Notices by Dan Goodin (dangoodin@infosec.exchange)

@GossiTheDog

I dunno. I think they were going to provide some sort of explanation or account of what happened (likely whitewashy or handwavy).

@GossiTheDog

When I asked Oracle for comment, a PR person responded and offered a comment on the condition I not attribute it in any way to Oracle. When I said no, the PR person said Oracle was declining to comment.

#radicalopacity

Here's the latest on XiaoFeng Wang, the a distinguished computer scientist who was summarily fired on Friday from his tenured position at Indiana University, where he had spent 20 years racking up accolades for his research in cryptography, privacy and cybersecurity. It comes from Alexander Tanford, president of the Bloomington chapter of the AAUP, the union representing IU professors, and colleagues of Wang's.

In February, an anonymous person filed a complaint alleging research misconduct against Wang. "The charge seemed trivial -- that he had failed to properly disclose who was principal investigator on a grant application and had not fully listed all his co-authors on an article," Tanford told me.

On March 13 or 14, IU temporarily suspended Wang, banned him from his office and denied access to his computer, research and data while the investigation continued. This is permitted under IU's research misconduct policy. The reasons, though, aren't publicly known.

On March 28, Provost Rahul Shrivastav informed Wang he was being terminated immediately. Shrivastav provided no reason (he mentioned Wang taking a job at a university in Singapore, but this is permitted and not grounds for dismissal). What's more, policy ACA-52, approved by the IU Board of Trustees, prohibits summarily firing a tenured professor.

Also on March 28, homes that Wang owns in Bloomington and Carmel, Indiana, were raided by the FBI. The FBI says the raids were court approved, but so far no one has seen a warrant. The US Attorney's Office for the Southern District of Indiana will neither confirm nor deny an investigation.

Indiana University has steadfastly refused to provide any reason for the termination or its failure to follow its own policy. Students and fellow faculty remain in the dark. His PhD students are frantically scrambling to find new advisors. One such student learned of Wang's firing only a few weeks before his PhD defense.

I reached out to Wang's attorneys 24 hours ago, and still haven't heard back.

We really need answers here. IU is tarnishing its reputation for academic independence. The lack of transparency here, both by IU and the FBI, truly sucks.

https://arstechnica.com/security/2025/03/computer-scientist-goes-silent-after-fbi-raid-and-purging-from-university-website/

The American Association of University
Professors is reminding Indiana University's provost that as a tenured professor, XiaoFeng Wang is entitled to due process. The university, meanwhile, is maintaining radio silence, which isn't a good look to prospective students considering attending.

https://aaup.sitehost.iu.edu/reports/AAUP_March_31_Letter_Shrivastav.pdf

@taoeffect

Google specifically says keys are not stored on their server.

https://support.google.com/a/answer/14328489#zippy=%2Chow-is-cse-different-from-end-to-end-ee-encryption%2Chow-do-users-encrypt-data-using-cse%2Care-there-any-limitations-for-users-when-using-cse%2Cwhich-partner-key-management-services-can-i-use-with-cse%2Ccan-i-use-google-as-my-key-management-service%2Ccan-i-use-multiple-key-services%2Ccan-i-use-smart-cards-with-cse%2Ccan-i-use-both-a-key-service-and-hardware-encryption-keys-for-gmail

Can anyone with deep knowledge of end-to-end encryption help me unpack Google's new E2EE offering for Workspace users?

First of all, how is it true E2EE if it's using Google's Client Side Encryption?

Second, how does it work? Sounds like organization stores keys in a cloud service, and when an employee in said organization wants to send an encrypted email, their browser downloads a public key from the cloud service, encrypts the message, and then it's sent to the recipient. Am I right so far?

It's not clear to me how the message gets decrypted on the other side. Is it decrypted on Google's server, in the recipient's browser or email client, something else?

All in all, how useful will this be to organizations? And might there be a way for individuals to use it someday?

TIA.

https://workspace.google.com/blog/identity-and-security/gmail-easy-end-to-end-encryption-all-businesses

A prominent computer scientist who has spent 20 years publishing academic papers on cryptography, privacy, and cybersecurity has gone incommunicado, had his professor profile, email account, and phone number removed by his employer Indiana University, and had his homes raided by the FBI. No one knows why.

#XiaofengWang Xiaofeng Wang

https://arstechnica.com/security/2025/03/computer-scientist-goes-silent-after-fbi-raid-and-purging-from-university-website/

For the first time, academic researchers have devised a means to create computer-generated prompt injections against Gemini that have much higher success rates than manually crafted ones.

https://arstechnica.com/security/2025/03/gemini-hackers-can-deliver-more-potent-attacks-with-a-helping-hand-from-gemini/?comments-page=1#comments

@ryanc

🤣

Since there my past queries failed to find any viable alternatives to Slack (no, Zulip, PGP on top of Slack, Mattermost, Matrix, Signal, etc. aren't suitable replacements for my union; see thread for why) does anyone have suggestions for how I can minimize the risks and downsides of using it?

People knowledgeable about EVs: what brand/model is far superior to a Tesla and why? I've been showing up to the local dealership and trying to talk people going inside to reconsider. I want to step up my elevator pitch by giving them useful, accurate info about better alternatives.

@Infoseepage @ithoughtisawa2

Are you also calling out 404 media and several of its journalists for continuing to use the evil bird site?

@Infoseepage @ithoughtisawa2

I'm sure you think people who bought Tesla solar inverters and batteries should also rip those out and just go back to nonrenewables if they can't afford replacements from Enphase, right?

To follow up on yesterday's discussions about privacy implications of Cloudflare detecting the use of reused passwords in traffic passing through its infrastructure, Cloudflare has disclosed this practice previously. The protocol behind this check, known as Might I Get Pwned (in a nod to @troyhunt), was described in a 2022 Usenix paper called Might I Get Pwned:
A Second Generation Compromised Credential Checking Service. It devises what it claims is a privacy-preserving way to check for credential reuse. It involves comparing hashes. Cloudflare says passwords are never logged.

I'm home recovering from a Covid infection, so I don't have the energy to dig into this any deeper right now. I am interested in responses from people qualified to evaluate the privacy-preservation claims, including @benjojo @cR0w @Viss and @matthew_d_green

Relevant links:

https://arxiv.org/pdf/2109.14490

https://blog.cloudflare.com/helping-keep-customers-safe-with-leaked-password-notification/

https://blog.cloudflare.com/privacy-preserving-compromised-credential-checking/

Once again, the self-destructive stridency of lefties on full display. Threatening the lives of people who may or may not have bought a Tesla at some point is NOT the way you fight fascism.

https://www.404media.co/dogequest-site-claims-to-dox-tesla-owners-across-the-u-s/

Open-source software used by more than 23,000 organizations, some of them in large enterprises, was compromised with credential-stealing code after attackers gained unauthorized access to a maintainer account, in the latest open-source supply-chain attack to roil the Internet.

https://arstechnica.com/information-technology/2025/03/supply-chain-attack-exposing-credentials-affects-23k-users-of-tj-actions/

I think people are also making too much of the recent fall in the broader stock markets. Prices go down, and they go up. Yes, since the orange felon took office, the S&P 500, Dow Jones and NASDAQ are all down. But slumps like these happened under Biden, too, and they happened under other presidents. For instance, in November 2022, as the US was going into the midterm elections, the S&P was down by more than 1% since Biden had taken office more than 2 years earlier.

No matter our politics, we all live in bubbles. We make hay when things look bad for our opponents. We are more open-minded when things look bad for the people we support. If we on the left don't want to keep getting beat, we need to be smarter and more rigorous in our thinking.

Elmo critics: don't gloat too much about the recent declines in Tesla stock. Shares of this company have always been volatile, so a 32% drop since the beginning of the year says little. Share prices as of today are still 24% higher than 6 months ago, 44% higher than this time last year, and more than 5-fold higher over 5 years. Shares could surge again. It's way too early to declare any sort of victory or comeuppance.

@GossiTheDog

So, an attacker who gets access to a hypervisor in, say, GM's network also gets access in Ford's network? I don't think that's what you mean, but that's how it sounds to me.

@GossiTheDog

OK, thanks, Kevin. Is it fair to compare accessing the hypervisor to gaining control over an Active Directory?