Source: Hacker News
Source: Schneier on Security
My personal definition of a brilliant idea is one that is immediately obvious once it’s explained, but no one has thought of it before. I can’t believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet design, but the ideas are more general. Ittay points out that a key—or an account, or anything similar—can be in one of four states:
safe Only the user has access,
loss No one has access,
leak Both the user and the adversary have access, or
theft Only the adversary has access.
Once you know these states, you can assign probabilities of transitioning from one state to another (someone hacks your account and locks you out, you forgot your own password, etc.) and then build optimal security and reliability to deal with it. It’s a truly elegant way of conceptualizing the problem.
Source: Ars Technica
Enlarge / FTC Chair Lina Khan said the commission intends to act on commercial data collection, which happens at "a massive scale and in a stunning array of contexts." (credit: Getty Images)
The Federal Trade Commission has kicked off the rulemaking process for privacy regulations that could restrict online surveillance and punish bad data-security practices. It's a move that some privacy advocates say is long overdue, as similar Congressional efforts face endless uncertainty.
The Advanced Notice of Proposed Rulemaking, approved on a 3-2 vote along partisan lines, was spurred by commercial data collection, which occurs at "a massive scale and in a stunning array of contexts," FTC Chair Lina M. Khan said in a press release. Companies surveil online activity, friend networks, browsing and purchase history, location data, and other details; analyze it with opaque algorithms; and sell it through "the massive, opaque market for consumer data," Khan said.
Companies can also fail to secure that data or use it to make services addictive to children. They can also potentially discriminate against customers based on legally protected statuses like race, gender, religion, and age, the FTC said. What's more, the release said, some companies make taking part in their "commercial surveillance" required for service or charge a premium to avoid it, employing dark patterns to keep the systems in place.
Source: Engadget
Meta has long been working on end-to-end encryption for its messaging products, but so far, only WhatsApp has switched on the privacy feature by default. In its latest update about its efforts, Meta said it will start testing default end-to-end encrypted chats for select users on Messenger. Those chosen to be part of the test will find that some of their most frequent chats have been automatically end-to-end encrypted. That means there's no reason to start "Secret Conversations" with those friends anymore.
The company is also testing secure storage for encrypted chats, which gives users access to their conversation history in case they lose their phone or want to restore it on a new device. To be able to access their backups through security storage, users will have to create a PIN or generate codes that they'll then have to save. Those two are end-to-end encrypted options and provide another layer of protection. That said, users can also opt to use cloud services to restore conversations — those with iOS devices, for instance, can use iCloud to store the secret key needed to access their backups. Meta will also begin testing secure storage this week, but only on Android and iOS. It's still not available for Messenger on the web or for unencrypted chats.
The other tests Meta is rolling out in the coming weeks include bringing regular Messenger features to end-to-end encrypted chats. It will test the ability to unsend messages and to send replies to Facebook Stories as encrypted chats, and it's also planning to bring end-to-end encrypted calls to the Calls Tab on Messenger. Ray-Ban Stories users will be able to send encrypted hands-free messages through Messenger, as well.
In addition, Meta is launching a new security feature called Code Verify, which is an open-source browser extension for Chrome, Firefox and Microsoft Edge. As its name implies, it can verify the authenticity of the Messenger website's web code and ensure that it hasn't been tampered with. As for Instagram, the company is retiring the app's vanish mode chats, which aren't encrypted, while also expanding ongoing tests for opt-in end-to-end encrypted messages and calls on the service.
All of these are part of Meta's preparations as it works its way towards the global rollout of default end-to-end encryption for messages and calls on its services. It plans to launch even more tests and updates before its target rollout sometime in 2023.
Source: Hacker News
Last summer I posted about some tiny stepper motors from the internet, thinking about them as an alternative to mechatronic standbys like those terrible SG90 type servos or larger and differently terrible 28BYJ-48 geared steppers driven through a ULN2003.
At the time, I tried one with an A4988 stepstick from the top of my parts bin, and it didn’t work, so I figured there was some limitation and stuck to directly driving with H-bridges.
…it turns out the “limitation” was that the cheap current-setting potentiometer on that particular stepstick was broken so it was driving no output current.
Discoveries:
Source: Hacker News
Source: Hacker News
I’ve been biking a fair amount lately after a 20-odd year hiatus; I decided last year that I wanted to start biking, bought a Giant Escape 3 Disc near the end of summer, but didn’t get confident enough riding to use it around campus last year among the students texting their way to their first (next?) vehicular manslaughter charge before they flocked back.
This summer, I’ve been dong my commute into campus on it, plus a significant amount of fun/exercise riding, and the top fixable annoyance has become getting sprayed at the slightest hint of wet. I did some hackin’ that I haven’t seen on the interwebs to fit the fenders I picked to the frame, which is the point of this post.
Continue readingSource: Ars Technica
Enlarge (credit: Intel)
Intel’s latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company’s software guard extensions, the advanced feature that acts as a digital vault for security users’ most sensitive secrets.
Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system or a virtual machine running on top is maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.
SGX is a cornerstone of the security assurances many companies provide to users. Servers used to handle contact discovery for the Signal Messenger, for instance, rely on SGX to ensure the process is anonymous. Signal says running its advanced hashing scheme provides a “general recipe for doing private contact discovery in SGX without leaking any information to parties that have control over the machine, even if they were to attach physical hardware to the memory bus.”
