    <blockquote><p>Pushwoosh says it does not collect sensitive information, and Reu</p>

    <p>[...]</p>

    <p>[...]r data. Russian authorities, however, have <a href="https://www.reuters.com/business/autos-transportation/russia-draws-up-law-force-taxi-firms-share-data-with-fsb-document-2022-03-29/">compelled local companies</a> to hand over user data to <a href="https://www.reuters.com/technology/how-crypto-giant-binance-built-ties-russian-fsb-linked-agency-2022-04-22/">domestic security agencies</a>.</p></blockquote>

    <p>I have called supply chain security “an insurmountably hard problem,” and this is just another example of that.</p>

    <p>EDITED TO ADD (12/12): <a href="https://internetsafetylabs.org/blog/news-press/reuters-breaks-story-on-dangerous-sdk-pushwoosh-found-by-isl/">Here</a> is a list of apps that use the Pushwoosh SDK.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg3"><a name="cg3">Failures in Twitter’s Two-Factor Authentication System</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/failures-in-twitters-two-factor-authentication-system.html"><strong>[2022.11.17]</strong></a> Twitter is having <a href="https://www.wired.com/story/twitter-two-factor-sms-problems/">intermittent problems</a> with its two-factor authentication system:</p>

    <blockquote><p>Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twitter <a href="https://www.wired.com/story/musk-layoffs-twitter-management/">laid off about half of its workers</a>, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter’s offerings and build new features per new owner Elon Musk’s agenda.</p></blockquote>

    <p>On top of that, it seems that the system has a <a href="https://www.inforisktoday.com/twitter-two-factor-authentication-has-vulnerability-a-20475">new vulnerability</a>:</p>

    <blockquote><p>A researcher contacted Information Security Media Group on condition of anonymity to reveal that texting “STOP” to the Twitter verification service results in the service turning off SMS two-factor authentication.</p>

    <p>“Your phone has been removed and SMS 2FA has been disabled from all accounts,” is the automated response.</p>

    <p>The vulnerability, which ISMG verified, allows a hacker to spoof the registered phone number to disable two-factor authentication. That potentially exposes accounts to a password reset attack or account takeover through password stuffing.</p></blockquote>

    <p>This is not a good sign.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg4"><a name="cg4">Successful Hack of Time-Triggered Ethernet</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/successful-hack-of-time-triggered-ethernet.html"><strong>[2022.11.18]</strong></a> Time-triggered Ethernet (TTE) is used in spacecraft, basically so that the same hardware can carry traffic with different timing and criticality requirements. Researchers have <a href="https://arstechnica.com/information-technology/2022/11/researchers-break-security-guarantees-of-tte-networking-used-in-spacecraft/">defeated it</a>:</p>

    <blockquote><p>On Tuesday, researchers <a href="https://web.eecs.umich.edu/~barisk/public/pcspoof.pdf">published findings</a> that, for the first time, break TTE’s isolation guarantees. The result is PCspooF, an attack that allows a single non-critical device connected to a single plane to disrupt synchronization and communication between TTE devices on all planes. The attack works by exploiting a vulnerability in the TTE protocol. The work was completed by researchers at the University of Michigan, the University of Pennsylvania, and NASA’s Johnson Space Center.</p>

    <p>“Our evaluation shows that successful attacks are possible in seconds and that each successful attack can cause TTE devices to lose synchronization for up to a second and drop tens of TT messages -- both of which can result in the failure of critical systems like aircraft or automobiles,” the researchers wrote. “We also show that, in a simulated spaceflight mission, PCspooF causes uncontrolled maneuvers that threaten safety and mission success.”</p></blockquote>

    <p>Much more detail in the article -- and the <a href="https://web.eecs.umich.edu/~barisk/public/pcspoof.pdf">research paper</a>.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg5"><a name="cg5">First Review of <i>A Hacker’s Mind</i></a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/first-review-of-a-hackers-mind.html"><strong>[2022.11.18]</strong></a> <i>Kirkus</i> <a href="https://www.kirkusreviews.com/book-reviews/bruce-schneier/a-hackers-mind-powerful/">reviews</a> <i>A Hacker’s Mind</i>:</p>

    <blockquote><p>A cybersecurity expert examines how the powerful game whatever system is put before them, leaving it to others to cover the cost.</p>

    <p>Schneier, a professor at Harvard Kennedy School and author of such books as <i>Data and Goliath</i> and <i>Click Here To Kill Everybody</i>, regularly challenges his students to write down the first 100 digits of pi, a nearly impossible task -- but not if they cheat, concerning which he admonishes, “Don’t get caught.” Not getting caught is the aim of the hackers who exploit the vulnerabilities of systems of all kinds. Consider right-wing venture capitalist Peter Thiel, who located a hack in the tax code: “Because he was one of the founders of PayPal, he was able to use a $2,000 investment to buy 1.7 million shares of the company at $0.001 per share, turning it into $5 billion -- all forever tax free.” It was perfectly legal -- and even if it weren’t, the wealthy usually go unpunished. The author, a fluid writer and tech communicator, reveals how the tax code lends itself to hacking, as when tech companies like Apple and Google avoid paying billions of dollars by transferring profits out of the U.S. to corporate-friendly nations such as Ireland, then offshoring the “disappeared” dollars to Bermuda, the Caymans, and other havens. Every system contains trap doors that can be breached to advantage. For example, Schneier cites “the Pudding Guy,” who hacked an airline miles program by buying low-cost pudding cups in a promotion that, for $3,150, netted him 1.2 million miles and “lifetime Gold frequent flier status.” Since it was all within the letter if not the spirit of the offer, “the company paid up.” The companies often do, because they’re gaming systems themselves. “Any rule can be hacked,” notes the author, be it a religious dietary restriction or a legislative procedure. With technology, “we can hack more, faster, better,” requiring diligent monitoring and a demand that everyone play by rules that have been hardened against tampering.</p>

    <p>An eye-opening, maddening book that offers hope for leveling a badly tilted playing field.</p></blockquote>

    <p>I got a starred review. Libraries make decisions on what to buy based on starred reviews. Publications make decisions about what to review based on starred reviews. This is a big deal.</p>

    <p>Book’s <a href="https://www.schneier.com/books/a-hackers-mind/">webpage</a>.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg6"><a name="cg6">Breaking the Zeppelin Ransomware Encryption Scheme</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/breaking-the-zeppelin-ransomware-encryption-scheme.html"><strong>[2022.11.21]</strong></a> Brian Krebs <a href="https://krebsonsecurity.com/2022/11/researchers-quietly-cracked-zeppelin-ransomware-keys/">writes</a> about how the Zeppelin ransomware encryption scheme was broken:</p>

    <blockquote><p>The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects.</p>

    <p>“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”</p>

    <p>Unit 221B ultimately built a “Live CD” version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.</p></blockquote>

    <p>A company offered recovery services based on this break, but was reluctant to advertise because it didn’t want Zeppelin’s creators to fix their encryption flaw.</p>

    <p>Technical <a href="https://blog.unit221b.com/dont-read-this-blog/0xdead-zeppelin">details</a>.</p>

    <p>EDITED TO ADD (12/12): When BitDefender publicly advertised a decryption tool for a strain of DarkSide ransomware, DarkSide <a href="https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/amp/">immediately updated</a> its ransomware to render the tool obsolete. It’s hard to come up with a solution to this problem.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg7"><a name="cg7">Apple’s Device Analytics Can Identify iCloud Users</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/apples-device-analytics-can-identify-icloud-users.html"><strong>[2022.11.22]</strong></a> Researchers <a href="https://www.macrumors.com/2022/11/21/apple-device-analytics-identifying-user/">claim</a> that supposedly anonymous device analytics information can identify users:</p>

    <blockquote><p>On <a href="https://twitter.com/mysk_co/status/1594515229915979776?s=61&t=rpR_X8V52MjKkTSK1fwzZg">Twitter</a>, security researchers Tommy Mysk and Talal Haj Bakry have found that Apple’s device analytics data includes an iCloud account and can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud.</p></blockquote>

    <p>Apple has long claimed otherwise:</p>

    <blockquote><p>On Apple’s device analytics and privacy <a href="https://www.apple.com/legal/privacy/data/en/device-analytics/">legal page</a>, the company says no information collected from a device for analytics purposes is traceable back to a specific user. “iPhone Analytics may include details about hardware and operating system specifications, performance statistics, and data about how you use your devices and applications. None of the collected information identifies you personally,” the company claims.</p></blockquote>

    <p>Apple was <a href="https://www.theregister.com/2022/11/14/apple_data_collection_lawsuit/">just sued</a> for tracking iOS users without their consent, even when they explicitly opt out of tracking.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg8"><a name="cg8">The US Has a Shortage of Bomb-Sniffing Dogs</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/the-us-has-a-shortage-of-bomb-sniffing-dogs.html"><strong>[2022.11.23]</strong></a> Nothing beats a dog’s nose for detecting explosives. Unfortunately, there <a href="https://www.wired.com/story/us-bomb-dog-shortage/">aren’t enough dogs</a>:</p>

    <blockquote><p>Last month, the US Government Accountability Office (GAO) released a nearly 100-page <a href="https://www.gao.gov/assets/gao-23-104489.pdf">report</a> about working dogs and the need for federal agencies to better safeguard their health and wellness. The GAO says that as of February the US federal government had approximately 5,100 working dogs, including detection dogs, across three federal agencies. Another 420 dogs “served the federal government in 24 contractor-managed programs within eight departments and two independent agencies,” the GAO report says.</p>

    <p>The report also underscores the demands placed on detection dogs and the potential for overwork if there aren’t enough dogs available. “Working dogs might need the strength to suddenly run fast, or to leap over a tall barrier, as well as the physical stamina to stand or walk all day,” the report says. “They might need to search over rubble or in difficult environmental conditions, such as extreme heat or cold, often wearing heavy body armor. They also might spend the day detecting specific scents among thousands of others, requiring intense mental concentration. Each function requires dogs to undergo specialized training.”</p></blockquote>

    <p>A decade and a half ago I was <a href="https://www.schneier.com/blog/archives/2005/12/bombsniffing_wa.html">optimistic</a> about bomb-sniffing bees and wasps, but nothing seems to have come of that.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg9"><a name="cg9">Computer Repair Technicians Are Stealing Your Data</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/computer-repair-technicians-are-stealing-your-data.html"><strong>[2022.11.28]</strong></a> Laptop technicians <a href="https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/">routinely violate the privacy</a> of the people whose computers they repair:</p>

    <blockquote><p>Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.</p>

    <p>[...]</p>

    <p>In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks. As noted earlier, two of the visits resulted in the logs the researchers relied on being unrecoverable. In one, the researcher explained they had installed antivirus software and performed a disk cleanup to “remove multiple viruses on the device.” The researchers received no explanation in the other case.</p>

    <p>[...]</p>

    <p>The laptops were freshly imaged Windows 10 laptops. All were free of malware and other defects and in perfect working condition with one exception: the audio driver was disabled. The researchers chose that glitch because it required only a simple and inexpensive repair, was easy to create, and didn’t require access to users’ personal files.</p>

    <p>Half of the laptops were configured to appear as if they belonged to a male and the other half to a female. All of the laptops were set up with email and gaming accounts and populated with browser history across several weeks. The researchers added documents, both sexually revealing and non-sexual pictures, and a cryptocurrency wallet with credentials.</p></blockquote>

    <p>A few notes. One, this is a very small study -- only twelve laptop repairs. Two, some of the results were inconclusive, which indicated -- but did not prove -- log tampering by the technicians. Three, this study was done in Canada. There would probably be more snooping by American repair technicians.</p>

    <p>The moral isn’t a good one: if you bring your laptop in to be repaired, you should expect the technician to snoop through your hard drive, taking what they want.</p>

    <p>Research <a href="https://arxiv.org/pdf/2211.05824.pdf">paper</a>.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg10"><a name="cg10">Charles V of Spain Secret Code Cracked</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/charles-v-of-spain-secret-code-cracked.html"><strong>[2022.11.29]</strong></a> Diplomatic code <a href="https://www.theguardian.com/world/2022/nov/24/emperor-charles-vs-secret-code-cracked-after-five-centuries">cracked</a> after 500 years:</p>

    <blockquote><p>In painstaking work backed by computers, Pierrot found “distinct families” of about 120 symbols used by Charles V. “Whole words are encrypted with a single symbol” and the emperor replaced vowels coming after consonants with marks, she said, an inspiration probably coming from Arabic.</p>

    <p>In another obstacle, he used meaningless symbols to mislead any adversary trying to decipher the message.</p>

    <p>The breakthrough came in June when Pierrot managed to make out a phrase in the letter, and the team then cracked the code with the help of Camille Desenclos, a historian. “It was painstaking and long work but there was really a breakthrough that happened in one day, where all of a sudden we had the right hypothesis,” she said.</p></blockquote>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg11"><a name="cg11">Facebook Fined $276M under GDPR</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/11/facebook-fined-276m-under-gdpr.html"><strong>[2022.11.30]</strong></a> Facebook -- Meta -- was <a href="https://www.theverge.com/2022/11/28/23481786/meta-fine-facebook-data-leak-ireland-dpc-gdpr">just fined</a> $276 million (USD) for a data leak that included full names, birth dates, phone numbers, and location.</p>

    <p>Meta’s total fine by the Data Protection Commission is over $700 million. <a href="https://www.enforcementtracker.com/?insights">Total GDPR fines</a> are over €2 billion (EUR) since 2018.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg12"><a name="cg12">Sirius XM Software Vulnerability</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/sirius-xm-software-vulnerability.html"><strong>[2022.12.01]</strong></a> This is <a href="https://gizmodo.com/sirius-xm-bug-honda-nissan-acura-hack-1849836987">new</a>:</p>

    <blockquote><p>Newly revealed <a href="https://twitter.com/samwcyo/status/1597792097175674880">research</a> shows that a number of major car brands, including Honda, Nissan, Infiniti, and Acura, were affected by a previously undisclosed security bug that would have allowed a savvy hacker to hijack vehicles and steal user data. According to researchers, the bug was in the car’s Sirius XM telematics infrastructure and would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, pop the trunk, and access sensitive customer info like the owner’s name, phone number, address, and vehicle details.</p></blockquote>

    <p>Cars are just computers with four wheels and an engine. It’s no surprise that the software is vulnerable, and that everything is connected.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg13"><a name="cg13">LastPass Security Breach</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/lastpass-security-breach.html"><strong>[2022.12.02]</strong></a> The company <a href="https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-accessed-customer-data-in-new-breach/">was</a> <a href="https://www.theregister.com/2022/12/01/lastpass/">hacked</a>, and customer information accessed. No passwords were compromised.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg14"><a name="cg14">Existential Risk and the Fermi Paradox</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/existential-risk-and-the-fermi-paradox.html"><strong>[2022.12.02]</strong></a> We know that complexity is the worst enemy of security, because it makes attack easier and defense harder. This becomes catastrophic as the effects of that attack become greater.</p>

    <p>In <a href="https://www.schneier.com/books/a-hackers-mind/"><i>A Hacker’s Mind</i></a> (coming in February 2023), I write:</p>

    <blockquote><p>Our societal systems, in general, may have grown fairer and more just over the centuries, but progress isn’t linear or equitable. The trajectory may appear to be upwards when viewed in hindsight, but from a more granular point of view there are a lot of ups and downs. It’s a “noisy” process.</p>

    <p>Technology changes the amplitude of the noise. Those near-term ups and downs are getting more severe. And while that might not affect the long-term trajectories, they drastically affect all of us living in the short term. This is how the twentieth century could -- statistically -- both be the most peaceful in human history and also contain the most deadly wars.</p>

    <p>Ignoring this noise was only possible when the damage wasn’t potentially fatal on a global scale; that is, if a world war didn’t have the potential to kill everybody or destroy society, or occur in places and to people that the West wasn’t especially worried about. We can’t be sure of that anymore. The risks we face today are existential in a way they never have been before. The magnifying effects of technology enable short-term damage to cause long-term planet-wide systemic damage. We’ve lived for half a century under the potential specter of nuclear war and the life-ending catastrophe that could have been. Fast global travel allowed local outbreaks to quickly become the COVID-19 pandemic, costing millions of lives and billions of dollars while increasing political and social instability. Our rapid, technologically enabled changes to the atmosphere, compounded through feedback loops and tipping points, may make Earth much less hospitable for the coming centuries. Today, individual hacking decisions can have planet-wide effects. Sociobiologist Edward O. Wilson <a href="https://www.nytimes.com/2019/12/05/opinion/digital-technology-brain.html">once described</a> the fundamental problem with humanity as being that “we have Paleolithic emotions, medieval institutions, and godlike technology.”</p></blockquote>

    <p>Technology could easily get to the point where the effects of a successful attack could be existential. Think biotech, nanotech, global climate change, maybe someday cyberattack -- everything that people like Nick Bostrom <a href="https://nickbostrom.com/existential/risks">study</a>. In these areas, like everywhere else in past and present society, the technologies of attack develop faster than the technologies of defending against attack. But suddenly, our inability to be proactive becomes fatal. As the noise due to technological power increases, we reach a threshold where a small group of people can irrecoverably destroy the species. The six-sigma guy can ruin it for everyone. And if they can, sooner or later they will. It’s possible that I have just explained the <a href="https://en.wikipedia.org/wiki/Fermi_paradox">Fermi paradox</a>.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg15"><a name="cg15">CAPTCHA</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/captcha.html"><strong>[2022.12.05]</strong></a> This is an actual CAPTCHA I was shown when trying to log into PayPal.</p>

    <p><img decoding="async" loading="lazy" src="https://www.schneier.com/wp-content/uploads/2022/12/bc5c9f8f-6e44-4dfc-b1a9-0bc888c1218f.jpg" alt="" width="592" height="872" class="alignnone size-full wp-image-66304" srcset="https://www.schneier.com/wp-content/uploads/2022/12/bc5c9f8f-6e44-4dfc-b1a9-0bc888c1218f.jpg 592w, https://www.schneier.com/wp-content/uploads/2022/12/bc5c9f8f-6e44-4dfc-b1a9-0bc888c1218f-204x300.jpg 204w" sizes="(max-width: 592px) 100vw, 592px"></p>

    <p>As an actual human and not a bot, I had no idea how to answer. Is this a joke? (Seems not.) Is it a Magritte-like existential question? (It’s not a bicycle. It’s a drawing of a bicycle. Actually, it’s a photograph of a drawing of a bicycle. No, it’s really a computer image of a photograph of a drawing of a bicycle.) Am I overthinking this? (Definitely.) I stared at the screen, paralyzed, for way too long.</p>

    <p>It’s probably the best CAPTCHA I have ever encountered; a computer would have just answered.</p>

    <p>(In the end, I treated the drawing as a real bicycle and selected the appropriate squares...and it seemed to like that.)</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg16"><a name="cg16">CryWiper Data Wiper Targeting Russian Sites</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/crywiper-data-wiper-targeting-russian-sites.html"><strong>[2022.12.06]</strong></a> Kaspersky is <a href="https://www.kaspersky.com/blog/crywiper-pseudo-ransomware/46480/">reporting</a> on a data wiper masquerading as ransomware that is targeting local Russian government networks.</p>

    <blockquote><p>The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.</p>

    <p>So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.</p></blockquote>

    <p>Nothing leading to an attribution.</p>

    <p>News <a href="https://arstechnica.com/information-technology/2022/12/never-before-seen-malware-is-nuking-data-in-russias-courts-and-mayors-offices/">article</a>.</p>

    <p>Slashdot <a href="https://it.slashdot.org/story/22/12/03/0044234/new-crywiper-data-wiper-targets-russian-courts-mayors-offices">thread</a>.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg17"><a name="cg17">The Decoupling Principle</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/the-decoupling-principle.html"><strong>[2022.12.07]</strong></a> This is a <a href="https://conferences.sigcomm.org/hotnets/2022/papers/hotnets22_schmitt.pdf">really interesting paper</a> that discusses what the authors call the Decoupling Principle:</p>

    <blockquote><p>The idea is simple, yet previously not clearly articulated: to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they need to perform their relevant function. Architectural decoupling entails splitting functionality for different fundamental actions in a system, such as decoupling authentication (proving who is allowed to use the network) from connectivity (establishing session state for communicating). Institutional decoupling entails splitting what information remains between non-colluding entities, such as distinct companies or network operators, or between a user and network peers. This decoupling makes service providers individually breach-proof, as they each have little or no sensitive data that can be lost to hackers. Put simply, the Decoupling Principle suggests always separating who you are from what you do.</p></blockquote>

    <p>Lots of interesting details in the paper.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg18"><a name=3D"cg18"= >Leaked Signing Keys Are Being Used to Sign Malware</a></h2>

    <p><a href=3D"https://www.schneier.com/blog/archives/2022/12/leaked-signin= g-keys-are-being-used-to-sign-malware.html"><strong>[2022.12.08]</strong>=
    </a> A bunch of Android OEM <a href=3D"https://arstechnica.com/gadgets/202=
    2/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-mal= ware/">signing keys</a> have been leaked or stolen=2C and they are activel= y being used to sign malware.</p>

    <blockquote><p>Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing <a href="https://bugs.chromium.org/p/apvi/issues/detail?id=100">leaked platform certificate keys</a> that are actively being used to sign malware. The post is just a list of the keys, but running each one through <a href="https://www.apkmirror.com/">APKMirror</a> or Google’s <a href="https://www.virustotal.com/gui/home/upload">VirusTotal</a> site will put names to some of the compromised keys: <a href="https://www.apkmirror.com/?post_type=app_release&searchtype=app&sortby=date&sort=desc&s=34df0e7a9f1cf1892e45c056b4973cd81ccf148a4050d11aea4ac5a65f900a42">Samsung</a>, <a href="https://www.apkmirror.com/?post_type=app_release&searchtype=app&sortby=date&sort=desc&s=4274243d7a954ac6482866f0cc67ca1843ca94d68a0ee53f837d6740a8134421">LG</a>, and <a href="https://www.virustotal.com/gui/file/19c84a2386abde0c0dae8661b394e53bf246f6f0f9a12d84cfc7864e4a809697/details">Mediatek</a> are the heavy hitters on the list of leaked keys, along with some smaller OEMs like <a href="http://www.revoview.com/gms/">Revoview</a> and Szroco, which makes <a href="https://arstechnica.com/gadgets/2020/07/the-100-tablet-shootout-amazon-fire-8-hd-plus-vs-walmart-onn-8-tablet-pro/">Walmart’s Onn tablets</a>.</p></blockquote>

    <p>This is a huge problem. The whole system of signature-based authentication rests on the assumption that signing keys are kept secret by the legitimate signers. A leaked platform certificate is worse than a leaked app-developer key: on Android, an app signed with an OEM’s platform key can share the system user ID and hold signature-level permissions, so it is trusted as if it were part of the operating system. Once that assumption is broken, all bets are off:</p>

    <blockquote><p>Samsung’s compromised key is used for everything: Samsung Pay, Bixby, Samsung Account, the phone app, and a million other things you can find on the 101 pages of results for that key. It would be possible to craft a malicious update for any one of these apps, and Android would be happy to install it overtop of the real app. Some of the updates are from <i>today</i>, indicating Samsung has still not changed the key.</p></blockquote>
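    <p>The practical check that follows from the post is to compare the signing certificate of any APK you are asked to trust against the leaked fingerprints. The script below is an added example, not code from the APVI post or from Ars Technica. It works on the text that <code>apksigner verify --print-certs app.apk</code> prints, and on PEM certificates pulled out with <code>unzip -p app.apk 'META-INF/*.RSA' | openssl pkcs7 -inform DER -print_certs</code>; the digest apksigner reports is SHA-256 over the DER-encoded certificate, which is what the script recomputes. The two blocklist entries are the digests the APKMirror links in the quote above search for (Samsung and LG); the signer DN and the SHA-1/MD5 lines in the sample output are placeholders, not real values.</p>

```python
"""Flag APKs signed with a known-leaked Android platform certificate.

Added example, not the APVI post's code. Consumes `apksigner verify
--print-certs` output or an `openssl pkcs7 -print_certs` PEM dump and checks
the certificate SHA-256 fingerprint against a blocklist.
"""
import base64
import hashlib
import re

# The two certificate digests this post resolves by name via APKMirror.
# Further entries belong in here from the APVI issue itself (not reproduced).
LEAKED_PLATFORM_CERTS = {
    "34df0e7a9f1cf1892e45c056b4973cd81ccf148a4050d11aea4ac5a65f900a42": "Samsung",
    "4274243d7a954ac6482866f0cc67ca1843ca94d68a0ee53f837d6740a8134421": "LG",
}

_DIGEST_LINE = re.compile(
    r"^Signer #(?P<n>\d+) certificate SHA-256 digest: (?P<hex>[0-9a-fA-F]{64})$",
    re.MULTILINE,
)
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def cert_sha256(der: bytes) -> str:
    """Fingerprint in the form apksigner, APKMirror and VirusTotal display it."""
    return hashlib.sha256(der).hexdigest()


def fingerprints_from_pem(pem_text: str) -> list[str]:
    """SHA-256 fingerprint of every certificate in an openssl -print_certs dump."""
    return [
        cert_sha256(base64.b64decode("".join(m.group(1).split())))
        for m in _PEM_BLOCK.finditer(pem_text)
    ]


def leaked_signers(apksigner_output: str) -> list[tuple[int, str, str]]:
    """(signer number, fingerprint, OEM) for every signer that is on the blocklist."""
    hits = []
    for m in _DIGEST_LINE.finditer(apksigner_output):
        fp = m.group("hex").lower()
        if fp in LEAKED_PLATFORM_CERTS:
            hits.append((int(m.group("n")), fp, LEAKED_PLATFORM_CERTS[fp]))
    return hits


# Constructed sample in apksigner's output format. The DN and the SHA-1/MD5
# values are placeholders; the SHA-256 digest is the Samsung one from the post.
SAMPLE_OUTPUT = """\
Signer #1 certificate DN: CN=Placeholder, OU=Placeholder, O=Placeholder, C=US
Signer #1 certificate SHA-256 digest: 34df0e7a9f1cf1892e45c056b4973cd81ccf148a4050d11aea4ac5a65f900a42
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
Signer #1 certificate MD5 digest: 00000000000000000000000000000000
"""

if __name__ == "__main__":
    for n, fp, oem in leaked_signers(SAMPLE_OUTPUT):
        print(f"signer #{n} uses the leaked {oem} platform certificate ({fp[:16]}...)")
```

    <p>A hit is not by itself proof of malware: every genuine Samsung system app matches the Samsung entry, which is the whole problem. The alarm case is a package that is not the OEM’s own, or one sideloaded from outside the OEM’s channel, carrying one of these signatures. And because Android only accepts an update signed with the same certificate as the installed app, the OEM cannot simply swap keys; rotation has to be staged through the signature scheme’s lineage mechanism, which is why the key was still in use on the day the quote was written.</p>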

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg19"><a name="cg19">Security Vulnerabilities in Eufy Cameras</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/security-vulnerabilities-in-eufy-cameras.html"><strong>[2022.12.09]</strong></a> Eufy cameras claim to be local only, but <a href="https://arstechnica.com/gadgets/2022/12/more-eufy-camera-flaws-found-including-remote-unencrypted-feed-viewing/">upload</a> <a href="https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage">data</a> to the cloud. The company is basically lying to reporters, despite being shown evidence to the contrary. The company’s behavior is so egregious that ReviewGeek is <a href="https://www.reviewgeek.com/138235/why-review-geek-cant-recommend-wyze-or-eufy-cameras-anymore/">no longer</a> recommending them.</p>

    <p>This will be interesting to watch. If Eufy can ignore security researchers and the press without there being any repercussions in the market, others will follow suit. And we will lose public shaming as an incentive to improve security.</p>

    <p><a href="https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage">Update</a>:</p>


    <blockquote><p>After further testing, we’re not seeing the VLC streams begin based solely on the camera detecting motion. We’re not sure if that’s a change since yesterday or something I got wrong in our initial report. It does appear that Eufy is making changes -- it appears to have removed access to the method we were using to get the address of our streams, although an address we already obtained is still working.</p></blockquote>
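    <p>The way the reporters caught Eufy was not by reading the marketing but by watching the traffic, and that check is easy to automate for any device that claims to be local only. The script below is an added example and not code from Ars Technica, The Verge, or Eufy: it reads per-connection records of the kind a home router, a Zeek conn.log export, or a conntrack dump can produce (timestamp, source, destination, destination port, bytes sent) and totals what the camera pushed to every address outside the LAN, minus an explicit allowlist. The camera’s address, the column layout, the allowlist, and the log lines are constructed for the example; the public addresses in it are TEST-NET placeholders, not Eufy or Anker servers.</p>

```python
"""Check a "local only" claim by totaling what the camera sends off the LAN.

Added example; not code from the articles or from Eufy. Input is a constructed
CSV-style flow log: ts,src,dst,dport,bytes_out.
"""
import ipaddress
from collections import defaultdict

CAMERA_IP = ipaddress.ip_address("192.168.1.50")        # constructed

# Address space treated as "local". Spelled out on purpose: ipaddress.is_private
# also treats documentation ranges such as 203.0.113.0/24 (used below to stand
# in for public servers) as private, which would hide exactly what we look for.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4",     # link-local, loopback, multicast
)]

# Remote ports a local-only device may legitimately originate traffic to (assumption).
ALLOWED_REMOTE_PORTS = {123}                            # NTP time sync


def is_local(ip) -> bool:
    return any(ip in net for net in LOCAL_NETWORKS)


def parse_record(line: str):
    """'ts,src,dst,dport,bytes_out' -> (ts, src, dst, dport, bytes) or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, dst, dport, nbytes = line.split(",")
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes)


def cloud_egress(lines, camera=CAMERA_IP, allowed_ports=ALLOWED_REMOTE_PORTS):
    """Bytes the camera sent to each non-local (destination, port), as a dict."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        _, src, dst, dport, nbytes = rec
        if src != camera or is_local(dst) or dport in allowed_ports:
            continue                                    # local viewing, NTP, other hosts
        totals[(str(dst), dport)] += nbytes
    return dict(totals)


# Constructed records: the phone app viewing the stream on the LAN, an NTP
# query, a laptop's own web traffic, and three camera uploads to TEST-NET
# addresses standing in for public servers.
SAMPLE_LOG = """\
# ts,src,dst,dport,bytes_out
2022-12-01T10:00:01Z,192.168.1.50,192.168.1.20,443,2048
2022-12-01T10:00:02Z,192.168.1.50,192.0.2.123,123,76
2022-12-01T10:00:05Z,192.168.1.50,203.0.113.10,443,184320
2022-12-01T10:00:09Z,192.168.1.50,198.51.100.7,8443,5120
2022-12-01T10:00:11Z,192.168.1.20,203.0.113.10,443,900
2022-12-01T10:00:15Z,192.168.1.50,203.0.113.10,443,92160
"""

if __name__ == "__main__":
    for (dst, port), nbytes in sorted(cloud_egress(SAMPLE_LOG.splitlines()).items()):
        print(f"{dst}:{port}\t{nbytes} bytes uploaded by the camera")
```

    <p>Run against real flow logs, anything left in the result is a destination the vendor has to explain. The detail in the update above, whether uploads start on motion, is answered the same way: line the flow timestamps up against the camera’s event log, and repeat the measurement after every firmware update, since the behavior can change from one day to the next.</p>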

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg20"><a name="cg20">Hacking Trespass Law</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/hacking-trespass-law.html"><strong>[2022.12.09]</strong></a> This <a href="https://www.nytimes.com/2022/11/26/business/hunting-wyoming-elk-mountain-access.html">article</a> talks about public land in the US that is completely surrounded by private land, which in some cases makes it inaccessible to the public. But there’s a hack:</p>

    <blockquote><p>Some hunters have long believed, however, that the publicly owned parcels on Elk Mountain can be legally reached using a practice called corner-crossing.</p>

    <p>Corner-crossing can be visualized in terms of a checkerboard. Ever since the Westward Expansion, much of the Western United States has been divided into alternating squares of public and private land. Corner-crossers, like checker pieces, literally step from one public square to another in diagonal fashion, avoiding trespassing charges. The practice is neither legal nor illegal. Most states discourage it, but none ban it.</p></blockquote>

    <p>It’s an interesting ambiguity in the law: does a checker trespass on white squares when it moves diagonally over black squares? But, of course, the legal battle isn’t really about that. It’s about the rights of property owners vs the rights of those who wish to walk on this otherwise-inaccessible public land.</p>

    <p>This particular hack will be adjudicated in court. State court, I think, which means the answer might be different in different states. It’s not an example I discuss in my <a href="https://www.schneier.com/books/a-hackers-mind/">new book</a>, but it’s similar to many I do discuss. It’s the act of adjudicating hacks that allows systems to evolve.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg21"><a name="cg21">Apple Is Finally Encrypting iCloud Backups</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/apple-is-finally-encrypting-icloud-backups.html"><strong>[2022.12.12]</strong></a> After way too many years, Apple is <i>finally</i> offering end-to-end <a href="https://www.theverge.com/2022/12/7/23498580/apple-end-to-end-encryption-icloud-backups-advanced-data-protection">encryption for iCloud backups</a>, with keys that only the user’s devices hold:</p>

    <blockquote><p>Based on a screenshot from Apple, these categories are covered when you flip on Advanced Data Protection: device backups, messages backups, iCloud Drive, Notes, Photos, Reminders, Safari bookmarks, Siri Shortcuts, Voice Memos, and Wallet Passes. Apple says the only “major” categories not covered by Advanced Data Protection are iCloud Mail, Contacts, and Calendar because “of the need to interoperate with the global email, contacts, and calendar systems,” according to its press release.</p>

    <p>You can see the full list of data categories and what is protected under standard data protection, which is the default for your account, and Advanced Data Protection <a href="https://support.apple.com/en-us/HT202303">on Apple’s website</a>.</p>

    <p>With standard data protection, Apple holds the encryption keys for things that aren’t end-to-end encrypted, which means the company can help you recover that data if needed. Data that’s end-to-end encrypted can <i>only</i> be encrypted on “your trusted devices where you’re signed in with your Apple ID,” according to Apple, meaning that the company -- or law enforcement or hackers -- cannot access your data from Apple’s databases.</p></blockquote>

    <p>Note that this system doesn’t have the backdoor that was in Apple’s previous proposal, the one put there under the guise of detecting CSAM.</p>

    <p>Apple <a href="https://www.wsj.com/articles/apple-plans-new-encryption-system-to-ward-off-hackers-and-protect-icloud-data-11670435635">says</a> that it will roll out worldwide by the end of next year. Note that Advanced Data Protection is opt-in: only accounts whose owners turn it on get the end-to-end protection, and once it is on Apple can no longer recover the data for you. I wonder how China will react to this.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg22"><a name="cg22">Obligatory ChatGPT Post</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/obligatory-chatgpt-post.html"><strong>[2022.12.13]</strong></a> <a href="https://oneusefulthing.substack.com/p/the-mechanical-professor">Seems</a> <a href="https://www.nytimes.com/2022/12/05/technology/chatgpt-ai-twitter.html">like</a> <a href="https://www.theatlantic.com/technology/archive/2022/12/openai-chatgpt-writing-high-school-english-essay/672412/">absolutely</a> <a href="https://theconversation.com/the-chatgpt-chatbot-is-blowing-people-away-with-its-writing-skills-an-expert-explains-why-its-so-impressive-195908">everyone</a> <a href="https://www.theatlantic.com/technology/archive/2022/12/openai-chatgpt-chatbot-messages/672411/?utm_source=nextdraft&utm_medium=email">everywhere</a> <a href="https://www.theatlantic.com/technology/archive/2022/12/chatgpt-ai-writing-college-student-essays/672371/">is</a> <a href="https://techcrunch.com/2022/12/05/chatgpt-shrugged/">playing</a> <a href="https://www.bleepingcomputer.com/news/technology/openais-new-chatgpt-bot-10-dangerous-things-its-capable-of/">with</a> <a href="https://chat.openai.com/chat">Chat GPT</a>.</p>

    <p>So I did, too....</p>

    <p><i>Write an essay in the style of Bruce Schneier on how ChatGPT will affect cybersecurity.</i></p>

    <blockquote><p>As with any new technology, the development and deployment of ChatGPT is likely to have a significant impact on the field of cybersecurity. In many ways, ChatGPT and other AI technologies hold great promise for improving the ability of organizations and individuals to defend against cyber threats. At the same time, however, the use of these technologies also raises important questions and concerns about the potential risks and challenges they may pose.</p>

    <p>One of the key ways in which ChatGPT is likely to affect cybersecurity is by enabling organizations to more quickly and accurately identify potential security threats. With its ability to analyze vast amounts of data and identify patterns and trends that might be difficult for humans to spot, ChatGPT could be a valuable tool for detecting and responding to cyberattacks. This could be especially useful in the case of complex, coordinated attacks that might otherwise be difficult to identify and defend against.</p>

    <p>Another potential benefit of ChatGPT in the realm of cybersecurity is its ability to improve communication and coordination among different organizations and agencies. By enabling these groups to more easily share information and work together to defend against cyber threats, ChatGPT could help to make the overall cybersecurity landscape more effective and efficient. This could be especially important in the case of large-scale attacks that require a coordinated response from multiple organizations.</p>

    <p>Of course, as with any new technology, there are also potential risks and challenges associated with the use of ChatGPT in the field of cybersecurity. One key concern is the potential for ChatGPT to be used by malicious actors to conduct cyberattacks. By automating the process of planning and executing attacks, ChatGPT could make it easier for attackers to carry out sophisticated, coordinated attacks at a much faster pace than would be possible without AI. This could potentially make it more difficult for organizations and individuals to defend against such attacks.</p>

    <p>Another potential risk is the possibility that ChatGPT could be used to create fake news or propaganda, which could be used to spread misinformation or confusion. In the context of cybersecurity, the spread of false information could potentially lead to confusion and panic, making it more difficult for organizations and individuals to respond effectively to cyber threats. Additionally, the use of ChatGPT to create fake news or propaganda could also undermine trust in information and communications systems, potentially undermining the overall security of these systems.</p>

    <p>Overall, the development and deployment of ChatGPT is likely to have a significant impact on the field of cybersecurity. While ChatGPT and other AI technologies hold great promise for improving the ability of organizations and individuals to defend against cyber threats, it is important to carefully consider the potential risks and challenges they may pose, and to take appropriate measures to mitigate these risks. This may include implementing strict security protocols and safeguards to prevent unauthorized access to ChatGPT and other AI systems, as well as ongoing monitoring and evaluation to ensure that these technologies are being used in a safe and responsible manner.</p></blockquote>

    <p>Not bad. I don’t think I can retire, but I probably can go on vacation for a few days. And, of course, it’s going to get better...a lot better...and probably sooner than we expect. This is a big deal.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg23"><a name="cg23">Hacking Boston’s CharlieCard</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/hacking-bostons-charliecard.html"><strong>[2022.12.14]</strong></a> Interesting <a href="https://medium.com/@bobbyrsec/operation-charlie-hacking-the-mbta-charliecard-from-2008-to-present-24ea9f0aaa38">discussion</a> of vulnerabilities and exploits against Boston’s CharlieCard.</p>

    <p style="font-size:88%">** *** ***** ******* *********** *************</p>


    <h2 style="font-size:125%;font-weight:bold" id="cg24"><a name="cg24">Reimagining Democracy</a></h2>

    <p><a href="https://www.schneier.com/blog/archives/2022/12/reimagining-democracy.html"><strong>[2022.12.14]</strong></a> Last week, I hosted a two-day <a href="https://www.schneier.com/iword/2022">workshop on reimagining democracy</a>.</p>

    <p>The idea was to bring together people from a variety of disciplines who are all thinking about different aspects of democracy, less from a “what we need to do today” perspective and more from a blue-sky future perspective. My remit to the participants was this:</p>

    <blockquote><p>The idea is to start from scratch, to pretend we’re forming a new country and don’t have any precedent to deal with. And that we don’t have any unique interests to perturb our thinking. The modern representative democracy was the best form of government that mid-eighteenth-century politicians and technology could invent. The twenty-first century is a very different place technically, scientifically, and philosophically. What could democracy look like if it were reinvented today? Would it even be democracy -- what comes after democracy?</p>

    <p>Some questions to think about:</p>

    <ul>
    <li>Representative democracies were built under the assumption that travel and communications were difficult. Does it still make sense to organize our representative units by geography? Or to send representatives far away to create laws in our name? Is there a better way for people to choose collective representatives?</li>

    <li>Indeed, the very idea of representative government is due to technological limitations. If an AI system could find the optimal solution for balancing every voter’s preferences, would it still make sense to have representatives -- or should we vote for ideas and goals instead?</li>

    <li>With today’s technology, we can vote anywhere and any time. How should we organize the temporal pattern of voting -- and of other forms of participation?</li>

    <li>Starting from scratch, what is today’s ideal government structure? Does it make sense to have a singular leader “in charge” of everything? How should we constrain power -- is there something better than the legislative/judicial/executive set of checks and balances?</li>

    <li>The size of contemporary political units ranges from a few people in a room to vast nation-states and alliances. Within one country, what might the smaller units be -- and how do they relate to one another?</li>

    <li>Who has a voice in the government? What does “citizen” mean? What about children? Animals? Future people (and animals)? Corporations? The land?</li>

    <li>And much more: What about the justice system? Is the twelfth-century jury form still relevant? How do we define fairness? Limit financial and military power? Keep our system robust to psychological manipulation?</li>
    </ul>
    </blockquote>

    <p>My perspective, of course, is security. I want to create a system that is <a href="https://www.schneier.com/books/a-hackers-mind/">resilient against hacking</a>: one that can evolve as both technologies and threats evolve.</p>

    <p>The format was one that I have <a href="https://www.schneier.com/blog/archives/2022/05/security-and-human-behavior-shb-2022.html">used before</a>. Forty-eight people meet over two days. There are four ninety-minute panels per day, with six people on each. Everyone speaks for ten minutes, and the rest of the time is devoted to questions and comments. Ten minutes means that no one gets bogged down in jargon or details. Long breaks between sessions and evening dinners allow people to talk more informally. The result is a very dense, idea-rich environment that I find extremely valuable.</p>

    <p>It was an amazing event. Everyone participated. Everyone was interesting. (Details of the event -- emerging themes, notes from the speakers -- are in the comments.) It’s a week later and I am still buzzing with ideas. I hope this is only the first of an ongoing series of similar workshops.</p>


    <p style="font-size:88%">** *** ***** ******* *********** *************</p>




    <p>Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see <a href="https://www.schneier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>

    <p>You can also read these articles on my blog, <a href="https://www.schneier.com">Schneier on Security</a>.</p>

    <p>Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.</p>

    <p><span style="font-style: italic">Bruce Schneier is an internationally renowned security technologist, called a security guru by the <cite style="font-style:normal">Economist</cite>. He is the author of over one dozen books -- including his latest, <a href="https://www.schneier.com/books/root/"><cite style="font-style:normal">We Have Root</cite></a> -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.</span></p>

    <p>Copyright &copy; 2022 by Bruce Schneier.</p>


    <p style="font-size:88%">** *** ***** ******* *********** *************</p>

    <p>Mailing list hosting graciously provided by <a href="https://mailchimp.com/">MailChimp</a>. Sent without web bugs or link tracking.</p>


    </body></html>
