Security and Proprietary Software
-
Sanctioned Iranian hackers behind Charlie Hebdo breach, Microsoft says [Ed: Microsoft is to blame for loads of security breaches, not the expert to be approached for blame-shifting explanations (blaming nations rather than the holes)]
U.S. officials sanctioned members of the hacking group after they attempted to interfere in the 2020 U.S. presidential election.
-
Against risk-based authentication (or, why I wouldn't trust Google Cloud)
Fundamentally, the issue here comes down to the fact that an accounts system for critical infrastructure needs to fulfill two objectives:
It must be possible for authorized users to gain access.
It must not be possible for unauthorized users to gain access.
“Risk-based” authentication essentially tries too hard to fulfil the second objective in a way that compromises on the former.
-
How Hype Will Turn Your Security Key Into Junk
To understand the problem, we need to understand what a discoverable/resident key is.
You have probably seen that most keys support an ‘unlimited’ number of accounts. This is achieved by sending a “key wrapped key” to the security key. When the Relying Party (Authentication Server) wants to authenticate your security key, it will provide you a “credential id”. That credential ID is an encrypted blob that only your security key can decrypt. If your security key can decrypt that blob it yields a private key that is specific to that single RP that you can use for signatures.
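How such a key-wrapped credential ID works, shown as an added Go example that is not code from the article or from any vendor's firmware: the authenticator keeps a single master key, wraps a freshly generated per-RP private key into the credential ID at registration, and can only recover (and sign with) that key when the Relying Party later presents the same blob under the same RP ID. AES-256-GCM with the RP ID as associated data, P-256 ECDSA for the signature, the RP ID example.com and the challenge bytes are all assumptions chosen for illustration; real authenticators differ in their internals.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Authenticator models a security key using non-resident ("key wrapped key")
// credentials: it holds one master wrapping key and nothing per account.
type Authenticator struct {
	aead cipher.AEAD
}

// NewAuthenticator generates a random 256-bit master key.
// Assumed scheme: AES-256-GCM (vendor internals differ).
func NewAuthenticator() (*Authenticator, error) {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Authenticator{aead: aead}, nil
}

// Register creates a fresh P-256 key pair for one relying party, wraps the
// private key under the master key with the RP ID as associated data, and
// returns nonce||ciphertext as the credential ID plus the public key.
// The RP stores both; the security key itself remembers nothing.
func (a *Authenticator) Register(rpID string) (credentialID []byte, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// Seal appends the ciphertext to a copy of nonce, giving nonce||ct.
	credentialID = a.aead.Seal(nonce, nonce, der, []byte(rpID))
	return credentialID, &priv.PublicKey, nil
}

// Sign is the authentication step: the RP sends the credential ID and a
// challenge. Only the key that wrapped the blob, and only for the same RP ID,
// passes the GCM tag check; otherwise nothing is signed.
func (a *Authenticator) Sign(rpID string, credentialID, challenge []byte) ([]byte, error) {
	ns := a.aead.NonceSize()
	if len(credentialID) < ns+a.aead.Overhead() {
		return nil, errors.New("credential ID too short")
	}
	der, err := a.aead.Open(nil, credentialID[:ns], credentialID[ns:], []byte(rpID))
	if err != nil {
		return nil, errors.New("credential ID not wrapped by this key for this RP")
	}
	priv, err := x509.ParseECPrivateKey(der)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the relying party checking the assertion against its stored public key.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	credID, pub, err := key.Register("example.com") // constructed RP ID
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed-challenge-from-RP") // constructed sample
	sig, err := key.Sign("example.com", credID, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Printf("credential ID: %d bytes, assertion valid: %v\n", len(credID), Verify(pub, challenge, sig))
	_, err = key.Sign("attacker.example", credID, challenge)
	fmt.Println("same blob under another RP ID:", err)
}
```

Because the key material travels inside the credential ID, the authenticator needs no per-account storage, which is what lets a key advertise an "unlimited" number of accounts; a discoverable/resident credential, by contrast, has to be kept in the key's own limited memory. Binding the RP ID as associated data is what stops one site's blob from being replayed to the authenticator under a different site's name.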
-
It Took Months For Anker To Finally Admit Its Eufy Cameras Weren’t Really Secure
Last November, The Verge discovered that Anker, the maker of popular USB chargers and the Eufy line of “smart” cameras, had a bit of a security issue. Despite the fact the company advertised its Eufy cameras as having “end-to-end” military-grade encryption, security researcher Paul Moore and a hacker named Wasabi found it was pretty easy to intercept user video streams.
-
This Week In Security: Github, Google, And Realtek
GitHub Desktop may have stopped working for you yesterday, February 2nd. The reason was an unauthorized access to some decidedly non-public repositories. The most serious bit of information that escaped was code signing certificates, notably used for GitHub Desktop and Atom. Those certificates were password protected, so it’s unlikely they’ve been abused yet. Even so, GitHub is taking the proper steps of revoking those certificates.
-
Red Hat Launches Ansible Automation Platform on Google Cloud
Red Hat says organisations can deploy Red Hat’s self-managed offering directly from the Google Cloud Marketplace to quickly start automating the management of their Google Cloud resources.