Security UI does not work

A keynote slide from 2013. In a nutshell, why cookie banners are pointless and the GDPR is a mess.

Nice small detail:

This emoji does not show in the title bar of Safari, presumably to prevent less-reputable sites pretending to be secure (encrypted using HTTPS) when they are not.

I’ll go so far as to say your password is too damn short. These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all. So then perhaps we have one rule, that passwords must not be short. A long password is much more likely to be secure than a short one … right?

OverSight is a small utility developed by Objective-See to monitor use of and access to the Mac's built-in camera and microphone; the app sends a notification every time either of them is activated.

Cory Doctorow, on Boing Boing:

To do this, they made tiny alterations to the transparency values of the individual pixels of the accompanying banner ads, which were in the PNG format, which allows for pixel-level gradations in transparency. The javascript sent by the attackers would run through the pixels in the banners, looking for ones with the telltale alterations, then it would turn that tweaked transparency value into a character. By stringing all these characters together, the javascript would assemble a new program, which it would then execute on the target’s computer.

Advertising should be blocked not because it is ugly to look at, but because it is the only way to browse the web without compromising your own security and privacy.

Bruce Schneier:

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. […]

Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cybercommand trying to calibrate its weaponry in the case of cyberwar.

One of the simplest and most effective ways to take down a piece of the internet is a DDoS attack (distributed denial of service attack): as the name suggests, an attack that keeps sending bogus requests to a site until it can no longer cope, preventing legitimate users from reaching it.

Over the weekend, the blog of one of the foremost information-security experts (Krebs on Security) was taken down by one of the largest DDoS attacks in history, to the point that Akamai, which had been protecting it and supplying bandwidth, at a certain point simply dropped support for the site. Fending off the attack, Akamai says, would have ended up costing millions of dollars. Krebs on Security later came back online thanks to Project Shield, a Google programme to defend free speech online and, specifically, to protect independent sites and journalists who lack the capacity and resources to defend themselves:

We’ve met news organizations around the world who suffer crippling digital attacks when they publish something controversial or that questions powerful institutions. Project Shield uses Google’s infrastructure to protect independent news sites from distributed denial of service attacks (DDoS).

Schneier, in the passage quoted at the top, suggests that Russia or China, security agencies or state bodies could be behind these attacks; Krebs, by contrast, speaks of the "democratization of censorship": in his case, a botnet managed to take over millions of internet-connected devices (things like routers, surveillance cameras and other Internet of Things objects with poor security standards) and use them to carry out the attack:

There are currently millions — if not tens of millions — of insecure or poorly secured IoT devices that are ripe for being enlisted in these attacks at any given time. And we’re adding millions more each year. […]

What we’re allowing by our inaction is for individual actors to build the instrumentality of tyranny. And to be clear, these weapons can be wielded by anyone — with any motivation — who’s willing to expend a modicum of time and effort to learn the most basic principles of its operation.

The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.

Around the beginning of June, the data of 117 million LinkedIn accounts, passwords and email addresses included, appeared on the dark web; it was obtained during the attack LinkedIn suffered in 2012 (you can check whether your own account was compromised at haveibeenpwned.com).

As Ars Technica explains, every time there is a leak of this size and scope (recently: Ashley Madison), hackers get a little better at guessing our passwords on other sites, since they can draw on the data already collected (both about us, our preferences and details, and about the passwords themselves), compiling very long lists of candidate combinations and passwords:

Back in the early days of password cracking, we didn’t have much insight into the way people created passwords on a macro scale. Sure, we knew about passwords like 123456, password, secret, letmein, monkey, etc., but for the most part we were attacking password hashes with rather barbaric techniques—using literal dictionaries and stupid wordlists like klingon_words.txt. Our knowledge of the top 1,000 passwords was at least two decades old. We were damn lucky to find a password database with only a few thousand users, and when you consider the billions of accounts in existence even back then, our window into the way users created passwords was little more than a pinhole. […]

When you take both RockYou and LinkedIn and combine them with eHarmony, Stratfor, Gawker, Gamigo, Ashley Madison, and dozens of other smaller public password breaches, hackers will simply be more prepared than ever for the next big breach.
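The same breach corpora that feed attackers' wordlists can be turned around by a site that refuses passwords already found in them. As an added illustration (not code from the post or from any of the quoted articles), this sketches the k-anonymity range check haveibeenpwned.com offers: only the first five hex characters of the password's SHA-1 leave the client, and the 35-character remainder is compared locally against the suffixes returned. The range response, breach counts and `fake_fetch_range` stand-in are constructed for the example; a real deployment would fetch the range over HTTPS.

```python
from __future__ import annotations
import hashlib

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """5-char prefix that would go over the wire, 35-char suffix kept local."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appeared in the corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the range endpoint. The suffixes are derived here so
# the sample stays self-consistent; the counts are made up for the example.
_KNOWN_BAD = {
    split_hash("password")[1]: 3861493,
    split_hash("password123")[1]: 123456,
    "0" * 35: 2,  # filler suffix, as a real range reply holds hundreds of lines
}


def fake_fetch_range(prefix: str) -> str:
    assert len(prefix) == 5 and set(prefix) <= HEX, "only a 5-hex prefix is sent"
    return "\r\n".join(f"{s}:{c}" for s, c in _KNOWN_BAD.items()) + "\r\n"


def acceptable(password: str, fetch_range=fake_fetch_range) -> tuple[bool, str]:
    """Policy: reject short passwords outright, then reject any seen in a breach."""
    if len(password) <= 8:
        return False, "too short"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"seen in breaches {n} times"
    return True, "ok"
```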