An investigation by Propublica and Bayerischer Rundfunk found 187 servers hosting more than 5,000,000 patients' confidential medical records and scans (including a mix of Social Security numbers, home addresses and phone numbers, scans and images, and medical files) that were accessible by the public, "available to anyone with basic computer expertise." Read the rest
Eleanor Saitta's (previously) 2016 essay "Coercion-Resistant Design" (which is new to me) is an excellent introduction to the technical countermeasures that systems designers can employ to defeat non-technical, legal attacks: for example, the threat of prison if you don't back-door your product. Read the rest
For decades, people (including me) have predicted that cyberinsurers might be a way to get companies to take security seriously. After all, insurers have to live in the real world (which is why terrorism insurance is cheap, because terrorism is not a meaningful risk in America), and in the real world, poor security practices destroy peoples' lives, all the time, in wholesale quantities that beggar the imagination. Read the rest
The Canadian activist group Open Privacy Research Society has discovered that Vancouver, BC hospitals routinely wirelessly broadcast patient telemetry and admissions data, without encryption to doctor paging systems. It is trivial to intercept these transmission. Read the rest
Andy Greenberg (previously) is Wired's senior security reporter; he did amazing work covering Russian cyberwarfare in Ukraine, which he has expanded into a forthcoming book: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers (I read it for a blurb and a review; it's excellent). Read the rest
Purism (previously) is a company that crowdfunds free/open laptops and phones whose design goal is to have no proprietary software, even at the lowest levels. The company is best known for its Purism laptops, and I'm very fond of mine (it didn't end up replacing my Thinkpad, only because I'm addicted to the trackpoint for mousing, and trackpads give me raging RSI) (that said, getting any GNU/Linux to run on a current-model Thinkpad is so hard and results in such a rotten experience that I'm reconsidering whether to switch back). Read the rest
I once found myself staying in a small hotel with a "State Department" family whose members clearly all worked for some kind of three letter agency (the family patriarch had been with USAID with the tanks rolled into Budapest) and I had some of the weirdest discussions of my life with them. Read the rest
You know what's great about putting wifi-enabled, Turing-complete computers into things like lightbulbs? Not. A. Single. Fucking. Thing. Read the rest
Last week at Defcon, a security researcher named Smea presented their findings on vulnerabilities in the Lovesense Hush, an internet-of-things buttplug that has already been shown to have critical privacy vulnerabilities. Read the rest
Few states have voting machines that are simultaneously more obviously defective and more ardently defended by the state government than Georgia, where 16-year-old touchscreen systems are prone to reporting ballots cast by 243% of the eligible voters and where gross irregularities in election administration sends voters to the wrong polling places or sends co-habitating husbands and wives to polls in different cities to cast their votes. Read the rest
Apple's Faceid -- a facial recognition tool that unlocks mobile devices -- has a countermeasure that is designed to prevent attackers from scanning an sleeping/unconscious (or dead) person's face to unlock their phone, by scanning the face for signs of consciousness. Read the rest
Security research Matt Wixey from PWC UK tried putting different kinds of consumer speakers -- noise canceling headphones, smart speakers, parametric speakers -- in an anechoic chamber after infecting them with malware that caused them to emit tones beyond those intended by the manufacturer. Read the rest
Election Systems & Software (ES&S) is America's leading voting machine vendor; they tell election officials (who are county-level officials who often have zero cybersecurity advice or expertise) not to connect their systems to the internet, except briefly to transmit unofficial tallies on election night. Read the rest
One of the wonderful and terrible things about the internet is how it allows people seeking others with hard-to-find traits to find them: advertisers can find people thinking about buying a refrigerator; people who think they might be trans can find others in the same boat and make common cause; people with the same rare disease can form support groups, and Nazis can find sociopaths to march through the streets of Charlottesville carrying tiki torches and chanting "Jews will not replace us." Read the rest
This week at B-Sides LV, security researcher Pavel Tsakalidis presented his work on security defects in the Electron framework, a cross-platform development framework that combines Javascript with Node.js: apps built with Electron include Skype, Slack, Whatsapp, Visual Studio Code and others. Read the rest
IBM's ridiculously named X-Force Red have documented a new attack vector they've dubbed "Warshipping": they mailed a sub-$100 custom, wifi-enabled low-power PC with a cellular radio to their target's offices. Read the rest
