Boing Boing 

Report: Uber uses GPS to punish drivers in China who get close to protests

Uber is urging its drivers in China “not to get involved in conflicts with authorities and has threatened to punish those who disobey,” reports the Wall Street Journal.

Argentine police raid programmer who discovered fatal e-voting flaws


Joaquín Sorianello found the defects in MSA, manufacturer of the Vot.ar e-voting system, and the next thing he heard about it was when the police came to his house and seized every piece of electronic equipment.

Computer scientists on the excruciating stupidity of banning crypto

A paper from some of the most important names in crypto/security history scorchingly condemns plans by the US and UK governments to ban "strong" (e.g. "working") crypto.

New York nears settlement with local Muslim leaders over spying lawsuit

Muslim-Americans protesting NYPD surveillance. Image: Reuters


The NYC government has come to initial settlement terms with Muslims, represented by the American Civil Liberties Union, who challenged police surveillance as an unconstitutional and stigmatizing intrusion on their religious rights.

Navy openly solicits for 0-day bugs to weaponize


A solicitation on FedBizOpps from the Navy asks security researchers to sell them their "vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software."

US Government Office of Personnel Management has a second, much worse breach


The second attack is being blamed on Chinese state actors, and it netted the archives of Standard Form 86, which records applicants' mental illnesses, drug and alcohol use, past arrests and bankruptcies and lists of contacts and relatives.

Radio Shack bankruptcy update: most customer data will be destroyed, not sold to pay creditors

When electronics retailer Radio Shack filed for bankruptcy, the chain proposed selling customers' personal data to raise cash and repay creditors. That's not gonna happen, and the news is seen as a win for the right to privacy.

US CIO defies the FBI, orders HTTPS for all government websites


Tony Scott, CIO of the US government, has spit in the eye of assistant FBI director Michael Steinbach, who called on companies "to build technological solutions to prevent encryption above all else."

If the FBI has a backdoor to Facebook or Apple encryption, we are less safe

Reuters


Freedom of the Press Foundation director Trevor Timm tells Boing Boing,

Now that the USA Freedom Act is out of the way, it seems pretty clear the next battle in Congress will almost certainly be over encryption, as the FBI has not stopped its push to force tech companies to insert a backdoor into their communications tools, despite being ridiculed for it by security experts. The FBI seems to push it even farther in the past week, testifying before Congress that they need to stop encryption "above all else" and leaking a story to the LA Times about ISIS using encrypted text messaging apps. I wrote about what a dumb move it is on several levels for the Guardian.

Internet-connected hospital drug pumps vulnerable to remote lethal-dose attacks


Researcher Billy Rios (previously) has extended his work on vulnerabilities in hospital drug pumps, discovering a means by which their firmware can be remotely overwritten with new code that can result in lethal overdoses for patients.

Open garage-doors in less than a minute with a hacked kid's toy

Applied Hacking's Samy Kamkar (previously) has released Opensesame, an app for hacked IM-ME texting toys that can open millions of fixed-code garage doors in less than a minute.

Facebook rolls out new encryption features

Reuters


An update rolled out today by Facebook allows users to post their public email encryption key on their Facebook profile, so others can encrypt future emails to that user. Here's the official blog post at Facebook.

More at CPJ:

Facebook profiles now have a field for PGP public keys--just like for phone numbers or email addresses. Uploaded keys can be shared as widely or narrowly as desired, just like other information on a Facebook profile. For journalists who use Facebook to connect with sources and disseminate, share, and comment on news, their profile will now indicate they are available for encrypted emails. The new feature will also make it easier to securely contact potential sources.

A sample display of the new encryption feature offered to users by Facebook.


"Status update: Facebook users now have access to PGP encryption" and "CPJ welcomes Facebook move to add PGP encryption features" [Committee to Protect Journalists]

"Securing Email Communications from Facebook" [Facebook]

NSA can't legally surveil Americans' every phone call, for now. Thanks, Edward Snowden.

GARY CAMERON/REUTERS


Today is a big day for privacy in the United States: each of us can now call our mom, our best friend, or a pizza delivery service without the NSA automatically keeping a record of who we called, when, and how long the conversation lasts.

IRS leaks 100K taxpayers' data to identity thieves


The IRS sent extensive dossiers on 100,000 US taxpayers to identity thieves who used weak "secret security" questions to trick the agency's "Get Transcript" service.

Secret security questions deemed insecure

Google analyzed the "secret questions" used by its vast userbase and was not surprised to learn that they are mostly terrible.

In a blog post at the company's Online Security Blog, Elie Bursztein said that "secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism."

"That’s because they suffer from a fundamental flaw," Bursztein wrote. "Their answers are either somewhat secure or easy to remember—but rarely both."

Here are some specific insights:

• With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question "What is your favorite food?" (it was ‘pizza’, by the way)

• With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question "What’s your first teacher’s name?"

• With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, "What is your father’s middle name?"

• With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.

They're not the first to acknowledge the problems with secret questions.

Experimental plugin lets computers share URLs with ultrasonic tones


Tone is an experimental Chrome plugin from Google Research that lets computers share small amounts of information (like URLs) with ultrasonic chirps.

Today's terrifying Web security vulnerability, courtesy of the 1990s crypto wars

The Logjam bug allows attackers to break secure connections by tricking the browser and server into communicating using weak crypto -- but why do browsers and servers support weak crypto in the first place?
