Ray Ozzie's Encryption Backdoor
Last month, Wired published a long article about Ray Ozzie and his supposed new scheme for adding a backdoor in encrypted devices. It's a weird article. It paints Ozzie's proposal as something that "attains the impossible" and "satisfies both law enforcement and privacy purists," when (1) it's bare...
Friday Squid Blogging: US Army Developing 3D-Printable Battlefield Robot Squid
The next major war will be super weird. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Detecting Laptop Tampering
Micah Lee ran a two-year experiment designed to detect whether or not his laptop was ever tampered with. The results are inconclusive, but demonstrate how difficult it can be to detect laptop tampering...
LC4: Another Pen-and-Paper Cipher
Interesting symmetric cipher: LC4: Abstract: ElsieFour (LC4) is a low-tech cipher that can be computed by hand; but unlike many historical ciphers, LC4 is designed to be hard to break. LC4 is intended for encrypted communication between humans only, and therefore it encrypts and decrypts plaintexts...
NIST Issues Call for "Lightweight Cryptography" Algorithms
This is interesting: Creating these defenses is the goal of NIST's lightweight cryptography initiative, which aims to develop cryptographic algorithm standards that can work within the confines of a simple electronic device. Many of the sensors, actuators and other micromachines that will functio...
IoT Inspector Tool from Princeton
Researchers at Princeton University have released IoT Inspector, a tool that analyzes the security and privacy of IoT devices by examining the data they send across the Internet. They've already used the tool to study a bunch of different IoT devices. From their blog post: Finding 3: Many IoT...
Security Vulnerabilities in VingCard Electronic Locks
Researchers have disclosed a massive vulnerability in the VingCard electronic lock system, used in hotel rooms around the world: With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over...
Friday Squid Blogging: Bizarre Contorted Squid
This bizarre contorted squid might be a new species, or a previously known species exhibiting a new behavior. No one knows. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
TSB Bank Disaster
This seems like an absolute disaster: The very short version is that a UK bank, TSB, which had been merged into and then many years later was spun out of Lloyds Bank, was bought by the Spanish bank Banco Sabadell in 2015. Lloyds had continued to run the TSB systems and was to transfer them over t...
New NSA/Cyber Command Head Confirmed by Senate
It's Lt. Gen. Paul Nakasone. I know nothing about him...
Two NSA Algorithms Rejected by the ISO
The ISO has rejected two symmetric encryption algorithms: SIMON and SPECK. These algorithms were both designed by the NSA and made public in 2013. They are optimized for small and low-cost processors like IoT devices. The risk of using NSA-designed ciphers, of course, is that they include...
Baseball Code
Info on the coded signals used by the Colorado Rockies...
Computer Alarm that Triggers When Lid Is Opened
"Do Not Disturb" is a Macintosh app that sends an alert when the lid is opened. The idea is to detect computer tampering. Wired article: Do Not Disturb goes a step further than just the push notification. Using the Do Not Disturb iOS app, a notified user can send themselves a picture snapped with...
Russia is Banning Telegram
Russia has banned the secure messaging app Telegram. It's making an absolute mess of the ban -- blocking 16 million IP addresses, many belonging to the Amazon and Google clouds -- and it's not even clear that it's working. But, more importantly, I'm not convinced Telegram is secure in the first...
Yet Another Biometric: Ear Shape
This acoustic technology identifies individuals by their ear shapes. No information about either false positives or false negatives...
Friday Squid Blogging: Squid Prices Rise as Catch Decreases
In Japan: Last year's haul sank 15% to 53,000 tons, according to the JF Zengyoren national federation of fishing cooperatives. The squid catch has fallen by half in just two years. The previous low was plumbed in 2016. Lighter catches have been blamed on changing sea temperatures, which impedes t...
Securing Elections
Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems ar...
Lifting a Fingerprint from a Photo
Police in the UK were able to read a fingerprint from a photo of a hand: Staff from the unit's specialist imaging team were able to enhance a picture of a hand holding a number of tablets, which was taken from a mobile phone, before fingerprint experts were able to positively identify that the ha...
Oblivious DNS
Interesting idea: ...we present Oblivious DNS (ODNS), which is a new design of the DNS ecosystem that allows current DNS servers to remain unchanged and increases privacy for data in motion and at rest. In the ODNS system, both the client is modified with a local resolver, and there is a new...
Hijacking Emergency Sirens
Turns out it's easy to hijack emergency sirens with a radio transmitter...
The DMCA and its Chilling Effects on Research
The Center for Democracy and Technology has a good summary of the current state of the DMCA's chilling effects on security research. To underline the nature of chilling effects on hacking and security research, CDT has worked to describe how tinkerers, hackers, and security researchers of all typ...
Friday Squid Blogging: Eating Firefly Squid
In Toyama, Japan, you can watch the firefly squid catch and eat them in various ways: "It's great to eat hotaruika around when the seasons change, which is when people tend to get sick," said Ryoji Tanaka, an executive at the Toyama prefectural federation of fishing cooperatives. "In addition to...
COPPA Compliance
Interesting research: "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale": Abstract: We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance...
Cybersecurity Insurance
Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But...
The Digital Security Exchange Is Live
Last year I wrote about the Digital Security Exchange. The project is live: The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats. We do this by pairing civil society and social sector organizations with...
DARPA Funding in AI-Assisted Cybersecurity
DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS (Computers and Humans Exploring Software Security), and they're holding a proposers day in a week and a half. This is the kind of thing that can dramatically change the...
Obscure E-Mail Vulnerability
This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so [email protected] is the same as [email protected] is the same as [email protected]. Note: I do not own any of those email addresse...
Friday Squid Blogging: Sake Decanters Made of Dried Squid
This is interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Subverting Backdoored Encryption
This is a really interesting research result. This paper proves that two parties can create a secure communications channel using a communications system with a backdoor. It's a theoretical result, so it doesn't talk about how easy that channel is to create. And the assumptions on the adversary a...
Public Hearing on IoT Risks
The US Consumer Product Safety Commission is holding hearings on IoT risks: The U.S. Consumer Product Safety Commission (CPSC, Commission, or we) will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with...
Musical Ciphers
Interesting history...
Friday Squid Blogging: Market Squid in Alaskan Waters
Rising sea temperatures are causing market squid to move north into Alaskan waters. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Unlocking iPhones with Dead People's Fingerprints
It's routine for US police to unlock iPhones with the fingerprints of dead people. It seems only to work with recently dead people...
Facebook and Cambridge Analytica
In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when...
Another Branch Prediction Attack
When Spectre and Meltdown were first announced earlier this year, pretty much everyone predicted that there would be many more attacks targeting branch prediction in microprocessors. Here's another one: In the new attack, an attacker primes the PHT and running branch instructions so that the PHT...
Breaking the Anonymity in the Cryptocurrency Monero
Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions. Research paper. BoingBoing post...
Tracing Stolen Bitcoin
Ross Anderson has a really interesting paper on tracing stolen bitcoin. From a blog post: Previous attempts to track tainted coins had used either the "poison" or the "haircut" method. Suppose I open a new address and pay into it three stolen bitcoin followed by seven freshly-mined ones. Then und...
Fooling Face Recognition with Infrared Light
Yet another development in the arms race between facial recognition systems and facial-recognition-system foolers. BoingBoing post...
Adding Backdoors at the Chip Level
Interesting research into undetectably adding backdoors into computer chips during manufacture: "Stealthy dopant-level hardware Trojans: extended version," also available here: Abstract: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientif...
Friday Squid Blogging: Giant Squid Stealing Food from Each Other
An interesting hunting strategy: Off of northern Spain, giant squid often feed on schools of fish called blue whiting. The schools swim 400 meters or less below the surface, while the squid prefer to hang out around a mile deep. The squid must ascend to hunt, probably seizing fish from below with...
Zeynep Tufekci on Facebook and Cambridge Analytica
Zeynep Tufekci is particularly cogent about Facebook and Cambridge Analytica. Several news outlets asked me to write about this issue. I didn't, because (1) my book manuscript is due on Monday (finally!), and (2) I knew Zeynep would say what I would say, only better...
GreyKey iPhone Unlocker
Some details about the iPhone unlocker from the US company Grayshift, with photos. Little is known about Grayshift or its sales model at this point. We don't know whether sales are limited to US law enforcement, or if it is also selling in other parts of the world. Regardless of that, it's highly...
Reverse Engineering the Cuban Sonic Weapon
Interesting analysis and speculation...
Hijacking Computers for Cryptocurrency Mining
Interesting paper "A first look at browser-based cryptojacking": Abstract: In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar code-bases. In this model, a user visiting a website will download ...
Dan Geer on the Dangers of Computer-Only Systems
A good warning, delivered in classic Dan Geer style...
Israeli Security Attacks AMD by Publishing Zero-Day Exploits
Last week, the Israeli security company CTS Labs published a series of exploits against AMD chips. The publication came with the flashy website, detailed whitepaper, cool vulnerability names -- RYZENFALL, MASTERKEY, FALLOUT, and CHIMERA -- and logos we've come to expect from these sorts of things...
Friday Squid Blogging: New Squid Species Discovered in Australia
A new species of pygmy squid was discovered in Western Australia. It's pretty cute. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
Interesting Article on Marcus Hutchins
This is a good article on the complicated story of hacker Marcus Hutchins...
Artificial Intelligence and the Attack/Defense Balance
Artificial intelligence technologies have the potential to upend the longstanding advantage that attack has over defense on the Internet. This has to do with the relative strengths and weaknesses of people and computers, how those all interplay in Internet security, and where AI technologies migh...
The 600+ Companies PayPal Shares Your Data With
One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good...