Interesting look at how Google’s “auto-delete” feature is essentially useless for protecting user privacy.
(Spoiler alert: it’s got to do with the value of user data over time. Basically, by the time Google allows you to auto-delete data from its services, it’s already extracted most of the value from those data.)
Turns out the passwords of oldskool nerds were pretty shitty…
As someone who’s spent the entirety of their working life in white collar work which is both paradoxically quite “free” but also heavily surveilled, this report was… eye-opening.
Have you ever been in that situation where you kii-ii-ii-inda know your password, but not exactly? Like, you know it’s probably the name of a Naruto character but you can’t remember exactly which one, and that it’s got some 1337-speak in it but you can’t remember exactly where?
Well. There’s now an app (script) for that.
Of course the actual real-world use of this script will be password hacking based on recon about a target’s life. So if you know someone has three kids and a wife—or that they love Naruto—and you know their names and birthdays and anniversaries, you plug those values into this and… bam. Quicker than rainbow tables.
(And this is why you never base your passwords on things like your pets, hobbies, and/or family members, kids!)
Before the Internet revolution, military-grade electronics were different from consumer-grade. Military contracts drove innovation in many areas, and those sectors got the cool new stuff first. That started to change in the 1980s, when consumer electronics started to become the place where innovation happened. The military responded by creating a category of military hardware called COTS: commercial off-the-shelf technology. More consumer products became approved for military applications. Today, pretty much everything that doesn’t have to be hardened for battle is COTS and is the exact same product purchased by consumers. And a lot of battle-hardened technologies are the same computer hardware and software products as the commercial items, but in sturdier packaging.
Through the mid-1990s, there was a difference between military-grade encryption and consumer-grade encryption. Laws regulated encryption as a munition and limited what could legally be exported only to key lengths that were easily breakable. That changed with the rise of Internet commerce, because the needs of commercial applications more closely mirrored the needs of the military. Today, the predominant encryption algorithm for commercial applications — Advanced Encryption Standard (AES) — is approved by the National Security Agency (NSA) to secure information up to the level of Top Secret. The Department of Defense’s classified analogs of the Internet — Secret Internet Protocol Router Network (SIPRNet), Joint Worldwide Intelligence Communications System (JWICS) and probably others whose names aren’t yet public — use the same Internet protocols, software, and hardware that the rest of the world does, albeit with additional physical controls. And the NSA routinely assists in securing business and consumer systems, including helping Google defend itself from Chinese hackers in 2010.
Bruce Schneier on encryption.
Some of you may recall that one of my Minor Fic Bugbears is any mention of “military grade encryption” because, well. This.
Also see: Any time any politician starts talking about adding in things like key escrow of backdoors into “consumer-grade” encryption (which is what Schneier’s full article is about). In the most generous interpretation, they want to take everyone back to Cold War-era export restrictions on encryption technology. Which… ye-ee-eah. Probably not gonna happen, hey.
Breakdown of the opsec failures that lead to the closing of the Silk Road…
As an aside, I keep reading the “in the Tor Hidden Service” part of this article headline as “in the Tom Hiddleston” which… uh…
Robert Graham from Errata Security gives a basic walk-through of just how easy it (potentially) is to “hack” people’s accounts.
“Hack” is in scare quotes here because there’s no actual hacking going on; Graham is just cross-referencing data sets, specifically looking for a target’s email address in the Have I Been Pwned database. HIBP doesn’t display hacked passwords/hashes directly, but it does provide details of which datasets an email is found it. Anyone with access to the original dataset—and they’re not that difficult to obtain, for someone motivated to look—basically then has a user’s password1 and can potentially use it to breach someone’s other accounts.
The point of this, incidentally, is to point out how trivial this stuff is, and to stress the importance of tactics such as enabling multi-factor authentication and not reusing passwords2 across websites. Nothing is foolproof, but the low-hanging-fruit here is very low hanging, so… y’know. Go do something about that, maybe?
*dons flat cap* In my day, you knew a site was hacked because you’d be greeted with green-on-black text stating the site was “0wned” by the “hackersaurus” and their “l33t crew”. You’d also get a few animated GIFs of skulls, and if you were really lucky, a picture of a big ol’ arse. But now… now it’s all stealthy crypto bullshit.
Jake Archibald on hacking.
This entire article is about what happens when packages (y’know, those bits of other people’s code you include in your code) go bad, which is also an interesting topic asides from the quote above that made me lol.
It’s called a supply chain attack, incidentally, and they’re getting more and more common. I mean, why hack one thousand apps when instead you can hack just one and get auto-updated into the thousand that use it as a dependency?
Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.
Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.
Brian Krebs on security realities.
The full article has some strategies individual users (and companies, though that’s probably less relevant to This Audience) can do, taking into account Realities #1 and #2.
Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar.
Brian Krebs on legitimacy.
Spoiler alert: SSL is still a goddamn scam.
