Author: Jon Evans

Nobody minding the store: security in the age of the lowest bidder

TECHCRUNCH So, to recap: Satellite communication systems worldwide are “protected” by easily cracked hard-coded passwords. The private internet connecting the world’s mobile phone operators remains replete with vulnerabilities. Russia has successfully hacked into American power-plant control systems. Oh, and voting machines in use in 18 states can be remotely hijacked. Just stole an election at @VotingVillageDC. The machine was an AccuVote TSX used in 18 states, some with the same software version. Attackers don’t need physical access–we showed how malicious code can spread from the election office when officials program the ballot design. pic.twitter.com/wa97HWqlv5 — J. Alex Halderman (@jhalderm)...


Voatz: a tale of a terrible, horrible, no-good, very bad idea

TECHCRUNCH Let’s get the fish in the barrel out of the way. Voatz are a tech startup whose bright idea was to disrupt democracy by having people vote on their phone, and store the votes on, you guessed it, a blockchain. Does this sound like a bad idea? Welp. It turned out that they seemed awfully casual about basic principles of software security, such as not hard-coding your AWS credentials. It turned out that their blockchain was an eight-node Hyperledger install, i.e. one phenomenologically not especially distinguishable from databases secured by passwords. They have been widely and justly chastised...


Hackers on new “secure” phone networks can bill your account for their roaming charges

TECHCRUNCH I have good news! The infamous SS7 networks used by mobile operators to interoperate, e.g. when you’re roaming — which were built on trust, essentially devoid of security, and permitted rampant fraud, SMS hijacking, eavesdropping, password theft, etc. — are being replaced. Slowly. But I have bad news, too! Which is: the new systems still have gaping holes. One such was described at the Def Con hacking convention today by Dr. Silke Holtmanns of Nokia Bell Labs. She gave a fascinating-to-geeks-like-me summary of how the IPX network which connected five Scandinavian phone systems in 1991, using the SS7...


Cryptocurrency insecurity: IOTA, BCash and too many more

TECHCRUNCH Cryptocurrencies: a weird agglomerate of fascinating technology built by brilliant engineers; a whole new and potentially important form of economics; … and hype-machine puffed-up crazy-talk nonsense. So, as you might expect, they also combine state-of-the-art resilient engineering and comical clown-car so-called security. Yes, that’s right — I want to talk about IOTA, and (to an extent) Bitcoin Cash. Modern security practices include: an understanding of and commitment to responsible disclosure; making yourself available and accessible to third-party security researchers; offering bug bounties; fuzzing your code; etcetera. They also include valuable truisms such as “don’t roll your own...


Everything is … less terrible

TECHCRUNCH To hack: to study a system’s flaws and emergent properties, and use them for your own ends; to instil your own instructions into a computer’s memory, and coerce its microprocessor to run them. To pick at the air gaps and missed stitches in the many overlapping layers of software from which our modern world is woven. Et voilà, an entire industry, employing countless thousands. Information Security a.k.a. infosec. It is said that there are four PR people for every journalist in America, which seems high, but I expect the ratio of infosec people to actual hackers is higher...


Hack the planet: vulnerabilities unearthed in satellite systems used around the globe

TECHCRUNCH So this is bad. Black Hat, the king of enterprise security conventions, kicked off today, and most noticeable amid the fusillade of security research was some impressive work from Ruben Santamarta of IOActive, whose team has unearthed worrying vulnerabilities in satellite communication systems, aka SATCOM, used by airplanes, ships, and military units worldwide. Now, it’s not catastrophically bad: in particular, while attackers could mess with or disable your in-flight Wi-Fi, conceivably try to hack into devices connected to them, and/or disable all in-flight satellite comms, they couldn’t actually affect any systems which control the airplane. The bigger worries...


Who do you trust?

TECHCRUNCH Another week, another high-profile hack. This week it was (checks notes) Reddit. What makes this one marginally more interesting is that the victims were using two-factor authentication, i.e. SMS codes texted to them to verify their identities when their accounts were accessed — which turned out to be little more than a speed bump for the attackers. This surprised exactly zero (good) security people. It has long been known that your phone service can be hacked either via SS7, the ancient and insecure system used to interconnect the planet’s phone networks, or by the more old-fashioned but even...


Branded Worlds: how technology recentralized entertainment

TECHCRUNCH I love Hollywood box-office numbers because they provide a hard statistical view of cultural currents. Did you know, for instance, that there had never been a weekend when 8 of the top 10 movies in America were sequels — until this month? Or that, while almost 400 movies were released in the first half of 2018, nearly 40% of their total accumulated revenue came from just four releases, all of which were superhero sequels? This is not what was supposed to happen. Ten years ago people thought that visual storytelling would be democratized; that new cameras, new editing...

