#Google just announced that going forward, any account not logged into for two years gets deleted.

This means huge amounts of rare or unique #video is about to disappear from #YouTube as accounts get flagged as inactive, such as when the user dies. Families' #HomeMovies (often posted by an older relative for their family's benefit), historical footage, rare #television clips, etc. What an incalculable loss to human #history and culture!

If there are videos important to you on someone else's video channel, find a way to download them. And if you have rare #media of historical importance, consider leaving it to institutional #archives or lending it to archives for digital preservation.

I guess Mastodon will henceforth be my platform of choice for infosec news.

My latest Post, available at:


FBI officials on Tuesday dropped a major bombshell: After spending years monitoring exceptionally stealthy malware that one of the Kremlin’s most advanced hacker units had installed on hundreds of computers around the world, agents unloaded a payload that caused the malware to disable itself.

The counter-hack took aim at Snake, the name of a sprawling piece of cross-platform malware that for more than two decades has been in use for espionage and sabotage. Snake is developed and operated by Turla, one of the world's most sophisticated APTs, short for advanced persistent threats, a term for long-running hacking outfits sponsored by nation-states.

Inside jokes, taunts, and mythical dragons

If nation-sponsored hacking was baseball, then Turla would not just be a Major League team—it would be a perennial playoff contender. Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently the German Foreign Office and France's military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations.

One of the most powerful tools in Turla’s arsenal is Snake, a digital Swiss Army knife of sorts that runs on Windows, macOS, and Linux. Written in the C programming language, Snake comes as a highly modular series of pieces that are built on top of a massive peer-to-peer network that covertly links one infected computer with another. Snake, the FBI said, has to date spread to more than 50 countries and infected computers belonging to NATO member governments, a US journalist who has covered Russia, and sectors involving critical infrastructure, communications, and education.

Snake is among the most sophisticated pieces of malware ever found, the FBI said. The modular design, custom encryption layers, and high-caliber quality of the code base have made it hard if not impossible for antivirus software to detect. As FBI agents continued to monitor Snake, however, they slowly uncovered some surprising weaknesses. For one, there was a critical cryptographic key with a prime length of just 128 bits, making it vulnerable to factoring attacks that expose the secret key. This weak key was used in Diffie-Hellman key exchanges that allowed each infected machine to have a unique key when communicating with another machine.

In another slipup, Snake developers forgot to scrub the finished code for a new version of programming artifacts. The failure provided important new insights into how the malware worked because it exposed function names, strings in clear text, and developer comments.

Juice jacking, the frightening attack that hacks your phone when you do nothing more than plug it into a public charging station, has become the Halley's Comet of cybersecurity scares. This baseless superstition has circulated on and off for more than a decade, despite there not being a single documented case of it ever happening in the wild.

I'll post a detailed article about precisely what hackers can and can't do when you plug in your phone on Monday.

In the meantime, here's an interview I recently did with tech reporter @richontech about the echo chamber that allows this myth to fester and why people should instead focus on real threats. The segment begins at 18:15


I’m terrified of dying before I’ve created enough content

I've only recommended one VPN service, ever (and no, I don't have any financial relationship to them): Mullvad. They have always seemed to be one of the few entities that practices the mantra, "You don't have to protect what you don't collect."

This is quite a press release:

"Mullvad VPN was subject to a search warrant. Customer data not compromised
20 April 2023 NEWS

On April 18 at least six police officers from the National Operations Department (NOA) of the Swedish Police visited the Mullvad VPN office in Gothenburg with a search warrant.
They intended to seize computers with customer data.

In line with our policies such customer data did not exist. We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law. After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything and without any customer information.

If they had taken something that would not have given them access to any customer information.

Mullvad has been operating our VPN service for over 14 years. This is the first time our offices have been visited with a search warrant."

Source: mullvad.net/en/blog/2023/4/20/


Why is ‘Juice Jacking’ Suddenly Back in the News?

Since I was just asking about this earlier today, I thought I'd share the nice article @briankrebs posted about it.

Probably the best known example is the OMG cable, a $180 hacking device made for professional penetration testers that looks more or less like an Apple or generic USB charging cable. But inside the OMG cable is a tiny memory chip and a Wi-Fi transmitter that creates a Wi-Fi hotspot, to which the attacker can remotely connect using a smartphone app and run commands on the device.

Brian Markus is co-founder of Aries Security, and one of the researchers who originally showcased the threat from juice jacking at the 2011 DEFCON. Markus said he isn’t aware of any public accounts of juice jacking kiosks being found in the wild, and said he’s unsure what prompted the recent FBI alert.

“The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on “juice-jacking,” first issued in 2019 and later updated in 2021, was up-to-date so as to ensure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.”

What can you do to avoid juice jacking? Bring your own gear. A general rule of thumb in security is that if an adversary has physical access to your device, you can no longer trust the security or integrity of that device. This also goes for things that plug into your devices.

Juice jacking isn’t possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present. If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in.


Did you know Tesla has cameras both on the outside of vehicles and the inside, and everything is uploaded to Tesla? Anyhoo they’ve been exporting the videos, making memes of customers and then posting them on chat rooms. reuters.com/technology/tesla-w

I suspect that the majority of my mastodon followers got nerfed last week when the BitcoinHackers instance shut down. My feed is a ghost town.

If you see this post, please star it or comment so that I can get a sense of who is left.

I felt a great disturbance in the Fediverse, as if thousands of voices cried out in terror and were suddenly silenced as they were rugged by NVK. 🙃

My mastodon feed is still full of folks using the bitcoinhackers.org instance. Do y'all not realize that @nvk is gonna rug pull you soon?

Miniscript support fully merged in Bitcoin Core. Just for P2WSH now, but extending it to Taproot is being worked on.


I posted this on all my social media accounts. Here are the engagement stats:

Twitter (431,000 followers)

Nostr (4,800 followers)

Mastodon (2,800 followers)
3 retoots


I'm seeing nearly 50% as much engagement on nostr as on twitter, but with only 1% the audience size.

Assuming the stats are roughly accurate, it means nostr users are 50X more active than twitter users. Alternatively, it could mean that Twitter is 98% abandoned.

Covenants are a crucial piece of functionality that is missing from Bitcoin. It's amazing that developers have been discussing them for a DECADE without settling on a proposal.

It's grant-seeking season for me, and I wrote up what I have been working on in 2022 and what I plan to work on this year: continuing my current Bitcoin network monitoring efforts.


I don't think mastodon has a great chance of gaining network effects so long as most of its content is just being mirrored from folks' tweets. Makes it seem like a waste of time for me to scroll through content I've already seen.

This server is a private instance for Jameson Lopp by Jameson Lopp