It should be clear now that it was and remains a catastrophic mistake for people to view privately owned social media platforms as any kind of public resource. People didn't know better a decade ago. They have no excuse now.
People following me for cybersecurity content: Chris Bing, one of the most distinguished reporters on this beat, recently joined the Fediverse. Chris has broken way too many stories to count and also has valuable insight into all things related to hacking. Please follow him.
I didn’t join Mastodon until after we launched 404 Media. I joined, frankly, because lots of people told me that we should. Mastodon had been decried by many (me, previously), as a social media platform that is too complicated or weird to sign up for. I had also convinced myself that people on Mastodon would be mad at me if I made jokes, which has (mostly) not been the case.
I’ve now been using it for about two months and I am here to tell you that it is, in principle, what we should want the internet to be. If you have been remotely interested in Mastodon but had reservations about joining because you thought it would be difficult, confusing, or otherwise annoying, it is not.
Here someone is challenging my use of pro-fascist to describe the dead bird site. "Pro-fascist? Really?"
Yes, really.
-- Elon personally intervened to get the pro-Nazi, pro-Hitler, anti-semitic Kanye West reinstated.
-- Twitter is a haven for groups like White Lives Matter California, an organization the Southern Poverty Law Center has designated a hate group.
-- Musk has threatened to sue researchers tracking hate speech on the platform
-- The dead bird paid Andrew Tate $20k and End Wokeness $10k.
-- It paid $16k to Ian Miles Cheong, a far-right user who has used Twitter to falsely identify an innocent Black man as the “number one suspect” in the shooting of two police officers
-- It has paid QAnon influencer Jacob Creech.
-- Elmo has called for the QAnon shaman who participated in the Jan. 6 riot to be freed.
-- He has defended the Jan 6 rioters, saying they were peaceful.
-- He reinstated Michael Flynn.
I could go on and on, but I would burn up way too much time because there are so many more examples.
My point is: Twitter most definitely welcomes, encourages and even pays for far-right extremist views that include anti-semitism, support for Hitler and nazis, and support for an illegal riot that saw multiple members of the Capitol Police brutally killed.
I stand by my description of Twitter as "pro-fascist."
Dear Twitter users. Your support of a social media platform that welcomes and pays for far-right content is NOT the fault of capitalism. No one is forcing you to post cat pics on the fascist-friendly dead bird site. This is YOUR decision and history won't judge it kindly.
Researchers have devised a novel attack that recovers the secret encryption keys stored in smart cards and smartphones by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on.
The attacks enable a new way to exploit two previously disclosed side channels, a class of attack that measures physical effects that leak from a device as it performs a cryptographic operation. The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader—or of an attached peripheral device—to pull a 256-bit ECDSA key off a government-approved smartcard. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset.
A wide range of Android phones are vulnerable to attacks that fully compromise the devices at their deepest level: the baseband. Fixes have yet to be delivered, except to a subset of vulnerable Pixels. In the meantime, Google and Samsung advise, users should do something that's not possible for most vulnerable devices: turn off VoLTE. Both Google and Samsung declined to provide further, actionable guidance to at-risk customers. Worse, even if/when it's possible to turn off VoLTE, this advice completely neuters most phones of any kind of voice calling capability.
This incident once again underscores the security mess of the Android ecosystem. It also demonstrates the lack of cooperation Google and Samsung regularly exhibit in keeping their customers safe.
RSA’s demise from quantum attacks is very much exaggerated, expert says
At the Enigma 2023 Conference in Santa Clara, California, on Tuesday, computer scientist and security and privacy expert Simson Garfinkel assured researchers that the demise of RSA was greatly exaggerated. For the time being, he said, quantum computing has few, if any, practical applications.
Encrypted messenger billed as better than Signal is riddled with vulnerabilities
This is a cautionary tale for anyone who works with crypto (as in cryptography). When you spin out your own protocols, you have a high chance of getting a critical part of it wrong. In the case of Threema, an app that's mandated for use by the Swiss Army and used by many other high-profile organizations in Europe, it got several critical parts wrong.
Remember: don't roll your own crypto.
Threema's case is aggravated by the unusually bold security claims it made. Pride comes before the fall, I suppose.