Boing Boing 

NSA-proof passwords


The Intercept's Micah Lee explains how to use Diceware's to generate a passphrase that can survive the NSA's trillion-guess-per-second cracking attempts -- but which can still be easily memorized.

Read the rest

Backchannel: computers can talk to each other with heat

A paper by Ben Gurion University researchers to be presented at a Tel Aviv security conference demonstrates "Bitwhisper," a covert communications channel that allows computers to exchange data by varying their temperature, which can be detected by target machines within 40cm.

Read the rest

Automating remote BIOS attacks


Legbacore's upcoming "digital voodoo" presentation will reveal an automated means of discovering BIOS defects that are vulnerable to remote attacks, meaning that your computer can be compromised below the level of the OS by attackers who do not have physical access to it.

Read the rest

Windows 10 announcement: certified hardware can lock out competing OSes


Microsoft has announced a relaxation of its "Secure Boot" guidelines for OEMs, allowing companies to sell computers pre-loaded with Windows 10 that will refuse to boot any non-Microsoft OS.

Read the rest

Brute-force iPhone password guesser can bypass Apple's 10-guess lockout

The IP Box costs less than £200 and can guess all possible four-digit passwords in 111 hours.

Read the rest

Clinton's sensitive email was passed through a third-party spam filtering service


It's been years since the spam wars were at the front of the debate, but all the salient points from then remain salient today: when you let unaccountable third parties see your mail and decide which messages you can see, the potential for mischief is unlimited.

Read the rest

Laptop killing booby-trapped USB drive


The USB Killer is a booby-trapped, hand-made USB drive that will "burn down" your laptop if you insert it into your USB slot.

Read the rest

Three steps to save ourselves from firmware attacks


Following on the news that the (likely NSA-affiliated) Equation Group has developed a suite of firmware attacks that target the software embedded in your hard-drive and other subcomponents, it's time to expand the practice of information security to the realm of embedded software.

Read the rest

Bruce Schneier's Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

No one explains security, privacy, crypto and safety better.Read the rest

Companies should never try to intercept their users' encrypted traffic

Lenovo's disgraceful use of Superfish to compromise its users' security is just the tip of the iceberg: everywhere we look, companies have decided that it's a good idea to sneakily subvert their users' encryption.

Read the rest

Revenge porn shitweasel pleads guilty, admits he hacked victims' accounts


Michael from Muckrock writes, "After months of legal wrangling, Hunter Moore, who ran 'revenge porn' website Isanyoneup, has agreed to a plea deal that will see him serve a minimum of two years and up to seven years in jail, as well as up to $500,000 in fines."

Read the rest

Shining light on the shadowy, "superhuman" state-level Equation Group hackers


For more than decade, a shadowy, heavily resourced, sophisticated hacker group that Kaspersky Labs calls the Equation Group has committed a string of daring, cutting-edge information attacks, likely at the behest of the NSA.

Read the rest

Security researcher releases 10 million username and password combinations


Security researcher Mark Burnett has released 10,000,000 username/password combos he's downloaded from well-publicized hacks, citing the prosecution of Barrett Brown and the looming Obama administration crackdown on security researchers as impetus to do this before it became legally impossible.

Read the rest

Security presentations from Shmoocon

The amazing, always-sold out security conference Shmooocon has posted the videos from its latest event, held earlier this month.

Read the rest

Fingerprints can be reproduced from photos of your hands

A presentation by Starbug at the 31st Chaos Communications Congress (previously) demonstrated a technique for deriving fingerprints from a couple of photographs of your hands. Starbug's proof of concept was a copy of the fingerprints of German Defense Minister Ursula von der Leyen.

Read the rest

Livestreams from the Chaos Communications Congress

The 31st Chaos Communications Congress is underway in Hamburg, where some of the most important, entertaining, mind-blowing, and earth-shaking information about computer security and politics will be revealed. Here's the livestream. (via Hacker News)

Usbdriveby: horrifying proof-of-concept USB attack

Samy Kamkar has a proof-of-concept attack through which he plugs a small USB stick into an unlocked Mac OS X machine and then quickly and thoroughly compromises the machine, giving him total, stealthy control over the system in seconds, even reprogramming the built-in firewall to blind it to its actions.

Read the rest

Wall Street phishers show how dangerous good syntax and a good pitch can be


Major Wall Street institutions were cracked wide open by a phishing scam from FIN4, a hacker group that, unlike its competition, can write convincingly and employs some basic smarts about why people open attachments.

Read the rest

E-cigs and malware: real threat or Yellow Peril 2.0?


After a redditor claimed to have gotten a computer virus from factory-installed malware on an e-cig charger, the Guardian reported out the story and concluded that it's possible.

Read the rest

Cyberwar's hidden victims: NGOs


A new report from the storied Citizen Lab at the University of Toronto documents the advanced, persistent threats levied against civil society groups and NGOs -- threats that rival those facing any government or Fortune 100 company, but whose targets are much less well-equipped to defend themselves.

Read the rest

Indispensable BBC/OU series on cybercrime starts tomorrow

Mike from the Open University sez, "The OU and the BBC have created a new six part series about cybercrime, presented by the technology journalist Ben Hammersley."

Read the rest

Opsec, Snowden style

Micah Lee, the former EFF staffer whom Edward Snowden reached out to in order to establish secure connections to Glenn Greenwald and Laura Poitras, shares the methodology he and Snowden employed to stay secure and secret in the face of overwhelming risk and scrutiny.

Read the rest

Malware authors use Gmail drafts as dead-drops to talk to bots

Once you've successfully infected your victim's computer with malware, you want to be able to send it orders -- so you spawn an invisible Internet Explorer window, login to an anonymous Gmail account, and check in the Drafts folder for secret orders.

Read the rest

2600 magazine profiled in the New Yorker

It's a long-overdue and much-deserved tribute to the hardest-working chroniclers of hacker culture. Emmanuel Goldstein and co have inspired generations of electronic spelunkers and freedom fighters, and they're still going strong -- and have never been more relevant, thanks to the debate sparked by the Snowden leaks.

Read the rest

Inside Secure threatens security researcher who demonstrated product flaws

Martin Holst Swende maintains a free/open tool for testing software that uses the (notoriously flawed) Iclass Software, which is used by Inside Secure for its RFID-based access systems.

Read the rest

Infosec Taylor Swift's cyber-philosophical musings

Do you like your cyberphilosophy delivered via the dulcet voice of America's country music treasure Taylor Swift? Head over to Twitter and follow @SwiftOnSecurity. Below are a few of her most incisive critiques of techno-utopianism.

Read the rest

What's the best way to weaken crypto?


Daniel Bernstein, the defendant in the landmark lawsuit that legalized cryptography (over howls of protest from the NSA) engages in a thought-experiment about how the NSA might be secretly undermining crypto through sabotage projects like BULLRUN/EDGEHILL.

Making sure crypto stays insecure [PDF/Daniel J Bernstein]

(via O'Reilly Radar)

FBI chief demands an end to cellphone security

If your phone is designed to be secure against thieves, voyeurs, and hackers, it'll also stop spies and cops. So the FBI has demanded that device makers redesign their products so that they -- and anyone who can impersonate them -- can break into them at will.

Read the rest

Darkmatter: a secure Paranoid Android version that hides from attackers

Stock Android phones with the Darkmatter OS use encrypted storage, OS-level app controls, and secure messaging by default, but if the phone thinks it's under attack, it dismounts all the encrypted stuff and reboots as a stock Android phone with no obvious hints that its owner has anything hidden on it.

Read the rest

Malware needs to know if it's in the Matrix


Once a security researcher discovers a new strain of malicious software -- running a virtual machine on a test-bench -- and adds its signature to anti-virus and network monitor blacklists, it's game over. So today's malware devotes enormous energy to figuring out if it's running on a real computer, or inside one of its enemies' virtual worlds.

Read the rest