Anatomy of how you get pwned
Today, somebody had a problem: they kept seeing a popup on their screen, and obvious scam trying to sell them McAfee anti-virus. Where was this coming from?In this blogpost, I follow this rabbit hole on down. What we see...
Ethics: University of Minnesota’s hostile patches
The University of Minnesota (UMN) got into trouble this week for doing a study where they have submitted deliberately vulnerable patches into open-source projects, in order to test whether hostile actors can do this to hack things. After a...
A quick FAQ about NFTs
I thought I'd write up 4 technical questions about NFTs. They may not be the ones you ask, but they are the ones you should be asking. The questions:What does the token look like?How does it contain the artwork?...
Deconstructing that $69million NFT
"NFTs" have hit the mainstream news with the sale of an NFT based digital artwork for $69 million. I thought I'd write up an explainer. Specifically, I deconstruct that huge purchase and show what actually was exchanged, down to...
We are living in 1984 (ETERNALBLUE)
In the book 1984, the protagonist questions his sanity, because his memory differs from what appears to be everybody else's memory.The Party said that Oceania had never been in alliance with Eurasia. He, Winston Smith, knew that Oceania had...
Review: Perlroth’s book on the cyberarms market
New York Times reporter Nicole Perlroth has written a book on zero-days and nation-state hacking entitled “This Is How They Tell Me The World Ends”. Here is my review.I’m not sure what the book intends to be. The blurbs...
No, 1,000 engineers were not needed for SolarWinds
Microsoft estimates it would take 1,000 to carry out the famous SolarWinds hacker attacks. This means in reality that it was probably fewer than 100 skilled engineers. I base this claim on the following Tweet:<blockquote class="twitter-tweet" data-conversation="none" data-dnt="true"><p lang="en"...
The deal with DMCA 1201 reform
There are two fights in Congress now against the DMCA, the "Digital Millennium Copyright Act". One is over Section 512 covering "takedowns" on the web. The other is over Section 1201 covering "reverse engineering", which weakens cybersecurity.Even before digital...
Why Biden: Principle over Party
There exist many #NeverTrump Republicans who agree that while Trump would best achieve their Party's policies, that he must nonetheless be opposed on Principle. The Principle at question isn't that Trump is a liar, a misogynist, a racist, or...
No, that’s not how warrantee expiration works
The NYPost Hunter Biden story has triggered a lot of sleuths obsessing on technical details trying to prove it's a hoax. So far, these claims are wrong. The story is certainly bad journalism aiming to misinform readers, but it...
No, font errors mean nothing in that NYPost article
The NYPost has an article on Hunter Biden emails. Critics claim that these don't look like emails, and that there are errors with the fonts, thus showing they are forgeries. This is false. This is how Apple's "Mail" app...
Yes, we can validate leaked emails
When emails leak, we can know whether they are authenticate or forged. It's the first question we should ask of today's leak of emails of Hunter Biden. It has a definitive answer.Today's emails have "cryptographic signatures" inside the metadata. Such signatures...
Factcheck: Regeneron’s use of embryonic stem cells
This week, Trump's opponents misunderstood a Regeneron press release to conclude that the REG-COV2 treatment (which may have saved his life) was created from stem cells. When that was proven false, his opponents nonetheless deliberately misinterpreted events to conclude...
Cliché: Security through obscurity (yet again)
Infosec is a largely non-technical field. People learn a topic only as far as they need to regurgitate the right answer on a certification test. Over time, they start to believe misconceptions about that topic that they never learned....
How CEOs think
Recently, Twitter was hacked. CEOs who read about this in the news ask how they can protect themselves from similar threats. The following tweet expresses our frustration with CEOs, that they don't listen to their own people, but instead...
Blessed are the cryptographers, labelling them criminal enablers is just foolish
Preserving privacy is hard. I know because when I tried, I quickly learned not to play with weapons Column Nearly a decade ago I decided to try my hand as a cryptographer. It went about as well as you...
Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations
The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data ransom demands are not met.
"The...
NSA and ODNI analyze potential risks to 5G networks
U.S. Intelligence agencies warn of weaknesses in 5G networks that could be exploited by crooks and nation-state actors for intelligence gathering.
The U.S. National Security Agency (NSA), along with the DHS Cybersecurity and Infrastructure Security Agency (CISA), and the Office...
Alert: Hackers Exploit Adobe Reader 0-Day Vulnerability in the Wild
Adobe has released Patch Tuesday updates for the month of May with fixes for multiple vulnerabilities spanning 12 different products, including a zero-day flaw affecting Adobe Reader that's actively exploited in the wild.
The list of updated applications includes Adobe Experience Manager,...
Beijing twirls ban-hammer at 84 more apps it says need to stop slurping excess data
Online lending apps and more given fifteen days to ‘rectify’ behaviour China’s Central Cyberspace Affairs Commission has named 84 apps it says breach local privacy laws and given their developers 15 days to “rectify” their code.…
