Clarifying the Computer Fraud and Abuse Act
A federal court has ruled that violating a website's tems of service is not "hacking" under the Computer Fraud and Abuse Act.
The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers...
Privacy vs. Surveillance in the Age of COVID-19
The trade-offs are changing:
As countries around the world race to contain the pandemic, many are deploying digital surveillance tools as a means to exert social control, even turning security agency technologies on their own civilians. Health and law enforcement...
Friday Squid Blogging: Squid Can Edit Their Own Genome
Amazing:
Revealing yet another super-power in the skillful squid, scientists have discovered that squid massively edit their own genetic instructions not only within the nucleus of their neurons, but also within the axon -- the long, slender neural projections that...
Story of Gus Weiss
This is a long and fascinating article about Gus Weiss, who masterminded a long campaign to feed technical disinformation to the Soviet Union, which may or may not have caused a massive pipeline explosion somewhere in Siberia in the...
On Cyber Warranties
Interesting article discussing cyber-warranties, and whether they are an effective way to transfer risk (as envisioned by Ackerlof's "market for lemons") or a marketing trick.
The conclusion:
Warranties must transfer non-negligible amounts of liability to vendors in order to meaningfully overcome...
Facial Recognition for People Wearing Masks
The Chinese facial recognition company Hanwang claims it can recognize people wearing masks:
The company now says its masked facial recognition program has reached 95 percent accuracy in lab tests, and even claims that it is more accurate in real...
Internet Voting in Puerto Rico
Puerto Rico is considered allowing for Internet voting. I have joined a group of security experts in a letter opposing the bill.
Cybersecurity experts agree that under current technology, no practically proven method exists to securely, verifiably, or privately return...
Hacking Voice Assistants with Ultrasonic Waves
I previously wrote about hacking voice assistants with lasers. Turns you can do much the same thing with ultrasonic waves:
Voice assistants -- the demo targeted Siri, Google Assistant, and Bixby -- are designed to respond when they detect the...
Friday Squid Blogging: Squid Orders Down in Italy
COVID-19 is depressing the demand for squid in Italy. The article is a week old, and already seems almost comically quaint.
As usual, you can also use this squid post to talk about the security stories in the news that...
Emergency Surveillance During COVID-19 Crisis
Israel is using emergency surveillance powers to track people who may have COVID-19, joining China and Iran in using mass surveillance in this way. I believe pressure will increase to leverage existing corporate surveillance infrastructure for these purposes in...
Work-from-Home Security Advice
SANS has made freely available its "Work-from-Home Awareness Kit."
When I think about how COVID-19's security measures are affecting organizational networks, I see several interrelated problems:
One, employees are working from their home networks and sometimes from their home computers. These...
The Insecurity of WordPress and Apache Struts
Interesting data:
A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress...
TSA Admits Liquid Ban Is Security Theater
The TSA is allowing people to bring larger bottles of hand sanitizer with them on airplanes:
Passengers will now be allowed to travel with containers of liquid hand sanitizer up to 12 ounces. However, the agency cautioned that the shift...
Friday Squid Blogging: New Report on Squid Markets
This report costs $2,000. (Please don't buy it for me.)
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Read my blog posting guidelines here.
The EARN-IT Act
Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes:
The EARN IT Act would create a...
Huawei’s Worrying New China Problem Just Got Worse: Here’s Why
Huawei used its 2019 results to threaten retaliation against the U.S. But the company now has serious problems closer to home.
Palantir, The $20 Billion, Peter Thiel-Backed Big Data Giant, Is Providing A Coronavirus Monitoring Tool To The CDC
Palantir will help the Centers for Disease Control keep on top of ventilator and mask needs to treat coronavirus victims, sources say.
Defense Evasion Dominated 2019 Attack Tactics
Researchers mapped tactics and techniques to the MITRE ATT&CK framework to determine which were most popular last year.
Watering-Holes Target Asian Ethnic Victims with Flash Update Decoy
About 10 compromised websites employ a multi-stage, targeted effort to fingerprint and compromise victims.
OpenWRT is vulnerable to attacks that execute malicious code
Enlarge (credit: OpenWRT)
For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital...
