security

Self-Propagating Smart Light Bulb Worm

Bruce Schneier links to a terrifying new research paper: In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.

Amazon Introduces Family Photos

Amazon introduced several new photo features for Prime members. The first big one is a new family sharing option. This looks to be a really convenient way for family members to share the unlimited Amazon Drive storage and also keep shared albums. The semantic search looks great. Similar to Apple and Google, Amazon is attempting to recognize the context of photos and surface the perfect result from a text search. In my very brief testing, it works as described.

The Democratization of Censorship Link

For those unaware, one of the highest-profile security researchers and bloggers was hit with the largest DDoS attack in history. It was so massive that it impacted Akamai and they removed support for his website, which is a dramatic accomplishment that may portend an unwelcome future for the internet and free speech. Today, he has a follow-up post, The Democratization of Censorship: John Gilmore, an American entrepreneur and civil libertarian, once famously quipped that “the Internet interprets censorship as damage and routes around it.

Migrating 12 Years of GMail to FastMail Link

From Charl Botha: Fast forward to July 15, 2016 (there’s that lab journal again…) when, after receiving an email from Google asking me to indicate how exactly I would like them to use my data to customise adverts around the web, and after thinking for a bit about what kind of machine learning tricks I would be able to pull on you with 12 years of your email, I decided that I really had to make alternative plans for my little email empire.

OmniFocus Update Adds End to End Encryption Link

From the OmniFocus blog: But, with our latest updates today (OmniFocus 2.6 for Mac and OmniFocus 2.15 for iOS), your data will be completely encrypted before it leaves your device so that it’s encrypted on the server itself. This is a major improvement for me. I’ve always given the OmniSync server a side-eye for tracking tasks with sensitive information in them. This was especially true of tracking work tasks.

Super-rich Discover Risks Of Instagram Snaps Link

David Batty at The Guardian has an interesting piece about using social media to bust rich deadbeats: Hall, a former lawyer turned corporate investigator, said most investigations were more complex, and involved using social media to map a target’s family and business networks. For example, they might use the metadata embedded in an Instagram post to identify their location, or use a Facebook “like” or tag to track down a proxy company.

Facebook, Location, and Friends Link

Facebook is now using location to suggest potential “Friends” which just sounds like a terrible idea: Last week, I met a man who suspected Facebook had tracked his location to figure out who he was meeting with. He was a dad who had recently attended a gathering for suicidal teens. The next morning, he told me, he opened Facebook to find that one of the anonymous parents at the gathering popped up as a “person you may know.

What is Differential Privacy Link

From the amazing Cryptography Engineering summary: A much more promising approach is not to collect the raw data at all. This approach was recently pioneered by Google to collect usage statistics in their Chrome browser. The system, called RAPPOR, is based on an implementation of the 50-year-old randomized response technique. Randomized response works as follows: When a user wants to report a piece of potentially embarrassing information (made up example: “Do you use Bing?
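As an added illustration of the randomized response technique the excerpt refers to (this is not code from the Cryptography Engineering post or from RAPPOR; it is a hypothetical, simplified two-coin scheme): each respondent flips a coin, answers truthfully on heads, and on tails answers according to a second coin flip. No single answer reveals the respondent's truth, yet the collector can still recover the population rate, because P(yes) = 0.5·p + 0.25 and therefore p = 2·P(yes) − 0.5. The names `randomized_response`, `estimate_true_rate` and `simulate`, the seed and the sample size are all assumptions made for this example.

```python
import math
import random


def randomized_response(truth: bool, rng: random.Random) -> bool:
    """One respondent's answer under the two-coin scheme.

    First coin (fair): heads -> report the truth.
    Tails -> ignore the truth and report the result of a second fair coin.
    The collector never learns which branch was taken.
    """
    if rng.random() < 0.5:
        return truth
    return rng.random() < 0.5


def estimate_true_rate(responses) -> float:
    """Unbiased estimate of the true 'yes' rate from the noisy answers.

    P(yes) = 0.5 * p + 0.25, so p = 2 * P(yes) - 0.5. Because of the
    injected noise the estimate can fall slightly outside [0, 1] for
    small samples; that is expected and is not clamped here.
    """
    n = len(responses)
    if n == 0:
        raise ValueError("no responses")
    observed_yes_rate = sum(1 for r in responses if r) / n
    return 2 * observed_yes_rate - 0.5


def privacy_loss_epsilon() -> float:
    """Worst-case privacy loss of the two-coin scheme.

    P(answer=yes | truth=yes) = 0.75 and P(answer=yes | truth=no) = 0.25,
    so the likelihood ratio is at most 3, i.e. epsilon = ln(3).
    """
    return math.log(0.75 / 0.25)


def simulate(n: int, true_rate: float, seed: int = 0):
    """Constructed population: draw n truths, collect noisy answers,
    and return (actual fraction of 'yes' truths, estimated fraction)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    truths = [rng.random() < true_rate for _ in range(n)]
    responses = [randomized_response(t, rng) for t in truths]
    actual = sum(1 for t in truths if t) / n
    return actual, estimate_true_rate(responses)


if __name__ == "__main__":
    actual, estimated = simulate(n=20_000, true_rate=0.3, seed=1)
    print(f"actual yes-rate   : {actual:.4f}")
    print(f"estimated yes-rate: {estimated:.4f}")
    print(f"epsilon           : {privacy_loss_epsilon():.4f}")
```

The point for a collector is the trade-off: every individual answer is deniable (the likelihood ratio between "truth is yes" and "truth is no" never exceeds 3), while the aggregate estimate converges to the real rate with a standard error of roughly sqrt(0.75 / n), so noise that protects one respondent costs only a modest amount of statistical precision at scale.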

Clipboard Poisoning Link

From Malwarebytes: Not so fast. Enter Dylan Ayrey, who discovered a way to use JavaScript to inject malicious commands into a copied shell script. On his proof-of-concept webpage, copying the following innocuous shell command and pasting it into the Terminal results in something completely different. Browsers ruin everything.

Critique The Day One Crypto Before It Happens

The developers of Day One are making a bold move. A recent blog post outlines their current plans for end-to-end encryption but also puts out a plea to critique the designs. I used Day One for all of my text journaling. It was one of my favorite apps for a very long time. But I don’t want them holding my information. I’m happy to see them developing in the open.