Privacy lost...

nsaspook

Joined Aug 27, 2009
16,328
https://english.elpais.com/technolo...pert-exposed-a-global-network-of-thieves.html
Never steal a hacker’s girlfriend’s phone: How an expert exposed a global network of thieves
Gangs that rob gadgets are looking for new ways to extract more value from them. An expert analyzed the work of one organization as it was dismantled by the police


“There you’ve already been trained to believe that if you receive a text message saying they’ve found your phone, everything is fine. But what you don’t know is that behind your back they’ve just set the perfect trap for you,” says Vigo. Why? Because the next day you receive another text message, and you click on it, more confidently. However, that link no longer redirects you to the real Apple website, but to a flawless copy created by the criminals: that’s where they ask for your PIN, and without thinking, full of hope, you enter it.
 

nsaspook

Joined Aug 27, 2009
16,328
https://techcrunch.com/2025/09/25/v...hone-numbers-call-recordings-and-transcripts/

A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, has rapidly risen to the ranks of the top-five free iPhone apps since its launch last week.
The app already has thousands of users and was downloaded 75,000 times yesterday alone, according to app intelligence provider Appfigures. Neon pitches itself as a way for users to make money by providing call recordings that help train, improve, and test AI models.
But Neon has gone offline, at least for now, after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user, TechCrunch can now report.
At fault was the fact that the Neon app’s servers were not preventing any logged-in user from accessing someone else’s data.
...
However, this would not be the first time that an app with serious security issues has made it onto these app marketplaces. Recently, a popular mobile dating companion app, Tea, experienced a data breach, which exposed its users’ personal information and government-issued identity documents. Popular apps like Bumble and Hinge were caught in 2024 exposing their users’ locations. Both stores also have to regularly purge malicious apps that slip past their app review processes.
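The cause described in the Neon report (a logged-in user being able to read any other user's data) is a missing object-level authorisation check. The following added example, not code from Neon or the article, shows a lookup with that defect beside its corrected form; the store, user ids and recordings are constructed:

```python
# Added illustration: a recordings lookup that authenticates the caller but never
# checks ownership, next to the fixed version. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Recording:
    recording_id: int
    owner_id: int
    phone_number: str
    transcript: str


# Constructed sample store: two users, one recording each.
RECORDINGS = {
    101: Recording(101, owner_id=1, phone_number="+1-555-0100", transcript="first user's call"),
    202: Recording(202, owner_id=2, phone_number="+1-555-0200", transcript="second user's call"),
}


class RecordingNotFound(Exception):
    """Raised for both 'no such id' and 'not yours', so ids cannot be enumerated."""


def get_recording_vulnerable(session_user_id: int, recording_id: int) -> Recording:
    # Authentication happened (we know who the session belongs to), but there is no
    # authorisation: any logged-in user can fetch any recording by supplying its id.
    return RECORDINGS[recording_id]


def get_recording_fixed(session_user_id: int, recording_id: int) -> Recording:
    # Object-level authorisation: the lookup is scoped to the caller's own data.
    rec = RECORDINGS.get(recording_id)
    if rec is None or rec.owner_id != session_user_id:
        raise RecordingNotFound(f"recording {recording_id} not found")
    return rec


def audit_line(session_user_id: int, rec: Recording) -> str:
    # Detection aid: logging owner versus caller makes cross-account reads visible
    # even in a service that still has the bug.
    cross = rec.owner_id != session_user_id
    return f"user={session_user_id} recording={rec.recording_id} owner={rec.owner_id} cross_account={cross}"
```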
 

WBahn

Joined Mar 31, 2012
32,854
Cool use of symmetric OTP.
The algorithm has to be guessed. My first thought was that it was digit-by-digit, keeping the units digit for each place. But I'm guessing that that is unlikely and that it is actually a simple addition problem of two large numbers.

But it also sends my mind down attack paths.

Neither the key nor the plaintext are truly random. At first blush, the key would appear to be an 8-digit number, meaning ten billion possible keys. But it's more likely limited to about twenty-five thousand. For instance, it's pretty safe to assume that the first two digits of the year are either '19' or '20'. We also know that the first digit of the day is from the set {0,1,2,3} and the first digit of the month is from the set {0,1}. If the first two digits of the year are '20', then the third digit is almost certainly from {0,1} (and most likely 0, but technically could be 2). If the first two digits are '19', then the third digit is unlikely to be less than 5.

For ease of computation, we can assume that there are 100 possible values of the year -- and we can prioritize them to explore the most likely ones first. That gives us about 36 thousand possible values of the key. That can probably be whittled down, or at least prioritized, based on restrictions on the first several digits of the phone number to around 25k, so we've already eliminated 99.99998% of the key space.

I have no idea what country this would be in, in which the phone number is a nine-digit number. But we know that it must start with a '0' (I can't imagine why the lead zero in the ciphertext would have been included otherwise). The second digit is going to be from the set {3,4,5}. We actually know a lot about many of the digits:

{0}{3,4,5}{x}{5,6,7}{x}{'43','44','45'}{xx}

If we at least start with the assumption that the phone number is from a local number (the leading zero might make that not the case), then we can probably create a small list of prefixes, each of which has about 300 possible values for the last four digits.

Now we can either use an autodialer program with an AI to "talk" to whomever answers, or enlist the local kids to play a game and split up the list and call, in exchange for having fun (whitewashing the fence kind of fun) and some candy and drinks.

But, thus far, we have assumed that the attacker only has the note and, probably, knowledge of the general area where the wallet was found (and hence some knowledge of the structure of local phone numbers).

But some potential attackers probably have more information. While possible, it's unlikely that the person that found the wallet has kept that information entirely secret. So anyone that knows that they have found a wallet can start with a guessed plaintext attack. If the wallet were found (based on where the note was posted) in, say, a college campus, then an attacker could guess that the phone number might be a campus phone number and use that to prioritize the search.

Or, before doing any of that, we can evaluate whether it is worth the effort -- which is the exact same thing that real cryptanalysts have to consider. Does the likely payout from being successful, or the likely penalty for failing, justify the effort given the likelihood of success? At which point we might, hopefully, realize that breaking the code successfully, while almost certainly emotionally gratifying, is unlikely to actually result in any payout since the first thing the person is going to ask is "What is the name on the ID that I got the birthday from?"

At which point we realize that this has all been a flight of fancy that has provided nothing more than an entertaining break to the day.
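The post above weighs two possible combining rules (digit-by-digit with the units digit kept, or plain addition of two large numbers) and estimates the real size of a birthday-shaped key space. The following added example, not code from the post, implements both rules and enumerates every valid YYYYMMDD key over the assumed 100-year window; the 9-digit "phone number" and the birthday are constructed values, and the 1920 to 2019 window is an assumption standing in for the post's "100 possible values of the year":

```python
# Added example: the two combining rules from the post, plus a count of how many
# keys a date-shaped "one-time pad" key actually offers. Inputs are constructed.
from datetime import date, timedelta
import math


def digitwise_add(plain: str, key: str) -> str:
    """Numeric one-time pad: add digit by digit mod 10, keeping only the units digit."""
    key = key.zfill(len(plain))  # assumption: a shorter key is left-padded with zeros
    return "".join(str((int(p) + int(k)) % 10) for p, k in zip(plain, key))


def digitwise_sub(cipher: str, key: str) -> str:
    key = key.zfill(len(cipher))
    return "".join(str((int(c) - int(k)) % 10) for c, k in zip(cipher, key))


def integer_add(plain: str, key: str) -> str:
    """Plain big-number addition with carries, padded one digit wider for a carry-out."""
    return str(int(plain) + int(key)).zfill(len(plain) + 1)


def integer_sub(cipher: str, key: str, width: int) -> str:
    return str(int(cipher) - int(key)).zfill(width)


def date_keys(first_year: int, last_year: int):
    """Every valid YYYYMMDD string in the window: the key space a birthday really has."""
    d, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while d <= end:
        yield d.strftime("%Y%m%d")
        d += timedelta(days=1)


def key_space_report(first_year: int, last_year: int) -> dict:
    n_dates = sum(1 for _ in date_keys(first_year, last_year))
    n_random = 10 ** 8  # what an 8-digit key would offer if every digit were random
    return {
        "date_keys": n_dates,
        "date_bits": round(math.log2(n_dates), 1),
        "random_bits": round(math.log2(n_random), 1),
        "fraction_of_random": n_dates / n_random,
    }
```

With the 1920 to 2019 window the report gives 36,525 valid keys, about 15 bits against the 26.6 bits an unstructured 8-digit key would have.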
 

nsaspook

Joined Aug 27, 2009
16,328
https://appleinsider.com/articles/25/09/29/fcc-mistakenly-leaks-confidential-iphone-16e-schematics

For complex communications hardware to go on sale, it has to undergo testing and certification through regulators around the world. While typically a formality and involving many confidential elements, sometimes there can be leaks by mistake.

On Monday, a file was discovered that had been published by the FCC, and republished by FCCID.IO. The file in question was a 163-page PDF showing the electrical schematics for the iPhone 16e, described as the A3212, A3408, A3409, and A3410.
The problem with the document's release is that it seems that it was a mistake by the FCC itself.
 

nsaspook

Joined Aug 27, 2009
16,328
https://www.404media.co/landlords-demand-tenants-workplace-logins-to-scrape-their-paystubs/
"This is a statewide consumer-finance abuse that forces renters to surrender payroll and bank logins or face homelessness," one renter who was forced to use the tool and who saw it taking more data than was necessary for their apartment application told 404 Media. 404 Media granted the person anonymity to protect them from retaliation from their landlord or the services used.

[...] "Argyle hijacked my live Workday session, stayed hidden from view, and downloaded every pay stub plus all W-4s back to 2024, each PDF seconds apart," they said. "Workday audit logs show dozens of 'Print' events from two IPs from a MAC which I do not use," they added, referring to a MAC address, a unique identifier assigned to each device on a network.
https://archive.is/uv4Yk

Giving a corporate login to anyone is a fireable offense at any job.
 

WBahn

Joined Mar 31, 2012
32,854
Yet, it is commonly requested by entities in the financial industry, which amazes me, since these are the same institutions that generally scream the loudest about the importance of never, ever, ever sharing your login credentials with anyone, ever.

When linking an account on one bank to another bank, you need to verify that you have access to the account. A common way of doing this is for one institution to make two small deposits into the account and then have you tell them the amount of the deposits. Initially, those deposits were yours, since the third party could deposit money into your account, but they couldn't withdraw from it without a greater level of authorization. This seemed reasonable -- in most places (for a long time, but I think that's changed or is changing) you could walk into a bank and deposit money, particularly modest amounts of cash, into an account as long as you have the account number, whether you are on the account or not. But, of course, you couldn't withdraw a penny from the account. In the early days of electronically-linked accounts at different institutions, the cost of these lost deposits was seen as an acceptable cost of doing business -- after all, it was a cost generally less than the cost of the paper, envelope, and postage associated with sending a customer something in the mail. But, naturally, as the scale ramped up, they wanted the ability to claw those deposits back and to do so without having to bother with the pesky need to get your authorization (well, you actually authorized them to, in the fine print, when you initiated the process of linking the accounts).

But, this process is clunky, as it requires that the person wait until the transactions post, which can take a few days, and then they have to log into the receiving account, record the amounts, and then jump through the hoops with the initiator to complete the verification. So, not surprisingly, an instant-verification mechanism was developed. So applications like Plaid are used in which you have to provide your login credentials to the other account and it accesses your account. This is becoming increasingly common. I absolutely refuse to use it. So far, except for once, I've been able to opt for the two-small-deposits approach. But one time the institution insisted that I had to use Plaid. Well, I chose not to do business with them.

Although Plaid (and a handful of other, similar, aggregation services) has a strong reputation as being trustworthy, I still think this is a very bad idea. There is always the possibility of them being compromised, either internally or externally. Even worse, in my opinion, is that these services groom the public into being more willing to give up account access credentials, making it easier for malicious actors to prey upon them by spoofing them.

Imagine someone sending out millions of e-mails to people claiming to be Plaid and telling them that their recent attempt to link accounts must be re-verified to establish a permanent link. For security purposes, of course, the names of the institutions being linked have not been included, but you know which account you provided credentials for, so just re-enter them here. Like all scams, the overwhelming majority of people that get that e-mail will know that it's a scam. But, by chance, they are going to send it to some number of people that, in fact, have recently linked accounts using Plaid, and some (possibly not so small) fraction of them will be duped.
 

nsaspook

Joined Aug 27, 2009
16,328
https://www.theguardian.com/world/2...e-security-loophole-in-chinese-electric-buses

Authorities in Denmark are urgently studying how to close an apparent security loophole in hundreds of Chinese-made electric buses that enables them to be remotely deactivated.
...
Their investigations found that remote deactivation could be prevented by removing the buses’ sim cards, but they decided against this because it would also disconnect the bus from other systems.
Ruter said it planned to bring in stricter security requirements for future procurements. Jenssen said it must act before the arrival of the next generation of buses, which could be even “more integrated and harder to secure”.
Movia, Denmark’s largest public transport company, has 469 Chinese electric buses in operation – 262 of which were manufactured by Yutong.

Jeppe Gaard, Movia’s chief operating officer, said he was last week made aware that “electric buses – like electric cars – can be remotely deactivated if their software systems have web access”. He added: “This is not a Chinese bus problem. It is a problem for all types of vehicles and devices with Chinese electronics built in.”
 