Author: Dan Wallach
-
Android WebView security and the mobile advertising marketplace
Freedom to Tinker readers are probably aware of the current controversy over Google’s handling of ongoing security vulnerabilities in its Android WebView component. What sounds at first like a routine security problem turns out to have some deep challenges. Let’s start by filling in some background and build up to the big problem they’re not…
-
Striking a balance between advertising and ad blocking
In the news, we have a consortium of French publishers, which somehow includes several major U.S. corporations (Google, Microsoft), attempting to sue AdBlock Plus developer Eyeo, a German firm with developers around the world. I have no idea of the legal basis for their case, but it’s all about the money. AdBlock Plus and the closely…
-
Your TV is spying on you, and what you can do about it
A recent UK observer with a packet sniffer noticed that his LG “smart” TV was sending all his viewing habits back to an LG server. This included filenames from an external USB disk. Add this atop observations that Samsung’s 2012-era “smart” TVs were riddled with security holes. (No word yet on the 2013 edition.) What’s…
-
Engineering an insider-attack-resistant email system and why you wouldn't want to use it
Earlier this week, Felten made the observation that the government eavesdropping on Lavabit could be considered as an insider attack against Lavabit users. This leads to the obvious question: how might we design an email system that’s resistant to such an attack? The sad answer is that we’ve had this technology for decades but it…
-
Lavabit and how law enforcement access might be done in the future
The saga of Lavabit, the now-closed “secure” mail provider, is an interesting object of study. They’re in the process of appealing a court order to produce their SSL private keys, with which a government eavesdropper would then have access to the entirety of all traffic going in and out of Lavabit. You can read Lavabit’s…
-
On the NSA's capabilities
Last Thursday brought significant new revelations about the capacities of the National Security Agency. While the articles in the New York Times, ProPublica, and The Guardian skirted around technical specifics, several broad themes came out. NSA has the capacity to read significant amounts of encrypted Internet traffic. NSA has some amount of cooperation from vendors…
-
Let's stop Nigerian scams once and for good
The Yahoo account of a personal friend of mine was recently hacked by a Nigerian scammer. I know this because the email I got (“I’m stuck in the Philippines and need you to wire money”) had an IP address in a “Received” header that pointed squarely at Lagos, Nigeria. The modus operandi of these scammers is well…
-
Uncertified voting equipment
(Or, why doing the obvious thing to improve voter throughput in Harris County early voting would exacerbate a serious security vulnerability.) I voted today, using one of the many early voting centers in my county. I waited roughly 35 minutes before reaching a voting machine. Roughly 1/3 of the 40 voting machines at the location…
-
IEEE blows it on the Security & Privacy copyright agreement
Last June, I wrote about the decision at the business meeting of IEEE Security & Privacy to adopt the USENIX copyright policy, wherein authors grant a right for the conference to publish the paper and warrant that they actually wrote it, but otherwise the work in question is unquestionably the property of the authors. As…
-
Tinkering with the IEEE and ACM copyright policies
It’s historically been the case that papers published in an IEEE or ACM conference or journal must have their copyrights assigned to the IEEE or ACM, respectively. Most of us were happy with this sort of arrangement, but the new IEEE policy seems to apply more restrictions on this process. Matt Blaze blogged about this…