The word on why we got treated to a false alarm about missiles heading for Hawaii is this: (over-simplification alert!)
What was supposed to be an internal-only test message got misdirected to the live alert system
When presented with the much-maligned “Are you sure?” prompt, the operator did what we all do reflexively.
They clicked Yes.
There’s a security lesson here. Stop and take a breath and read all these prompts. Clicking OK automatically is the road to ruin. So many security-sensitive things are prompted like this. You get this one chance to stay safe. Take it.
Email scams have been a problem almost as long as there has been email. Today’s joint is not about the basics of that, I have dealt with those before. Scambusters is a great source of detailed information about these scams, and how to avoid being taken in. But what I want to explore here is a practice that is a source of some consternation: scamming the scammers. People reply to email scams as if they were interested in the “offers” or “opportunities.”
Their motivation for doing this is to waste the scammers’ time, supposedly keeping their attention away from others who might be taken in while they are busy responding to people who, in turn, are determined not to become victims.
If you explore 419 Eater, you will find a lot of material there about this practice, including a page of discussion about whether or not this is ethical. What is not well-treated on that page is the fact that emailing lies intended to induce action under false pretenses is exactly as illegal when it is done in reply to the same.
419 Eater has been around for fifteen years. A more recent innovation has been, not surprisingly, to automate the process of scam busting. One example is Re:scam, a service of the New Zealand org NetSafe. Its purpose is also to drain profitability out of email scamming by wasting the scammers’ time in unproductive conversations, but here using bots posing as willing marks rather than volunteer cyber-vigilantes.
Now for the bad news. I forwarded an email to Re:Scam and a reply came back telling me the service was on hiatus. A forward to another site publicized recently, email@example.com, simply bounced. No specific word on why these are not currently functioning. Possible reasons include issues with the technology working well, issues with the resource requirements (i.e., costs), and issues with the legal authorities. Again I caution readers on the legality and ethicality of fighting fraud with fraud.
In a revelation that should surprise exactly nobody, security researchers have revealed that Western Digital MyCloud drives have a built-in backdoor. A hard-coded username and password give privileged command line access to the device, which may then be compromised however the attacker sees fit.
This feature defect was disclosed responsibly enough to WD last July. After six months without a fix forthcoming, the researchers went public with it.
My usual handling of devices like this is to presume they are all similarly compromised. I do not, repeat, NOT connect them to their “cloud” services. In fact, I only use items like these if I can see how they can be used in a state where they are specifically forbidden from connecting to the Internet, and still be worthwhile to me.
With this one, at least, it turns out my level of paranoia is insufficient. A malicious webpage, visited from a machine on the same local area network as this MyCloud, can execute a script that pwns the device. Now I have to consider whether all such devices can reasonably be expected to have the same mode of possible compromise.
Randomness is important. You use it in the physical world when you shuffle a deck for a game of cards or roll a D12 for a result in Dungeons & Dragons. But you need it even more in the digital world, and it’s more difficult to come by. You need randomness to select one-time-use keys that you share for symmetric encryption, to select strong passwords or passphrases, and to run fair games at things like online poker and casino games.
The problem is that for all the miraculous things it can do with random input, software is very bad at generating it. Algorithms are deterministic, even if they are designed to be difficult to predict. When you use a function like RAND() in Excel, or get randomized challenges in low-stakes gaming, you’re usually getting the output of what’s called a pseudo-random number generator (PRNG). The PRNG takes a numerical value, called a seed, and generates a series of new values from it. If the seed is known, then the new values are easy to predict. If the seed is not known, it’s a lot more difficult, but not impossible. If you reuse the same seed you get the same sequence. This property can be useful sometimes, for example, if you want to be able to reproduce a series of plays in a game. But mostly, it’s a very bad flaw in any process that needs randomness.
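To make the seed problem concrete, here is a small Python demonstration I have added to this post (it is not code from any of the products or sites mentioned). It uses a toy linear congruential generator, the simplest textbook PRNG, alongside Python’s own Mersenne Twister, and shows three things: the same seed always reproduces the same “keys”; a seed drawn from a small space (say, a clock reading) can be recovered from a single observed output, after which every later output is known; and a CSPRNG backed by the operating system’s entropy pool does not have that property. The LCG constants and the seed values are my own choices for the illustration.

```python
import random
import secrets
from typing import List, Optional

# Toy linear congruential generator (LCG). The constants are the ones from the
# classic C-library rand(); what matters here is only that each output is a
# deterministic function of the previous state, and therefore of the seed.
A, C, M = 1103515245, 12345, 2 ** 31


def lcg_stream(seed: int, count: int) -> List[int]:
    """Return `count` successive outputs of the toy LCG started from `seed`."""
    out, x = [], seed % M
    for _ in range(count):
        x = (A * x + C) % M
        out.append(x)
    return out


def mt_keys(seed: int, count: int) -> List[str]:
    """'One-time keys' drawn from Python's Mersenne Twister PRNG.

    Anyone who learns the seed can regenerate exactly the same key list, which
    is why a PRNG seeded with a guessable number must never be used for keys.
    """
    rng = random.Random(seed)
    return [rng.getrandbits(128).to_bytes(16, "big").hex() for _ in range(count)]


def recover_seed(observed: int, max_seed: int) -> Optional[int]:
    """Find the LCG seed from one observed output by trying every seed below
    `max_seed` (the attacker's model of a small seed space, e.g. a timestamp).

    Because the LCG step is a bijection on [0, M), the match is unique.
    """
    for s in range(max_seed):
        if (A * (s % M) + C) % M == observed:
            return s
    return None


def predict_following(seed: int, already_seen: int, count: int) -> List[int]:
    """With the seed known, reproduce the outputs that come after the ones
    the attacker has already observed."""
    return lcg_stream(seed, already_seen + count)[already_seen:]


def csprng_key() -> str:
    """A 128-bit key from the OS cryptographic RNG via the `secrets` module.

    The kernel pool is seeded from physical entropy sources, so there is no
    small seed to guess and successive calls are independent.
    """
    return secrets.token_hex(16)
```

If you run `recover_seed(lcg_stream(12345, 1)[0], 2 ** 16)` you get 12345 back in a fraction of a second, and `predict_following(12345, 1, 3)` then equals the next three outputs the victim would have produced. The point is not that the toy LCG is weak (it is), but that any generator whose entire future is fixed by a seed is only as unpredictable as that seed.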
PRNGs are fine when it doesn’t matter. But when it matters you need to harness the unpredictability of the physical world. One great Internet resource, random.org, uses atmospheric noise to generate its random numbers. At that site, random bits are available anytime you want, in many forms. Some are free and some are available to paid members. It’s an important function for the safety of the Internet as a whole, and it’s worth supporting.
Another use of physical randomness is in EFF’s Dice passphrase scheme. If you read the instructions, you’ll see that they really don’t want you using a computer — which might be compromised — in any step of the selection of a password/passphrase that matters.
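The arithmetic behind a dice passphrase is simple enough to spell out, so here is an added Python example (mine, not EFF’s code) showing how five rolls of a six-sided die become one wordlist index and how much entropy each word contributes. In the real scheme you look the roll up in the printed list by hand; the code uses a constructed stand-in wordlist of the same size (6^5 = 7776 entries) so the lookup and the entropy calculation can be checked, and the example roll strings are made up.

```python
import math
from typing import List

# Constructed stand-in for a diceware wordlist: the EFF long list has one word
# per five-dice roll from 11111 to 66666, i.e. 6**5 = 7776 entries.
WORDLIST_SIZE = 6 ** 5
WORDLIST: List[str] = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]


def dice_to_index(rolls: str) -> int:
    """Map a five-dice roll such as '31426' to a 0-based wordlist index.

    Each die is a base-6 digit (face 1..6 -> digit 0..5), most significant
    die first, so '11111' -> 0 and '66666' -> 7775.
    """
    if len(rolls) != 5 or any(ch not in "123456" for ch in rolls):
        raise ValueError("need exactly five dice, each showing 1-6")
    idx = 0
    for ch in rolls:
        idx = idx * 6 + (int(ch) - 1)
    return idx


def passphrase_from_rolls(rolls: List[str], wordlist: List[str] = WORDLIST) -> str:
    """Join the words selected by a list of five-dice rolls."""
    return " ".join(wordlist[dice_to_index(r)] for r in rolls)


def entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of an n-word passphrase when each word is chosen uniformly by
    fair dice: n * log2(size). With 7776 words that is about 12.9 bits/word."""
    return n_words * math.log2(wordlist_size)
```

Six words from a 7776-entry list give roughly 77.5 bits, which is why the EFF instructions suggest that many. Note that the entropy figure assumes fair dice and uniform selection; it says nothing about a passphrase you “pick” yourself, which is exactly the trap the dice avoid.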
Internet companies have to generate thousands of strong keys per second for encrypted sessions. Cloudflare, for example, found a very groovy way to solve this problem: