https://arxiv.org/pdf/2002.01078.pdf

Interesting but not very practical for mass data theft as the transfer rate is very slow.

 

https://arxiv.org/pdf/2002.01078.pdf

Interesting but not very practical for mass data theft as the transfer rate is very slow.

Agreed, though there a huge fraction of very valuable and sensitive information comes in small amounts of data (such as passwords and access codes), so it's a very potential issue.

It makes me wonder what the lowest data rate is at which useful sensitive information has been exfiltrated. I could well imagine it might be something measured in bits per hour or even less.

This falls under the TEMPEST umbrella, which includes some really interesting and bizarre techniques. One of the more interesting ones I've read about was about a decade ago and a team of researchers used the accelerometers on smartphones to sense someone else's keystrokes on a nearby computer with something like a 75% success rate of recovering the words typed.

These and other attacks underscore the need to prohibit all non-secure electronic devices from both the electronic and the physical vicinity of secure systems -- and this includes infrastructure systems as well. If your secure computer facility has an intercom system as part of the fire protection system, then that intercom system has to be secured. Potentially even the various sensors used in the system and the systems that access their data need to be secured.

 

Agreed, though there a huge fraction of very valuable and sensitive information comes in small amounts of data (such as passwords and access codes), so it's a very potential issue.

It makes me wonder what the lowest data rate is at which useful sensitive information has been exfiltrated. I could well imagine it might be something measured in bits per hour or even less.

This falls under the TEMPEST umbrella, which includes some really interesting and bizarre techniques. One of the more interesting ones I've read about was about a decade ago and a team of researchers used the accelerometers on smartphones to sense someone else's keystrokes on a nearby computer with something like a 75% success rate of recovering the words typed.

These and other attacks underscore the need to prohibit all non-secure electronic devices from both the electronic and the physical vicinity of secure systems -- and this includes infrastructure systems as well. If your secure computer facility has an intercom system as part of the fire protection system, then that intercom system has to be secured. Potentially even the various sensors used in the system and the systems that access their data need to be secured.

Image: Ben-Gurion University of the Negev, Israel

Plenty fast for cryptographic keys in the order of a few kbits. We had routine TEMPEST van checks at the control stations but most serious compromises were the direct result of humans. Trust (who watches the watchers) is the one variable that can't be controlled by technology when humans manage the system.

https://fas.org/irp/eprint/heath.pdf

Many people have asked the question, “Why did John Walker spy for the Soviets?” The answer is both amply documented and utterly simple: he was greedy. He wanted money, and he did not care whom he had to hurt to get it. Greed and selfishness are an unfortunate fact of human nature; there always have been, and always will be, pathologically greedy and selfish people in any organization...

 

Four members of the People's Liberation Army of china charged by the US with espionage for hacking into Equifax in Atlanta.
https://www.msn.com/en-us/news/us/c...ericans-data-us-says/ar-BBZQBQu?ocid=msedgntp

 

https://www.reuters.com/article/us-...irm-helped-cia-break-codes-idUSKBN2051X2?il=0

ZURICH (Reuters) - Switzerland said on Tuesday it was probing reports that the U.S. Central Intelligence Agency and the German BND spy service used a Swiss firm’s encryption technology to crack other nations’ top-secret messages.


https://www.washingtonpost.com/grap...ity/cia-crypto-encryption-machines-espionage/

The program had limits. America’s main adversaries, including the Soviet Union and China, were never Crypto customers. Their well-founded suspicions of the company’s ties to the West shielded them from exposure, although the CIA history suggests that U.S. spies learned a great deal by monitoring other countries’ interactions with Moscow and Beijing.

https://www.cryptomuseum.com/manuf/crypto/friedman.htm

We don't use them for internal equipment for obvious reasons. NSA designs and builds (via a few US contractors) USA crypto machines.

 

https://www.techdirt.com/articles/2...ndefinitely-refusing-to-decrypt-devices.shtml

The Third Circuit Court of Appeals has finally decided -- after more than four years -- that the government can't keep someone locked up indefinitely for contempt of court charges.

Former Philadelphia policeman Francis Rawls has been locked up since 2015 for refusing to decrypt external hard drives the government claims contain child porn images. The government's claims are based on Rawls' sister's statements. She said Rawls showed her "hundreds" of child porn images that were located on these drives.

Not a very nice guy it seems but there needs to be some limits on government power to persuade compliance.

 

https://www.techdirt.com/articles/2...ndefinitely-refusing-to-decrypt-devices.shtml


Not a very nice guy it seems but there needs to be some limits on government power to persuade compliance.

After four years, I doubt I would even remember the decryption keys so that I couldn't decrypt them even if I wanted to. So how could the government distinguish between someone not being able to recall the key and someone claiming to not being able to remember the key? Do you keep someone locked up for the rest of their life for not being able to recall a piece of information despite having zero evidence that they've done anything wrong?

Regarding this case specifically, I'm troubled by the claim in the article that the government already has enough evidence, without the information on the drives, to secure a conviction and multi-decade sentence apparently based solely on his sister's assertion that he has child porn. It seems like this is following a very dangerous route: Person A claims Person B did something illegal, but can produce no proof or physical evidence. Person B is presumed innocent until proven guilty beyond a reasonable doubt. But apparently Person A making the claim, without any proof or physical evidence, constitutes proof beyond a reasonable doubt.

Seems to me that history is replete with societies in which people could be jailed (or worse) based solely on being denounced by someone without any evidence. I don't recall many of those societies ending well.

 

https://arstechnica.com/tech-policy...for-removing-police-gps-tracker-from-his-car/
Cops put GPS tracker on man’s car, charge him with theft for removing it

https://arstechnica.com/tech-policy...-device-from-your-car-isnt-theft-court-rules/

An Indiana man may beat a drug prosecution after the state's highest court threw out a search warrant against him late last week. The search warrant was based on the idea that the man had "stolen" a GPS tracking device belonging to the government. But Indiana's Supreme Court concluded that he'd done no such thing—and the cops should have known it.

 

Last I heard on that one is that it NOW requires a search warrant to attach one. I bet they will be arguing about "removing" one for a while. They will have to prove "HE" removed it and not that it just "fell off". Then what did he do with it??? Simply removing it is one issue, destroying it is another whole ball of wax. With some cars they don't even have to attach one and simply need a warrant to tap into it's antitheft location device. Ain't Hitech wonderful!

 

Last I heard on that one is that it NOW requires a search warrant to attach one. I bet they will be arguing about "removing" one for a while. They will have to prove "HE" removed it and not that it just "fell off". Then what did he do with it??? Simply removing it is one issue, destroying it is another whole ball of wax. With some cars they don't even have to attach one and simply need a warrant to tap into it's antitheft location device. Ain't Hitech wonderful!

As far as I'm concerned (and the courts may well not agree with me), if I find something attached to my car then I don't see that I am under any obligation in any way with regards to it -- at least not any more than if I happen to find it in my front yard where it fell off a passing truck. I can remove it, destroy it, throw it away, sell it, or repurpose it (perhaps to a doggie chew toy) and that is their problem. If they wanted it they should have taken care of it and not lost it on my property.

 

https://arstechnica.com/tech-policy...-device-from-your-car-isnt-theft-court-rules/

Even if Heuring did take the device off the vehicle, he couldn't have known for sure that it belonged to the government. It wasn't exactly labeled as the property of the Warrick County Sheriff's Office.

A lawyer for the government acknowledged that it wouldn't be theft to remove a tracking device put there by a private party. But he argued that things are different when the government has a warrant to use a tracking device. The device had a legal basis for being on the car, the lawyer argued. By removing it and preventing tracking, Heuring was depriving the government of the use of its property.

So now we are required to be psychic and be able to divine who the tracking device we find belongs to and that they have an unserved warrant for its use without our knowledge.

 

So now we are required to be psychic and be able to divine who the tracking device we find belongs to and that they have an unserved warrant for its use without our knowledge.

I can just envision their next line or reasoning -- charging someone that stops using the car that they put the tracking device on and who switches to another car on the basis that doing so deprived the government of the information it was seeking regarding the person's whereabouts which, after all, was the whole point of getting the original warrant and putting in on the first car.

Sadly, I really can envision the government coming up with an argument like this and some court upholding it.

 

I like what I call the "Ronald Reagan Defense" ie "I don't recall". Not "I'm not going to tell you", "I have no idea what you are referring to" or "I plead the 5th" just simply "I don't recall". And at over 65 years old it is a pretty solid defense for just about anything to argue against in court.

 

https://asset-group.github.io/disclosures/sweyntooth/

SweynTooth captures a family of 12 vulnerabilities (more under non-disclosure) across different BLE software development kits (SDKs) of seven major system-on-a-chip (SoC) vendors. The vulnerabilities expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes and buffer overflows or completely bypass security depending on the circumstances.

 

It's a war out there. Measures and Countermeasures.

Ron

 

It's a war out there. Measures and Countermeasures.

Ron

Some of the firmware faults are Cheese Eating Surrender Monkeys.

An attacker in Radio range can abuse this vulnerability to completely bypass security in a BLE products which rely in secure connections pairing to protect user privacy. Furthermore, device’s functionalities which were only allowed to be accessed by an authorized user, can be trivially bypassed. In short, this vulnerability allows an attacker full communication control over a protected BLE application.

As a side note, this vulnerability only affects Telink devices that allows secure connection pairing. In reality, affected products that disable secure connections pairing (the currently secure BLE pairing mode) and enable only the insecure legacy pairing mode, are in fact more secure due to this vulnerability.

 

Some of the firmware faults are Cheese Eating Surrender Monkeys.

Uh Oh, would you believe I was just thinking about making myself a grilled cheese sandwich and you come up with "Cheese Eating Surrender Monkeys".

Ron

 

Uh Oh, would you believe I was just thinking about making myself a grilled cheese sandwich and you come up with "Cheese Eating Surrender Monkeys".

Ron

I WAS making a grilled ham & cheese.

 

Well don't let the monkies steal it.

 

https://www.nbcnews.com/news/us-new...-ride-past-burglarized-home-made-him-n1151761

For most of his life, McCoy said, he had tried to live online anonymously, a habit that dated to the early days of the internet when there was less expectation that people would use their real names. He used pseudonyms on his social media accounts and the email account that Google used to notify him about the police investigation.

But until then, he hadn’t thought much about Google collecting information about him.