On behalf of the #privacy community that has long been saying that #SurveillanceCapitalism is fundamentally incompatible with democracy and a graver national security threat than terrorism, I'd like to say:
We fucking told you so!
Credit where credit is due: yesterday Intel released the Firmware Support Package (FSP) for Coffee Lake generation of CPUs on github. After a request to change the license so it is no issue to distribute for coreboot etc they (Vincent Zimmer & Nathan Desimone) did! This is great news!
Repos on Github: https://github.com/IntelFsp/FSP
Coreboot mailing list thread:
I've been a big fan of the U2FZero, an open-source open-hardware #DIY U2F usb dongle for those that take "trust no one" seriously.
Anyway, looks like Conor Patrick (developer of the U2FZero) has finalized the design of the new generation #FIDO2 key.
Looks like they're releasing it through a kickstarter campaign. I'd definitely wait until you can build and program your own, as the supply chain for these prebuilt devices will be anything but secure.
With a President that leans heavily towards Hitler, he's worried about the guy that leans heavily towards FDR. What a fucking schmuck.
We've developed a new attack on WPA/WPA2. There's no more complete 4-way handshake recording required. Here's all details and tools you need: https://hashcat.net/forum/thread-7717.html
If you're feeling like our politics are hopelessly imbecile in the face of grave national threats, remember that Lincoln (a sitting president, during a Civil War) had to go before the Senate and personally testify that Mary Todd Lincoln wasn't a confederate spy.
This too shall pass.
Today's BGP hijack of Cloudflare's 22.214.171.124 DNS service to an AS in China demonstrates how using a centralized DNS service is dangerous.
Running a recursive resolver, preferably with DNSSEC validation and enforcement, should help mitigate issues like what happened this morning.
#efail attack to decrypt and exfiltrate pgp or s/mime encrypted email is pretty hilarious.
Intercept an encrypted email and modify the email to add an HTML image URL directed to your malicious domain. Leave the image tag open (without closed quotes) and paste in the encrypted email and then close the image tag. Most clients will decrypt the text and query the malicious domain looking for an image matching the decrypted text.
This is why we encrypt and authenticate kids.
Presenting Cryptopals Set 8 challenge 6: KEY RECOVERY ON BIASED ECDSA NONCES. https://toadstyle.org/cryptopals/76f2e314809b2a34ce9ff0d2a08f7a7f.txt
Every DSA signature needs a random nonce, but not every DSA signature truly has one. With even a _bias_ in the nonce, a little linear algebra recovers keys.
Cryptocurrency hot take Show more
Cryptocurrency is a terrible application of an otherwise interesting idea (distributed public ledgering)--and is doomed to instant collapse the second reasonable regulations on exchanges are introduced. Until then it will continue to primarily furnish oligarchs (Russian/Chinese/etc) with means of laundering money and getting around sanctions on the backs of speculators and petty criminals.
Masto meta; etiquette Show more
Things that often prevent me from boosting your posts:
* Shortened URL (t.co or bit.ly)
* Images without alt text
* Politics, etc. without a CW
Even if I really agree with you or find it clever or funny or insightful, I'll probably just let it pass because of bad etiquette
Some great resources for redteamers https://firstname.lastname@example.org/top-five-ways-the-red-team-breached-the-external-perimeter-262f99dc9d17 #redteam #pentest #offsec
roses are red
violets are blue
in surveillance capitalism
poem reads you
and shows you ads
for flower shops
and tracks your clicks
and never stops
it cares not about
if privacy's harmed
the money is green
when people are farmed
twitter is cyan
facebook is blue
your friends are the product
and so are you
I am toot. You click star, click boostybutton, author find out you exist. Might check you out.
Me bait, you fish.
Honest question for #infosec:
How practical is real-time voice synthesis (i.e. to reliably mimic a known target's voice and make it say what you want in a real conversation)? Assuming access to a large sample set (say a Skype scale dataset ;p), it seems like a much easier problem than real-time video fakes.
Anyway, it seems like there is an interesting class of exploits for such tech (from bypassing "your voice is your password" systems to social engineering).
I may do a patent search later.
US Politics Show more
John Bolton as National Security Adviser heading into face-to-face talks with North Korea.
More than half of America would want to nuke America after an encounter with a blowhard fuck-wit like Bolton.
Seriously. American friends, move away from population centers if you can.
Lawyers and techies working on pro bono privacy projects in our spare time.
Follow friends and discover new ones. Publish anything you want: links, pictures, text, video. This server is run by the main developers of the Mastodon project. Everyone is welcome as long as you follow our code of conduct!