Privacy lost...

nsaspook

Joined Aug 27, 2009
16,330
This is what you get for not playing ball.
+1


https://www.justice.gov/usao-sdny/p...charged-bribery-and-campaign-finance-offenses

In September 2021, the Turkish Official told ADAMS that it was his turn to repay the Turkish Official, by pressuring the New York City Fire Department (“FDNY”) to facilitate the opening of a new Turkish consular building—a 36-story skyscraper—without a fire inspection, in time for a high-profile visit by Turkey’s president. At the time, the building would have failed an FDNY inspection. In exchange for free travel and other travel-related bribes in 2021 and 2022 arranged by the Turkish Official, ADAMS did as instructed. Because of ADAMS’s pressure on the FDNY, the FDNY official responsible for the FDNY’s assessment of the skyscraper’s fire safety was told that he would lose his job if he failed to acquiesce, and, after ADAMS intervened, the skyscraper opened as requested by the Turkish Official.
 

nsaspook

Joined Aug 27, 2009
16,330
Why we should not have backdoors to security systems for government.
https://www.msn.com/en-us/news/tech...ems-targeted-in-china-linked-hack/ar-AA1rIZKx
U.S. Wiretap Systems Targeted in China-Linked Hack
A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.

For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk. The attackers also had access to other tranches of more generic internet traffic, they said.


Verizon Communications, AT&T and Lumen Technologies are among the companies whose networks were breached by the recently discovered intrusion, the people said.

The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon. It appeared to be geared toward intelligence collection, the people said.
The surveillance systems believed to be at issue are used to cooperate with requests for domestic information related to criminal and national security investigations. Under federal law, telecommunications and broadband companies must allow authorities to intercept electronic information pursuant to a court order. It couldn’t be determined if systems that support foreign intelligence surveillance were also vulnerable in the breach.
https://9to5mac.com/2015/11/17/opinion-apple-encryption/
Opinion: Apple is right to stand firm on encryption however much terrorist attacks ramp up the pressure
Second, Apple is absolutely right to say that the moment you build in a backdoor for use by governments, it will only be a matter of time before hackers figure it out.

You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they’re not – and if they’re not then it’s a question of when, rather than if, others are able to exploit the vulnerability.

Couple a deliberately weakened form of encryption to laws requiring Internet service providers and telecoms companies to stockpile large volumes of user data and you’d create the biggest goldmine the world has ever seen for criminals to commit identity theft and other forms of fraud. Not just private enterprise criminals, either, but rogue nations too.
 

WBahn

Joined Mar 31, 2012
32,871
I wish they hadn't built their argument on the notion that encryption systems are either secure or they're not. By that reasoning, since no encryption system is secure, then every encryption system is insecure, so there's no fundamental reason to not require government back doors.

Security always involves compromises. The opinion should be based on what constitutes reasonable and acceptable compromises. The argument they made in the last quoted sentence is perfectly applicable to justifying the position that intentional backdoors are not acceptable compromises.
 

joeyd999

Joined Jun 6, 2011
6,305
> I wish they hadn't built their argument on the notion that encryption systems are either secure or they're not. By that reasoning, since no encryption system is secure, then every encryption system is insecure, so there's no fundamental reason to not require government back doors.
>
> Security always involves compromises. The opinion should be based on what constitutes reasonable and acceptable compromises. The argument they made in the last quoted sentence is perfectly applicable to justifying the position that intentional backdoors are not acceptable compromises.

Better: one should strive to minimize the attack surface -- the opposite of allowing back doors.
 

nsaspook

Joined Aug 27, 2009
16,330
> I wish they hadn't built their argument on the notion that encryption systems are either secure or they're not. By that reasoning, since no encryption system is secure, then every encryption system is insecure, so there's no fundamental reason to not require government back doors.
>
> Security always involves compromises. The opinion should be based on what constitutes reasonable and acceptable compromises. The argument they made in the last quoted sentence is perfectly applicable to justifying the position that intentional backdoors are not acceptable compromises.

There are encryption systems that are secure (given some conditions) but not convenient to the casual user. It's what's used for EAM and nuclear authentication methods.

https://en.wikipedia.org/wiki/One-time_pad
Perfect secrecy
One-time pads are "information-theoretically secure" in that the encrypted message (i.e., the ciphertext) provides no information about the original message to a cryptanalyst (except the maximum possible length[note 1] of the message). This is a very strong notion of security first developed during WWII by Claude Shannon and proved, mathematically, to be true for the one-time pad by Shannon at about the same time. His result was published in the Bell System Technical Journal in 1949.[19] If properly used, one-time pads are secure in this sense even against adversaries with infinite computational power.

Shannon proved, using information theoretic considerations, that the one-time pad has a property he termed perfect secrecy; that is, the ciphertext C gives absolutely no additional information about the plaintext.[note 2] This is because (intuitively), given a truly uniformly random key that is used only once, a ciphertext can be translated into any plaintext of the same length, and all are equally likely. Thus, the a priori probability of a plaintext message M is the same as the a posteriori probability of a plaintext message M given the corresponding ciphertext.
 

WBahn

Joined Mar 31, 2012
32,871
> Better: one should strive to minimize the attack surface -- the opposite of allowing back doors.

Same issue -- you can always reduce the attack surface further, but at the expense of other security goals, particularly availability. So just because not allowing a back door reduces the attack surface is not, by itself, a sufficient justification for not allowing (or requiring) them. It has to be based on a reasoned, valid, and coherent argument that allowing/requiring them increases the attack surface so much that the net effect on the overall security framework is to weaken it in an unacceptable way -- i.e., that the benefits (and there ARE legitimate benefits) do not come close to outweighing the costs. That's a pretty easy argument to make -- that one sentence that was quoted is a very good start at doing so.
 

WBahn

Joined Mar 31, 2012
32,871
> There are encryption systems that are secure (given some conditions) but not convenient to the casual user. It's what's used for EAM and nuclear authentication methods.
>
> https://en.wikipedia.org/wiki/One-time_pad

And yet, even one time pads have proven to be insecure.

Yes, on paper, they are perfectly secure (the only even theoretically perfectly secure system), but in practice they are not -- and cannot be -- perfectly secure. Both parties have to have the same key pad. If the key distribution system is compromised, then security is lost.

Even when this doesn't happen, improper use, for any of a number of reasons, compromises the system. Look up Project Venona.

Cryptographic systems are just that -- systems. Their security is dictated by the total effect of any and all weaknesses, taking into account the likelihood of each weakness being exploited. Designers that assume that the systems they design will always be used properly have their head in the sand (or other places that are equally dark).

The German Enigma system is a prime example. Had it been used properly (and I'm only talking about it being used per the instructions at the time, not some ideal set of instructions), it is highly likely that the Allies would not have penetrated the system enough to make any meaningful breaks. The weaknesses in the underlying machine were too few and minor; it was the common misuse by operators in the field that yielded the vast majority of breaks into it on an ongoing basis.
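
Added example (not part of any post in this thread): a short Python sketch of the two one-time-pad properties discussed above, namely that a ciphertext is consistent with every plaintext of the same length when the pad is used once, and that reusing a pad, one form of improper use, cancels the key out entirely. The messages and function names are constructed for illustration.

```python
import secrets

# Constructed sample messages, all the same length (14 bytes).
P1 = b"ATTACK AT DAWN"
P2 = b"RETREAT AT TEN"
DECOY = b"NOTHING TO SEE"


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; a one-time pad requires pad length == message length."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor(plaintext, pad)


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` would decrypt to `candidate`.
    One exists for every candidate of the right length, which is why
    the ciphertext alone says nothing about the message."""
    return xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts made with the SAME pad: the pad cancels,
    leaving P1 XOR P2 with no key material in it at all."""
    return xor(c1, c2)


def demo() -> dict:
    pad = secrets.token_bytes(len(P1))  # uniformly random pad
    c1 = encrypt(P1, pad)

    # Proper use: the same ciphertext "decrypts" to the decoy under another pad.
    alt_pad = pad_explaining(c1, DECOY)

    # Improper use: the pad is used a second time.
    c2 = encrypt(P2, pad)
    leak = reuse_leak(c1, c2)

    return {
        "decoy_decrypts": xor(c1, alt_pad) == DECOY,
        "pad_cancelled": leak == xor(P1, P2),
        # Anyone who knows or guesses P1 now reads P2 without the pad.
        "p2_from_known_p1": xor(leak, P1),
    }


if __name__ == "__main__":
    print(demo())
```

The mathematics in the first half is untouched by the second half; the failure comes from how the pad is handled.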
 

nsaspook

Joined Aug 27, 2009
16,330
https://www.msn.com/en-us/money/com...ity-of-china-s-salt-typhoon-hacks/ar-AA1s5nYC
U.S. Officials Race to Understand Severity of China’s Salt Typhoon Hacks

Sen. Ron Wyden, a Democrat on the Senate Intelligence Committee and a leading voice in Congress on cybersecurity issues, said in his own dispatch Friday to the Justice Department and the Federal Communications Commission that the companies were responsible for their own cybersecurity failures but that “the government shares much of the blame.”

The agencies for decades ignored warnings about vulnerabilities in systems required to comply with law enforcement surveillance requests, Wyden wrote. His office separately asked the FCC for security and integrity plans submitted by AT&T, Verizon, and Lumen under the Communications Assistance for Law Enforcement Act, the federal law that requires telecommunications firms to allow U.S. agencies access to data pursuant to a court order.
 

nsaspook

Joined Aug 27, 2009
16,330
https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
Executive Summary

For more than five years, Sophos has been investigating multiple China-based groups targeting Sophos firewalls, with botnets, novel exploits, and bespoke malware.

With assistance from other cybersecurity vendors, governments, and law enforcement agencies we have been able to, with varying levels of confidence, attribute specific clusters of observed activity to Volt Typhoon, APT31 and APT41/Winnti.

Sophos X-Ops has identified, with high confidence, exploit research and development activity being conducted in the Sichuan region. Consistent with China’s vulnerability disclosure legislation, X-Ops assesses with high confidence that the developed exploits were then shared with multiple distinct state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation tooling.
 

nsaspook

Joined Aug 27, 2009
16,330
https://arstechnica.com/information...-used-in-password-spraying-attacks/#gsc.tab=0
Thousands of hacked TP-Link routers used in years-long account takeover attacks
The botnet is being skillfully used to launch "highly evasive" password-spraying attacks.

On Thursday, Microsoft reported that CovertNetwork-1658—the name Microsoft uses to track the botnet—is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are “highly evasive” because the botnet—now estimated at about 8,000 strong on average—takes pains to conceal the malicious activity.
 

nsaspook

Joined Aug 27, 2009
16,330
"a cable specifically designed for penetration testing by a security researcher. So, yes, it's a feature"

https://shop.hak5.org/products/omg-cable
The O.MG Cable is a hand made USB cable with an advanced implant hidden inside. It is designed to allow your Red Team to emulate attack scenarios of sophisticated adversaries. Until now, a cable like this would cost $20,000 (ex: NSA's COTTONMOUTH-I). These cables will allow you to test new detection opportunities for your defense teams. They are also extremely impactful tools for teaching and training.

The uncompromising attention to the physical size of the cable isn't where we stopped. Thanks to continual firmware updates, the resulting power, flexibility, and ease of use have made the O.MG Cable a favorite for both new students and seasoned pros.
 