Author: Jon Evans

Hating the wrong tech people for the right reasons

The slings and arrows aimed at tech’s titans these days are almost too numerous to count. Jeff Bezos: squandering money on space while exploiting warehouse employees. Mark Zuckerberg: complicit in everything from genocide to the death of democracy. Larry Page and Sergey Brin: in bed with China and the military. Elon Musk: where even to begin? Tim Cook has mostly escaped the brickbats, but if Steve Jobs were still with us, it seems plausible he’d be the biggest target of all. And the list goes on from there, of course. Let’s not kid ourselves: a lot of this criticism...

What the hell is the deal with Tether?

It was a simple concept: a cryptocurrency whose units were always and constantly worth exactly one dollar, because they were backed by dollars held in a bank. Voila: dollars with the powers of crypto, such as the ability to quickly and permissionlessly transfer an arbitrary amount … and, er, a certain lack of pesky regulations. Now there are $2.7 billion worth of Tether in circulation, and they are anything but simple. (Euro Tether also exist but they’re a rounding error.) Who created Tether? The same people behind the exchange BitFinex, with whom Tether shares a CEO, a CFO, and (until recently) a Chief Strategy Officer. That much we can be fairly confident about. But everything else about this money is shrouded in a deep fog of mystery tinged with misconduct. Who buys Tether? It’s hard to say; you can trade USD for them at a couple of crypto exchanges, notably Kraken in addition to the BitFinex exchange, but I haven’t been able to find any recent public examples of anyone, institution or person, actually buying newly issued Tethers from Bitfinex. So who provides the US dollars which are said to back all newly issued Tether? It’s very hard to say. Who audits them, to ensure those dollars are there? Well — actually — nobody, despite their web site’s assurances that their reserve holdings are “subject to frequent professional audits”...

Nobody minding the store: security in the age of the lowest bidder

So, to recap: Satellite communication systems worldwide are “protected” by easily cracked hard-coded passwords. The private internet connecting the world’s mobile phone operators remains replete with vulnerabilities. Russia has successfully hacked into American power-plant control systems. Oh, and voting machines in use in 18 states can be remotely hijacked.

Just stole an election at @VotingVillageDC. The machine was an AccuVote TSX used in 18 states, some with the same software version. Attackers don’t need physical access – we showed how malicious code can spread from the election office when officials program the ballot design. pic.twitter.com/wa97HWqlv5 — J. Alex Halderman (@jhalderm) August...

Voatz: a tale of a terrible, horrible, no-good, very bad idea

Let’s get the fish in the barrel out of the way. Voatz are a tech startup whose bright idea was to disrupt democracy by having people vote on their phone, and store the votes on, you guessed it, a blockchain. Does this sound like a bad idea? Welp. It turned out that they seemed awfully casual about basic principles of software security, such as not hard-coding your AWS credentials. It turned out that their blockchain was an eight-node Hyperledger install, i.e. one phenomenologically not especially distinguishable from databases secured by passwords. They have been widely and justly chastised for...

Hackers on new “secure” phone networks can bill your account for their roaming charges

I have good news! The infamous SS7 networks used by mobile operators to interoperate, e.g. when you’re roaming — which were built on trust, essentially devoid of security, and permitted rampant fraud, SMS hijacking, eavesdropping, password theft, etc. — are being replaced. Slowly. But I have bad news, too! Which is: the new systems still have gaping holes. One such was described at the Def Con hacking convention today by Dr. Silke Holtmanns of Nokia Bell Labs. She gave a fascinating-to-geeks-like-me summary of how the IPX network which connected five Scandinavian phone systems in 1991, using the SS7 protocol...

Cryptocurrency insecurity: IOTA, BCash and too many more

Cryptocurrencies: a weird agglomerate of fascinating technology built by brilliant engineers; a whole new and potentially important form of economics; … and hype-machine puffed-up crazy-talk nonsense. So, as you might expect, they also combine state-of-the-art resilient engineering and comical clown-car so-called security. Yes, that’s right — I want to talk about IOTA, and (to an extent) Bitcoin Cash. Modern security practices include: an understanding of and commitment to responsible disclosure; making yourself available and accessible to third-party security researchers; offering bug bounties; fuzzing your code; etcetera. They also include valuable truisms such as “don’t roll your own crypto.”...

Everything is … less terrible

To hack: to study a system’s flaws and emergent properties, and use them for your own ends; to instil your own instructions into a computer’s memory, and coerce its microprocessor to run them. To pick at the air gaps and missed stitches in the many overlapping layers of software from which our modern world is woven. Et voilà, an entire industry, employing countless thousands. Information Security a.k.a. infosec. It is said that there are four PR people for every journalist in America, which seems high, but I expect the ratio of infosec people to actual hackers is higher yet,...

Hack the planet: vulnerabilities unearthed in satellite systems used around the globe

So this is bad. Black Hat, the king of enterprise security conventions, kicked off today, and most noticeable amid the fusillade of security research was some impressive work from Ruben Santamarta of IOActive, whose team has unearthed worrying vulnerabilities in satellite communication systems, aka SATCOM, used by airplanes, ships, and military units worldwide. Now, it’s not catastrophically bad: in particular, while attackers could mess with or disable your in-flight Wi-Fi, conceivably try to hack into devices connected to them, and/or disable all in-flight satellite comms, they couldn’t actually affect any systems which control the airplane. The bigger worries are...
