Boing Boing 

Spies can't make cyberspace secure AND vulnerable to their own attacks


In his Sunday Observer column, John Naughton makes an important point that's hammered home by the escape of the NSA/GCHQ Regin cyberweapon into the wild: spies who make war on the Internet can't be trusted with its security.

Read the rest

Innovation in lockpicks: the "hall pass" and the EOD speed-picking set

The Hall Pass is a stainless steel, credit-card-sized pick designed to be slid between the door and the jamb (saving you from cracking your credit cards); the EOD is an extensive speed-pick set that is nevertheless optimized for portability and compactness.

Read the rest

Wall Street phishers show how dangerous good syntax and a good pitch can be


Major Wall Street institutions were cracked wide open by a phishing scam from FIN4, a hacker group that, unlike its competition, can write convincingly and employs some basic smarts about why people open attachments.

Read the rest

Analysis of leaked logs from Syria's censoring national firewall


Syria's brutal Assad government uses censorware from California's Blue Coat System as part of its systematic suppression of dissent and to help it spy on dissidents; 600GB of 2011 logs from Syria's seven SG-9000 internet proxies were leaked by hacktivist group Telecomix and then analyzed by University College London's Emiliano De Cristofaro.

Read the rest

Essential reading: the irreconcilable tension between cybersecurity and national security


Citizenlab's Ron Diebert lays out the terrible contradiction of putting spy agencies -- who rely on vulnerabilities in the networks used by their adversaries -- in change of cybersecurity, which is securing those same networks for their own citizens.

Read the rest

E-cigs and malware: real threat or Yellow Peril 2.0?


After a redditor claimed to have gotten a computer virus from factory-installed malware on an e-cig charger, the Guardian reported out the story and concluded that it's possible.

Read the rest

Router for gamers lets you filter games by distance

The forthcoming Netduma router has a geofilter that lets you restrict the games you join by distance, so you only play against nearby gamers, eliminating a leading cause of lag.

Read the rest

ISPs caught sabotaging their customers' email encryption


Ever since 2013, when the Electronic Frontier Foundation started shaming email providers that did not encrypt their customers' email, more and more mail providers have turned on STARTTLS, which protects email in transit from snooping, without requiring users to take any additional steps.

Read the rest

Cyberwar's hidden victims: NGOs


A new report from the storied Citizen Lab at the University of Toronto documents the advanced, persistent threats levied against civil society groups and NGOs -- threats that rival those facing any government or Fortune 100 company, but whose targets are much less well-equipped to defend themselves.

Read the rest

Indispensable BBC/OU series on cybercrime starts tomorrow

Mike from the Open University sez, "The OU and the BBC have created a new six part series about cybercrime, presented by the technology journalist Ben Hammersley."

Read the rest

Inside Secure threatens security researcher who demonstrated product flaws

Martin Holst Swende maintains a free/open tool for testing software that uses the (notoriously flawed) Iclass Software, which is used by Inside Secure for its RFID-based access systems.

Read the rest

What's the best way to weaken crypto?


Daniel Bernstein, the defendant in the landmark lawsuit that legalized cryptography (over howls of protest from the NSA) engages in a thought-experiment about how the NSA might be secretly undermining crypto through sabotage projects like BULLRUN/EDGEHILL.

Making sure crypto stays insecure [PDF/Daniel J Bernstein]

(via O'Reilly Radar)

FBI chief demands an end to cellphone security

If your phone is designed to be secure against thieves, voyeurs, and hackers, it'll also stop spies and cops. So the FBI has demanded that device makers redesign their products so that they -- and anyone who can impersonate them -- can break into them at will.

Read the rest

How to enable two-step authentication on Google, Facebook, etc.

Gizmodo has a handy guide to enabling two-factor authentication on your accounts with Apple, Google, Microsoft, Twitter, Dropbox, etc.

Two-step, or two-factor authentication protects your accounts by requiring you to provide an additional piece of information after you give your password to get into your account. In the most common implementation, after correctly entering your password, an online service will send you a text message with a unique string of numbers that you'll need to punch in to get access to your account.

The idea is that you're drastically more secure if somebody needs both your password and the physical phone to get access to your accounts. Add a passcode to your phone, and you're safeguarded against someone stealing both.

Is it perfect? No. But it's way better than just irrationally hoping nobody ever gets a hold of your password.

Darkmatter: a secure Paranoid Android version that hides from attackers

Stock Android phones with the Darkmatter OS use encrypted storage, OS-level app controls, and secure messaging by default, but if the phone thinks it's under attack, it dismounts all the encrypted stuff and reboots as a stock Android phone with no obvious hints that its owner has anything hidden on it.

Read the rest

Petition: make it safe to report security flaws in computers


Laws like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act put security researchers at risk of felony prosecution for telling you about bugs in the computers you put your trust in, turning the computers that know everything about us and watch everything we do into reservoirs of long-lived pathogens that governments, crooks, cops, voyeurs and creeps can attack us with.

Read the rest

Sourcecode for "unpatchable" USB exploit now on Github


Last summer's Black Hat presentation on "Badusb" by Karsten Nohl alerted the world to the possibility that malware could be spread undetectably by exploiting the reprogrammable firmware in USB devices -- now, a second set of researchers have released the code to let anyone try it out for themselves.

Read the rest