[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

It's the second in two months. Video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Hacking a Segway

Jul. 21st, 2017 11:23 am
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

The Segway has a mobile app. It is hackable:

While analyzing the communication between the app and the Segway scooter itself, Kilbride noticed that a user PIN number meant to protect the Bluetooth communication from unauthorized access wasn't being used for authentication at every level of the system. As a result, Kilbride could send arbitrary commands to the scooter without needing the user-chosen PIN.

He also discovered that the hoverboard's software update platform didn't have a mechanism in place to confirm that firmware updates sent to the device were really from Segway (often called an "integrity check"). This meant that in addition to sending the scooter commands, an attacker could easily trick the device into installing a malicious firmware update that could override its fundamental programming. In this way an attacker would be able to nullify built-in safety mechanisms that prevented the app from remote-controlling or shutting off the vehicle while someone was on it.

"The app allows you to do things like change LED colors, it allows you to remote-control the hoverboard and also apply firmware updates, which is the interesting part," Kilbride says. "Under the right circumstances, if somebody applies a malicious firmware update, any attacker who knows the right assembly language could then leverage this to basically do as they wish with the hoverboard."
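The missing firmware "integrity check" described above, as an added example that is not Segway's or the researcher's code: a constructed update-package layout in which the vendor signs version || payload with Ed25519 and the device verifies the signature under a pinned vendor public key, and refuses rollbacks, before anything is flashed. The package format, field sizes and function names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout (hypothetical, not Segway's real format):
//   [4-byte LE version][64-byte Ed25519 signature][payload...]
// The signature covers version || payload so a valid old payload cannot be
// re-labelled with a newer version number.
const sigLen = ed25519.SignatureSize

func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4+len(payload))
	binary.LittleEndian.PutUint32(msg, version)
	copy(msg[4:], payload)
	return msg
}

// BuildPackage is the vendor side: sign the image with a private key that
// stays on the vendor's build infrastructure.
func BuildPackage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	msg := signedMessage(version, payload)
	pkg := append(msg[:4:4], ed25519.Sign(priv, msg)...)
	return append(pkg, payload...)
}

// VerifyPackage is the device side: verify the signature under the pinned
// vendor public key and refuse rollbacks before anything is flashed.
// This is the check the article says the scooter's updater lacked.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte, installed uint32) ([]byte, uint32, error) {
	if len(pkg) < 4+sigLen {
		return nil, 0, errors.New("package too short")
	}
	version := binary.LittleEndian.Uint32(pkg[:4])
	sig, payload := pkg[4:4+sigLen], pkg[4+sigLen:]
	if !ed25519.Verify(pub, signedMessage(version, payload), sig) {
		return nil, 0, errors.New("signature check failed: not from vendor or tampered")
	}
	if version <= installed {
		return nil, 0, fmt.Errorf("rollback refused: version %d <= installed %d", version, installed)
	}
	return payload, version, nil
}
```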

Courtesy of Facebook's On This Day

Jul. 21st, 2017 12:30 am
[personal profile] james_davis_nicoll
I just got to a series of posts from 2014 Wiscon harassment meltdown. Ah, memory lane.
[personal profile] james_davis_nicoll
Previous models set first occupation significantly later. Much earlier and the first humans on the path to Australia would have left footprints in the still-cooling ashes of the Toba eruption.

Ethereum Hacks

Jul. 20th, 2017 02:12 pm
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

The press is reporting a $32M theft of the cryptocurrency Ethereum. Like all such thefts, they're not a result of a cryptographic failure in the currencies, but instead a software vulnerability in the software surrounding the currency -- in this case, digital wallets.

This is the second Ethereum hack this week. The first tricked people into sending their Ethereum to another address.

This is my concern about digital cash. The cryptography can be bulletproof, but the computer security will always be an issue.

Bah

Jul. 19th, 2017 10:12 pm
[personal profile] james_davis_nicoll
Reliable sources report the death of Jordin Kare.

Password Masking

Jul. 19th, 2017 03:35 pm
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

Slashdot asks if password masking -- replacing password characters with asterisks as you type them -- is on the way out. I don't know if that's true, but I would be happy to see it go. Shoulder surfing, the threat it defends against, is largely nonexistent. And it is becoming harder to type in passwords on small screens and annoying interfaces. The IoT will only exacerbate this problem, and when passwords are harder to type in, users choose weaker ones.

Saaaaaaaaavvvvvvveeee mmmmmeeeeeeee

Jul. 19th, 2017 10:00 am
[personal profile] james_davis_nicoll
It turns out you can connect Calibre directly to Project Gutenberg.

Having downloaded a bunch of public domain books, I then went looking for the proper cover art. Interestingly, although I am convinced I owned mid-1970s editions of both Blackman's Burden and Border, Breed nor Birth, I can find no evidence those editions actually existed.

Another interesting thing. This is the list of science fiction books on PG and this is the list of science fiction works by women on PG.

Fig and the big window

Jul. 18th, 2017 06:07 pm
[personal profile] james_davis_nicoll
Things that do not inspire Fig to go into hunting mode:

A baby rabbit

Things that do inspire Fig to go into hunting mode:

A robin
A 50 kilogram dog

Many of My E-Books for Cheap

Jul. 18th, 2017 11:38 am
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

Humble Bundle is selling a bunch of cybersecurity books very cheaply. You can get copies of Applied Cryptography, Secrets and Lies, and Cryptography Engineering -- and also Ross Anderson's Security Engineering, Adam Shostack's Threat Modeling, and many others.

This is the cheapest you'll ever see these books. And they're all DRM-free.

Fig and Ibid still need rehoming

Jul. 17th, 2017 09:40 pm
[personal profile] james_davis_nicoll

In case the photos don't show up with the embed
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

News from Australia:

Under the law, internet companies would have the same obligations telephone companies do to help law enforcement agencies, Prime Minister Malcolm Turnbull said. Law enforcement agencies would need warrants to access the communications.

"We've got a real problem in that the law enforcement agencies are increasingly unable to find out what terrorists and drug traffickers and pedophile rings are up to because of the very high levels of encryption," Turnbull told reporters.

"Where we can compel it, we will, but we will need the cooperation from the tech companies," he added.

Never mind that the law 1) would not achieve the desired results because all the smart "terrorists and drug traffickers and pedophile rings" will simply use a third-party encryption app, and 2) would make everyone else in Australia less secure. But that's all ground I've covered before.

I found this bit amusing:

Asked whether the laws of mathematics behind encryption would trump any new legislation, Mr Turnbull said: "The laws of Australia prevail in Australia, I can assure you of that.

"The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia."

Next Turnbull is going to try to legislate that pi = 3.2.

Another article. BoingBoing post.

EDITED TO ADD: More commentary.

Page generated Jul. 21st, 2017 10:44 pm