Tag: security

  • Daring to Imagine Cyberwarfare

    Daring to Imagine Cyberwarfare

    Disclaimer: this article is meant to prevent the hostile use of technology by encouraging transparency and highlighting the major risks that await us during the coming years. I live on a planet where I don’t want to have nuclear weapons and especially not nuclear weapons that can be hacked^.

    Computer viruses and hacking have been around since the dawn of the Internet. But while some time ago the platform was used almost exclusively by academics and the tech-savvy, the Internet is now quickly becoming one of the central technological pillars of our society. Particularly in developed countries, countless vital social systems are now connected to it, ranging from the run-of-the-mill residential heating system to critical infrastructure such as hospitals, public transport and even military.

    In the same time, the skills and tools in the cyber-soldier’s arsenal have greatly increased in potency. Even more importantly, the interest and will to compromise connected systems has increased exponentially in the past decade. Some years ago, the Internet was home to mostly petty crime and the occasional larger security breach. Now-a-days, state actors such as the United States^, North Korea^, and pretty much all major powers and nation-states involved in military conflicts, train and make use of cyber-hacking squads.

    Independent hackers (not aligned with any nation-state or political cause) and hacktivists^ (hackers with a presumably ethical agenda) have also evolved. They’ve become very well organized and armed, sometimes using digital weapons acquired from state agencies. One of the biggest vulnerabilities of cyber-weaponry is that it can be copied and distributed in a matter of seconds.

    In 2017, the NSA was humiliatingly robbed^ by hackers. Immediately after, the agency’s arsenal was distributed and sold^ to organizations across the globe. Some major^ security incidents^ followed. I’m sure that what was made public so far only scratches the surface^ of the damage done. The increasing popularity of ransomware^ will lead to many more such attacks in the future^. After all, it appears like North Korea got itself quite a bit of money using WannaCry^.

    Judging by the trend of the past decade, it sure looks like things will get worse before they get better. As more and more devices come online, the risks will only increase. The cyber-arsenal of the 2020s is beginning to look very scary, especially when considering the exponentially increasing number of targets. Combined with the way technology permeates our lives (and how much of our personal information is in the hands of companies that profit from selling data^), a country could find itself brought to its knees before a single shot was fired.

    Throughout the past few years I’ve been compiling a list of cyber-attack methods ranging from the mundane to the most interesting and devious. Later in the article I’m going to present you with a few scenarios showing how these methods could be used against a nation-state. I do this in the hope that governments will take the necessary steps to protect their citizens (and, in fact, the entire world) from what I consider to be the blitzkrieg of the 21st century.

    Means of Cyberattack

    This list is by no means exhaustive and I aim to regularly maintain it. It’s important to also keep in mind that none of the items on this list is particularly devastating by itself. The power of today’s cyber-attacker lies in mastering the art of combining several attacks to reach the desired result, something that will be covered in the second part of the article.

    • Worms^ and viruses are the oldest means of cyberattack. Despite the popularity of antivirus programs, these old acquaintances of ours can still wreak havoc long before antivirus makers can issue the required countermeasures. The omnipresence of the Internet has allowed viruses and worms to maintain their feasibility.
    • Spyware^ is commonly perceived as a tool employed by shady organizations in order to acquire user data (with the purpose of monetizing it). It’s much more dangerous than that. I’m unsure if espionage saved more lives than it destroyed, but through the use of spyware, people with little foresight (for example script kiddies^) can gain access to information that can destabilize a fragile geo-political and economic balance. What’s even more dangerous is that influential leaders can be blackmailed using data grabbed by spyware. And this sort of attack has been evolving as of late. Check this one about ultrasound tracking^.
    • Exploits^ are another very old acquaintance in security circles. All software has bugs. Vulnerability scanners^ are a means of automatically and easily discovering ways to deliver attack payloads such as trojan horses^. It became much worse in the past few years because various technology companies started giving remote access “features” to their devices^ – in fact, these “features” have quickly turned into messy back-doors. I suspect governments have played quite a role in motivating device manufacturers to install these back-doors. Perhaps I can entrust a government to spy only for fighting crime, but unfortunately these same tools quickly get into the hands of the same category of people the government is presumably trying to reduce. However, I think that the privacy compromises made in the name of “fighting crime” are causing more damage than they prevent.
    • Social engineering^ and phishing^ are newer additions to the cyber-arsenal. These means of obtaining private information and gaining access to restricted systems have become popular thanks to the Internet, and particularly when millions of less tech-savvy people started using it.
    • And now onto more inventive means of attack. In 2017, students demonstrated that sonic attacks^ can be used to disrupt vehicle steering systems. This is just the tip of the iceberg though.
    • As far back as 2016 (which is ages ago in technology), researchers have proven that a Skype call’s sound^ can be scraped to detect up to 41.89% of the keystrokes somebody presses during the call. The ratio goes up to 91.7% if there is knowledge about the keyboard model being used and the user’s typing behavior. With the advent of machine learning^, I’m quite sure that these numbers can be greatly improved. Given enough data, a program can recognize the model of the keyboard being used after analyzing the sound of a couple of sentences being typed, and then be able to map every sound to the appropriate key. When in doubt, the same program can employ a dictionary of common words and phrases to figure out the gaps.
    • Hacking robots is quickly becoming a serious threat. One of the most famous cyberweapons ever employed was the Stuxnet^ worm, which was responsible back in 2009^ for damaging Iran’s nuclear program. Legal experts have actually concluded that, despite the worm’s “good intentions”, its use was illegal^. Despite my opposition to nuclear weapons, I find it hypocritical when one country forbids another to build them through dehumanizing excuses such as “you are irresponsible warmongers”.
    • Continuing with robot hacking, we’re living in an age when more and more of the technology we use becomes “smart” (read: exploitable). Enter “smart” cars (read: hackable cars^). And this Internet of Things^ thing is gaining momentum despite all the warnings out there^. As internet pioneer Bruce Schneier recently pointed^ out, “it might be that the internet era of fun and games is over, because the internet is now dangerous.”
    • Last but not least, here’s my absolute favorite cyber-attack. Hardware backdoors^! As the Wiki article points out, “China is the world’s largest manufacturer of hardware which gives it unequaled capabilities for hardware backdoors”. A well-hidden back-door^ may never be discovered until too late. This is one of the most effective and most expensive weapons in the cyber-arsenal; only nation-states or large corporations can afford deploying it. And I’m quite sure that almost all of our devices are ridden with such crafty points of entry.

    Cyberwarfare

    So now that the little list of doom is more or less complete, let’s see what attack vectors combinations are likely to be used in a major confrontation where the target is a technologically-developed country. Here, the imagination’s the limit, so I’ll just give a few scary examples to make a point and leave the rest of the inventing to those that have more time (and money) for it.

    • A country can be very easily thrown into chaos by a well-orchestrated cyberattack. Just suppress the invasion alert system^, shut down the power grid^, overload the communication networks^, mess with the self-driving traffic and other robots, disrupt stock markets and, of course, invade with conventional troops that have a better knowledge of the invaded country than the defending army does. Sounds difficult? Not for a nation-state that does its homework. There is so much personal data and so many vulnerabilities out there! A secret agency can work its way into the system by blackmailing the right people and ask them to do seemingly harmless favors at just the right time. Slowly but surely, foreign software is everywhere and plenty of vulnerabilities have been created and exploited.
    • How about taking over an armed outpost with no casualties on the attacking side? It can be done by taking out all the guards, silently and quickly. It’s easy when the attacker knows their patrol routes^ by heart. The article I linked shows how a seemingly harmless app reveals such information because some soldiers use it to track their fitness. Hilarious and dangerous in the same time. Because of the hardware backdoors most likely present in our devices, it’s fairly safe to assume that at least some countries on Earth can probably activate GPS tracking on seemingly harmless mobile devices in case of war. Even if measures are taken to counteract this, we’re talking 21st century technology here: conventional weapons have evolved and, used in conjunction with various surprise elements, can win a war faster than nukes. This is because nukes simply destroy everything, whereas a well-orchestrated attack can result in hostages, hijacked equipment and most importantly, access to secure data systems.
    • One of the most awful attacks I’ve ever read about was when an epileptic journalist was sent into a seizure^ after somebody sent him a strobing image using social media. This led to an arrest. It shows not just what our technology allows, but also how deviously inventive people can be. The attacks combined here are knowing something about somebody and then employing a means of delivery (social media) for sending a dangerous payload (an image causing an epileptic seizure).
    • And we can’t forget meddling into politics. It’s already well-known that Russia interfered^ in the 2016 election over in the USA. And guess what: they still interfere in daily life there^. It’s already turning into a fashion, and probably other countries are taking notes and getting ready to follow suit. Now-a-days not a single shot needs to be fired to push a country over the brink. A clever use of cyber-weapons can give a nation-state a solid advantage in a trade or cultural war. Divide et impera.
    • Some time ago, somebody deactivated Trump’s Twitter account^. Even though hopefully nobody would believe a nuclear war declaration from a Twitter account, such a security breach could be coupled with fake radar signals or other misleading information. A paranoid adversary might be quick to pull the trigger and in the aftermath, there won’t be many winners.
    • As our technology evolves, so will our use of various robots. Self-driving cars, fully automated factories and countless jobs that will soon be given to robots. It’s not hard to imagine the amount of damage that can be done to a country’s infrastructure and population by a well-orchestrated cyberattack.
    • Last but not least, let’s talk machine learning. As I pointed out before, AI is not really intelligent yet^. Many developed countries make use of machine learning for all sorts of things, such as super-fast trading on the stock market. As the years pass, we will see more systems being automated, but not able to discern right from wrong. And what will happen when such systems are hijacked? What would a terrorist do with an AI? This is a door that my imagination doesn’t want to open.

    Countermeasures

    Security needs to be taken much more seriously. In 2017, a bunch of big names got together with the purpose of securing the Internet of Things^. At least once in a while, it’s good that corporations seem capable of actually cooperating. Or can they?

    The website of the famed alliance looks deserted^; there are very few resources there and it seems like it hasn’t been updated since its launch in early 2017. Unfortunately, in the age of hyper-consumerism^, such a publicity stunt is probably enough to keep people thinking that these companies actually care about security (they don’t seem to). So, the majority keeps buying insecure devices that can eventually be used against them (and their countries).

    Shortly after writing this article (12 days, to be precise), a new, fancier alliance between tech behemoths launched the Cybersecurity Tech Accord^ with great fanfare. Let’s wait and see if their website^ will still be around in about a year from now…

    I believe the only way for society to protect itself from online threats is to:

    • Use open source software exclusively and thoroughly verify it, line by line.
    • Rely on open source hardware designs or come up with them itself (it’s not so difficult now-a-days – several countries already do this).
    • Build all critical hardware in-house (local factories, local employees).
    • Secure communication endpoints with encrypted routers using multiple layers and fallback endpoints, similar to TOR^ but with additional layers of redundancy (similar to two people having to turn the same key at the same time in order to launch a missile).

    And last but certainly not least, we have… quantum cryptography^. This could be a savior but it remains to be seen if nation-states and corporations will ever allow its use by the general public. China has been making great strides^ when it comes to this technology. Yes, the same China that manufactures most of our electronics. I wonder why they’re so interested in secure communication…

    Version history:

    2018-04-06 – 1.0 – Written.

    [ax_meta fbimgurl=’http://mentatul.com/wp-content/uploads/2018/05/002835-Cyberwarfare-Share.jpg’ lnimgurl=’http://mentatul.com/wp-content/uploads/2018/05/002835-Cyberwarfare-Thumb.jpg’ fbimgw=’1170′ fbimgh=’350′ lnimgw=’250′ lnimgh=’250′ title=’Daring to Imagine Cyberwarfare’ desc=’The skills and tools in the cyber-soldier's arsenal have greatly increased in potency. Even more importantly, the interest and will to compromise connected systems has increased exponentially in the past decade.’]

  • The Spectre of Meltdown

    The Spectre of Meltdown

    Security vulnerabilities are a dime a dozen now-a-days. But, when a couple of months ago we learned about Spectre^ and Meltdown^, it finally started to dawn on people just how insecure all our “high tech” really is. We’re using hole-ridden, bug-infested products.

    If the Wikipedia articles above are too boring, here’s a relatively more layman-friendly breakdown of what happened:

    https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers^

    https://www.wired.com/story/meltdown-and-spectre-patches-take-toll/^

    I don’t know if the constant deluge^ of security exploits has resulted from the challenges that arise from working with highly complex technology or is caused by some sort of surveillance conspiracy. What’s certain is that this shows just how weak our technology is and how easily it can be overcome.

    I will definitely not allow my home to be controlled by “smart devices” based on closed-source technology. And this includes closed-source hardware designs manufactured in factories under the control of expansionist governments:

    http://mentatul.com/2016/06/15/cyber-warfare-is-scary/^

    [ax_meta lnimgurl=’http://mentatul.com/wp-content/uploads/2018/03/02754-SpectreOfMeltdown-Thumb.jpg’ lnimgw=’250′ lnimgh=’250′ title=’The Spectre of Meltdown’ desc=’After Spectre and Meltdown, it finally started to dawn on people just how insecure all our "high tech" really is.’]

  • Why It’s Not Surprising That Smartphone Privacy Is Going from Bad to Worse

    Why It’s Not Surprising That Smartphone Privacy Is Going from Bad to Worse

    Throughout the past years there have been several high-profile occasions when apps were in the news for questionable tracking strategies. Even applications that do not use novel means of compromising our privacy are gobbling up increasing amounts of data while their creators cash in on the profits obtained from selling the user’s digital life^ to the highest bidder. At the receiving end of this deluge of spyware are we, the people.

    Even for those of us that do read the list of permissions an app requests upon installation, it is hard to avoid installing certain apps because they come with other features that we need. It’s an old trick that is akin to the Trojan horse. This is how these dubious app creators get in our back yard: by offering something that is 90% useful and 10% spyware, but which must be accepted as a whole.

    Devious solutions for the same old need

    Smartphone espionage has gotten very clever as of late. Check these two^ stories^ about ultrasonic tracking. According to one research, hundreds of Android apps with an install base in the millions include a library that is used for this purpose. The way this works is by listening to ultrasonic audio “beacons” implanted in advertisements. Humans can’t normally hear sound in this range, but smartphones’ microphones can.

    When a user has one such application running and an advertisement that includes an ultrasonic marker plays on TV or anywhere around the user (for example radio or an ultrasound-emitting advertisement panel in a shopping mall), the app can make an association between the user and the played content. This can be used for simple tasks such as sending a unique ID back to a service which then sends a shop’s deals to a user, but it can just as well include a lot of other information about the device and its owner.

    Some of the things this system can achieve are rather worrying. For example, it can be used for determining a user’s (approximate) location even if the GPS is turned off or out of range. This can be done by having a particular advertisement panel emit a unique ultrasound beacon. This can later be used to determine when the user is in its proximity. The system can also be used to track a user’s TV-watching habits without consent. Some of these uses are legitimate though, like pushing advertisement and coupons to somebody that has given their consent for using this “feature”. A few such apps disclose the tracking prominently. But this is usually not the case.

    More recently, the Uber app was found to be capable to record portions of the iPhone screen^. The company defended itself saying that this was done in order to send images with maps to the iWatch (using the iPhone to render the map because the iWatch lacked the required performance). There’s a gazillion ways this can go wrong not if but when hackers manage to leverage this capability in order to steal passwords and other sensitive information. The feature was reportedly removed but it still shows exactly what the smartphone really is. And there’s no way to sugar coat this…

    The smartphone is a surveillance device

    Economically, it is used by corporations to mine data^ out of people and use it to manipulate them into buying products. The smartphone grew into a fascinating tool for mass surveillance because it comes with a bunch of features that users really want. I mean, it’s really nice to have a browser and a video camera available at all times, right? Except that all these “free” apps are just a gateway for companies that are tracking users ever since advertisers figured how to use our digital lives against us and our vulnerable minds.

    Currently, the goal most of these companies have is to get us online for as much time as possible. As for the camera and the other (many) sensors inside a phone, we might end up not being the only ones controlling them. There are innumerable cases of this technology being used with criminal intent. There’s only need for one backdoor to take control of our devices and that backdoor’s existence is ensured by the producers of these devices.

    Governments will of course not oppose this (they’ll even encourage it^) because the greatest concern of a government is to maintain its appearance as a legitimate organization. Investigative journalists^ and whistle-blowers^ have greatly damaged governments^ and corporations as of late. By increasing surveillance capabilities under various pretexts, governments and corporations hope to prevent the next public relations scandal. I’m not even blaming them; they’re just trying to survive^. But people who realize they’ve been sold behind closed doors won’t remain the loyal followers that these entities need in order to justify their existence.

    To make things easier for themselves, governments will make sure they also have access^ to whatever technologies are deployed on these devices. One problem, however, is that the citizens of one country may use devices produced in another country. What is the percentage of electronics we manufacture in Asia? And then there’s this thing about hardware backdoors^.

    Innocent bystanders

    A few days ago I was waiting in line for an old lady that wanted to change the battery of her phone. It was a keypad phone of the kind considered modern 15 years ago. The image of her sitting there in front of the cashier will stay with me for a long time because, in an instant, my mind ran through the entire planned obsolescence racket^ and understood the inevitable verdict that will be given by the system this woman fell prey to.

    In the past years I’ve become increasingly aware of the hideousness of hyper-consumerism^. But this situation has put a face on it. Of course, the shop couldn’t help her. The only option for the old lady was to switch to some other phone, most probably with a non-replaceable battery, so she can be forced to change it every few years. Not to mention she must adapt to new software every time it happens and probably be at the receiving end of automatic updates that will change features in her phone, which is exactly what an old lady wants from her device (not!).

    With corporations making money from data and with governments drooling over the private lives of its citizens, it’s no wonder that phones with replaceable batteries have disappeared off the market (using “water resistance” as a cheap excuse). Yes, there is a likely connection between forcing people to upgrade their phones and the need to make sure that those people voluntarily carry around the latest and greatest in spying technology in their pocket. Hey, some people will even queue for days and pay outrageous amounts for these things.

    Reasons & solutions

    But why is it like this? The answer is terrible in its cruel simplicity. These are the rules of the Human Game^ at this point in time. What’s terrible is that even though we are directly responsible for creating and tolerating these rules, we also face an extremely powerful opposition to change them. The machine has grown into a huge, lumbering beast whose behavior harks back to our most ancient instincts, such as the imperious need to survive. Corporations need to earn money. They exist for this purpose and this purpose alone. So it is no wonder they buy governments and do whatever it takes in order to survive in the jungle of a (stock) market^ that is the very heart of the machine.

    Can this all change? Of course it can. And the solution is wonderful in its beautiful simplicity. We just need to change the criteria with which we purchase goods and services and with which we vote. It’s as simple as that. We need to change the rules of the Human Game. Stock market processes can be changed to encourage responsible and long-term investment. Governments can be encouraged to invest into research and education. Corporations will have no alternative but to transform themselves into entities that value the environment and respect their customers. Because otherwise, nobody will purchase what they’re peddling. There’s only need for one commercial entity in every field to prove that this works. This will generate a mass extinction of the old business model. And it’s us, the consumers, who can trigger and sustain this.

    The very reason I write these words is because I strongly believe in this change. And what’s beautiful is that the change doesn’t even need to be sudden (and therefore potentially violent). Actually, it can’t be sudden because this modification in people’s mentality will not occur overnight. It will take time until more of us are ready to champion this cause and for it to spread. But it will happen. Of that, I am sure. I just wish that it will happen before another disaster strikes our civilization.

    A lovely (even if sad) wordplay
    A lovely (even if sad) wordplay

    In closing, here are a few other factoids from the war against privacy (I noticed that ZDNet has a pretty good section about all this):

    http://www.zdnet.com/article/snoopers-charter-expansive-new-spying-powers-becomes-law/^

    http://www.zdnet.com/article/inside-the-global-terrorism-blacklist-secretly-shadowing-millions-of-suspects/^

    http://www.zdnet.com/article/meet-the-shadowy-tech-brokers-that-deliver-your-data-to-the-nsa/^

    http://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/^

    http://www.zdnet.com/article/one-federal-wiretap-order-recorded-millions-phone-calls/^

    [ax_meta fbimgurl=’http://mentatul.com/wp-content/uploads/2018/01/02596-NotSurprisingSmartphonePrivacy-Share.jpg’ lnimgurl=’http://mentatul.com/wp-content/uploads/2018/01/02596-NotSurprisingSmartphonePrivacy-Thumb.jpg’ fbimgw=’1170′ fbimgh=’350′ lnimgw=’250′ lnimgh=’250′ title=’Why It's Not Surprising That Smartphone Privacy Is Going from Bad to Worse’ desc=’Throughout the past years there have been several high-profile occasions when apps were in the news for questionable tracking strategies.’]

  • Hackers all around Us!

    Hackers all around Us!

    Whenever news comes in about some sort of data breach or hacked service, we’re often treated with pictures of the assumed perpetrators and how their office (bedroom? garage?) looks. Mentatul managed to get in touch with some of these unique people. They were happy that somebody is interested in their private lives and difficult working conditions.

    Let us begin with Paul, a young man from Edinburgh who started hacking banks when he was 15 years old.

    Paul
    Paul

    We asked Paul about why he decided to become a hacker and about his daily routine:

    “I knew I am destined to be a hacker when I realized that simply by looking at a computer screen I could see zeros and ones fly out of it, along with words such as “password”, “identity theft” and “data security”. I then turned to the Hacker Fraternity and they told me only precious few have this talent, which they call The Gift. They told me I’m a natural.”

    “But even with such talent, my job is very difficult. I always have to dress in a menacing yet stylish outfit. Wearing gloves makes typing difficult. The sunglasses force me to crank the screen brightness for my laptop all the way to the max. It seriously impacts battery life.”

    Another interesting story is that of m4~, a housewife from Kansas who started hacking out of boredom.

    m4~
    m4~

    “Watching cats and dogs videos on Facebook gets old after a while, so I took a course in hacking. Suddenly, whenever I was looking at computer screens, a blue mist enveloped me, and I could see passwords fly through it. After winning a recipe website hacking contest, the Hacker Fraternity awarded me with this special hoodie that makes me disappear when I’m hacking. The dramatic effect is important for online success. The only problem is that my son got scared a couple of times when he saw mommy disappear in a dark blue haze when she turned on her laptop.”

    And then there’s Ulf, the boy-wonder from Switzerland who makes a living by stealing Bitcoins from rich.

    Ulf
    Ulf

    “One day I found this special magnet that attracts Bitcoin straight from the wireless networks of the rich. During the usual two-hour ride in my black van throughout the priciest neighborhoods in central Switzerland, I make about $4000.”

    Through our correspondent in New Zealand we got to know The Grewsome Crew, two siblings from Auckland. We asked them to tell us if they know of any good hackers that are able to do their job without this natural gift of seeing ones, zeros and cryptic symbols when they touch a keyboard.

    The Grewsome Crew
    The Grewsome Crew

    “Not really, no. Only those with The Gift can make it out there,” said the brother using a vocal distortion filter. His sister filled in: “It’s very tough competition. Sometimes the only thing that makes the difference is the hoodie. It also helps if you have a map of the Earth in your secret bunker. It’s good for geotagging victims.”

    Then there are those that, in addition to The Gift, have additional Gifts, such as p00r 0wn3r. He called us through a network of crypted relays and refused to give his location but judging by his English accent, we can safely assume he’s from a French-speaking area of the world.

    p00r own3r
    p00r own3r

    “You see, I was born with a severe eyesight handicap, so I learned Braille. Soon after finishing gymnasium I realized that I can come up with the correct password simply by touching text boxes on the screen. It’s called “tactic decryption” and there are very few of us that have this gift.”

    Concluding our series of interviews, we discussed with one of the unfortunate hackers who do not have The Gift. Meet Ovidiu from Moldavia.

    Ovidiu
    Ovidiu

    “Not having The Gift complicates my life. I must always use fancy lights and a fog machine to be even able to bypass the simplest security measures. If I wear an expensive suit in combination with a thick balaclava I can look threatening enough to manage some simple weekend heists. I’ve been kinda depressed due to all this.”

    S3Kr3T
    Mentatul, be careful what you’re writing. This is your first warning from S3Kr3T. I uploaded a picture of me to warn you that I can own this website whenever I want.

    That’s all folks, a glimpse into the unique lives of those that force you to change passwords every now and then, and sometimes even manage to siphon money from your bank accounts.

    If you want to see more pictures with hackers, just follow this simple Google search:

    https://www.google.com/search?q=hacker&newwindow=1&dcr=0&source=lnms&tbm=isch&sa=X&ved=0ahUKEwim3syFlOTXAhWBB5oKHSofDrUQ_AUICigB&biw=2560&bih=1305^

     

     

     

    This text has been published in the “Satire” category for a good reason.

    P.S.: if you want to understand more about hackers than what the silly stereotypes online show, you can start from this Wikipedia entry:

    https://en.wikipedia.org/wiki/Hacker^

    [ax_meta lnimgurl=’http://mentatul.com/wp-content/uploads/2018/01/02583-HackersAllAroundUs-Thumb.jpg’ lnimgw=’250′ lnimgh=’250′ title=’Hackers all around Us!’ desc=’Mentatul managed to get in touch with some of these unique people.’]

  • The Danger Posed by Vehicles with Tinted Windows

    The Danger Posed by Vehicles with Tinted Windows

    Quote: “the need for the eye contact is something hard to do with tinted windows. As a pedestrian, before you step off a curb when you arrive at a four-way stop, the interaction with a driver requires a degree of not just acknowledgment, but trust. I have to know what you intend to do, and I have to know that you’ve seen me. Think of how often you respond differently because you see someone on the phone or texting. You need this information, and dark tinting obscures it.”

    I don’t normally start my recommendations with a quote from the article I’m recommending, but sometimes I make exceptions. This time, the reason is that the quote I started with is exactly what made me feature this article. The same quote also got me thinking about how will pedestrians interact with self-driving vehicles. Food for thought…

    There’s quite a lot of regional information in the article (pertaining to Canada). But once we get thinking about the dangers of tinted windows, a lot of risks will immediately pop into a driver’s mind: dangers of changing lanes in the dark, parking in an insufficiently lit garage and so on. Conclusion? Don’t tint your windows.

    http://driving.ca/chrysler/300/auto-news/news/the-dark-side-of-tinted-windows^

    [ax_meta lnimgurl=’http://mentatul.com/wp-content/uploads/2016/09/01040-DarkWindowTinting-Thumb.jpg’ lnimgw=’250′ lnimgh=’250′ title=’The Danger Posed by Vehicles with Tinted Windows’ desc=’Window tinting removes trust between driver and pedestrian and brings in more risks.’]

  • China Invests in Quantum Cryptography and Not a Moment Too Late

    China Invests in Quantum Cryptography and Not a Moment Too Late

    In the past years, a steady stream of revelations has shown the extent at which governments spy on us. This shocked nobody in the know. We’ve suspected it all along. When it comes to nation-states, however, it’s a different story. Countries don’t like it when other nations are snooping around in their backyard. Enter quantum cryptography^.

    Edward Snowden along with WikiLeaks and other organizations have exposed parts of America’s cyber-espionage program. Now, we finally see some of the rewards coming from those revelations. China is moving towards ensuring secure and private communications for itself and, I suspect in the near future, for any entity that pays a hefty fee. Large corporations will definitely be interested in having access to a spy-proof communications network:

    http://www.bbc.com/news/world-asia-china-37091833^

    Well played China, well played!

    Update 2016-09-21: important new developments in quantum teleportation will undoubtedly pave the way for secure communication: http://phys.org/news/2016-09-quantum-internet-teleport-particle-kilometres.html^

    [ax_meta lnimgurl=’http://mentatul.com/wp-content/uploads/2016/09/01030-ChinaQuantumSatellite-Thumb.jpg’ lnimgw=’250′ lnimgh=’250′ title=’China Invests in Quantum Cryptography and Not a Moment Too Late’ desc=’China is moving towards ensuring secure and private communications for itself and, I suspect in the near future, for any entity that pays a hefty fee.’]

  • All Your Computers Are Belong to Us

    All Your Computers Are Belong to Us

    In recent years, Intel has moved towards integrating some pretty nifty remote administration features into its CPUs. While this may be a good idea for certain enterprises, it may quickly turn into a nightmare as soon as exploits and vulnerabilities are found. And guess what^?

    Software has bugs. Hey, it happens, everybody makes mistakes. But in this case, the mistakes can’t be corrected in time (before an attacker exploits them). That’s because, in typical monopolist corporation fashion, Intel is obscuring the process by not allowing the security community to analyze whatever code the company decides to shove into our machines. The same argument stands true regarding any proprietary code, especially Microsoft’s Windows, which after 20 years of fixes is still the most vulnerable mainstream operating system.

    The following article describes the problem pretty well:

    http://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/^

    It’s probably only a matter of time until a clever attacker will compromise the company’s buggy code. Of course, Intel will eventually patch its security holes, but given that the company’s CPUs are used across the world in some pretty sensitive contexts, there’s no telling how much damage such attacks can cause.

    As for us mortals, we are at risk of having our privacy compromised even by petty criminals. This is because there’s a large window of opportunity between the time when a security hole is found and the time that Intel moves to fix it for less prioritized customers.

    And don’t even get me started on how governments across the world can (and probably will) force Intel’s hand into giving over political dissidents on a silver platter. Privacy? What privacy?

    If you want to learn more, here’s another article on the same topic:

    http://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html^

    I wrote this hot on the heels of a Dissected News piece about Cyber-Warfare^. There’s additional interesting information to be found there.

    [ax_meta lnimgurl=’http://mentatul.com/wp-content/uploads/2016/07/00759-AllYourComputersAreBelongToUs-Thumb.jpg’ lnimgw=’250′ lnimgh=’250′ title=’All Your Computers Are Belong to Us’ desc=’It's probably only a matter of time until a clever attacker will compromise Intel's buggy code.’]

  • Cyber-Warfare is Scary

    Cyber-Warfare is Scary

    When we read in the press about “hacking”, it’s mostly about software-based attacks. It may be about exploiting a vulnerability to reveal passwords or attacking an insecure computer. Then there’s the entire social-engineering aspect to it, which is basically hacking a person’s mind (can also be seen as a person’s software).

    Cyber-warfare^ has been defined as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption”. Serious confrontations are also going on between corporations, with industrial espionage being one of the main drivers. Unlike in real war, because a single individual can take on an entire nation through the use of clever hacking, the boundaries between these “size categories” are blurred.

    In addition to the myriad ways a target can be hacked through software, there’s something far more insidious and dangerous that can happen. Hardware-based attacks:

    https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip/^

    What the article above explains is how tiny hardware back-doors can be baked inside any integrated circuit. It’s not news that this is doable, but what is news is that it’s way too easy to achieve and almost impossible to detect. Even in the case of the highly advanced computer processors that are inside all our devices. Apparently it can be done by a single (well trained) person working inside the factory that manufactures the chip.

    Such modifications are extremely hard to detect. It’s quite tempting to go a bit paranoid when thinking about how many of our mission-critical processors are manufactured in Asia. China has lately started to re-assert itself technologically and militarily. There was an age when airplanes and bombs would decide the fate of a war. That age is slowly fading away.

    [ax_meta lnimgurl=’http://mentatul.com/wp-content/uploads/2016/06/00730-CyberWarfareIsScary-Thumb.jpg’ lnimgw=’250′ lnimgh=’250′ title=’Cyber-Warfare is Scary’ desc=’A single (well trained) person working inside a factory that manufactures electronics can bake a hardware back-door inside any integrated circuit.’]

  • The Vehicles of the Future and Our Security

    The Vehicles of the Future and Our Security

    As the world becomes increasingly connected, so are all the devices that we’re using. Vehicles, of course, are no exception. But while a hacked phone or refrigerator won’t be immediately life-threatening, a compromised vehicle can endanger the lives of many.

    Nissan found itself in hot water after security researchers managed to hack its electric cars through a web link:

    http://www.tomshardware.com/news/nissan-leaf-hacked-web-link,31275.html^

    The auto-maker shuttered the faulty software application^, but according to the article above, this might not have been enough since “attackers don’t even need to use the NissanConnect app, because they can deliver the attack through a web browser by spoofing the app.”

    With self-driving cars heading our way fast, this is not my idea of a software ecosystem that I would trust with my life. In addition to all the immense challenges that companies involved in researching automated driving will have to overcome, the security aspect will have to be handled in an extremely careful way. Check what they did to this jeep^.

    Self-driving vehicles will, through their very nature, rely on a wealth of external information. When they will go mainstream, we will already be talking about automatically negotiating traffic lights, combining more vehicles into trains for optimal fuel efficiency or tragedy-prevention ethics^ (I highly recommend reading the linked article).

    Companies have proved time and again that they care about little else than their profit margins. There is very little regard for safety and quality. In a recent posting^, I wrote that we’re perhaps partially to blame for this. Unless the situation changes both we and our environment will suffer because of these companies’ neglect.

    At least some sort of relief comes from the fact that some governments will make hacking vehicles a very serious criminal offense. Michigan, for example, proposes to go as far as life in prison^. But what about the companies that allow their applications to be hacked (due to rushing the development process)? I believe those entities should face equally serious punishments.

    [ax_meta lnimgurl=’http://mentatul.com/wp-content/uploads/2016/05/00547-VehiclesOfFutureAndOurSecurity-Thumb.jpg’ lnimgw=’250′ lnimgh=’250′ title=’The Vehicles of the Future and Our Security’ desc=’As the world becomes increasingly connected, so are all the devices that we're using. Vehicles, of course, are no exception.’]