Antivirus maker SentinelOne uses copyright claims to censor video of security research that revealed defects in its products

At this week's B-Sides Manchester security conference, James Williams gave a talk called "Next-gen AV vs my shitty code," in which he systematically revealed the dramatic shortcomings of anti-virus products that people pay good money for and trust to keep them safe -- making a strong case that these companies were selling defective goods.

Criminals have perfected the art of taking over dead people's online accounts

When you die, your relatives will be sad and (depending on the circumstances of your death) possibly left scrambling to make arrangements for your remains, effects, and estate.

Big Bang: the "stupid patent" on teledildonics has expired

Twenty years ago, the US Patent and Trademark Office granted patent number 6,368,268: "Method and device for interactive virtual control of sexual aids using digital computer networks," a minor classic of a majorly fucked-up genre, the bullshit tech patent that simply adds "with a computer" to some absolutely obvious and existing technology or technique.

Award-winning security research reveals a host of never-seen, currently unblockable web-tracking techniques

Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies won the Distinguished Paper prize at this year's Usenix Security Conference; its authors, researchers at Belgium's Catholic University in Leuven, revealed a host of devastating, never-seen tracking techniques for identifying web-users who were using privacy tools supplied by browser-vendors and third-party tracking-blocking tools.

Truthful security disclosures should always be legal. Period.

After a week of blockbuster security revelations from Defcon it's important to take a step back and address the ongoing battle by companies to seize a veto over who can reveal defects in their products.

Insecure medical equipment protocols let attackers spoof diagnostic information

Douglas McKee of McAfee presented his research into the security of medical diagnostic equipment at last week's Defcon conference in Las Vegas.

Leaked FBI memo warns banks of looming "unlimited ATM cashout"

When scammers get inside of the networks of financial institutions, they sometimes stage "cashouts" where they recruit confederates around the world to all hit ATMs at the same time with cards tied to hacked accounts and withdraw the maximum the ATMs will allow; but the wilier criminals first disable the anti-fraud and withdrawal maximum features in the banks' systems, enabling confederates to drain ATMs of all the cash they contain. This is called an "unlimited cashout."

Hackers find exploitable vulnerabilities in Amazon Echo, turn one into a listening device

At Defcon, Tencent's Wu HuiYu and Qian Wenxiang presented Breaking Smart Speakers: We are Listening to You, detailing their work in successfully exploiting an Amazon Alexa speaker, albeit in a very difficult-to-achieve fashion.

The eminently hackable police bodycam

Josh Mitchell's Defcon presentation analyzes the security of five popular brands of police bodycams (Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc) and reveals that they are universally terrible, though the Digital Ally models are the least bad of the batch, as Wired's Lily Hay Newman reports.

Interview with a cryptocurrency scammer

Adam Guerbuez is a cryptocurrency evangelist whose YouTube channel is full of videos promoting cryptocurrency trading; when he got a Twitter message from a scammer promising to send him free Ethereum coins, he asked the scammer if they could talk about the scam.

Stylistic analysis can de-anonymize code, even compiled code

A presentation today at Defcon from Drexel computer science prof Rachel Greenstadt and GWU computer science prof Aylin Caliskan builds on the pair's earlier work in identifying the authors of software and shows that they can, with a high degree of accuracy, identify the anonymous author of software, whether in source-code or binary form.

Bad infrastructure means pacemakers can be compromised before they leave the factory

It's been ten years since the first warnings about the security defects in pacemakers, which made them vulnerable to lethal attacks over their wireless links, and since then the news has only gotten worse: one researcher found a way to make wireless pacemaker viruses that spread from patient to patient in cardiac care centers, and the medical device makers responded to all this risk by doubling down on secrecy and the use of proprietary code.

Defective Comcast security exposes 26.5m customers' partial Social Security Numbers and addresses

Comcast Xfinity's login page had an easily found bug that allowed anyone to gain access to the partial Social Security Numbers and partial home addresses of over 26.5 million customers.

State of Georgia goes to court to defend voting machines that recorded 243% voter turnouts

A federal lawsuit brought by voting security activists against the State of Georgia has revealed breathtaking defects in the state's notoriously terrible voting machines -- and, coincidentally, the machines in question were wiped and repeatedly degaussed by the state before they could be forensically examined as evidence of their unsuitability for continued use.

Cornered FCC admits that its website was never hacked

When the FCC announced its intention to kill Network Neutrality, it had to accept public comments, and what followed was bizarre even by Trump-era standards: first, millions of living, breathing Americans sent so many pro-Net Neutrality comments to the FCC that the website crashed; then bots spammed the FCC with millions of obviously fake anti-Neutrality comments, stealing the identities of real Americans (including two US Senators!) to do so; despite the overwhelming evidence that humans loved Net Neutrality and bots hated it, the FCC declared that it would give the bot comments equal weight with the human ones; and then it stopped accepting comments, claiming that its website had been hacked.

Consumer Reports now evaluates products' security and privacy

Consumer Reports is arguably America's most trusted source of product reviews -- published by Consumers Union, a venerable nonprofit with a deserved reputation for scrupulous care and neutrality -- and for years it has been wrestling with how to address privacy and cybersecurity in modern products (disclosure: I have advised them some on this).

Equifax says it's spent $200m on security since the breach, so everything's OK now

It's been a year since Equifax doxed the nation of America through carelessness, deception and greed, lying about it and stalling while the problem got worse and worse.
