I was on Paul's Security Weekly in early January. Here's my interview segment. I was actually on the whole show, which went 3+ hours...
I’ve been in IT for decades, worked as an industrial engineer, programmer, sysadmin, network engineer, and now in #infosec. Being selective makes sense, but I like my electronic locks, Nest thermostats and doorbells, I can turn my air compressor on with my phone, and find OpenWRT to be more trouble than it's worth (Ubiquiti UniFi all the way).
Smart speakers seem a bit much, though.
“After leaving her job at the NSA in 2014, Lori Stroud worked as a contract intelligence operative for the UAE. Stroud, now living in an undisclosed location in America, said the mission crossed a line when she learned her unit was spying on Americans.” Photo by Reuters/Joel Schectman
An interesting note on the ex-NSA mercenaries working for the United Arab Emirates story: the third party software they used to easily root iPhones via iMessage sounds very similar to exploits described by Lookout researchers at #ShmooCon when they recently exposed an unnamed nation state's attempt to purchase spying tools (and named the names of the vendors selling those tools). Point is, these 0-day phone exploits are available to the highest bidder.
1. I cannot imagine the users, children and teens, have full informed consent.
2. I feel dirty reading this article. No app (maybe antivirus) should install a root cert. This is a terrible invasion of privacy and misuse of user trust.
3. No, just no.
Facebook pays teens to download Research app with root access outside App Store https://techcrunch.com/2019/01/29/facebook-project-atlas/
What a bug... FaceTime lets you call another iOS user and listen to their microphone briefly without them even answering https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
For people that are into #AppSec, here's a blog with some useful resources. I regularly update it. If you have good resources that are missing please contribute!
Everybody Does It: The Messy Truth About Infiltrating Computer Supply Chains
Not strictly #infosec related, but this is a very big deal. The main hurdle facing the plaintiffs' bar on these suits was this standing/injury issue. If your company has been playing fast and loose with #biometric data...you may want to get on top of that. https://capitolfax.com/2019/01/25/supreme-court-rules-against-six-flags-on-state-biometric-law/
I’m after some advice from the #infosec community. I’ll be publishing #security advice and best practices for regular people in an easy to understand way, mostly via a blog and Facebook. I would like to get feedback on what topics, and also why that topic. If you know of a great example already, please let me know. The aim is to help regular people be more aware of the pitfalls of computers and security, making the internet a safe place for all.
I’m open to all suggestions.
Got a Nest security camera? Enable two-step verification now.
What on *earth* could Jenny Radcliffe be describing in the new episode of "Smashing Security" out tonight (Weds 7pm EST, Midnight UK)?
Subscribe in your favourite podcast app to make sure you don't miss out.
Emergency Directive 19-01 - Mitigate DNS Infrastructure Tampering.
The real problem is not the DNS infrastructure but the stolen credentials. Sure, controls can be put in place to measure DNS setting deltas, but why are credentials tied to a regular user account in the first place?
Important → Someone hacked the official site of #PHP PEAR and replaced the package manager (go-pear.phar) with a "tainted version"