Random musings on whatever subject strikes my fancy, published every other day.

Category: InfoSec and IT Page 2 of 31

Signal’s Revenge

You may have seen a story last December that a software company called Cellebrite claimed it had cracked Signal. Signal, you should already know, is the most secure messaging app you can get. You want Signal on your phone instead of whatever garbage they shipped on there.

Well, Cellebrite was lying. All they could do was copy the encrypted files Signal keeps on the phone. Nothing at all to do with breaking the encryption.

Moxie Marlinspike, the founder of Signal, was not amused. He explained the reality of the situation. All things considered, his response was quite measured.

He was clearly biding his time. (best served cold, amirite?) Yesterday, he published this blog post about a Cellebrite data-stealing kit that mysteriously came into his possession, and how he cracked it.

Read the whole thing here. The TL;DR is that since Cellebrite indiscriminately sucks all the data off the target phone, it’s not at all difficult to craft files that will thoroughly pwn the Windows machine on which Cellebrite is being run.

But my favorite part is at the end, when he mentions:

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

I, for one, will be grinning about this for days.

Jeff is Listening

Do not, under any circumstances, have one of these in your home.

There is no reason whatsoever to assume that “smart devices” with microphones are not listening and analyzing everything they can hear 100% of the time.

There is no reason to assume that the mute button does anything other than turn on an LED.

There’s a reason that a 70″ LED monitor costs $4500 while a 70″ smart TV costs $399. They are making up the difference in revenue via the sales of your data. What you watch, what you eat, how much you argue, how much you have sex. What your kids talk about. If they can hear everything, they know everything.

I will have more about the state of IoT security in weeks to come. Suffice to say, things have not improved.

Black Friday Specials!

Super Sale! One low price for everything!

Plus: Not just free as in beer! Free as in Freedom. Not to mention, software that is constantly being inspected by a community at the source level will tend to be more secure, and will always get its serious security bugs fixed faster.

I support the Free Software Foundation, because they truly support freedom.

Single Point of Failure

By now you have seen this image all over.

Check out the coverage of this story in The Hacker News. It’s better than most, but still doesn’t get it quite right… in my opinion.

Here’s the thing: Neither Obama nor Gates nor Bezos nor any of these prominent figures “got hacked.” What they did was, they trusted their identity and part of their public face to a single entity: Twitter. Twitter is the only one in this story that “got hacked.” The Hacker News article details why they did, but it’s the fact that it matters so much that I find so distressing.

To me, the problem is not that Twitter got hacked, the problem is what a gigantic vulnerability for everyone this points up. I can think of one particular moron who could literally start World War III via his Twitter account. In fact, he damn near did.

Is this what humanity needs as a single point of failure for… all of civilization? Twitter?

Always Ask Why

Feature this scene: I am on my LinkedIn page and I have private messages from two people within minutes of each other.

In window #1, a friend of several years, and a co-worker of several jobs, who’s just been laid off due to COVID-19. They’re a star performer but only began their current job about 10 months ago. And their company followed a strict Last-In-First-Out method for making cuts. (Abysmally stupid, but that is a rant for another day.)

In window #2, a recruiter looking for someone just like my friend in window #1. “In NYC”. My friend in window #1 would blow the doors off this gig, and it would be amazing to hook them up with the gig in window #2. But they are on the Left Coast.

My BS alarm goes off right away. Why “in NYC”? Are they going to an office next Monday if they get the gig? Hell, no! So they will start as a remote worker, right? Why can’t they just BE a remote worker?

But that’s just the line I got from window #2: they can start remotely but “after the lock-down” they must be onsite. I tried to get window #2 to poke at this. If a client tells you it has to be onsite, ask WHY. Especially if they are willing to onboard remotely but then switch to the onsite requirement “after lock-down ends.”

First off, I promise you, they have NO IDEA when, or if, the lock-down will end. Second, what is it about the job’s requirements that allows working from home now but magically changes if the lock-down ends? If the job’s information security requirements aren’t compatible with WFH after lock-down, they aren’t compatible with it now, either.

Recruiters, you are missing out on a lot of good prospects. People are already in enough uncertainty, THEY can’t be sure if they will be able to move. Make your clients break their old useless mental habits.

The world is changing about this issue right freakin’ now.

