Bart Preneel

@bpreneel@infosec.exchange
Ready, set, go! Program for next Friday is up at https://www.win.tue.nl/eipsi/surveillance.html and registration is still open.
We need to fix the meal order tomorrow (yes, free lunch included). Please register soon.
Shoutouts to
@bpreneel @patrick_breyer_mep @echo_pbreyer
@xot
@oec
@its_bochum
Security in Times of Surveillance

Microsoft could fix ransomware by rate limiting CreateFile(), the API that's used to open files. Opening files is a crucial step to encrypting or exfiltrating the data, and very few apps need to open a lot of files at once.

I've heard that Microsoft's reason for not fixing it is … because user experience shouldn't change because of Windows Update… https://wandering.shop/@xgranade/112498285644883431

Xandra Granade 🏳️‍⚧️ (@xgranade@wandering.shop)

I remember when Windows 10 mail was local only, before a Windows Update made it cloud-only. I remember Edge didn't have built-in ads, before an update put ads everywhere. I remember when the My Documents folder was local-only by default, until a new version of OneDrive pushed it all to the cloud by default. History suggests that this kind of product is too often a wedge to justify more abuse of personal information in the future.

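The proposal in the post above, modelled as an added example (my own Python, not code from the post, from Microsoft, or from any product): a per-process sliding-window count of file opens, where every open that pushes the count past a budget is the one a limiter would refuse or a detector would alert on. The process names, the 50-opens-per-second budget and the event tuples are constructed stand-ins for Sysmon or ETW file events, not a real log format.

```python
"""Per-process rate check on file-open events (constructed sample data).

Models a CreateFile() rate limit as a sliding-window counter: every open
is recorded per process, opens older than the window are dropped, and any
open that pushes the window count past the budget is counted as one the
limiter would refuse (or, used as a detector, alert on).
Event tuples are a stand-in for Sysmon/ETW file events, not a real format.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0      # assumed: trailing window length
OPEN_BUDGET = 50          # assumed: opens allowed per process per window


def analyze_opens(events, window=WINDOW_SECONDS, budget=OPEN_BUDGET):
    """events: iterable of (timestamp_s, process_name, path).

    Returns {process: {"peak": most opens seen inside one window,
                       "over_budget": opens that exceeded the budget,
                       "first_over": timestamp of the first excess open or None}}.
    """
    recent = defaultdict(deque)
    stats = defaultdict(lambda: {"peak": 0, "over_budget": 0, "first_over": None})
    for ts, proc, _path in sorted(events):
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > window:      # evict opens that fell out of the window
            q.popleft()
        s = stats[proc]
        s["peak"] = max(s["peak"], len(q))
        if len(q) > budget:
            s["over_budget"] += 1
            if s["first_over"] is None:
                s["first_over"] = ts
    return dict(stats)


def make_sample_events():
    """Constructed sample: an editor, a browser warming its cache, and a
    ransomware-like process sweeping a Documents folder in under a second."""
    events = []
    for i in range(5):
        events.append((i * 0.3, "winword.exe", rf"C:\Users\u\Documents\report{i}.docx"))
    for i in range(40):
        events.append((0.5 + i * 0.02, "chrome.exe", rf"C:\Users\u\AppData\Local\Cache\f_{i:06x}"))
    for i in range(300):
        events.append((2.0 + i * 0.002, "updater.exe", rf"C:\Users\u\Documents\file{i}.xlsx"))
    return events


def flagged_processes(events, **kw):
    """Process names whose open rate exceeded the budget, for quick triage."""
    return sorted(p for p, s in analyze_opens(events, **kw).items() if s["over_budget"])


if __name__ == "__main__":
    for proc, s in analyze_opens(make_sample_events()).items():
        print(f"{proc:12s} peak={s['peak']:4d} over_budget={s['over_budget']:4d} "
              f"first_over={s['first_over']}")
```

With the default budget only the sweeping process trips the check; the browser's 40-open cache burst sits just under it, and lowering the budget to 30 flags the browser too. That is the tuning problem a real limiter faces: backup agents, indexers, build tools and browsers all open files in bursts, so the budget has to be per application rather than global, and a refused open must be reported to the user rather than silently failed.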

The Belgian presidency has drafted yet another tweaked #chatcontrol proposal. In summary, the proposal remains completely unacceptable.

TLDR: All the problems pointed out in our earlier open letters are still there
https://nce.mpi-sp.org/index.php/s/eqjiKaAw9yYQF87
https://docs.google.com/document/d/13Aeex72MtFBjKhExRTooVMWN9TC-pbH-5LEaAbMF91Y/

a) the risk of abuse of the solution for other applications (including political purposes)
b) the huge number of false positives (no, waiting for 2 alerts does not work)
c) the fact that the real targets will use other technologies (e.g. sharing links to encrypted files).
d) chilling effect on teenagers.

Summary of latest proposal:
1) Detection of known CSAM and of new CSAM using AI (2 hits before you are reported) remain fully unacceptable because it just does not work for technical reasons pointed out earlier.
2) Grooming detection in text and audio is abandoned; information is pseudonymized before it is reported (presumably identity of the user is known)
3) User has to give consent before the client side scanning; details are not known but it is unclear what happens if consent is not given – is the message not sent? Why do policy makers believe that popups solve problems (cookies anyone)?

Source (in German):
https://netzpolitik.org/2024/internes-protokoll-belgien-will-nutzer-verpflichten-chatkontrolle-zuzustimmen/

Open Letter CSA v2.pdf


NEW, by me: The check-in computers at several hotels around the U.S. are running a consumer-grade spyware app called pcTattletale.

pcTattletale was seen stealthily and continually capturing screenshots of the hotel booking systems, which contained guest information and reservation details.

This was discovered because a security researcher found a flaw in the spyware that is exposing these screenshots to the internet, not just to the spyware's intended users.

More: https://techcrunch.com/2024/05/22/spyware-found-on-hotel-check-in-computers/

EXCLUSIVE: Spyware found on US hotel check-in computers

The check-in computers at several hotels around the U.S. are running a remote access app, which is leaking screenshots of guest information to the internet.


This is sadly entirely accurate, and the whole problem...

(Edit: Original is here. Go follow the artist. https://mastodon.social/@workchronicles/112417993863156684)

Reason #2,391 why revisiting security assumptions is always a good idea.

[Bimi] No cryptographic connection between VMC and DKIM key

https://mailarchive.ietf.org/arch/msg/bimi/Ba3jFfJ8K6ic7qg4DzPsIsGW5UY/

My favorite part:

"I guess some may consider what I just said as an unimportant or a merely theoretical issue, so I would like to illustrate it with an example. Let's take the domain entrust.com. It has a DKIM key configured at "dkim._domainkey.entrust.com". The TXT record is the following:

"v=DKIM1; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyGF0xzO7Eig1H8QdIErjEKOGnIVvoLU5VjcMRBRWZK65NinL+gVnjuMD2mYdjC3f+7sQCWxGDSKIFn/bB+iXxO2x1/ktkwXHQfQ/9FcFuy+LE0Snsm0SwXN/2l1m5f9e1xdswC+dzHt6DIpDSDENsRal019YKQTqwVyB++7QORwIDAQAB"

This is a 1024 bit RSA key, which is not up to modern standards. But breaking 1024 bit RSA is still only feasible for very powerful attackers. However, this key has another problem: it is vulnerable to the Debian OpenSSL bug (CVE-2008-0166). It is trivially possible to find the private key (you can use my tool badkeys - https://badkeys.info/ - to do that):

https://github.com/badkeys/debianopenssl/blob/main/rsa1024/ssl/le32/25731-rnd.key"

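The key-size half of the check quoted above can be reproduced with nothing but the standard library. What follows is an added example, not code from the BIMI thread, from its author, or from badkeys: it parses the DKIM tag list, walks the DER SubjectPublicKeyInfo that the p= tag carries, and reports the modulus size and exponent of the entrust.com record quoted in the post. The Debian weak-key test is modelled as a fingerprint lookup in a set; the SHA-256-of-modulus fingerprint format and the empty default set are assumptions for illustration and are not the badkeys data format, which is what you would actually consult for CVE-2008-0166.

```python
"""Inspect the RSA key published in a DKIM TXT record (standard library only).

The record below is the entrust.com record quoted in the thread. A minimal
DER walker pulls the modulus and exponent out of the SubjectPublicKeyInfo
that DKIM's p= tag carries, which is enough to report the key size. The
weak-key check at the end is modelled as a lookup of a modulus fingerprint
in a set; the fingerprint format and the empty default set are assumptions
for illustration, not the badkeys data format.
"""
import base64
import hashlib

DKIM_TXT = (
    "v=DKIM1; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyGF0xzO7Eig1H8QdIErjEKOGnIVvoLU"
    "5VjcMRBRWZK65NinL+gVnjuMD2mYdjC3f+7sQCWxGDSKIFn/bB+iXxO2x1/ktkwXHQfQ/9"
    "FcFuy+LE0Snsm0SwXN/2l1m5f9e1xdswC+dzHt6DIpDSDENsRal019YKQTqwVyB++7QORwIDAQAB"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_dkim_record(txt):
    """Split a DKIM tag-list ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # values may contain folding whitespace
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_from_spki(der):
    """Return (n, e) from a DER SubjectPublicKeyInfo holding an RSA key."""
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    _, alg, pos = _der_tlv(spki, 0)            # AlgorithmIdentifier
    if _der_tlv(alg, 0)[1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der_tlv(spki, pos)          # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_seq, _ = _der_tlv(bits, 1)           # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _der_tlv(rsa_seq, 0)
    _, e_bytes, _ = _der_tlv(rsa_seq, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def dkim_public_key(txt):
    """(n, e) of the key in a DKIM TXT record."""
    return rsa_from_spki(base64.b64decode(parse_dkim_record(txt)["p"]))


def modulus_fingerprint(n):
    """Assumed blocklist key: SHA-256 of the big-endian modulus bytes."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def assess_dkim_key(txt, weak_fingerprints=frozenset()):
    """Return (bits, e, findings) for the key in a DKIM TXT record."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("only v=DKIM1 RSA records are handled here")
    n, e = dkim_public_key(txt)
    findings = []
    if n.bit_length() < 2048:
        findings.append(f"RSA-{n.bit_length()} modulus; RFC 8301 recommends 2048 bits")
    if modulus_fingerprint(n) in weak_fingerprints:
        findings.append("modulus is on the supplied weak-key blocklist")
    return n.bit_length(), e, findings


if __name__ == "__main__":
    bits, e, findings = assess_dkim_key(DKIM_TXT)
    print(f"RSA-{bits}, e={e}")
    for finding in findings:
        print(" -", finding)
```

To run it against a live record, fetch the TXT record with `dig +short TXT dkim._domainkey.entrust.com`, join the quoted strings and pass the result to `assess_dkim_key`. The key-size finding alone does not make a key compromised; the point the post makes is that a 1024-bit key drawn from the Debian-era broken PRNG is recoverable in minutes, and only a blocklist lookup such as the one badkeys performs will tell you that.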

270 scientists from 33 countries tear apart the latest proposals of the Council of the EU for #chatcontrole and warn of "catastrophic consequences":
▶️ undermines communication and system security
▶️ unprecedented surveillance and control capabilities
▶️ millions of false alarms to be expected
▶️ #chatcontrole is techno-solutionist and will hardly counter child abuse
#chatcontrol
https://nce.mpi-sp.org/index.php/s/eqjiKaAw9yYQF87
Open Letter CSA v2.pdf


Apple's 'incredibly private' Safari is not so private in Europe

Infosec eggheads find iGiant left EU iOS 17 users open to being tracked around the web. Apple's grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking.…
#theregister #IT
https://go.theregister.com/feed/www.theregister.com/2024/04/30/apple_safari_europe_tracking/

EU plan to force messaging apps to scan for #CSAM risks millions of false positives, experts warn - https://techcrunch.com/2024/05/02/eu-csam-scanning-council-proposal-flaws/ Of course, as we have been saying for years...
EU plan to force messaging apps to scan for CSAM risks millions of false positives, experts warn | TechCrunch

A controversial push by European Union lawmakers to put a legal requirement on messaging platforms to scan citizens' private digital communications if they receive an order to detect child sexual abuse material (CSAM) could lead to millions of false positives per day, hundreds of security and privacy experts are warning in an open letter Thursday.


What a surprise.

"The auditor for former president Donald Trump’s media company was charged with “massive fraud” Friday by the Securities and Exchange Commission, which accused the firm of being a “sham audit mill” whose failures put investors at risk."

https://www.washingtonpost.com/technology/2024/05/03/trump-media-auditor-borgers-suspended-permanently/

Trump Media auditor charged by SEC with ‘massive fraud’

Regulators said B.F. Borgers’ “deliberate and systemic failure” led to errors in more than 1,500 of its filings.
