Schneier: "It's really too late to secure 5G networks"

Bruce Schneier's Foreign Policy essay on 5G security argues that we're unduly focused on the possibility of Chinese manufacturers inserting backdoors or killswitches in 5G equipment, and not focused enough on the intrinsic weakness of a badly defined, badly developed standard wherein "near-term corporate profits prevailed against broader social good."

Tickets for Hackers on Planet Earth (HOPE) 2020 are now on sale!

Aestetix writes, "HOPE 2020 [ed: Hackers on Planet Earth, the triennial, astoundingly great hacker con put on by 2600 Magazine] is in a brand new location and will be bigger and better than ever with lots more activities and space - all without leaving New York City! It will be held from July 31st to August 2nd at St. John's University in Queens. Get your tickets now for only $200, while supplies last."

A Public Service: a comprehensive, comprehensible guide to leaking documents to journalists and public service groups without getting caught

In A Public Service, activist/trainer Tim Schwartz presents the clearest-ever guide to securely blowing the whistle, explaining how to exfiltrate sensitive information from a corrupt employer -- ranging from governments to private firms -- and get it into the hands of a journalist or public interest group in a way that maximizes your chances of making a difference (and minimizes your chances of getting caught).

A profile of Cliff "Cuckoo's Egg" Stoll, a pioneering "hacker hunter"

Cliff Stoll (previously) is a computing legend: his 1989 book The Cuckoo's Egg tells the story of how he was drafted to help run Lawrence Berkeley Lab's computers (he was a physicist who knew a lot about Unix systems), and then discovered a $0.75 billing discrepancy that set him on the trail of East German hackers working for the Soviet Union, using his servers as a staging point to infiltrate US military networks.

Idiotic security mistakes in smart conferencing gear allow hackers to spy on board rooms, steal presentations

Dten is a "certified hardware provider" for Zoom, making smart screens and whiteboards for videoconferencing; a Forescout Research report reveals that Dten committed a string of idiotic security blunders in designing its products, exposing its customers to video and audio surveillance, as well as theft of presentations and whiteboard data.

Happy 10th birthday, TAILS -- the real Paranoid Linux!

In my 2008 novel Little Brother, the underground resistance uses a secure operating system called "Paranoid Linux" that is designed to prevent surveillance and leave no evidence of its use; that was fiction, but there's a real Paranoid Linux out there: Tails, The Amnesic Incognito Live System, and it turns 10 today.

Nulledcast: a podcast where hackers play live audio of themselves breaking into Ring cameras and tormenting their owners

Nulledcast is a real-time podcast streamed on a Discord channel for the hacking forum Nulled: the hosts break into Ring and Nest cameras live, blare sirens at the owners, then torment them with insults and racist slurs, livestreaming their responses to hundreds of listeners.

Family puts Ring camera in children's room, discovers that hacker is watching their kids 24/7, taunting them through the speaker

A family in DeSoto County, Mississippi, bought a Ring security camera so they could keep an eye on their three young girls in their bedroom. Four days later, they learned that a hacker had broken into the camera and subjected their children to continuous bedroom surveillance, taunting the children through the camera's built-in speaker.

Amazon's Ring surveillance doorbell leaks its customers' home addresses, linked to their doorbell videos

Evan from Fight for the Future writes, "A new investigation from Gizmodo just revealed that anyone, anywhere can get geographic coordinates of Ring devices from Amazon's Neighbors App. Not only can someone find out where users live, they can use footage to track bystanders, locate children, and monitor people going into buildings, like clinics, for private appointments. Amazon sells these devices under the guise of keeping us safe. They're lying. Their surveillance devices and network put us all in danger. We need lawmakers to fully investigate the threats associated with Amazon's dragnet and its impact on our privacy, security, and civil liberties. Fight for the Future has launched a campaign calling for Congress to investigate Amazon's surveillance practices. You can add your name here." (Image: Dan Calacci/MIT)

Model stealing, reward hacking and poisoning attacks: a taxonomy of machine learning's failure modes

A team of researchers from Microsoft and Harvard's Berkman Center has published a taxonomy of "Failure Modes in Machine Learning," broken down into "Intentionally-Motivated Failures" and "Unintended Failures."

95% of America's largest voting districts' mailservers lack basic anti-phishing protection

DMARC is an anti-email-spoofing mechanism that mail-server administrators can enable; it's designed to let receiving servers reject emails with forged sender addresses.

Browser plugins from Avast and AVG yanked for stealing user data

The Firefox extensions store removed four plugins from Avast/AVG, including two that are supposed to keep users safe from malicious activity, because they appeared to be stealing browser histories and other user data.

This Welsh password generator might keep you safe from hackers, but definitely from dragons

Inspired by XKCD's classic diceware strip, a programmer named Alice created an open-source algorithm to randomly generate secure passphrases in Welsh. As difficult as it would be for any human or computer to figure out a nonsense phrase like, "correct horse battery staple," it would be even more difficult to guess, "stwffwl batri ceffyl cywir," especially when there are only about 700,000 Welsh speakers to begin with.

While I'm no cryptologist, I did run a few of the passwords through HowSecureIsMyPassword.net and My1Login.net and they seemed to work out all right. According to those sites, respectively, it would take 11 quattuordecillion years or 1 trillion trillion trillion years for a computer to crack "DrefnasidRhyd-y-meirchSefydlogiad6*." Similarly, "GlaeruchdyrauGymreigeiddiaiBarcdir0**" would take 429 tredecillion years or 94 billion trillion trillion years.

However, as Alice the programmer warns: "It's probably not a good idea to actually use this, since the wordlist is freely available along with the algorithm being used."

So it might not stop a really clever hacker from getting into your email. But it will almost certainly stop a mythic Welsh dragon from stealing your identity. Probably. I'm assuming their claws are pretty clumsy on the keyboard.

Welsh Password Generator [WheresAlice.info]

Image via Lewis Ogden/Flickr (altered)

*Google Translate tells me this means, "The ford of the horses was arranged." I don't know that I trust it—Google Translate is famously sloppy with the grammar of some Celtic languages—but it certainly sounds epic.

**Similarly, this became "Parkland was a Welsh occupation" which sounds like something you would hear on the Breton version of InfoWars.

Tiny alterations in training data can introduce "backdoors" into machine learning models

In TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents, a group of Boston University researchers demonstrate an attack on machine learning systems trained with "reinforcement learning," in which ML systems derive solutions to complex problems by iteratively trying multiple solutions.

Consumer Reports Labs is hiring 8 staffers: technologists, journalists and wonks

Consumer Reports' Digital Lab does groundbreaking privacy research: they're hiring for eight positions including technologists ("resident hacker," "digital standard manager," "information security researcher," "program manager, security and testing," and "privacy testing project leader"); journalists ("digital content manager"); policy and comms ("senior researcher, digital competition" and "associate director, strategic communications — technology and privacy"). Most of the positions are NYC, SF or DC based; several allow for remote workers. (Thanks, Ben!)

Sand thieves believed to be behind epidemic of Chinese GPS jamming

Ships' captains and outside monitoring firms have reported waves of GPS jamming around Shanghai's ports, on a scale and of a severity never seen before: the jamming causes ships' locations to be incorrectly displayed and to jump around; the observations were confirmed via an anonymized (sic) data-set from a short-hire bike firm, whose bikes are also mysteriously appearing and disappearing at locations all through the region. The spoofing has created a massive local shipping hazard and has led to spectacular shipwrecks.

An interview with Andy Greenberg about his book Sandworm, on the Russian state hackers who attack power grids

Wired security reporter Andy Greenberg's latest book is Sandworm (previously), a true-life technothriller that tells the stories of the cybersecurity experts who analyzed and attributed a series of ghastly cyberwar attacks that brought down parts of the Ukrainian power grid, and then escaped the attackers' control and spread all over the world.
