Random musings on whatever subject strikes my fancy, published every other day.

Category: InfoSec and IT Page 2 of 31


Risk is handled in one of three fundamental ways:

  • Mitigated: You reduce risk by enacting some countermeasure. Network attack risk is reduced when you install a good firewall. Malware risk is reduced when you roll out anti-virus software. Shoplifting loss risk is reduced when you install cameras and hire guards in your store.
  • Transferred: The risk is reduced by paying someone else to assume it. To put it simply: you buy insurance.
  • Accepted: You realize risk cannot be zeroed out even if you spend more money than you might lose to the threats. So you find your “sweet spot” and accept that some risk still remains. We call this residual risk.

In information security, everything is trade-offs. Usually, the trade is resources for risk reduction. Finding the sweet spot is not even the hard part. The hard part is getting management to understand why the sweet spot is found where residual risk is still annoyingly non-zero.
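As an added illustration of the three options and the “sweet spot” (example code written for this page, not from the original post), the model below takes a constructed threat with an expected annual loss, a menu of countermeasures (mitigation), an optional insurance policy (transfer), and treats whatever expected loss is left as accepted residual risk. It enumerates every combination and picks the one with the lowest total cost. Every figure, name and reduction factor is made up for the example; the point is that the cheapest plan still carries non-zero residual risk, and that over-spending on the strongest control costs more than the threat could ever lose you.

```python
"""Constructed risk-handling model: mitigate, transfer, accept.

All threats, controls, policies and numbers below are invented for
illustration; they are not data from any real environment.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    events_per_year: float   # expected number of incidents per year
    loss_per_event: float    # dollars lost per incident

    @property
    def annual_expected_loss(self) -> float:
        # Classic annualised loss expectancy: rate x magnitude.
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    fraction_prevented: float   # share of incidents it stops, 0..1


@dataclass(frozen=True)
class Insurance:
    name: str
    annual_premium: float
    fraction_covered: float     # share of each loss the insurer pays, 0..1


@dataclass(frozen=True)
class Plan:
    controls: Tuple[Countermeasure, ...]
    insurance: Optional[Insurance]
    spend: float          # countermeasure costs plus premium (resources)
    residual_risk: float  # expected loss still on our own books (accepted)

    @property
    def total_cost(self) -> float:
        return self.spend + self.residual_risk


def evaluate(threat: Threat, controls: Iterable[Countermeasure],
             insurance: Optional[Insurance] = None) -> Plan:
    """Apply mitigation, then transfer; what remains is accepted."""
    controls = tuple(controls)
    events = threat.events_per_year
    for control in controls:                 # mitigation reduces the rate
        events *= 1.0 - control.fraction_prevented
    expected_loss = events * threat.loss_per_event
    spend = sum(c.annual_cost for c in controls)
    if insurance is not None:                # transfer moves part of the loss
        spend += insurance.annual_premium
        expected_loss *= 1.0 - insurance.fraction_covered
    return Plan(controls, insurance, spend, expected_loss)


def all_plans(threat: Threat, options: Iterable[Countermeasure],
              policies: Iterable[Insurance] = ()) -> list:
    """Every subset of controls, with and without each policy."""
    options, policies = tuple(options), tuple(policies)
    plans = []
    for k in range(len(options) + 1):
        for subset in combinations(options, k):
            for policy in (None, *policies):
                plans.append(evaluate(threat, subset, policy))
    return plans


def sweet_spot(threat: Threat, options: Iterable[Countermeasure],
               policies: Iterable[Insurance] = ()) -> Plan:
    """The plan whose spend plus residual risk is lowest."""
    return min(all_plans(threat, options, policies), key=lambda p: p.total_cost)


# Constructed sample data (made up): half an incident a year at $40k each.
NETWORK_ATTACK = Threat("network attack", events_per_year=0.5, loss_per_event=40_000.0)
OPTIONS = (
    Countermeasure("firewall", annual_cost=3_000.0, fraction_prevented=0.6),
    Countermeasure("ids", annual_cost=5_000.0, fraction_prevented=0.3),
    # Costs more than the threat could ever lose us; the post's warning.
    Countermeasure("gold-plated appliance", annual_cost=30_000.0, fraction_prevented=0.99),
)
POLICIES = (Insurance("cyber policy", annual_premium=3_000.0, fraction_covered=0.5),)

if __name__ == "__main__":
    best = sweet_spot(NETWORK_ATTACK, OPTIONS, POLICIES)
    print(f"baseline expected loss: ${NETWORK_ATTACK.annual_expected_loss:,.0f}")
    print("best plan:", [c.name for c in best.controls],
          "+", best.insurance.name if best.insurance else "no insurance")
    print(f"spend ${best.spend:,.0f}, residual risk ${best.residual_risk:,.0f}, "
          f"total ${best.total_cost:,.0f}")
```

With the sample numbers the cheapest plan is the firewall plus the policy: $6,000 spent, $4,000 of expected loss still accepted, $10,000 total, against a $20,000 baseline. Buying the $30,000 appliance on its own drives residual risk to $200 but costs $30,200 in total, which is the “spend more than you might lose” trap from the list above. No plan in the enumeration ever reaches zero residual risk.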

There are other trade-offs. Every time we transact with a company, we risk some of our private information in exchange for some benefit that company offers us. We risk the disclosure of a credit card number, to gain the benefit of a new FitBit. We risk the privacy of our home address, to gain the benefit of having delivery of that FitBit to our door. We risk the privacy of our health information by putting that FitBit on our wrist, and syncing it to an app in our phone. This gains us the benefit of the aid that the FitBit provides to our exercise program.

Personally, I consider a FitBit too risky for privacy to be worth the benefits it can provide. Maybe someday FitBit will show me that the benefits can outweigh those risks.

See what the big deal is

But the ultimate case where I wonder how people are making these risk/benefit decisions comes with things like Alexa, Google Assistant, Siri, and (shudder) Facebook Portal. We’ve already seen cases where voice recordings from people’s homes have been grossly mishandled. What about the cases where they are handled “properly?” Where the “proper” handling of this data is to build a profile of you so detailed, your spouse would be surprised to learn some of it?

Maybe I’m the most digital Luddite around. But I will have none of that in my vicinity. When I am in its presence, unwillingly, I may do something like this:

Maybe that will tip someone’s risk-acceptance decision the right way. That’s me, always looking for a way to reduce that residual risk.

Ah, Facebook

Signal is at it again*. I’m really starting to love Moxie Marlinspike.

This is an ad that Signal bought on Instagram (owned by Facebook). In lieu of using the rich bouquet of data that Facebook presents to advertisers about the user, they just passed it along to the user.

The point was not lost on Facebook, who have banned Signal’s ads from the platform. It’s all pretty delicious.

Meanwhile: this.

Oh, yeah. One piece of advice. Get off Facebook.


Earlier Signal fun here.

Signal’s Revenge

You may have seen a story last December that a software company called Cellebrite claimed it had cracked Signal. Signal, you should already know, is the most secure messaging app you can get. You want Signal on your phone instead of whatever garbage they shipped on there.

Well, Cellebrite was lying. All they could do was copy the encrypted files Signal keeps on the phone. Nothing at all to do with breaking the encryption.

Moxie Marlinspike, the founder of Signal, was not amused. He explained the reality of the situation. All things considered, his response was quite measured.

He was clearly biding his time. (best served cold, amirite?) Yesterday, he published this blog post about a Cellebrite data-stealing kit that mysteriously came into his possession, and how he cracked it.

Read the whole thing here. The TL;DR is that since Cellebrite indiscriminately sucks all the data off the target phone, it’s not at all difficult to craft files that will thoroughly pwn the Windows machine on which Cellebrite is being run.

But my favorite part is at the end, when he mentions:

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

I, for one, will be grinning about this for days.

Jeff is Listening

Do not, under any circumstances, have one of these in your home.

There is no reason whatsoever to assume that “smart devices” with microphones are not listening and analyzing everything they can hear 100% of the time.

There is no reason to assume that the mute button does anything other than turn on an LED.

There’s a reason that a 70″ LED monitor costs $4500 while a 70″ smart TV costs $399. They are making up the difference in revenue via the sales of your data. What you watch, what you eat, how much you argue, how much you have sex. What your kids talk about. If they can hear everything, they know everything.

I will have more about the state of IoT security in weeks to come. Suffice to say, things have not improved.

Black Friday Specials!

Super Sale! One low price for everything!

Plus: Not just free as in beer! Free as in Freedom. Not to mention, software that is constantly being inspected by a community at the source level will tend to be more secure, and will always get its serious security bugs fixed faster.

I support the Free Software Foundation, because they truly support freedom.

