From: TCOB1   To: All   Subject: CRYPTO-GRAM, October 15, 2022   Date/Time: October 16, 2022 5:53 PM

Crypto-Gram
October 15, 2022

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

Relay Attack against Teslas
Massive Data Breach at Uber
Large-Scale Collection of Cell Phone Data at US Borders
Credit Card Fraud That Bypasses 2FA
Automatic Cheating Detection in Human Racing
Prompt Injection/Extraction Attacks against AI Systems
Leaking Screen Information on Zoom Calls through Reflections in Eyeglasses
Leaking Passwords through the Spellchecker
New Report on IoT Security
Cold War Bugging of Soviet Facilities
Differences in App Security/Privacy Based on Country
Security Vulnerabilities in Covert CIA Websites
Detecting Deepfake Audio by Modeling the Human Acoustic Tract
NSA Employee Charged with Espionage
October Is Cybersecurity Awareness Month
Spyware Maker Intellexa Sued by Journalist
Complex Impersonation Story
Inserting a Backdoor into a Machine-Learning System
Recovering Passwords by Measuring Residual Heat
Digital License Plates
Regulating DAOs
Upcoming Speaking Engagements
** *** ***** ******* *********** *************

Relay Attack against Teslas

[2022.09.15] Nice work:

Radio relay attacks are technically complicated to execute, but conceptually
easy to understand: attackers simply extend the range of your existing key using
what is essentially a high-tech walkie-talkie. One thief stands near you while
you're in the grocery store, intercepting your key's transmitted signal with
a radio transceiver. Another stands near your car, with another transceiver,
taking the signal from their friend and passing it on to the car. Since the car
and the key can now talk, through the thieves' range extenders, the car has no
reason to suspect the key isn't inside -- and fires right up.

But Tesla's credit card keys, like many digital keys stored in cell phones,
don't work via radio. Instead, they rely on a different protocol called Near
Field Communication or NFC. Those keys had previously been seen as more secure,
since their range is so limited and their handshakes with cars are more complex.

Now, researchers seem to have cracked the code. By reverse-engineering the
communications between a Tesla Model Y and its credit card key, they were able
to properly execute a range-extending relay attack against the crossover. While
this specific use case focuses on Tesla, it's a proof of concept -- NFC
handshakes can, and eventually will, be reverse-engineered.
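The textbook countermeasure to the relay described above is distance bounding: the car times the challenge-response round trip and refuses to unlock when the answer, however correct, arrives later than a key within tap range could physically deliver it. The simulation below is an added example, not code from the newsletter or from the researchers who reverse-engineered the Tesla key; the shared-secret MAC protocol, the 5 ms key compute time, the 1 ms tolerance and the 10 ms relay hop are all constructed stand-ins, and the real Tesla/NFC protocol is not modelled.

```python
"""Distance bounding as a relay-attack countermeasure: a simulated car/key
challenge-response in which the car checks the round-trip time as well as
the MAC. Added example; the key protocol, timings and tolerances are
constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


@dataclass
class DigitalKey:
    """The card/phone key. Assumption: it shares a symmetric secret with the car."""
    secret: bytes

    def respond(self, nonce: bytes) -> bytes:
        # Proof of possession: MAC over the car's fresh nonce.
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


@dataclass
class Channel:
    """Path between car and key. one_way_delay_s is propagation plus forwarding
    latency in each direction: a direct NFC tap is ~10 cm of air, while a relay
    adds the thieves' radio hop and processing on every leg."""
    one_way_delay_s: float


class Car:
    def __init__(self, secret: bytes, max_distance_m: float,
                 expected_key_compute_s: float, tolerance_s: float):
        self.secret = secret
        # Largest round trip the car accepts: time of flight out and back over
        # the allowed distance, the key's known compute time, and a jitter
        # allowance. A relay has to fit its extra hops inside this budget.
        self.rtt_budget_s = (2 * max_distance_m / SPEED_OF_LIGHT_M_PER_S
                             + expected_key_compute_s + tolerance_s)

    def authenticate(self, key: DigitalKey, channel: Channel,
                     actual_key_compute_s: float) -> tuple:
        nonce = secrets.token_bytes(16)           # car -> key: challenge
        response = key.respond(nonce)             # key -> car: MAC(nonce)
        # Simulated clock: elapsed time is accounted for explicitly instead of
        # sleeping, so the result is deterministic.
        elapsed_s = 2 * channel.one_way_delay_s + actual_key_compute_s

        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False, "invalid response"
        if elapsed_s > self.rtt_budget_s:
            return False, (f"round trip {elapsed_s * 1e3:.3f} ms exceeds "
                           f"budget {self.rtt_budget_s * 1e3:.3f} ms")
        return True, "unlocked"


SECRET = b"constructed-demo-secret"
KEY_COMPUTE_S = 0.005   # constructed: 5 ms for the key to compute the MAC
CAR = Car(SECRET, max_distance_m=0.1, expected_key_compute_s=KEY_COMPUTE_S,
          tolerance_s=0.001)
KEY = DigitalKey(SECRET)


def direct_tap() -> tuple:
    # 10 cm of air: time of flight is well under a microsecond.
    channel = Channel(one_way_delay_s=0.1 / SPEED_OF_LIGHT_M_PER_S)
    return CAR.authenticate(KEY, channel, KEY_COMPUTE_S)


def relayed_tap(relay_hop_s: float = 0.010) -> tuple:
    # The genuine key still answers correctly, so the MAC passes; only the
    # round-trip budget exposes the extra radio hop (constructed: 10 ms each way).
    return CAR.authenticate(KEY, Channel(one_way_delay_s=relay_hop_s), KEY_COMPUTE_S)


if __name__ == "__main__":
    print("direct tap: ", direct_tap())
    print("relayed tap:", relayed_tap())
```

The MAC alone cannot distinguish the two cases, which is the whole point of a relay: the real key is answering. What a real implementation has to get right is the budget, since the key's compute time jitters and the radio stack adds its own latency; too loose a tolerance readmits the relay, too tight one rejects honest taps.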

** *** ***** ******* *********** *************

Massive Data Breach at Uber

[2022.09.16] It's big:

The breach appeared to have compromised many of Uber's internal systems, and a
person claiming responsibility for the hack sent images of email, cloud storage
and code repositories to cybersecurity researchers and The New York Times.

"They pretty much have full access to Uber," said Sam Curry, a security
engineer at Yuga Labs who corresponded with the person who claimed to be
responsible for the breach. "This is a total compromise, from what it looks
like."

It looks like a pretty basic phishing attack; someone gave the hacker their
login credentials. And because Uber has lousy internal security, lots of people
have access to everything. So once a hacker gains a foothold, they have access
to everything.

This is the same thing that Mudge accuses Twitter of: too many employees have
broad access within the company's network.

More details. Slashdot thread.

EDITED TO ADD (9/20): More details.

** *** ***** ******* *********** *************

Large-Scale Collection of Cell Phone Data at US Borders

[2022.09.19] The Washington Post is reporting that the US Customs and Border
Protection agency is seizing and copying cell phone, tablet, and computer data
from "as many as" 10,000 phones per year, including an unspecified number of
American citizens. This is done without a warrant, because "...courts have
long granted an exception to border authorities, allowing them to search
people's devices without a warrant or suspicion of a crime."

CBP's inspection of people's phones, laptops, tablets and other electronic
devices as they enter the country has long been a controversial practice that
the agency has defended as a low-impact way to pursue possible security threats
and determine an individual's "intentions upon entry" into the U.S. But
the revelation that thousands of agents have access to a searchable database
without public oversight is a new development in what privacy advocates and some
lawmakers warn could be an infringement of Americans' Fourth Amendment rights
against unreasonable searches and seizures.

[...]

CBP conducted roughly 37,000 searches of travelers' devices in the 12 months
ending in October 2021, according to agency data, and more than 179 million
people traveled that year through U.S. ports of entry.

More articles. Slashdot thread.

** *** ***** ******* *********** *************

Credit Card Fraud That Bypasses 2FA

[2022.09.20] Someone in the UK is stealing smartphones and credit cards from
people who have stored them in gym lockers, and is using the two items in
combination to commit fraud:

Phones, of course, can be made inaccessible with the use of passwords and face
or fingerprint unlocking. And bank cards can be stopped.

But the thief has a method which circumnavigates those basic safety protocols.

Once they have the phone and the card, they register the card on the relevant
bank's app on their own phone or computer. Since it is the first time that
card will have been used on the new device, a one-off security passcode is
demanded.

That verification passcode is sent by the bank to the stolen phone. The code
flashes up on the locked screen of the stolen phone, leaving the thief to tap it
into their own device. Once accepted, they have control of the bank account.
They can transfer money or buy goods, or change access to the account.

** *** ***** ******* *********** *************

Automatic Cheating Detection in Human Racing

[2022.09.21] This is a fascinating glimpse of the future of automatic cheating
detection in sports:

Maybe you heard about the truly insane false-start controversy in track and
field? Devon Allen -- a wide receiver for the Philadelphia Eagles -- was
disqualified from the 110-meter hurdles at the World Athletics Championships a
few weeks ago for a false start.

Here's the problem: You can't see the false start. Nobody can see the false
start. By sight, Allen most definitely does not leave before the gun.

But hereΓÇÖs the thing: World Athletics has determined that it is not possible
for someone to push off the block within a tenth of a second of the gun without
false starting. They have science that shows it is beyond human capabilities to
react that fast. Of course there are those (I'm among them) who would tell you
that's nonsense, that's pseudoscience, there's no way that they can limit
human capabilities like that. There is science that shows it is humanly
impossible to hit a fastball. There was once science that showed human beings
could not run a four-minute mile.

Besides, do you know what Devon Allen's reaction time was? It was 0.99
seconds. One thousandth of a second too fast, according to World Athletics'
science. They're THAT sure that .01 seconds -- and EXACTLY .01 seconds -- is
the limit of human possibilities that they will disqualify an athlete who has
trained his whole life for this moment because he reacted one thousandth of a
second faster than they think possible?

We in the computer world are used to this sort of thing. "The computer is
always right," even when it's obviously wrong. But now computers are leaving
the world of keyboards and screens, and this sort of thing will become more
pervasive. In sports, computer systems are used to detect when a ball is out of
bounds in tennis and other games and when a pitch is a strike in baseball. I'm
sure thereΓÇÖs more -- are computers detecting first downs in football? -- but
I'm not enough of a sports person to know them.

EDITED TO ADD (10/14): This article shows that start times have been decreasing
over the past few years, and that Allen's start is statistically expected.

And soccer is using technology to detect offsides violations.

** *** ***** ******* *********** *************

Prompt Injection/Extraction Attacks against AI Systems

[2022.09.22] This is an interesting attack I had not previously considered.

The variants are interesting, and I think we're just starting to understand
their implications.

EDITED TO ADD (10/13): More details from the researcher who discovered the
problem.

** *** ***** ******* *********** *************

Leaking Screen Information on Zoom Calls through Reflections in Eyeglasses

[2022.09.23] Okay, it's an obscure threat. But people are researching it:

"Our models and experimental results in a controlled lab setting show it is
possible to reconstruct and recognize with over 75 percent accuracy on-screen
texts that have heights as small as 10 mm with a 720p webcam." That
corresponds to 28 pt, a font size commonly used for headings and small
headlines.

[...]

Being able to read reflected headline-size text isn't quite the privacy and
security problem of being able to read smaller 9 to 12 pt fonts. But this
technique is expected to provide access to smaller font sizes as high-resolution
webcams become more common.

"We found future 4k cameras will be able to peek at most header texts on
almost all websites and some text documents," said Long.

[...]

A variety of factors can affect the legibility of text reflected in a video
conference participant's glasses. These include reflectance based on the
meeting participant's skin color, environmental light intensity, screen
brightness, the contrast of the text with the webpage or application background,
and the characteristics of eyeglass lenses. Consequently, not every
glasses-wearing person will necessarily provide adversaries with reflected
screen sharing.

With regard to potential mitigations, the boffins say that Zoom already provides
a video filter in its Background and Effects settings menu that consists of
reflection-blocking opaque cartoon glasses. Skype and Google Meet lack that
defense.

Research paper.

** *** ***** ******* *********** *************

Leaking Passwords through the Spellchecker

[2022.09.26] Sometimes browser spellcheckers leak passwords:

When using major web browsers like Chrome and Edge, your form data is
transmitted to Google and Microsoft, respectively, should enhanced spellcheck
features be enabled.

Depending on the website you visit, the form data may itself include PII --
including but not limited to Social Security Numbers (SSNs)/Social Insurance
Numbers (SINs), name, address, email, date of birth (DOB), contact information,
bank and payment information, and so on.

The solution is to only use the spellchecker options that keep the data on your
computer -- and don't send it into the cloud.
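The user-side fix above is to keep spellcheck local; on the site side, the page-level mitigation is to mark fields that carry secrets or PII with the standard HTML attribute `spellcheck="false"`, so the browser never hands their contents to an enhanced spellchecker at all. The auditor below is an added example, not code from the newsletter or from the researchers who reported the leak: it parses a form with the standard library and lists sensitive-looking fields that still permit spellcheck. The name/autocomplete heuristic and the sample form are constructed; extend the pattern for your own forms.

```python
"""Audit an HTML form for sensitive fields that browsers' enhanced spellcheck
could ship off-device. Added example; the sensitivity heuristic and the
sample form are constructed. Assumption: the page-side mitigation is the
standard HTML attribute spellcheck="false" on the field."""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Field names / autocomplete tokens that suggest PII or payment data
# (constructed heuristic). The lookarounds keep "pan" from matching "company".
SENSITIVE_NAME = re.compile(
    r"(?<![a-z])(ssn|sin|social|card|cc|cvv|cvc|iban|account|routing|dob|birth|passport|tax)(?![a-z])",
    re.I,
)
SENSITIVE_TYPES = {"password"}
# Controls that carry no user-typed text, so spellcheck is irrelevant to them.
IGNORED_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "file", "reset"}

Finding = Tuple[str, str, str]   # (field name, input type, spellcheck value seen)


class FormFieldAuditor(HTMLParser):
    """Collects text-entry fields that look sensitive and lack spellcheck="false"."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # boolean attrs arrive as None
        ftype = a.get("type", "text").lower() if tag == "input" else "textarea"
        if ftype in IGNORED_TYPES:
            return
        name = a.get("name") or a.get("id") or "<unnamed>"
        looks_sensitive = (
            ftype in SENSITIVE_TYPES
            or SENSITIVE_NAME.search(name)
            or SENSITIVE_NAME.search(a.get("autocomplete", ""))
        )
        if not looks_sensitive:
            return
        spell = a.get("spellcheck", "").strip().lower()
        if spell != "false":
            self.findings.append((name, ftype, spell or "missing"))


def audit_form(html: str) -> List[Finding]:
    """Return the sensitive fields in `html` that still allow spellcheck."""
    auditor = FormFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample form for the demo.
SAMPLE_FORM = """
<form method="post" action="/signup">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password">
  <input type="password" name="password_confirm" spellcheck="false">
  <input type="text" name="ssn" placeholder="Social Security Number">
  <input type="text" name="card_number" autocomplete="cc-number" spellcheck="true">
  <input type="text" name="company">
  <textarea name="comments" spellcheck="true"></textarea>
  <input type="hidden" name="csrf_token" value="constructed">
</form>
"""

if __name__ == "__main__":
    for name, ftype, seen in audit_form(SAMPLE_FORM):
        print(f'{name:16} type={ftype:9} spellcheck={seen:8} -> add spellcheck="false"')
```

Run against the sample, the auditor flags `password` and `ssn` (attribute missing) and `card_number` (explicitly `true`), and passes `password_confirm`, which already opts out. Password fields deserve the attribute even though browsers normally don't spellcheck them, because "show password" toggles can turn them into plain text inputs.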

** *** ***** ******* *********** *************

New Report on IoT Security

[2022.09.27] The Atlantic Council has published a report on securing the
Internet of Things: "Security in the Billions: Toward a Multinational Strategy
to Better Secure the IoT Ecosystem." The report examines the regulatory
approaches taken by four countries -- the US, the UK, Australia, and Singapore
-- to secure home, medical, and networking/telecommunications devices. The
report recommends that regulators should 1) enforce minimum security standards
for manufacturers of IoT devices, 2) incentivize higher levels of security
through public contracting, and 3) try to align IoT standards internationally
(for example, international guidance on handling connected devices that stop
receiving security updates).

This report looks to existing security initiatives as much as possible -- both
to leverage existing work and to avoid counterproductively suggesting an
entirely new approach to IoT security -- while recommending changes and
introducing more cohesion and coordination to regulatory approaches to IoT
cybersecurity. It walks through the current state of risk in the ecosystem,
analyzes challenges with the current policy model, and describes a synthesized
IoT security framework. The report then lays out nine recommendations for
government and industry actors to enhance IoT security, broken into three
recommendation sets: setting a baseline of minimally acceptable security (or
"Tier 1"), incentivizing above the baseline (or "Tier 2" and above),
and pursuing international alignment on standards and implementation across the
entire IoT product lifecycle (from design to sunsetting). It also includes
implementation guidance for the United States, Australia, UK, and Singapore,
providing a clearer roadmap for countries to operationalize the recommendations
in their specific jurisdictions -- and push towards a stronger, more cohesive
multinational approach to securing the IoT worldwide.

Note: One of the authors of this report was a student of mine at Harvard Kennedy
School, and did this work with the Atlantic Council under my supervision.

** *** ***** ******* *********** *************

Cold War Bugging of Soviet Facilities

[2022.09.28] Found documents in Poland detail US spying operations against the
former Soviet Union.

The file details a number of bugs found at Soviet diplomatic facilities in
Washington, D.C., New York, and San Francisco, as well as in a Russian
government-owned vacation compound, apartments used by Russia personnel, and
even Russian diplomats' cars. And the bugs were everywhere: encased in plaster
in an apartment closet; behind electrical and television outlets; bored into
concrete bricks and threaded into window frames; inside wooden beams and
baseboards and stashed within a building's foundation itself; surreptitiously
attached to security cameras; wired into ceiling panels and walls; and secretly
implanted into the backseat of cars and in their window panels, instrument
panels, and dashboards. It's an impressive -- and impressively thorough --
effort by U.S. counterspies.

We have long read about sophisticated Russian spying operations -- bugging the
Moscow embassy, bugging Selectric typewriters in the Moscow embassy, bugging the
new Moscow embassy. These are the first details I've read about the US bugging
the Russians' embassy.

EDITED TO ADD (10/12): How the CIA bugged Xerox copiers.

** *** ***** ******* *********** *************

Differences in App Security/Privacy Based on Country

[2022.09.29] Depending on where you are when you download your Android apps, it
might collect more or less data about you.

The apps we downloaded from Google Play also showed differences based on country
in their security and privacy capabilities. One hundred twenty-seven apps varied
in what the apps were allowed to access on users' mobile phones, 49 of which
had additional permissions deemed "dangerous" by Google. Apps in Bahrain,
Tunisia and Canada requested the most additional dangerous permissions.

Three VPN apps enable clear text communication in some countries, which allows
unauthorized access to users' communications. One hundred and eighteen apps
varied in the number of ad trackers included in an app in some countries, with
the categories Games, Entertainment and Social, with Iran and Ukraine having the
most increases in the number of ad trackers compared to the baseline number
common to all countries.

One hundred and three apps have differences based on country in their privacy
policies. Users in countries not covered by data protection regulations, such as
GDPR in the EU and the California Consumer Privacy Act in the U.S., are at
higher privacy risk. For instance, 71 apps available from Google Play have
clauses to comply with GDPR only in the EU and CCPA only in the U.S.
Twenty-eight apps that use dangerous permissions make no mention of it, despite
Google's policy requiring them to do so.

Research paper: "A Large-scale Investigation into Geodifferences in Mobile
Apps":

Abstract: Recent studies on the web ecosystem have been raising alarms on the
increasing geodifferences in access to Internet content and services due to
Internet censorship and geoblocking. However, geodifferences in the mobile app
ecosystem have received limited attention, even though apps are central to how
mobile users communicate and consume Internet content. We present the first
large-scale measurement study of geodifferences in the mobile app ecosystem. We
design a semi-automatic, parallel measurement testbed that we use to collect
5,684 popular apps from Google Play in 26 countries. In all, we collected
117,233 apk files and 112,607 privacy policies for those apps. Our results show
high amounts of geoblocking with 3,672 apps geoblocked in at least one of our
countries. While our data corroborates anecdotal evidence of takedowns due to
government requests, unlike common perception, we find that blocking by
developers is significantly higher than takedowns in all our countries, and has
the most influence on geoblocking in the mobile app ecosystem. We also find instances of
developers releasing different app versions to different countries, some with
weaker security settings or privacy disclosures that expose users to higher
security and privacy risks. We provide recommendations for app market
proprietors to address the issues discovered.

EDITED TO ADD (10/14): Project website.

** *** ***** ******* *********** *************

Security Vulnerabilities in Covert CIA Websites

[2022.09.30] Back in 2018, we learned that the covert system of websites that the
CIA used for communications was compromised by -- at least -- China and Iran,
and that the blunder caused a bunch of arrests, imprisonments, and executions.
We're now learning that the CIA is still "using an irresponsibly secured
system for asset communication."

Citizen Lab did the research:

Using only a single website, as well as publicly available material such as
historical internet scanning results and the Internet Archive's Wayback
Machine, we identified a network of 885 websites and have high confidence that
the United States (US) Central Intelligence Agency (CIA) used these sites for
covert communication.

The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts
that implemented or apparently loaded covert communications apps. In addition,
blocks of sequential IP addresses registered to apparently fictitious US
companies were used to host some of the websites. All of these flaws would have
facilitated discovery by hostile parties.

[...]

The bulk of the websites that we discovered were active at various periods
between 2004 and 2013. We do not believe that the CIA has recently used this
communications infrastructure. Nevertheless, a subset of the websites are linked
to individuals who may be former and possibly still active intelligence
community employees or assets:

- Several are currently abroad
- Another left mainland China in the timeframe of the Chinese crackdown
- Another was subsequently employed by the US State Department
- Another now works at a foreign intelligence contractor

Citizen Lab is not publishing details, of course.

When I was a kid, I thought a lot about being a spy. And this, right here, was
the one thing I worried about. It didn't matter how clever and resourceful I
was. If my handlers were incompetent, I was dead.

Another news article.

EDITED TO ADD (10/2): Slashdot thread.

** *** ***** ******* *********** *************

Detecting Deepfake Audio by Modeling the Human Acoustic Tract

[2022.10.03] This is interesting research:

In this paper, we develop a new mechanism for detecting audio deepfakes using
techniques from the field of articulatory phonetics. Specifically, we apply
fluid dynamics to estimate the arrangement of the human vocal tract during
speech generation and show that deepfakes often model impossible or
highly-unlikely anatomical arrangements. When parameterized to achieve 99.9%
precision, our detection mechanism achieves a recall of 99.5%, correctly
identifying all but one deepfake sample in our dataset.

From an article by two of the researchers:

The first step in differentiating speech produced by humans from speech
generated by deepfakes is understanding how to acoustically model the vocal
tract. Luckily scientists have techniques to estimate what someone -- or some
being such as a dinosaur -- would sound like based on anatomical measurements of
its vocal tract.

We did the reverse. By inverting many of these same techniques, we were able to
extract an approximation of a speaker's vocal tract during a segment of
speech. This allowed us to effectively peer into the anatomy of the speaker who
created the audio sample.

From here, we hypothesized that deepfake audio samples would fail to be
constrained by the same anatomical limitations humans have. In other words, the
analysis of deepfaked audio samples simulated vocal tract shapes that do not
exist in people.

Our testing results not only confirmed our hypothesis but revealed something
interesting. When extracting vocal tract estimations from deepfake audio, we
found that the estimations were often comically incorrect. For instance, it was
common for deepfake audio to result in vocal tracts with the same relative
diameter and consistency as a drinking straw, in contrast to human vocal tracts,
which are much wider and more variable in shape.

This is, of course, not the last word. Deepfake generators will figure out how
to use these techniques to create harder-to-detect fake voices. And the deepfake
detectors will figure out another, better, detection technique. And the arms
race will continue.

Slashdot thread.

** *** ***** ******* *********** *************

NSA Employee Charged with Espionage

[2022.10.04] An ex-NSA employee has been charged with trying to sell classified
data to the Russians (but instead actually talking to an undercover FBI agent).

It's a weird story, and the FBI affidavit raises more questions than it
answers. The employee only worked for the NSA for three weeks -- which is weird
in itself. I can't figure out how he linked up with the undercover FBI agent.
It's not clear how much of this was the employee's idea, and whether he was
goaded by the FBI agent. Still, hooray for not leaking NSA secrets to the
Russians. (And, almost ten years after Snowden, do we still have this much
trouble vetting people before giving them security clearances?)

Mr. Dalke, who had already left the N.S.A. but told the agent that he still
worked there on a temporary assignment, then revealed that he had taken "highly
sensitive information" related to foreign targeting of U.S. systems and
information on cyber operations, the prosecutors said. He offered the
information in exchange for cryptocurrency and said he was in "financial
need." Court records show he had nearly $84,000 in debt between student loans
and credit cards.

EDITED TO ADD (10/5): Marcy Wheeler notes that the FBI seems to be sitting on
some common recruitment point, and collecting potential Russian spies.

** *** ***** ******* *********** *************

October Is Cybersecurity Awareness Month

[2022.10.05] For the past nineteen years, October has been Cybersecurity
Awareness Month here in the US, an event that has always been part advice
and part ridicule. I tend to fall on the apathy end of the spectrum; I don't
think I've ever mentioned it before. But the memes can be funny.

Here's a decent rundown of some of the chatter.

** *** ***** ******* *********** *************

Spyware Maker Intellexa Sued by Journalist

[2022.10.07] The Greek journalist Thanasis Koukakis was spied on by his own
government, with a commercial spyware product called "Predator." That
product is sold by a company in North Macedonia called Cytrox, which is in turn
owned by an Israeli company called Intellexa.

Koukakis is suing Intellexa.

The lawsuit filed by Koukakis takes aim at Intellexa and its executive, alleging
a criminal breach of privacy and communication laws, reports Haaretz. The
founder of Intellexa, a former Israeli intelligence commander named Taj Dilian,
is listed as one of the defendants in the suit, as is another shareholder, Sara
Hemo, and the firm itself. The objective of the suit, Koukakis says, is to spur
an investigation to determine whether a criminal indictment should be brought
against the defendants.

Why does it always seem to be Israel? The world would be a much safer place if
that government stopped this cyberweapons arms trade from inside its borders.

** *** ***** ******* *********** *************

Complex Impersonation Story

[2022.10.10] This is a story of one piece of what is probably a complex
employment scam. Basically, real programmers are having their resumes copied and
co-opted by scammers, who apply for jobs (or, I suppose, get recruited from
various job sites), then hire other people with Western looks and language
skills to impersonate those first people on Zoom job interviews. Presumably,
sometimes the scammers get hired and...I suppose...collect paychecks for a while
until they get found out and fired. But that requires a bunch of banking fraud
as well, so I don't know.

EDITED TO ADD (10/11): Brian Krebs writes about fake LinkedIn profiles, which
is probably another facet of this fraud system. Someone needs to unravel all of
the threads.

** *** ***** ******* *********** *************

Inserting a Backdoor into a Machine-Learning System

[2022.10.11] Interesting research: "ImpNet: Imperceptible and
blackbox-undetectable backdoors in compiled neural networks," by Tim Clifford,
Ilia Shumailov, Yiren Zhao, Ross Anderson, and Robert Mullins:

Abstract: Early backdoor attacks against machine learning set off an arms race
in attack and defence development. Defences have since appeared demonstrating
some ability to detect backdoors in models or even remove them. These defences
work by inspecting the training data, the model, or the integrity of the
training procedure. In this work, we show that backdoors can be added during
compilation, circumventing any safeguards in the data preparation and model
training stages. As an illustration, the attacker can insert weight-based
backdoors during the hardware compilation step that will not be detected by any
training or data-preparation process. Next, we demonstrate that some backdoors,
such as ImpNet, can only be reliably detected at the stage where they are
inserted and removing them anywhere else presents a significant challenge. We
conclude that machine-learning model security requires assurance of provenance
along the entire technical pipeline, including the data, model architecture,
compiler, and hardware specification.

Ross Anderson explains the significance:

The trick is for the compiler to recognise what sort of model it's compiling
-- whether it's processing images or text, for example -- and then devising
trigger mechanisms for such models that are sufficiently covert and general. The
takeaway message is that for a machine-learning model to be trustworthy, you
need to assure the provenance of the whole chain: the model itself, the software
tools used to compile it, the training data, the order in which the data are
batched and presented -- in short, everything.
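Anderson's "provenance of the whole chain" translates, in practice, into two checks: a manifest that pins the hash of every artifact the build consumed (data, architecture, weights, the compiler itself, the compiled output), and an independent rebuild of the compiled artifact with a compiler the verifier trusts, which is the only one of the two that catches a backdoor inserted at compile time when the manifest was itself recorded from the tainted build. The code below is an added example, not code from the ImpNet paper or its authors: the int8 "compiler" is a toy stand-in for the hardware compilation step, the backdoored variant that appends two extra weight bytes is constructed to play ImpNet's role, and every artifact is constructed in memory.

```python
"""Provenance checking along a model pipeline: hash every artifact from data to
compiled model into a manifest, and independently rebuild the compiled
artifact to catch compiler-inserted changes. Added example; the toy compiler,
the backdoored variant and all artifact bytes are constructed."""
import hashlib
import hmac
import json
from typing import Callable, Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def quantize_compile(weights: List[float]) -> bytes:
    """Toy stand-in for the hardware compilation step: clamp each weight to
    [-1, 1] and pack it as a signed 8-bit value. It is deterministic, so two
    independent runs on the same input must produce identical bytes."""
    out = bytearray()
    for w in weights:
        q = max(-127, min(127, round(w * 127)))
        out.append(q & 0xFF)
    return bytes(out)


def backdoored_compile(weights: List[float]) -> bytes:
    """Constructed 'malicious compiler': identical output plus two extra weight
    bytes that the data and training stages never saw."""
    return quantize_compile(weights) + bytes([0x7F, 0x81])


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Record the hash of every pipeline stage the build actually used."""
    return {stage: sha256_hex(blob) for stage, blob in artifacts.items()}


def verify_manifest(manifest: Dict[str, str], artifacts: Dict[str, bytes]) -> List[str]:
    """Return the stages whose bytes no longer match the manifest, plus any
    stage present on only one side."""
    bad = []
    for stage in sorted(set(manifest) | set(artifacts)):
        if stage not in manifest or stage not in artifacts:
            bad.append(stage)
        elif not hmac.compare_digest(manifest[stage], sha256_hex(artifacts[stage])):
            bad.append(stage)
    return bad


def independent_rebuild_matches(weights: List[float], produced: bytes,
                                trusted_compiler: Callable[[List[float]], bytes]) -> bool:
    """Reproducible-build check: recompile the same weights with a compiler the
    verifier trusts and compare byte for byte."""
    return hmac.compare_digest(trusted_compiler(weights), produced)


# Constructed pipeline artifacts.
TRAINING_DATA = b"image,label\ncat.png,0\ndog.png,1\n"
ARCHITECTURE = json.dumps({"layers": [{"type": "dense", "units": 3}]}, sort_keys=True).encode()
WEIGHTS = [0.5, -0.25, 1.0]
COMPILER_BLOB = b"toy-quantizing-compiler v1 (constructed stand-in for the compiler binary)"


def honest_pipeline() -> Dict[str, bytes]:
    return {
        "training_data": TRAINING_DATA,
        "architecture": ARCHITECTURE,
        "weights": json.dumps(WEIGHTS).encode(),
        "compiler": COMPILER_BLOB,
        "compiled_model": quantize_compile(WEIGHTS),
    }


def compromised_pipeline() -> Dict[str, bytes]:
    # Everything upstream of compilation is untouched, so data- and
    # training-stage defences have nothing to see; only the output differs.
    p = honest_pipeline()
    p["compiled_model"] = backdoored_compile(WEIGHTS)
    return p


if __name__ == "__main__":
    manifest = build_manifest(honest_pipeline())
    print("honest build mismatches:     ", verify_manifest(manifest, honest_pipeline()))
    print("compromised build mismatches:", verify_manifest(manifest, compromised_pipeline()))
    tainted = compromised_pipeline()["compiled_model"]
    print("independent rebuild matches: ", independent_rebuild_matches(WEIGHTS, tainted, quantize_compile))
```

The manifest only helps when it was recorded from a build you trust; if the compiler was already subverted when the manifest was written, every hash in it is "correct" and the backdoor is baked in. That is why the second check recompiles from the pinned weights on an independent toolchain: a deterministic compiler must reproduce the artifact byte for byte, and the two appended bytes make the rebuild disagree even though nothing upstream changed.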

** *** ***** ******* *********** *************

Recovering Passwords by Measuring Residual Heat

[2022.10.12] Researchers have used thermal cameras and ML guessing techniques to
recover passwords from measuring the residual heat left by fingers on keyboards.
From the abstract:

We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal
images of keyboards with heat traces resulting from input publicly available.
Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol,
12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%,
and 55% respectively, and even higher accuracy when thermal images are taken
within 30 seconds. We found that typing behavior significantly impacts
vulnerability to thermal attacks, where hunt-and-peck typists are more
vulnerable than fast typists (92% vs 83% thermal attack success if performed
within 30 seconds). The second study showed that the keycaps material has a
statistically significant effect on the effectiveness of thermal attacks: ABS
keycaps retain the thermal trace of users presses for a longer period of time,
making them more vulnerable to thermal attacks, with a 52% average attack
accuracy compared to 14% for keyboards with PBT keycaps.

"ABS" is Acrylonitrile Butadiene Styrene, which some keys are made of.
Others are made of Polybutylene Terephthalate (PBT). PBT keys are less
vulnerable.

But, honestly, if someone can train a camera at your keyboard, you have bigger
problems.

News article.

** *** ***** ******* *********** *************

Digital License Plates

[2022.10.13] California just legalized digital license plates, which seems like
a solution without a problem.

The Rplate can reportedly function in extreme temperatures, has some
customization features, and is managed via Bluetooth using a smartphone app.
Rplates are also equipped with an LTE antenna, which can be used to push
updates, change the plate if the vehicle is reported stolen or lost, and notify
vehicle owners if their car may have been stolen.

Perhaps most importantly to the average car owner, Reviver said Rplate owners
can renew their registration online through the Reviver mobile app.

That's it?

Right now, an Rplate for a personal vehicle (the battery version) runs to
$19.95 a month for 48 months, which will total $975.60 if kept for the full
term. If opting to pay a year at a time, the price is $215.40 a year for the
same four-year period, totaling $861.60. Wired plates for commercial vehicles
run $24.95 for 48 months, and $275.40 if paid yearly.

That's a lot to pay for the luxury of not having to find an envelope and
stamp.

Plus, the privacy risks:

Privacy risks are an obvious concern when thinking about strapping an
always-connected digital device to a car, but the California law has taken steps
that may address some of those concerns.

"The bill would generally prohibit an alternative device [i.e. digital plate]
from being equipped with GPS or other vehicle location tracking capability,"
California's legislative digest said of the new law. Commercial fleets are
exempt from the rule, unsurprisingly.

More important are the security risks. Do we think for a minute that your
digital license plate is secure from denial-of-service attacks, or number
swapping attacks, or whatever new attacks will be dreamt up? Seems like a piece
of stamped metal is the most secure option.

** *** ***** ******* *********** *************

Regulating DAOs

[2022.10.14] In August, the US Treasury's Office of Foreign Assets Control
(OFAC) sanctioned the cryptocurrency platform Tornado Cash, a virtual currency
"mixer" designed to make it harder to trace cryptocurrency transactions --
and a worldwide favorite money-laundering platform. Americans are now forbidden
from using it. According to the US government, Tornado Cash was sanctioned
because it allegedly laundered over $7 billion in cryptocurrency, $455 million
of which was stolen by a North Korean state-sponsored hacking group.

Tornado Cash is not a traditional company run by human beings, but instead a
series of "smart contracts": self-executing code that exists only as
software. Critics argue that prohibiting Americans from using Tornado Cash is a
restraint of free speech, pointing to court rulings in the 1990s that
established that computer language is a form of language, and that software
programs are a form of speech. They also suggest that the Treasury Department
has the authority to sanction only humans and not software.

We think that the most useful way to understand the speech issues involved with
regulating Tornado Cash and other decentralized autonomous organizations (DAOs)
is through an analogy: the golem. There are many versions of the Jewish golem
legend, but in most of them, a person-like clay statue comes to life after
someone writes the word "truth" in Hebrew on its forehead, and eventually
starts doing terrible things. The golem stops only when a rabbi erases one of
those letters, turning "truth" into the Hebrew word for "death," and the
golem ceases to function.

The analogy between DAOs and golems is quite precise, and has important
consequences for the relationship between free speech and code. Ultimately, just
as the golem needed the intervention of a rabbi to stop wreaking havoc on the
world, so too do DAOs need to be subject to regulation.

The equivalency of code and free speech was established during the first
"crypto wars" of the 1990s, which were about cryptography, not
cryptocurrencies. US agencies tried to use export control laws to prevent
sophisticated cryptography software from being exported outside the US.
Activists and lawyers cleverly showed how code could be transformed into speech
and vice versa, turning the source code for a cryptographic product into a
printed book and daring US authorities to prevent its export. In 1996, US
District Judge Marilyn Hall Patel ruled that computer code is a language, just
like German or French, and that coded programs deserve First Amendment
protection. That such code is also functional, instructing a computer to do
something, was irrelevant to its expressive capabilities, according to Patel's
ruling. However, both a concurring and dissenting opinion argued that computer
code also has the "functional purpose of controlling computers and, in that
regard, does not command protection under the First Amendment."

This disagreement highlights the awkward distinction between ordinary language
and computer code. Language does not change the world, except insofar as it
persuades, informs, or compels other people. Code, however, is a language where
words have inherent power. Type the appropriate instructions and the computer
will implement them without hesitation, second-guessing, or independence of
will. They are like the words inscribed on a golem's forehead (or the written
instructions that, in some versions of the folklore, are placed in its mouth).
The golem has no choice, because it is incapable of making choices. The words
are code, and the golem is no different from a computer.

Unlike ordinary organizations, DAOs don't rely on human beings to carry out
many of their core functions. Instead, those functions have been translated into
a set of instructions that are implemented in software. In the case of Tornado
Cash, its code exists as part of Ethereum, a widely used cryptocurrency that can
also run arbitrary computer code.

Cryptocurrency zealots thought that DAOs would allow them to place their trust
in secure computer code, which would do exactly what they wanted it to do,
rather than fallible human beings who might fail or cheat. Humans could still
have input, but under rules that were enshrined in self-running software. The
past several years of DAO activity has taught these zealots a series of painful
and expensive lessons on the limits of both computer security and incomplete
contracts: Software has bugs, and contracts may do weird things under
unanticipated circumstances. The combination frequently results in
multimillion-dollar frauds and thefts.

Further complicating the matter is that individual DAOs can have very different
rules. DAOs were supposed to create truly decentralized services that could
never turn into a source of state power and coercion. Today, some DAOs talk a
big game about decentralization, but provide power to founders and big investors
like Andreessen Horowitz. Others are deliberately set up to frustrate outside
control. Indeed, the creators of Tornado Cash explicitly wanted to create a
golem-like entity that would be immune from law. In doing so, they were
following in a long libertarian tradition.

In 2014, Gavin Woods, one of Ethereum's core developers, gave a talk on what
he called "allegality" of decentralized software services. Woods's
argument was very simple. Companies like PayPal employ real people and real
lawyers. That meant that "if they provide a service to you that is deemed
wrong or illegal ... then they get fucked ... maybe [go] to prison." But
cryptocurrencies like Bitcoin "had no operator." By using software running
on blockchains rather than people to run your organization, you could do an
end-run around normal, human law. You could create services that "cannot be
shut down. Not by a court, not by a police force, not by a nation state."
People would be able to set whatever rules they wanted, regardless of what any
government prohibited.

Woods's speech helped inspire the first DAO (The DAO), and his ideas live on
in Tornado Cash. Tornado Cash was designed, in its founder's words, "to be
unstoppable." The way the protocol is "designed, decentralized and
autonomous ...[,] there's nobody in charge." The people who ran Tornado Cash
used a decentralized protocol running on the Ethereum computing platform, which
is itself radically decentralized. But they used indelible ink. The protocol was
deliberately instructed never to accept an update command.

Other elements of Tornado Cash -- its website, and the GitHub repository where
its source code was stored -- have been taken down. But the protocol that
actually mixes cryptocurrency is still available through the Ethereum network,
even if it doesn't have a user-friendly front end. Like a golem that has been
set in motion, it will just keep on going, taking in, processing, and returning
cryptocurrency according to its original instructions.

This gets us to the argument that the US government, by sanctioning a software
program, is restraining free speech. Not only is it more complicated than that,
but it's complicated in ways that undercut this argument. OFAC's actions
aren't aimed against free speech and the publication of source code, as its
clarifications have made clear. Researchers are not prohibited from copying,
posting, "discussing, teaching about, or including open-source code in written
publications, such as textbooks." GitHub could potentially still host the
source code and the project. OFAC's actions are aimed at preventing persons
from using software applications that undercut one of the most basic functions
of government: regulating activities that it deems endangers national security.

The question is whether the First Amendment covers golems. When your words are
used not to persuade or argue, but to animate a mindless entity that will exist
as long as the Ethereum blockchain exists and will carry out your final
instructions no matter what, should your golem be immune from legal action?

When Patel issued her famous ruling, she caustically dismissed the argument that
"even one drop of 'direct functionality'" overwhelmed people's
expressive rights. Arguably, the question with Tornado Cash is whether a
possibly notional droplet of free speech expressivity can overwhelm the direct
functionality of running code, especially code designed to refuse any further
human intervention. The Tornado Cash protocol will accept and implement the
routine commands described by its protocol: It will still launder
cryptocurrency. But the protocol itself is frozen.

We certainly don't think that the US government should ban DAOs or code
running on Ethereum or other blockchains, or demand any universal right of
access to their workings. That would be just as sweeping -- and wrong -- as the
general claim that encrypted messaging results in a "lawless space," or the
contrary notion that regulating code is always a prior restraint on free speech.
There is wide scope for legitimate disagreement about government regulation of
code and its legal authorities over distributed systems.

However, it's hard not to sympathize with OFAC's desire to push back against
a radical effort to undermine the very idea of government authority. What would
happen if the Tornado Cash approach to the law prevailed? That is, what would be
the outcome if judges and politicians decided that entities like Tornado Cash
could not be regulated, on free speech or any other grounds?

Likely, anyone who wanted to facilitate illegal activities would have a strong
incentive to turn their operation into a DAO -- and then throw away the key.
Ethereum's programming language is Turing-complete. That means, as Woods
argued back in 2014, that one could turn all kinds of organizational rules into
software, whether or not they were against the law.

In practice, it wouldn't be so easy. Turning business principles into running
code is hard, and doing it without creating bugs or loopholes is much harder
still. Ethereum and other blockchains still have hard limits on computing power.
But human ingenuity can accomplish many things when there's a lot of money at
stake.

People have legitimate reasons for seeking anonymity in their financial
transactions, but these reasons need to be weighed against other harms to
society. As privacy advocate Cory Doctorow wrote recently: "When you combine
anonymity with finance -- not the right to speak anonymously, but the right to
run an investment fund anonymously -- you're rolling out the red carpet for
serial scammers, who can run a scam, get caught, change names, and run it again,
incorporating the lessons they learned."

It's a mistake to defend DAOs on the grounds that code is free speech. Some
code is speech, but not all code is speech. And code can also directly affect
the world. DAOs, which are in essence autonomous golems, made from code rather
than clay, make this distinction especially stark.

This will become even more important as robots become more capable and
prevalent. Robots are even more obviously golems than DAOs are, performing
actions in the physical world. Should their code enjoy a safe harbor from the
law? What if robots, like DAOs, are designed to obey only their initial
instructions, however unlawful -- and refuse all further updates or commands?
Assuming that code is free speech and only free speech, and ignoring its
functional purpose, will at best tangle the law up in knots.

Tying free speech arguments to the cause of DAOs like Tornado Cash imperils some
of the important free speech victories that were won in the past. But the risks
for everyone might be even greater if that argument wins. A world where
democratic governments are unable to enforce their laws is not a world where
civic spaces or civil liberties will thrive.

This essay was written with Henry Farrell, and previously appeared on
Lawfare.com.

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2022.10.14] This is a current list of where and when I am scheduled to speak:

I'm speaking at the World Ethical Data Forum, online, October 26-28, 2022.
I'm speaking at the 24th International Information Security Conference in
Madrid, Spain, on November 17, 2022. The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2022 by Bruce Schneier.

** *** ***** ******* *********** *************

--- BBBS/Li6 v4.10 Toy-5
 * Origin: TCOB1 - binkd.thecivv.ie (618:500/14)