Amazon wants to sell “surveillance as a service”
Amazon has filed a patent to use delivery drones as mobile surveillance cameras. These cameras will then be used as part of "surveillance as a service" to take pictures as they approach their delivery points. Customers could also request regular fly-bys of the drones.
In case Amazon’s surveillance capabilities weren’t extensive enough with its Echo, Ring, and Key products, not to mention all the data Amazon routinely collects on its customers, the company recently received a US patent to provide “surveillance as a service.”
The patent is for an “unmanned aerial vehicle”—the technical term for a drone—that “may perform a surveillance action at a property of an authorized party” and could “image the property to generate surveillance images.” Amazon suggests in its patent, filed June 12, 2015, and granted June 4 of this year, that drone-based surveillance would be superior to traditional video-camera installations that have limited range, are liable to miss things, and can be manipulated or damaged by an intruder.
https://qz.com/1648875/amazon-receives-us-patent-for-surveillance-as-a-service/
And
https://telegra.ph/Amazon-drones-could-be-used-to-spy-on-your-home-and-spot-intruders-patent-reveals-06-21
#DeleteAmazon #surveillance #cameras #drones #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Quartz
Amazon wants to sell “surveillance as a service”
Drone-based surveillance is a logical next step for Amazon, which has invested heavily in both parts of that equation.
Facebook usage falling after privacy scandals, data suggests
Actions such as shares and likes down nearly 20%, though user numbers still growing
Since the Cambridge Analytica scandal in April 2018, the number of likes, shares and posts has fallen by about a fifth, according to estimates by the consulting firm Mixpanel. Facebook nevertheless states that the number of its daily users has since clearly risen to 1.56 billion people worldwide. This indicates that although many people no longer actively use Facebook, they are reluctant to leave the platform altogether - not least because of Facebook's messenger services.
Facebook usage has plummeted over the last year, according to data seen by the Guardian, though the company says usage by other measures continues to grow.
Since April 2018, the first full month after news of the Cambridge Analytica scandal broke in the Observer, actions on Facebook such as likes, shares and posts have dropped by almost 20%, according to the business analytics firm Mixpanel.
Taking that month as a baseline, total actions fell by more than 10% within a month, recovered a bit over the summer and then fell again over the autumn and winter of 2018, except for a brief rally over the period of the US midterm elections.
Likes, shares and posts on Facebook have plummeted since the Cambridge Analytica scandal of spring 2018
The decline coincided with a series of data, privacy and hate speech scandals. In September the company discovered a breach affecting 50m accounts, in November it admitted that an executive hired a PR firm to attack the philanthropist George Soros, and it has been repeatedly criticised for allowing its platform to be used to fuel ethnic cleansing in Myanmar.
Facebook’s own statistics show increases in daily and monthly active users (DAUs and MAUs), the numbers logging on to the site at least once in the respective periods, during the year ending March 2019.
In the company’s latest quarterly earnings report, published in April, it said it averaged 1.56bn DAUs in March up 8% on March 2018, and MAUs were also up 8% year on year.
The two sets of numbers can be reconciled. Anecdotal reports over the past year have suggested that while few users have deleted their Facebook accounts or stopped logging on since the scandals, many have reduced their usage.
This month a market research firm, eMarketer, reported a decline in Facebook usage in the US, saying the typical Facebook user spent 38 minutes a day on the site, down from 41 minutes in 2017.
“On top of that, Facebook has continued to lose younger users, who are spreading their time and attention across other social platforms and digital activities,” eMarketer said.
https://www.theguardian.com/technology/2019/jun/20/facebook-usage-collapsed-since-scandal-data-shows
#DeleteFacebook #analysis
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
NASA hacked because of unauthorized Raspberry Pi connected to its network
NASA described the hackers as an "advanced persistent threat," a term generally used for nation-state hacking groups.
A report published this week by the NASA Office of Inspector General reveals that in April 2018 hackers breached the agency's network and stole approximately 500 MB of data related to Mars missions.
The point of entry was a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or going through the proper security review.
Hackers stole Mars missions data
According to a 49-page OIG report, the hackers used this point of entry to move deeper inside the JPL network by hacking a shared network gateway.
The hackers used this network gateway to pivot inside JPL's infrastructure and gained access to the network that was storing information about NASA JPL-managed Mars missions, from where they exfiltrated information.
The OIG report said the hackers used "a compromised external user system" to access the JPL missions network.
"The attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission," the NASA OIG said.
The Mars Science Laboratory is the JPL program that manages the Curiosity rover on Mars, among other projects.
Hackers also breached NASA's satellite dish network
The primary role of NASA's JPL division is to build and operate planetary robotic spacecraft such as the Curiosity rover, or the various satellites that orbit planets in the solar system.
In addition, the JPL also manages NASA's Deep Space Network (DSN), a worldwide network of satellite dishes that are used to send and receive information from NASA spacecraft in active missions.
Investigators said that besides accessing the JPL's mission network, the April 2018 intruder also accessed the JPL's DSN IT network. Upon the discovery of the intrusion, several other NASA facilities disconnected from the JPL and DSN networks, fearing the attacker might pivot to their systems as well.
PDF:
https://oig.nasa.gov/docs/IG-19-022.pdf
https://www.zdnet.com/article/nasa-hacked-because-of-unauthorized-raspberry-pi-connected-to-its-network/
#pdf #nasa #hack #raspberry
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Epic privacy fail: WeTransfer shared its users' files with the wrong people
Sharing files using the cloud is very convenient, but understandably, some people are hesitant to do so with sensitive or private information. These privacy-conscious folks may be looked at as "paranoid" by some, but you know what? As more and more breaches occur, it is becoming harder to trust the cloud with files. And so, the "tinfoil hat" wearers start to look quite sensible.
As an example, popular cloud-based file-sharing service WeTransfer has failed in epic fashion. You see, the company not only shared files with the intended recipients, but with random strangers too! Yes, that private information you didn't want seen by anyone other than your intended audience may have been viewed by the wrong person. Good lord.
The file sharing service sent the following email to impacted users:
"Dear WeTransfer user,
We are writing to let you know about a security incident in which a number of WeTransfer service emails were sent to the wrong people. This happened on June 16th and 17th. Our team has been working tirelessly to correct and contain this situation and find out how it happened.
We have learned that a transfer you sent or received was also delivered to some people it was not meant to go to. Our records show those files have been accessed, but almost certainly by the intended recipient. Nevertheless, as a precaution we blocked the link to prevent further downloads.
As your email address was also included in the transfer email, please keep an eye out for any suspicious or unusual emails you receive.
We understand how important your data is and never take your trust in our service for granted. If you have any questions or concerns, just reply to this email to contact our support team.
The WeTransfer Team"
Well, it doesn't get much worse than that, folks. I mean, look, WeTransfer had one job -- share files with the correct friggin' people! Moving forward, it will be very hard for users to trust the company. Hell, they even exposed the sender's email address, which can lead to spam and phishing attempts too. Sigh.
Are you a WeTransfer user? Will you stop using the service as a result of this blunder?
UPDATE: After BetaNews broke this news, WeTransfer shared more details on their website here. The company says it has forced some users to change passwords, meaning login credentials may have been stolen, but not definitely. They have also contacted authorities, signaling this may not be an accident, but a criminal breach.
https://wetransfer.pr.co/178267-security-notice
https://betanews.com/2019/06/21/wetransfer-fail/
#WeTransfer #sharing #cloud #privacy #breach
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Cyber Attacks, MAGMA, FaceBorgCoin – New World Next Week
This week on the New World Next Week: cyber warfare heats up as US cyber attacks on Russia exposed; Trump streamlines GMO regulatory approval with a new executive order; and Facebook announces FedbookGlobalistShillCoin.
📺 New World Next Week #CyberAttacks #MAGMA #FaceBorgCoin – New World Next Week #Corbettreport #DeleteFacebook #video #podcast
https://www.corbettreport.com/cyber-attacks-magma-faceborgcoin-new-world-next-week/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Contemporary Code: GRaB - Growing as Building
GrAB - Growing As Building takes growth patterns and dynamics from nature and applies them to architecture with the goal of creating a new living architecture.
GrAB has brought an interdisciplinary team from the fields of architecture, biology, art, mechatronics and robotics to the University of Applied Arts Vienna, in order to initiate a process of biomimetic transfer in which models from nature are applied to architecture and art.
📺 #GRaB - Growing as Building #video
https://www.growingasbuilding.org/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
No new Bitcoin: Don't touch Facebook's Libra!
Facebook wants to become the central bank with Libra and profit from the Bitcoin hype. But the blockchain is primarily a facade, Libra is neither decentralized nor a crypto currency.
If Facebook has its way, Libra will develop into a world currency. But the Facebook coin has little in common with Bitcoin and other crypto currencies. Libra is a digital currency that resembles Wechat Pay rather than Bitcoin. The question of whether Libra is a crypto currency is directly related to considerations of privacy and user trust.
Crypto currencies vs. central banks
With the blockchain as a technology and especially with crypto currencies, a lot revolves around trust. In principle, this is very similar to conventional currencies such as the euro, which also work solely because we trust, for example, that the state and the central bank will not devalue them. In the case of fiat currencies, i.e. uncovered money, recent history - actually only from the 20th century onwards - has shown that this trust in the state is not always justified. Replacing this blind trust in a central authority that controls the monetary system has been one of the core promises of crypto currencies from the outset and can be found in Bitcoin's first announcement, written by Satoshi Nakamoto.
Facebook also wants to give the impression that its digital currency is decentralized, so that users do not have to rely on a central authority. Libra is to be controlled by the Libra Association based in Switzerland, which includes many other companies such as Paypal, Visa, Uber and Mastercard. The mere fact that many well-known companies are on board - and have each paid at least ten million US dollars for it - combined with the ambitious goal of creating a global financial network, is causing a lot of hype. If you then stick the label "Blockchain" on such an ambitious project, you can be sure that everyone is talking about it.
Decentralised, my ass: Libra Association acts as central bank
"[The new blockchain for the global currency] is a decentralized, programmable database designed to support a low-volatility crypto currency that acts as a medium of exchange for billions of people," the Libra white paper says. Admittedly, there are many superficial technical reminiscences of Ethereum or Bitcoin in Libra: Smart Contracts, Dapps, Move, a programming language of its own, and all that even faster and better. The Libra blockchain is to be used by around 2.7 billion people who have a Facebook profile and can process up to 1,000 transactions per second. Bitcoin processes around seven transactions per second.
Unlike Bitcoin or Ethereum, the Libra Blockchain is not a public blockchain, but a Consortium Blockchain in which only paying members of the Libra Association are involved in mining. According to Facebook, this is necessary in order to avoid problems such as high energy consumption, slow transactions and other difficulties that plague Bitcoin, for example. For this reason alone, the Libra Association acts as a sort of central bank. According to Facebook, this will change after five years and the Libra blockchain will open, but one can be sceptical about this.
https://t3n.de/news/libra-ist-keine-kryptowaehrung-kein-bitcoin-1172551/
#DeleteFacebook #libra #CryptoCurrency #decentralized #paypal #visa #uber #mastercard #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Audio
🎧 Dating App Privacy and NASA Cyberattack
* A ransomware webinar hosted by Threatpost editor Tara Seals, which included experts from Recorded Future, Malwarebytes and Moss Adams. The webinar looked at the top ransomware trends and threats, and outlined how enterprises can protect themselves.
* A Florida city hit three weeks ago by a ransomware attack voted this week to pay the hackers a ransom of $600,000.
* A Threatpost feature, that looked at top dating apps like Match.com and Tinder, found that the services are collecting and sharing a disturbing range of data, from chat messages to sexual orientation.
* Rampant security-operations bungling allowed cyberattackers to infiltrate NASA’s JPL network, which carries human mission data.
📻 #DatingApp #Privacy and #NASA #Cyberattack #podcast
https://threatpost.com/podcast-dating-app-privacy-and-nasa-cyberattack/145902/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Can’t Fight the Future, Suckers! #PropagandaWatch
Don’t want an Alexa in your home spying on everything you say? Well too bad, suckers! It’s the way of the future. Can’t argue with that, right?
Who would have ever guessed that the creepy spy gadget that’s listening to everything you do is listening to everything you do? Anyone with half a brain, that’s who.
❗️ Don’t buy this garbage, and don’t let your friends buy it, either.
📺 #Corbettreport #alexa #why #video #podcast
https://www.corbettreport.com/cant-fight-the-future-suckers-propagandawatch/
📺 Don’t Be An Idiot! Get Rid of Alexa!
https://www.corbettreport.com/dont-be-an-idiot-get-rid-of-alexa/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Insider Blows Whistle & Exec Reveals Google Plan to Prevent “Trump situation” in 2020 on Hidden Cam
Project Veritas has released a new report on Google which includes undercover video of a Senior Google Executive, leaked documents, and testimony from a Google insider. The report appears to show Google’s plans to affect the outcome of the 2020 elections and “prevent” the next “Trump situation.”
“Elizabeth Warren is saying we should break up Google. And like, I love her but she’s very misguided, like that will not make it better it will make it worse, because all these smaller companies who don’t have the same resources that we do will be charged with preventing the next Trump situation, it’s like a small company cannot do that.”
📺 https://www.projectveritas.com/2019/06/24/insider-blows-whistle-exec-reveals-google-plan-to-prevent-trump-situation-in-2020-on-hidden-cam/
📡 @BlackBox
#whistleblower #google #DeleteGoogle #HiddenCam #undercover #insider #why
For Police, Social Media Is Now Part of the Job
🎧 For Police, Social Media Is Now Part of the Job
When police officer David Gomez was first stationed at a school in rural Idaho, he thought he’d spend his time breaking up fights in bathrooms and scanning the hallways for weed. Instead, he found that almost every problem was either happening on social media or started there. This week on Decrypted, reporter Shelly Banjo explores how age-old dangers like drugs, child predators and school shooters have shifted onto new platforms, and how one school has tried to adapt.
📻 #Bloomberg #podcast
https://www.bloomberg.com/news/audio/2019-06-24/for-police-social-media-is-now-part-of-the-job-podcast
4 Times the US Threatened to Stage an Attack and Blame it on Iran
The US has threatened to stage an attack and blame it on Iran over and over in the last few years. Don’t let a war based on false pretenses happen again. Please share this video.
📺 #corbettreport #video #podcast
https://www.corbettreport.com/iranfalseflag/
Witness Speaks Out on Organ Harvesting Taking Place in China
A former intern at a #military #hospital in #Shenyang witnessed the #crime firsthand and spoke with NTD about his harrowing experience.
https://news.ntd.com/witness-speaks-out-on-organ-harvesting-taking-place-in-china_347497.html
📺 An independent people’s #tribunal has unanimously concluded that #prisoners of #conscience have been—and continue to be #killed in #China for their #organs “on a significant scale,” after a year-long #investigation
https://www.youtube.com/watch?v=nM1ZzWeshFk
#HumanRights #video #podcast
🇪🇸 The challenge of computing in the cloud on encrypted data without decrypting it.
Like everything in life, the cloud has its advantages and its drawbacks. We all know the advantages: lower costs, zero maintenance, enormous flexibility, total availability, high scalability, and so on. Its security problems are just as obvious: a compromised server means the compromise of the data hosted on it.
The immediate countermeasure that occurs to all of us for protecting data stored in the cloud is to encrypt it. Encryption works well as long as the data stays at rest and no operations need to be performed on it. But what if computations have to be carried out in the cloud? How can that be done without decrypting the data or revealing the encryption keys to the software running in the cloud?
The challenge is formidable. A strong research effort is under way to develop cryptographic methods that allow computation on encrypted data without decrypting it, for example:
✳️ Fully homomorphic encryption (FHE), which seeks to address this problem by requiring a client to encrypt the data before sending it to the cloud and also to supply code that runs over that data without decrypting it. The results are returned to the client in encrypted form. Since only the client controls the decryption key, nobody else can decrypt the original data or the results, which guarantees the security of that information. Unfortunately, while computing on encrypted data is theoretically possible, the computation slows down by almost 10 orders of magnitude, which makes it impractical with the algorithms available today.
✳️ Another strategy is secure multi-party computation (SMPC), in which multiple entities can perform computations jointly while keeping each entity's data private. As with FHE, these protocols add considerable computational overhead, of two orders of magnitude.
✳️ Finally, threshold cryptography requires that, to decrypt an encrypted message or to sign a message, several parties (more than a predetermined threshold) must cooperate in the decryption or signing protocol. The message is encrypted with a public key, and the corresponding private key is shared among the participants.
In this article we will look at how FHE works in more detail, and in a second article we will go deeper into the other two strategies.
Fully homomorphic encryption (FHE).
Homomorphic encryption would be the "Holy Grail" of cloud security. It is defined as the ability to perform operations on encrypted data whose result, once decrypted, is identical to the result of those same operations on the plaintext data.
Although at first glance it may seem magical, the truth is that everyday cryptographic algorithms that partially support homomorphic encryption are all around us, public-key algorithms for instance. They are called "partially" homomorphic because they are homomorphic for only one operation, such as addition or multiplication, but not for any other algebraic operation. An example with the well-known RSA will make everything clearer.
Imagine that on the server you keep two quantities, x1 and x2, encrypted with your RSA public key (n and e), so that nobody but the legitimate holder of the corresponding private key, that is, you, can decrypt them. Now, RSA (without padding and without the modifications added to increase its robustness) is partially homomorphic with respect to multiplication, since:
Therefore, the server could multiply your two encrypted quantities and hand you the encrypted result without knowing the values of x1 or x2. When you decrypt the returned result you will get the same value as if you had multiplied the two original unencrypted quantities. Impressive, isn't it?
There are many other cryptographic algorithms that, like RSA, are partially homomorphic, such as ElGamal, also for multiplication, or Paillier for addition.
Things get enormously more complicated when one seeks "fully" homomorphic encryption (FHE), capable of supporting both addition and multiplication. Although there are many FHE proposals in the scientific literature, the most prominent is the one put forward by Craig Gentry in 2009 and developed further by him and by other authors over the years. His proposal is based on an abstract algebraic concept known as a "lattice". You have surely seen hundreds of lattices on windows and balconies. The ones sold in DIY stores are two-dimensional lattices: wooden or metal slats that cross at certain points. Now imagine that same lattice in 3D. Now add another dimension. And another. And another. And so on up to n dimensions. Well, do you have an n-dimensional lattice in your head yet? Complicated, isn't it? You can believe that finding the closest point to another in that lattice is no easy task. In fact, it is so hard that it is known as the Shortest Vector Problem (SVP) and is precisely the "intractable" mathematical problem behind lattice-based encryption. In fact, this cryptosystem is one of the most serious cryptographic alternatives for the post-quantum era.
Best of all, with the right variants, lattices also serve for fully homomorphic encryption. But, and here comes a big, big BUT, these algorithms are tremendously inefficient. Operating on the encrypted data can become up to 10 orders of magnitude slower than on the plaintext data (that is, 10^10 times slower or, equivalently, a one followed by ten zeros: 10,000,000,000). In short, they are unusable for real practical applications. Until they reach acceptable speeds, we will not see large-scale deployment in cloud services. Meanwhile, research in this field continues intensely.
In the meantime, cryptographers are not sitting idle. If operating on encrypted data is a formidable challenge, why not tackle simpler versions of the problem? Perhaps you don't trust your cloud provider. Could the load be shared between the two of you? Other cryptographic schemes aim to let several mutually distrusting parties operate on the data without having to reveal it to one another.
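As an added example, not part of the original article: textbook RSA with constructed toy primes, showing that the server's product of two ciphertexts decrypts to x1·x2 while the sum of two ciphertexts does not decrypt to x1 + x2, which is what "partially homomorphic" means. The primes, exponent and plaintexts are all constructed for the demo.

```python
# Added example, not from the original article: textbook RSA is homomorphic for
# multiplication only. Primes, exponent and plaintexts below are constructed toy
# values; real deployments use 2048-bit moduli and padding (OAEP/PSS), which
# deliberately destroys this malleability.

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), d) for the given primes (constructed, toy-sized)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return (n, e), d

def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)

def decrypt(pub, d: int, c: int) -> int:
    n, _ = pub
    return pow(c, d, n)

def server_multiply(pub, c1: int, c2: int) -> int:
    """Untrusted server: multiplies ciphertexts using only the public modulus."""
    n, _ = pub
    return (c1 * c2) % n

def server_add(pub, c1: int, c2: int) -> int:
    """Same idea for addition; RSA gives no guarantee for this operation."""
    n, _ = pub
    return (c1 + c2) % n

def demo(x1: int = 1234, x2: int = 5678) -> dict:
    pub, d = rsa_keygen(p=1_000_003, q=1_000_033)   # constructed toy primes
    n, _ = pub
    c1, c2 = encrypt(pub, x1), encrypt(pub, x2)
    # The client decrypts what the server returns; the server never sees d.
    product = decrypt(pub, d, server_multiply(pub, c1, c2))
    total = decrypt(pub, d, server_add(pub, c1, c2))
    return {
        "product": product, "expected_product": (x1 * x2) % n,   # equal
        "sum": total, "expected_sum": (x1 + x2) % n,              # not equal
    }
```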
https://empresas.blogthinkbig.com/computacion-segura-en-la-nube-datos-cifrados-sin-descifrarlos-parte-1/
#nube #seguridad #cifrado
Secure multi-party computation (SMPC).
Imagine you are chatting with two colleagues. The subject of the bonuses you receive comes up. All three of you would like to know who receives the highest bonus, but none of you wants to reveal the amount of your own bonus. How can you find out? One solution is to trust a third party to whom each of you reveals your bonus and who, once all are known, announces who gets the biggest bonus.
Now imagine you work in the intelligence service of a cybersecurity company. An attack has occurred and you have a list of suspects. The intelligence services of other companies also have their own lists of suspects. You would like to know which suspects appear on every list, but neither your company nor the others want to reveal their full list. How can you compute the intersection of these lists? Once again, an immediate solution would be for each company to hand its list to a trusted third party, which then computes the intersection of all the suspect lists.
In both scenarios a trusted third party is used. But what if you don't trust this third party? After all, assuming that a party is trustworthy is assuming a lot. How else could these dilemmas be resolved without resorting to third parties and with the same security guarantee?
Precisely, secure multi-party computation proposes protocols that emulate the trusted third party. They allow a function with several input values to be computed so that only the result of evaluating the function is revealed, keeping the input values private.
Expressed mathematically: a number n of participants, p1, p2, …, pn, each of whom holds private data, respectively d1, d2, …, dn, want to compute the value of a public function on that private data, F(d1, d2, …, dn), while keeping their own inputs secret.
Let's return to the bonus example. If the inputs x, y, z represent your bonuses, you want to know the highest of the three without revealing the value of any of them. In other words, you want to compute:
F(x, y, z) = max(x, y, z)
These protocols are expected to guarantee a series of security requirements:
✳️ Correctness: even if some of the parties cheat, the final result will be correct.
✳️ Privacy: only the result of evaluating the function is learned, not the values of the inputs evaluated (except one's own, of course).
✳️ Input independence: no party can choose its input as a function of another party's input.
✳️ Fairness: if one party learns the result of the evaluation, then all parties learn the same result.
✳️ Guaranteed output delivery: if one party has access to the result, then the other parties will have it too.
There are different cryptographic protocols for carrying out this secure computation by distributing it among the parties. The best known is Yao's Garbled Circuit protocol. The idea of this protocol is to simulate any mathematical function with a Boolean circuit using only logic gates, specifically AND and XOR. For very simple functions, these circuits can even be designed by hand. Obviously, as functions become more and more complex, the circuits grow in complexity in parallel. You can imagine that simulating AES with AND and XOR gates is not exactly an easy task, although it is possible, with 32,000 gates! In fact, the most recent implementations achieve very efficient speeds, of a few milliseconds.
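As an added example, not part of the original article: a toy garbling, in Yao's style, of the circuit (a AND b) XOR c, with two random labels per wire, an encrypted truth table per gate, and an evaluator that can open exactly one row per gate. The oblivious-transfer step that would deliver the evaluator's own input labels is omitted and replaced by handing the labels over directly; that shortcut and the hash-based row encryption are assumptions of this demo.

```python
# Added example, not from the original article: minimal Yao-style garbled circuit
# over AND and XOR gates. The garbler picks two random labels per wire (meaning
# 0 and 1) and publishes one encrypted truth table per gate. The evaluator holds
# one label per input wire, opens exactly one row per gate and learns the output
# label, but never which bit any wire carries. Oblivious transfer is omitted
# (assumption of this demo): input labels are handed to the evaluator directly.
import hashlib
import os
import random

LABEL_LEN = 16
TAG = bytes(LABEL_LEN)          # all-zero tag marks the row that decrypted correctly
GATES = {"AND": lambda a, b: a & b, "XOR": lambda a, b: a ^ b}

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _row_key(la: bytes, lb: bytes) -> bytes:
    # 32-byte one-time pad derived from the two input labels (label + tag)
    return hashlib.sha256(la + lb).digest()

class GarbledCircuit:
    """Garbler side. gates: list of (kind, wire_a, wire_b); gate i drives wire n_inputs+i."""

    def __init__(self, n_inputs: int, gates: list):
        self.n_inputs, self.gates = n_inputs, gates
        n_wires = n_inputs + len(gates)
        self.labels = [(os.urandom(LABEL_LEN), os.urandom(LABEL_LEN)) for _ in range(n_wires)]
        self.tables = [self._garble(kind, a, b, n_inputs + i)
                       for i, (kind, a, b) in enumerate(gates)]

    def _garble(self, kind: str, a: int, b: int, out: int) -> list:
        rows = []
        for bit_a in (0, 1):
            for bit_b in (0, 1):
                out_label = self.labels[out][GATES[kind](bit_a, bit_b)]
                key = _row_key(self.labels[a][bit_a], self.labels[b][bit_b])
                rows.append(_xor(key, out_label + TAG))
        random.SystemRandom().shuffle(rows)   # row position must not reveal the inputs
        return rows

    def input_labels(self, bits: list) -> list:
        # Stands in for oblivious transfer: one label per input wire, chosen by bit
        return [self.labels[i][bit] for i, bit in enumerate(bits)]

    def decode_output(self, label: bytes) -> int:
        # Only the garbler's label table maps the final label back to a bit
        return self.labels[self.n_inputs + len(self.gates) - 1].index(label)

def evaluate(tables: list, gates: list, input_labels: list) -> bytes:
    """Evaluator side: sees garbled tables and exactly one label per wire."""
    wires = list(input_labels)
    for (_, a, b), rows in zip(gates, tables):
        key = _row_key(wires[a], wires[b])
        for row in rows:
            pt = _xor(key, row)
            if pt[LABEL_LEN:] == TAG:      # exactly one row opens with these labels
                wires.append(pt[:LABEL_LEN])
                break
        else:
            raise ValueError("no row decrypted: inconsistent input labels")
    return wires[-1]

def run(bits: list) -> int:
    """f(a, b, c) = (a AND b) XOR c; wires 0-2 are inputs, 3 = AND, 4 = XOR."""
    gates = [("AND", 0, 1), ("XOR", 3, 2)]
    gc = GarbledCircuit(3, gates)
    out_label = evaluate(gc.tables, gates, gc.input_labels(bits))
    return gc.decode_output(out_label)
```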
Of course, secure multi-party computation is far more complicated. The adversary may be passive or active; the functions to be evaluated may be more or less complex; protocols may tolerate a greater or smaller number of active adversaries; they may impose stronger or weaker security restrictions; they may require more or less computation time; they may demand that all nodes of the network be connected to each other or merely that some path exist between any two nodes; they may communicate synchronously or asynchronously; and so on.
Some companies have begun to market SMPC solutions in real scenarios: Private Data as a Service applications, such as the Sharemind or Jana databases; key management applications, such as the products from Sepior or Unbound; and point-solution applications, such as Partisia's.
In short, secure multi-party computation is a continually expanding field, with a multitude of protocols, scenarios and use cases, in which we are still very far from having heard the last word.
Threshold cryptography
Cryptography has become a technological standard for protecting the confidentiality of data. In cryptography, a basic design rule is known as Kerckhoffs's Principle: everything about a cryptosystem is known except the key.
The question is: if you store the data encrypted, where do you store the encryption key? Ultimately, the security of an encryption system rests on the management of its keys. Keys become the Achilles' heel of cryptography. In fact, they are not even safe in the computer's memory: Heartbleed, Spectre and Meltdown come to mind as recent examples of vulnerabilities that allowed private regions of memory to be read and, among other data, encryption keys to be obtained. In turn, side-channel attacks can leak information about keys through electromagnetic or power-consumption variations. What's more, keys can remain recorded in DRAM even after the machine is switched off. Is there no way, then, to guarantee the security of keys?
One solution is to split the key into two or more parts, so that the encrypted information cannot be decrypted unless all (or a minimum number of) the parts of the key are brought together. For example, to split the key K into three parts, K1, K2 and K3, two keys K1 and K2 are selected at random, with the same length as K. The third part of the key is computed as K3 = K1 ⊕ K2 ⊕ K, where ⊕ is the exclusive OR operation. No two parts provide any information about the secret key: all three parts are needed to recover K (we leave it as an exercise to the reader to check that this is indeed the case).
The scheme described has the "3 of 3" property. Generalising, a secret-sharing scheme is "k of n" (with n ≥ k ≥ 1) if bringing together k parts recovers a secret shared among n parties, but bringing together k − 1 parts reveals nothing about the secret.
And that is how we arrive at threshold cryptography. It is no longer simply a matter of splitting the key into several parts, as in the simple example above, but of performing cryptographic operations with each part of the key so that, when they are all put together, the result is the same as if the operation had been performed with the complete key. RSA will once again help us understand it more clearly.
We saw in the previous instalment that the public key consists of two numbers: an exponent, e, and a modulus, n, which in turn is the product of two primes, n = p · q. The private key, for its part, consists of a number d such that e · d = 1 mod (p − 1) · (q − 1).
To sign a message m with RSA, the computation s = m^d mod n is performed. Verifying the signature is very easy for anyone who knows the public key, by computing s^e = m^(e·d) = m mod n.
¿Cómo conseguir que un grupo de personas coopere para firmar un mensaje? En lugar de firmar el mensaje una sola persona con la clave privada d, se puede separar esta clave en varias, por ejemplo, en tres: d1, d2, d3, tales que d1 + d2 + d3 = d mod (p − 1) · (q − 1).
Ahora, cada una de las partes puede firmar por su cuenta el mismo mensaje m: s1 = md1, s2 = md2, s3 = md3, de manera que la firma total será el producto de las tres firmas: s = s1 · s2 · s3. Es fácil verificar que s1 · s2 · s3 = md1 + d2 + d3 = md mod n. En otras palabras, sólo puede crearse una firma completa si cada una de las partes firma el mensaje con su parte de la clave privada. Así se protege la clave privada, d, ya que no se almacena completa en ningún servidor ni en ninguna memoria. Ni siquiera es necesario reunir las tres partes de la clave, ya que cada operación de cifrado de cada parte es independiente del resto. Podría comprometerse una parte de la clave o incluso dos y, aun así, la clave completa se mantendría segura.
Los esquemas de criptografía con umbral más sofisticados poseen la propiedad «k de n» ya mencionada. Esta propiedad aporta tolerancia a fallos: una parte de la clave podría perderse o verse comprometida y, aun así, se podría realizar la operación criptográfica con la parte restante. Además, exige la cooperación: ninguna parte podrá realizar la operación criptográfica completa; al menos k partes han de ponerse de acuerdo. Desde la perspectiva de un atacante, comprometer una parte de la clave no le servirá de nada: necesitará comprometer al menos k partes.
Como vemos, la criptografía con umbral elimina los puntos únicos de fallo en criptografía, permitiendo redistribuir la responsabilidad de la custodia de las claves. Y no vayas a creer que todo queda en ejercicios matemáticos para cursos de postgrado: los productos de gestión de claves de Sepior y de Unbound constituyen los ejemplos más avanzados de soluciones basadas en criptografía con umbral de la actualidad. Como los otros campos de estudio, está en constante expansión y veremos nuevos resultados próximamente.
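The two constructions the post describes, the 3-of-3 XOR key split and the additive RSA threshold signature, as an added Python example (not code from the original article). The RSA parameters are constructed toy values: textbook RSA with tiny primes is only there to make the arithmetic visible, not a usable signature scheme.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key_xor(key: bytes) -> tuple:
    """3-of-3 split: K1, K2 random, K3 = K1 xor K2 xor K."""
    k1 = secrets.token_bytes(len(key))
    k2 = secrets.token_bytes(len(key))
    k3 = xor_bytes(xor_bytes(k1, k2), key)
    return k1, k2, k3

def recover_key_xor(k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """All three shares are needed: K = K1 xor K2 xor K3."""
    return xor_bytes(xor_bytes(k1, k2), k3)

# Constructed toy RSA parameters (far too small for real use).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # e * d = 1 mod (p - 1)(q - 1)

def split_private_exponent(d: int, phi: int, parts: int = 3) -> list:
    """Additive shares with d1 + ... + dn = d mod (p - 1)(q - 1)."""
    shares = [secrets.randbelow(phi) for _ in range(parts - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares

def partial_sign(m: int, d_i: int, n: int) -> int:
    """Each share holder computes s_i = m^d_i mod n on its own; the
    shares are never brought together."""
    return pow(m, d_i, n)

def combine_signatures(partials: list, n: int) -> int:
    """s = s1 * s2 * s3 mod n = m^(d1 + d2 + d3) = m^d mod n."""
    s = 1
    for s_i in partials:
        s = (s * s_i) % n
    return s

def verify(m: int, s: int, e: int, n: int) -> bool:
    """Anyone holding the public key checks s^e = m mod n."""
    return pow(s, e, n) == m % n

def threshold_sign_demo(m: int) -> bool:
    """Sign m with three independent share holders and check that the
    combined signature equals the one the full key d would produce."""
    shares = split_private_exponent(D, PHI)
    s = combine_signatures([partial_sign(m, d_i, N) for d_i in shares], N)
    return s == pow(m, D, N) and verify(m, s, E, N)
```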
https://empresas.blogthinkbig.com/computacion-segura-en-la-nube-datos-cifrados-sin-descifrarlos-parte-2/
#nube #seguridad #cifrado
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Telefónica Tech
The great challenge of secure computing in the cloud: using encrypted data without decrypting it (II)
NSA Starts Contributing Low-Level Code to UEFI BIOS Alternative
The NSA has started assigning developers to the Coreboot project, which is an open source alternative to Windows BIOS/UEFI firmware. The NSA's Eugene Myers has begun contributing SMI Transfer Monitor (STM) implementation code for the x86 processor. Myers works for NSA’s Trusted Systems Research Group, which, according to the agency’s website, is meant to “conduct and sponsor research in the technologies and techniques which will secure America's information systems of tomorrow.”
Can The NSA Be Trusted With Such Low-Level Code?
NSA has worked on security projects embraced by the public before, including Security-Enhanced Linux, a security module for Linux. More recently, the NSA released the Ghidra reverse engineering tool as open source, which has also been adopted by Coreboot developers so that they can more easily reverse-engineer hardware firmware.
Myers published a paper about STM last year on how NSA’s STM implementation could work. All Coreboot code, including all the STM contributions from the NSA, is open source, so anyone could verify that there is no backdoor in there -- in theory.
In practice, the NSA could also have written the code in a less-than-secure way, with vulnerabilities that are hard to detect for anyone but very experienced security researchers. Alternatively, the NSA could update this implementation years later, when there are fewer eyes on the STM implementation and the update would no longer make headlines.
This wouldn’t be completely out of the question for an agency like the NSA. After all, the NSA succeeded in pushing a backdoor through the NIST standardization process years ago. The agency was also accused by EFF co-founder John Gilmore of sabotaging the IPsec protocol by making it too complex to ever be secure (something that would benefit an espionage agency).
More recently, it also tried to push two encryption algorithms through the ISO standardization process, but the reviewers overwhelmingly rejected the algorithms based on trust concerns and NSA’s failure to answer some technical questions.
Read more:
https://www.tomshardware.com/news/nsa-contributes-low-level-stm-coreboot,39704.html
#nsa #code #UEFI #BIOS #coreboot
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
I was 7 words away from being spear-phished
Three weeks ago I received a very flattering email from the University of Cambridge, asking me to judge the Adam Smith Prize for Economics:
"Dear Robert,
My name is Gregory Harris. I’m one of the Adam Smith Prize Organizers.
Each year we update the team of independent specialists who could assess the quality of the competing projects:
https://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize
Our colleagues have recommended you as an experienced specialist in this field. We need your assistance in evaluating several projects for Adam Smith Prize.
Looking forward to receiving your reply.
Best regards, Gregory Harris"
I wouldn’t say I’m an “expert” in economics exactly, but the university’s request wasn’t that surprising. I do have a subscription to The Economist, and I do understand - very roughly - how and why central banks set interest rates. I’ve read “Capital in the Twenty-First Century” and basically got the gist of the first half. I’ve written a few blog posts that I’ve generously tagged as “economics”, and perhaps there’s a new discipline of computational economics that I might be able to shed some software industry insight onto. Overall it felt perfectly plausible that the organizers of the Adam Smith prize would want my perspective. I assumed that being a judge for the Adam Smith Prize would be a lot of work and would not be paid, but it would still be great fuel for the ole ego.
All of this said, in my heart of hearts I knew that some wires had probably got crossed somewhere. There was no doubt a Professor Hobert Reaton at UC San Diego, expert in Heckscher-Ohlin trade theory, who was patiently waiting for the chance to further his career through a Transatlantic collaboration. Nonetheless, I judged this a thread worth pulling and a mild fantasy worth entertaining.
I reflexively did some basic security hygiene checks. The email was from an @cam.ac.uk email address. I hovered over the link in the email - https://people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. It pointed to the same URL that the email text claimed it did, and was located on a valid cam.ac.uk subdomain. It did strike me as a little odd that the page was hosted inside gh327’s personal directory instead of the main economics department’s site; but hey, it’s probably less bureaucracy that way. I clicked on the link and read a little about the history of the Adam Smith prize.
If “Gregory” had added just 7 extra words to this page - “THIS PAGE MUST BE VIEWED IN FIREFOX” - I would have been screwed. More on that later.
Next I think I visited the root cam.ac.uk website to make sure that this really was the domain of the University of Cambridge. I did a quick Google for gregory harris cambridge to see how much of a big deal he was. I couldn’t find much - I vaguely remember turning up only a very sparse LinkedIn account. But that’s fine; not everyone has to have a Twitter profile or a cooking blog.
I remember thinking that Gregory’s email seemed very curt and poorly phrased, and that he could use a few lessons on how to most effectively ask strangers on the internet to do free work for him. He was lucky that I didn’t care about such trivialities. He was also lucky that I didn’t care that he’d missed a “the” in We need your assistance in evaluating several projects for Adam Smith Prize. Apparently I further didn’t care that he’d unnecessarily capitalized the word Organizers in Adam Smith Prize Organizers, or that he didn’t seem to understand that a paragraph can contain more than a single sentence.
At the time I just thought he wasn’t a very good writer.
I sent Gregory a short reply, expressing preliminary interest and asking for more information...
Read more:
https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/
#phishing #firefox #zeroday
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN