Boing Boing 

ISPs caught sabotaging their customers' email encryption


Ever since 2013, when the Electronic Frontier Foundation started shaming email providers that did not encrypt their customers' email, more and more mail providers have turned on STARTTLS, which protects email in transit from snooping, without requiring users to take any additional steps.

Read the rest

Cyberwar's hidden victims: NGOs


A new report from the storied Citizen Lab at the University of Toronto documents the advanced, persistent threats levied against civil society groups and NGOs -- threats that rival those facing any government or Fortune 100 company, but whose targets are much less well-equipped to defend themselves.

Read the rest

Indispensable BBC/OU series on cybercrime starts tomorrow

Mike from the Open University sez, "The OU and the BBC have created a new six part series about cybercrime, presented by the technology journalist Ben Hammersley."

Read the rest

Inside Secure threatens security researcher who demonstrated product flaws

Martin Holst Swende maintains a free/open tool for testing software that uses the (notoriously flawed) Iclass Software, which is used by Inside Secure for its RFID-based access systems.

Read the rest

What's the best way to weaken crypto?


Daniel Bernstein, the defendant in the landmark lawsuit that legalized cryptography (over howls of protest from the NSA) engages in a thought-experiment about how the NSA might be secretly undermining crypto through sabotage projects like BULLRUN/EDGEHILL.

Making sure crypto stays insecure [PDF/Daniel J Bernstein]

(via O'Reilly Radar)

FBI chief demands an end to cellphone security

If your phone is designed to be secure against thieves, voyeurs, and hackers, it'll also stop spies and cops. So the FBI has demanded that device makers redesign their products so that they -- and anyone who can impersonate them -- can break into them at will.

Read the rest

How to enable two-step authentication on Google, Facebook, etc.

Gizmodo has a handy guide to enabling two-factor authentication on your accounts with Apple, Google, Microsoft, Twitter, Dropbox, etc.

Two-step, or two-factor authentication protects your accounts by requiring you to provide an additional piece of information after you give your password to get into your account. In the most common implementation, after correctly entering your password, an online service will send you a text message with a unique string of numbers that you'll need to punch in to get access to your account.

The idea is that you're drastically more secure if somebody needs both your password and the physical phone to get access to your accounts. Add a passcode to your phone, and you're safeguarded against someone stealing both.

Is it perfect? No. But it's way better than just irrationally hoping nobody ever gets a hold of your password.

Darkmatter: a secure Paranoid Android version that hides from attackers

Stock Android phones with the Darkmatter OS use encrypted storage, OS-level app controls, and secure messaging by default, but if the phone thinks it's under attack, it dismounts all the encrypted stuff and reboots as a stock Android phone with no obvious hints that its owner has anything hidden on it.

Read the rest

Petition: make it safe to report security flaws in computers


Laws like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act put security researchers at risk of felony prosecution for telling you about bugs in the computers you put your trust in, turning the computers that know everything about us and watch everything we do into reservoirs of long-lived pathogens that governments, crooks, cops, voyeurs and creeps can attack us with.

Read the rest

Sourcecode for "unpatchable" USB exploit now on Github


Last summer's Black Hat presentation on "Badusb" by Karsten Nohl alerted the world to the possibility that malware could be spread undetectably by exploiting the reprogrammable firmware in USB devices -- now, a second set of researchers have released the code to let anyone try it out for themselves.

Read the rest

Security cruft means every exploit lives forever

Security failures will live on forever, because protocols have no sell-by date. Glenn Fleishman exposes the eternity we face with broken software.Read the rest

Get 2600's archives from 1987

Emmanuel Goldstein from 2600 Magazine writes, "Volume 4 of The Hacker Digest has been put into PDF format, comprised of issues of 2600 Magazine from 1987."

This was the first year that 2600 adopted the digest format. For the first time ever, a hacker magazine would show up on newsstands and in bookstores around the world. New concepts such as cellular phone fraud and electronic mailboxes for $20 a month were introduced to the public and scrutinized in the pages of 2600, while traditions like the letters section, payphone photos, and 2600 meetings were in their infancy. The hacker spirit from these early issues is remarkably similar to that of today: defiant, curious, and overflowing with data.

VOLUME 4 OF THE HACKER DIGEST RELEASED ALONG WITH DETAILS ON ITS HISTORY

(Thanks, Emmanuel!)

Insecure printer firmware hacked to play Doom

Printer security sucks -- but Michael Jordon's work on hacking the firmware of the standalone Canon Pixma printer is a more playful example of that suckitude than ever seen before.

Read the rest

Bruce Sterling's "The Epic Struggle of the Internet of Things"

It's a new long-form essay in the tradition of Sterling's must-read, groundbreaking 2005 book Shaping Things, a critical perspective on what it means to have a house full of "smart" stuff that answers to giant corporations and the states that exert leverage over them.

Read the rest

Tabnapping: a new phishing attack [2010]

Aza Raskin's Tabnapping is a proof-of-concept for a fiendish attack: a tab that waits until you're not watching, then turns itself into a convincing Google login screen that you assume you must have opened.

Read the rest

In the Interests of Safety: using evidence to beat back security theater

"Health and Safety" is the all-purpose excuse for any stupid, bureaucratic, humiliating rubbish that officialdom wants to shove down our throats. In the Interests of Safety, from Tracey Brown and Michael Hanlon, is the antidote: an expert dismantling of bad risk-analysis and a call-to-arms to do something about it, fighting superstition and silliness with evidence.Read the rest

Fake, phone-attacking cell-towers are all across America


The towers attack the baseband radio in your phone and use it to hack the OS; they're only visible if you're using one of the customized, paranoid-Android, post-Snowden secure phones, and they're all around US military bases.

Read the rest

When law-enforcement depends on cyber-insecurity, we're all at risk


It's not enough to pass rules limiting use of "stingray" mobile-phone surveillance devices by civilians: for so long as cops depend on these devices, the vulnerabilities they exploit will not be fixed, leaving us all at risk.

Read the rest

Trundling lidar-guided printerbot will find you and deliver your hardcopy


A Fuji-Xerox prototype printer-robot builds a model of the room and then drives itself to your desk to deliver your printouts, saving you the precious calories you'd waste, running around the office, trying to figure out which printer you sent your job to.

Read the rest

3D printed bump keys make short work of high-security locks

High-end locks rely on their unique key-shapes to prevent "bumping" (opening a lock by inserting a key-blank and hitting it with a hammer, causing the pins to fly up), but you can make a template for a bump key by photographing the keyhole and modelling it in software.

Read the rest

Google Images hacked


Google's Image Search has apparently been hacked. All queries return a line or two of normal images, followed by thousands of differently-sized versions of the image above, depicting a grisly car-crash ganked from a Ukrainian news site's coverage of the wreck.

Read the rest

USB Condom: charge your devices without allowing sneaky data-transfers


Those public USB charging points are tempting, but could be used to propagate all kind of grotesque malware (imagine what happens when your phone's camera, mic, storage, keyboard and GPS start leaking your data to voyeurs and identity thieves) -- sure, you can always buy a charge-only cable, but these crowdfunded adapters turn any cable into a power-only source.

Read the rest

Cybersecurity czar is proud of his technical illiteracy

Michael Daniel thinks "being too down in the weeds at the technical level could actually be a little bit of a distraction"; Ed Felten counters, "Imagine reaction if White House economic advisor bragged about lack of economics knowledge, or Attorney General bragged about lack of legal expertise."

Read the rest

Save the net, break up the NSA

Bruce Schneier nails it: "efficiency is not the most important goal here; security and liberty are."

Read the rest

A video about cybersecurity that you should really watch

Dan Geer's Black Hat 2014 talk Cybersecurity as Realpolitik (also available as text) is thoughtful, smart, vital, and cuts through -- then ties together -- strands of security, liability, governance, privacy, and fairness, and is a veritable manifesto for a better world.

Read the rest

Uber-like service for private security

94bd8a8bd3e856a5b2ddc43862f56a0f

The task routing craze continues with Bannerman, an on-demand private security force that promises to send muscle your way in around 30 minutes. The booking process is similar to Uber and the company says the guards "have passed background checks by the FBI & the department of Justice" and have "physical presence for visual deterrence." Now available in the SF Bay Area with other cities coming soon. (Thanks, Adam Shandobil!)

Journalist believes his phone was hacked by spooks at HOPE X, will upload image for forensics


Douglas writes, "My rooted CyanogenMod phone got hacked at HOPE X. I'm planning to get it write-blocked and imaged to crowdsource forensics."

Read the rest

Back doors in Apple's mobile platform for law enforcement, bosses, spies (possibly)

Jonathan Zdziarski's HOPE X talk, Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices, suggests that hundreds of millions of Iphone and Ipad devices ship from Apple with intentional back-doors that can be exploited by law enforcement, identity thieves, spies, and employers.

Read the rest

EFF unveils secure, sharing-friendly, privacy-minded router OS

As promised, the Open Wireless Movement's new sharing-friendly, privacy-minded router operating system was unveiled at HOPE X in New York last weekend.

Read the rest

Fake TSA screener infiltrates SFO checkpoint, gropes women


He was allegedly drunk, and had at least two victims before SFO's crackerjack private aviation security outfit, Covenant, noticed (they're the same ones who smashed my brand new camera some years ago and refused to take responsibility for it).

Read the rest