Son of Spectre: researchers are about to announce eight more Meltdown-style defects in common microprocessors

The New Years revelation that decades' worth of Intel's processors had deep, scary defects called "Spectre" and "Meltdown" still has security experts reeling as they contemplate the scale of patching billions of devices that are vulnerable to attack. Read the rest

In 60 seconds, security researchers can clone the master hotel-room keys for 140,000 hotels in 160 countries

The Vingcard Vision locks are RFID-based hotel locks; at this week's Infiltrate conference in Miami, Tomi Tuominen and Timo Hirvonen from F-Secure will present a method for combining a $300 Proxmark RFID tool with any discarded key from a given hotel to derive the master keys that allow them to unlock every room in the hotel, a process that takes less than 60 seconds. Read the rest

Dropbox has some genuinely great security reporting guidelines, but reserves the right to jail you if you disagree

Dropbox has published a set of guidelines for how companies can "encourage, support, and celebrate independent open security research" -- and they're actually pretty great, a set of reasonable commitments to take bug reports seriously and interact respectfully with researchers. Read the rest

Teen's devastating bug-report on a "tamper-proof" cryptocurrency wallet shows why companies can't be left in charge of bad news about their products

Saleem Rashid is a 15 year old self-taught British programmer who discovered a fatal defect in the Ledger Nano S, an offline cryptocurrency wallet that is marketed as being "tamper-proof." Read the rest

Origin story of the Mimikatz password cracker is a parable about security, disclosure, cyberwar, and crime

Five years ago, Benjamin Delpy was working for an unspecified French government agency and teaching himself to program in C, and had discovered a vital flaw in the way that Windows protected its users' passwords. Read the rest

Security researchers repeatedly warned Kids Pass about bad security, only to be ignored and blocked

Kids Pass is a service that offers discounts on family activities in the UK; their website makes several common -- and serious -- security problems that could allow hackers to capture their users' passwords, which endangers those users' data on other services where they have (unwisely) recycled those same passwords. Read the rest

Camera-equipped sex toy manufacturer ignores multiple warnings about horrible, gaping security vulnerability

The uniquely horribly named Svakom Siime Eye is an Internet of Things sex-toy with a wireless camera that allows you to stream video of the insides of your orifices as they are penetrated by it; researchers at the UK's Pen Test Partners discovered that once you login to it via the wifi network (default password "88888888"), you can root it and control it from anywhere in the world. Read the rest

Wikileaks offers tech giants access to sourcecode for CIA Vault 7 exploits

Wikileaks' seismic Vault 7 release didn't follow the usual Wikileaks procedure: perhaps in response to earlier criticism, the organization redacted many of the files prior to their release, cutting names of CIA operatives and the sourcecode for the cyber-weapons the CIA had developed, which exploit widely used mobile devices, embedded systems, and operating systems. Read the rest

This dump of Iphone-cracking tools shows how keeping software defects secret makes everyone less secure

Last month, a hacker took 900GB of data from Cellebrite, an Israeli cyber-arms dealer that was revealed to be selling surveillance and hacking tools to Russia, the UAE, and Turkey. Read the rest

Panasonic's in-flight entertainment systems have critical security flaws

In March 2015, IOActive's Ruben Santamarta privately disclosed his findings on the major bugs in Panasonic's Avionics IFE in-flight entertainment systems; 18 months later, it's not clear whether all airlines have patched these bugs. Read the rest

Security researcher discovers glaring problem with patient data system, FBI stages armed dawn raid

Justin Shafer was roused from his bed this week by thunderous knocking at his North Richland Hills, Texas home, and when he opened the door, found himself staring down the barrel of a 'big green' assault weapon, wielded by one of the 12-15 armed FBI agents on his lawn. Read the rest

Proof-of-concept firmware worm targets Apple computers

It's like Bad USB, with extra Thunderbolt badness: Web-based attacks can insert undetectable malicious software into a Mac's UEFI/BIOS, which spreads to other machines by infecting Thunderbolt and USB devices. Read the rest