Women's Romanization for Hong Kong
> This is not to say that this type of ad hoc, spontaneous Romanization of Cantonese has not already existed for some time. Indeed, young people have been using it extensively for texting, on social media, etc. for years. What’s new is that it is now consciously being employed to out fake protesters who do not know Hong Kong Cantonese and its informal writing system.
The scramble to secure America’s voting machines
> Paperless voting devices are a gaping weakness in the patchwork U.S. election system, security experts say. But among these 14 states and their counties, efforts to replace these machines are slow and uneven, a POLITICO survey reveals.
Very annoying scroll interaction at the top, but eventually some content appears.
Moxie Marlinspike on encryption bans
> Host Molly Wood spoke with Moxie Marlinspike, founder and CEO of the private chat app Signal Messenger, about what a ban on encryption — or giving law enforcement a back door to messages — might mean. The following is an edited transcript of their conversation.
Investigating sources of PII used in Facebook’s targeted advertising
> We develop a novel technique that uses Facebook’s advertiser interface to check whether a given piece of PII can be used to target some Facebook user, and use this technique to study how Facebook’s advertising service obtains users’ PII. We investigate a range of potential sources of PII, finding that phone numbers and email addresses added as profile attributes, those provided for security purposes such as two-factor authentication, those provided to the Facebook Messenger app for the purpose of messaging, and those included in friends’ uploaded contact databases are all used by Facebook to allow advertisers to target users. These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings.
How Hacking Works
In which xkcd teaches us about credential stuffing.
The Model Estonian Soldier Who Spied for Russia
> I spoke to Metsavas under the auspices of KAPO, which gave The Atlantic virtually unrestricted access to him, but not to his friends or family. Notably, I was not allowed to speak with his wife, his mother, or his father, the last of whom played an integral role in his son’s ordeal. The rules of engagement were simple: I could ask my subject anything I liked, but he had been instructed beforehand not to divulge information that might compromise KAPO’s counterintelligence investigation, particularly any details that would telegraph to the Russians what the Estonians knew about their tradecraft and the secrets they had stolen. “They don’t deserve it,” Toots said.
> For KAPO, the interview was an opportunity to publicize its already legendary reputation of catching Russian spies. For me, it was an unmissable chance to speak to a contemporary spy and raise the curtain on the inner workings of a Russian intelligence agency whose century-long history of skulduggery—from election tampering to dirty wars, from attempted coups to assassination plots—shows no sign of abating. And for Metsavas, it was a chance to atone for his high crimes against his country, his comrades in the army, his friends and family. I believe he had little apparent incentive to lie: Everything he said would be within earshot of at least one KAPO case officer, tasked with ensuring that he didn’t speak out of turn, or embellish or misrepresent his autobiography. I got the impression that Metsavas, as much as the men who had unmasked him, took such matters earnestly. In general, there was a strange camaraderie between Metsavas and the KAPO case officers who flitted in and out of the interrogation room as our interview wore on. All interacted with him not as an enemy of the state, but as an old acquaintance, with an intimacy born of close proximity and repetition. I asked Metsavas whether he felt compelled in any way to talk to me. He said he didn’t and insisted that this whole thing was his idea in the first place. I eventually saw why.
I was 7 words away from being spear-phished
> I reflexively did some basic security hygiene checks. The email was from an @cam.ac.uk email address. I hovered over the link in the email - people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. It pointed to the same URL that the email text claimed it did, and was located on a valid cam.ac.uk subdomain. It did strike me as a little odd that the page was hosted inside gh327’s personal directory instead of the main economics department’s site; but hey, it’s probably less bureaucracy that way. I clicked on the link and read a little about the history of the Adam Smith prize.
Patrolling The Cyber-Physical Security Border
> Are there any overlaps between the physical and cyber security fields? Are there certain corners of cyber security that can best be reached by physical security experts, and vice versa? Can the two fields benefit from more cross-pollination and professional cooperation?
Plus some more comments: https://medium.com/@thegrugq/security-turns-out-its-hard-e678c5350bc7
John Deere's Promotional USB Drive Hijacks Your Keyboard
> Tractor-maker John Deere distributed USB drives that hijacked users’ keyboards and loaded its official website onto the browser. While the John Deere USB drive didn’t do anything to compromise the security of devices it was connected to, it used a method that’s similar to a malicious attack.
I think the real story here is that people still plug in strange devices.
‘Nobody Cares!’ Rich Unknowns Try Celebrity Tricks to Hide House Hunting
> While high-profile figures like Mark Zuckerberg are known for making stealthy real-estate buys, some of the most extreme secrecy measures are demanded by people you’ve never heard of. “Sometimes I want to say, ‘Nobody cares!’” said Compass real-estate agent Cindy Scholz, of New York.
> The client wouldn’t send his financial documents because of Mr. Swierczewski’s laptop software. “He hated Windows,” said Mr. Swierczewski, who agreed to install a Linux operating system. It took two days to get it to work, forcing Mr. Swierczewski to cancel appointments. “I almost threw my computer at the wall,” he said.
Sex and Psychological Operations
> Warning! These historical wartime images are sexually explicit.
> Would it surprise you to know that all the major combatants involved in World War II used pornography as part of their psychological operations (PSYOP) strategy?
How does Apple (privately) find your offline devices?
> A big caveat: much of this could be totally wrong. I’ll update it relentlessly when Apple tells us more.
> Since this is a security system, the first question you should ask is: who’s the bad guy? The answer in this setting is unfortunate: everyone is potentially a bad guy. That’s what makes this problem so exciting.
It’s the middle of the night. Do you know who your iPhone is talking to?
> On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.
What I Learned Trying To Secure Congressional Campaigns
> I don’t believe I accomplished much, but I made so many friends along the way! And I learned a lot about the idiosyncratic world of Congressional campaigns; knowledge that I want to now hand over to you, the next person willing to take a swing at this piñata of futility.
> The candidate was the hardest person to secure. They were too busy to come to the training. They didn’t want to move off their Loudong SB250 phone because it had all their favorite Flash games from the Yahoo store on it. Three different antivirus programs competed for dominion over their Windows 7 laptop.
> Ideally, there would be a billing model where the training is free, but the campaign gets charged thousands of dollars for ignoring it.
SensorID: Sensor Calibration Fingerprinting for Smartphones
> We have developed a new type of fingerprinting attack, the calibration fingerprinting attack. Our attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint.
Tracking Phones, Google Is a Dragnet for the Police
> The new orders, sometimes called “geofence” warrants, specify an area and a time period, and Google gathers information from Sensorvault about the devices that were there. It labels them with anonymous ID numbers, and detectives look at locations and movement patterns to see if any appear relevant to the crime. Once they narrow the field to a few devices they think belong to suspects or witnesses, Google reveals the users’ names and other information.
How to Maintain a Low Profile
> I think it’s perfectly obvious that I am skulking!
Cryptography During the French and American Wars in Vietnam
> After Vietnam’s Declaration of Independence on 2 September 1945, the country had to suffer through two long, brutal wars, first against the French and then against the Americans, before finally in 1975 becoming a unified country free of colonial domination. Our purpose is to examine the role of cryptography in those two wars. Despite the far greater technological resources of their opponents, the communications intelligence specialists of the Viet Minh, the National Liberation Front, and the Democratic Republic of Vietnam had considerable success in both protecting Vietnamese communications and acquiring tactical and strategic secrets from the enemy. Perhaps surprisingly, in both wars there was a balance between the sides. Generally speaking, cryptographic knowledge and protocol design were at a high level at the central commands, but deployment for tactical communications in the field was difficult, and there were many failures on all sides.
The Mail from Budapest
> This story of pre-war espionage and counterespionage has been summarized from records originating in Czechoslovakia and acquired by American intelligence after World War II. It has all the qualities of a classic except one: it is nearly unknown. It is our purpose here to pull it out, with its still useful lessons, from the shadows of the past.
Told U.S. security at risk, Chinese firm seeks to sell Grindr dating app
> Chinese gaming company Beijing Kunlun Tech Co Ltd is seeking to sell Grindr LLC, the popular gay dating app it has owned since 2016, after a U.S. government national security panel raised concerns about its ownership, according to people familiar with the matter.