Lifeboat Foundation

The National Security Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn’t leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a “contribution to the nation’s cybersecurity community” in announcing it at RSA, it will no doubt be used far beyond the United States.

No one’s better at hacking than the NSA. And now one of its powerful tools is available to everyone for free.

Apple’s FaceID authentication system started moving smartphone users away from relying on fingerprints to secure their mobile devices, which are arguably less secure. But researchers think they’ve come up with an even better biometric tool for protecting a device that uses a part of the body that’s nearly impossible to spoof: a user’s ear canals.

A team of researchers led by Zhanpeng Jin, an associate professor in the Department of Computer Science and Engineering in the University of Buffalo’s School of Engineering and Applied Sciences, created a new authentication tool called EarEcho, which is somewhat self-explanatory. The team modified a set of off the shelf earbuds with a tiny microphone that points inside the wearer’s ear, not out towards the world around them. It’s not there to pick up ambient sounds to facilitate a noise-canceling or feature, or even the wearer’s voice for making calls; the tiny mic is instead tuned to listen to the echo of sounds as they’re played and then propagate through the ear canal.

SHA-256 is a one way hashing algorithm. Cracking it would have tectonic implications for consumers, business and all aspects of government including the military.

It’s not the purpose of this post to explain encryption, AES or SHA-256, but here is a brief description of SHA-256. Normally, I place reference links in-line or at the end of a post. But let’s get this out of the way up front:

• Sept 11: Original disclosure
• Sept 11: Community skepticism
• Sept 12: Claim retracted: [announcement] [press]

One day after Treadwell Stanton DuPont claimed that a secret project cracked SHA-256 more than one year ago, they back-tracked. Rescinding the original claim, they announced that an equipment flaw caused them to incorrectly conclude that they had algorithmically cracked SHA-256.

“All sectors can still sleep quietly tonight,” said CEO Mike Wallace. “Preliminary results in this cryptanalytic research led us to believe we were successful, but this flaw finally proved otherwise.”

Continue reading “Was SHA-256 cracked? Don’t buy into retraction!” »

Biometric mobile wallets — payment technologies using our faces, fingerprints or retinas — already exist. Notable technology companies including Apple AAPL, +2.62% and Amazon AMZN, +0.26% await a day when a critical mass of consumers is sufficiently comfortable walking into a store and paying for goods without a card or device, according to Sinnreich, author of “The Essential Guide to Intellectual Property.”

Removing the last physical barrier — smartphones, watches, smart glasses and credit cards — between our bodies and corporate America is the final frontier in mobile payments. “The deeper the tie between the human body and the financial networks, the fewer intimate spaces will be left unconnected to those networks,” Sinnreich said.

The blockchain is public, yet a Bitcoin wallet can be created anonymously. So are Bitcoin transactions anonymous? Not at all…

Each transaction into and out of a wallet is a bread crumb. Following the trail is trivial. Every day, an army of armchair sleuths help the FBI. That’s how Silk Road was brought down.

The problem is that some of that money eventually interacts with the real world (a dentist is paid, a package shipped or a candy is purchased at a gas station). Even if the real-world transaction is 4 hops before or after hitting the “anonymous” wallet, it creates a forensic focal point. Next comes a tax man, an ex-spouse or a goon.

The first article linked below addresses the state of tumblers (aka “mixers”). They anonymize an open network by obfuscating the trail of bread crumbs.

Continue reading “Can Bitcoin Transactions be Made Private?” »

Just five months ago at the RSA conference, the NSA released Ghidra, a piece of open source software for reverse-engineering malware. It was an unusual move for the spy agency, and it’s sticking to its plan for regular updates — including some based on requests from the public.

In the coming months, Ghidra will get support for Android binaries, according to Brian Knighton, a senior researcher for the NSA, and Chris Delikat, a cyber team lead in its Research Directorate, who previewed details of the upcoming release with CyberScoop. Knighton and Delikat are discussing their plans at a session of the Black Hat security conference in Las Vegas Thursday.

Before the Android support arrives, a version 9.1 will include new features intended to save time for users and boost accuracy in reverse-engineering malware — enhancements that will come from features such as processor modules, new support for system calls and the ability to conduct additional editing, known as sleigh editing, in the Eclipse development environment.

Given that going viral on the Internet is often cyclical, it should come as no surprise that an app that made its debut in 2017 has once again surged in popularity. FaceApp applies various transformations to the image of any face, but the option that ages facial features has been especially popular. However, the fun has been accompanied by controversy; since biometric systems are replacing access passwords, is it wise to freely offer up our image and our personal data? The truth is that today the face is ceasing to be as non-transferable as it used to be, and in just a few years it could be more hackable than the password of a lifetime.

Our countenance is the most recognisable key to social relationships. We might have doubts when hearing a voice on the phone, but never when looking at the face of a familiar person. In the 1960s, a handful of pioneering researchers began training computers to recognise human faces, although it was not until the 1990s that this technology really began to take off. Facial recognition algorithms have improved to such an extent that since 1993 their error rate has been halved every two years. When it comes to recognising unfamiliar faces in laboratory experiments, today’s systems outperform human capabilities.

Continue reading “How to Hack a Face: From Facial Recognition to Facial Recreation” »

The government would never target innocent citizens much less whistleblowers, journalists or activists who are “inconvenient”, right? No history of heinous wrong-doing — right?

A new study scanned 22,484 pornography sites and found them riddled with trackers from major technology companies.