Australia just voted to ban working cryptography. No, really.

Remember when Malcolm Turnbull, the goddamned idiot who was briefly Prime Minister of Australia, was told that the laws of mathematics mean that there was no way to make a cryptography system that was weak enough that the cops could use it to spy on bad guys, but strong enough that the bad guys couldn't use it to spy on cops, and he said: "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

A Trustmark for IoT: separating the Internet of Shit from the Internet of Things

Peter writes, "ThingsCon, our Berlin-based non-profit for a more responsible IoT, launches a trustmark for IoT - the Trustable Technology Mark. Cory gave some input to it a while back already, and finally it's launch day: We want to highlight the best work in IoT, the best/most respectful of users' rights, privacy and security. It's an entirely non-profit effort to elevate the debate in this odd space that's full of crap; I think you might like it."

Facebook lured charities to its platform, then abandoned them once they got hacked

Facebook's walled garden/roach motel strategy made it progressively harder and harder for charities to reach supporters on the web, driving them within Facebook's confines, where they devoted thousands of hours to making their Facebook presence attractive and pleasing to Facebook's algorithm.

Sennheiser's headphone drivers covertly changed your computer's root of trust, leaving you vulnerable to undetectable attacks

Your computer ships with a collection of trusted cryptographic certificates, called its "root of trust," which are consulted to verify things like SSL connections and software updates.

Princeton's interdisciplinary Center for Information Technology Policy is seeking visiting scholars

Are you a PhD with an interest in "the intersection of digital technology and public life, including experts in computer science, sociology, economics, law, political science, public policy, information studies, communication, and other related disciplines?" Princeton's CITP has three open job postings for 10-month residencies starting Sept 1, 2019.

Using information security to explain why disinformation makes autocracies stronger and democracies weaker

The same disinformation campaigns that epitomize the divisions in US society -- beliefs in voter fraud, vaccine conspiracies, and racist conspiracies about migrants, George Soros and Black Lives Matter, to name a few -- are a source of strength for autocracies like Russia, where the lack of a consensus on which groups and views are real and which are manufactured by the state strengthens the hand of Putin and his clutch of oligarchs.

Malware vector: become an admin on dormant, widely-used open source projects

Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive.

Best data erasure method ever: longbow

Julian Oliver ("Critical Engineer, artist, immigrant and educator. Shoots arrows, eats plants") has found a novel and by all appearances very satisfying way to safely erase the data from old hard drives: 50lb Longbow, two arrows at 15 yards. (via JWZ)

For $20, you can make a DIY Stingray in minutes, using parts from Amazon

Stingrays were once the most secretive of surveillance technology: devices whose existence was so sensitive that the feds actually raided local cops and stole their crime files to stop them from being introduced in court and revealing the capability to spy on cellular phones.

A leaky database of SMS messages is a reminder that SMS is really, really insecure

Berlin-based security researcher Sébastien Kaul discovered that Voxox (formerly Telcentris) -- a giant, San Diego-based SMS gateway company -- had left millions of SMSes exposed on an Amazon cloud server, with an easily queried search front end that would allow attackers to watch as SMSes with one-time login codes streamed through the service.

Generative adversarial network produces a "universal fingerprint" that will unlock many smartphones

Researchers at NYU and U Michigan have published a paper explaining how they used a pair of machine-learning systems to develop a "universal fingerprint" that can fool the lowest-security fingerprint sensors 76% of the time (it is less effective against higher-security sensors).

One year later: kids' smart-watches are still a privacy and security dumpster fire

A year ago, the Norwegian Consumer Council commissioned a study into kids' smart watches, finding that they were incredibly negligent when it came to security and incredibly greedy when it came to surveillance: a deadly combination that meant that these devices were sucking up tons of sensitive data on kids' lives and then leaving it lying around for anyone to take.

If you're an American of European descent, your stupid cousins have probably put you in vast commercial genomic databases

Remember when they caught the Golden State Killer by comparing DNA crime-scene evidence to big commercial genomic databases (like those maintained by Ancestry.com, 23andMe, etc) to find his family members and then track him down?

"Privacy Not Included": Mozilla's guide to insecure, surveillant gadgets to avoid

"Privacy Not Included" is Mozilla's Christmas shopping (anti)-guide to toys and gadgets that spy on you and/or make stupid security blunders, rated by relative "creepiness," from the Nintendo Switch (a little creepy) to the Fredi Baby monitor (very creepy!).

Nigerian telco says it accidentally routed Google traffic through China

BGP is a notoriously insecure process by which routes for internet data are advertised and discovered by routers; its ubiquity and insecurity make it a prime suspect whenever it seems that national spy agencies might be diverting traffic.

Researchers keep finding Spectre-style bugs in processors

In January 2018, researchers made a blockbuster announcement of seemingly unpatchable security bugs lurking in Intel processors; after a round of initial reassurances about the mitigations for these bugs, it became apparent that the reassurances were overblown, and active exploits were found in the field -- and then still more bugs exploiting "speculative execution" started to pour out of the security research community.

Italian prosecutors have given up on catching the person who hacked and destroyed Hacking Team

Hacking Team (previously) was an Italian company that developed cyberweapons that it sold to oppressive governments around the world, to be used against their own citizens to monitor and suppress political opposition; in 2015, a hacker calling themselves "Phineas Fisher" hacked and dumped hundreds of gigabytes' worth of internal Hacking Team data, effectively killing the company.