Musings tagged as security

Remember the 50 million batches of private user data Facebook lost to Cambridge Analytica, the data analysis company?

Well, it looks like they also like to use other methods, as an undercover investigation by Channel 4 found out. Things like bribing politicians or using sex workers to entrap them were among the glorious deeds the executives from Cambridge Analytica boasted about.

So keep on using Facebook and browsing the web while you are logged in. I am sure your private and personal life will be put to good use.

Skynet: 1 - Humans: 0

Mon, Mar 19, 2018

Congratulations! You are the first human to be killed by a self-driving Uber car. I mean, you were just crossing the street and now you’re dead but hey, a record’s a record.

I still cannot believe they actually allow these piles of junk on public roads. Will be interesting to see who gets the blame. Poor woman though :/

Update: The police chief involved in the investigation has stated that Uber is not to blame because it happened during low-light conditions in the evening and

it’s very clear it would have been difficult to avoid this collision in any kind of mode (autonomous or human-driven) based on how she came from the shadows right into the roadway

Came from the shadows? Those self-driving cars use, among other sensors, a combination of LIDAR and RADAR (Here’s a nice overview). Neither system gives a shit about low-light conditions or shadows. That is exactly what they are made for!

Two words: BULL-SHIT!

Oh, and another statement from the police chief:

I won’t rule out the potential to file charges against the (backup driver) in the Uber vehicle

There’s nothing like the good old pawn sacrifice.

Update (again): There is a video that has been released by the police, showing the external and internal cameras up to the point of the crash.

While the safety driver apparently looks down and not at the road, the exterior view clearly shows a slowly walking woman coming from the left of the lane. So she was out in the open on the tarmac, essentially at the same position as an oncoming vehicle, right before she stepped onto the lane the car was driving on.
If your RADAR and LIDAR systems cannot pick that up then you should look for a different job. And once again: neither RADAR nor LIDAR give a shit whether it is dark or not! They do not operate in the visible spectrum of light.

Remember how Facebook “failed to protect” the data of 30 million users back in 2017?

Turns out the whole thing is a bit more dramatic. Apparently Facebook essentially gave the private data of 50 million users to a “researcher” who told them he needed it for “research purposes”. So Facebook is like “Sure, go for it.” without properly checking anything. Turns out the “researcher” then gave the data to the data analysis company Cambridge Analytica, which used the private data of those 50 million profiles to analyze and predict voter behaviour for the election campaign of Trump.

Facebook claims that it is not their fault because they got scammed by the researcher. What a shitty excuse for failing to protect data entrusted to them. It is as if your bank told you: “We’re sorry that your account is empty, but some guy came by and told us that you said he could have all your cash. So we gave it to him. How could we have known? We are not to blame! We got scammed!”

And people still ask me why I am not on Facebook… you guys need to fucking wake up. Ever wondered why Facebook is free and you don’t have to pay anything? Want to guess how they pay for all their employees, data centers, and office buildings?

If you are not the customer, you are the product!

Cortana, Open Sesame!

Wed, Mar 7, 2018

Two Israeli researchers have found a way to bypass the screen lock protection of Windows 10 machines and install malware. How? Well, just talk to Cortana and tell her to visit a website serving malicious code because she still listens even if the screen is locked… :)

Here, Hold My Private Key

Wed, Feb 28, 2018

Paid certificate authority Trustico provides a premium installation service where they offer to take all the hassle of getting an SSL certificate running on your website off your hands. Oh, this includes your private key but hey, service is service, right?

If you prefer, we can also generate your Certificate Signing Request, Private Key and Certificate and then provide it to you.


Now, what could possibly go wrong if the guys who can sign your security certificate also have your private key and can modify your certificate at will? It is seriously amazing how the commercial CAs are cutting the branch they are sitting on. As if Let’s Encrypt, the completely free open source CA, chopping at the base of their tree wasn’t enough already. ^^

Update: In a contract struggle with DigiCert, Trustico asked DigiCert to revoke all certificates of Trustico’s customers which are managed by DigiCert. DigiCert tells Trustico that only the customers themselves can issue a revocation request for their certificates. They add that they can only do a mass revocation of all certificates if there is evidence of a security incident compromising the customers’ private keys.

So Trustico sends an e-mail to DigiCert containing more than 23,000 private keys. This apparently happened on the 27th of Feb. So now DigiCert has revoked the certificates belonging to all those 23k private keys effective 1st of Mar and sent e-mails to all those customers notifying them of the revocation.

Apparently Trustico did not just generate the private keys for premium installation customers, they also kept them. As I said, what could possibly go wrong…
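For contrast, here is how to keep the key out of the CA’s hands entirely. This is an added shell example, not code from the original post or from Trustico: it generates the private key and CSR on your own machine and checks that the CSR carries the public key of that key before anything is sent off. It assumes openssl is installed; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): generate the private key and CSR
# locally, so the CA only ever receives the CSR (public key + identity) and
# never the private key. Assumes openssl is on PATH; HOST is a placeholder.
set -e

HOST="www.example.com"          # constructed placeholder hostname
WORKDIR="$(mktemp -d)"

# Generate a 2048-bit RSA private key and a CSR signed with it.
# Only the .csr file goes to the CA; the .key file never leaves this machine.
make_local_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/$HOST.key" 2>/dev/null
  chmod 600 "$WORKDIR/$HOST.key"
  openssl req -new -key "$WORKDIR/$HOST.key" -subj "/CN=$HOST" \
    -out "$WORKDIR/$HOST.csr"
}

# Succeed only if the CSR's public key is the one derived from our private key.
# The same comparison works for the certificate the CA returns, using
# "openssl x509 -in cert.pem -pubkey -noout" in place of the req command.
key_matches_csr() {
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)"
  csr_pub="$(openssl req -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)"
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

make_local_csr
if key_matches_csr "$WORKDIR/$HOST.key" "$WORKDIR/$HOST.csr"; then
  echo "CSR matches local private key; send only $WORKDIR/$HOST.csr to the CA"
fi
```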

Oh, and Trustico has responded to DigiCert claiming

At no time had any private keys been compromised, nor had we ever informed to you that any private keys had been compromised

They did not offer any explanation as to where the 23,000 private keys came from, though. I smell proper legal action incoming and think I should stock up on my popcorn reserves!

Update Update: Trustico released a statement admitting that they stored the private keys for their customers’ SSL certificates. Additionally, among the compromised private keys are ones that were used by secure banking email servers or … Equifax!

There have already been calls for all other CAs to suspend or terminate their relationship with Trustico.

This gets better by the hour ^^

In an attempt to win the fight against software piracy not by making a quality product for which customers want to pay money, but by shady and potentially illegal methods, flight sim company flightsimlabs (FSLabs) has installed malware onto their customers’ PCs. The malware consists of a password dumper that automatically locates the Google Chrome browser’s login data file and then dumps all the usernames and passwords, which can then be extracted by FSLabs.

The company claims it only uses this tool against pirates which, I think, is totally beside the point. Not a single paying customer, during the ordering or installation process, gave them consent to have a password-stealing tool installed on their computer. On the contrary, FSLabs also asks you to turn off your antivirus software (not that it would be a big help anyway) before installation. Now why would they do that? :)

While FSLabs has, after receiving a lot of backlash, apparently released an installer that does not contain this malware, they have served as another glowing beacon showing why DRM is anti-consumer and totally despicable. I certainly would not buy anything from a company that thought it OK to install password-stealing malware onto their paying customers’ machines.