‘Bots have now passed human traffic online,’ Cloudflare boss laments — says agentic traffic wasn’t expected to eclipse real people until next year | Tom’s Hardware

‘Bots have now passed human traffic online,’ Cloudflare boss laments — says agentic traffic wasn’t expected to eclipse real people until next year | Tom’s Hardware:

We were also interested in looking at Cloudflare’s breakdown of human/bot traffic by country. The most bot-ridden traffic comes from the tiny island of Gibraltar (92.1%), followed by Singapore (76.4%), then Iran (76.4%). While some of these places have a lot of data centers and hosting infrastructure compared to population size, Iran’s high bot count may rather come from the heavy use of VPNs with automated scraping and bypass tools. Cloudflare has also previously flagged Iran as a hotspot for malicious bot activity.

[What a mess…]

SSH protects the world’s most sensitive networks. It just got a lot weaker

SSH protects the world’s most sensitive networks. It just got a lot weaker | Ars Technica:

Fabian Bäumer, one of three researchers from Germany’s Ruhr University Bochum who devised Terrapin, described this approach in an email:

The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.

[Well… that’s not good.]

Here’s a Warrant Showing the U.S. Government is Monitoring Push Notifications

Here’s a Warrant Showing the U.S. Government is Monitoring Push Notifications:

The letter does not disclose the legal mechanism used by governments to demand this data from Apple or Google. But the court record reviewed by 404 Media does include some specifics around push notification demands. Court Watch shared the record with 404 Media. The record is a search warrant application from May 2020 related to the investigation of a person suspected of theft or bribery concerning programs receiving federal funds.

In the search warrant application for information associated with a specific Yahoo email account, an FBI Special Agent writes under a section of the record entitled “Background Information Regarding Provider Services” that when a user of a mobile app installs and launches an app, the app will direct the device to obtain a “Push Token.” This is “a unique identifier that allows the provider associated with the application […] to locate the device on which the application is installed.”

[If they can, they will…]

Daring Fireball: 23andMe Confirms Hackers Stole Ancestry Data on 6.9 Million Users

Daring Fireball: 23andMe Confirms Hackers Stole Ancestry Data on 6.9 Million Users:

In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

Here’s a real shocker: 23andMe has updated their terms of service in an attempt to prevent a class action lawsuit. Good luck with that.

[I never trusted them…]

New York May Require a Background Check to Buy a 3D Printer

New York May Require a Background Check to Buy a 3D Printer:

The New York bill, called AB A8132, would require a criminal history background check for anyone attempting to purchase a 3D printer capable of fabricating a firearm. It would similarly prohibit the sale of those printers to anyone with a criminal history that disqualifies them from owning a firearm. As it’s currently written, the bill doesn’t clarify what models or makes of printers would potentially fall under this broad category. The bill defines a three-dimensional printer as a “device capable of producing a three-dimensional object from a digital model.”

[I commented on Instagram… but of course, also here on the blog. I don’t disagree with the problem, but I do disagree with this attempt at solving it. It’s too broad…]


AI Risks

AI Risks:

Beneath this roiling discord is a true fight over the future of society. Should we focus on avoiding the dystopia of mass unemployment, a world where China is the dominant superpower or a society where the worst prejudices of humanity are embodied in opaque algorithms that control our lives? Should we listen to wealthy futurists who discount the importance of climate change because they’re already thinking ahead to colonies on Mars? It is critical that we begin to recognize the ideologies driving what we are being told. Resolving the fracas requires us to see through the specter of AI to stay true to the humanity of our values.

One way to decode the motives behind the various declarations is through their language. Because language itself is part of their battleground, the different AI camps tend not to use the same words to describe their positions. One faction describes the dangers posed by AI through the framework of safety, another through ethics or integrity, yet another through security, and others through economics. By decoding who is speaking and how AI is being described, we can explore where these groups differ and what drives their views.

[Context!]

Reimagining Democracy – Schneier on Security

Reimagining Democracy – Schneier on Security:

What could democracy look like if it were reinvented today? Would it even be democracy — what comes after democracy?

Some questions to think about:

Representative democracies were built under the assumption that travel and communications were difficult. Does it still make sense to organize our representative units by geography? Or to send representatives far away to create laws in our name? Is there a better way for people to choose collective representatives?
Indeed, the very idea of representative government is due to technological limitations. If an AI system could find the optimal solution for balancing every voter’s preferences, would it still make sense to have representatives — or should we vote for ideas and goals instead?
With today’s technology, we can vote anywhere and any time. How should we organize the temporal pattern of voting — and of other forms of participation?
Starting from scratch, what is today’s ideal government structure? Does it make sense to have a singular leader “in charge” of everything? How should we constrain power — is there something better than the legislative/judicial/executive set of checks and balances?
The size of contemporary political units ranges from a few people in a room to vast nation-states and alliances. Within one country, what might the smaller units be — and how do they relate to one another?
Who has a voice in the government? What does “citizen” mean? What about children? Animals? Future people (and animals)? Corporations? The land?
And much more: What about the justice system? Is the twelfth-century jury form still relevant? How do we define fairness? Limit financial and military power? Keep our system robust to psychological manipulation?

[Hmmm…]

Apple advances user security with powerful new data protections – Apple

Apple advances user security with powerful new data protections – Apple:

Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data. With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

The below is a nice touch… I dig it!

Apple introduced two-factor authentication for Apple ID in 2015. Today, with more than 95 percent of active iCloud accounts using this protection, it is the most widely used two-factor account security system in the world that we’re aware of. Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection. This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.

[Making security easy is really hard. That 95% is pretty amazing outside of corporate you-don’t-have-a-choice settings. Allez!]

Michael Tsai – Blog – FogBugz Auto-Upgrades Free and Dormant Plans to Paid

Michael Tsai – Blog – FogBugz Auto-Upgrades Free and Dormant Plans to Paid:

Anil Dash:

I don’t recommend anyone do business with them, whether as a customer or anything else; I was CEO of Fog Creek when we decided to sell FogBugz, and if I knew the difference between what we were told ahead of the deal and what happened after, I never would have approved it. I didn’t see that they’d done this latest shitty thing until now but I really lament that they’ve sunk to an even lower new level.

I’ll add this as well… from Marco Arment who called them… “I was concerned about possibly getting sent to collections and affecting credit.

The phone guy, over a VERY laggy, scratchy overseas connection, basically said my data was already deleted and the billing failure would auto-delete the account without any more action.”

[Well, that’s quite a thing. Shame on them.]