Half of all U.S. adults are in face-recognition databases, and Black people are more likely to be targeted

One in two American adults is in a law enforcement face recognition network.

“The Perpetual Lineup” report out today from a Georgetown University thinktank makes a compelling case for greater oversight of police facial-recognition software that “makes the images of more than 117 million Americans — a disproportionate number of whom are black — searchable by law enforcement agencies across the nation,” as the New York Times account reads.

Donald Trump's mail-servers are running Windows 2003

Security researcher Kevin Beaumont had a look at the mail servers operated by the Trump organization and found a veritable dumpster fire: systems running Windows 2003 (!), unpatched, badly configured.

After being outed for massive hack and installing an NSA "rootkit," Yahoo cancels earnings call

What do you do if your ailing internet giant has been outed for losing, and then keeping silent about, 500 million user accounts, then letting American spy agencies install a rootkit on its mail service, possibly scuttling its impending, hail-mary acquisition by a risk-averse, old economy phone company? Just cancel your investor call and with it, any chance of awkward, on-the-record questions. (via /.)

Joi Ito interviews Barack Obama for Wired: machine learning, neurodiversity, basic research and Star Trek

Joi Ito (previously) -- director of MIT Media Lab, former Creative Commons chief, investor, entrepreneur, and happy mutant -- interviewed Barack Obama for a special, Obama-edited issue of Wired.

Information security needs its own National Institutes of Health

Superstar security researcher Dan Kaminsky (previously) wants to create a "National Institutes of Health for computer security" -- a publicly funded research institution that figures out how to prevent and cope with large-scale security issues in networked devices.

The clumsy, amateurish IoT botnet has now infected devices in virtually all of the world's countries

Mirai, the clumsily written Internet of Things virus that harnessed so many devices in an attack on journalist Brian Krebs that it overloaded Akamai, has now spread to devices in either 164 or 177 countries -- that is, pretty much everywhere with reliable electricity and internet access.

Imperva, a company that provides protection to websites against Distributed Denial of Service (DDoS) attacks, is among the ones who have been busy investigating Mirai. According to their tally, the botnet made of Mirai-infected devices has reached a total of 164 countries. A pseudonymous researcher that goes by the name MalwareTech has also been mapping Mirai, and according to his tally, the total is even higher, at 177 countries.

Internet of Things Malware Has Apparently Reached Almost All Countries on Earth [Lorenzo Franceschi-Bicchierai/Motherboard]

The Copyright Office wants your comments on whether it should be illegal to fix your own stuff

Under Section 1201 of the DMCA, a law passed in 1998, people who fix things can be sued (and even jailed!) for violating copyright law if fixing stuff involves bypassing some kind of copyright lock. This has incentivized manufacturers to design their products so that fixing them means breaking this law, allowing them to decide who gets to fix your stuff and how much you have to pay to have it fixed.

Yahoo didn't install an NSA email scanner, it was a "buggy" NSA "rootkit"

Ex-Yahoo employees have spoken anonymously to Motherboard about the news that Yahoo had built an "email scanner" for a US security agency, likely the FBI or the NSA. These sources -- at least one of whom worked on the security team -- say that in actuality the NSA or FBI had secretly installed a "rootkit" on Yahoo's mail servers. The Yahoo security team, who had not been apprised of it, discovered the tool and, believing the company had been hacked, sounded the alarm, only to have the company executives tell them that the US government had installed it.

FBI arrests "Shadow Brokers" leak suspect charged with theft of NSA cyberweapons

Sometime over the last few weeks, the FBI made a secret arrest of a Maryland man who worked as a Booz Allen Hamilton contractor for the National Security Agency.

Yahoo secretly scanned its users' email for U.S. intelligence services

Yahoo email accounts have been scanned by the company on behalf of U.S. intelligence services since last year. This represents the first known example of a U.S. service provider giving complete access to "all arriving messages," reports Reuters.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to the two former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

It might not seem terribly meaningful to users, given the revelation that 500m Yahoo accounts (surely all of its users, or close to it) were hacked anyway, but there's a difference between a one-off break-in and a standing invitation. Over four years of Mayer's leadership, Yahoo suffered a "stunning collapse in valuation" and was sold to Verizon for $4.83bn. Completion of the deal is reportedly threatened by the recent stories about Yahoo's security failings.

Johnson & Johnson says people with diabetes don't need to worry about potentially lethal wireless attacks on insulin pumps

Rapid7 security researcher Jay Radcliffe (previously) has Type I diabetes and has taken a personal interest in rooting out vulnerabilities in the networked, wireless-equipped blood-sugar monitors and insulin pumps marketed to people with diabetes, repeatedly discovering potentially lethal defects in these devices.

Your next DDoS attack, brought to you courtesy of the IoT

The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding.

Electronic voting machines suck, the comprehensive 2016 election edition

It's been thirteen years since we started writing here about the shenanigans of the electronic voting machine industry, who were given a gift when, after the contested 2000 elections, Congress and the Supreme Court signaled that elections officials had to go and buy new machines.

EFF to court: don't let US government prosecute professor over his book about securing computers

In July, the Electronic Frontier Foundation filed a federal lawsuit on behalf of Dr Matthew Green, a Johns Hopkins Information Security Institute Assistant Professor of Computer Science; now the US government has asked a court to dismiss Dr Green's claims. A brief from EFF explains what's at stake here: the right of security experts to tell us which computers are vulnerable to attack, and how to make them better.

Yahoo says hack of 500 million users "state-sponsored," but a security firm calls bullshit

Yahoo logo at Mobile World Congress in Spain. February 24, 2016. REUTERS

So, that huge hack of 500 million Yahoo user accounts last week that Yahoo blamed on a "state-sponsored actor"? A private internet security firm is calling bullshit on the "state-sponsored" part.

Let's kill inane "(in)security questions"

After last week's revelation of a record-smashing breach at Yahoo (which the company covered up for years), security researcher Matt Blaze tweeted: "Sorry, but if you have a Yahoo account, you will need to find a new mother, and have grown up on a different street." Ha, ha, only serious.

O'Reilly's holding a security conference in NYC, Oct 30-Nov 2

I've been going to O'Reilly conferences since the first P2P conference in 2001; for 15 years, they've been blowing my mind.