schneier

Facial recognition isn't just bad because it invades privacy: it's because privacy invasions fuel discrimination

Bruce Schneier writes in the New York Times that banning facial recognition (as cities like San Diego, San Francisco, Oakland, Brookline and Somerville have done) is not enough: there are plenty of other ways to automatically recognize people (gait detection, high-resolution photos of hands that reveal fingerprints, voiceprints, etc), and these will all be used for the same purpose that makes facial recognition bad for our world: to sort us into different categories and treat us different based on those categories. Read the rest

Schneier: "It's really too late to secure 5G networks"

Bruce Schneier's Foreign Policy essay in 5G security argues that we're unduly focused on the possibility of Chinese manufacturers inserting backdoors or killswitches in 5G equipment, and not focused enough on intrinsic weakness in a badly defined, badly developed standard wherein "near-term corporate profits prevailed against broader social good." Read the rest

Model stealing, rewarding hacking and poisoning attacks: a taxonomy of machine learning's failure modes

A team of researchers from Microsoft and Harvard's Berkman Center have published a taxonomy of "Failure Modes in Machine Learning," broken down into "Intentionally-Motivated Failures" and "Unintended Failures." Read the rest

The top FBI lawyer who tried to force Apple to backdoor its crypto now says working crypto is essential to public safety and national security

Jim Baker served as the FBI's general counsel from 2014 until 2017, and he presided over the the FBI's attempt to force Apple to undermine its cryptography under the rubric of investigating the San Bernadino shooters; he has long been a prominent advocate for mass surveillance, but he has had a change of heart: in a long, detailed essay on Lawfare, Baker explains why he believes that governments should not seek to introduce defects into cryptographic systems. Read the rest

Bruce Schneier makes the case for "public interest technologists"

Law school grads routinely go to work for crusading nonprofits and even those in private practice do pro bono work, thanks to a widespread understanding that lawyers have a professional duty to work for the public interest -- after all, understanding and navigating the law is a necessary precondition for freedom and fairness. Read the rest

After banning working cryptography and raiding whistleblowers, Australia's spies ban speakers from national infosec conference

Australian politics are a revolting mess of unstable governments dominated by xenophobic, climate-denying far-right oligarchs, and the only check on their power is the fact that Australian governments are so riven by internal strife and unhinged authoritarianism that they tend to collapse on a quarterly basis, triggering new elections and/or leadership contests. Read the rest

Assessing the security of devices by measuring how many difficult things the programmers tried to do

The Cyber Independent Testing Lab is a security measurement company founded by Mudge Zadko (previously), late of the Cult of the Dead Cow and l0pht Heavy Industries and the NSA's Tailored Access Operations Group; it has a unique method for assessing the security of devices derived from methods developed by Mudge at the NSA. Read the rest

Why haven't cyberinsurers exerted more pressure on companies to be better at security?

For decades, people (including me) have predicted that cyberinsurers might be a way to get companies to take security seriously. After all, insurers have to live in the real world (which is why terrorism insurance is cheap, because terrorism is not a meaningful risk in America), and in the real world, poor security practices destroy peoples' lives, all the time, in wholesale quantities that beggar the imagination. Read the rest

Notpetya: the incredible story of an escaped US cyberweapon, Russian state hackers, and Ukraine's cyberwar

Andy Greenberg (previously) is Wired's senior security reporter; he did amazing work covering Russian cyberwarfare in Ukraine, which he has expanded into a forthcoming book: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers (I read it for a blurb and a review; it's excellent). Read the rest

Defeating Apple's Faceid's proof-of-life by putting tape over glasses' lenses

Apple's Faceid -- a facial recognition tool that unlocks mobile devices -- has a countermeasure that is designed to prevent attackers from scanning an sleeping/unconscious (or dead) person's face to unlock their phone, by scanning the face for signs of consciousness. Read the rest

Design competition to create graphics to illustrate cybersecurity stories

Illustrating abstract articles is a pain in the ass, and in the age of social media, a post without an illustration is likely to disappear without attaining any kind of readership, which leaves those of us who cover the field endlessly remixing HAL9000 eyes using walls of code, Matrix text-waterfalls, or variations on hacker-in-a-hoodie. Read the rest

Siemens contractor hid "logic bomb" in complicated spreadsheet, guaranteeing future maintenance work

David Tinley developed complex spreadsheets under contract to Siemens, which used them to manage its equipment orders; Tinley hid "logic bombs" in the spreadsheets' scripts that caused them to malfunction every couple of years, which would gin up new work for him as he was called in to fix them. Read the rest

William Barr's terrible, stupid idea to ban working crypto is slightly less terrible and stupid than earlier ideas

Proposals to ban working cryptography were all the rage in the Clinton years, but then they fell out of vogue for a decade, only to come roaring back in the form of bizarre proposals each stupider than the last, with Australia bringing home the gold in the Dumbfuck Olympics. Read the rest

US election security: still a dumpster fire

Securing Our Cyber Future, Stanford Cyber Policy Center's new report on election security, depicts a US electoral system whose glaring vulnerabilities are still in place, three years after the chaos of the 2016 elections. Read the rest

In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction

In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on Iphones that exploits minute differences in sensor calibration: an Iphone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries to the sensors made through automated background processes running on the page. Read the rest

The world's preeminent cryptographers can't get visas to speak at US conferences

Ross Anderson (previously) is one of the world's top cryptographers; the British academic and practitioner was honored by having his classic, Security Engineering, inducted into The Cybersecurity Canon; however, he was not able to attend the awards gala himself because the US government sat on his visa application for months, and ultimately did not grant it in time. Read the rest

Securepairs.org will send debullshitifying security researchers to Right to Repair hearings to fight industry FUD

Dozens of Right to Repair bills were introduced across the USA last year, only to be defeated by hardcore lobbying led by Apple and backed by a rogue's gallery of giant manufacturers of every description; one of the most effective anti-repair tactics is to spread FUD about the supposed security risks of independent repairs. Read the rest

Next page

:)