After meticulously opting out of Apple's crash telemetry time after time, year after year, over and over again, it was great to have Catalina tell me:
"based on your indicated consensual iCloud preferences, we've gone ahead and enabled crash telemetry reporting. is that right?"
all done teaching for the decade
that's it that's the tweet :)
It's great to see more cloud services advertising encryption at rest by default. That's just table stakes, however. It turns out that attackers get access to your data while the systems are on, so at-rest encryption isn't much help there. Decrypt data as close as possible to use.
I like that these hackers went to the trouble to actually steal the IP allocations, rather than just spoofing BGP. https://twitter.com/bad_packets/status/1202445266776776705
I suspect the real reason is that my university has lost all our grant funds on a crypto exchange.
The Manhattan DA's office, for example, said they now back-up all their files at least twice a day, and are considering ramping it up.
They're also a part of an encrypted Signal group chat with 17 other members (police, hospitals, mobile carriers) https://www.cnet.com/news/ransomware-devastated-cities-in-2019-officials-hope-to-stop-a-repeat-in-2020/
Very “inside academia” question: has anyone at any US university managed to pay an individual freelancer such as a copy editor, graphic designer, etc. without hiring them as an employee, or going through a big firm? My university claims this is impossible due to IRS rules.
Tomorrow at Black Hat EU @domienschepers will present our work that shows WPA-TKIP is more widespread than expected. The presentation will also include several new attacks! Academic paper of the work is already online: https://papers.mathyvanhoef.com/asiaccs2019.pdf
Genius literally caught Google redhanded stealing its content for the search engine's information boxes
SIGSALY used a very similar telephone unit. Since its actual cryptography required a basement full of electronics, the "extensions" used the WW2 equivalent of QKD for physical protection of the signal. In practice just about as secure as QKD; similar threat model.
This re:Invent talk by Eric Brandwine on how AWS uses custom Nitro hardware and hypervisor to mitigate micro-arch attacks is completely mind blowing:
NB: testing your attack on KVM/Xen running on an i3.metal instance is not an accurate proxy for EC2.
Sometimes I think LinkedIn makes stuff up just so it can remind me it exists.
Update: @Atlassian responded to my security report email in 9 minutes and they’re already working on handling this.
I did not initially think this was a private key situation which is why I just casually mentioned it. Thanks to @taviso for confirming issue. Collaboration is good. https://twitter.com/taviso/status/1202052594115284992
Emailed them the private key. I think they have 24h to revoke now.
This 4-page zinger by @benzevgreen argues that computer scientists often do harm by relying on naive, vague, and technology-centric notions of "social good". It has the most punchy introduction of any paper I've read. https://www.benzevgreen.com/wp-content/uploads/2019/11/19-ai4sg.pdf
80% of Android apps are now blocking cleartext traffic by default, and that number only continues to improve. This is a big deal for user security and privacy, and the result of many years of effort including the secure network config in Android Nougat, ...
This real-time CVE-assigning thread featuring @SwiftOnSecurity and @taviso is making my morning. https://twitter.com/swiftonsecurity/status/1202043149666922498
Me: Threat-hunting rare DNS lookups in a corporate network.
The tauntaun seems like an impractical means of transportation.
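The "threat-hunting rare DNS lookups" tweet above describes a hunt, not a method. As an added example that is not the tweet author's code, here is one way to do it: aggregate a DNS query log by registered domain, flag domains that only one or two clients ever resolved, and attach the Shannon entropy of the leftmost label as a cheap hint for algorithmically generated names. The log format, the sample records, the domains and the thresholds are all constructed for this example; the "last two labels" rule for the registered domain is a simplification (a real hunt should use the public suffix list, or country-code domains like co.uk will collapse wrongly).

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not a real capture). Assumed format,
# one record per line: "<timestamp> <client_ip> <query_name>".
SAMPLE_LOG = """\
2019-12-05T09:00:01Z 10.1.2.10 www.example.com
2019-12-05T09:00:02Z 10.1.2.11 www.example.com
2019-12-05T09:00:03Z 10.1.2.12 www.example.com
2019-12-05T09:00:04Z 10.1.2.10 mail.example.com
2019-12-05T09:00:05Z 10.1.2.13 cdn.example.net
2019-12-05T09:00:06Z 10.1.2.11 cdn.example.net
2019-12-05T09:00:07Z 10.1.2.12 update.vendor.test
2019-12-05T09:00:08Z 10.1.2.13 update.vendor.test
2019-12-05T09:00:09Z 10.1.2.14 update.vendor.test
2019-12-05T09:00:10Z 10.1.2.12 xk3q9zv2p.badexample.org
2019-12-05T09:00:11Z 10.1.2.12 tauntaun.hoth.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            ts, client, qname = m.groups()
            yield ts, client, qname.rstrip(".").lower()


def registered_domain(qname):
    """Last two labels of the name. Assumption: no public-suffix handling."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Entropy in bits per character; high values on a label hint at a DGA."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_rare_domains(text, max_clients=1, max_queries=2):
    """Return registered domains resolved by at most max_clients distinct
    clients and at most max_queries times, rarest first. Each entry carries
    the clients involved, the query count and the highest entropy seen among
    the leftmost labels queried under that domain."""
    clients = defaultdict(set)
    queries = defaultdict(int)
    names = defaultdict(set)
    for _, client, qname in parse_log(text):
        dom = registered_domain(qname)
        clients[dom].add(client)
        queries[dom] += 1
        names[dom].add(qname)

    out = []
    for dom in clients:
        if len(clients[dom]) <= max_clients and queries[dom] <= max_queries:
            max_ent = max(shannon_entropy(q.split(".")[0]) for q in names[dom])
            out.append({
                "domain": dom,
                "clients": sorted(clients[dom]),
                "queries": queries[dom],
                "max_label_entropy": round(max_ent, 2),
            })
    out.sort(key=lambda r: (len(r["clients"]), r["queries"], r["domain"]))
    return out


if __name__ == "__main__":
    for hit in find_rare_domains(SAMPLE_LOG):
        print(f"{hit['domain']:<20} clients={hit['clients']} "
              f"queries={hit['queries']} entropy={hit['max_label_entropy']}")
```

On the constructed log this surfaces badexample.org and hoth.test (each seen from a single client, once), while the domains every workstation resolves fall away. In a real hunt the thresholds should be set against a baseline window of days, not minutes, and the entropy column is only a triage hint: short legitimate labels can score high and long dictionary-word DGAs score low.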