Group items tagged

"America's National Security Agency gathers unfathomable mountains of Internet communications from fiber optic taps and other means, but it says it only retains and searches the communications of "targeted" individuals who've done something suspicious. Guess what? If you read Boing Boing, you've been targeted."

"The NSA uses laughably sloppy tools for deciding whether a target is a "US person" (a person in the USA, or an American citizen abroad). For example, people whose address books contain foreign persons are presumed by some analysts to be foreign. Likewise, people who post in "foreign" languages (the US has no official state language) are presumed by some analysts to be non-US persons."

"But ISPs in the USA and Thailand have been caught sabotaging STARTTLS, interrupting the negotiation between mail-servers to prevent the encryption bit from being turned on, leaving millions of peoples' email liable to snooping by crooks, governments, spies and others. "

"Marlinspike's Textsecure has an impeccable reputation as a secure platform, and Whatsapp founder Jan Koum attributes his desire to add security to his users' conversations to his experiences with the surveillance state while growing up in Soviet Ukraine. However, without any independent security audit or (even better) source-code publication, we have to take the company's word that it has done the right thing and that it's done it correctly."

"Major Wall Street institutions were cracked wide open by a phishing scam from FIN4, a hacker group that, unlike its competition, can write convincingly and employs some basic smarts about why people open attachments."

"This is what's about to happen with twitpic, for years the go-to service for posting photos to Twitter, and the people in charge appear to be doing what they can to prevent the Internet Archive preserving the database and to deny users functional archive access to their own uploads. "

"The Micormax Joy phone is no iPhone. Selling at around $11, it is a candybar style device with color screen and keyboard wheel controls, and runs on the Android-based Cyanogen OS. "

"Facewatch is being connected to realtime facial recognition systems that can be tied into the CCTVs of its 10,000+ participating retailers. If your face is on the blacklist and the system recognises you (or if your face isn't on the blacklist and you generate a false positive), the shopkeeper/security staff will get an alert when you enter their premises and they can make you leave. "

"The OS is a marvel of paranoid terribleness, with lots of marvellously bad features. The one I was most interested in is its covert insertion of watermarks into every file that it touches, either on the OS's launch disk or removable USB sticks."

"Shodan is a search engine for the Internet of Things, scanning the public Internet for devices communicating on ports and over protocols that are commonly used by IoT devices. By feeding it the right parameters -- Real Time Streaming Protocol (RTSP, port 554) -- you can find innumerable publicly shared webcams, ranging from CCTVs that oversee marijuana grow-ops and many, many baby-monitors. "

"O'Neill recounts an exercise to improve service to homeless families in New York City, in which data-analysis was used to identify risk-factors for long-term homelessness. The problem, O'Neill describes, was that many of the factors in the existing data on homelessness were entangled with things like race (and its proxies, like ZIP codes, which map extensively to race in heavily segregated cities like New York). Using data that reflects racism in the system to train a machine-learning algorithm whose conclusions can't be readily understood runs the risk of embedding that racism in a new set of policies, these ones scrubbed clean of the appearance of bias with the application of objective-seeming mathematics. "

"This is where Google's Project Shield comes through: sites pre-register with Google to "reverse proxy" their traffic through Google's cloud platform. By making a change in DNS, publishers can route all their traffic through Google. This means that a DDoS attack has to be sufficiently robust as to take down Google's cloud (much harder than taking down a WordPress install on a rack in a commodity hosting provider)"

"$500 method for using a 300dpi scan of a fingerprint (which can be captured from a fingerprint sensor itself) to produce a working replica printed with conductive ink fed through a normal inkjet printer, in a prodcedure that takes less than 15 minutes. "

"Wired recently started an anti-ad-blocking campaign that attempts to prevent ad-blocked users from reading articles unless they pay a monthly subscription fee. On the heels of this decision comes a roundup of the major ad-blockers, some of which are pretty dodgy indeed. Adblock Plus comes off the worst of the lot. The company charges publishers fees to allow their ads through its filters, based on criteria about size and placement. Ghostery blocks trackers, but by default gathers "anonymized" data about your browsing habits (it's very hard to conclusively describe any deep data set as anonymized). "

"Researchers at Incapsula have discovered a botnet that runs on compromised CCTV cameras. There are hundreds of millions, if not billions, of these in the field, and like many Internet of Things devices, their security is an afterthought and not fit for purpose. "

"A 10-passenger bus in Trikala, Greece has been providing free service for six months. 11,302 passengers have ridden it for a total of 3500 kilometers without an accident (other than driving up a sidewalk). "

"GCHQ, the UK's spy agency, designed a security protocol for voice-calling called MIKEY-SAKKE and announced that they'll only certify VoIP systems as secure if they use MIKEY-SAKKE, and it's being marketed as "government-grade security." But a close examination of MIKEY-SAKKE reveals some serious deficiencies. The system is designed from the ground up to support "key escrow" -- that is, the ability of third parties to listen in on conversations without the callers knowing about it."

"To date, activity trackers have been used medically only to encourage or monitor patient activity, particularly in conjunction with weight loss programs.5, 6 To our knowledge, this is the first report to use the information in an activity tracker-smartphone system to assist in specific medical decisionmaking."

"The adoption of security chips has not slowed credit card fraud, either. 60,000,000 US credit cards were compromised in the past 12 months and 90% of those were chip-enabled. The majority of compromised cards were stolen by infected point-of-sale terminals. The US has the worst credit card security in the world. The findings come from a Gemini Advisory report, which blames a "lack of chip compliance" in merchants for the rise."

""Privacy Not Included" is Mozilla's Christmas shopping (anti)-guide to toys and gadgets that spy on you and/or make stupid security blunders, rated by relative "creepiness," from the Nintendo Switch (a little creepy) to the Fredi Baby monitor (very creepy!). Mozilla's reviews include a detailed rationale for each ranking, including whether the product includes encryption, whether it forces a default password change, how easy to understand the documentation is, whether it shares your data for "unexpected reasons," whether it has known security vulnerabilities, whether it has parental controls and more."