GrayKey: The little box that unlocks iPhones

Thomas Reed, for Malwarebytes:

Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.

Nothing is safe. Encrypt and delete constantly.

How Defective Guns Became the Only Product That Can’t Be Recalled

An enraging story from Michael Smith and Polly Mosendz, for Bloomberg:

Taurus sold almost a million handguns that can potentially fire without anyone pulling the trigger. The government won’t fix the problem. The NRA is silent.

Gun manufacturers have long held an unassailable position in American business and politics. They need to be reminded that they aren’t above the law… and we can start by making them follow the same goddamn rules as everyone else.

KDE Bug Executes Arbitrary Code Based on Name of Thumb Drive

This is one of the dumbest and most dangerous bugs I’ve ever heard of. From the KDE security list:

When a vfat thumbdrive which contains " or $() in its volume label is plugged and mounted through the device notifier, it’s interpreted as a shell command, leaving the possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)", which will create a file called b in the home folder.

It’s jaw-dropping.
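To make the bug pattern concrete, here is an added example of my own (not KDE's code, and not the notifier's actual command): a volume label spliced into a command string that is handed to a shell, next to the two standard fixes. The labels are constructed; `$(echo INJECTED)` is used instead of the advisory's `$(touch b)` so the demonstration leaves no files behind, but the shell treats both the same way.

```python
import shlex
import subprocess

# Constructed sample volume labels (not taken from the advisory or any real device).
SAFE_LABEL = "USB_STICK"
SUBST_LABEL = "$(echo INJECTED)"        # the $() shape named in the advisory
QUOTE_LABEL = 'x"; echo INJECTED; "'    # the unbalanced double-quote shape


def notify_vulnerable(label: str) -> str:
    """Reproduces the bug pattern: the label is spliced into a command string
    that is then handed to a shell, so $(...) and stray quotes are evaluated.
    Illustrative stand-in for the notifier, not KDE's code."""
    cmd = f'echo "Mounted volume: {label}"'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def notify_fixed_argv(label: str) -> str:
    """Fix 1: no shell at all. The label travels as one argv element, so the
    bytes reach the program untouched and nothing interprets them."""
    out = subprocess.run(["echo", f"Mounted volume: {label}"],
                         capture_output=True, text=True)
    return out.stdout.strip()


def notify_fixed_quoted(label: str) -> str:
    """Fix 2: when a shell is unavoidable, quote untrusted data with shlex.quote
    before splicing it in. It wraps the value in single quotes, inside which
    the shell performs no substitution."""
    cmd = "echo " + shlex.quote(f"Mounted volume: {label}")
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    for label in (SAFE_LABEL, SUBST_LABEL, QUOTE_LABEL):
        print(repr(label))
        print("  vulnerable:", repr(notify_vulnerable(label)))
        print("  argv fix:  ", repr(notify_fixed_argv(label)))
        print("  quoted fix:", repr(notify_fixed_quoted(label)))
```

The vulnerable path prints `Mounted volume: INJECTED` for the `$()` label (the substitution ran) and runs a second command for the quote label; both fixes print the label byte for byte. The argv form is the one to prefer: it removes the shell from the picture instead of trying to out-quote it.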

The World’s Email Encryption Software Relies on One Guy, Who is Going Broke

Filed under Welcome To 2015:

“I’m too idealistic,” he told me in an interview at a hacker convention in Germany in December. “In early 2013 I was really about to give it all up and take a straight job.” But then the Snowden news broke, and “I realized this was not the time to cancel.”

Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.

The people who make important stuff get jack shit for their effort, but that’s how the new Uber For Fart Sounds app gets millions.

Schneier on Security: Our Newfound Fear of Risk

Bruce Schneier:

We’re afraid of risk. It’s a normal part of life, but we’re increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren’t free. They cost money, of course, but they cost other things as well. They often don’t provide the security they advertise, and — paradoxically — they often increase risk somewhere else. This problem is particularly stark when the risk involves another person: crime, terrorism, and so on. While technology has made us much safer against natural risks like accidents and disease, it works less well against man-made risks.

I kind of just want to quote this entire piece, but I’ll let you head over to Bruce’s place for the rest.

Does Airport Security Really Make Us Safer?

Vanity Fair says no:

As you stand in endless lines this holiday season, here’s a comforting thought: all those security measures accomplish nothing, at enormous cost. That’s the conclusion of Charles C. Mann, who put the T.S.A. to the test with the help of one of America’s top security experts.

Experts like Bruce Schneier have been calling what the TSA does “security theater” for 10 years now. The mainstream press just now seems to be catching on.

The Pitfalls of Facebook’s “Social Authentication”

Dan Wineman shoves a hot poker up the ass of Facebook’s “social authentication”:

Captchas don’t verify identity. “Social authentication” challenges based on public information — especially information that the service itself provides, for free, to anyone who asks — don’t do that either.

The problem with “social authentication” is that second word, there. Facebook’s calling it an authentication method is dangerous because a false sense of security is… false. “Social captchas” just doesn’t have the same marketing chutzpah, I guess.

Link via @mrgan

A Waste of Money and Time

Security professional Bruce Schneier on what really makes plane travel safer, and the difference between theater and reality:

Of course not. Airport security is the last line of defense, and it’s not a very good one. What works is investigation and intelligence: security that works regardless of the terrorist tactic or target. Yes, the target matters too; all this airport security is only effective if the terrorists target airports. If they decide to bomb crowded shopping malls instead, we’ve wasted our money.

BlackSheep, the Firesheep countermeasure tool

Like the thing it acts against, it is a Firefox plugin. Were Firesheep a serious malicious tool, the race between BlackSheep countermeasures and Firesheep counter-countermeasures would be endless, and Firesheep would always “win”: you can’t develop countermeasures until an attack has already succeeded. This was and is the message of Firesheep to begin with: the only solution to this kind of attack is to use HTTPS.
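As an added example of my own (not from the post, and not BlackSheep's or Firesheep's code), here is the attack and the fix side by side in Python: what a passive sniffer reads out of one plaintext HTTP request, the replay that hijacks the session, and a server-side check that the session cookie carries the Secure attribute, which is how "use HTTPS" is actually enforced for cookies. The hostname, paths and cookie values are constructed, and the set of session cookie names is an assumption. The Secure-attribute audit goes one step past the post's one-sentence conclusion.

```python
# Constructed sample capture: one plaintext HTTP request as a passive sniffer on an
# open Wi-Fi network sees it. Host, path and cookie values are invented.
CAPTURED_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: theme=dark; session_id=9f2c1a7e4b; lang=en\r\n"
    "\r\n"
)

# Assumption for this example: the sniffer has a list of cookie names that carry
# a login session for the sites it targets.
SESSION_COOKIE_NAMES = {"session_id", "PHPSESSID", "JSESSIONID"}


def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into a dict; pairs without '=' are ignored."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def sniff_session(raw_request: str) -> dict:
    """Pull session cookies out of a plaintext request. Nothing is decrypted or
    guessed: over HTTP the Cookie header is simply readable on the wire."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    header_lines = head.split("\r\n")[1:]          # drop the request line
    stolen = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for k, v in parse_cookie_header(value).items():
                if k in SESSION_COOKIE_NAMES:
                    stolen[k] = v
    return stolen


def build_replay(host: str, path: str, cookies: dict) -> str:
    """The hijack step: a fresh request carrying the stolen cookie. The server
    cannot tell it from the victim's own traffic, which is why a client-side
    countermeasure plugin cannot help."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"


def audit_set_cookie(set_cookie: str) -> list:
    """The fix, checked where it has to live (the server): a session cookie must
    carry Secure so the browser never sends it over plain HTTP. HttpOnly is
    checked too as the usual companion attribute. Returns what is missing."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if name in SESSION_COOKIE_NAMES:
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
    return problems


if __name__ == "__main__":
    stolen = sniff_session(CAPTURED_REQUEST)
    print("sniffed:", stolen)
    print(build_replay("social.example", "/home", stolen))
    print(audit_set_cookie("session_id=9f2c1a7e4b; Path=/"))
    print(audit_set_cookie("session_id=9f2c1a7e4b; Path=/; Secure; HttpOnly"))
```

The point the code makes is the post's point: the sniffer does nothing clever, so there is nothing on the victim's machine to detect or block. Only a cookie the browser refuses to send over HTTP (Secure, on a site served over HTTPS) takes the plaintext off the wire.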