Lockpick earrings

Matthew (of Guy Fawkes bandanna fame) writes, "These acid-etched stainless steel lockpick earrings are an elegant accessory perfect for quick escapes, late nights, and lost keys. They feature a selection of picks, rakes, and a tension bar. The earrings are slim and lightweight, meant for wearing around every day and having a set on hand in case of emergencies - getting locked out, losing your keys, or showing up everybody at a spontaneous locksport competition." 35 bucks (cheap!).


How the NSA weaponized the Internet's backbone

Nicholas Weaver from the UCSD International Computer Science Institute wrote a guest editorial for Wired about the NSA's weaponization of the Internet, explaining in detail how the agency targets individuals with malware payloads injected straight from the backbone.

NSA net-security sabotage means the end of US Internet "stewardship"

Speaking at a presentation in DC, Bruce Schneier nailed the strategic cost of allowing the NSA to sabotage Internet security through BULLRUN: it has cost the US government all credibility as a contributor to Internet governance. The total depraved indifference to everyday Internet users displayed in the sabotage program means that the era of the US being seen as the best steward for the health and integrity of the net has come to a close.

Your smartphone's hidden, radio-controlling OS is totally insecure

Every mobile phone runs two operating systems: the one you interact with (like Android or iOS), and the one that controls the radio hardware. This second OS is ancient, creaking, and wildly insecure. Security researcher Ralf-Philipp Weinmann of the University of Luxembourg presented work on reverse-engineering the most popular "baseband" OSes from Qualcomm and Infineon and the horrifying security vulnerabilities he found. Anyone operating a cellular base-station (you can buy 'em on eBay or build them from open source hardware specs) can send a 73-byte message that lets them run raw code on the processor; they can silently activate auto-answer, crash the device, brick devices, install rootkits, send SMSes to premium numbers, and more.

Google security engineer on NSA: "Fuck these guys"

In a heartfelt and personal blog-post, Google security engineer Brandon Downey discusses his feelings on the discovery that the NSA had tapped Google's private fiber links. In three words: "Fuck these guys." But you should read the rest, too.

Rob Ford apparently hired a hacker to nuke the crack-smoking video

As the story of Toronto Mayor Rob Ford continues to unravel, everyone's pulling out their dirt on old Mayor Laughable Bumblefuck. Vice has a detailed email chain between Ford's communications director and a hacker for hire who was allegedly hired to delete the video of Hizzoner smoking crack and making racist and homophobic remarks from a cloud storage provider that may have belonged to a local gang, who were allegedly blackmailing him.

NIST trying to win back crypto-cred after NSA sabotage

The National Institute of Standards and Technology is one of the key players in setting standards for cryptography. Following the Snowden-leaked revelation that its standards-setting efforts had been infiltrated and sabotaged by the NSA, it is embarking on a charm offensive to lure cryptographers back into its processes. It's reassessing all of its standards, and then conducting a public consultation on its conclusions. And it is bringing in independent auditors to look at its process.

Power over USB: when charging a computer means connecting to untrusted data-sources

Some of the proposed enhancements to USB 3 would allow it to deliver a whopping 100W of power. There are some pretty great implications for this, including the ability to safely wire and re-wire room lighting and other low-power applications without an electrician's help.

But as O'Reilly's Mike Loukides points out, putting data and power in the same cable also has some intense security implications -- if you can't charge your laptop without connecting it to an untrusted data-source, there's some crazy shenanigan potential.

I've seen USB 2 power-only cables that short out the data-wire, and I wonder if Mike's problem couldn't be solved by just having a power-only USB port on the back of your laptop for charging -- but I also wonder if people would buy such a laptop, or if they'd demand the convenience of being able to use any port for charging or data.

NSA hacked email of Mexican president and drug-war reformers

A Snowden leak, discussed in detail in Der Spiegel, shows how the NSA broke into the email servers of Mexican president Felipe Calderon's public account, and used that access to wiretap the president, cabinet members, and senior diplomats. The NSA described the program, called "Flatliquid," as "lucrative." A second program, "Whitetamale," also spied on senior Mexican politicians (including presidential candidate Peña Nieto), targeting efforts to change the country's disastrous War on Drugs.

Snowden's CIA career taught him that going through channels achieved nothing

In an interview with the NYT's James Risen, Edward Snowden explains what was really going on back in his CIA days, when he was allegedly reprimanded for accessing systems he wasn't supposed to see. It turns out Snowden had found a security vulnerability in their sensitive systems, which he reported through channels, was blown off about, and then kept pushing. In the end, the manager who had tried to cover up the vulnerability took revenge on Snowden by putting a black mark on his record.

Rebutting Apple's claim of iMessage security: Apple can too spy on users

iOS jailbreaker and security researcher Cyril Cattiaux presented his work on Apple's iMessage software at the Hack in the Box conference in Kuala Lumpur. Apple had previously stated that its messaging software was resistant to PRISM-style surveillance because of its secure key-handling, through which the company itself could not see what its users were saying. Cattiaux called this "basically lies" and showed that there was scope for undetectably swapping out keys, allowing the company (or anyone it cooperates with) to spy on users. Cattiaux worked with other researchers, including Moxie Marlinspike, and showed that there were ways of designing iMessage such that users could detect key-substitutions and other attacks on the integrity of their messages, but that Apple had chosen to implement their system in a less secure way.

Why email services should be court-order resistant

With admirable clarity and brevity, Princeton's Ed Felten explains why Lavabit's owner was right to design his email service to be resistant to court orders. The whole piece is good and important, but here's the takeaway: "At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel. From a purely technological standpoint, these two scenarios are exactly the same."

As Felten goes on to point out, insider attacks are brutal -- just look at what happened to the NSA when insider Edward Snowden decided to go after it.

Phoenix TSA makes breast cancer survivors remove their prostheses

The Arizona Republic has found a large cohort of elderly and retired people who claim to have been abused by TSA staff at Phoenix's Sky Harbor airport. The passengers claim that they were required to remove their prostheses (particularly prosthetic breasts worn by cancer survivors), and that their objections were met with threats and hostility.

HOWTO maintain an air-gapped system

Bruce Schneier's written a long and in-depth guide to maintaining "air gaps" for sensitive computers. Air gaps -- computers that are never connected to the Internet or your local network -- are conceptually simple but notoriously hard to make work in practice. Schneier's got lots of good advice for minimizing the potential for human-error-based breaches of your air-gapped sensitive system.

Rise of predatory, parasitic spambooks

Charlie Stross considers the confluence of bookspam, Turing-complete JavaScript-enabled ebooks, and auctorial disappointment, and posits a hostile ecosystem of parasitic ebooks that go around devouring the competition.

EFF's guide to the NSA's official malware

Alan sez, "EFF's Deeplinks blog brings us an update on what we know (so far) about how the NSA has been deploying malware onto servers and peoples' computers.

The template for attacking people with malware used by the NSA is in widespread use by criminals and fraudsters, as well as foreign intelligence agencies, so it's important to understand and defend against this threat to avoid being a victim to the plethora of attackers out there."

Nine-year-old hitches a ride on Delta from Minneapolis to Vegas

A nine-year-old boy with "behavioral problems" snuck onto a plane in Minneapolis and flew all the way to Las Vegas, though he was taken away by Child Protective Services on landing (a flight attendant noticed he wasn't on the roster). The kid travelled to the airport by light rail on two consecutive days, once to scope it out and once to fly. That kid is going places.
