Profile

Cover photo
Sean M
AboutPosts

Stream

Sean M

Shared publicly  - 
 
Signal vs WhatsApp vs Allo

Review of the pros and cons between three messaging apps.

Signal provides the best assurances but its adoption is small. 
Both Signal and WhatsApp are encrypted, but Signal takes extra steps to keep your chats private.
1
1
Gianmario Scotti (Mario)'s profile photoSean M's profile photo
2 comments
Sean M
+
1
2
1
 
The EFF should be releasing an updated messaging scorecard at some point.

Telegram seems like a decent option if you configure it properly.
http://www.relativisticramblings.com/ramblings/telegram-vs-signal/

Personally, I am waiting for the updated ChatSecure app to be released, along with their more user-friendly spinoff. It doesn't require a phone # so it provides a better level of "anonymity" and separation from a specific phone. 
Add a comment...

Sean M

Shared publicly  - 
 
 
Ken Thompson would be proud. Or mortified.
Reader edxwelch writes: Reddit user sammiesdog discovered recently that Visual Studio 2015 C++ compiler was inserting calls to a Microsoft telemetry function into binaries. "I compiled a simple program with only main(). When looking at the compiled binary in IDA, I see a call for telemetry_main_invo...
2 comments on original post
1
Add a comment...

Sean M

Shared publicly  - 
 
Project Fi: Now Includes US Cellular

US Cellular now apart of the Project Fi network.
3
Add a comment...

Sean M

Shared publicly  - 
 
Yubikey 4 is Closed Source

Unfortunately, the Yubikey NEO is the most recent option with open source and auditable software.

Use the Yubikey 4 at your own risk. I personally will not be expanding my +Yubico​ collection and will not recommend them to friends that need high security options.

Per +Dain Nilsson​​ (Yubico), we're supposed to trust their software review process.
 
For those of you that use the yubico key
Just learned that the @Yubico YK4 code isn't open source. Very disappointing, trust--. Heads up @tykeal/@zxiiro. https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368 … GitHub. Support more key sizes · Issue #2 · Yubico/ykneo-openpgp. Currently the applet only supports RSA ...
View original post
1
1
Add a comment...

Sean M

Shared publicly  - 
 
Gaining CPU Supervisor Privileges Through Chip Design

Trusted computing is hard. This research demonstrates an attack that should really nullify any thoughts people may have about defending themselves against the super powers. If the super powers want in then they'll get in.
 
This is the most demonically clever computer security attack I've seen in years. It's a fabrication-time attack: that is, it's an attack which can be performed by someone who has access to the microchip fabrication facility, and it lets them insert a nearly undetectable backdoor into the chips themselves. (If you're wondering who might want to do such a thing, think "state-level actors")

The attack starts with a chip design which has already been routed -- i.e., it's gone from a high-level design in terms of registers and data, to a low-level design in terms of gates and transistors, all the way to a physical layout of how the wires and silicon will be laid out. But instead of adding a chunk of new circuitry (which would take up space), or modifying existing circuitry significantly (which could be detected), it adds nothing more than a single logic gate in a piece of empty space.

When a wire next to this booby-trap gate flips from off to on, the electromagnetic fields it emits add a little bit of charge to a capacitor inside the gate. If it just happens once, that charge bleeds off, and nothing happens. But if that wire is flipped on and off rapidly, it accumulates in the capacitor until it passes a threshold -- at which point it triggers that gate, which flips a target flip-flop (switch) inside the chip from off to on.

If you pick a wire which normally doesn't flip on and off rapidly, and you target a vulnerable switch -- say, the switch between user and supervisor mode -- then you have a modification to the chip which is too tiny to notice, which is invisible to all known forms of detection, and if you know the correct magic incantation (in software) to flip that wire rapidly, will suddenly give you supervisor-mode access to the chip. (Supervisor mode is the mode the heart of the operating system runs in; in this mode, you have access to all the computer's memory, rather than just to your own application's)

The authors of this paper came up with the idea and built an actual microchip with such a backdoor in it, using the open-source OR1200 chip as their target. I don't know if I want to guess how many three-letter agencies have already had the same idea, or what fraction of chips in the wild already have such a backdoor in them.

As +Andreas Schou said in his share, "Okay. That's it. I give up. Security is impossible."
190 comments on original post
6
2
Add a comment...

Sean M

Shared publicly  - 
 
Review Blocked Accounts

Google has released a central location for reviewing blocked accounts, so you no longer need to dig around to unblock someone.
 
We just recently rolled out a new section of My Account - a list of the accounts you've blocked.

No more jumping through hoops to find someone if you need to unblock them, or to check if you already have someone blocked. Just visit https://myaccount.google.com and click on "Your personal info" -> "Blocked users" to open the list.

Want to unblock someone? Find them in the list and click the 'X' next to their name.

Note that you can't create blocks from My Account. New blocks are created in the products where you interact with people. This helps avoid blocking the wrong account: as it turns out there are a lot of people with similar names out there. We put the 'create block' option in places like G+ post menus or Hangouts conversation options so you know exactly who you'll be blocking.
17 comments on original post
1
Add a comment...

Sean M

Shared publicly  - 
 
 
Today we're taking a stand against unchecked government hacking. Join us.
Join me. Tell Congress that U.S. government agents shouldn’t use an obscure loophole in the law to hack into our computers. https://noglobalwarrants.org
3 comments on original post
2
Add a comment...

Sean M

Shared publicly  - 
 
VM TLS Key Extraction by Hypervisors

Bitdefender researchers have developed the ability to extract encryption keys from virtualized machines. This means that even if a connection is secured using TLS the security the connection can be compromised if one or both ends of the connection are running on top of a hypervisor.

Bad day for proponents of the security of cloud services and virtualization.

Via +Adam Liss​​​
Bitdefender researchers have demonstrated a proof of concept that encrypted communications can be decrypted in real-time via new TeLeScope technique.
2
5
Sean M's profile photoMaxime Dor's profile photoJohn Bump's profile photo
9 comments
 
If you have physical access, you're generally screwed anyway, but memory randomization and encryption go quite a ways. (Interestingly, there are some hardware systems specifically designed to detect intrusion and scramble memory, including ones that target/sense cryogenic freezing.)
Add a comment...

Sean M

Shared publicly  - 
 
EU and "Privacy"

The EU is doing a lot to champion privacy but they keep going too far, and setting dangerous and unrealistic policy.

The Right to be Forgotten is turning into a tool for global censorship. Why should France be able to dictate US search results? Worse, if allowed to grow, repressive regimes, such as Turkey, Russia, or China, could dictate search results in the EU or US. A race to the bottom in freedom.
 
I find this short article about trends in data protection and privacy regulation in the EU very interesting, and highly worth reading and considering for anyone who cares about this subject.

(I will not be commenting on the body of this, but simply raise this to your attention)
47 comments on original post
1
Add a comment...

Sean M

Shared publicly  - 
 
Don't Paste into a Terminal

TL;DR safe way to behave is to "... paste anything you copy from a web page into something that can’t run commands, like NOTEPAD or TextEdit and examine it first."
Just when you thought it was safe to delve into your clipboard.
3
9
Add a comment...

Sean M

Shared publicly  - 
 
Haha! The Metric system is so confusing!
3
1
Add a comment...

Sean M

Shared publicly  - 
 
Android Media Server Hardening

Google is moving to breakup media server code into smaller chunks so that least privilege is easier to implement. The development team is moving from a monolithic codebase to smaller, more focused sandboxes that have less privileges.

It is good to see Google doing something about mediaserver which has excessive access to Android, and is open to so many attacks. 
2
1
Add a comment...
Work
Occupation
IT Guy
Links
YouTube
Basic Information
Gender
Male