SSH protects the world’s most sensitive networks. It just got a lot weaker

SSH protects the world’s most sensitive networks. It just got a lot weaker | Ars Technica:

Fabian Bäumer, one of three researchers from Germany’s Ruhr University Bochum who devised Terrapin, described this approach in an email:

The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.

[Well… that’s not good.]

Here’s a Warrant Showing the U.S. Government is Monitoring Push Notifications

The letter does not disclose the legal mechanism used by governments to demand this data from Apple or Google. But the court record reviewed by 404 Media does include some specifics around push notification demands. Court Watch shared the record with 404 Media. The record is a search warrant application from May 2020 related to the investigation of a person suspected of theft or bribery concerning programs receiving federal funds.

In the search warrant application for information associated with a specific Yahoo email account, an FBI Special Agent writes under a section of the record entitled “Background Information Regarding Provider Services” that when a user of a mobile app installs and launches an app, the app will direct the device to obtain a “Push Token.” This is “a unique identifier that allows the provider associated with the application […] to locate the device on which the application is installed.”

[If they can, they will…]

Daring Fireball: 23andMe Confirms Hackers Stole Ancestry Data on 6.9 Million Users

In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

Here’s a real shocker: 23andMe has updated their terms of service in an attempt to prevent a class action lawsuit. Good luck with that.

[I never trusted them…]

AI Risks

Beneath this roiling discord is a true fight over the future of society. Should we focus on avoiding the dystopia of mass unemployment, a world where China is the dominant superpower or a society where the worst prejudices of humanity are embodied in opaque algorithms that control our lives? Should we listen to wealthy futurists who discount the importance of climate change because they’re already thinking ahead to colonies on Mars? It is critical that we begin to recognize the ideologies driving what we are being told. Resolving the fracas requires us to see through the specter of AI to stay true to the humanity of our values.

One way to decode the motives behind the various declarations is through their language. Because language itself is part of their battleground, the different AI camps tend not to use the same words to describe their positions. One faction describes the dangers posed by AI through the framework of safety, another through ethics or integrity, yet another through security, and others through economics. By decoding who is speaking and how AI is being described, we can explore where these groups differ and what drives their views.

[Context!]

Apple advances user security with powerful new data protections – Apple

Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data. With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

The below is a nice touch… I dig it!

Apple introduced two-factor authentication for Apple ID in 2015. Today, with more than 95 percent of active iCloud accounts using this protection, it is the most widely used two-factor account security system in the world that we’re aware of. Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection. This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.

[Making security easy is really hard. That 95% is pretty amazing outside of corporate you-don’t-have-a-choice settings. Allez!]