FBI tells tech companies offering encryption to reconsider “their business model”

FBI Director James Comey, 2014.  [REUTERS]

Despite zero indication that the people responsible for the recent terrorist attacks in Paris and San Bernardino used encryption, the FBI is launching an all-out PR war on crypto.

Now, FBI director James Comey is making tech firms that offer end-to-end encryption tools an offer they can't refuse: they should reconsider “their business model,” he said today, and instead adopt encryption techniques that let them intercept communications, and hand them over to law enforcement when asked.


Everybody knows: FBI won't confirm or deny buying cyberweapons from Hacking Team


Back in July, a hacker dumped the emails and other files from Hacking Team, Italy's notorious cyber-arms dealer. Coincidentally, Vice had recently filed a Freedom of Information Act request with the FBI, asking if they were buying cyberweapons from Hacking Team.

Army decides to stop putting soldiers' Social Security numbers on their dog tags


In a major policy change that sounds like a Very Good Idea, the U.S. Army announced today that dog tags will no longer include the Social Security number of the soldier wearing them. SSNs have been part of this identification system for over 40 years.


What will you hide in your $11 book safe?


If a burglar got their hands on this book safe ($11 on Amazon) disguised as a dictionary, they would have no trouble breaking it open on the spot. More likely, they'd just take it home and open it there. But if you stick it on a shelf with a lot of real books, and put a book cover on it, it's unlikely to be spotted. It comes with two keys and has a 2 x 5.625 x 9-inch storage area.


Let's Encrypt enters public beta: free HTTPS certificates for everyone!


Let's Encrypt is a joint project from EFF, Mozilla and others that allows anyone to create a free HTTPS certificate in minutes. Certificates are a critical piece of infrastructure, necessary for making connections between a web server and a browser secure and private.

I Can't Let You Do That, Dave: why computer scientists should care about DRM


I have an editorial in the current issue of Communications of the Association for Computing Machinery, a scholarly journal for computer scientists, in which I describe the way that laws that protect digital locks (like America's DMCA) compromise the fundamentals of computer security.

What happened when a parent fought for his kid's privacy at an all-Chromebook school


Katherine W was seven when her third-grade teacher issued Chromebooks to her class. Her dad, Jeff, is a serious techie, but the school's tech choices didn't sit well with him. He was able to get Katherine an exception that let her use a more private, non-cloud computer for the year, but the next year, Katherine's school said she would have to switch to a laptop that would exfiltrate everything she did to Google's data-centers.

Vtech toy data-breach gets worse: 6.3 million children implicated


The Hong Kong-based toymaker/crapgadget purveyor didn't even know it had been breached until journalists from Vice asked why data from its millions of customers and their families were in the hands of a hacker, and then the company tried to downplay the breach and delayed telling its customers about it.

Secret National Security Letters demanded your browsing history


Thousands of National Security Letters are sent annually, don't need a judge's signoff, and it's illegal to tell anyone you got one. What do they demand? Web browsing history, the IP addresses of everyone corresponded with, all online purchases, and more.


Vtech breach dumps 4.8m families' information, toy security is to blame


Vtech is a ubiquitous Hong Kong-based electronic toy company whose kiddy tablets and other devices are designed to work with its cloud service, which requires parents to set up accounts for their kids. 4.8 million of those accounts were just breached, leaking a huge amount of potentially compromising information, from kids' birthdays and home addresses to parents' passwords and password hints.

Dell apologizes for preinstalling bogus root-certificate on computers


Yesterday, Dell was advising customers not to try to uninstall the bogus root certificate it had snuck onto their Windows machines, a certificate that would allow attackers to undetectably impersonate their work intranets, bank sites, or Google mail. Today, they apologized and offered an uninstaller -- even as we've learned that at least one SCADA controller was compromised by the bad cert, and that Dell has snuck even more bogus certs onto some of its machines.

Not just Lenovo: Dell ships computers with self-signed root certificates


Last February, Lenovo shocked its security-conscious customers by pre-installing its own, self-signed root certificates on the machines it sold. These certificates, provided by a spyware advertising company called Superfish, made it possible for attackers to create "secure" connections to undetectable fake versions of banking sites, corporate intranets, webmail providers, etc.

How browser extensions steal logins & browsing habits; conduct corporate espionage


Seemingly harmless browser extensions that generate emojis, enlarge thumbnails, help you debug JavaScript errors and other common utilities routinely run secret background processes that collect and retransmit your login credentials, private URLs that grant access to sensitive files, corporate secrets, full PDFs and other personally identifying, potentially compromising data.

Zero: the number of security experts Ted Koppel consulted for hysterical cyberwar book


Ted Koppel's new book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, warns of an impending disaster in which America's critical infrastructure will be destroyed by cyberattackers, plunging the nation into a literal dark age.

The Web is pretty great with Javascript turned off


Wired's Klint Finley tried turning off JavaScript and discovered a better Web, one without interruptors asking you to sign up for a mailing list, without infinitely scrolling pages, without ads and without malvertising.

Hospitals are patient zero for the Internet of Things infosec epidemic


As I have often noted, medical devices have terrifyingly poor security models, even when compared to the rest of the nascent Internet of Things, where security is, at best, an afterthought (at worst, it's the enemy!).

Did the FBI pay Carnegie Mellon $1 million to identify and attack Tor users?


Documents published by Vice News' Motherboard and further reporting by Wired suggest that a team of researchers from Carnegie Mellon University who canceled their scheduled 2015 Black Hat talk identified Tor hidden servers and their visitors, and turned that data over to the FBI.

No matter who the researchers are or which institution is involved, it sounds like a serious ethical breach.

First, from Vice, a report which didn't name CMU but revealed that a U.S. university helped the FBI bust Silk Road 2, along with suspects in child pornography cases:

An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.

It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.

Here's a screenshot of the relevant portion of one of the court documents that Motherboard/Vice News published:

Later today, a follow-up from Wired pointed the finger directly at CMU:

The Tor Project on Wednesday afternoon sent WIRED a statement from its director Roger Dingledine directly accusing Carnegie Mellon of providing its Tor-breaking research in secret to the FBI in exchange for a payment of “at least $1 million.” And while Carnegie Mellon’s attack had been rumored to have been used in takedowns of dark web drug markets that used Tor’s “hidden service” features to obscure their servers and administrators, Dingledine writes that the researchers’ dragnet was larger, affecting innocent users, too.

