Notices by Chester Wisniewski (chetwisniewski@securitycafe.ca)

What if AT&T had MFA enabled on their Snowflake... and were SIM swapped?

@GossiTheDog @campuscodi I did an analysis at RSA 6 years ago on who hosts the bad... https://youtu.be/FQLlt-7gsYI?si=iuXrCpLn1VVvgBfc

@GossiTheDog Yes, this happens a lot too.

@GossiTheDog we see the same last I checked. You don't need to believe me either, but I believe it is true.

@GossiTheDog This whole thing feels like a desperate ploy to explain to people why they should throw out their PCs to get a new one with an "NPU". Don't want, don't need. They have to include something that "requires" it, even though as already proven, it isn't even needed for this.

@GossiTheDog @Quinnypig Everyone gives me the side eye for running my own mail server, IRC, nextcloud, etc. I have seen this play before and it ends in tears. Trust no one.

@Techmeme Hadn't this already been debunked?

@GossiTheDog @metlstorm I'm surprised this was effective considering many more ransomware crews are doing "remote ransomware", effectively running the encryption on an unprotected device and connecting to the shares over the network. Would work against Netware shares as well as anything else...

Looks like Lush Cosmetics were victims of Akira as they have appeared on their leak site. Akira has exploited unpatched Cisco ASA VPNs in the past, wondering if the same here? They use them according to Shodan data.

It's getting harder and harder to not publicly say critical things about the competition...

Great! TransUnion, whom I have the pleasure of receiving free credit monitoring from due to the MGM Casino breach in Sept, has a policy of only allowing 15 characters or less. Not like anything important is on the line or anything. Oh, they get bonus points for letting me skip the password with a trivial security question! #InfoSec #NotAFeature @boblord @thorsheim

@atomicpoet @iameli It sounds good, but I don't see it being possible without compromising many people's safety. Suggesting it is safe without having studied the underlying risks is dangerous and irresponsible. (2/2)

@atomicpoet @iameli federation by definition will decrease security and privacy. We all want a pony, but it's just not possible. Side channel attacks, differential communication analysis, key distribution/generation and many other issues make federation a dangerous compromise.

We would all like CSAM to be eliminated, but it isn't possible to have secure & private communication and yet still scan for it. Similarly federation requires compromises that would put many people at risk. (1/2)

@atomicpoet @iameli I'm sure the women and minorities who will be stalked and harassed when their privacy is impacted by your proposed solution will find solace in the world being a more just place.

@atomicpoet @iameli I don't disagree, but you are making a decision for others. You are asking they sacrifice their safety and security to achieve some misinformed version of fairness. My 30 years of working in security and privacy tell me this is a very bad way to solve the problem you are trying to solve. You are trying to reinvent SMS, which we already have and is already terrible.

@atomicpoet @iameli Being a zealot helps no one. Understanding risks, benefits and politics are all important factors. Spreading misinformation and then insisting that people should work harder to achieve likely impossible goals is not helping anyone.

Is Meta evil? Absolutely. Is federation the answer to all problems? Absolutely not. Stick to what you know and work to help people make better choices.

@atomicpoet What? I'm quite sure that WhatsApp uses the Signal protocol these days.

@atomicpoet I don't think Federation is really possible with secure protocols like Signal. WhatsApp apparently completed the transition in 2016 https://signal.org/blog/whatsapp-complete/