Friday, September 30, 2022

What could possibly go wrong?

from here and here (image source)

This gentleman is demonstrating something far more elaborate than footguns, but it is essentially the same premise, and also the same premise as disabling your antivirus when installing new software. 

If you want it to be easy malware authors to trick users into lowering their defenses, just normalize the practice of disabling the antivirus when installing software. Once it becomes normal the malware authors can ask users to do the same thing.

At least it's well labeled

found on Izismile

If you see a bright red plane in the sky with the word "SURVEILLANCE" on it, it would probably be a good time to stop doing shady shit.

Thursday, September 29, 2022

The cipher can't be trusted right now

from here and here

It seems that life is imitating art a weird sort of way. Matrix, an ecosystem of open source chat and collaboration clients, has vulnerabilities that subvert the protection of it's end to end encryption, but unlike the movie there's a fix that allows you to trust the cipher again if you hurry up and apply the patch.

Build Your Own Porch Pirate Package Protector


Watch on YouTube

Now you too can defeat porch pirates with magic. Not Harry Potter magic, mind you, more like David Copperfield. Practical stage magic.

Wednesday, September 28, 2022

The future will be out of date

from here and here

The Internet of Things is going to be unmanageable if we keep building it out of general purpose computers.  If we must have smart devices, we should use special purpose computers with fixed, first order functionality. Not only would updates not be necessary, they wouldn't be possible.

One of the main reasons we use general purpose computers is because their generality allows us to use the same computer for pretty much any application, so we can benefit from an economy of scale by mass producing lots of them knowing we'll find a use for them. I think it might be possible to get similar benefits from special purpose computers used to build a set of fundamental controls - there are only a relatively small number of ways we control the devices around us (ex. toggle switches, dials, etc) and since each of those fundamental control types would be common across a number of different devices, a smaller economy of scale could still be achieved with special purpose computers that drive such controls but with the benefit of lower maintenance than can be achieved with general purpose computers.

You'd never be able to build a toaster that sings to you that way, but why would you want to?

Too bad it only works on the young

found on eBaum's World

Maybe I'm wrong, but I'm pretty sure the older generation knows how to drive stick.  

Tuesday, September 27, 2022

Taking your privacy seriously

from here and here

That's not the problem they want to solve. It's cheaper and easier to change the company's appearance than it is to change the company's business model.

I'm An Advanced Persistent Threat shirt


Product Page

I can't help but think that this is not something an APT would actually wear (to paraphrase Ser Davos Seaworth, if you're a famous APT you're not doing it right), but just as there are shirts that say hacker on them that get worn by people who aren't hackers, so too with the advanced persistent threats.

Monday, September 26, 2022

Heavy duty trucks call for heavy duty locks

from here and here (image source)

This is the first time I've seen such a clean installation of a Master lock on a vehicle. It must be brand new. It's also the first time I've seen a hidden shackle lock used. Normally it's just an ordinary padlock (or in some cases just a sliding lock). Whoever opted for this really went all out.

Too bad the vehicle still has glass windows.

Protecting your privacy helps protect everyone's privacy

found on Reddit

It seems like if the runner had followed social norms and kept that behaviour confined to private spaces, then that surveillance wouldn't have been added. But not only can you harm everyone's privacy by squandering your own, you can also help protect everyone's privacy by fighting for your own. Every encroachment on privacy that isn't challenged is a further erosion of everyone's privacy.

Friday, September 23, 2022

When they opt out of your opt out

from here and here

In a move that surprises exactly no one, Facebook has apparently decided that they don't have to follow the explicitly stated wishes of it's users. Their users are starting to sue them over it. That's right, it's not just complaining, it's lawsuits (if we're lucky they'll become class action lawsuits) 

When your elevator needs a decryption key

found on Reddit

It may just be simple substitution, but clearly it's effective enough at hiding the meaning that a key needs to be provided to allow passengers to reverse it.  

Thursday, September 22, 2022

The sponsor for today's meme is [whatever]VPN

from here and here

If you want to fly the Jolly Roger or evade your streaming service's geoblocking then a VPN is your friend. If you're just browsing normal websites (even from public WiFi) then the fact that virtually all websites are using encryption now makes VPNs redundant for most people.

And if you're not most people, if you have special security concerns, maybe you should consider something more than just a consumer grade VPN provider. TOR for example. 

Losing $750k to a fake Elon Musk


Watch on YouTube

I didn't realize scammers were using deep faked videos now. In fact, I've heard it said that scammers don't need to use deep fake because cheap fake still works surprisingly well. So I guess this should be a wake-up call - just because scammers don't need to do something, doesn't mean they won't do it.

Wednesday, September 21, 2022

It's not much of a fine if it's fine with them

from here and here

Thousands of unencrypted hard drives and tapes full of millions of customer records, and Morgan Stanley only has to pay $35M to make up for failing to wipe them before they got sold off to 3rd parties. That's maybe a couple dollars per affected customer. You'd think a financial institution of their calibre would be able to afford a couple more zeros.

FAFO Security

found on Reddit

Is it a fail or a win? I'm not sure. On the one hand it's not a professional security business so they might not know what they're doing. On the other hand the lack of professionalism might mean things are even more dangerous.

Tuesday, September 20, 2022

Who doxes the doxers?

from here and here

I for one am not got to lose any sleep over the possibility of Kiwi Farms getting breached and their emails and passwords leaked. It's challenging to imagine a more deserving group of people for that kind of outcome. 

Running Exploits Is My Cardio hat

Product Page

The hat is white, of course, because a blackhat would never advertise their presence like that. It would be bad OpSec. A hat like this only works if you're not the bad guy.

Monday, September 19, 2022

Fixes ain't for nothing but the scares are free

from here and here

Getting hit by scareware in the middle of a pandemic when family tech support isn't available is particularly troublesome. Ask me how I know.

Eliminating the last vestiges of privacy

found on Izismile

I think I'll hold it. I'd rather not piss away my last shred of privacy, thank you very much. 

Friday, September 16, 2022

Can't unsee what you saw on Seesaw

from here and here

Apparently Seesaw suffered a credential stuffing attack and the attacker(s) sent Goatse pics all over the place. Now you might be thinking "Wait a minute, credential stuffing is hardly their fault", but there are defenses against such things, so the fact that the attack worked suggests that Seesaw did not have adequate defenses against what is a fairly ordinary kind of attack, all things considered.

No wonder we get sick of spam calls

found on Izismile

I suppose it could have been worse. It could have been from Trick Inosis.

Thursday, September 15, 2022

Bad Vibes

from here and here

It's a fantastical story, and kind of hard to believe, but apparently there are those who think a chess grand master cheated using high-tech anal beads. The theory appears to be that, using the remote controlled vibrations of the beads, an accomplice would have sent messages to the wearer instructing them what move to make. 

If only attribution was always this easy (and satisfying)


Watch on YouTube

Attackers do sometimes leave themselves open to counter-attack, but not nearly often enough, and usually not in nearly as satisfying a way as this. That thief has learned a very painful lesson.

Wednesday, September 14, 2022

What could possibly go wrong?

from here and here

The idea that if Twitter already has one spy on the payroll there's no harm in getting more is just so bizarre. It's like they're applying the logic people use to rationalize littering to spies. That just leads to more and more litter (and spies), though, so definitely don't follow that logic.

Suddenly, disabling antivirus doesn't seen quite so bad

found on 9Gag

I bet this makes security people rethink their priorities. If I had known you could monetize infected machines this way, I'd be a millionaire right now.

Tuesday, September 13, 2022

A face recognition pushmi-pullyu

from here and here (image source)

It may be terrible taste, but it actually looks like pretty good execution. I can definitely see face rec systems falling for it. Now the question is, does that resemble his actual face or is he going to try and pull a fast one.

Can You Read Me Hidden Message shirt

Product Page

I'm a sucker for a puzzle and this design is supposed to be a puzzle. Hopefully it's more than just picking out the 4 obvious words amongst the symbols. It would be great if it was some kind of cryptogram. 

Monday, September 12, 2022

Taking our security seriously in 3...2...1...

from here and here

I can't imagine Patreon's recent firing of their entire security team ending in anything less than some kind of compromise. There will be no continuity of security. Anyone hired on after this will either be struggling to figure out what those before them did without anyone to on-board them, or they're going to be starting over from scratch.

Seems Legit

found on Izismile

Maybe it's an ATM family reunion. They could be having an ATM BBQ real soon.

Or maybe... every ATM that ever there was is gathered there for certain because today's the day the ATMs have their piiiiicnic.

Friday, September 9, 2022

In email roulette, always bet on spam

from here and here

I'm probably an outlier in the fact that I never receive actual spam in my Gmail account, but I do get spam false positives just like everybody else. I wish they'd make it easier to check my spam folder since legit email ends up there so often.

Next level theft prevention

found on Reddit

Maybe it's just me, but I would have thought this would be more on-brand for Target.

Thursday, September 8, 2022

Beware the knights of Scamalot

from here and here

The Queen is dead and that's just the kind of thing criminals love to latch on to in order to trick people into clicking on things. Don't fall for it. If you really want details, do a search and get them from reputable news sources that hopefully won't be serving any malware.

Passcode Door Minecraft PE Tutorial


Watch on YouTube

Even in virtual worlds we recreate the security controls we're familiar with in the real world.

Wednesday, September 7, 2022

How'd you like a reminder of your younger, cringier self

from here and here

And the cringey reminders are the best case scenario. There are probably worse memories stored in your Facebook account, and almost no one ever bothers to get rid of that stuff.

Younger people seem to have the good sense not to use Facebook in the first place, though. They've probably seen what it's like when people with numerous years of history on Facebook get haunted by the most painful or embarrassing moments of their past. 

What's in YOUR threat model?

found on Funny Junk

Are limbo dancers likely? I suppose that depends on what part of the world this is from. I think we all recognize that someone peeking under the door or over the stall or through the crack in the door are at least somewhat realistic privacy threats. Maybe you've even made eye contact with someone that way before (I know I have).

Tuesday, September 6, 2022

It's now safe to turn off your lights

from here and here

I've seen this template so many times but finally we have an explanation for why the lights are still on.

Keep Your Password Under Wraps button

Product Page

This is sound advice. Mum(my)'s the word. 

Monday, September 5, 2022

When you're hooked on one door code in particular

from here (image source)

Not only is it easy to tell what numbers are in the code, the order seems like it should be easy to guess as well. I feel confident that it's 1709 - it can be entered in a relatively fluid motion that saves time and effort. You might think that the door code should be changed on a more regular basis, but that would invite people to write it down and that that slip of paper could get lost or stolen and compromise the security. Instead the keypad should be better maintained and replaced when wear patterns start to give away the code.

We have justifiable trust issues

found on Izismile

Data anonymization never seems to stick in practice. Maybe they're just not good at it, maybe there are perverse incentives to keeping more data than they actually need, or maybe it's just not truly possible. Whatever the case may be, the track record for that sort of thing is terrible, so don't trust it.

Friday, September 2, 2022

You wouldn't DoS a car

from here and here (image source)

Sometimes whether a thing is an attack or a defense depends entirely on perspective. The motorcyclist could be trying to prevent his motorcycle from getting stolen, but the car owner can't go anywhere now because the motorcycle is anchoring him in place. You could make a lot of arguments about the motorcyclist knowing better, but this site has seen cars chained up as if they were bicycles, so I don't doubt this could have been a sincere attempt to prevent theft (even if it is ridiculous).

Now those are effective countermeasures

found on Funny Junk

This seems like a tree you would want to get rid of and yet at the same time can't. 

Thursday, September 1, 2022

Fine for thee but not for me

from here and here

As long as ad companies fail to crack down on malvertising, ad blocking remains a necessary security measure. Malware should not be the price of viewing web content. 

Richard Henderson : Old MacDonald Had a Barcode, E I E I CAR


Watch on YouTube

This DEFCON presentation gives me new appreciation for whoever it was that tried to put the EICAR string on the blockchain.