Week6 Links
Mar 7, 2017
2 minutes read

Events and Conferences

Videos from Enigma 2017 are posted. I plan on watching Secrets at Scale: Automated Bootstrapping of Secrets & Identity in the Cloud,

turtles

Turtles all the way down” as the presentation quips.

Application Security

Wikileaks: CIA Hacking Tools Revealed received a strange reception. Top comments on the New York Times coverage seemed to be “spies are paid to spy, this is why we have the CIA, why is anyone surprised?”

The documents amount to a detailed, highly technical catalog of tools. They include instructions for compromising a wide range of common computer tools for use in spying: the online calling service Skype; Wi-Fi networks; documents in PDF format; and even commercial antivirus programs of the kind used by millions of people to protect their computers.

In one revelation that may especially trouble the tech world if confirmed, WikiLeaks said that the C.I.A. and allied intelligence services have managed to compromise both Apple and Android smartphones. […] By penetrating the user’s phone, the agency can make the encryption irrelevant by intercepting messages and calls before their content is encrypted, or, on the other end, after messages are decrypted.

A reminder that breaking encryption on the wire may not be the most direct route to discovering “clear-text” communications.

If anyone here has ever used a “web-based jailbreak kit” on an older generation iPhone, this was surely leveraging a remote code execution (RCE) vulnerability of the sorts that are suggested here.

The EFF points out that vuln-hoarding means software remains insecure:

The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices—including Android phones, iPhones, and Samsung televisions—that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we’re all made less safe by the CIA’s decision to keep – rather than ensure the patching of – vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

EPIC has more about VEP.


Attacking machine learning with adversarial examples is an unsettling survey of techniques that can really screw with machine learning software.

Adversarial examples have the potential to be dangerous. For example, attackers could target autonomous vehicles by using stickers or paint to create an adversarial stop sign that the vehicle would interpret as a ‘yield’ or other sign…

This was also presented at Enigma



Back to posts