• CRYPTO-GRAM, December 15, 2022

    From TCOB1@21:1/229 to All on Thursday, December 22, 2022 12:41:18
    Delivered-To: thecivvie@gmail.com
    Received: by 2002:a59:db88:0:b0:32a:f9c0:8122 with SMTP id z8csp234815vqc;
    Wed, 14 Dec 2022 23:42:39 -0800 (PST)
    X-Google-Smtp-Source: AA0mqf59d4S5x4zGSYwMfotNLkcu9t/vUPoy/wXePcnA632n6G1cbscIk byIscEEnNx7YXm5wlFj
    X-Received: by 2002:a81:3e07:0:b0:421:2aa5:749e with SMTP id l7-20020a813e07000000b004212aa5749emr9954427ywa.23.1671090159127;
    Wed, 14 Dec 2022 23:42:39 -0800 (PST)
    ARC-Seal: i=1; a=rsa-sha256; t=1671090159; cv=none;
    d=google.com; s=arc-20160816;
    b=QB9M27W/IeWQ298YT3A2nGBrDGGnH5NvFUEXYnm0UykN4X7VgDuEPNKXcfmCx5HXLp
    EP05DPFdGSTblOfohgNim9WevXP6Dv2bTjWeHk6mzPI5Tja0xqgvlMXlzc2V46IASe9/
    B9gRyD1/E6pI5fGql2POlHc2elz7KwAUYyzQL+gzLLxp5zDpSJqSOSM+pLzrCqSDVf+t
    NzR6x58Lkr6v6GvUy91NGzZv6Ma9F1lJc0mTZYjZ0sIhfdlfur6/jD0raV//+3A5GmhY
    cMPQ0G5zvUuSa8FTOMe50KpIds02XXsHkYrHSJEPS6FHplmwj70tRjoM5eH7clKs8fF8
    ypIg==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
    h=mime-version:list-unsubscribe-post:list-unsubscribe:list-id
    :feedback-id:message-id:date:to:reply-to:from:subject:dkim-signature
    :dkim-signature;
    bh=vbOqQRrd5JNnc2doghd07IzSAR1bEQIB4zFnZONRf/o=;
    b=rvoypNvrVAQP6cehhoLUBEEgwGeB/bib5Q9E1b+O+N4s84wOLVbvU69v1YJfSuZ0br
    IRuyZ2JMAYjHUK84h8UzKqgDS18ybldI00ENkN5JsMPhDesm2qWmTLdmq8Zs7fGvZ2gN
    szcT4Z37eSoWnwg+qHaFZ+n8Kzara75Xk8q7AAhnaLmouVGiZNH4tRsKxPXfJHjKnbYY
    Vg9z4Cf8y31GsBmR4Mnyj+k14z52jEUSSeHG8GTdK3ksP1oPabm0+gkzdivBG155G7ad
    Xps8Vak3UgYGIGa1thWR8Km0zTilSpLeBTOz/0ioB951TIiA/oppItLjK5SSMoQStgM8
    PerQ==
    ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@gmail.mcsv.net header.s=k1 header.b=DuIaH5Nf;
    dkim=pass header.i=@schneier.com header.s=k1 header.b=fALtRBPE;
    spf=pass (google.com: domain of bounce-mc.us18_96479565.368210-d6f5467f8 3@mail9.suw131.mcsv.net designates 198.2.188.9 as permitted sender) smtp.mailfrom=bounce-mc.us18_96479565.368210-d6f5467f83@mail9.suw131.mcsv.net
    Return-Path: <bounce-mc.us18_96479565.368210-d6f5467f83@mail9.suw131.mcsv.net> Received: from mail9.suw131.mcsv.net (mail9.suw131.mcsv.net. [198.2.188.9])
    by mx.google.com with ESMTPS id l186-20020a8194c3000000b00393ca880984si 2015618ywg.70.2022.12.14.23.42.38
    for <thecivvie@gmail.com>
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
    Wed, 14 Dec 2022 23:42:39 -0800 (PST)
    Received-SPF: pass (google.com: domain of bounce-mc.us18_96479565.368210-d6f5467f83@mail9.suw131.mcsv.net designates 198.2.188.9 as permitted sender) client-ip=198.2.188.9; Authentication-Results: mx.google.com;
    dkim=pass header.i=@gmail.mcsv.net header.s=k1 header.b=DuIaH5Nf;
    dkim=pass header.i=@schneier.com header.s=k1 header.b=fALtRBPE;
    spf=pass (google.com: domain of bounce-mc.us18_96479565.368210-d6f5467f8 3@mail9.suw131.mcsv.net designates 198.2.188.9 as permitted sender) smtp.mailfrom=bounce-mc.us18_96479565.368210-d6f5467f83@mail9.suw131.mcsv.net
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.mcsv.net;
    s=k1; t=1671089788; x=1671392188;
    bh=vbOqQRrd5JNnc2doghd07IzSAR1bEQIB4zFnZONRf/o=;
    h=Subject:From:Reply-To:To:Date:Message-ID:X-MC-User:Feedback-ID:
    List-ID:List-Unsubscribe:List-Unsubscribe-Post:Content-Type:
    MIME-Version:CC:Date:Subject:From;
    b=DuIaH5NfLm6Yd1fMmKyL5EBV9TwZdDPRHFV8wa/JG9s0pWT1x1qsWBNrXYQJSAtLr
    lG4mPdvTR9b4QAymms9J8VDA/x/hyCxgD9FrXl/0WCoYmNRBLe8zkEcnQXxIlqZAzW
    qrXErO6rKBw1ER3S/yl8cen4LRlsjQyt1xOhmYTIK5okyjq9gb1cpvGxc4v2f7Esqq
    1MsmXjx00hteZHcJLzpC+iL5MPvxQrv6Zz66eI1HzoTnlfp+E22w8YO16X9oF9ktLG
    yQenNpe4bsN5jPKxGtvTHkcxlJL3BIqqKcHdkLlTDzpNSESEwbMGfk4BwIIh4SexWC
    t/UTJnLRQhMEg==
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=schneier.com; s=k1;
    t=1671089788; x=1671392188; i=schneier@schneier.com;
    bh=vbOqQRrd5JNnc2doghd07IzSAR1bEQIB4zFnZONRf/o=;
    h=Subject:From:Reply-To:To:Date:Message-ID:X-MC-User:Feedback-ID:
    List-ID:List-Unsubscribe:List-Unsubscribe-Post:Content-Type:
    MIME-Version:CC:Date:Subject:From;
    b=fALtRBPEfi9pDXhFSfhedBygrjjEMcg8tPcRwWSPCpM42rDRJP0bw6XUgGmRCD6wt
    dBvuNo231n8hlDJGQ4yCP1Ii0hY5/TR04GkhObWIG9NUz6/gID6xVBv+JiVtrdhfnh
    /Bxz05VEmueDvfMKyBnIuUkGdJIkAz4Vry4ZXW/E=
    Received: from localhost (localhost [127.0.0.1])
    by mail9.suw131.mcsv.net (Mailchimp) with ESMTP id 4NXkZ406p3zLfkdbj
    for <thecivvie@gmail.com>; Thu, 15 Dec 2022 07:36:28 +0000 (GMT) Subject: =?utf-8?Q?CRYPTO=2DGRAM=2C=20December=2015=2C=202022?=
    From: =?utf-8?Q?Bruce=20Schneier?= <schneier@schneier.com>
    Reply-To: =?utf-8?Q?Bruce=20Schneier?= <schneier@schneier.com>
    To: <thecivvie@gmail.com>
    Date: Thu, 15 Dec 2022 07:35:33 +0000
    Message-ID: <f99e2b5ca82502f48675978be.d6f5467f83.20221215073521.39d832de42.ccb 91762@mail9.suw131.mcsv.net>
    X-Mailer: Mailchimp Mailer - **CID39d832de42d6f5467f83** X-Campaign: mailchimpf99e2b5ca82502f48675978be.39d832de42 X-campaignid: mailchimpf99e2b5ca82502f48675978be.39d832de42 X-Report-Abuse: Please report abuse for this campaign here: https://mailchimp.com/contact/abuse/?u=f99e2b5ca82502f48675978be&id=39d832de42&
    e=d6f5467f83
    X-MC-User: f99e2b5ca82502f48675978be Feedback-ID: 96479565:96479565.368210:us18:mc List-ID: f99e2b5ca82502f48675978bemc list
    <f99e2b5ca82502f48675978be.57885.list-id.mcsv.net>
    X-Accounttype: pd
    List-Unsubscribe: <https://schneier.us18.list-manage.com/unsubscribe?u=f99e2b5c a82502f48675978be&id=22184111ab&e=d6f5467f83&c=39d832de42>,
    <mailto:unsubscribe-mc.us18_f99e2b5ca82502f48675978be.39d832de42-d6f5467f83@uns ubscribe.mailchimpapp.net?subject=unsubscribe>
    List-Unsubscribe-Post: List-Unsubscribe=One-Click Content-Type: multipart/alternative; boundary="_----------=_MCPart_1654239436"
    MIME-Version: 1.0

    This is a multi-part message in MIME format

    --_----------=_MCPart_1654239436
    Content-Type: text/plain; charset="utf-8"; format="fixed" Content-Transfer-Encoding: quoted-printable

    ** CRYPTO-GRAM
    DECEMBER 15=2C 2022 ------------------------------------------------------------

    by Bruce Schneier
    Fellow and Lecturer=2C Harvard Kennedy School schneier@schneier.com https://www.schneier.com

    A free monthly newsletter providing summaries=2C analyses=2C insights=2C a= nd commentaries on security: computer and otherwise.

    For back issues=2C or to subscribe=2C visit Crypto-Gram's web page [https= ://www.schneier.com/crypto-gram/].

    Read this issue on the web [https://www.schneier.com/crypto-gram/archives= /2022/1215.html]

    These same essays and news items appear in the Schneier on Security [http= s://www.schneier.com/] blog=2C along with a lively and intelligent comment=
    section. An RSS feed is available.

    ** *** ***** ******* *********** *************


    ** IN THIS ISSUE:
    ------------------------------------------------------------

    1. Another Event-Related Spyware App
    2. Russian Software Company Pretending to Be American
    3. Failures in Twitter=E2=80=99s Two-Factor Authentication System
    4. Successful Hack of Time-Triggered Ethernet
    5. First Review of _A Hacker=E2=80=99s Mind_
    6. Breaking the Zeppelin Ransomware Encryption Scheme
    7. Apple=E2=80=99s Device Analytics Can Identify iCloud Users
    8. The US Has a Shortage of Bomb-Sniffing Dogs
    9. Computer Repair Technicians Are Stealing Your Data
    10. Charles V of Spain Secret Code Cracked
    11. Facebook Fined $276M under GDPR
    12. Sirius XM Software Vulnerability
    13. LastPass Security Breach
    14. Existential Risk and the Fermi Paradox
    15. CAPTCHA
    16. CryWiper Data Wiper Targeting Russian Sites
    17. The Decoupling Principle
    18. Leaked Signing Keys Are Being Used to Sign Malware
    19. Security Vulnerabilities in Eufy Cameras
    20. Hacking Trespass Law
    21. Apple Is Finally Encrypting iCloud Backups
    22. Obligatory ChatGPT Post
    23. Hacking Boston=E2=80=99s CharlieCard
    24. Reimagining Democracy

    ** *** ***** ******* *********** *************


    ** ANOTHER EVENT-RELATED SPYWARE APP ------------------------------------------------------------

    [2022.11.15] [https://www.schneier.com/blog/archives/2022/11/another-eve= nt-related-spyware-app.html] Last month=2C we were warned not to install Q= atar=E2=80=99s World Cup app [https://www.schneier.com/blog/archives/2022=
    /10/qatar-spyware.html] because it was spyware. This month=2C it=E2=80=99s=
    Egypt=E2=80=99s COP27 Summit app [https://www.politico.eu/article/cop-27= -climate-change-app-cybersecurity-weapon-risks/]:

    The app is being promoted as a tool to help attendees navigate the event=
    =2E But it risks giving the Egyptian government permission to read users=E2= =80=99 emails and messages. Even messages shared via encrypted services li=
    ke WhatsApp are vulnerable=2C according to POLITICO=E2=80=99s technical re= view of the application=2C and two of the outside experts.

    The app also provides Egypt=E2=80=99s Ministry of Communications and Inf=
    ormation Technology=2C which created it=2C with other so-called backdoor p= rivileges=2C or the ability to scan people=E2=80=99s devices.

    On smartphones running Google=E2=80=99s Android software=2C it has permi=
    ssion to potentially listen into users=E2=80=99 conversations via the app=
    =2C even when the device is in sleep mode=2C according to the three expert=
    s and POLITICO=E2=80=99s separate analysis. It can also track people=E2=80= =99s locations via smartphone=E2=80=99s built-in GPS and Wi-Fi technologie= s=2C according to two of the analysts.

    ** *** ***** ******* *********** *************


    ** RUSSIAN SOFTWARE COMPANY PRETENDING TO BE AMERICAN ------------------------------------------------------------

    [2022.11.16] [https://www.schneier.com/blog/archives/2022/11/russian-sof= tware-company-pretending-to-be-american.html] Computer code developed by a=
    company called Pushwoosh [https://www.reuters.com/technology/exclusive-r= ussian-software-disguised-american-finds-its-way-into-us-army-cdc-2022-11-= 14/] is in about 8=2C000 Apple and Google smartphone apps. The company pre= tends to be American when it is actually Russian.

    According to company documents publicly filed in Russia and reviewed by=
    Reuters=2C Pushwoosh is headquartered in the Siberian town of Novosibirsk=
    =2C where it is registered as a software company that also carries out dat=
    a processing. It employs around 40 people and reported revenue of 143=2C27= 0=2C000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russ= ian government to pay taxes in Russia.

    On social media and in US regulatory filings=2C however=2C it presents its= elf as a US company=2C based at various times in California=2C Maryland=2C=
    and Washington=2C DC=2C Reuters found.

    What does the code do? Spy on people:

    Pushwoosh provides code [https://tmsnrt.rs/3fV0CYE] and data processing=
    support for software developers=2C enabling them to profile the online ac= tivity of smartphone app users and send tailor-made push notifications fro= m Pushwoosh servers.

    On its website=2C Pushwoosh says it does not collect sensitive informati=
    on=2C and Reuters found no evidence Pushwoosh mishandled user data. Russia= n authorities=2C however=2C have compelled local companies [https://www.r= euters.com/business/autos-transportation/russia-draws-up-law-force-taxi-fi=
    rms-share-data-with-fsb-document-2022-03-29/] to hand over user data to do= mestic security agencies [https://www.reuters.com/technology/how-crypto-g= iant-binance-built-ties-russian-fsb-linked-agency-2022-04-22/].

    I have called supply chain security =E2=80=9Can insurmountably hard proble= m=2C=E2=80=9D and this is just another example of that.

    EDITED TO ADD (12/12): Here [https://internetsafetylabs.org/blog/news-pre= ss/reuters-breaks-story-on-dangerous-sdk-pushwoosh-found-by-isl/] is a lis= t of apps that use the Pushwoosh SDK.

    ** *** ***** ******* *********** *************


    ** FAILURES IN TWITTER=E2=80=99S TWO-FACTOR AUTHENTICATION SYSTEM ------------------------------------------------------------

    [2022.11.17] [https://www.schneier.com/blog/archives/2022/11/failures-in= -twitters-two-factor-authentication-system.html] Twitter is having intermi= ttent problems [https://www.wired.com/story/twitter-two-factor-sms-proble= ms/] with its two-factor authentication system:

    Not all users are having problems receiving SMS authentication codes=2C=
    and those who rely on an authenticator app or physical authentication tok=
    en to secure their Twitter account may not have reason to test the mechani= sm. But users have been self-reporting issues on Twitter since the weekend=
    =2C and WIRED confirmed that on at least some accounts=2C authentication t= exts are hours delayed or not coming at all. The meltdown comes less than=
    two weeks after Twitter laid off about half of its workers [https://www.= wired.com/story/musk-layoffs-twitter-management/]=2C roughly 3=2C700 peopl= e. Since then=2C engineers=2C operations specialists=2C IT staff=2C and se= curity teams have been stretched thin attempting to adapt Twitter=E2=80=99= s offerings and build new features per new owner Elon Musk=E2=80=99s agend= a.

    On top of that=2C it seems that the system has a new vulnerability [https= ://www.inforisktoday.com/twitter-two-factor-authentication-has-vulnerabili= ty-a-20475]:

    A researcher contacted Information Security Media Group on condition of=
    anonymity to reveal that texting =E2=80=9CSTOP=E2=80=9D to the Twitter ve= rification service results in the service turning off SMS two-factor authe= ntication.

    =E2=80=9CYour phone has been removed and SMS 2FA has been disabled from=
    all accounts=2C=E2=80=9D is the automated response.

    The vulnerability=2C which ISMG verified=2C allows a hacker to spoof the=
    registered phone number to disable two-factor authentication. That potent= ially exposes accounts to a password reset attack or account takeover thro= ugh password stuffing.

    This is not a good sign.

    ** *** ***** ******* *********** *************


    ** SUCCESSFUL HACK OF TIME-TRIGGERED ETHERNET ------------------------------------------------------------

    [2022.11.18] [https://www.schneier.com/blog/archives/2022/11/successful-= hack-of-time-triggered-ethernet.html] Time-triggered Ethernet (TTE) is use= d in spacecraft=2C basically to use the same hardware to process traffic w= ith different timing and criticality. Researchers have defeated it [https=
    ://arstechnica.com/information-technology/2022/11/researchers-break-securi= ty-guarantees-of-tte-networking-used-in-spacecraft/]:

    On Tuesday=2C researchers published findings [https://web.eecs.umich.ed=
    u/~barisk/public/pcspoof.pdf] that=2C for the first time=2C break TTE=E2= =80=99s isolation guarantees. The result is PCspooF=2C an attack that allo=
    ws a single non-critical device connected to a single plane to disrupt syn= chronization and communication between TTE devices on all planes. The atta= ck works by exploiting a vulnerability in the TTE protocol. The work was c= ompleted by researchers at the University of Michigan=2C the University of=
    Pennsylvania=2C and NASA=E2=80=99s Johnson Space Center.

    =E2=80=9COur evaluation shows that successful attacks are possible in se=
    conds and that each successful attack can cause TTE devices to lose synchr= onization for up to a second and drop tens of TT messages -- both of which=
    can result in the failure of critical systems like aircraft or automobile= s=2C=E2=80=9D the researchers wrote. =E2=80=9CWe also show that=2C in a si= mulated spaceflight mission=2C PCspooF causes uncontrolled maneuvers that=
    threaten safety and mission success.=E2=80=9D

    Much more detail in the article -- and the research paper [https://web.ee= cs.umich.edu/~barisk/public/pcspoof.pdf].

    ** *** ***** ******* *********** *************


    ** FIRST REVIEW OF _A HACKER=E2=80=99S MIND_ ------------------------------------------------------------

    [2022.11.18] [https://www.schneier.com/blog/archives/2022/11/first-revie= w-of-a-hackers-mind.html] _Kirkus_ reviews [https://www.kirkusreviews.com=
    /book-reviews/bruce-schneier/a-hackers-mind-powerful/] _A Hacker=E2=80=99s=
    Mind_:

    A cybersecurity expert examines how the powerful game whatever system is=
    put before them=2C leaving it to others to cover the cost.

    Schneier=2C a professor at Harvard Kennedy School and author of such boo=
    ks as _Data and Goliath_ and _Click Here To Kill Everybody_=2C regularly c= hallenges his students to write down the first 100 digits of pi=2C a nearl= y impossible task -- but not if they cheat=2C concerning which he admonish= es=2C =E2=80=9CDon=E2=80=99t get caught.=E2=80=9D Not getting caught is th= e aim of the hackers who exploit the vulnerabilities of systems of all kin= ds. Consider right-wing venture capitalist Peter Thiel=2C who located a ha= ck in the tax code: =E2=80=9CBecause he was one of the founders of PayPal=
    =2C he was able to use a $2=2C000 investment to buy 1.7 million shares of=
    the company at $0.001 per share=2C turning it into $5 billion -- all fore=
    ver tax free.=E2=80=9D It was perfectly legal -- and even if it weren=E2= =80=99t=2C the wealthy usually go unpunished. The author=2C a fluid writer=
    and tech communicator=2C reveals how the tax code lends itself to hacking=
    =2C as when tech companies like Apple and Google avoid paying billions of=
    dollars by transferring profits out of the U.S. to corporate-friendly nat= ions such as Ireland=2C then offshoring the =E2=80=9Cdisappeared=E2=80=9D=
    dollars to Bermuda=2C the Caymans=2C and other havens. Every system conta=
    ins trap doors that can be breached to advantage. For example=2C Schneier=
    cites =E2=80=9Cthe Pudding Guy=2C=E2=80=9D who hacked an airline miles pr= ogram by buying low-cost pudding cups in a promotion that=2C for $3=2C150=
    =2C netted him 1.2 million miles and =E2=80=9Clifetime Gold frequent flier=
    status.=E2=80=9D Since it was all within the letter if not the spirit of=
    the offer=2C =E2=80=9Cthe company paid up.=E2=80=9D The companies often d= o=2C because they=E2=80=99re gaming systems themselves. =E2=80=9CAny rule=
    can be hacked=2C=E2=80=9D notes the author=2C be it a religious dietary r= estriction or a legislative procedure. With technology=2C =E2=80=9Cwe can=
    hack more=2C faster=2C better=2C=E2=80=9D requiring diligent monitoring a=
    nd a demand that everyone play by rules that have been hardened against ta= mpering.

    An eye-opening=2C maddening book that offers hope for leveling a badly t=
    ilted playing field.

    I got a starred review. Libraries make decisions on what to buy based on s= tarred reviews. Publications make decisions about what to review based on=
    starred reviews. This is a big deal.

    Book=E2=80=99s webpage [https://www.schneier.com/books/a-hackers-mind/].

    ** *** ***** ******* *********** *************


    ** BREAKING THE ZEPPELIN RANSOMWARE ENCRYPTION SCHEME ------------------------------------------------------------

    [2022.11.21] [https://www.schneier.com/blog/archives/2022/11/breaking-th= e-zeppelin-ransomware-encryption-scheme.html] Brian Krebs writes [https:/=
    /krebsonsecurity.com/2022/11/researchers-quietly-cracked-zeppelin-ransomwa= re-keys/] about how the Zeppelin ransomware encryption scheme was broken:

    The researchers said their break came when they understood that while Ze=
    ppelin used three different types of encryption keys to encrypt files=2C t= hey could undo the whole scheme by factoring or computing just one of them=
    : An ephemeral RSA-512 public key that is randomly generated on each machi=
    ne it infects.

    =E2=80=9CIf we can recover the RSA-512 Public Key from the registry=2C w=
    e can crack it and get the 256-bit AES Key that encrypts the files!=E2=80=
    =9D they wrote. =E2=80=9CThe challenge was that they delete the [public k=
    ey] once the files are fully encrypted. Memory analysis gave us about a 5-= minute window after files were encrypted to retrieve this public key.=E2=
    =80=9D

    Unit 221B ultimately built a =E2=80=9CLive CD=E2=80=9D version of Linux=
    that victims could run on infected systems to extract that RSA-512 key. F=
    rom there=2C they would load the keys into a cluster of 800 CPUs donated b= y hosting giant Digital Ocean that would then start cracking them. The com= pany also used that same donated infrastructure to help victims decrypt th= eir data using the recovered keys.

    A company offered recovery services based on this break=2C but was relucta= nt to advertise because it didn=E2=80=99t want Zeppelin=E2=80=99s creators=
    to fix their encryption flaw.

    Technical details [https://blog.unit221b.com/dont-read-this-blog/0xdead-z= eppelin].

    EDITED TO ADD (12/12): When BitDefender publicly advertised a decryption t=
    ool for a strain of DarkSide ransomware=2C DarkSide immediately updated [= https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-rans=
    omware-bitdefender/amp/] its ransomware to render the tool obsolete. It=E2= =80=99s hard to come up with a solution to this problem.

    ** *** ***** ******* *********** *************


    ** APPLE=E2=80=99S DEVICE ANALYTICS CAN IDENTIFY ICLOUD USERS ------------------------------------------------------------

    [2022.11.22] [https://www.schneier.com/blog/archives/2022/11/apples-devi= ce-analytics-can-identify-icloud-users.html] Researchers claim [https://w= ww.macrumors.com/2022/11/21/apple-device-analytics-identifying-user/] that=
    supposedly anonymous device analytics information can identify users:

    On Twitter [https://twitter.com/mysk_co/status/1594515229915979776?s=3D=
    61&t=3DrpR_X8V52MjKkTSK1fwzZg]=2C security researchers Tommy Mysk and Tala= l Haj Bakry have found that Apple=E2=80=99s device analytics data includes=
    an iCloud account and can be linked directly to a specific user=2C includ=
    ing their name=2C date of birth=2C email=2C and associated information sto= red on iCloud.

    Apple has long claimed otherwise:

    On Apple=E2=80=99s device analytics and privacy legal page [https://www=
    =2Eapple.com/legal/privacy/data/en/device-analytics/]=2C the company says no=
    information collected from a device for analytics purposes is traceable b=
    ack to a specific user. =E2=80=9CiPhone Analytics may include details abou= t hardware and operating system specifications=2C performance statistics=
    =2C and data about how you use your devices and applications. None of the=
    collected information identifies you personally=2C=E2=80=9D the company c= laims.

    Apple was just sued [https://www.theregister.com/2022/11/14/apple_data_co= llection_lawsuit/] for tracking iOS users without their consent=2C even wh= en they explicitly opt out of tracking.

    ** *** ***** ******* *********** *************


    ** THE US HAS A SHORTAGE OF BOMB-SNIFFING DOGS ------------------------------------------------------------

    [2022.11.23] [https://www.schneier.com/blog/archives/2022/11/the-us-has-= a-shortage-of-bomb-sniffing-dogs.html] Nothing beats a dog=E2=80=99s nose=
    for detecting explosives. Unfortunately=2C there aren=E2=80=99t enough do=
    gs [https://www.wired.com/story/us-bomb-dog-shortage/]:

    Last month=2C the US Government Accountability Office (GAO) released a n=
    early 100-page report [https://www.gao.gov/assets/gao-23-104489.pdf] abou= t working dogs and the need for federal agencies to better safeguard their=
    health and wellness. The GOA says that as of February the US federal gove= rnment had approximately 5=2C100 working dogs=2C including detection dogs=
    =2C across three federal agencies. Another 420 dogs =E2=80=9Cserved the fe= deral government in 24 contractor-managed programs within eight department= s and two independent agencies=2C=E2=80=9D the GAO report says.

    The report also underscores the demands placed on detection dogs and the=
    potential for overwork if there aren=E2=80=99t enough dogs available. =E2= =80=9CWorking dogs might need the strength to suddenly run fast=2C or to l=
    eap over a tall barrier=2C as well as the physical stamina to stand or wal= k all day=2C=E2=80=9D the report says. =E2=80=9CThey might need to search=
    over rubble or in difficult environmental conditions=2C such as extreme h=
    eat or cold=2C often wearing heavy body armor. They also might spend the d= ay detecting specific scents among thousands of others=2C requiring intens= e mental concentration. Each function requires dogs to undergo specialized=
    training.=E2=80=9D

    A decade and a half ago I was optimistic [https://www.schneier.com/blog/a= rchives/2005/12/bombsniffing_wa.html] about bomb-sniffing bees and wasps=
    =2C but nothing seems to have come of that.

    ** *** ***** ******* *********** *************


    ** COMPUTER REPAIR TECHNICIANS ARE STEALING YOUR DATA ------------------------------------------------------------

    [2022.11.28] [https://www.schneier.com/blog/archives/2022/11/computer-re= pair-technicians-are-stealing-your-data.html] Laptop technicians routinely=
    violate the privacy [https://arstechnica.com/information-technology/2022= /11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-fi= nds/] of the people whose computers they repair:

    Researchers at University of Guelph in Ontario=2C Canada=2C recovered lo=
    gs from laptops after receiving overnight repairs from 12 commercial shops=
    =2E The logs showed that technicians from six of the locations had accessed=
    personal data and that two of those shops also copied data onto a persona=
    l device. Devices belonging to females were more likely to be snooped on=
    =2C and that snooping tended to seek more sensitive data=2C including both=
    sexually revealing and non-sexual pictures=2C documents=2C and financial=
    information.

    [...]

    In three cases=2C Windows Quick Access or Recently Accessed Files had be=
    en deleted in what the researchers suspect was an attempt by the snooping=
    technician to cover their tracks. As noted earlier=2C two of the visits r= esulted in the logs the researchers relied on being unrecoverable. In one=
    =2C the researcher explained they had installed antivirus software and per= formed a disk cleanup to =E2=80=9Cremove multiple viruses on the device.= =E2=80=9D The researchers received no explanation in the other case.

    [...]

    The laptops were freshly imaged Windows 10 laptops. All were free of mal=
    ware and other defects and in perfect working condition with one exception=
    : the audio driver was disabled. The researchers chose that glitch because=
    it required only a simple and inexpensive repair=2C was easy to create=2C=
    and didn=E2=80=99t require access to users=E2=80=99 personal files.

    Half of the laptops were configured to appear as if they belonged to a m=
    ale and the other half to a female. All of the laptops were set up with em= ail and gaming accounts and populated with browser history across several=
    weeks. The researchers added documents=2C both sexually revealing and non= -sexual pictures=2C and a cryptocurrency wallet with credentials.

    A few notes. One: this is a very small study -- only twelve laptop repairs=
    =2E Two=2C some of the results were inconclusive=2C which indicated -- but d= id not prove -- log tampering by the technicians. Three=2C this study was=
    done in Canada. There would probably be more snooping by American repair=
    technicians.

    The moral isn=E2=80=99t a good one: if you bring your laptop in to be repa= ired=2C you should expect the technician to snoop through your hard drive=
    =2C taking what they want.

    Research paper [https://arxiv.org/pdf/2211.05824.pdf].

    ** *** ***** ******* *********** *************


    ** CHARLES V OF SPAIN SECRET CODE CRACKED ------------------------------------------------------------

    [2022.11.29] [https://www.schneier.com/blog/archives/2022/11/charles-v-o= f-spain-secret-code-cracked.html] Diplomatic code cracked [https://www.th= eguardian.com/world/2022/nov/24/emperor-charles-vs-secret-code-cracked-aft=
    er-five-centuries] after 500 years:

    In painstaking work backed by computers=2C Pierrot found =E2=80=9Cdistin=
    ct families=E2=80=9D of about 120 symbols used by Charles V. =E2=80=9CWhol= e words are encrypted with a single symbol=E2=80=9D and the emperor replac= ed vowels coming after consonants with marks=2C she said=2C an inspiration=
    probably coming from Arabic.

    In another obstacle=2C he used meaningless symbols to mislead any advers=
    ary trying to decipher the message.

    The breakthrough came in June when Pierrot managed to make out a phrase=
    in the letter=2C and the team then cracked the code with the help of Cami=
    lle Desenclos=2C a historian. =E2=80=9CIt was painstaking and long work bu= t there was really a breakthrough that happened in one day=2C where all of=
    a sudden we had the right hypothesis=2C=E2=80=9D she said.

    ** *** ***** ******* *********** *************


    ** FACEBOOK FINED $276M UNDER GDPR ------------------------------------------------------------

    [2022.11.30] [https://www.schneier.com/blog/archives/2022/11/facebook-fi= ned-276m-under-gdpr.html] Facebook -- Meta -- was just fined [https://www=
    =2Etheverge.com/2022/11/28/23481786/meta-fine-facebook-data-leak-ireland-dpc= -gdpr] $276 million (USD) for a data leak that included full names=2C birt=
    h dates=2C phone numbers=2C and location.

    Meta=E2=80=99s total fine by the Data Protection Commission is over $700 m= illion. Total GDPR fines [https://www.enforcementtracker.com/?insights] a= re over =E2=82=AC2 billion (EUR) since 2018.

    ** *** ***** ******* *********** *************


    ** SIRIUS XM SOFTWARE VULNERABILITY ------------------------------------------------------------

    [2022.12.01] [https://www.schneier.com/blog/archives/2022/12/sirius-xm-s= oftware-vulnerability.html] This is new [https://gizmodo.com/sirius-xm-bu= g-honda-nissan-acura-hack-1849836987]:

    Newly revealed research [https://twitter.com/samwcyo/status/15977920971=
    75674880] shows that a number of major car brands=2C including Honda=2C Ni= ssan=2C Infiniti=2C and Acura=2C were affected by a previously undisclosed=
    security bug that would have allowed a savvy hacker to hijack vehicles an=
    d steal user data. According to researchers=2C the bug was in the car=E2= =80=99s Sirius XM telematics infrastructure and would have allowed a hacke=
    r to remotely locate a vehicle=2C unlock and start it=2C flash the lights=
    =2C honk the horn=2C pop the trunk=2C and access sensitive customer info l=
    ike the owner=E2=80=99s name=2C phone number=2C address=2C and vehicle det= ails.

    Cars are just computers with four wheels and an engine. It=E2=80=99s no su= rprise that the software is vulnerable=2C and that everything is connected=
    =2E

    ** *** ***** ******* *********** *************


    ** LASTPASS SECURITY BREACH ------------------------------------------------------------

    [2022.12.02] [https://www.schneier.com/blog/archives/2022/12/lastpass-se= curity-breach.html] The company was [https://www.bleepingcomputer.com/new= s/security/lastpass-says-hackers-accessed-customer-data-in-new-breach/] ha= cked [https://www.theregister.com/2022/12/01/lastpass/]=2C and customer i= nformation accessed. No passwords were compromised.

    ** *** ***** ******* *********** *************


    ** EXISTENTIAL RISK AND THE FERMI PARADOX ------------------------------------------------------------

    [2022.12.02] [https://www.schneier.com/blog/archives/2022/12/existential= -risk-and-the-fermi-paradox.html] We know that complexity is the worst ene=
    my of security=2C because it makes attack easier and defense harder. This=
    becomes catastrophic as the effects of that attack become greater.

    In _A Hacker=E2=80=99s Mind_ [https://www.schneier.com/books/a-hackers-mi= nd/] (coming in February 2023)=2C I write:

    Our societal systems=2C in general=2C may have grown fairer and more jus=
    t over the centuries=2C but progress isn=E2=80=99t linear or equitable. Th= e trajectory may appear to be upwards when viewed in hindsight=2C but from=
    a more granular point of view there are a lot of ups and downs. It=E2=80=
    =99s a =E2=80=9Cnoisy=E2=80=9D process.

    Technology changes the amplitude of the noise. Those near-term ups and d=
    owns are getting more severe. And while that might not affect the long-ter= m trajectories=2C they drastically affect all of us living in the short te= rm. This is how the twentieth century could -- statistically -- both be th= e most peaceful in human history and also contain the most deadly wars.

    Ignoring this noise was only possible when the damage wasn=E2=80=99t pot=
    entially fatal on a global scale; that is=2C if a world war didn=E2=80=99t=
    have the potential to kill everybody or destroy society=2C or occur in pl= aces and to people that the West wasn=E2=80=99t especially worried about.=
    We can=E2=80=99t be sure of that anymore. The risks we face today are exi= stential in a way they never have been before. The magnifying effects of t= echnology enable short-term damage to cause long-term planet-wide systemic=
    damage. We=E2=80=99ve lived for half a century under the potential specte=
    r of nuclear war and the life-ending catastrophe that could have been. Fas= t global travel allowed local outbreaks to quickly become the COVID-19 pan= demic=2C costing millions of lives and billions of dollars while increasin= g political and social instability. Our rapid=2C technologically enabled c= hanges to the atmosphere=2C compounded through feedback loops and tipping=
    points=2C may make Earth much less hospitable for the coming centuries. T= oday=2C individual hacking decisions can have planet-wide effects. Sociobi= ologist Edward O. Wilson once described [https://www.nytimes.com/2019/12/= 05/opinion/digital-technology-brain.html] the fundamental problem with hum= anity is that =E2=80=9Cwe have Paleolithic emotions=2C medieval institutio= ns=2C and godlike technology.=E2=80=9D

    Technology could easily get to the point where the effects of a successful=
    attack could be existential. Think biotech=2C nanotech=2C global climate=
    change=2C maybe someday cyberattack -- everything that people like Nick B= ostrom study [https://nickbostrom.com/existential/risks]. In these areas=
    =2C like everywhere else in past and present society=2C the technologies o=
    f attack develop faster the technologies of defending against attack. But=
    suddenly=2C our inability to be proactive becomes fatal. As the noise due=
    to technological power increases=2C we reach a threshold where a small gr=
    oup of people can irrecoverably destroy the species. The six-sigma guy can=
    ruin it for everyone. And if they can=2C sooner or later they will. It=E2= =80=99s possible that I have just explained the Fermi paradox [https://en= =2Ewikipedia.org/wiki/Fermi_paradox].

    ** *** ***** ******* *********** *************


    ** CAPTCHA
    ------------------------------------------------------------

    [2022.12.05] [https://www.schneier.com/blog/archives/2022/12/captcha.htm= l] This is an actual CAPTCHA I was shown when trying to log into PayPal.

    https://www.schneier.com/wp-content/uploads/2022/12/bc5c9f8f-6e44-4dfc-b1a= 9-0bc888c1218f.jpg

    As an actual human and not a bot=2C I had no idea how to answer. Is this a=
    joke? (Seems not.) Is it a Magritte-like existential question? (It=E2=80=
    =99s not a bicycle. It=E2=80=99s a drawing of a bicycle. Actually=2C it=E2= =80=99s a photograph of a drawing of a bicycle. No=2C it=E2=80=99s really=
    a computer image of a photograph of a drawing of a bicycle.) Am I overthi= nking this? (Definitely.) I stared at the screen=2C paralyzed=2C for way t= oo long.

    It=E2=80=99s probably the best CAPTCHA I have ever encountered; a computer=
    would have just answered.

    (In the end=2C I treated the drawing as a real bicycle and selected the ap= propriate squares...and it seemed to like that.)

    ** *** ***** ******* *********** *************


    ** CRYWIPER DATA WIPER TARGETING RUSSIAN SITES ------------------------------------------------------------

    [2022.12.06] [https://www.schneier.com/blog/archives/2022/12/crywiper-da= ta-wiper-targeting-russian-sites.html] Kaspersky is reporting [https://ww= w.kaspersky.com/blog/crywiper-pseudo-ransomware/46480/] on a data wiper ma= squerading as ransomware that is targeting local Russian government networ= ks.

    The Trojan corrupts any data that=E2=80=99s not vital for the functionin=
    g of the operating system. It doesn=E2=80=99t affect files with extensions=
    .exe=2C .dll=2C .lnk=2C .sys or .msi=2C and ignores several system folder=
    s in the C:\Windows directory. The malware focuses on databases=2C archive= s=2C and user documents.

    So far=2C our experts have seen only pinpoint attacks on targets in the=
    Russian Federation. However=2C as usual=2C no one can guarantee that the=
    same code won=E2=80=99t be used against other targets.

    Nothing leading to an attribution.

    News article [https://arstechnica.com/information-technology/2022/12/neve= r-before-seen-malware-is-nuking-data-in-russias-courts-and-mayors-offices/=
    ].

    Slashdot thread [https://it.slashdot.org/story/22/12/03/0044234/new-crywi= per-data-wiper-targets-russian-courts-mayors-offices].

    ** *** ***** ******* *********** *************


    ** THE DECOUPLING PRINCIPLE ------------------------------------------------------------

    [2022.12.07] [https://www.schneier.com/blog/archives/2022/12/the-decoupl= ing-principle.html] This is a really interesting paper [https://conferenc= es.sigcomm.org/hotnets/2022/papers/hotnets22_schmitt.pdf] that discusses w= hat the authors call the Decoupling Principle:

    The idea is simple=2C yet previously not clearly articulated: to ensure=
    privacy=2C information should be divided architecturally and institutiona=
    lly such that each entity has only the information they need to perform th= eir relevant function. Architectural decoupling entails splitting function= ality for different fundamental actions in a system=2C such as decoupling=
    authentication (proving who is allowed to use the network) from connectiv=
    ity (establishing session state for communicating). Institutional decoupli= ng entails splitting what information remains between non-colluding entiti= es=2C such as distinct companies or network operators=2C or between a user=
    and network peers. This decoupling makes service providers individually b= reach-proof=2C as they each have little or no sensitive data that can be l= ost to hackers. Put simply=2C the Decoupling Principle suggests always sep= arating who you are from what you do.

    Lots of interesting details in the paper.

    ** *** ***** ******* *********** *************


    ** LEAKED SIGNING KEYS ARE BEING USED TO SIGN MALWARE ------------------------------------------------------------

    [2022.12.08] [https://www.schneier.com/blog/archives/2022/12/leaked-sign= ing-keys-are-being-used-to-sign-malware.html] A bunch of Android OEM signi= ng keys [https://arstechnica.com/gadgets/2022/12/samsungs-android-app-sig= ning-key-has-leaked-is-being-used-to-sign-malware/] have been leaked or st= olen=2C and they are actively being used to sign malware.

    =C5=81ukasz Siewierski=2C a member of Google=E2=80=99s Android Security=
    Team=2C has a post on the Android Partner Vulnerability Initiative (AVPI)=
    issue tracker detailing leaked platform certificate keys [https://bugs.c= hromium.org/p/apvi/issues/detail?id=3D100] that are actively being used to=
    sign malware. The post is just a list of the keys=2C but running each one=
    through APKMirror [https://www.apkmirror.com/] or Google=E2=80=99s Virus= Total [https://www.virustotal.com/gui/home/upload] site will put names to=
    some of the compromised keys: Samsung [https://www.apkmirror.com/?post_t= ype=3Dapp_release&searchtype=3Dapp&sortby=3Ddate&sort=3Ddesc&s=3D34df0e7a9= f1cf1892e45c056b4973cd81ccf148a4050d11aea4ac5a65f900a42]=2C LG [https://w= ww.apkmirror.com/?post_type=3Dapp_release&searchtype=3Dapp&sortby=3Ddate&s=
    ort=3Ddesc&s=3D4274243d7a954ac6482866f0cc67ca1843ca94d68a0ee53f837d6740a81= 34421]=2C and Mediatek [https://www.virustotal.com/gui/file/19c84a2386abd= e0c0dae8661b394e53bf246f6f0f9a12d84cfc7864e4a809697/details] are the heavy=
    hitters on the list of leaked keys=2C along with some smaller OEMs like R= evoview [http://www.revoview.com/gms/] and Szroco=2C which makes Walmart= =E2=80=99s Onn tablets [https://arstechnica.com/gadgets/2020/07/the-100-t= ablet-shootout-amazon-fire-8-hd-plus-vs-walmart-onn-8-tablet-pro/].

    This is a huge problem. The whole system of authentication rests on the as= sumption that signing keys are kept secret by the legitimate signers. Once=
    that assumption is broken=2C all bets are off:

    Samsung=E2=80=99s compromised key is used for everything: Samsung Pay=2C=
    Bixby=2C Samsung Account=2C the phone app=2C and a million other things y=
    ou can find on the 101 pages of results for that key. It would be possible=
    to craft a malicious update for any one of these apps=2C and Android woul=
    d be happy to install it overtop of the real app. Some of the updates are=
    from _today_=2C indicating Samsung has still not changed the key.

    ** *** ***** ******* *********** *************


    ** SECURITY VULNERABILITIES IN EUFY CAMERAS ------------------------------------------------------------

    [2022.12.09] [https://www.schneier.com/blog/archives/2022/12/security-vu= lnerabilities-in-eufy-cameras.html] Eufy cameras claim to be local only=2C=
    but upload [https://arstechnica.com/gadgets/2022/12/more-eufy-camera-fla= ws-found-including-remote-unencrypted-feed-viewing/] data [https://www.th= everge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-en=
    cryption-authentication-storage] to the cloud. The company is basically ly= ing to reporters=2C despite being shown evidence to the contrary. The comp= any=E2=80=99s behavior is so egregious that ReviewGeek is no longer [http= s://www.reviewgeek.com/138235/why-review-geek-cant-recommend-wyze-or-eufy-=
    cameras-anymore/] recommending them.

    This will be interesting to watch. If Eufy can ignore security researchers=
    and the press without there being any repercussions in the market=2C othe=
    rs will follow suit. And we will lose public shaming as an incentive to im= prove security.

    Update [https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-= camera-cloud-private-encryption-authentication-storage]:

    After further testing=2C we=E2=80=99re not seeing the VLC streams begin=
    based solely on the camera detecting motion. We=E2=80=99re not sure if th= at=E2=80=99s a change since yesterday or something I got wrong in our init= ial report. It does appear that Eufy is making changes -- it appears to ha= ve removed access to the method we were using to get the address of our st= reams=2C although an address we already obtained is still working.

    ** *** ***** ******* *********** *************


    ** HACKING TRESPASS LAW ------------------------------------------------------------

    [2022.12.09] [https://www.schneier.com/blog/archives/2022/12/hacking-tre= spass-law.html] This article [https://www.nytimes.com/2022/11/26/business=
    /hunting-wyoming-elk-mountain-access.html] talks about public land in the=
    US that is completely surrounded by private land=2C which in some cases m= akes it inaccessible to the public. But there=E2=80=99s a hack:

    Some hunters have long believed=2C however=2C that the publicly owned pa=
    rcels on Elk Mountain can be legally reached using a practice called corne= r-crossing.

    Corner-crossing can be visualized in terms of a checkerboard. Ever since=
    the Westward Expansion=2C much of the Western United States has been divi=
    ded into alternating squares of public and private land. Corner-crossers=
    =2C like checker pieces=2C literally step from one public square to anothe=
    r in diagonal fashion=2C avoiding trespassing charges. The practice is nei= ther legal nor illegal. Most states discourage it=2C but none ban it.

    It=E2=80=99s an interesting ambiguity in the law: does checker trespass on=
    white squares when it moves diagonally over black squares? But=2C of cour= se=2C the legal battle isn=E2=80=99t really about that. It=E2=80=99s about=
    the rights of property owners vs the rights of those who wish to walk on=
    this otherwise-inaccessible public land.

    This particular hack will be adjudicated in court. State court=2C I think=
    =2C which means the answer might be different in different states. It=E2= =80=99s not an example I discuss in my new book [https://www.schneier.com= /books/a-hackers-mind/]=2C but it=E2=80=99s similar to many I do discuss.=
    It=E2=80=99s the act of adjudicating hacks that allows systems to evolve.

    ** *** ***** ******* *********** *************


    ** APPLE IS FINALLY ENCRYPTING ICLOUD BACKUPS ------------------------------------------------------------

    [2022.12.12] [https://www.schneier.com/blog/archives/2022/12/apple-is-fi= nally-encrypting-icloud-backups.html] After way too many years=2C Apple is=
    _finally_ encrypting iCloud backups [https://www.theverge.com/2022/12/7/= 23498580/apple-end-to-end-encryption-icloud-backups-advanced-data-protecti= on]:

    Based on a screenshot from Apple=2C these categories are covered when yo=
    u flip on Advanced Data Protection: device backups=2C messages backups=2C=
    iCloud Drive=2C Notes=2C Photos=2C Reminders=2C Safari bookmarks=2C Siri=
    Shortcuts=2C Voice Memos=2C and Wallet Passes. Apple says the only =E2=80= =9Cmajor=E2=80=9D categories not covered by Advanced Data Protection are i= Cloud Mail=2C Contacts=2C and Calendar because =E2=80=9Cof the need to int= eroperate with the global email=2C contacts=2C and calendar systems=2C=E2=
    =80=9D according to its press release.

    You can see the full list of data categories and what is protected under=
    standard data protection=2C which is the default for your account=2C and=
    Advanced Data Protection on Apple=E2=80=99s website [https://support.app= le.com/en-us/HT202303].

    With standard data protection=2C Apple holds the encryption keys for thi=
    ngs that aren=E2=80=99t end-to-end encrypted=2C which means the company ca= n help you recover that data if needed. Data that=E2=80=99s end-to-end enc= rypted can _only_ be encrypted on =E2=80=9Cyour trusted devices where you=
    =E2=80=99re signed in with your Apple ID=2C=E2=80=9D according to Apple=2C=
    meaning that the company -- or law enforcement or hackers -- cannot acces=
    s your data from Apple=E2=80=99s databases.

    Note that this system doesn=E2=80=99t have the backdoor that was in Apple= =E2=80=99s previous proposal=2C the one put there under the guise of detec= ting CSAM.

    Apple says [https://www.wsj.com/articles/apple-plans-new-encryption-syste= m-to-ward-off-hackers-and-protect-icloud-data-11670435635] that it will ro= ll out worldwide by the end of next year. I wonder how China will react to=
    this.

    ** *** ***** ******* *********** *************


    ** OBLIGATORY CHATGPT POST ------------------------------------------------------------

    [2022.12.13] [https://www.schneier.com/blog/archives/2022/12/obligatory-= chatgpt-post.html] Seems [https://oneusefulthing.substack.com/p/the-mecha= nical-professor] like [https://www.nytimes.com/2022/12/05/technology/chat= gpt-ai-twitter.html] absolutely [https://www.theatlantic.com/technology/a= rchive/2022/12/openai-chatgpt-writing-high-school-english-essay/672412/] e= veryone [https://theconversation.com/the-chatgpt-chatbot-is-blowing-peopl= e-away-with-its-writing-skills-an-expert-explains-why-its-so-impressive-19=
    5908] everywhere [https://www.theatlantic.com/technology/archive/2022/12/= openai-chatgpt-chatbot-messages/672411/?utm_source=3Dnextdraft&utm_medium=
    =3Demail] is [https://www.theatlantic.com/technology/archive/2022/12/chat= gpt-ai-writing-college-student-essays/672371/] playing [https://techcrunc= h.com/2022/12/05/chatgpt-shrugged/] with [https://www.bleepingcomputer.co= m/news/technology/openais-new-chatgpt-bot-10-dangerous-things-its-capable-=
    of/] Chat GPT [https://chat.openai.com/chat].

    So I did=2C too....

    _Write an essay in the style of Bruce Schneier on how ChatGPT will affect=
    cybersecurity._

    As with any new technology=2C the development and deployment of ChatGPT=
    is likely to have a significant impact on the field of cybersecurity. In=
    many ways=2C ChatGPT and other AI technologies hold great promise for imp= roving the ability of organizations and individuals to defend against cybe= r threats. At the same time=2C however=2C the use of these technologies al= so raises important questions and concerns about the potential risks and c= hallenges they may pose.

    One of the key ways in which ChatGPT is likely to affect cybersecurity i=
    s by enabling organizations to more quickly and accurately identify potent= ial security threats. With its ability to analyze vast amounts of data and=
    identify patterns and trends that might be difficult for humans to spot=
    =2C ChatGPT could be a valuable tool for detecting and responding to cyber= attacks. This could be especially useful in the case of complex=2C coordin= ated attacks that might otherwise be difficult to identify and defend agai= nst.

    Another potential benefit of ChatGPT in the realm of cybersecurity is it=
    s ability to improve communication and coordination among different organi= zations and agencies. By enabling these groups to more easily share inform= ation and work together to defend against cyber threats=2C ChatGPT could h= elp to make the overall cybersecurity landscape more effective and efficie= nt. This could be especially important in the case of large-scale attacks=
    that require a coordinated response from multiple organizations.

    Of course=2C as with any new technology=2C there are also potential risk=
    s and challenges associated with the use of ChatGPT in the field of cybers= ecurity. One key concern is the potential for ChatGPT to be used by malici= ous actors to conduct cyberattacks. By automating the process of planning=
    and executing attacks=2C ChatGPT could make it easier for attackers to ca=
    rry out sophisticated=2C coordinated attacks at a much faster pace than wo= uld be possible without AI. This could potentially make it more difficult=
    for organizations and individuals to defend against such attacks.

    Another potential risk is the possibility that ChatGPT could be used to=
    create fake news or propaganda=2C which could be used to spread misinform= ation or confusion. In the context of cybersecurity=2C the spread of false=
    information could potentially lead to confusion and panic=2C making it mo=
    re difficult for organizations and individuals to respond effectively to c= yber threats. Additionally=2C the use of ChatGPT to create fake news or pr= opaganda could also undermine trust in information and communications syst= ems=2C potentially undermining the overall security of these systems.

    Overall=2C the development and deployment of ChatGPT is likely to have a=
    significant impact on the field of cybersecurity. While ChatGPT and other=
    AI technologies hold great promise for improving the ability of organizat= ions and individuals to defend against cyber threats=2C it is important to=
    carefully consider the potential risks and challenges they may pose=2C an=
    d to take appropriate measures to mitigate these risks. This may include i= mplementing strict security protocols and safeguards to prevent unauthoriz= ed access to ChatGPT and other AI systems=2C as well as ongoing monitoring=
    and evaluation to ensure that these technologies are being used in a safe=
    and responsible manner.

    Not bad. I don=E2=80=99t think I can retire=2C but I probably can go on va= cation for a few days. And=2C of course=2C it=E2=80=99s going to get bette= r...a lot better...and probably sooner than we expect. This is a big deal.

    ** *** ***** ******* *********** *************


    ** HACKING BOSTON=E2=80=99S CHARLIECARD ------------------------------------------------------------

    [2022.12.14] [https://www.schneier.com/blog/archives/2022/12/hacking-bos= tons-charliecard.html] Interesting discussion [https://medium.com/@bobbyr= sec/operation-charlie-hacking-the-mbta-charliecard-from-2008-to-present-24=
    ea9f0aaa38] of vulnerabilities and exploits against Boston=E2=80=99s Charl= ieCard.

    ** *** ***** ******* *********** *************


    ** REIMAGINING DEMOCRACY ------------------------------------------------------------

    [2022.12.14] [https://www.schneier.com/blog/archives/2022/12/reimagining= -democracy.html] Last week=2C I hosted a two-day workshop on reimagining d= emocracy [https://www.schneier.com/iword/2022].

    The idea was to bring together people from a variety of disciplines who ar= e all thinking about different aspects of democracy=2C less from a =E2=80=
    =9Cwhat we need to do today=E2=80=9D perspective and more from a blue-sky=
    future perspective. My remit to the participants was this:

    The idea is to start from scratch=2C to pretend we=E2=80=99re forming a=
    new country and don=E2=80=99t have any precedent to deal with. And that w=
    e don=E2=80=99t have any unique interests to perturb our thinking. The mod= ern representative democracy was the best form of government mid-eighteent= h century politicians technology could invent. The twenty-first century is=
    a very different place technically=2C scientifically=2C and philosophical=
    ly. What could democracy look like if it were reinvented today? Would it e= ven be democracy -- what comes after democracy?

    Some questions to think about:

    * Representative democracies were built under the assumption that t=
    ravel and communications were difficult. Does it still make sense to organ= ize our representative units by geography? Or to send representatives far=
    away to create laws in our name? Is there a better way for people to choo=
    se collective representatives?
    * Indeed=2C the very idea of representative government is due to te=
    chnological limitations. If an AI system could find the optimal solution f= or balancing every voter=E2=80=99s preferences=2C would it still make sens= e to have representatives -- or should we vote for ideas and goals instead=
    ?
    * With today=E2=80=99s technology=2C we can vote anywhere and any t=
    ime. How should we organize the temporal pattern of voting -- and of other=
    forms of participation?
    * Starting from scratch=2C what is today=E2=80=99s ideal government=
    structure? Does it make sense to have a singular leader =E2=80=9Cin charg= e=E2=80=9D of everything? How should we constrain power -- is there someth= ing better than the legislative/judicial/executive set of checks and balan= ces?
    * The size of contemporary political units ranges from a few people=
    in a room to vast nation-states and alliances. Within one country=2C what=
    might the smaller units be -- and how do they relate to one another?
    * Who has a voice in the government? What does =E2=80=9Ccitizen=E2=
    =80=9D mean? What about children? Animals? Future people (and animals)? Co= rporations? The land?
    * And much more: What about the justice system? Is the twelfth-cent=
    ury jury form still relevant? How do we define fairness? Limit financial a= nd military power? Keep our system robust to psychological manipulation?

    My perspective=2C of course=2C is security. I want to create a system that=
    is resilient against hacking [https://www.schneier.com/books/a-hackers-m= ind/]: one that can evolve as both technologies and threats evolve.

    The format was one that I have used before [https://www.schneier.com/blog= /archives/2022/05/security-and-human-behavior-shb-2022.html]. Forty-eight=
    people meet over two days. There are four ninety-minute panels per day=2C=
    with six people on each. Everyone speaks for ten minutes=2C and the rest=
    of the time is devoted to questions and comments. Ten minutes means that=
    no one gets bogged down in jargon or details. Long breaks between session=
    s and evening dinners allow people to talk more informally. The result is=
    a very dense=2C idea-rich environment that I find extremely valuable.

    It was amazing event. Everyone participated. Everyone was interesting. (De= tails of the event -- emerging themes=2C notes from the speakers -- are in=
    the comments.) It=E2=80=99s a week later and I am still buzzing with idea=
    s. I hope this is only the first of an ongoing series of similar workshops=
    =2E

    ** *** ***** ******* *********** *************

    Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing sum= maries=2C analyses=2C insights=2C and commentaries on security technology.=
    To subscribe=2C or to read back issues=2C see Crypto-Gram's web page [ht= tps://www.schneier.com/crypto-gram/].

    You can also read these articles on my blog=2C Schneier on Security [http= s://www.schneier.com].

    Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to colle= agues and friends who will find it valuable. Permission is also granted to=
    reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.

    Bruce Schneier is an internationally renowned security technologist=2C cal= led a security guru by the _Economist_. He is the author of over one dozen=
    books -- including his latest=2C _We Have Root_ [https://www.schneier.co= m/books/root/] -- as well as hundreds of articles=2C essays=2C and academi= c papers. His newsletter and blog are read by over 250=2C000 people. Schne= ier is a fellow at the Berkman Klein Center for Internet & Society at Harv= ard University; a Lecturer in Public Policy at the Harvard Kennedy School;=
    a board member of the Electronic Frontier Foundation=2C AccessNow=2C and=
    the Tor Project; and an Advisory Board Member of the Electronic Privacy I= nformation Center and VerifiedVoting.org. He is the Chief of Security Arch= itecture at Inrupt=2C Inc.

    Copyright (c) 2022 by Bruce Schneier.

    ** *** ***** ******* *********** *************

    Mailing list hosting graciously provided by MailChimp [https://mailchimp.= com/]. Sent without web bugs or link tracking.

    This email was sent to: thecivvie@gmail.com

    _You are receiving this email because you subscribed to the Crypto-Gram ne= wsletter._

    Unsubscribe from this list: https://schneier.us18.list-manage.com/unsubscr= ibe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3Dd6f5467f83&c=3D39d832d=
    e42

    Update subscription preferences: https://schneier.us18.list-manage.com/pro= file?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3Dd6f5467f83&c=3D39d832=
    de42

    Bruce Schneier
    Harvard Kennedy School
    1 Brattle Square
    Cambridge=2C MA 02138
    USA
    --_----------=_MCPart_1654239436
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE html><html lang=3D"en"><head><meta charset=3D"UTF-8"><title>Cryp= to-Gram=2C December 15=2C 2022</title></head><body>
    <div class=3D"preview-text" style=3D"display:none !important;mso-hide:all;= font-size:1px;line-height:1px;max-height:0px;max-width:0px;opacity:0;overf= low:hidden;">A monthly newsletter about cybersecurity and related topics.<= /div>
    <h1 style=3D"font-size:140%">Crypto-Gram <br>
    <span style=3D"display:block;padding-top:.5em;font-size:80%">December 15=
    =2C 2022</span></h1>


    <p>by Bruce Schneier
    <br>Fellow and Lecturer=2C Harvard Kennedy School
    <br>schneier@schneier.com
    <br><a href=3D"https://www.schneier.com">https://www.schneier.com</a>


    <p>A free monthly newsletter providing summaries=2C analyses=2C insights=
    =2C and commentaries on security: computer and otherwise.</p>

    <p>For back issues=2C or to subscribe=2C visit <a href=3D"https://www.schn= eier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>

    <p><a href=3D"https://www.schneier.com/crypto-gram/archives/2022/1215.html= ">Read this issue on the web</a></p>

    <p>These same essays and news items appear in the <a href=3D"https://www.s= chneier.com/">Schneier on Security</a> blog=2C along with a lively and int= elligent comment section. An RSS feed is available.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"toc"><a name=3D"toc">I=
    n this issue:</a></h2>

    <p><em>If these links don't work in your email client=2C try <a href=3D"ht= tps://www.schneier.com/crypto-gram/archives/2022/1215.html">reading this i= ssue of Crypto-Gram on the web.</a></em></p>




    <li><a href=3D"#cg1">Another Event-Related Spyware App</a></li>
    <li><a href=3D"#cg2">Russian Software Company Pretending to Be American</a= ></li>
    <li><a href=3D"#cg3">Failures in Twitter=E2=80=99s Two-Factor Authenticati=
    on System</a></li>
    <li><a href=3D"#cg4">Successful Hack of Time-Triggered Ethernet</a></li>
    <li><a href=3D"#cg5">First Review of <i>A Hacker=E2=80=99s Mind</i></a></l=

    <li><a href=3D"#cg6">Breaking the Zeppelin Ransomware Encryption Scheme</a= ></li>
    <li><a href=3D"#cg7">Apple=E2=80=99s Device Analytics Can Identify iCloud=
    Users</a></li>
    <li><a href=3D"#cg8">The US Has a Shortage of Bomb-Sniffing Dogs</a></li> <li><a href=3D"#cg9">Computer Repair Technicians Are Stealing Your Data</a= ></li>
    <li><a href=3D"#cg10">Charles V of Spain Secret Code Cracked</a></li>
    <li><a href=3D"#cg11">Facebook Fined $276M under GDPR</a></li>
    <li><a href=3D"#cg12">Sirius XM Software Vulnerability</a></li>
    <li><a href=3D"#cg13">LastPass Security Breach</a></li>
    <li><a href=3D"#cg14">Existential Risk and the Fermi Paradox</a></li>
    <li><a href=3D"#cg15">CAPTCHA</a></li>
    <li><a href=3D"#cg16">CryWiper Data Wiper Targeting Russian Sites</a></li> <li><a href=3D"#cg17">The Decoupling Principle</a></li>
    <li><a href=3D"#cg18">Leaked Signing Keys Are Being Used to Sign Malware</= a></li>
    <li><a href=3D"#cg19">Security Vulnerabilities in Eufy Cameras</a></li>
    <li><a href=3D"#cg20">Hacking Trespass Law</a></li>
    <li><a href=3D"#cg21">Apple Is Finally Encrypting iCloud Backups</a></li> <li><a href=3D"#cg22">Obligatory ChatGPT Post</a></li>
    <li><a href=3D"#cg23">Hacking Boston=E2=80=99s CharlieCard</a></li>
    <li><a href=3D"#cg24">Reimagining Democracy</a></li>
    </ol>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg1"><a name=3D"cg1">A= nother Event-Related Spyware App</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/another-event= -related-spyware-app.html"><strong>[2022.11.15]</strong></a> Last month=
    =2C we were warned not to install Qatar=E2=80=99s <a href=3D"https://www.s= chneier.com/blog/archives/2022/10/qatar-spyware.html">World Cup app</a> be= cause it was spyware. This month=2C it=E2=80=99s Egypt=E2=80=99s <a href=
    =3D"https://www.politico.eu/article/cop-27-climate-change-app-cybersecurit= y-weapon-risks/">COP27 Summit app</a>:</p>

    <blockquote><p>The app is being promoted as a tool to help attendees navig=
    ate the event. But it risks giving the Egyptian government permission to r= ead users=E2=80=99 emails and messages. Even messages shared via encrypted=
    services like WhatsApp are vulnerable=2C according to POLITICO=E2=80=99s=
    technical review of the application=2C and two of the outside experts.</p=


    <p>The app also provides Egypt=E2=80=99s Ministry of Communications and In= formation Technology=2C which created it=2C with other so-called backdoor=
    privileges=2C or the ability to scan people=E2=80=99s devices.</p>

    <p>On smartphones running Google=E2=80=99s Android software=2C it has perm= ission to potentially listen into users=E2=80=99 conversations via the app=
    =2C even when the device is in sleep mode=2C according to the three expert=
    s and POLITICO=E2=80=99s separate analysis. It can also track people=E2=80= =99s locations via smartphone=E2=80=99s built-in GPS and Wi-Fi technologie= s=2C according to two of the analysts.</p></blockquote>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg2"><a name=3D"cg2">R= ussian Software Company Pretending to Be American</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/russian-softw= are-company-pretending-to-be-american.html"><strong>[2022.11.16]</strong>=
    </a> Computer code developed by <a href=3D"https://www.reuters.com/technol=
    ogy/exclusive-russian-software-disguised-american-finds-its-way-into-us-ar= my-cdc-2022-11-14/">a company called Pushwoosh</a> is in about 8=2C000 App= le and Google smartphone apps. The company pretends to be American when it=
    is actually Russian.</p>

    <blockquote><p>According to company documents publicly filed in Russia and=
    reviewed by Reuters=2C Pushwoosh is headquartered in the Siberian town of=
    Novosibirsk=2C where it is registered as a software company that also car= ries out data processing. It employs around 40 people and reported revenue=
    of 143=2C270=2C000 rubles ($2.4 mln) last year. Pushwoosh is registered w=
    ith the Russian government to pay taxes in Russia.</p></blockquote>

    <p>On social media and in US regulatory filings=2C however=2C it presents=
    itself as a US company=2C based at various times in California=2C Marylan= d=2C and Washington=2C DC=2C Reuters found.</p>

    <p>What does the code do? Spy on people:</p>

    <blockquote><p><a href=3D"https://tmsnrt.rs/3fV0CYE">Pushwoosh provides co= de</a> and data processing support for software developers=2C enabling the= m to profile the online activity of smartphone app users and send tailor-m= ade push notifications from Pushwoosh servers.</p>

    <p>On its website=2C Pushwoosh says it does not collect sensitive informat= ion=2C and Reuters found no evidence Pushwoosh mishandled user data. Russi= an authorities=2C however=2C have <a href=3D"https://www.reuters.com/busin= ess/autos-transportation/russia-draws-up-law-force-taxi-firms-share-data-w=
    ith-fsb-document-2022-03-29/">compelled local companies</a> to hand over u= ser data to <a href=3D"https://www.reuters.com/technology/how-crypto-giant=
    -binance-built-ties-russian-fsb-linked-agency-2022-04-22/">domestic securi=
    ty agencies</a>.</p></blockquote>

    <p>I have called supply chain security =E2=80=9Can insurmountably hard pro= blem=2C=E2=80=9D and this is just another example of that.</p>

    <p>EDITED TO ADD (12/12): <a href=3D"https://internetsafetylabs.org/blog/n= ews-press/reuters-breaks-story-on-dangerous-sdk-pushwoosh-found-by-isl/">H= ere</a> is a list of apps that use the Pushwoosh SDK.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg3"><a name=3D"cg3">F= ailures in Twitter=E2=80=99s Two-Factor Authentication System</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/failures-in-t= witters-two-factor-authentication-system.html"><strong>[2022.11.17]</stro= ng></a> Twitter is having <a href=3D"https://www.wired.com/story/twitter-t= wo-factor-sms-problems/">intermittent problems</a> with its two-factor aut= hentication system:</p>

    <blockquote><p>Not all users are having problems receiving SMS authenticat=
    ion codes=2C and those who rely on an authenticator app or physical authen= tication token to secure their Twitter account may not have reason to test=
    the mechanism. But users have been self-reporting issues on Twitter since=
    the weekend=2C and WIRED confirmed that on at least some accounts=2C auth= entication texts are hours delayed or not coming at all. The meltdown come= s less than two weeks after Twitter <a href=3D"https://www.wired.com/story=
    /musk-layoffs-twitter-management/">laid off about half of its workers</a>=
    =2C roughly 3=2C700 people. Since then=2C engineers=2C operations speciali= sts=2C IT staff=2C and security teams have been stretched thin attempting=
    to adapt Twitter=E2=80=99s offerings and build new features per new owner=
    Elon Musk=E2=80=99s agenda.</p></blockquote>

    <p>On top of that=2C it seems that the system has a <a href=3D"https://www= =2Einforisktoday.com/twitter-two-factor-authentication-has-vulnerability-a-2= 0475">new vulnerability</a>:</p>

    <blockquote><p>A researcher contacted Information Security Media Group on=
    condition of anonymity to reveal that texting =E2=80=9CSTOP=E2=80=9D to t=
    he Twitter verification service results in the service turning off SMS two= -factor authentication.</p>

    <p>=E2=80=9CYour phone has been removed and SMS 2FA has been disabled from=
    all accounts=2C=E2=80=9D is the automated response.</p>

    <p>The vulnerability=2C which ISMG verified=2C allows a hacker to spoof th=
    e registered phone number to disable two-factor authentication. That poten= tially exposes accounts to a password reset attack or account takeover thr= ough password stuffing.</p></blockquote>

    <p>This is not a good sign.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg4"><a name=3D"cg4">S= uccessful Hack of Time-Triggered Ethernet</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/successful-ha= ck-of-time-triggered-ethernet.html"><strong>[2022.11.18]</strong></a> Tim= e-triggered Ethernet (TTE) is used in spacecraft=2C basically to use the s= ame hardware to process traffic with different timing and criticality. Res= earchers have <a href=3D"https://arstechnica.com/information-technology/20= 22/11/researchers-break-security-guarantees-of-tte-networking-used-in-spac=
    ecraft/">defeated it</a>:</p>

    <blockquote><p>On Tuesday=2C researchers <a href=3D"https://web.eecs.umich= =2Eedu/~barisk/public/pcspoof.pdf">published findings</a> that=2C for the fi= rst time=2C break TTE=E2=80=99s isolation guarantees. The result is PCspoo= F=2C an attack that allows a single non-critical device connected to a sin= gle plane to disrupt synchronization and communication between TTE devices=
    on all planes. The attack works by exploiting a vulnerability in the TTE=
    protocol. The work was completed by researchers at the University of Mich= igan=2C the University of Pennsylvania=2C and NASA=E2=80=99s Johnson Space=
    Center.</p>

    <p>=E2=80=9COur evaluation shows that successful attacks are possible in s= econds and that each successful attack can cause TTE devices to lose synch= ronization for up to a second and drop tens of TT messages -- both of whic= h can result in the failure of critical systems like aircraft or automobil= es=2C=E2=80=9D the researchers wrote. =E2=80=9CWe also show that=2C in a s= imulated spaceflight mission=2C PCspooF causes uncontrolled maneuvers that=
    threaten safety and mission success.=E2=80=9D</p></blockquote>

    <p>Much more detail in the article -- and the <a href=3D"https://web.eecs.= umich.edu/~barisk/public/pcspoof.pdf">research paper</a>.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg5"><a name=3D"cg5">F= irst Review of <i>A Hacker=E2=80=99s Mind</i></a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/first-review-= of-a-hackers-mind.html"><strong>[2022.11.18]</strong></a> <i>Kirkus</i> <= a href=3D"https://www.kirkusreviews.com/book-reviews/bruce-schneier/a-hack= ers-mind-powerful/">reviews</a> <i>A Hacker=E2=80=99s Mind</i>:</p>

    <blockquote><p>A cybersecurity expert examines how the powerful game whate=
    ver system is put before them=2C leaving it to others to cover the cost.</=


    <p>Schneier=2C a professor at Harvard Kennedy School and author of such bo=
    oks as <i>Data and Goliath</i> and <i>Click Here To Kill Everybody</i>=2C=
    regularly challenges his students to write down the first 100 digits of p= i=2C a nearly impossible task -- but not if they cheat=2C concerning which=
    he admonishes=2C =E2=80=9CDon=E2=80=99t get caught.=E2=80=9D Not getting=
    caught is the aim of the hackers who exploit the vulnerabilities of syste=
    ms of all kinds. Consider right-wing venture capitalist Peter Thiel=2C who=
    located a hack in the tax code: =E2=80=9CBecause he was one of the founde=
    rs of PayPal=2C he was able to use a $2=2C000 investment to buy 1.7 millio= n shares of the company at $0.001 per share=2C turning it into $5 billion=
    -- all forever tax free.=E2=80=9D It was perfectly legal -- and even if i=
    t weren=E2=80=99t=2C the wealthy usually go unpunished. The author=2C a fl= uid writer and tech communicator=2C reveals how the tax code lends itself=
    to hacking=2C as when tech companies like Apple and Google avoid paying b= illions of dollars by transferring profits out of the U.S. to corporate-fr= iendly nations such as Ireland=2C then offshoring the =E2=80=9Cdisappeared=
    =E2=80=9D dollars to Bermuda=2C the Caymans=2C and other havens. Every sys=
    tem contains trap doors that can be breached to advantage. For example=2C=
    Schneier cites =E2=80=9Cthe Pudding Guy=2C=E2=80=9D who hacked an airline=
    miles program by buying low-cost pudding cups in a promotion that=2C for=
    $3=2C150=2C netted him 1.2 million miles and =E2=80=9Clifetime Gold frequ=
    ent flier status.=E2=80=9D Since it was all within the letter if not the s= pirit of the offer=2C =E2=80=9Cthe company paid up.=E2=80=9D The companies=
    often do=2C because they=E2=80=99re gaming systems themselves. =E2=80=9CA=
    ny rule can be hacked=2C=E2=80=9D notes the author=2C be it a religious di= etary restriction or a legislative procedure. With technology=2C =E2=80=9C= we can hack more=2C faster=2C better=2C=E2=80=9D requiring diligent monito= ring and a demand that everyone play by rules that have been hardened agai= nst tampering.</p>

    <p>An eye-opening=2C maddening book that offers hope for leveling a badly=
    tilted playing field.</p></blockquote>

    <p>I got a starred review. Libraries make decisions on what to buy based o=
    n starred reviews. Publications make decisions about what to review based=
    on starred reviews. This is a big deal.</p>

    <p>Book=E2=80=99s <a href=3D"https://www.schneier.com/books/a-hackers-mind= /">webpage</a>.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg6"><a name=3D"cg6">B= reaking the Zeppelin Ransomware Encryption Scheme</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/breaking-the-= zeppelin-ransomware-encryption-scheme.html"><strong>[2022.11.21]</strong>=
    </a> Brian Krebs <a href=3D"https://krebsonsecurity.com/2022/11/researcher=
    s-quietly-cracked-zeppelin-ransomware-keys/">writes</a> about how the Zepp= elin ransomware encryption scheme was broken:</p>

    <blockquote><p>The researchers said their break came when they understood=
    that while Zeppelin used three different types of encryption keys to encr=
    ypt files=2C they could undo the whole scheme by factoring or computing ju= st one of them: An ephemeral RSA-512 public key that is randomly generated=
    on each machine it infects.</p>

    <p>=E2=80=9CIf we can recover the RSA-512 Public Key from the registry=2C=
    we can crack it and get the 256-bit AES Key that encrypts the files!=E2= =80=9D they wrote. =E2=80=9CThe challenge was that they delete the [publi=
    c key] once the files are fully encrypted. Memory analysis gave us about a=
    5-minute window after files were encrypted to retrieve this public key.= =E2=80=9D</p>

    <p>Unit 221B ultimately built a =E2=80=9CLive CD=E2=80=9D version of Linux=
    that victims could run on infected systems to extract that RSA-512 key. F=
    rom there=2C they would load the keys into a cluster of 800 CPUs donated b= y hosting giant Digital Ocean that would then start cracking them. The com= pany also used that same donated infrastructure to help victims decrypt th= eir data using the recovered keys.</p></blockquote>

    <p>A company offered recovery services based on this break=2C but was relu= ctant to advertise because it didn=E2=80=99t want Zeppelin=E2=80=99s creat= ors to fix their encryption flaw.</p>

    <p>Technical <a href=3D"https://blog.unit221b.com/dont-read-this-blog/0xde= ad-zeppelin">details</a>.</p>

    <p>EDITED TO ADD (12/12): When BitDefender publicly advertised a decryptio=
    n tool for a strain of DarkSide ransomware=2C DarkSide <a href=3D"https://= www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-b=
    itdefender/amp/">immediately updated</a> its ransomware to render the tool=
    obsolete. It=E2=80=99s hard to come up with a solution to this problem.</=


    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg7"><a name=3D"cg7">A= pple=E2=80=99s Device Analytics Can Identify iCloud Users</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/apples-device= -analytics-can-identify-icloud-users.html"><strong>[2022.11.22]</strong><=
    Researchers <a href=3D"https://www.macrumors.com/2022/11/21/apple-devi=
    ce-analytics-identifying-user/">claim</a> that supposedly anonymous device=
    analytics information can identify users:</p>

    <blockquote><p>On <a href=3D"https://twitter.com/mysk_co/status/1594515229= 915979776?s=3D61&t=3DrpR_X8V52MjKkTSK1fwzZg">Twitter</a>=2C security resea= rchers Tommy Mysk and Talal Haj Bakry have found that Apple=E2=80=99s devi= ce analytics data includes an iCloud account and can be linked directly to=
    a specific user=2C including their name=2C date of birth=2C email=2C and=
    associated information stored on iCloud.</p></blockquote>

    <p>Apple has long claimed otherwise:</p>

    <blockquote><p>On Apple=E2=80=99s device analytics and privacy <a href=3D"= https://www.apple.com/legal/privacy/data/en/device-analytics/">legal page<= /a>=2C the company says no information collected from a device for analyti=
    cs purposes is traceable back to a specific user. =E2=80=9CiPhone Analytic= s may include details about hardware and operating system specifications=
    =2C performance statistics=2C and data about how you use your devices and=
    applications. None of the collected information identifies you personally= =2C=E2=80=9D the company claims.</p></blockquote>

    <p>Apple was <a href=3D"https://www.theregister.com/2022/11/14/apple_data_= collection_lawsuit/">just sued</a> for tracking iOS users without their co= nsent=2C even when they explicitly opt out of tracking.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg8"><a name=3D"cg8">T=
    he US Has a Shortage of Bomb-Sniffing Dogs</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/the-us-has-a-= shortage-of-bomb-sniffing-dogs.html"><strong>[2022.11.23]</strong></a> No= thing beats a dog=E2=80=99s nose for detecting explosives. Unfortunately=
    =2C there <a href=3D"https://www.wired.com/story/us-bomb-dog-shortage/">ar= en=E2=80=99t enough dogs</a>:</p>

    <blockquote><p>Last month=2C the US Government Accountability Office (GAO)=
    released a nearly 100-page <a href=3D"https://www.gao.gov/assets/gao-23-1= 04489.pdf">report</a> about working dogs and the need for federal agencies=
    to better safeguard their health and wellness. The GOA says that as of Fe= bruary the US federal government had approximately 5=2C100 working dogs=2C=
    including detection dogs=2C across three federal agencies. Another 420 do=
    gs =E2=80=9Cserved the federal government in 24 contractor-managed program= s within eight departments and two independent agencies=2C=E2=80=9D the GA= O report says.</p>

    <p>The report also underscores the demands placed on detection dogs and th=
    e potential for overwork if there aren=E2=80=99t enough dogs available.=
    =E2=80=9CWorking dogs might need the strength to suddenly run fast=2C or=
    to leap over a tall barrier=2C as well as the physical stamina to stand o=
    r walk all day=2C=E2=80=9D the report says. =E2=80=9CThey might need to se= arch over rubble or in difficult environmental conditions=2C such as extre= me heat or cold=2C often wearing heavy body armor. They also might spend t= he day detecting specific scents among thousands of others=2C requiring in= tense mental concentration. Each function requires dogs to undergo special= ized training.=E2=80=9D</p></blockquote>

    <p>A decade and a half ago I was <a href=3D"https://www.schneier.com/blog/= archives/2005/12/bombsniffing_wa.html">optimistic</a> about bomb-sniffing=
    bees and wasps=2C but nothing seems to have come of that.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg9"><a name=3D"cg9">C= omputer Repair Technicians Are Stealing Your Data</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/computer-repa= ir-technicians-are-stealing-your-data.html"><strong>[2022.11.28]</strong>=
    </a> Laptop technicians <a href=3D"https://arstechnica.com/information-tec=
    hnology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-d= ata-study-finds/">routinely violate the privacy</a> of the people whose co= mputers they repair:</p>

    <blockquote><p>Researchers at University of Guelph in Ontario=2C Canada=2C=
    recovered logs from laptops after receiving overnight repairs from 12 com= mercial shops. The logs showed that technicians from six of the locations=
    had accessed personal data and that two of those shops also copied data o=
    nto a personal device. Devices belonging to females were more likely to be=
    snooped on=2C and that snooping tended to seek more sensitive data=2C inc= luding both sexually revealing and non-sexual pictures=2C documents=2C and=
    financial information.</p>

    <p>[...]</p>

    <p>In three cases=2C Windows Quick Access or Recently Accessed Files had b=
    een deleted in what the researchers suspect was an attempt by the snooping=
    technician to cover their tracks. As noted earlier=2C two of the visits r= esulted in the logs the researchers relied on being unrecoverable. In one=
    =2C the researcher explained they had installed antivirus software and per= formed a disk cleanup to =E2=80=9Cremove multiple viruses on the device.= =E2=80=9D The researchers received no explanation in the other case.</p>

    <p>[...]</p>

    <p>The laptops were freshly imaged Windows 10 laptops. All were free of ma= lware and other defects and in perfect working condition with one exceptio= n: the audio driver was disabled. The researchers chose that glitch becaus= e it required only a simple and inexpensive repair=2C was easy to create=
    =2C and didn=E2=80=99t require access to users=E2=80=99 personal files.</p=


    <p>Half of the laptops were configured to appear as if they belonged to a=
    male and the other half to a female. All of the laptops were set up with=
    email and gaming accounts and populated with browser history across sever=
    al weeks. The researchers added documents=2C both sexually revealing and n= on-sexual pictures=2C and a cryptocurrency wallet with credentials.</p></b= lockquote>

    <p>A few notes. One: this is a very small study -- only twelve laptop repa= irs. Two=2C some of the results were inconclusive=2C which indicated -- bu= t did not prove -- log tampering by the technicians. Three=2C this study w= as done in Canada. There would probably be more snooping by American repai= r technicians.</p>

    <p>The moral isn=E2=80=99t a good one: if you bring your laptop in to be r= epaired=2C you should expect the technician to snoop through your hard dri= ve=2C taking what they want.</p>

    <p>Research <a href=3D"https://arxiv.org/pdf/2211.05824.pdf">paper</a>.</p=


    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg10"><a name=3D"cg10"= >Charles V of Spain Secret Code Cracked</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/charles-v-of-= spain-secret-code-cracked.html"><strong>[2022.11.29]</strong></a> Diploma= tic code <a href=3D"https://www.theguardian.com/world/2022/nov/24/emperor-= charles-vs-secret-code-cracked-after-five-centuries">cracked</a> after 500=
    years:</p>

    <blockquote><p>In painstaking work backed by computers=2C Pierrot found=
    =E2=80=9Cdistinct families=E2=80=9D of about 120 symbols used by Charles=
    V. =E2=80=9CWhole words are encrypted with a single symbol=E2=80=9D and t=
    he emperor replaced vowels coming after consonants with marks=2C she said=
    =2C an inspiration probably coming from Arabic.</p>

    <p>In another obstacle=2C he used meaningless symbols to mislead any adver= sary trying to decipher the message.</p>

    <p>The breakthrough came in June when Pierrot managed to make out a phrase=
    in the letter=2C and the team then cracked the code with the help of Cami=
    lle Desenclos=2C a historian. =E2=80=9CIt was painstaking and long work bu= t there was really a breakthrough that happened in one day=2C where all of=
    a sudden we had the right hypothesis=2C=E2=80=9D she said.</p></blockquot=


    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg11"><a name=3D"cg11"= >Facebook Fined $276M under GDPR</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/11/facebook-fine= d-276m-under-gdpr.html"><strong>[2022.11.30]</strong></a> Facebook -- Met= a -- was <a href=3D"https://www.theverge.com/2022/11/28/23481786/meta-fine=
    -facebook-data-leak-ireland-dpc-gdpr">just fined</a> $276 million (USD) fo=
    r a data leak that included full names=2C birth dates=2C phone numbers=2C=
    and location.</p>

    <p>Meta=E2=80=99s total fine by the Data Protection Commission is over $70=
    0 million. <a href=3D"https://www.enforcementtracker.com/?insights">Total=
    GDPR fines</a> are over =E2=82=AC2 billion (EUR) since 2018.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg12"><a name=3D"cg12"= >Sirius XM Software Vulnerability</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/sirius-xm-sof= tware-vulnerability.html"><strong>[2022.12.01]</strong></a> This is <a hr= ef=3D"https://gizmodo.com/sirius-xm-bug-honda-nissan-acura-hack-1849836987=
    ">new</a>:</p>

    <blockquote><p>Newly revealed <a href=3D"https://twitter.com/samwcyo/statu= s/1597792097175674880">research</a> shows that a number of major car brand= s=2C including Honda=2C Nissan=2C Infiniti=2C and Acura=2C were affected b= y a previously undisclosed security bug that would have allowed a savvy ha= cker to hijack vehicles and steal user data. According to researchers=2C t= he bug was in the car=E2=80=99s Sirius XM telematics infrastructure and wo= uld have allowed a hacker to remotely locate a vehicle=2C unlock and start=
    it=2C flash the lights=2C honk the horn=2C pop the trunk=2C and access se= nsitive customer info like the owner=E2=80=99s name=2C phone number=2C add= ress=2C and vehicle details.</p></blockquote>

    <p>Cars are just computers with four wheels and an engine. It=E2=80=99s no=
    surprise that the software is vulnerable=2C and that everything is connec= ted.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg13"><a name=3D"cg13"= >LastPass Security Breach</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/lastpass-secu= rity-breach.html"><strong>[2022.12.02]</strong></a> The company <a href= =3D"https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-a= ccessed-customer-data-in-new-breach/">was</a> <a href=3D"https://www.there= gister.com/2022/12/01/lastpass/">hacked</a>=2C and customer information ac= cessed. No passwords were compromised.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg14"><a name=3D"cg14"= >Existential Risk and the Fermi Paradox</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/existential-r= isk-and-the-fermi-paradox.html"><strong>[2022.12.02]</strong></a> We know=
    that complexity is the worst enemy of security=2C because it makes attack=
    easier and defense harder. This becomes catastrophic as the effects of th=
    at attack become greater.</p>

    <p>In <a href=3D"https://www.schneier.com/books/a-hackers-mind/"><i>A Hack= er=E2=80=99s Mind</i></a> (coming in February 2023)=2C I write:</p>

    <blockquote><p>Our societal systems=2C in general=2C may have grown fairer=
    and more just over the centuries=2C but progress isn=E2=80=99t linear or=
    equitable. The trajectory may appear to be upwards when viewed in hindsig= ht=2C but from a more granular point of view there are a lot of ups and do= wns. It=E2=80=99s a =E2=80=9Cnoisy=E2=80=9D process.</p>

    <p>Technology changes the amplitude of the noise. Those near-term ups and=
    downs are getting more severe. And while that might not affect the long-t=
    erm trajectories=2C they drastically affect all of us living in the short=
    term. This is how the twentieth century could -- statistically -- both be=
    the most peaceful in human history and also contain the most deadly wars.=


    <p>Ignoring this noise was only possible when the damage wasn=E2=80=99t po= tentially fatal on a global scale; that is=2C if a world war didn=E2=80=99= t have the potential to kill everybody or destroy society=2C or occur in p= laces and to people that the West wasn=E2=80=99t especially worried about.=
    We can=E2=80=99t be sure of that anymore. The risks we face today are exi= stential in a way they never have been before. The magnifying effects of t= echnology enable short-term damage to cause long-term planet-wide systemic=
    damage. We=E2=80=99ve lived for half a century under the potential specte=
    r of nuclear war and the life-ending catastrophe that could have been. Fas= t global travel allowed local outbreaks to quickly become the COVID-19 pan= demic=2C costing millions of lives and billions of dollars while increasin= g political and social instability. Our rapid=2C technologically enabled c= hanges to the atmosphere=2C compounded through feedback loops and tipping=
    points=2C may make Earth much less hospitable for the coming centuries. T= oday=2C individual hacking decisions can have planet-wide effects. Sociobi= ologist Edward O. Wilson <a href=3D"https://www.nytimes.com/2019/12/05/opi= nion/digital-technology-brain.html">once described</a> the fundamental pro= blem with humanity is that =E2=80=9Cwe have Paleolithic emotions=2C mediev= al institutions=2C and godlike technology.=E2=80=9D</p></blockquote>

    <p>Technology could easily get to the point where the effects of a success=
    ful attack could be existential. Think biotech=2C nanotech=2C global clima= te change=2C maybe someday cyberattack -- everything that people like Nick=
    Bostrom <a href=3D"https://nickbostrom.com/existential/risks">study</a>.=
    In these areas=2C like everywhere else in past and present society=2C the=
    technologies of attack develop faster the technologies of defending again=
    st attack. But suddenly=2C our inability to be proactive becomes fatal. As=
    the noise due to technological power increases=2C we reach a threshold wh=
    ere a small group of people can irrecoverably destroy the species. The six= -sigma guy can ruin it for everyone. And if they can=2C sooner or later th=
    ey will. It=E2=80=99s possible that I have just explained the <a href=3D"h= ttps://en.wikipedia.org/wiki/Fermi_paradox">Fermi paradox</a>.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg15"><a name=3D"cg15"= >CAPTCHA</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/captcha.html"= ><strong>[2022.12.05]</strong></a> This is an actual CAPTCHA I was shown=
    when trying to log into PayPal.</p>

    <p><img decoding=3D"async" loading=3D"lazy" src=3D"https://www.schneier.co= m/wp-content/uploads/2022/12/bc5c9f8f-6e44-4dfc-b1a9-0bc888c1218f.jpg" alt= =3D"" width=3D"592" height=3D"872" class=3D"alignnone size-full wp-image-6= 6304" srcset=3D"https://www.schneier.com/wp-content/uploads/2022/12/bc5c9f= 8f-6e44-4dfc-b1a9-0bc888c1218f.jpg 592w=2C https://www.schneier.com/wp-con= tent/uploads/2022/12/bc5c9f8f-6e44-4dfc-b1a9-0bc888c1218f-204x300.jpg 204w= " sizes=3D"(max-width: 592px) 100vw=2C 592px"></p>

    <p>As an actual human and not a bot=2C I had no idea how to answer. Is thi=
    s a joke? (Seems not.) Is it a Magritte-like existential question? (It=E2= =80=99s not a bicycle. It=E2=80=99s a drawing of a bicycle. Actually=2C it= =E2=80=99s a photograph of a drawing of a bicycle. No=2C it=E2=80=99s real=
    ly a computer image of a photograph of a drawing of a bicycle.) Am I overt= hinking this? (Definitely.) I stared at the screen=2C paralyzed=2C for way=
    too long.</p>

    <p>It=E2=80=99s probably the best CAPTCHA I have ever encountered; a compu=
    ter would have just answered.</p>

    <p>(In the end=2C I treated the drawing as a real bicycle and selected the=
    appropriate squares...and it seemed to like that.)</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg16"><a name=3D"cg16"= >CryWiper Data Wiper Targeting Russian Sites</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/crywiper-data= -wiper-targeting-russian-sites.html"><strong>[2022.12.06]</strong></a> Ka= spersky is <a href=3D"https://www.kaspersky.com/blog/crywiper-pseudo-ranso= mware/46480/">reporting</a> on a data wiper masquerading as ransomware tha= t is targeting local Russian government networks.</p>

    <blockquote><p>The Trojan corrupts any data that=E2=80=99s not vital for t=
    he functioning of the operating system. It doesn=E2=80=99t affect files wi= th extensions .exe=2C .dll=2C .lnk=2C .sys or .msi=2C and ignores several=
    system folders in the C:\Windows directory. The malware focuses on databa= ses=2C archives=2C and user documents.</p>

    <p>So far=2C our experts have seen only pinpoint attacks on targets in the=
    Russian Federation. However=2C as usual=2C no one can guarantee that the=
    same code won=E2=80=99t be used against other targets.</p></blockquote>

    <p>Nothing leading to an attribution.</p>

    <p>News <a href=3D"https://arstechnica.com/information-technology/2022/12/= never-before-seen-malware-is-nuking-data-in-russias-courts-and-mayors-offi= ces/">article</a>.</p>

    <p>Slashdot <a href=3D"https://it.slashdot.org/story/22/12/03/0044234/new-= crywiper-data-wiper-targets-russian-courts-mayors-offices">thread</a>.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg17"><a name=3D"cg17"= >The Decoupling Principle</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/the-decouplin= g-principle.html"><strong>[2022.12.07]</strong></a> This is a <a href=3D"= https://conferences.sigcomm.org/hotnets/2022/papers/hotnets22_schmitt.pdf"=
    really interesting paper</a> that discusses what the authors call the Dec= oupling Principle:</p>

    <blockquote><p>The idea is simple=2C yet previously not clearly articulate=
    d: to ensure privacy=2C information should be divided architecturally and=
    institutionally such that each entity has only the information they need=
    to perform their relevant function. Architectural decoupling entails spli= tting functionality for different fundamental actions in a system=2C such=
    as decoupling authentication (proving who is allowed to use the network)=
    from connectivity (establishing session state for communicating). Institu= tional decoupling entails splitting what information remains between non-c= olluding entities=2C such as distinct companies or network operators=2C or=
    between a user and network peers. This decoupling makes service providers=
    individually breach-proof=2C as they each have little or no sensitive dat=
    a that can be lost to hackers. Put simply=2C the Decoupling Principle sugg= ests always separating who you are from what you do.</p></blockquote>

    <p>Lots of interesting details in the paper.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg18"><a name=3D"cg18"= >Leaked Signing Keys Are Being Used to Sign Malware</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/leaked-signin= g-keys-are-being-used-to-sign-malware.html"><strong>[2022.12.08]</strong>=
    </a> A bunch of Android OEM <a href=3D"https://arstechnica.com/gadgets/202=
    2/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-mal= ware/">signing keys</a> have been leaked or stolen=2C and they are activel= y being used to sign malware.</p>

    <blockquote><p>=C5=81ukasz Siewierski=2C a member of Google=E2=80=99s Andr=
    oid Security Team=2C has a post on the Android Partner Vulnerability Initi= ative (AVPI) issue tracker detailing <a href=3D"https://bugs.chromium.org/= p/apvi/issues/detail?id=3D100">leaked platform certificate keys</a> that a= re actively being used to sign malware. The post is just a list of the key= s=2C but running each one through <a href=3D"https://www.apkmirror.com/">A= PKMirror</a> or Google=E2=80=99s <a href=3D"https://www.virustotal.com/gui=
    /home/upload">VirusTotal</a> site will put names to some of the compromise=
    d keys: <a href=3D"https://www.apkmirror.com/?post_type=3Dapp_release&sear= chtype=3Dapp&sortby=3Ddate&sort=3Ddesc&s=3D34df0e7a9f1cf1892e45c056b4973cd=
    81ccf148a4050d11aea4ac5a65f900a42">Samsung</a>=2C <a href=3D"https://www.a= pkmirror.com/?post_type=3Dapp_release&searchtype=3Dapp&sortby=3Ddate&sort=
    =3Ddesc&s=3D4274243d7a954ac6482866f0cc67ca1843ca94d68a0ee53f837d6740a81344= 21">LG</a>=2C and <a href=3D"https://www.virustotal.com/gui/file/19c84a238= 6abde0c0dae8661b394e53bf246f6f0f9a12d84cfc7864e4a809697/details">Mediatek<=
    are the heavy hitters on the list of leaked keys=2C along with some sm=
    aller OEMs like <a href=3D"http://www.revoview.com/gms/">Revoview</a> and=
    Szroco=2C which makes <a href=3D"https://arstechnica.com/gadgets/2020/07/= the-100-tablet-shootout-amazon-fire-8-hd-plus-vs-walmart-onn-8-tablet-pro/= ">Walmart=E2=80=99s Onn tablets</a>.</p></blockquote>

    <p>This is a huge problem. The whole system of authentication rests on the=
    assumption that signing keys are kept secret by the legitimate signers. O=
    nce that assumption is broken=2C all bets are off:</p>

    <blockquote><p>Samsung=E2=80=99s compromised key is used for everything: S= amsung Pay=2C Bixby=2C Samsung Account=2C the phone app=2C and a million o= ther things you can find on the 101 pages of results for that key. It woul= d be possible to craft a malicious update for any one of these apps=2C and=
    Android would be happy to install it overtop of the real app. Some of the=
    updates are from <i>today</i>=2C indicating Samsung has still not changed=
    the key.</p></blockquote>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg19"><a name=3D"cg19"= >Security Vulnerabilities in Eufy Cameras</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/security-vuln= erabilities-in-eufy-cameras.html"><strong>[2022.12.09]</strong></a> Eufy=
    cameras claim to be local only=2C but <a href=3D"https://arstechnica.com/= gadgets/2022/12/more-eufy-camera-flaws-found-including-remote-unencrypted-= feed-viewing/">upload</a> <a href=3D"https://www.theverge.com/2022/11/30/2= 3486753/anker-eufy-security-camera-cloud-private-encryption-authentication=
    -storage">data</a> to the cloud. The company is basically lying to reporte= rs=2C despite being shown evidence to the contrary. The company=E2=80=99s=
    behavior is so egregious that ReviewGeek is <a href=3D"https://www.review= geek.com/138235/why-review-geek-cant-recommend-wyze-or-eufy-cameras-anymor= e/">no longer</a> recommending them.</p>

    <p>This will be interesting to watch. If Eufy can ignore security research=
    ers and the press without there being any repercussions in the market=2C o= thers will follow suit. And we will lose public shaming as an incentive to=
    improve security.</p>

    <p><a href=3D"https://www.theverge.com/2022/11/30/23486753/anker-eufy-secu= rity-camera-cloud-private-encryption-authentication-storage">Update</a>:</=


    <blockquote><p>After further testing=2C we=E2=80=99re not seeing the VLC s= treams begin based solely on the camera detecting motion. We=E2=80=99re no= t sure if that=E2=80=99s a change since yesterday or something I got wrong=
    in our initial report. It does appear that Eufy is making changes -- it a= ppears to have removed access to the method we were using to get the addre= ss of our streams=2C although an address we already obtained is still work= ing.</p></blockquote>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg20"><a name=3D"cg20"= >Hacking Trespass Law</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/hacking-tresp= ass-law.html"><strong>[2022.12.09]</strong></a> This <a href=3D"https://w= ww.nytimes.com/2022/11/26/business/hunting-wyoming-elk-mountain-access.htm=
    l">article</a> talks about public land in the US that is completely surrou= nded by private land=2C which in some cases makes it inaccessible to the p= ublic. But there=E2=80=99s a hack:</p>

    <blockquote><p>Some hunters have long believed=2C however=2C that the publ= icly owned parcels on Elk Mountain can be legally reached using a practice=
    called corner-crossing.</p>

    <p>Corner-crossing can be visualized in terms of a checkerboard. Ever sinc=
    e the Westward Expansion=2C much of the Western United States has been div= ided into alternating squares of public and private land. Corner-crossers=
    =2C like checker pieces=2C literally step from one public square to anothe=
    r in diagonal fashion=2C avoiding trespassing charges. The practice is nei= ther legal nor illegal. Most states discourage it=2C but none ban it.</p><=
    /blockquote>

    <p>It=E2=80=99s an interesting ambiguity in the law: does checker trespass=
    on white squares when it moves diagonally over black squares? But=2C of c= ourse=2C the legal battle isn=E2=80=99t really about that. It=E2=80=99s ab= out the rights of property owners vs the rights of those who wish to walk=
    on this otherwise-inaccessible public land.</p>

    <p>This particular hack will be adjudicated in court. State court=2C I thi= nk=2C which means the answer might be different in different states. It=E2= =80=99s not an example I discuss in my <a href=3D"https://www.schneier.com= /books/a-hackers-mind/">new book</a>=2C but it=E2=80=99s similar to many I=
    do discuss. It=E2=80=99s the act of adjudicating hacks that allows system=
    s to evolve.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg21"><a name=3D"cg21"= >Apple Is Finally Encrypting iCloud Backups</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/apple-is-fina= lly-encrypting-icloud-backups.html"><strong>[2022.12.12]</strong></a> Aft= er way too many years=2C Apple is <i>finally</i> <a href=3D"https://www.th= everge.com/2022/12/7/23498580/apple-end-to-end-encryption-icloud-backups-a=
    dvanced-data-protection">encrypting iCloud backups</a>:</p>

    <blockquote><p>Based on a screenshot from Apple=2C these categories are co= vered when you flip on Advanced Data Protection: device backups=2C message= s backups=2C iCloud Drive=2C Notes=2C Photos=2C Reminders=2C Safari bookma= rks=2C Siri Shortcuts=2C Voice Memos=2C and Wallet Passes. Apple says the=
    only =E2=80=9Cmajor=E2=80=9D categories not covered by Advanced Data Prot= ection are iCloud Mail=2C Contacts=2C and Calendar because =E2=80=9Cof the=
    need to interoperate with the global email=2C contacts=2C and calendar sy= stems=2C=E2=80=9D according to its press release.</p>

    <p>You can see the full list of data categories and what is protected unde=
    r standard data protection=2C which is the default for your account=2C and=
    Advanced Data Protection <a href=3D"https://support.apple.com/en-us/HT202= 303">on Apple=E2=80=99s website</a>.</p>

    <p>With standard data protection=2C Apple holds the encryption keys for th= ings that aren=E2=80=99t end-to-end encrypted=2C which means the company c= an help you recover that data if needed. Data that=E2=80=99s end-to-end en= crypted can <i>only</i> be encrypted on =E2=80=9Cyour trusted devices wher= e you=E2=80=99re signed in with your Apple ID=2C=E2=80=9D according to App= le=2C meaning that the company -- or law enforcement or hackers -- cannot=
    access your data from Apple=E2=80=99s databases.</p></blockquote>

    <p>Note that this system doesn=E2=80=99t have the backdoor that was in App= le=E2=80=99s previous proposal=2C the one put there under the guise of det= ecting CSAM.</p>

    <p>Apple <a href=3D"https://www.wsj.com/articles/apple-plans-new-encryptio= n-system-to-ward-off-hackers-and-protect-icloud-data-11670435635">says</a>=
    that it will roll out worldwide by the end of next year. I wonder how Chi=
    na will react to this.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg22"><a name=3D"cg22"= >Obligatory ChatGPT Post</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/obligatory-ch= atgpt-post.html"><strong>[2022.12.13]</strong></a> <a href=3D"https://one= usefulthing.substack.com/p/the-mechanical-professor">Seems</a> <a href=3D"= https://www.nytimes.com/2022/12/05/technology/chatgpt-ai-twitter.html">lik=
    e</a> <a href=3D"https://www.theatlantic.com/technology/archive/2022/12/op= enai-chatgpt-writing-high-school-english-essay/672412/">absolutely</a> <a=
    href=3D"https://theconversation.com/the-chatgpt-chatbot-is-blowing-people= -away-with-its-writing-skills-an-expert-explains-why-its-so-impressive-195= 908">everyone</a> <a href=3D"https://www.theatlantic.com/technology/archiv= e/2022/12/openai-chatgpt-chatbot-messages/672411/?utm_source=3Dnextdraft&u= tm_medium=3Demail">everywhere</a> <a href=3D"https://www.theatlantic.com/t= echnology/archive/2022/12/chatgpt-ai-writing-college-student-essays/672371=
    /">is</a> <a href=3D"https://techcrunch.com/2022/12/05/chatgpt-shrugged/">= playing</a> <a href=3D"https://www.bleepingcomputer.com/news/technology/op= enais-new-chatgpt-bot-10-dangerous-things-its-capable-of/">with</a> <a hre= f=3D"https://chat.openai.com/chat">Chat GPT</a>.</p>

    <p>So I did=2C too....</p>

    <p><i>Write an essay in the style of Bruce Schneier on how ChatGPT will af= fect cybersecurity.</i></p>

    <blockquote><p>As with any new technology=2C the development and deploymen=
    t of ChatGPT is likely to have a significant impact on the field of cybers= ecurity. In many ways=2C ChatGPT and other AI technologies hold great prom= ise for improving the ability of organizations and individuals to defend a= gainst cyber threats. At the same time=2C however=2C the use of these tech= nologies also raises important questions and concerns about the potential=
    risks and challenges they may pose.</p>

    <p>One of the key ways in which ChatGPT is likely to affect cybersecurity=
    is by enabling organizations to more quickly and accurately identify pote= ntial security threats. With its ability to analyze vast amounts of data a= nd identify patterns and trends that might be difficult for humans to spot=
    =2C ChatGPT could be a valuable tool for detecting and responding to cyber= attacks. This could be especially useful in the case of complex=2C coordin= ated attacks that might otherwise be difficult to identify and defend agai= nst.</p>

    <p>Another potential benefit of ChatGPT in the realm of cybersecurity is i=
    ts ability to improve communication and coordination among different organ= izations and agencies. By enabling these groups to more easily share infor= mation and work together to defend against cyber threats=2C ChatGPT could=
    help to make the overall cybersecurity landscape more effective and effic= ient. This could be especially important in the case of large-scale attack= s that require a coordinated response from multiple organizations.</p>

    <p>Of course=2C as with any new technology=2C there are also potential ris=
    ks and challenges associated with the use of ChatGPT in the field of cyber= security. One key concern is the potential for ChatGPT to be used by malic= ious actors to conduct cyberattacks. By automating the process of planning=
    and executing attacks=2C ChatGPT could make it easier for attackers to ca=
    rry out sophisticated=2C coordinated attacks at a much faster pace than wo= uld be possible without AI. This could potentially make it more difficult=
    for organizations and individuals to defend against such attacks.</p>

    <p>Another potential risk is the possibility that ChatGPT could be used to=
    create fake news or propaganda=2C which could be used to spread misinform= ation or confusion. In the context of cybersecurity=2C the spread of false=
    information could potentially lead to confusion and panic=2C making it mo=
    re difficult for organizations and individuals to respond effectively to c= yber threats. Additionally=2C the use of ChatGPT to create fake news or pr= opaganda could also undermine trust in information and communications syst= ems=2C potentially undermining the overall security of these systems.</p>

    <p>Overall=2C the development and deployment of ChatGPT is likely to have=
    a significant impact on the field of cybersecurity. While ChatGPT and oth=
    er AI technologies hold great promise for improving the ability of organiz= ations and individuals to defend against cyber threats=2C it is important=
    to carefully consider the potential risks and challenges they may pose=2C=
    and to take appropriate measures to mitigate these risks. This may includ=
    e implementing strict security protocols and safeguards to prevent unautho= rized access to ChatGPT and other AI systems=2C as well as ongoing monitor= ing and evaluation to ensure that these technologies are being used in a s= afe and responsible manner.</p></blockquote>

    <p>Not bad. I don=E2=80=99t think I can retire=2C but I probably can go on=
    vacation for a few days. And=2C of course=2C it=E2=80=99s going to get be= tter...a lot better...and probably sooner than we expect. This is a big de= al.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg23"><a name=3D"cg23"= >Hacking Boston=E2=80=99s CharlieCard</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/hacking-bosto= ns-charliecard.html"><strong>[2022.12.14]</strong></a> Interesting <a hre= f=3D"https://medium.com/@bobbyrsec/operation-charlie-hacking-the-mbta-char=
    liecard-from-2008-to-present-24ea9f0aaa38">discussion</a> of vulnerabiliti= es and exploits against Boston=E2=80=99s CharlieCard.</p>

    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg24"><a name=3D"cg24"= >Reimagining Democracy</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/reimagining-d= emocracy.html"><strong>[2022.12.14]</strong></a> Last week=2C I hosted a=
    two-day <a href=3D"https://www.schneier.com/iword/2022">workshop on reima= gining democracy</a>.</p>

    <p>The idea was to bring together people from a variety of disciplines who=
    are all thinking about different aspects of democracy=2C less from a =E2= =80=9Cwhat we need to do today=E2=80=9D perspective and more from a blue-s=
    ky future perspective. My remit to the participants was this:</p>

    <blockquote><p>The idea is to start from scratch=2C to pretend we=E2=80=99=
    re forming a new country and don=E2=80=99t have any precedent to deal with=
    =2E And that we don=E2=80=99t have any unique interests to perturb our think= ing. The modern representative democracy was the best form of government m= id-eighteenth century politicians technology could invent. The twenty-firs= t century is a very different place technically=2C scientifically=2C and p= hilosophically. What could democracy look like if it were reinvented today=
    ? Would it even be democracy -- what comes after democracy?</p>

    <p>Some questions to think about:</p>



    <li>Representative democracies were built under the assumption that tr= avel and communications were difficult. Does it still make sense to organi= ze our representative units by geography? Or to send representatives far a= way to create laws in our name? Is there a better way for people to choose=
    collective representatives?</li>

    <li>Indeed=2C the very idea of representative government is due to tec= hnological limitations. If an AI system could find the optimal solution fo= r balancing every voter=E2=80=99s preferences=2C would it still make sense=
    to have representatives -- or should we vote for ideas and goals instead?= </li>

    <li>With today=E2=80=99s technology=2C we can vote anywhere and any ti=
    me. How should we organize the temporal pattern of voting -- and of other=
    forms of participation?</li>

    <li>Starting from scratch=2C what is today=E2=80=99s ideal government=
    structure? Does it make sense to have a singular leader =E2=80=9Cin charg= e=E2=80=9D of everything? How should we constrain power -- is there someth= ing better than the legislative/judicial/executive set of checks and balan= ces?</li>

    <li>The size of contemporary political units ranges from a few people=
    in a room to vast nation-states and alliances. Within one country=2C what=
    might the smaller units be -- and how do they relate to one another?</li>

    <li>Who has a voice in the government? What does =E2=80=9Ccitizen=E2= =80=9D mean? What about children? Animals? Future people (and animals)? Co= rporations? The land?</li>

    <li>And much more: What about the justice system? Is the twelfth-centu=
    ry jury form still relevant? How do we define fairness? Limit financial an= d military power? Keep our system robust to psychological manipulation?</l=

    </ul>
    </blockquote>

    <p>My perspective=2C of course=2C is security. I want to create a system t=
    hat is <a href=3D"https://www.schneier.com/books/a-hackers-mind/">resilien= t against hacking</a>: one that can evolve as both technologies and threat= s evolve.</p>

    <p>The format was one that I have <a href=3D"https://www.schneier.com/blog= /archives/2022/05/security-and-human-behavior-shb-2022.html">used before</=
    . Forty-eight people meet over two days. There are four ninety-minute pa= nels per day=2C with six people on each. Everyone speaks for ten minutes=
    =2C and the rest of the time is devoted to questions and comments. Ten min= utes means that no one gets bogged down in jargon or details. Long breaks=
    between sessions and evening dinners allow people to talk more informally=
    =2E The result is a very dense=2C idea-rich environment that I find extremel=
    y valuable.</p>

    <p>It was amazing event. Everyone participated. Everyone was interesting.=
    (Details of the event -- emerging themes=2C notes from the speakers -- ar=
    e in the comments.) It=E2=80=99s a week later and I am still buzzing with=
    ideas. I hope this is only the first of an ongoing series of similar work= shops.</p>


    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=




    <p>Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing=
    summaries=2C analyses=2C insights=2C and commentaries on security technol= ogy. To subscribe=2C or to read back issues=2C see <a href=3D"https://www.= schneier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>

    <p>You can also read these articles on my blog=2C <a href=3D"https://www.s= chneier.com">Schneier on Security</a>.</p>

    <p>Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to co= lleagues and friends who will find it valuable. Permission is also granted=
    to reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.</p>

    <p><span style=3D"font-style: italic">Bruce Schneier is an internationally=
    renowned security technologist=2C called a security guru by the <cite sty= le=3D"font-style:normal">Economist</cite>. He is the author of over one do= zen books -- including his latest=2C <a href=3D"https://www.schneier.com/b= ooks/root/"><cite style=3D"font-style:normal">We Have Root</cite></a> -- a= s well as hundreds of articles=2C essays=2C and academic papers. His newsl= etter and blog are read by over 250=2C000 people. Schneier is a fellow at=
    the Berkman Klein Center for Internet & Society at Harvard University; a=
    Lecturer in Public Policy at the Harvard Kennedy School; a board member o=
    f the Electronic Frontier Foundation=2C AccessNow=2C and the Tor Project;=
    and an Advisory Board Member of the Electronic Privacy Information Center=
    and VerifiedVoting.org. He is the Chief of Security Architecture at Inrup= t=2C Inc.</span></p>

    <p>Copyright &copy; 2022 by Bruce Schneier.</p>


    <p style=3D"font-size:88%">** *** ***** ******* *********** *************<=

    <p>Mailing list hosting graciously provided by <a href=3D"https://mailchim= p.com/">MailChimp</a>. Sent without web bugs or link tracking.</p>
    <p>This email was sent to: thecivvie@gmail.com
    <br><em>You are receiving this email because you subscribed to the Crypto-= Gram newsletter.</em></p>

    <p><a style=3D"display:inline-block" href=3D"https://schneier.us18.list-ma= nage.com/unsubscribe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3Dd6f5467f 83&c=3D39d832de42">unsubscribe from this list</a>&nbsp;&nbsp;&nbsp;&nbs= p;<a style=3D"display:inline-block" href=3D"https://schneier.us18.list-man= age.com/profile?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3Dd6f5467f83=
    &c=3D39d832de42">update subscription preferences</a>
    <br>Bruce Schneier &middot; Harvard Kennedy School &middot; 1 Brattle Squa=
    re &middot; Cambridge=2C MA 02138 &middot; USA</p>


    </body></html>
    --_----------=_MCPart_1654239436--

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 - binkd.thecivv.ie (21:1/229)