Friday Squid Blogging: Eyeball Collector Wants a Giant-Squid Eyeball
They’re rare:
The one Dubielzig really wants is an eye from a giant squid, which has the biggest eye of any living animal—it’s the size of a dinner plate.
“But there are no intact specimens of giant squid eyes, only rotten specimens that have been beached,” he says.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Ben A. • July 14, 2017 4:41 PM
1Password [AgileBits] have betrayed their users yet again even though they have previously (and hypocritically) accused their competitors of doing the same thing: forcing users to store their passwords in their cloud.
The company has a history of lies, deceit and disinformation. Only recently Tavis Ormandy unearthed a treasure trove of 1Password user data publicly accessible via Google search. They accused the respected Google staffer of lying so he published the data to prove they were being disingenuous towards their users.
1Password also uses wonky browser crypto which is so bad that their own security chief (Jeffrey Goldberg) doesn’t even use it. Now Unix pioneer Matt Blaze and multiple other experts have criticised 1Password for removing the option for local storage in 1Password for Windows 6 (Mac users still have the option but it’s expected to be removed). The company says perpetual licensing works financially yet they still want to force everybody into their cloud, which has a monthly subscription.
There’s a well-documented history of security incidents at 1Password including the discovery by Microsoft’s Dale Myers that 1Password leaks metadata. On each occasion the company publishes their own blog rebuke and then claims the experts have “misunderstood” or “don’t understand” before taking to Twitter and posting contradictory and patronising information. Their most recent blog post has been likened to a “car crash”.
http://www.androidpolice.com/2017/07/12/1change-manydeceits-1password-betrayed-users-disappointed-security-experts-moving-license-local-storage-monthly-cloud-subscription/
https://motherboard.vice.com/en_us/article/evdbdz/why-security-experts-are-pissed-that-1password-is-pushing-users-to-the-cloud
https://www.theregister.co.uk/2017/07/13/1password_not_killing_onprem_storage/
Decent password manager alternatives
“KeePass” has the most features, smartcard support and cross-platform apps including mobile. “Password Safe” is the simplest and has the fewest features, which makes it the easiest to peer review (it was also developed by Bruce Schneier). “Password Store” is a command-line password manager which is just a wrapper around GPG – there are also community releases which provide a very basic GUI. All these applications are free and open source.
http://keepass.info/
https://pwsafe.org/
https://www.passwordstore.org/
A largely self-contained and complete security proof for quantum key distribution
“…we focus on a class of prepare-and-measure protocols based on the Bennett-Brassard (BB84) protocol as well as a class of entanglement-based protocols similar to the Bennett-Brassard-Mermin (BBM92) protocol. We carefully formalize the different steps in these protocols, including randomization, measurement, parameter estimation, error correction and privacy amplification, allowing us to be mathematically precise throughout the security analysis.”
https://arxiv.org/abs/1506.08458v3
Vault 7: new WikiLeaks dump details Android SMS snooping malware
“HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as an SMS proxy that provides greater separation between devices in the field (‘targets’) and the listening post (LP) by proxying ‘incoming’ and ‘outgoing’ SMS messages to an internet LP. HighRise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.”
https://nakedsecurity.sophos.com/2017/07/14/vault-7-new-wikileaks-dump-details-android-sms-snooping-malware/
US border agents: We won’t search data “located solely on remote servers”
“The recently published letter from CBP reiterated what federal officials have said before: electronic border searches are extremely rare, and the government claims the legal authority to compel assistance to open a device (including forcing someone to hand over their password). But it also distinguishes between data held on the phone and data held in the cloud.”
https://arstechnica.com/tech-policy/2017/07/us-border-agents-we-wont-search-data-located-solely-on-remote-servers/
https://assets.documentcloud.org/documents/3894769/170712-Cpb-Wyden-Letter.pdf
https://www.theregister.co.uk/2017/07/14/border_device_searches_stop_at_the_cloud/
€100 ‘typewriter’ turns out to be €45,000 Enigma machine
“A cryptography professor wandering through a Romanian flea market has turned a nice ROI on his €100 investment: €45,000.”
https://www.theregister.co.uk/2017/07/13/100_euro_typewriter_turns_out_to_be_45000_euro_enigma_machine/
Uncle Sam says ‘nyet’ to Kaspersky amid fresh claims of Russian ties
https://www.theregister.co.uk/2017/07/11/uncle_sam_says_nyet_to_kaspersky/
https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-response-clarifying-inaccurate-statements-published-in-bloomberg-businessweek-on-july-11-2017
https://arstechnica.com/security/2017/07/kaspersky-denies-inappropriate-ties-with-russian-govt-after-bloomberg-story/
Former GCHQ boss backs end-to-end encryption
https://www.theregister.co.uk/2017/07/10/former_gchq_wades_into_encryption_debate/
Former GCHQ director Robert Hannigan has spoken out against building backdoors into end-to-end encryption and has suggested they should “target the target’s device”.
G20 calls for ‘lawful and non-arbitrary access to available information’ to fight terror
“Turnbull’s speech singled out WhatsApp, Telegram and Signal, asking why they should ‘be able to establish end-to-end encryption in such a way that nobody, not the owners and not the courts, has the ability to find out what is being communicated’?”
https://www.theregister.co.uk/2017/07/11/g20_calls_for_lawful_and_nonarbitrary_access_to_available_information_to_fight_terror/
Elliptic Curve Cryptography Tutorial
https://www.johannes-bauer.com/compsci/ecc/
SQL injection attacks controlled using Telegram messaging app
https://nakedsecurity.sophos.com/2017/07/14/sql-injection-attacks-controlled-using-telegram-messaging-app/
Russians told to log in to Pornhub using verified social media accounts
https://nakedsecurity.sophos.com/2017/07/12/russians-told-to-log-in-to-pornhub-using-verified-social-media-accounts/
https://news.vice.com/story/russians-now-need-a-passport-to-watch-pornhub
Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’
https://krebsonsecurity.com/2017/07/thieves-used-infrared-to-pull-data-from-atm-insert-skimmers/
EULAlyzer – analyse licence agreements for interesting words and phrases.
https://www.brightfort.com/eulalyzer.html