources. With the eRosary,
the Vatican said, people can get different prayers every day, as well as
reminders on when to pray.
The downside of IoT devices is that they're ripe for security issues.
Lawmakers in the US have consistently called out poor security practices
on connected gadgets, warning that they could lead to a flood of
vulnerable devices.
French security researcher Baptiste Robert found a significant flaw in
the Vatican's app within 15 minutes. The vulnerability would have let a
hacker take over a person's account, just by knowing the potential
victim's registered email address.
"This vulnerability is very severe as it allows an attacker to take over
the victim's account and get his personal information," Robert said in a
message.
The Vatican didn't respond to a request for comment. Robert said he
reached out to the Vatican on Wednesday and the security issue has since
been fixed.
The flaw worked because of how the app handled login credentials, Robert
said.
When you register for the "Click to Pray" app, you sign up with an
email, and instead of setting a password, the app sends a PIN code to
your inbox. You log in like this every time.
Before the fix, the app was sending out requests to its server to email
you the four-digit PIN. The issue was that the PIN code itself was also sent
on the network. Anyone analyzing the network traffic could have seen the
response with the PIN sent.
Robert demonstrated this vulnerability with an account we created on the
app. Every time he gained access to the account, the app logged me out,
telling me I was logged in on another device. It also sent an email with
a new PIN code I didn't request.
Once he had access, Robert was able to do anything I could on the
account. He saw what I set as my gender, height, weight and birthday, as
well as the cat photo I used for my avatar. He also deleted my account
and was able to access a second account that I had made right after.
The app logs other personal information as well, like how often someone
prays, and it works as a fitness tracker. The rosary keeps track of how
many steps a person takes throughout the day and distance traveled.
The Android app also asks for access to location data and permissions to
make calls.
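The defect the article describes (the PIN written into the server's response as well as into the email) is easy to reproduce in a toy model. The Python below is an added example written for this digest, not code from the eRosary app or from the researcher; the class name, the in-memory `outbox` standing in for the email channel, the 600-second PIN lifetime and the five-attempt limit are all assumptions. It contrasts a server that echoes the PIN in the response with one that only confirms the PIN was sent, stores a hash of it, expires it, caps guesses (a four-digit PIN has only 10,000 values), and, as the article observed, logs out any earlier session when a new one is created.

```python
import hashlib
import hmac
import json
import secrets
import time


class PinLoginServer:
    """Toy backend for an 'email me a PIN' login flow.

    Hypothetical model built for this digest, not the eRosary app's code.
    leak_pin_in_response=True reproduces the defect the CNET piece describes:
    the PIN is placed in the HTTP response as well as in the email.
    """

    def __init__(self, leak_pin_in_response, pin_ttl_s=600, max_attempts=5):
        self.leak = leak_pin_in_response
        self.pin_ttl_s = pin_ttl_s          # assumed lifetime of a PIN
        self.max_attempts = max_attempts    # assumed guess limit per PIN
        self.pending = {}   # email -> (sha256(pin), expires_at, failed_attempts)
        self.sessions = {}  # email -> current session token (one device at a time)
        self.outbox = []    # stand-in for the email channel: (email, pin)

    def request_pin(self, email, now):
        """Handle 'send me a PIN'. Returns the JSON body the client would receive."""
        pin = f"{secrets.randbelow(10_000):04d}"       # four digits, as in the article
        self.pending[email] = (_digest(pin), now + self.pin_ttl_s, 0)
        self.outbox.append((email, pin))                # the only legitimate channel
        body = {"status": "pin_sent"}
        if self.leak:
            body["pin"] = pin                           # the flaw: the secret goes on the wire
        return body

    def verify_pin(self, email, pin, now):
        """Handle 'here is my PIN'. Issues a session token on success."""
        entry = self.pending.get(email)
        if entry is None:
            return {"status": "no_pending_pin"}
        pin_hash, expires_at, failed = entry
        if now > expires_at or failed >= self.max_attempts:
            del self.pending[email]                     # expired or guessed at too often: discard
            return {"status": "pin_expired"}
        if not hmac.compare_digest(pin_hash, _digest(pin)):
            self.pending[email] = (pin_hash, expires_at, failed + 1)
            return {"status": "wrong_pin"}
        del self.pending[email]                         # a PIN is single use
        token = secrets.token_hex(16)
        self.sessions[email] = token                    # replaces any earlier session: the other device is logged out
        return {"status": "ok", "session": token}


def _digest(pin):
    """Store only a hash, so a database read does not hand out live PINs."""
    return hashlib.sha256(pin.encode()).hexdigest()


def run_demo():
    """Contrast the leaky and fixed servers from a passive observer's point of view."""
    now = time.time()
    email = "subscriber@example.invalid"   # constructed sample address
    leaky = PinLoginServer(leak_pin_in_response=True)
    fixed = PinLoginServer(leak_pin_in_response=False)

    # Serialise the responses exactly as they would cross the network.
    leaky_wire = json.loads(json.dumps(leaky.request_pin(email, now)))
    fixed_wire = json.loads(json.dumps(fixed.request_pin(email, now)))

    results = {
        "leaky_response_contains_pin": "pin" in leaky_wire,
        "fixed_response_contains_pin": "pin" in fixed_wire,
        # Leaky server: the response body alone is enough to log in.
        "leaky_login_from_wire": leaky.verify_pin(email, leaky_wire.get("pin", ""), now)["status"],
        # Fixed server: the response reveals nothing; only the mailbox copy works.
        "fixed_login_from_wire": fixed.verify_pin(email, fixed_wire.get("pin", ""), now)["status"],
        "fixed_login_from_mail": fixed.verify_pin(email, fixed.outbox[-1][1], now)["status"],
    }

    # Guess limit: after five wrong attempts even the real PIN is refused.
    locked = PinLoginServer(leak_pin_in_response=False, max_attempts=5)
    locked.request_pin(email, now)
    for _ in range(5):
        locked.verify_pin(email, "xxxx", now)           # can never equal a digit-only PIN
    results["after_lockout_with_real_pin"] = locked.verify_pin(email, locked.outbox[-1][1], now)["status"]
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Note that TLS does not close this hole: a PIN in the response body is visible to the client device, to any proxy the device trusts, and to anyone who can replay the request. The fix is for the "send PIN" endpoint to return nothing but a confirmation, so the email really is the only channel carrying the secret.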
------------------------------
Message: 4
Date: Sat, 19 Oct 2019 19:22:52 +0200
From: don Luca Peyron <dluca.universitari@gmail.com>
To: Nexa <nexa@server-nexa.polito.it>
Subject: [nexa] The chat where the horror of our adolescents, left alone,
reigns
Message-ID:
<CAGS_u7iAK6eUGXtQNFxUBmomOAxXuCkhfA8eQUEZ1rmazcp11A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Here the e-xorcist is really needed, unfortunately!
Happy reading
dl
https://www.famigliacristiana.it/articolo/la-chat-dove-regna-l-orrore-dei-nostri-adolescenti-lasciati-soli.aspx?fbclid=IwAR0cnK7pFQN3VVNv-C8Am_Ytr-OB9kz-xXfpihSUCvl-gfDG4oJcohaZdSc
*Being online has no educational function.* It can become educational, within
a solid project conceived and sustained by attentive adults. But if those
adults are not there, the online world becomes the Land of Toys, where our
children's choices serve to feed their brains with excitement and strong,
extremely intense sensations.
_________________________
www.universitari.to.it
via XX settembre 83, Torino
tel. 011 5156239
------------------------------
Message: 5
Date: Sat, 19 Oct 2019 19:43:45 +0200
From: Stefano Quintarelli <stefano@quintarelli.it>
To: Nexa <nexa@server-nexa.polito.it>
Subject: [nexa] interesting
Message-ID: <f9730773-335b-ae68-a39c-2455c11097e0@quintarelli.it>
Content-Type: text/plain; charset=utf-8; format=flowed
interesting.
an IMAP client that works as a chat.
https://github.com/open-xchange/ox-coi
(there's an Android version in beta)
who knows what the load on the servers will be.
in practice you use your own email server for the chat
Ciao, s.
--
reserve your meeting with me at http://cal.quintarelli.it
------------------------------
Message: 6
Date: Sat, 19 Oct 2019 20:35:45 +0200
From: Mario Sabatino <sevenofnine@riseup.net>
To: nexa@server-nexa.polito.it, Stefano Quintarelli
<stefano@quintarelli.it>, Nexa <nexa@server-nexa.polito.it>
Subject: Re: [nexa] interesting
Message-ID: <46F36814-A821-43DE-9442-E5366BF8A537@riseup.net>
Content-Type: text/plain; charset="utf-8"
There's also Delta Chat
https://delta.chat/it/
Does anyone know it?
Mario Sabatino
On 19 October 2019 19:43:45 CEST, Stefano Quintarelli <stefano@quintarelli.it> wrote:
>interesting.
>
>an IMAP client that works as a chat.
>https://github.com/open-xchange/ox-coi
>(there's an Android version in beta)
>
>who knows what the load on the servers will be.
>
>in practice you use your own email server for the chat
>
>Ciao, s.
>--
>reserve your meeting with me at http://cal.quintarelli.it
>_______________________________________________
>nexa mailing list
>nexa@server-nexa.polito.it
>https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
--
Mario Sabatino
------------------------------
Message: 7
Date: Sat, 19 Oct 2019 20:50:07 +0200
From: Andrea Trentini <andrea.trentini@unimi.it>
To: Mario Sabatino <sevenofnine@riseup.net>,
nexa@server-nexa.polito.it, Stefano Quintarelli
<stefano@quintarelli.it>
Subject: Re: [nexa] interesting
Message-ID: <4bbc4220-3207-6ce9-3661-a851472430c5@unimi.it>
Content-Type: text/plain; charset=utf-8
On 19/10/2019 20:35, Mario Sabatino wrote:
> There's also Delta Chat
>
> https://delta.chat/it/
>
> Does anyone know it?
I used it for a while to evaluate it, then I moved on to things like tox/riot/etc.
Anyway, I still don't have the definitive solution (to the problem of decentralised messaging).
--
|_|0|_| Andrea Trentini - http://atrent.it
|_|_|0| Dipartimento di Informatica
|0|0|0| Università degli Studi di Milano
------------------------------
Subject: Digest Footer
_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
------------------------------
End of nexa Digest, Vol 126, Issue 30
*************************************