Australia just voted to ban working cryptography. No, really.

Remember when Malcolm Turnbull, the goddamned idiot who was briefly Prime Minister of Australia, was told that the laws of mathematics mean there is no way to make a cryptography system that is weak enough for the cops to use to spy on bad guys, but strong enough that the bad guys couldn't use it to spy on cops, and he said: "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

A Trustmark for IoT: separating the Internet of Shit from the Internet of Things

Peter writes, "ThingsCon, our Berlin-based non-profit for a more responsible IoT, launches a trustmark for IoT - the Trustable Technology Mark. Cory gave some input to it a while back already, and finally it's launch day: We want to highlight the best work in IoT, the best/most respectful of users' rights, privacy and security. It's an entirely non-profit effort to elevate the debate in this odd space that's full of crap; I think you might like it."

Marriott-Starwood data breach: 500 million guests may be affected, hackers active since 2014

How bad is the Marriott/Starwood breach disclosed today? "Unauthorized access to the Starwood network since 2014 … For approximately 327M of these guests, the info includes some combination of name, mailing address, phone number, email address, passport number."

Marriott says information from as many as 500 million people has been compromised, and credit card numbers and expiration dates of some guests may have been taken.

Sennheiser's headphone drivers covertly changed your computer's root of trust, leaving you vulnerable to undetectable attacks

Your computer ships with a collection of trusted cryptographic certificates, called its "root of trust," which are consulted to verify things like SSL connections and software updates.

Princeton's interdisciplinary Center for Information Technology Policy is seeking visiting scholars

Are you a PhD with interest in "the intersection of digital technology and public life, including experts in computer science, sociology, economics, law, political science, public policy, information studies, communication, and other related disciplines"? Princeton's CITP has three open job postings for 10-month residences starting Sept 1, 2019.

Malware vector: become an admin on dormant, widely-used open source projects

Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive.

But Her Emails: Ivanka Trump used personal email account for messages about her government work

Yes, irony is dead. The Washington Post reports that Presidential Daddy Daughter Ivanka Trump used a personal email account to receive and send emails about her work for the government of the United States.

A leaky database of SMS messages is a reminder that SMS is really, really insecure

Berlin-based security researcher Sébastien Kaul discovered that Voxox (formerly Telcentris) -- a giant, San Diego-based SMS gateway company -- had left millions of SMSes exposed on an Amazon cloud server, with an easily queried search front end that would allow attackers to watch as SMSes with one-time login codes streamed through the service.

Generative adversarial network produces a "universal fingerprint" that will unlock many smartphones

Researchers at NYU and U Michigan have published a paper explaining how they used a pair of machine-learning systems to develop a "universal fingerprint" that can fool the lowest-security fingerprint sensors 76% of the time (it is less effective against higher-security sensors).

One year later: kids' smart-watches are still a privacy and security dumpster fire

A year ago, the Norwegian Consumer Council commissioned a study into kids' smart watches, finding that they were incredibly negligent when it came to security and incredibly greedy when it came to surveillance: a deadly combination that meant that these devices were sucking up tons of sensitive data on kids' lives and then leaving it lying around for anyone to take.

Companies keep losing your data because it doesn't cost them anything

Data breaches keep happening, they keep getting worse, and yet companies keep collecting our data in ever-more-invasive ways, subjecting it to ever-longer retention, and systematically underinvesting in security.

If you're an American of European descent, your stupid cousins have probably put you in vast commercial genomic databases

Remember when they caught the Golden State Killer by comparing DNA crime-scene evidence to big commercial genomic databases (like those maintained by Ancestry.com, 23andMe, etc) to find his family members and then track him down?

Challenge yourself by building this DIY wooden combination lock

Is a wooden lock as tough as one made out of metal? Nope. Is buying a lock easier than building one? Absolutely. Is a lock you made with your own two hands significantly more badass than anything you can purchase, ready-to-use? Without a shadow of a doubt.

If you're looking for an unusual woodworking project to undertake, Matthias Wandel has you covered. You can buy the plans for his wooden mechanical lock, here. Once you do, you'll also get access to the plans for a laser cut iteration of the project. While it might not provide the level of security that you'd want for keeping your valuables safe, the level of whimsy that this project could bring to a woodworker's life looks like it would be hard to beat.

"Privacy Not Included": Mozilla's guide to insecure, surveillant gadgets to avoid

"Privacy Not Included" is Mozilla's Christmas shopping (anti)-guide to toys and gadgets that spy on you and/or make stupid security blunders, rated by relative "creepiness," from the Nintendo Switch (a little creepy) to the Fredi Baby monitor (very creepy!).

Alex Jones blames "leftist stay-behind networks in US intelligence agencies" for malware on his site

Alex Jones, starved of attention since he was no-platformed by Big Tech, has launched a desperate bid for notoriety, releasing an unhinged (even by Jones's standards) statement blaming the credit-card skimming malware his online store was serving on "a zero-day hack probably carried out by leftist stay behind networks hiding inside US intelligence agencies" (he also blamed it on "big tech, the communist Chinese, and the Democratic party," "globalist forces," "the corporate press, Antifa and rogue intelligence operatives").

Nigerian telco says it accidentally routed Google traffic through China

BGP is a notoriously insecure process by which routes for internet data are advertised and discovered by routers; its ubiquity and insecurity make it a prime suspect whenever it seems that national spy agencies might be diverting traffic.

Researchers keep finding Spectre-style bugs in processors

In January 2018, researchers made a blockbuster announcement of seemingly unpatchable security bugs lurking in Intel processors; after a round of initial reassurances about the mitigations for these bugs, it became apparent that the reassurances were overblown, and active exploits were found in the field -- and then still more bugs exploiting "speculative execution" started to pour out of the security research community.
