"matt blaze"

Researchers find mountains of sensitive data on totalled Teslas in junkyards

Teslas are incredibly data-hungry, storing massive troves of data about their owners: videos of crashes, location history, contacts and calendar entries from paired phones, photos of the driver and passengers taken with the interior cameras, and more. This data is stored without encryption, it is not always clear when a Tesla is gathering it, and the only way to comprehensively switch off data-gathering also deactivates over-the-air software updates, which the cars have historically needed because features shipped limited or buggy.

How a cryptographer uses a key engraver

Legendary cryptographer and security researcher Matt Blaze (previously) somehow acquired a key engraver and now he's "using it to engrave entirely serious labels on my keys that are not in any way ironic or confusing."

Defcon Voting Village report shows that hacking voting machines takes less time than voting

Every year, security researchers gather at Defcon's Voting Village to probe voting machines and report on the longstanding, systematic security problems with them, in order to give secure-voting advocates the ammunition they need to convince Congress and local officials to take action to improve America's voting security.

Here's everything that's wrong with America's insecure electronic voting machines, and what to do about it

The University of Pennsylvania's Matt Blaze (previously) is a legendary figure in cryptography and security circles; most recently he convened Defcon's Vote Hacking Village, where security experts with no particular knowledge of voting machines repeatedly, fatally hacked surplus voting machines of the sort routinely used in US elections.

WPA2 was kracked because it was based on a closed standard that you needed to pay to read

How did a bug like KRACK fester in WPA2, the 13-year-old wifi standard whose flaws have rendered hundreds of millions of devices insecure, some of them permanently so? KRACK works by replaying message 3 of WPA2's four-way handshake so that a client reinstalls a key it is already using, which resets the packet number that keeps the cipher's keystream fresh.
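What "key reinstallation" actually costs, as an added example that is not from the original post or from the KRACK researchers: a toy model of a WPA2 station whose encryption is counter mode keyed by (session key, transmitter address, packet number). HMAC-SHA256 stands in for AES-CCMP so it runs on the Python standard library alone; the key, MAC addresses and frames are all constructed. A retransmitted handshake message 3 makes the victim reinstall the same key and, as pre-fix implementations did, reset its packet number and replay counter. The example then shows the two consequences: a guessable first frame lets an eavesdropper recover the second frame outright, and an already-delivered frame is accepted a second time.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed values: a session key (stand-in for the CCMP temporal key), two
# station addresses, and frames the victim sends or receives. The first frame is
# the kind of thing an attacker can guess (a web request to a known host).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CLIENT = b"\x02\x00\x00\x00\x00\x01"
AP = b"\x02\x00\x00\x00\x00\x02"
WEB_REQUEST = b"GET /login HTTP/1.1\r\nHost: example.test\r\n"
COOKIE_LINE = b"Cookie: session=constructed-secret\r\n"
GROUP_UPDATE = b"ARP who-has 10.0.0.1"


def keystream(key: bytes, addr: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream derived from (key, transmitter address, packet number).
    CCMP does this with AES; HMAC-SHA256 stands in here so the example needs only
    the standard library. The security property is the same either way: the same
    (key, addr, pn) must never produce keystream twice."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = addr + pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Station:
    addr: bytes
    key: bytes
    tx_pn: int = 0  # transmit packet number: the counter-mode nonce
    rx_pn: int = 0  # receive replay counter for the peer's frames

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.tx_pn += 1
        ks = keystream(self.key, self.addr, self.tx_pn, len(plaintext))
        return self.tx_pn, xor(plaintext, ks)

    def accept(self, sender: bytes, pn: int, ciphertext: bytes) -> Optional[bytes]:
        """Return the plaintext, or None if the packet number is not fresh (replay)."""
        if pn <= self.rx_pn:
            return None
        self.rx_pn = pn
        return xor(ciphertext, keystream(self.key, sender, pn, len(ciphertext)))

    def install_key(self, key: bytes) -> None:
        """Key installation as 802.11 clients did it before the KRACK fixes: installing
        a key also resets the packet number and replay counter. A replayed handshake
        message 3 makes a victim call this with the key it is ALREADY using."""
        self.key = key
        self.tx_pn = 0
        self.rx_pn = 0


def normal_session():
    """Healthy session: packet numbers keep climbing, keystream never repeats."""
    client = Station(CLIENT, KEY)
    pn1, c1 = client.encrypt(WEB_REQUEST)
    pn2, c2 = client.encrypt(COOKIE_LINE)
    return pn1, pn2, c1, c2


def krack_session():
    """Attacker replays message 3 between the victim's two frames."""
    client, ap = Station(CLIENT, KEY), Station(AP, KEY)
    pn1, c1 = client.encrypt(WEB_REQUEST)     # sniffed by the attacker
    gpn, g1 = ap.encrypt(GROUP_UPDATE)        # sniffed by the attacker as well
    client.accept(AP, gpn, g1)                # delivered once, legitimately
    client.install_key(KEY)                   # replayed message 3: same key, counters reset
    pn2, c2 = client.encrypt(COOKIE_LINE)     # same pn as frame 1: keystream reused
    replayed = client.accept(AP, gpn, g1)     # the old frame is accepted again
    return pn1, pn2, c1, c2, replayed


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Under one keystream k: c1 ^ c2 == p1 ^ p2, so p2 == c1 ^ c2 ^ p1, byte for byte."""
    return xor(xor(c1, c2), known_p1)


if __name__ == "__main__":
    pn1, pn2, c1, c2, replayed = krack_session()
    print("packet numbers of the two frames:", pn1, pn2)
    print("second frame recovered:", recover_with_known_plaintext(c1, c2, WEB_REQUEST))
    print("old frame accepted again:", replayed is not None)
```

The fix that shipped in patched clients is visible in `install_key`: if the key being installed is the one already in use, keep `tx_pn` and `rx_pn` instead of zeroing them. Note that the recovery is exact rather than statistical; with identical keystream the attacker needs no cryptanalysis at all, only one guessable frame.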

Chelsea Manning: we're spied on all the time, and the state still can't figure out who we are

Chelsea Manning spent seven years in military prison for blowing the whistle on illegal actions by the US in Iraq and around the world; while imprisoned, she transitioned her gender and changed her name, and, on her release, found herself unpersoned, unable to identify herself to the satisfaction of the state, despite being one of the most famous people in America and despite the state's unquenchable thirst for our personal data (and hers especially).

Let's kill inane "(in)security questions"

After last week's revelation of a record-smashing breach at Yahoo (which the company covered up for years), security researcher Matt Blaze tweeted: "Sorry, but if you have a Yahoo account, you will need to find a new mother, and have grown up on a different street." Ha, ha, only serious.

The DoJ is using a boring procedure to secure the right to unleash malware on the internet

The upcoming Rule 41 modifications to the US Federal Rules of Criminal Procedure, pushed by the Department of Justice, will let the FBI hack computers in secret, with impunity, using dangerous tools that are off-limits to independent scrutiny -- all without Congressional approval, and at a moment when America needs its law-enforcement community to be strengthening the nation's computers, not hoarding and weaponizing defects that put us all at risk.

Elsevier buys SSRN

Elsevier is one of the world's largest scholarly publishers and one of the most bitter enemies that open access publishing has; SSRN is one of the biggest open access scholarly publishing repositories in the world: what could possibly go wrong?

Look at this government spy truck disguised as a Google Streetview car

Security researcher Matt Blaze noticed this vehicle in Philadelphia. It had a large Google Streetview sticker on the window, but Matt noticed a Philadelphia Office of Fleet Management placard on the windshield. He took a photo of the vehicle and tweeted it, along with the comment, "WTF? Pennsylvania State Police license plate reader SUV camouflaged as Google Street View vehicle."

The PA State Police read Matt's tweet and replied via Twitter, "Matt, this is not a PSP vehicle. If this is LPR [license plate reader] technology, other agencies and companies might make use of it."

So who is driving around in a vehicle disguised as a Google Streetview car and equipped with a license plate reader? Motherboard asked the Office of Fleet Management and got some more information:

A placard on the dashboard indicates that the SUV is registered with the Philadelphia Office of Fleet Management, which maintains city government’s 6,316 vehicles, indicating that the vehicle is being used by a local agency.

Christopher Cocci, who serves as the city’s fleet manager, and whose signature is on the document, says that the vehicle does not belong to the Pennsylvania State Police, which is known to use automated license plate recognition (ALPR), or the Philadelphia Parking Authority, a local agency that also utilizes ALPR. So whose surveillance truck is it?

“All city vehicles such as police, fire, streets etc.…are registered to the city. Quasi [public] agencies like PPA, Housing Authority, PGW and School District are registered to their respective agencies,” fleet manager Christopher Cocci wrote in an email to Motherboard after reviewing photos of the vehicle.


Clapper's ban on talking about leaks makes life difficult for crypto profs with cleared students

When James Clapper banned intelligence agency employees from discussing or acknowledging the existence of leaked docs (including the Snowden docs), he made life very hard for university professors like Matt Blaze, a security expert whose classes often have students with security clearance.

My own books -- which deal with leaks like these -- are taught at West Point at a course whose instructors include a member of US Cyber Command. I imagine a rule like this would make future inclusion on the curriculum difficult, if not impossible.


NSA collecting unimaginable quantities of mobile phone location data for guilt-by-association data-mining

A new Snowden leak reveals that the NSA and major US mobile phone carriers colluded to gather the location of millions of people around the world, including Americans in the USA, people not suspected of any crime, in order to data-mine them and ascribe guilt to people based on whether they were in proximity to suspected terrorists.

The program, called CO-TRAVELLER, tracks at least "hundreds of millions" of devices on "a planetary scale" and comprises at least 27 terabytes of data. According to an NSA document, the agency is gathering location data more quickly than it can store it, and has been building out more capacity at speed.

Less than one percent of the Snowden documents have been made public to date. Snowden was tasked by his employer with consolidating training and briefing materials from the NSA, and so he had access to enormous amounts of sensitive details on the NSA's internal programs.
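What a co-location analytic of this kind computes, as an added example that is not from the leaked documents (whose actual algorithms are not public) or from the original post: constructed cell-tower sightings for a target device T and four other devices are bucketed into (cell, 15-minute window) pairs, and any device that shares a bucket with the target is a candidate "co-traveler". The guilt-by-association problem is visible in the data: device B shares a cell with the target every morning because it rides the same bus, and is distinguished from a real associate only by requiring meetings at more than one place. Device names, cell identifiers and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime


def rec(dev, day, hhmm, cell):
    """Constructed cell-tower sighting: (device, timestamp, cell id), December 2013."""
    return (dev, datetime(2013, 12, day, int(hhmm[:2]), int(hhmm[2:])), cell)


# Constructed records. T is the target; the other devices are explained inline.
RECORDS = [
    rec("T", 2, "0803", "cell-17"), rec("T", 2, "1230", "cell-42"),
    rec("T", 3, "0801", "cell-17"), rec("T", 3, "1900", "cell-08"),
    rec("T", 4, "0805", "cell-17"), rec("T", 4, "1505", "cell-63"),
    rec("T", 5, "0802", "cell-17"), rec("T", 6, "0804", "cell-17"),
    # A: with the target at three different places on three different days
    rec("A", 2, "1241", "cell-42"), rec("A", 3, "1910", "cell-08"), rec("A", 4, "1500", "cell-63"),
    # B: rides the same 8 a.m. bus as the target every weekday, never meets them otherwise
    rec("B", 2, "0806", "cell-17"), rec("B", 3, "0804", "cell-17"), rec("B", 4, "0802", "cell-17"),
    rec("B", 5, "0805", "cell-17"), rec("B", 6, "0803", "cell-17"),
    # C: one chance overlap
    rec("C", 3, "1905", "cell-08"),
    # D: same city, never in the same cell at the same time as the target
    rec("D", 2, "0830", "cell-17"), rec("D", 4, "1600", "cell-63"),
]


def window(ts, minutes):
    """Floor a timestamp to the start of its time window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def co_travelers(records, target, window_minutes=15, min_meetings=3, min_distinct_cells=2):
    """Rank devices by how often they share a (cell, window) with the target.

    A device is flagged only if it met the target at least min_meetings times AND
    in at least min_distinct_cells different cells; the second condition is what
    separates an associate from someone who merely shares a commute."""
    presence = defaultdict(set)           # (cell, window) -> devices seen there
    for dev, ts, cell in records:
        presence[(cell, window(ts, window_minutes))].add(dev)

    meetings = defaultdict(list)          # other device -> [(cell, window), ...]
    for (cell, win), devices in presence.items():
        if target in devices:
            for dev in devices - {target}:
                meetings[dev].append((cell, win))

    report = {}
    for dev, seen in meetings.items():
        cells = {cell for cell, _ in seen}
        days = {win.date() for _, win in seen}
        report[dev] = {
            "meetings": len(seen),
            "cells": len(cells),
            "days": len(days),
            "flagged": len(seen) >= min_meetings and len(cells) >= min_distinct_cells,
        }
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["meetings"]))


if __name__ == "__main__":
    for dev, stats in co_travelers(RECORDS, "T").items():
        print(dev, stats)
    # With the distinct-cell requirement dropped, the commuter B is flagged too.
    naive = co_travelers(RECORDS, "T", min_distinct_cells=1)
    print("naive:", {d: s["flagged"] for d, s in naive.items()})
```

Two things worth noticing. The bucket sizes are the whole analytic: a coarser window or larger cells produce more "meetings" from pure coincidence, and nothing in the records themselves says which overlaps are meaningful. And the commuter B has the highest raw count of all, which is why a count threshold alone is the wrong filter; the distinct-cell (or distinct-day, or distinct-hour) requirement is a heuristic, not a ground truth, and the people it misclassifies are exactly the ones with no way to know they were scored.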

Wiretapping and crypto: those who snoop can still snoop

Matt Blaze analyzes the contents of The 2010 U.S. Wiretap Report: "Despite dire predictions to the contrary, the open availability of cryptography has done little to hinder law enforcement's ability to conduct investigations." (crypto.com)

How the American phone companies used to feel about privacy

Back in 2008, Matt Blaze put the push for immunity for telcos that participated in GW Bush's illegal wiretapping program in context: "As someone who began his professional career in the Bell System (and who stayed around through several of its successors), the push for telco immunity represents an especially bitter disillusionment for me. Say what you will about the old Phone Company, but respect for customer privacy was once a deeply rooted point of pride in the corporate ethos. There was no faster way to be fired (or worse) than to snoop into call records or facilitate illegal wiretaps, well intentioned or not. And it was genuinely part of the culture; we believed in it, even those of us ordinarily disposed toward a skeptical view of the official company line. Now it all seems like just another bit of cynical, focus-group-tested PR."

Warrantless wiretaps, redux

(Thanks, David!)

Previously:

- House passes wiretap telcom immunity bill
- EFF sues to overturn telcom immunity
- House votes against telcom immunity for illegal wiretapping ...
- Obama will defend telco spy immunity
- Diverse activists from left and right band together against ...
- Telecom immunity video
- Grimly hilarious cartoon about telecom immunity and warrantless ...
- Telecom Immunity bill dying, thanks to you -- KEEP IT UP! - Boing ...

Airport security and architecture

Matt Blaze has a great piece on the architecture of airport security -- not enough seating to put your shoes back on, conveyors that aren't the same heights as the tables that feed them. I keep thinking about how the security system is designed for an octopus: what else could hold a boarding card, a pair of shoes, a jacket, a laptop, a freedom baggie, ID, and a carry-on bag?

The word is that TSA has tapped Disney to redesign its checkpoints, but it seems like the TSA has been redesigning Disney instead. On a trip to Walt Disney World, I discovered fingerprinting machines at all the entrances, as well as totally meaningless, time-consuming, invasive (but perfunctory) searches.

Somehow, for all the attention to minutiae in the guidelines, everything ends up just slightly wrong by the time it gets put together at an airport. Even if we accept some form of passenger screening as a necessary evil these days, today's checkpoints seem like case studies in basic usability failure designed to inflict maximum frustration on everyone involved. The tables aren't quite at the right height to smoothly enter the X-ray machines, bins slide off the edges of tables, there's never enough space or seating for putting shoes back on as you leave the screening area, basic instructions have to be yelled across crowded hallways. According to the TSA's manual, there are four models of standard approved X-ray machines, from two different manufacturers. All four have slightly different heights, and all are different from the heights of the standard approved tables.


Study reveals security holes for evading wiretaps

In the NYT, John Markoff and John Schwartz report:

The technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely, according to research by computer security experts who studied the system. It is also possible to falsify the numbers dialed, they said.

Someone being wiretapped can easily employ these "devastating countermeasures" with off-the-shelf equipment, said the lead researcher, Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania.

"This has implications not only for the accuracy of the intelligence that can be obtained from these taps, but also for the acceptability and weight of legal evidence derived from it," Mr. Blaze and his colleagues wrote in a paper that will be published today in Security & Privacy, a journal of the Institute of Electrical and Electronics Engineers.


Locksmiths freak out over "Safecracking for the computer scientist"

A crypto researcher named Matt Blaze wrote a paper called "Safecracking for the computer scientist" that detailed the common vulnerabilities in safes in use today (Bruce Schneier called the paper "excellent").

The result, though, has been a round of incredible ire, bile and moaning from locksmiths and safe-makers, who have filled Usenet with angry recriminations against Blaze, who has committed the cardinal sin of explaining that their products don't work as advertised.

The real problem is that people like Blaze are in positions of trust in society. Then he abuses it by publishing trade secrets in the name of research.

When they do things like this and get away with it, it gives other people like him the idea that this is OK. We have to nip it in the bud or soon there will be no security left after these intellectuals get through with us.


(via Schneier)
