Tuesday, March 31, 2020
Bruce Schneier

Clarifying the Computer Fraud and Abuse Act

A federal court has ruled that violating a website's terms of service is not "hacking" under the Computer Fraud and Abuse Act. The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers...
Bruce Schneier

Privacy vs. Surveillance in the Age of COVID-19

The trade-offs are changing: As countries around the world race to contain the pandemic, many are deploying digital surveillance tools as a means to exert social control, even turning security agency technologies on their own civilians. Health and law enforcement...
Bruce Schneier

Friday Squid Blogging: Squid Can Edit Their Own Genome

Amazing: Revealing yet another super-power in the skillful squid, scientists have discovered that squid massively edit their own genetic instructions not only within the nucleus of their neurons, but also within the axon -- the long, slender neural projections that...
Bruce Schneier

Story of Gus Weiss

This is a long and fascinating article about Gus Weiss, who masterminded a long campaign to feed technical disinformation to the Soviet Union, which may or may not have caused a massive pipeline explosion somewhere in Siberia in the...
Bruce Schneier

On Cyber Warranties

Interesting article discussing cyber-warranties, and whether they are an effective way to transfer risk (as envisioned by Akerlof's "market for lemons") or a marketing trick. The conclusion: Warranties must transfer non-negligible amounts of liability to vendors in order to meaningfully overcome...
Bruce Schneier

Facial Recognition for People Wearing Masks

The Chinese facial recognition company Hanwang claims it can recognize people wearing masks: The company now says its masked facial recognition program has reached 95 percent accuracy in lab tests, and even claims that it is more accurate in real...
Bruce Schneier

Internet Voting in Puerto Rico

Puerto Rico is considering allowing for Internet voting. I have joined a group of security experts in a letter opposing the bill. Cybersecurity experts agree that under current technology, no practically proven method exists to securely, verifiably, or privately return...
Bruce Schneier

Hacking Voice Assistants with Ultrasonic Waves

I previously wrote about hacking voice assistants with lasers. Turns out you can do much the same thing with ultrasonic waves: Voice assistants -- the demo targeted Siri, Google Assistant, and Bixby -- are designed to respond when they detect the...
Bruce Schneier

Friday Squid Blogging: Squid Orders Down in Italy

COVID-19 is depressing the demand for squid in Italy. The article is a week old, and already seems almost comically quaint. As usual, you can also use this squid post to talk about the security stories in the news that...
Bruce Schneier

Emergency Surveillance During COVID-19 Crisis

Israel is using emergency surveillance powers to track people who may have COVID-19, joining China and Iran in using mass surveillance in this way. I believe pressure will increase to leverage existing corporate surveillance infrastructure for these purposes in...
Bruce Schneier

Work-from-Home Security Advice

SANS has made freely available its "Work-from-Home Awareness Kit." When I think about how COVID-19's security measures are affecting organizational networks, I see several interrelated problems: One, employees are working from their home networks and sometimes from their home computers. These...
Bruce Schneier

The Insecurity of WordPress and Apache Struts

Interesting data: A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress...
Bruce Schneier

TSA Admits Liquid Ban Is Security Theater

The TSA is allowing people to bring larger bottles of hand sanitizer with them on airplanes: Passengers will now be allowed to travel with containers of liquid hand sanitizer up to 12 ounces. However, the agency cautioned that the shift...
Bruce Schneier

Friday Squid Blogging: New Report on Squid Markets

This report costs $2,000. (Please don't buy it for me.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.
Bruce Schneier

The EARN-IT Act

Prepare for another attack on encryption in the U.S. The EARN-IT Act purports to be about protecting children from predation, but it's really about forcing the tech companies to break their encryption schemes: The EARN IT Act would create a...

Huawei’s Worrying New China Problem Just Got Worse: Here’s Why

Huawei used its 2019 results to threaten retaliation against the U.S. But the company now has serious problems closer to home.

Palantir, The $20 Billion, Peter Thiel-Backed Big Data Giant, Is Providing A Coronavirus Monitoring Tool To The CDC

Palantir will help the Centers for Disease Control keep on top of ventilator and mask needs to treat coronavirus victims, sources say.

Defense Evasion Dominated 2019 Attack Tactics

Researchers mapped tactics and techniques to the MITRE ATT&CK framework to determine which were most popular last year.

Watering-Holes Target Asian Ethnic Victims with Flash Update Decoy

About 10 compromised websites employ a multi-stage, targeted effort to fingerprint and compromise victims.

OpenWRT is vulnerable to attacks that execute malicious code

For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital...