Attribution is hard: the incredible skullduggery used to try to blame the 2018 Olympic cyberattack on North Korea

Wired has published another long excerpt from Sandworm, reporter Andy Greenberg's forthcoming book on the advanced Russian hacking team who took the US-Israeli Stuxnet program to the next level, attacking Ukrainian power infrastructure and literally blowing up key components of the country's power grid by attacking the embedded code in their microcontrollers.

China's new cybersecurity rules ban foreign companies from using VPNs to phone home

For decades, it was a commonplace in western business that no one could afford to ignore China: whatever problems a CEO might have with China's human rights record could never outweigh the profits to be had by targeting the growing Chinese middle class.

Proof-of-concept supply-chain poisoning: tiny, undetectable hardware alterations could compromise corporate IT

A little over a year ago, Bloomberg stunned the world with a report claiming that Chinese intelligence services had figured out how to put undetectable, rice-grain-sized hardware implants into servers headed for the biggest US cloud and enterprise IT firms, and that when some of the victims discovered this fact, they quietly ripped out whole data centers and replaced all their servers.

One Weird Law That Interferes With Security Research, Remix Culture, and Even Car Repair

How can a single, ill-conceived law wreak havoc in so many ways? It prevents you from making remix videos. It blocks computer security research. It keeps those with print disabilities from reading ebooks. It makes it illegal to repair people's cars. It makes it harder to compete with tech companies by designing interoperable products. It's even been used in an attempt to block third-party ink cartridges for printers.

Computer historians crack passwords of Unix's early pioneers

Early versions of the free/open Unix variant BSD came with password files that included hashed passwords for such Unix luminaries as Dennis Ritchie, Stephen R. Bourne, Eric Schmidt, Brian W. Kernighan and Stuart Feldman.

WhatsApp fixes security bug that let hackers take over with a GIF

A spokesperson for the Facebook-owned WhatsApp says the company has fixed a security vulnerability that let hackers take control of the messaging app by way of a malicious GIF.

Checkm8: an "unstoppable" iPhone jailbreaking crack

Last month, a developer called Axi0mx released an iPhone crack called Checkm8, which attacks a defect in the iOS bootrom, a low-level piece of code that had not been successfully attacked since 2010. The bootrom is read-only, making its defects effectively unpatchable short of removing the chip and swapping it for one with more robust code (the attack also works on Apple Watch Series 1, 2 and 3).

Two bear cubs rescued after 'bearjacking' van, locking selves in, honking horn

Nature's li'l hackers break into security contractor's van

2600 Magazine is finally available as a digital publication

Aestetix writes, "On Tuesday, October 8th, for the very first time ever, the new issue of 2600 will be released digitally in non-DRM PDF format. We know there are many of you who have been unable to secure copies of 2600 in recent years. With high distribution costs and a declining bookstore landscape, it's become much harder to publish a paper magazine and get it to all the places our readers are. This digital version can help solve that problem once and for all - and help restore the funding we need to survive."

Assessing the security of devices by measuring how many difficult things the programmers tried to do

The Cyber Independent Testing Lab is a security measurement company founded by Mudge Zatko, late of the Cult of the Dead Cow, l0pht Heavy Industries and the NSA's Tailored Access Operations group; it has a unique method for assessing the security of devices, derived from methods Mudge developed at the NSA.

Researchers think that adversarial examples could help us maintain privacy from machine learning systems

Machine learning systems are pretty good at finding hidden correlations in data and using them to infer potentially compromising information about the people who generate that data: for example, researchers fed an ML system a bunch of Google Play reviews by reviewers whose locations were explicitly given in their Google Plus reviews; based on this, the model was able to predict the locations of other Google Play reviewers with about 44% accuracy.

Don't hold your breath for that U.S. online privacy bill

No new bill on online privacy is expected to show up in Congress before the end of the year, Reuters reports, citing three unnamed sources on Capitol Hill.

Landmark Theatres bans cosplay during 'Joker' opening weekend, citing security

Sorry, no cosplay

DoorDash data breach: 4.9 million customers, workers, and merchants' info stolen

Another data security disaster for "food delivery on demand" startup DoorDash, and it's not their first. The company confirms a data breach in which sensitive information belonging to 4.9 million individual customers, delivery workers, and merchants was stolen by hackers.

Propublica finds millions of Americans' medical images and data sitting on unprotected, publicly accessible servers

An investigation by Propublica and Bayerischer Rundfunk found 187 servers hosting more than 5,000,000 patients' confidential medical records and scans (including a mix of Social Security numbers, home addresses and phone numbers, scans and images, and medical files) that were accessible by the public, "available to anyone with basic computer expertise."

In Cambridge Analytica clean-up, Facebook says it killed 'Tens of Thousands' of apps

Of course they announced it at the end of the day on Friday; that's what you do with bad news.

Penetration testers jailed after they broke into a courthouse to test its physical security

Iowa state court officials contracted with Coalfire to conduct "penetration tests" of its security; as part of those tests, two Coalfire employees broke into the Adel, Iowa courthouse and were caught by law enforcement, whose bosses in Dallas County had not been notified of the test.