Wednesday, March 26. 2014
Extract base64-encoded images from CSS
                I recently stepped upon a webpage where I wanted to extract an image. However, after saving the page with my browser I couldn't find any JPG or PNG file. After looking into this, I saw some CSS code that looked like this:
background-image:url("data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgAQAAAABbAUdZAAAAE0lEQVR4AWNgYPj/n4oElU1jAADtvT/BfzVwSgAAAABJRU5ErkJggg==";
What this does is that it embeds a base64 encoded image file into the CSS layout. I found some tools to create such images, but I found none to extract them. It isn't very hard to extract such an image, I wrote a small bash script that will do and that I'd like to share:
Hope this helps others. If this script is copyrightable at all (which I doubt), I hereby release it (like the other content of my blog) as CC0 / Public Domain.
            
            
            
        background-image:url("data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgAQAAAABbAUdZAAAAE0lEQVR4AWNgYPj/n4oElU1jAADtvT/BfzVwSgAAAABJRU5ErkJggg==";
What this does is that it embeds a base64 encoded image file into the CSS layout. I found some tools to create such images, but I found none to extract them. It isn't very hard to extract such an image, I wrote a small bash script that will do and that I'd like to share:
#!/bin/shSave this as css2base64 and pass HTML or CSS files on the command line (e. g. css2base64 test.html test.css).
n=1
for i in `grep -ho "base64,[A-Za-z0-9+/=]*" $@|sed -e "s:base64,::g"`; do
echo $i | base64 -d > file_$n
n=`expr $n + 1`
done
Hope this helps others. If this script is copyrightable at all (which I doubt), I hereby release it (like the other content of my blog) as CC0 / Public Domain.
Thursday, March 6. 2014
Diffie Hellman and TLS with nonsense parameters
                tl;dr A very short key exchange crashes Chromium/Chrome. Other browsers accept parameters for a Diffie Hellman key exchange that are completely nonsense. In combination with recently found TLS problems this could be a security risk.
People who tried to access the webpage https://demo.cmrg.net/ recently with a current version of the Chrome browser or its free pendant Chromium have experienced that it causes a crash in the Browser. On Tuesday this was noted on the oss-security mailing list. The news spread quickly and gave this test page some attention. But the page was originally not set up to crash browsers. According to a thread on LWN.net it was set up in November 2013 to test extremely short parameters for a key exchange with Diffie Hellman. Diffie Hellman can be used in the TLS protocol to establish a connection with perfect forward secrecy.
For a key exchange with Diffie Hellman a server needs two parameters, those are transmitted to the client on a connection attempt: A large prime and a so-called generator. The size of the prime defines the security of the algorithm. Usually, primes with 1024 bit are used today, although this is not very secure. Mostly the Apache web server is responsible for this, because before the very latest version 2.4.7 it was not able to use longer primes for key exchanges.
The test page mentioned above tries a connection with 16 bit - extremely short - and it seems it has caught a serious bug in chromium. We had a look how other browsers handle short or nonsense key exchange parameters.
Mozilla Firefox rejects connections with very short primes like 256 bit or shorter, but connections with 512 and 768 bit were possible. This is completely insecure today. When the Chromium crash is prevented with a patch that is available it has the same behavior. Both browsers use the NSS library that blocks connections with very short primes.
The test with the Internet Explorer was a bit difficult because usually the Microsoft browser doesn't support Diffie Hellman key exchanges. It is only possible if the server certificate uses a DSA key with a length of 1024 bit. DSA keys for TLS connections are extremely rare, most certificate authorities only support RSA keys and certificates with 1024 bit usually aren't issued at all today. But we found that CAcert, a free certificate authority that is not included in mainstream browsers, still allows DSA certificates with 1024 bit. The Internet Explorer allowed only connections with primes of 512 bit or larger. Interestingly, Microsoft's browser also rejects connections with 2048 and 4096 bit. So it seems Microsoft doesn't accept too much security. But in practice this is mostly irrelevant, with common RSA certificates the Internet Explorer only allows key exchange with elliptic curves.
Opera is stricter than other browsers with short primes. Connections below 1024 bit produce a warning and the user is asked if he really wants to connect. Other browsers should probably also reject such short primes. There are no legitimate reasons for a key exchange with less than 1024 bit.
The behavior of Safari on MacOS and Konqueror on Linux was interesting. Both browsers accepted almost any kind of nonsense parameters. Very short primes like 17 were accepted. Even with 15 as a "prime" a connection was possible.
No browser checks if the transmitted prime is really a prime. A test connection with 1024 bit which used a prime parameter that was non-prime was possible with all browsers. The reason is probably that testing a prime is not trivial. To test large primes the Miller-Rabin test is used. It doesn't provide a strict mathematical proof for primality, only a very high probability, but in practice this is good enough. A Miller-Rabin test with 1024 bit is very fast, but with 4096 bit it can take seconds on slow CPUs. For a HTTPS connection an often unacceptable delay.
At first it seems that it is irrelevant if browsers accept insecure parameters for a key exchange. Usually this does not happen. The only way this could happen is a malicious server, but that would mean that the server itself is not trustworthy. The transmitted data is not secure anyway in this case because the server could send it to third parties completely unencrypted.
But in connection with client certificates insecure parameters can be a problem. Some days ago a research team found some possibilities for attacks against the TLS protocol. In these attacks a malicious server could pretend to another server that it has the certificate of a user connecting to the malicious server. The authors of this so-called Triple Handshake attack mention one variant that uses insecure Diffie Hellman parameters. Client certificates are rarely used, so in most scenarios this does not matter. The authors suggest that TLS could use standardized parameters for a Diffie Hellman key exchange. Then a server could check quickly if the parameters are known - and would be sure that they are real primes. Future research may show if insecure parameters matter in other scenarios.
The crash problems in Chromium show that in the past software wasn't very well tested with nonsense parameters in cryptographic protocols. Similar tests for other protocols could reveal further problems.
The mentioned tests for browsers are available at the URL https://dh.tlsfun.de/.
This text is mostly a translation of a German article I wrote for the online magazine Golem.de.
            
            
            People who tried to access the webpage https://demo.cmrg.net/ recently with a current version of the Chrome browser or its free pendant Chromium have experienced that it causes a crash in the Browser. On Tuesday this was noted on the oss-security mailing list. The news spread quickly and gave this test page some attention. But the page was originally not set up to crash browsers. According to a thread on LWN.net it was set up in November 2013 to test extremely short parameters for a key exchange with Diffie Hellman. Diffie Hellman can be used in the TLS protocol to establish a connection with perfect forward secrecy.
For a key exchange with Diffie Hellman a server needs two parameters, those are transmitted to the client on a connection attempt: A large prime and a so-called generator. The size of the prime defines the security of the algorithm. Usually, primes with 1024 bit are used today, although this is not very secure. Mostly the Apache web server is responsible for this, because before the very latest version 2.4.7 it was not able to use longer primes for key exchanges.
The test page mentioned above tries a connection with 16 bit - extremely short - and it seems it has caught a serious bug in chromium. We had a look how other browsers handle short or nonsense key exchange parameters.
Mozilla Firefox rejects connections with very short primes like 256 bit or shorter, but connections with 512 and 768 bit were possible. This is completely insecure today. When the Chromium crash is prevented with a patch that is available it has the same behavior. Both browsers use the NSS library that blocks connections with very short primes.
The test with the Internet Explorer was a bit difficult because usually the Microsoft browser doesn't support Diffie Hellman key exchanges. It is only possible if the server certificate uses a DSA key with a length of 1024 bit. DSA keys for TLS connections are extremely rare, most certificate authorities only support RSA keys and certificates with 1024 bit usually aren't issued at all today. But we found that CAcert, a free certificate authority that is not included in mainstream browsers, still allows DSA certificates with 1024 bit. The Internet Explorer allowed only connections with primes of 512 bit or larger. Interestingly, Microsoft's browser also rejects connections with 2048 and 4096 bit. So it seems Microsoft doesn't accept too much security. But in practice this is mostly irrelevant, with common RSA certificates the Internet Explorer only allows key exchange with elliptic curves.
Opera is stricter than other browsers with short primes. Connections below 1024 bit produce a warning and the user is asked if he really wants to connect. Other browsers should probably also reject such short primes. There are no legitimate reasons for a key exchange with less than 1024 bit.
The behavior of Safari on MacOS and Konqueror on Linux was interesting. Both browsers accepted almost any kind of nonsense parameters. Very short primes like 17 were accepted. Even with 15 as a "prime" a connection was possible.
No browser checks if the transmitted prime is really a prime. A test connection with 1024 bit which used a prime parameter that was non-prime was possible with all browsers. The reason is probably that testing a prime is not trivial. To test large primes the Miller-Rabin test is used. It doesn't provide a strict mathematical proof for primality, only a very high probability, but in practice this is good enough. A Miller-Rabin test with 1024 bit is very fast, but with 4096 bit it can take seconds on slow CPUs. For a HTTPS connection an often unacceptable delay.
At first it seems that it is irrelevant if browsers accept insecure parameters for a key exchange. Usually this does not happen. The only way this could happen is a malicious server, but that would mean that the server itself is not trustworthy. The transmitted data is not secure anyway in this case because the server could send it to third parties completely unencrypted.
But in connection with client certificates insecure parameters can be a problem. Some days ago a research team found some possibilities for attacks against the TLS protocol. In these attacks a malicious server could pretend to another server that it has the certificate of a user connecting to the malicious server. The authors of this so-called Triple Handshake attack mention one variant that uses insecure Diffie Hellman parameters. Client certificates are rarely used, so in most scenarios this does not matter. The authors suggest that TLS could use standardized parameters for a Diffie Hellman key exchange. Then a server could check quickly if the parameters are known - and would be sure that they are real primes. Future research may show if insecure parameters matter in other scenarios.
The crash problems in Chromium show that in the past software wasn't very well tested with nonsense parameters in cryptographic protocols. Similar tests for other protocols could reveal further problems.
The mentioned tests for browsers are available at the URL https://dh.tlsfun.de/.
This text is mostly a translation of a German article I wrote for the online magazine Golem.de.
                Posted by Hanno Böck
                                   in Cryptography, English, Linux, Security                
                                    at
                 19:27
                                                            | Comments (2)
                                    
                                                            | Trackbacks (0)
                                    
                
                
        Defined tags for this entry: chrome, chromium, crash, cryptography, diffiehellman, forwardsecrecy, keyexchange, security, ssl, tls
            Monday, February 3. 2014
Adblock Plus, Werbung und die Zukunft des Journalismus
 tl;dr Journalismus bangt um seine Finanzierung, aber Werbung nervt. Die Aufmerksamkeit für die Ereignisse um Adblock Plus ist völlig übertrieben. Die Idee der Acceptable Ads ist eigentlich vernünftig, die Medien sollten sie selbst aufgreifen.
tl;dr Journalismus bangt um seine Finanzierung, aber Werbung nervt. Die Aufmerksamkeit für die Ereignisse um Adblock Plus ist völlig übertrieben. Die Idee der Acceptable Ads ist eigentlich vernünftig, die Medien sollten sie selbst aufgreifen.In den letzten Tagen macht mal wieder eine Nachricht um den Werbeblocker Adblock Plus die Runde und wird von zahlreichen Medien aufgegriffen. Ich wollte mal meine Meinung dazu aufschreiben, das wird jetzt etwas länger. Vorneweg: Ich fühle mich in gewisser Weise zwischen den Stühlen. Ich verdiene mein Geld überwiegend mit Journalismus, ich kann aber sehr gut nachvollziehen, warum Menschen Adblocker einsetzen.
Die eine Seite: Zukunft des Journalismus
Der Journalismus ist in der Krise, das wissen wir spätestens seit dem Ende von dapd, der Financial Times Deutschland und dem Beinahe-Ende der Frankfurter Rundschau. Viele Menschen machen sich Sorgen um die Zukunft guter Berichterstattung und viele Journalisten machen sich Sorgen um ihren Job. Die Zukunft des Journalismus liegt im Internet, aber es gibt ein Problem: Bisher haben Zeitungen damit Geld verdient, bedrucktes Papier zu verkaufen und dieses Geschäftsmodell erodiert in rapider Geschwindigkeit. Im Internet Geld zu verdienen ist schwer. Es gibt im wesentlichen vier Möglichkeiten, mit Jouranlismus im Netz Geld zu verdienen: Werbung, bezahlte Inhalte, Spenden/Sponsoring und aus Steuern und Gebühren finanzierter Journalismus.
Keine dieser Möglichkeiten funktioniert sonderlich gut. Viele, die gute Inhalte produzieren, haben es verdammt schwer. Viele glauben, dass man die Nutzer nur irgendwann zum Bezahlen von Inhalten „umerziehen“ muss und dann alle ihre Paywalls anschalten, ich halte das aus verschiedenen Gründen für eine Illusion. Von allen Möglichkeiten, Onlinejournalismus zu finanzieren, funktioniert Werbung derzeit am besten. Nicht gut, aber für die meisten besser als alles andere.
Aber das Geschäftsmodell „Werbung“ wird angenagt. Immer mehr Nutzer nutzen Software wie Adblock Plus, ein relativ simpel zu installierendes Browserplugin.
Die andere Seite: Der genervte Nutzer
Wer heute ohne Werbeblocker im Netz surft bekommt den Eindruck die Werbeindustrie hat jedes Maß verloren. Werbung, die Musik abspielt, die wild blinkend um Aufmerksamkeit bettelt, die ihn ausspioniert, die das System auslastet oder die – das kommt immer wieder vor - versucht, Viren auf dem Rechner des Nutzers zu installieren oder ihn auf betrügerische Webangebote weiterleitet.
Die wenigsten installieren sich einen Adblocker leichtfertig. Denn auch das ist nervig und problembehaftet. Ich habe beispielsweise jahrelang ohne Werbeblocker gesurft. Schon lange vor es Adblock Plus überhaupt gab hatte ich mal ein Tool namens Privoxy installiert, es aber nach kurzer Zeit wieder deinstalliert. Jeder Werbeblocker bringt Probleme mit sich: Manche Seiten funktionieren nicht richtig, der Werbeblocker selbst will Speicher und Systemressourcen, kann für Browserabstürze verantwortlich sein und hat möglicherweise Sicherheitslücken. Werbeblocker installiert man sich erst dann, wenn die Nachteile durch Werbung so gravierend sind, dass sie die Nachteile eines Adblockers deutlich aufwiegen.
Diesen Punkt haben wir inzwischen erreicht und er führt dazu, dass gerade auf IT-Webseiten immer mehr Nutzer mit Adblockern unterwegs sind.
Die dritte Seite: Werbung an sich
Es gibt noch eine dritte Perspektive, die hier nicht verschwiegen werden soll und der ich einiges abgewinnen kann: Werbung ist eigentlich – aus gesellschaftlicher Sicht – eine reichlich dumme Angelegenheit. Werbung dient dazu, Menschen zu mehr Konsum zu bewegen. Sie fragt nicht, ob dieser Konsum irgendeinem Zweck dient. Sie bindet unglaubliche Mengen an Ressourcen und menschlicher Kreativität.
Diese Meinung mag nicht jeder im Detail teilen, aber mehr oder weniger denken vermutlich sehr viele Menschen so. Die wenigsten werden sagen: „Werbung ist etwas grundsätzlich tolles und schützenswertes.“ Schützenswert ist vielleicht der von der Werbung finanzierte Journalismus, aber nicht die Werbung selbst. Deswegen hat man auch wenig Hemmungen, Werbung zu blockieren. Man blockiert nichts wertvolles und hat nicht das Gefühl, etwas zu verpassen.
Es ist in gewisser Weise eine Tragik, dass so etwas sinnvolles wie Journalismus (bei aller Kritik im Detail) heute in starkem Maße von so etwas sinnlosem wie Werbung abhängt. Nein, einen einfachen Ausweg habe ich nicht anzubieten. Aber ich denke man muss sich dieses Dilemmas bewusst sein.

mobilegeeks versus Adblock Plus
Eine sehr erfolgreiche Software zum Blocken von Werbung ist das Browserplugin Adblock Plus. Adblock Plus hat vor einiger Zeit ein Programm für sogenannte „akzeptable Werbung“ (Acceptable Ads) eingeführt. Dafür hat Adblock Plus eine Reihe von Regeln, die wenig überraschen. Sie entspricht in vielen Punkten dem, was auch die meisten Nutzer als „akzeptable Werbung“ betrachten würden, etwa das Verbot von Sound in der Werbung oder von Layer Ads. Adblock Plus pflegt eine Whitelist von Seiten, die sie als akzeptabel betrachten und diese werden in der Standardeinstellung nicht blockiert.
Nun nimmt Adblock Plus von manchen Werbebetreibern auch Geld dafür, dass sie vom Werbeblocker ausgenommen werden. Das kann man fragwürdig finden. Der Betreiber der Webseite mobilegeeks Sascha Pallenberg berichtete darüber schon mehrfach, oft in ausgesprochen polemischer Weise („mafiöses Netzwerk“), und hat dabei eine erstaunliche Medienresonanz. Zuletzt berichtete mobilegeeks, dass Google und andere große Unternehmen an Adblock Plus nicht unerhebliche Beträge zahlen, um in die Liste der akzeptablen Werbung aufgenommen zu werden.
Dass eine Software mit Geschäftsmodellen arbeitet, die fragwürdig sind, kommt häufiger vor. Dass einiges von dem, was die Firma hinter Adblock Plus treibt, kritikwürdig ist, will ich nicht bezweifeln. Die gigantische Medienresonanz der Geschichte hat aber einen faden Beigeschmack. Die Süddeutsche, die Welt, die FAZ oder die Neue Züricher Zeitung sind üblicherweise keine Blätter, die besonders ausführlich über Netzthemen berichten oder sich für die Details seltsamer Geschäftsmodelle im Internet interessieren. Die ganze Geschichte wird viel größer gemacht als sie ist.
Der Effekt dürfte bei vielen Nutzern übrigens kaum sein, dass sie künftig ohne Adblocker surfen. Wer Adblock Plus misstraut, wird entweder das Acceptable Ads-Feature abschalten (ist problemlos möglich) oder auf einen alternativen Werbeblocker setzen, der ohne ein solches Feature auskommt (es gibt genügend davon).
Acceptable Ads
Grundsätzlich ist die Idee von Acceptable Ads nicht dumm. Die Medienbranche täte gut daran, die Diskussion darum, was an Werbung akzeptabel ist und was nicht, selbst zu führen. Man könnte sich etwa eine Selbstverpflichtung der Medienbranche ähnlich dem Pressekodex des deutschen Presserats vorstellen. Im Prinzip kommt man immer wieder zu ähnlichen Schlüssen, was akzeptable Werbung ist: Kein Blinken, kein Sound, keine Layer-Ads, kein Flash.

Werbelinks im Text findet Adblock Plus "akzeptabel"
Man kann sich über manche Details sicher streiten. Ob Animationen generell verboten oder im bestimmten Rahmen erlaubt sein sollten etwa, oder ob Flash eine Existenzberechtigung hat. Manche Nutzer finden es spooky, wenn ihnen Werbebanner durchs Netz folgen, andere haben damit kein Problem. Aber es gibt denke ich zwei Punkte bei denen kann man sich nicht streiten: Sicherheit und Systemauslastung.
Adblocker als Schutz vor Malware
Werbung im Netz ist ein Sicherheitsrisiko. Werbeblocker sind eine sinnvolle Maßnahme, die Sicherheit beim Surfen zu erhöhen. Die Situation ist einigermaßen gruselig. Das BSI hat im letzten Jahr zweimal vor Malware in Werbebannern gewarnt. Es ging dabei nicht um die Schmuddelecken des Internets, zahlreiche populäre Webseiten waren betroffen.
Eine beliebte Software zur Verbreitung von Werbung nennt sich OpenX. OpenX hatte in der Vergangenheit immer wieder massive Sicherheitslücken. Im vergangenen Jahr verteilte die offizielle Webseite von OpenX eine gehackte Version mit einer Backdoor. Diese gehackte Version ist extrem verbreitet. Ich betreibe selber Webserver und habe schon mehrere Installationen davon stillgelegt. OpenX wird inzwischen nicht mehr weiterentwickelt, es gibt einen Nachfolger namens Revive, aber http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/ erst im Dezember wurde in Revive eine weitere massive Sicherheitslücke entdeckt.
Das ist nicht akzeptabel. Überhaupt nicht. Ein „wir bemühen uns, dass so etwas nicht vorkommt“ reicht nicht. Dafür kommt es viel zu oft vor. Ich möchte wissen, welche Strategie die Werbebranche hat, so etwas abzustellen. Ich möchte von den werbenden Webseiten, die mich darum bitten, meinen Adblocker abzuschalten, wissen, welche Software ihre Werbepartner einsetzen, denen sie immerhin die Sicherheit ihrer Kunden anvertrauen. Ich möchte wissen, warum noch niemand einen professionellen Audit von Revive organisiert hat oder Bug-Bounties bezahlt. Solange die Branche dieses Problem nicht soweit im Griff hat, dass das Risiko geringer ist als sich durch den Werbeblocker Sicherheitsprobleme einzuhandeln, werde ich weiterhin jedem, der mich um seine Meinung fragt (und das sind in Sachen PC-Sicherheit ein paar) sagen, dass Adblocker eine effektive Maßnahme zu mehr Sicherheit im Netz sind.

Flash-Banner treiben CPU-Last nach oben
Kommen wir zum Thema Systemlast. Werbung benötigt Rechenpower. Nicht ein bisschen, sondern ganz erheblich. Als es zuletzt mal wieder eine Kampagne von verschiedenen Medien mit der Nachricht „schaltet doch bitte Eure Adblocker aus“ gab, habe ich testweise die Seiten der beteiligten Medien mit Firefox und ohne Werbeblocker aufgerufen. Das Ergebnis war beeindruckend. Auf allen Seiten schnellte die Systemlast nach oben, in top (ein Tool unter Linux zum Anzeigen der Systemauslastung) waren abwechselnd Firefox und das Flash-Plugin ganz oben und benötigten über 50 Prozent der CPU-Leistung.
Ich habe dazu nur eine Frage: Wenn ihr schreibt „Bitte schaltet den Adblocker aus“ - meint ihr wirklich, dass sich eure Besucher deswegen einen schnelleren PC kaufen?
(Hinweis am Rande: Ich weiß, dass das Problem mit der CPU-Last unter Linux verstärkt auftritt, weil der Flash-Player für Linux so schlecht ist. Aber nein, das ist keine Entschuldigung.)
Ein Allmendeproblem
Nachdem ich gestern noch eine Weile über die Sache nachgedacht hab, ist mir ein offensichtliches Problem aufgefallen: Einzelne Nachrichtenwebseiten können vermutlich kaum etwas ausrichten. Werbeblocker deinstallieren werden die Nutzer nicht, wenn eine einzelne Webseite aufhört, nervige Werbung zu schalten. Die Nutzer darum zu bitten, ihren Werbeblocker auf einzelnen Webseiten auszuschalten, funktioniert vermutlich nur in sehr begrenztem Umfang.
Deswegen: Wenn einzelne, kleinere Webangebote voranpreschen und besonders nervige Werbeformen ausschließen, ist das löblich, es wird ihnen aber vermutlich wenig gedankt – ein klassisches Allmendeproblem. Das ganze müsste eine Debatte der Branche sein. Ein guter Anfang wäre es, wenn all diejenigen, die zuletzt entsprechende Appelle an ihre Besucher gestartet haben, sich auf eine Art Kodex einigen würden. Da wäre schon ein relevanter Anteil der deutschsprachigen Nachrichtenwelt zusammen.
Datenschutz
Was ich bis jetzt nur am Rande gestreift habe: Das Thema Datenschutz. Nicht weil ich es vergessen habe, sondern weil ich das Gefühl hatte es verkompliziert die ganze Debatte noch enorm. Werbung wird heute fast immer nicht über die jeweilige Seite selbst sondern über externe Vermarkter ausgeliefert. Das bedeutet automatisch: Der Werbevermarkter bekommt nicht nur Aufmerksamkeit, sondern auch Daten. Dazu kommen noch zahlreiche Services, die ausschließlich Daten abgreifen und für den Nutzer komplett unsichtbar sind. Nicht wenige davon sind gerade für journalistische Angebote kaum verzichtbar, etwa die Zählpixel der VG Wort oder die Statistiken der IVW. Das darf aber nicht darüber hinwegtäuschen: Gerade diese Services dürften inzwischen ein enormes Datenmaterial mit großen Missbrauchspotential haben.
Fazit
Werbung ist doof, aber sie wird auf absehbare Zeit ein wichtiges finanzielles Standbein des Journalismus bleiben. Wenn ihr wollt, dass die Leute aufhören, Adblocker einzusetzen: Macht Werbung erträglich. Dann wird die Rate derer, die sich Werbeblocker installieren, ganz von selbst zurückgehen. Ja, das bedeutet Konflikte mit den Werbevermarktern. Ja, ihr müsst denen erklären, dass Flash doof ist und dass ihr es Euren Nutzern nicht zumuten könnt, wegen ihrer Banner neue Rechner zu kaufen. Nein, von dem Werbebetreiber, der letzten Monat einen Virus verbreitet hat, solltet ihr keine Werbebanner schalten. Ja, es kann dazu führen, dass ihr kurzfristig finanziell lukrative Werbung nicht mehr schalten könnt.
Disclaimer / conflict of interest: Ich benutze auf diesem Blog Google Ads. Google scheint die einzige Firma zu sein, die richtig viel Geld mit Werbung verdient und trotzdem in der Regel das tut, was die meisten als akzeptable Werbung ansehen (mit der großen Ausnahme Datenschutz). Außerdem benutze ich Zählpixel der VG Wort und einen flattr-Button. Ich schreibe regelmäßig Texte für die IT-Nachrichtenseite Golem.de, die an einer der jüngsten Kampagnen zum Thema Adblocker beteiligt war.
Bildquellen: Leuchtreklame von Wikimedia Commons (Public Domain), restliche Bilder Screenshots.
                Posted by Hanno Böck
                                   in Computer culture, Politics, Security, Webdesign                
                                    at
                 14:45
                                                            | Comments (0)
                                    
                                                            | Trackback (1)
                                    
                
                
        Defined tags for this entry: acceptableads, adblock, adblockplus, journalismus, mobilegeeks, reklame, werbung
            Thursday, January 23. 2014
BSI-Botnetz mit uralten Daten
                Das Bundesamt für Sicherheit in der Informationstechnik (BSI) macht ja seit vorgestern mächtig Wirbel um einige Zugangsdaten, die sie angeblich aus einem Botnetz haben. Leider informiert das BSI bislang nur sehr spärlich über Details. Ich habe, nachdem die zugehörige Webseite nach einigen Stunden wieder einigermaßen erreichbar war, verschiedene von mir in der Vergangenheit genutzte Mailadressen prüfen lassen. Bei einer Mailadresse eines großen deutschen Freemail-Anbieters, die ich vor langer Zeit als primäre Mailadresse genutzt hatte, schlug der Test an und ich bekam eine der Warnmails (ich dokumentiere die Mail weiter unten). Das ist jetzt aus zwei Gründen interessant:
1. Ich habe diese Mailadresse seit ungefähr zehn Jahren nicht genutzt. Ich habe alle Accounts, die ich aktiv nutze, auf meine aktuelle Mailadresse auf eigener Domain umgestellt. Das bedeutet: Die Daten, die das BSI da hat, sind also - zumindest teilweise - uralt.
Eine Sache, die hier vielleicht spannend ist: Im November letztes Jahr gab es einen größeren Leak von Accountdaten bei Adobe. Da war ein Account mit dieser Mailadresse dabei (fragt mich nicht warum ich irgendwann einen Adobe-Account hatte, wie gesagt, ist mindestens zehn Jahre her). Es ist natürlich reine Spekulation, aber es scheint mir zumindest vorstellbar, dass es sich bei den BSI-Daten schlicht um die selben Daten handelt. Rein zeitlich würde es ins Bild passen. (Update: Mehrere Leute teilten mir mit dass sie vom Adobe-Leak betroffene Mailadressen haben, die das BSI nicht kennt, also Spekulation höchstwahrscheinlich falsch)
2. Ich erhalte hier eigentlich eine völlig nutzlose Warnung und unpraktikable Tipps. Denn was mir das BSI letztendlich mitteilt: Sie haben Zugangsdaten zu irgendeinem Account irgendwo im Zusammenhang mit einer Mailadresse von mir. Oder, um das BSI zu zitieren: "Dieses Konto verwenden Sie möglicherweise bei einem Sozialen Netzwerk, einem Online-Shop, einem E-Mail-Dienst, beim Online-Banking oder einem anderen Internet-Dienst."
Verbunden ist das ganze mit dem kaum umsetzbaren Vorschlag, ich solle doch am besten alle meine Passwörter ändern.
Was ich ja jetzt gern wüsste: Weiß das BSI, um was für einen Account es geht? Und falls ja: Warum teilen sie es mir nicht mit? Ich werde zumindest versuchen, darauf eine Antwort zu erhalten. Laut Bundesdatenschutzgesetz ist das BSI verpflichtet, mir Auskünfte über Daten, die sie über mich gespeichert haben, zu erteilen.
Hier die vollständige Mail, die man vom BSI erhält:
Sehr geehrte Dame, sehr geehrter Herr,
Sie haben diese E-Mail erhalten, weil die E-Mail-Adresse [...] auf der Webseite www.sicherheitstest.bsi.de eingegeben und überprüft wurde.
Die von Ihnen angegebene E-Mail-Adresse [...] wurde zusammen mit dem Kennwort eines mit dieser E-Mail-Adresse verknüpften Online-Kontos von kriminellen Botnetzbetreibern gespeichert. Dieses Konto verwenden Sie möglicherweise bei einem Sozialen Netzwerk, einem Online-Shop, einem E-Mail-Dienst, beim Online-Banking oder einem anderen Internet-Dienst.
Um diesen Missbrauch zukünftig zu verhindern, empfiehlt das BSI die folgenden Schritte:
1. Überprüfen Sie Ihren eigenen Rechner sowie weitere Rechner, mit denen Sie ins Internet gehen, mittels eines gängigen Virenschutzprogramms auf Befall mit Schadsoftware.
2. Ändern Sie alle Passwörter, die Sie zur Anmeldung bei Online-Diensten nutzen.
3. Lesen Sie die weiteren Informationen hierzu unter www.sicherheitstest.bsi.de.
Diese E-Mail ist vom BSI signiert. Wie Sie die Signatur überprüfen können erfahren Sie auch unter www.sicherheitstest.bsi.de.
Mit freundlichen Grüßen
Ihr BSI-Sicherheitstest-Team 
            
            
            
            1. Ich habe diese Mailadresse seit ungefähr zehn Jahren nicht genutzt. Ich habe alle Accounts, die ich aktiv nutze, auf meine aktuelle Mailadresse auf eigener Domain umgestellt. Das bedeutet: Die Daten, die das BSI da hat, sind also - zumindest teilweise - uralt.
Eine Sache, die hier vielleicht spannend ist: Im November letztes Jahr gab es einen größeren Leak von Accountdaten bei Adobe. Da war ein Account mit dieser Mailadresse dabei (fragt mich nicht warum ich irgendwann einen Adobe-Account hatte, wie gesagt, ist mindestens zehn Jahre her). Es ist natürlich reine Spekulation, aber es scheint mir zumindest vorstellbar, dass es sich bei den BSI-Daten schlicht um die selben Daten handelt. Rein zeitlich würde es ins Bild passen. (Update: Mehrere Leute teilten mir mit dass sie vom Adobe-Leak betroffene Mailadressen haben, die das BSI nicht kennt, also Spekulation höchstwahrscheinlich falsch)
2. Ich erhalte hier eigentlich eine völlig nutzlose Warnung und unpraktikable Tipps. Denn was mir das BSI letztendlich mitteilt: Sie haben Zugangsdaten zu irgendeinem Account irgendwo im Zusammenhang mit einer Mailadresse von mir. Oder, um das BSI zu zitieren: "Dieses Konto verwenden Sie möglicherweise bei einem Sozialen Netzwerk, einem Online-Shop, einem E-Mail-Dienst, beim Online-Banking oder einem anderen Internet-Dienst."
Verbunden ist das ganze mit dem kaum umsetzbaren Vorschlag, ich solle doch am besten alle meine Passwörter ändern.
Was ich ja jetzt gern wüsste: Weiß das BSI, um was für einen Account es geht? Und falls ja: Warum teilen sie es mir nicht mit? Ich werde zumindest versuchen, darauf eine Antwort zu erhalten. Laut Bundesdatenschutzgesetz ist das BSI verpflichtet, mir Auskünfte über Daten, die sie über mich gespeichert haben, zu erteilen.
Hier die vollständige Mail, die man vom BSI erhält:
Sehr geehrte Dame, sehr geehrter Herr,
Sie haben diese E-Mail erhalten, weil die E-Mail-Adresse [...] auf der Webseite www.sicherheitstest.bsi.de eingegeben und überprüft wurde.
Die von Ihnen angegebene E-Mail-Adresse [...] wurde zusammen mit dem Kennwort eines mit dieser E-Mail-Adresse verknüpften Online-Kontos von kriminellen Botnetzbetreibern gespeichert. Dieses Konto verwenden Sie möglicherweise bei einem Sozialen Netzwerk, einem Online-Shop, einem E-Mail-Dienst, beim Online-Banking oder einem anderen Internet-Dienst.
Um diesen Missbrauch zukünftig zu verhindern, empfiehlt das BSI die folgenden Schritte:
1. Überprüfen Sie Ihren eigenen Rechner sowie weitere Rechner, mit denen Sie ins Internet gehen, mittels eines gängigen Virenschutzprogramms auf Befall mit Schadsoftware.
2. Ändern Sie alle Passwörter, die Sie zur Anmeldung bei Online-Diensten nutzen.
3. Lesen Sie die weiteren Informationen hierzu unter www.sicherheitstest.bsi.de.
Diese E-Mail ist vom BSI signiert. Wie Sie die Signatur überprüfen können erfahren Sie auch unter www.sicherheitstest.bsi.de.
Mit freundlichen Grüßen
Ihr BSI-Sicherheitstest-Team
                Posted by Hanno Böck
                                   in Computer culture, Security                
                                    at
                 08:38
                                                            | Comments (3)
                                    
                                                            | Trackback (1)
                                    
                
                
        Defined tags for this entry: adobe, botnetz, bsi, leak, password, passwort, security, sicherheit, zugangsdaten
            Saturday, January 18. 2014
Laos, Thailand, Malaysia and back home

These signs in Penang/Malaysia were quite a good symbol for my trip.
I entered Laos from China, but I didn't spend a lot of time in Laos. The main reason was that I was quite frustrated with the weather. It was a comparatively cold winter in southern China and Laos and the buildings there are not really isolated at all and heating usually doesn't exist. While the days were all sunny and nice, the nights were sometimes quite tough. In Laos, usually the only mode of transport are buses and minibuses. I crossed the border at Houay Xai and quickly moved on to Bangkok by bus and train.
Travelling in Laos and Thailand was quite a different experience when compared to Kazakhstan and China. For the first half of my trip, I mostly felt like "the stranger going to places rarely visited by strangers". In China, even at touristy places there were mostly domestic tourists. Laos and Thailand are flooded with western tourists, so I was more like "the western guy going to places everyone else is going". Honestly, I felt much more comfortable with the first role. Malaysia was somewhat in-between. The most important thing I was looking for in this part of Asia was mostly nature and rainforests.

Rainforest in Malaysia.
If you know me, you know that I try to avoid flying. But it was clear that doing this trip without would be close to impossible. So I flew back from Kuala Lumpur in Malaysia earlier this week.
While I've seen a lot and experienced a lot, at the end I was at a point where I really didn't want to continue any more. I have a lot of respect and get inspiration from people people who consider themselves digital nomads, permanent travelers or something alike and I though a lot about that during travelling and in the months before. I'll probably write some more about that at a later point, as I find it quite desirable to organize life in a way to be less dependent on a fixed living spot. But for me, this has limits and I know where they are.
                Posted by Hanno Böck
                                   in English, Life                
                                    at
                 13:02
                                                            | Comment (1)
                                    
                                                            | Trackbacks (0)
                                    
                
                
        Defined tags for this entry: asia, asia2013, kualalumpur, laos, malaysia, rainforest, thailand, travel
            Tuesday, January 7. 2014
Boten - a chinese casino ghost town in Laos

This hotel still takes customers, although there probably aren't many
Right behind the border in Laos is the small town Boten. There's a quite interesting story behind this place. A couple of years ago, this was a place of casinos for chinese gamblers. In China itself casinos are forbidden, so this gained quite some popularity. A couple of luxury Hotels and other facilities for the chinese gamblers emerged. However, some conflicts were arising. The casinos sometimes held chinese gamblers unable to pay their gambling debt as hostages. Chinese authorities were unhappy with this and pressured the laotian authorities to shut the place down, which finally happened in 2011.

In this former hotel only cows sleep these days

A Casino - empty today.
It was definitely one of the more interesting places on my trip.
Pictures from Boten
Saturday, December 21. 2013
Hallstatt in China

Hallstatt in China's Guangdong province
It was a bit tricky to get there. I found only limited information online. The place is near Luoyang, which is part of an area called Boluo, near the town Huizhou. Getting to Huizhou was mostly hassle-free, there are many trains every day from Guangzhou and it takes about two hours. How to come to Luoyang/Boluo is another story. I had two bus numbers I found in some Internet forums, but I couldn't find them at the train station. So either the information was wrong or the buses with that numbers are departing from another place in Huizhou. I also had some GPS coordinates I found online of the copycat Hallstatt, but it turned out later that they were not very accurate.

The entrance
What is interesting to know is that this place isn't primarily a tourist destination. It's a housing development, people are supposed to live here. However, I think nobody lives here yet, because except for the town's center, everything is still in construction. There are a number of similar projects in China. Tianducheng in eastern China, which rebuilts parts of Paris, has gotten quite a lot of media attention lately as an example for the Chinese housing bubble. Almost nobody lives there and it's mostly a ghost town. As the chinese Hallstatt isn't yet ready to house anyone, the future will tell if it'll fall to the same fate.
There were a number of things that made this place weird. The most obvious thing: You usually don't see tropical plants in an austrian town. I have no idea why they had a (fake/nonworking) red, british-style phone booth. Maybe for a chinese Britain isn't that far from Austria after all. Although this place isn't primarily meant as a tourist destination, it certainly attracts a lot of them. It was quite crowded. I haven't seen anyone who looked like being from Austria though.

British style fake phone booth
I'd like to finish with a quick comment. When reading western news commenting about this case and others, they're often quick in condemning this kind of "copycat" culture. I think one needs to be careful with that. The importance of the "original" is something that is deeply rooted in cultural norms and traditions. Sticking to the original is something that's probably more important in European cultures than in China. But I don't think either of them is right or wrong, it's just a different approach to culture. After all, it doesn't hurt anybody if someone is rebuilding Austrian villages in China. Also, there is almost certainly no legal issue at stake here. While it may be debatable if a town's layout can be covered by copyright, Hallstatt is a historic city. So if there is any copyright on it, it's already expired.
Pictures from Luoyang
Pictures from Chinese Hallstatt
Some Links:
Blog entry about Hallstatt / China on thechinachronicle.com
Blog entry about Hallstatt / China on liongrass.hk
Friday, December 13. 2013
Fastest overland route from Europe to China
 The well-known way of getting from Europe to China overland is the transsiberian railway. However, I noted that the route through Kazakhstan I took is the quickest way to get to China by train and bus. I thought I'd write that up:
The well-known way of getting from Europe to China overland is the transsiberian railway. However, I noted that the route through Kazakhstan I took is the quickest way to get to China by train and bus. I thought I'd write that up:- Take train EC 43 from Berlin Hauptbahnhof (09:37 on Monday, Berlin time) to Warsaw Wschodnia, change to train D 10SZ (15:28). If you - like me - feel that the time to switch trains is a bit risky in case of delaqys, you can take the earlier Beriln-Warsaw-train EC 41 (06:37 until 12:08). There's also a direct Berlin-Moscow-train D 50472 (Berlin 04:28, Moskwa Belorusskaja 10:33), but it's often sold out early.
- Spend some time in Moscow and then take the Metro Line 5 (Circular Line) to Komsol'skaya (Metro of Kazasky railway station)
- Take train 090У from Moscow Kazansky (18:48 on Tuesday, Moscow time) to Petropavl/Petropavlovsk in Kazakhstan (09:46 on Thursday, Astana/Almaty time). Note that this only works every second Tuesday - you may choose other days where this train goes, but then other options may not work.
- Take train 152T from Petropavl (13:48 on Thursday, Astana/Almaty time) to Almaty (22:28 on Friday, Astana/Almaty time).
- Take bus number 100 to Sayran bus station and hope that they'll sell you a ticket late in the evening for the bus next morning. Find a place to sleep (but not very long).
- Take bus from Astana Sayran bus station (07:00 on Friday, Astana/Almaty time) to Yining (approx. 21:00 on Friday, Beijing time). You're in China.
With the transsiberian, you can leave Berlin on Monday (same options as above until Moscow) and take the D4ZJ direct train from Moscow to Beijing. You will enter China in Erlian on the next Monday at 00:47. So this makes almost 7 days vs. about 4 and a half days.
I wouldn't recommend anyone doing that. Better spend some time on the way and see some places in Russia or Kazakhstan. Also it should be noted that one obvious reason for being faster is that you'll enter China at a place much further in the west. And getting to the main part of china (the western part is much less inhabited than the eastern part and all big cities are in the east) can be somewhat troublesome. Still, I thought it might be of interest to document the fastest overland way from Europe to China.
I always assumed the starting point Berlin, obviously because I live there, adapting that to other starting places should be trivial. For example you can usually easily (and for a comparatively cheap price) reach Berlin by Eurolines bus in a day from other major european cities like Paris or London.
Saturday, December 7. 2013
Xi'an, capsule hostel, chinese pyramids and more

The great pyramid of China (I admin it doesn't look that spectacular and pyramid-like)
Between Dunhuang and Lanzhou, I took what is called the "hard seat" class for a 14 hour ride (not overnight). I can quote Wikivoyage on that:
"Traveling in a seat (hard or soft-class) means you will share the car space with lots of locals. You will most likely encounter smokers, loud noise, and constant activity in the aisle while you try to sleep. *Do not* travel hard class if you are uncomfortable with these settings."
While I certainly was an interesting experience, it is not exactly one I'd like to repeat. It was challenging and I was quite happy when I finally arrived.
With my arrival in Xi'an, finally I noticed that I approach the warmer zones of China. While not really "summer-warm", I apprechiated not having to wear winter clothes all the time. Appart from that, Xi'an was quite different from the other cities I've visited before. It is in many small ways much more like a western city (and, to be not mistaken, in many ways this is a good thing - better hygiene, less dangerous traffic, no smoking in non-smoking zones). And regarding my last blog post, yes, coffee is usually available, although often expensive.
Xi'an is also home of one of Chinas most popular tourist attractions, the so-called terracotta warriors and - not that well known - the Chinese pyramids. I didn't know that there are pyramids in China, so found that worth seeing. Unlike pyramids in other places of the world, the chinese pyramids are not buildings, they are artificial hills. The biggest one, near the terracotta warriors, is the mausoleum of Chinas first emperor Qin Shi Huang.
My initial plan was to visit the pyramid and then decide if I still had time and motivation to see the terracotta warriors. I took the bus to the terracotta warriors and walked the roughly two kilometers to the pyramid. Turned out my planning was not really how one was supposed to do things. Going to the pyramid is only possible with an entrance ticket for the terracotta warrior museum - and you cannot buy it at the entrance of the pyramid area. There's a free shuttle service which I then took to get the ticket and drive back.
The pyramid doesn't look that spectacular and there's hardly a spot where you can actually see it's a pyramid. It once was much bigger, but during the centuries, the earth got compressed and it became smaller. I walked around a lot, the area around is a nice park.
As it is common amongst tourist destinations probably everywhere in the world, there is a huge amount of people who want to sell you things - from terracotta warrior replica in all sizes (including ones in original size and made mostly out of the same materials than the original ones) to the various tour guides. I refused all these offers and preferred to find my own way. One more thing notable: This isn't mainly a tourist spot for foreign tourist. The vast majority were domestic tourists.

Capsule Hotel in Xi'an
While writing this, I'm in the highspeed train from Xi'an to Guangzhou (taking only 8 hours). I've been to Guangzhou before, and I'm not going there not mainly because I want to see something there. I have a double-entry 2 x 30 days visa and from Guangzhou, I intend to make a quick hop to Hong Kong. Although part of China, in visa issues Hong Kong is like going to another country. So by going to Hong Kong, I have another 30 days to spend in China. Arriving in Guangzhou, I can also finally leave any traces of the northern hemisphere winter behind myself. It has comfortable temperatures all year round.
Pictures from Xian
Pictures from Guangzhou
                Posted by Hanno Böck
                                   in English, Life                
                                    at
                 04:06
                                                            | Comments (0)
                                    
                                                            | Trackbacks (0)
                                    
                
                
        Defined tags for this entry: asia, asia2013, capsulehotel, china, pyramid, terracottawarriors, train, xian
            Monday, December 2. 2013
No coffee in northwest China

Costa Coffee is expanding to Asia - this one's in Astana
When travelling, I usually have my own coffee making equipment, which consists of a couple of coffee filters, a collapsable filter holder, some coffee powder and some coffee creamer powder (which doesn't make a very delicious coffee and I prefer real milk or soy milk if possible, but it's a reasonable compromise when travelling).
I was running out of coffee powder shortly after I entered China. I really hadn't expected that it would be a problem. After all, the biggest international coffee chains, Starbucks and Costa Coffee, are flooding eastern and southern China with their restaurants and Chinese chains and independent coffee houses are trying to keep up with that. Well, the problem is that I entered China in the far northwest. And the Chinese love for coffee hasn't made it there yet.
I could hardly believe this, but between Yining and Dunhuang, I didn't find any coffee. None at all. Not in the form of coffee powder and not in brewed form. Yeah, supermarkets have a large collection of soluble instant coffee, most of it Nescafe and also some Chinese brands. But I refuse to call that stuff coffee. Most of it contains more sugar than anything else. When you get coffee in restaurants at all, you can bet it's also instant coffee. I checked where the next Starbucks is: In Xi'an, thousands of kilometers away. I checked for the next Costa Coffee: Also in Xi'an. (I'm on my way to Xi'an now - no, not just because of the coffee, it was my plan anyway.)
After all, I bought some non-sugared instant coffee. No, I wasn't happy with it, but it seemed it was the best I could get.
Lesson learned: There's just no coffee in northwest China.
Saturday, November 30. 2013
Through Western China and no train tickets from Urumqi

Train station in Yining
I took the train from Yining to Urumqi. My original plan was to move along quite fast and directly take the next train to Xi'an. But that didn't really work. I had to find out that all train tickets for the upcoming days to every location east of Urumqi were sold out. This was kind of a déjà vu. Last time I was in China I had the plan to travel this way in the other direction - and no tickets were available. Reading local news, this situation might improve 2014, when a new highspeed train line opens between Urumqi and Lanzhou. I didn't want to wait that long though.
However, this time I knew that there are alternatives - by taking the bus. I took a bus to the town Dunhuang, which is about 1,000 kilometers east of Urumqi.

Bus times in Urumqi
The bus trip through the Xinjiang desert passed a lot of wind turbines. While China is often portrayed as the environmental bad guy, one shouldn't fail to recognize that it's also the world leader in building renewable energies. However, the many Xinjiang wind turbine fields also told the other not so green side of the Chinese renewable boom: Many of the turbines were just standing still. The most likely reason: China is building up wind power faster than it's caring for grid integration. I'm used to that look in Germany - wind power there is also often downregulated, because grid integration is not keeping up with the installation of new wind energy. But it was quite obvious that this problem is far bigger here in China's desert.

Wind energy in Xinjiang
Tomorrow I'll take the train to Lanzhou.
Pictures from Yining
Pictures from Dunhuang
Pictures from wind power turbines in the Xinjiang province
Pictures from Lanzhou
Tuesday, November 26. 2013
By Bus from Almaty/Kazakhstan to Yining/China

Our bus
I read at some places about a different possibility: A bus service from Almaty to Yining (伊宁 which, to make things complicated, has also a kazakh/uighur name - Kulja / Құлжа / قۇلجا - which, to make things even more complicated, can be written in many different ways using latin characters, cyrillic characters or arabic characters). The information was quite scarce. I basically only had a few forum entries mentioning it, so all the information I had seemed quite unreliable. And even the guy from the hostel where I stayed didn't know more.
I could find out that there's an international bus station in Almaty called Sayran (сайран). It is located somewhat outside the city and can be reached with bus number 100 from the Almaty 2 train station. I went there on Thursday and - although without language communication possible - could tell them what I wanted. They wrote me down a date and time for the next bus: Saturday at seven in the morning. Sadly, I didn't find out how often this bus goes. Saturday was fine for me so I bought my ticket for the bus.

Beds and most people sitting on the floor
We spend about an hour at a restaurant in the middle of the desert and also some time at the border. I was a bit worried about the border crossing, because recently there have been some conflicts in the Xinjiang province, which is the chinese province you enter when coming from Kazakhstan. But at the border everything was fine, except that my border crossing took a bit longer than the others.
Right behind the border a lot of people were trying to offer money exchange. I didn't do that, because at such points you usually don't get the best exchange rates, which later turned out to be a mistake. It seems not exactly easy to change Tenge into Renminbi in Yining and as I'm writing this, I still have some Kazakh money with me after having tried to exchange it in three different banks in Yining.

Lunch break in the desert - this really felt like being in the middle of nowhere
Hopefully this information will provide other travellers some help when they try to take this bus. To recap the important information:
- Bus from Almaty to Yining starts at Sayran bus station (reachable via local bus 100 from Almaty 2 train station).
- Runs at 07:00 a.m. on unknown weekdays, but due to my experiences probably on fridays and not on thursdays (If you have any info on that, e. g. a link to the bus company, please add it in the comments).
- Costs 4600 Tenge (thats about 21 € or 30 US$).
- Takes about 12 hours.
- Crosses border to China at Khorgas (霍尔果斯 in mandarin chinese, قورعاس in uighur, Хоргос in russian and Қорғас in kazakh language).
Pictures from bus trip
Saturday, November 23. 2013
Almaty and the little Alps
 After Astana I went on to Almaty, which is the former capital of Kazakhstan. As I already wrote my previous two stops (Petropavl and Astana) were sharp contrasts, Almaty again was a completely different place. While also relatively expensive, it doesn't have the kind of "artificial" feeling that is present in Astana.
After Astana I went on to Almaty, which is the former capital of Kazakhstan. As I already wrote my previous two stops (Petropavl and Astana) were sharp contrasts, Almaty again was a completely different place. While also relatively expensive, it doesn't have the kind of "artificial" feeling that is present in Astana.I spend two days here. Almaty has some mountains surrounding it. There are two hilltops that one can reach via cable car. One is Koktobe, which has something like a small amusement park on the top. But due to lots of snow, most things there were closed. For the free software fans upon my readers: I saw an arcade machine with Tuxracer there. Never seen Tuxracer in an arcade machien before (however, I have seen an arcade machine with the free software game Stepmania on my last trip).
The other cable car starts near the ice skating stadium Medeo (which can be reached via public bus line 6) and goes to the ski ressort Shymbulak. The ski resort was closed and sadly, this meant that also the second cable car, which could bring one even more up the hills, was also closed. Still I had some stunning views on the mountains. In the gondola, I talked to a local who spoke a bit of English. He said they call it the "little Alps". I found that quite described it well. It really looked like you were in Austria or Switzerland. To make this impression complete, the cable car was even built in Switzerland.
Pictures from Almaty
Friday, November 22. 2013
Astana - the Dubai of Kazakhstan

Baiterek from the West ...
I am glad that I've been both in an I assume average Kazakh city like Petropavl and the capital Astana. The contrast was pretty extreme. It wasn't like going to another city in the same country, it felt more like going to another world. Petropavl looked more or less like many post-soviet cities I've been before. Often a bit shabby, with waste laying around, broken or non-existent sidewalks and alike.
Astana is quite the opposite. Nothing here is old, large parts of Astana were build within the last two decades. Dirt or waste in the streets was almost zero and the traffic seems pretty civilized. Until 1997, Almaty was the capital of Kazakhstan, due to some complicated political compromises, it was moved to Astana and there began the growth of this boom town.

... and from the East
One thing that's notably missing in Astana: It has only a very limited public transport system. There's no metro, no tram and no trolleybusses. Normal busses are the only way to get around. In the evening, they are so crowded that it can be a pain to use them. Also, it's a bit tricky to find out which busses you want to take. Bus stations have sometimes maps with bus lines, but they don't show all bus lines, only the ones starting at exactly that bus stop. I didn't see any complete bus map anywhere offilne or online. I've pictured a bus map (and another one) which features some of the more important lines linking the city center with the train station, maybe this is of some help for other travellers.

Astana Bus map
I originally planned to stay until saturday and take the train to China from Astana, but I found that the options of exploring the city were quite limited. You pretty quickly get around having seen all of its sights and there doesn't seem much around worth visiting. So I went on to Almaty.
A quick overview of things one can do and i did in Astana:
- Go on Baiterek tower: Not too expensive and nice view on the city with signs of distances to other relevant cities (e. g. Beijing 3656 km, Moscow 2280 km, Helsinki 3020 km).
- Ocenarium in the Duman entertainment center: Not that cheap, but nice and quite relaxing atmosphere. Biggest attraction are two large tunnels under a big aquarium, so you can watch the fishes from below.
- Pyramid (Palace of Peace and Reconciliation): Pyramid formed building containing an opera, conference centers and more. Not really worth visiting, it was mostly boring. I was the only english speaking person at that time, which didn't stop them from giving me a guided tour through the building.
- Khan Shatyry: Mostly a shopping center (so not thatwah interesting, except for the fact that it's a tent-like architecture). The upper floor contains a mix of an amusement park and an arcade hall. I saw a lot of those entertainment complexes, most other shopping centers in Astana have something alike. Also, there's a "Beach Club", which is a very expensive swimming bath.
- Watch unusual architecture: All over the city center.
Pictures from Astana
                Posted by Hanno Böck
                                   in English, Life                
                                    at
                 13:36
                                                            | Comments (0)
                                    
                                                            | Trackbacks (0)
                                    
                
                
        Defined tags for this entry: architecture, asia2013, astana, baiterek, kazakhstan, khanshatyry, petropavl, travel
            Thursday, November 21. 2013
Visa Registration in Kazakhstan
                When I crossed the border to Kazakhstan I was told that I had to register my visa within 5 days. I read about that before, but I thought I had read somewhere that this wasn't necessary for EU citizens, so I was a bit surprised. But it turned out registration wasn't that difficult.
I did the registration on Monday in Astana. Registration needs to be done at the Migration Police office, which is located in the улица Сакена Сейфулина 29. I was there at 11:00 and the place was quite crowded and busy, so I already feared this might take some time. But it only took a couple of minutes, I gave them my passport, my migration card and a business card of my hotel (they wanted to know the adress). Then I was told to come back at 15:00. I was also told that they could only do a registration for a maximum of ten days. This wasn't a problem for me, because I don't intend to stay longer in Kazakhstan and my Visa validity ends there anyway. But for travellers wanting to stay longer in Kazakhstan this might be a cause of trouble.
After all, it wasn't that troublesome, but you should be aware of the registration when travelling to Kazakhstan. I don't know what to do if you're not passing a big city and thus have no way to visit the office of the migration police. 
            
            
            
            
        I did the registration on Monday in Astana. Registration needs to be done at the Migration Police office, which is located in the улица Сакена Сейфулина 29. I was there at 11:00 and the place was quite crowded and busy, so I already feared this might take some time. But it only took a couple of minutes, I gave them my passport, my migration card and a business card of my hotel (they wanted to know the adress). Then I was told to come back at 15:00. I was also told that they could only do a registration for a maximum of ten days. This wasn't a problem for me, because I don't intend to stay longer in Kazakhstan and my Visa validity ends there anyway. But for travellers wanting to stay longer in Kazakhstan this might be a cause of trouble.
After all, it wasn't that troublesome, but you should be aware of the registration when travelling to Kazakhstan. I don't know what to do if you're not passing a big city and thus have no way to visit the office of the migration police.
            « previous page  
    
            (Page 5 of 57, totaling 848 entries)
    
            » next page