Kickstarting a car-hacking tool that lets you take control of your own vehicle

The fully-funded Macchina project on Kickstarter is an Arduino-based, "open, versatile" gadget that bypasses the DRM in your car's network, allowing you to configure it to work the way you want it to, so you can customize your car in all kinds of cool ways. Read the rest

The previous owners of used "smart" cars can still control them via the cars' apps (not just cars!)

It's not just that smart cars' Android apps are sloppily designed and thus horribly insecure; they are also deliberately designed with extremely poor security choices: even if you factory-reset a car after it is sold as used, the original owner can still locate it, honk its horn, and unlock its doors. Read the rest

Three states considering "right to repair" laws that would decriminalize fixing your stuff

Section 1201 of the 1998 Digital Millennium Copyright Act makes it both a crime and a civil offense to tamper with software locks that control access to copyrighted works -- more commonly known as "Digital Rights Management" or DRM. As the number of products with software in them has exploded, the manufacturers of these products have figured out that they can force their customers to use their own property in ways that benefit the company's shareholders, not the products' owners -- all they have to do is design those products so that using them in other ways requires breaking some DRM. Read the rest

FBI arrest the VW executive who stonewalled on the first Dieselgate reports for defrauding the US Government

Oliver Schmidt led Volkswagen regulatory compliance office from 2014 to Mar 2015, and it was he who issued statements dismissing the initial West Virginia University reports of cheating in the emissions control systems of the company's cars, lying to US regulators and insisting that the systems were merely buggy, and not deliberately designed to get around emissions testing; after the company admitted to the fraud, he appeared before the British Parliament and insisted that the fraud didn't violate EU law. Read the rest

This NES Classic jailbreak is a perfect parable of our feudal future of disobedient dishwashers

Nintendo's nostalgic instant sellout NES Classic (still available from scalpers) only comes with 30 games and no way to add more: but it only took two months from the announcement date for intrepid hackers to jailbreak the device and come up with a way to load your favorite ROMs, using a USB cable and a PC.

Your smart meter is very secure (against you) and very insecure (against hackers)

In On Smart Cities, Smart Energy, And Dumb Security -- Netanel Rubin's talk at this year's Chaos Communications Congress -- Rubin presents his findings on the failings in the security of commonly deployed smart meters. Read the rest

The Mirai worm is gnawing its way through the Internet of Things and will not stop

The Mirai worm made its way into information security lore in September, when it was identified as the source of the punishing flood of junk traffic launched against Brian Krebs in retaliation for his investigative reporting about a couple of petty Israeli criminals; subsequent analysis showed Mirai to be amateurish and clumsy, and despite this, it went on to infect devices all over the world, gaining virulence as it hybridized with other Internet of Things worms, endangering entire countries, growing by leaps and bounds, helped along by negligent engineering practices at major companies like Sony. Read the rest

Not just crapgadgets: Sony's enterprise CCTV can be easily hacked by IoT worms like Mirai

The unprecedented denial-of-service attacks powered by the Mirai Internet of Things worm have harnessed crappy, no-name CCTVs, PVRs, and routers to launch unstoppable floods of internet noise, but it's not just faceless Chinese businesses that crank out containerloads of vulnerable, defective-by-design gear -- it's also name brands like Sony. Read the rest

My keynote from the O'Reilly Security Conference: "Security and feudalism: Own or be pwned"

Here's the 32 minute video of my presentation at last month's O'Reilly Security Conference in New York, "Security and feudalism: Own or be pwned." Read the rest

Call for submissions for Disobedient Electronics

"'Disobedient Electronics' is a zine-oriented publishing project that seeks submissions from industrial designers, electronic artists, hackers and makers that disobey conventions, especially work that is used to highlight injustices, discrimination or abuses of power." Read the rest

A lightbulb worm could take over every smart light in a city in minutes

Researchers from Dalhousie University (Canada) and the Weizmann Institute of Science (Israel) have published a working paper detailing a proof-of-concept attack on smart lightbulbs that allows them to wirelessly take over the bulbs from up to 400m, write a new operating system to them, and then cause the infected bulbs to spread the attack to all the vulnerable bulbs in reach, until an entire city is infected. Read the rest

Why are license "agreements" so uniformly terrible?

An excerpt from The End of Ownership: Personal Property in the Digital Economy, by Aaron Perzanowski and Jason Schultz, coming this Friday from MIT Press.

Warner Bros angry that someone other than the MPAA is running an illegal internal movie server

Warner Bros has sued talent agency Innovative Artists for running an internal-use Google Drive folder that let its clients and staff review movies in the course of their duties. They say the company ripped "screeners" (DVDs sent for review purposes) and put them on the server, whence they leaked onto torrent sites. Read the rest

Mercedes' weird "Trolley Problem" announcement continues dumb debate about self-driving cars

In 1967, Philippa Foot posed the "Trolley Problem," an ethical conundrum about whether a bystander should be sacrificed to rescue the passengers of a speeding, out-of-control trolley; as self-driving cars have inched toward reality, this has been repurposed as a misleadingly chin-stroking question about autonomous vehicles: when faced with the choice of killing their owners or someone else, who should die? Read the rest

The clumsy, amateurish IoT botnet has now infected devices in virtually all of the world's countries

Mirai, the clumsily written Internet of Things virus that harnessed so many devices in an attack on journalist Brian Krebs that it overloaded Akamai, has now spread to devices in either 164 or 177 countries -- that is, pretty much everywhere with reliable electricity and internet access.

Imperva, a company that provides protection to websites against Distributed Denial of Service (DDoS) attacks, is among the ones who have been busy investigating Mirai. According to their tally, the botnet made of Mirai-infected devices has reached a total of 164 countries. A pseudonymous researcher that goes by the name MalwareTech has also been mapping Mirai, and according to his tally, the total is even higher, at 177 countries.

Internet of Things Malware Has Apparently Reached Almost All Countries on Earth [Lorenzo Franceschi-Bicchierai/Motherboard] Read the rest

The malware that's pwning the Internet of Things is terrifyingly amateurish

Following the release of the sourcecode for the Mirai botnet, which was used to harness DVRs, surveillance cameras and other Internet of Things things into one of the most powerful denial-of-service attacks the internet has ever seen, analysts have gone over its sourcecode and found that the devastatingly effective malware was strictly amateur-hour, a stark commentary on the even worse security in the millions and millions of IoT devices we've welcomed into our homes. Read the rest

HP blinked! Let's keep the pressure on! [PLEASE SHARE!]

Only three days after EFF's open letter to HP over the company's deployment of a stealth "security update" that caused its printers to reject third-party cartridges, the company issued an apology promising to let customers optionally install another update to unbreak their printers. Read the rest

More posts