Podcasts about nadim kobeissi

For several years, CryptoHack has been a free platform for learning modern cryptography through fun and challenging programming puzzles. From toy ciphers to post-quantum cryptography, CryptoHack has a wide-ranging and ever increasing library of puzzles for both the aspiring and accomplished cryptographer. On this episode, Nadim and Lucas are joined by Giacomo Pope and Laurence Tennant, the founders of CryptoHack, to discuss how the platform came to be, and how it evolved, as well as how to improve cryptographic pedagogy more broadly. Special Guests: Giacomo Pope and Laurence Tennant.

On April 19th 2022, Neil Madden disclosed a vulnerability in many popular Java runtimes and development kits. The vulnerability, dubbed "Psychic Signatures", lies in the cryptography for ECDSA signatures and allows an attacker to bypass signature checks entirely for these signatures. How are popular cryptographic protocol implementations in Java affected? What's the state of Java cryptography as a whole? Join Neil, Nadim and Lucas as they discuss. Music composed by Yasunori Mitsuda. Special Guest: Neil Madden.

Threema is a Swiss encrypted messaging application. It has more than 10 million users and more than 7000 on-premise customers. Prominent users of Threema include the Swiss Government and the Swiss Army, as well as the current Chancellor of Germany, Olaf Scholz. Threema has been widely advertised as a secure alternative to other messengers. Kenny, Kien and Matteo from the ETH Zurich Applied Cryptography Group present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice. Links and papers discussed in the show: * Three Lessons from Threema (https://breakingthe3ma.app/) Special Guests: Kenny Paterson, Kien Tuong Truong, and Matteo Scarlata.

It had to happen: “Blogchain” - that's blog, not block-chain - is a decentralized Substack competitor seeking to combine Web3 infrastructure with good writing. Built using IPFS and NEAR, the system hopes to free writers from the problems that have bedeviled Web2 creator platforms: politicization, unfair algorithms or writing for ad revenue, and not customers. Even getting paid will hopefully be easier, with crypto wallets. Of course the debate surrounding digital publishing isn't simply technical. It's also political and ideological. Will the blockchain empower free speech, or will communities find new architecture to moderate themselves? If centralized platforms are a thing of the past, what does the future of publishing look like? Nadim Kobeissi is a former adjunct professor in computer security at NYU Paris. After completing a PHD in cryptography, Kobeissi founded Capsule Social to explore what he calls “decentralized discourse.”

On this week's episode of The Encrypted Economy, our guests are Nadim Kobeissi, Co-founder of Capsule.Social and Anastasia Sazonova, Ukrainian Blogger. We explore Nadim's platform Capsule.Social, and the decentralized, censorship-resistant “Blogchain.” Be sure to subscribe to The Encrypted Economy for more insight on the innovations in Web 3.0 and tools that reinforce the free exchange of perspectives across the globe.Topics Covered:·       Introduction·       Nadim's Background·       Developing a Passion for Privacy Advocacy·       Defining Web 3.0·       Why Web 3.0 Matters·       Use Cases for Censorship Resistant Discourse on Web 3.0·       An Introduction to Capsule.Social  ·       Anastasia's background·       Discussing Anastasia's involvement in Blogchain   Resource List:·       Nadim's Website·       Capsule.Social Twitter·       Capsule.Social·       Blogchain·       Apple Photo Scanning Controversary ·       Z-Cash and Zero-Knowledge Proofs·       Ukraine Migrant Program ·       Mirror.XYZ·       Anastasia's Posts·       Resources for Understanding the Conflict in UkraineFollow The Encrypted Economy on your favorite platforms! Twitter LinkedIn Instagram Facebook 

Benjamin Wesolowski talks about his latest paper in which he mathematically proved that the two fundamental problems underlying isogeny-based cryptography are equivalent. Links and papers discussed in the show: * The supersingular isogeny path and endomorphism ring problems are equivalent (https://eprint.iacr.org/2021/919) * Episode 5: Isogeny-based Cryptography for Dummies! (https://www.cryptography.fm/5) Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guest: Benjamin Wesolowski.

La démarche adoptée par Forbidden Stories et Amnesty International pour formuler les accusations d'espionnage est-elle valide d'un point de vue scientifique et technique ? Dans Le Scan, le podcast d'actualité, interview du cryptographe Nadim Kobeissi.

A team of cryptanalysits presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, they show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time 240 GEA-1 evaluations and using 44.5 GiB of memory. The attack on GEA-1 is based on an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. This unusual pattern indicates that the weakness is intentionally hidden to limit the security level to 40 bit by design. Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2 (https://eprint.iacr.org/2021/819) Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guests: Gaëtan Leurent and Håvard Raddum.

TLS is an internet standard to secure the communication between servers and clients on the internet, for example that of web servers, FTP servers, and Email servers. This is possible because TLS was designed to be application layer independent, which allows its use in many diverse communication protocols. ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. Links and papers discussed in the show: * ALPACA Attack Website (https://alpaca-attack.com/) Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guests: Marcus Brinkmann and Robert Merget.

Nadim talks with Peter Schwabe and Matthias Kannwischer about the considerations — both in terms of security and performance — when implementing cryptographic primitives for low-level and embedded platforms. Links and papers discussed in the show: * Optimizing crypto on embedded microcontrollers (https://cryptojedi.org/peter/data/coins-20170830.pdf) * Implementing post-quantum cryptography on embedded microcontrollers (https://cryptojedi.org/peter/data/graz-20190917.pdf) * Optimizing crypto on embedded microcontrollers (ASEC 2018) (https://cryptojedi.org/peter/data/asec-20181210.pdf) Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guests: Matthias Kannwischer and Peter Schwabe.

Wi-Fi is a pretty central technology to our daily lives, whether at home or at the office. Given that so much sensitive data is regularly exchanged between Wi-Fi devices, a number of standards have been developed to ensure the privacy and authentication of Wi-Fi communications. However, a recent paper shows that every single Wi-Fi network protection standard since 1997, from WEP all the way to WPA3, is exposed to a critical vulnerability that allows the exfiltration of sensitive data. How far does this new attack go? How does it work? And why wasn't it discovered before? We'll discuss this and more in this episode of Cryptography FM. Links and papers discussed in the show: * Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation (https://papers.mathyvanhoef.com/usenix2021.pdf) * Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd (https://papers.mathyvanhoef.com/dragonblood.pdf) * Release the Kraken: New KRACKs in the 802.11 Standard (https://papers.mathyvanhoef.com/ccs2018.pdf) Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guest: Mathy Vanhoef.

Contact discovery is a core feature in popular mobile messaging apps such as WhatsApp, Signal and Telegram that lets users grant access to their address book in order to discover which of their contacts are on that messaging service. While contact discovery is critical for WhatsApp, Signal and Telegram to function properly, privacy concerns arise with the current methods and implementations of this feature, potentially resulting in the exposure of a range of sensitive information about users and their social circle. Do we really need to rely on sharing every phone number on our phone in order for mobile messengers to be usable? What are the privacy risks, and do better cryptographic alternatives exist for managing that data? Joining us are researchers looking exactly into this problem, who will tell us more about their interesting results. Links and papers discussed in the show: All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-3_23159_paper.pdf) Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guests: Alexandra Dmitrienko, Christian Weinert, and Christoph Hagen.

Nadim Kobeissi of the Capsule decentralised social media project describes the need for an alternative to the existing big-tech offerings and the reason the Internet Computer was chosen as a hosting layer. capsule.social Cycle_DAO.xyz

Secure multi-party computation is a fascinating field in cryptography, researching how to allow multiple parties to compute secure operations over inputs while keeping those inputs private. This makes multi-party computation a super relevant technology in areas such as code signing, hospital records and more. But what does it take to bring secure multi-party computation from the blank slate of academia and into the messiness of the real world? Today on Cryptography FM, we're joined by Dr. Yehuda Lindell and Dr. Nigel Smart, from Unbound Security, to tell us about their research, their experiences with real world secure multiparty computation, and more. Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guests: Nigel Smart and Yehuda Lindell.

On March 1st, 2021, a curious paper appeared on the Cryptology ePrint Archive: senior cryptographer Claus Peter Schnorr submitted research that claims to use lattice mathematics to improve the fast factoring of integers so much that he was able to completely “destroy the RSA cryptosystem” -- certainly a serious claim. Strangely, while the paper’s ePrint abstract did mention RSA, the paper itself didn’t. Two days later, Schnorr pushed an updated version of the paper, clarifying his method. Does Schnorr’s proposed method for “destroying RSA” hold water, however? Some cryptographers aren’t convinced. Joining us today is Leo Ducas , a tenured researcher at CWI, Amsterdam who specialises in lattice-based cryptography, to help us understand where Schnorr was coming from, whether his results stand on their own, and how the influence of lattice mathematics in applied cryptography has grown over the past decade. Links and papers discussed in the show: * Schnorr's ePrint submission (https://eprint.iacr.org/2021/232) * Leo Ducas's implementation of Schnorr's proposed algorithm in Sage (https://github.com/lducas/SchnorrGate) Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guest: Léo Ducas.

Zero-Knowledge proofs have broadened the realm of use cases for applied cryptography over the past decade, from privacy-enhanced cryptocurrencies to applications in voting, finance, protecting medical data and more. In 2018, Dr. Eli Ben-Sasson and his team introduced ZK-STARKs, a new zero-knowledge construction that functions without trusted setup, thereby broadening what zero-knowledge systems are capable of. We’ll talk about ZK-STARKs and more with Eli in this episode of Cryptography FM. Links and papers discussed in the show: * Scalable, transparent, and post-quantum secure computational integrity (https://eprint.iacr.org/2018/046.pdf) * Cairo Language (https://www.cairo-lang.org) * Cairo Workshop, 14-15 March 2021! (https://www.eventbrite.com/e/cairo-101-workshop-i-tickets-142918738795) Music composed by Toby Fox and performed by Sean Schafianski (https://seanschafianski.bandcamp.com/). Special Guest: Eli Ben-Sasson.

Hello and welcome to Sustain! On today's episode, we have special guest, Nadim Kobeissi, who runs a small company in Paris called Symbolic Software. We are going to find out how Nadim got into doing security and cryptography and all about his new project called Verifpal. We will also learn more about PEPP-PT effort, RustTLS's code, Cure53, and we discuss the effectiveness of the Code of Conduct. Download this episode to find out all this and much more! [00:00:45] Nadim tells us what Symbolic Software does and how he got into doing security and cryptography. He also tells us he's working on another project called Verifpal. [00:06:28] On the topic of Verifpal, Nadim tells if he plans on building services around that with his consultancy or if it's strictly use it at your own discretion. [00:08:45] Richard asks Nadim to talk about what's been going on in the world of cryptographically analyzing contract tracing apps and how they deal with privacy and what his thoughts are. He explains the PEPP-PT effort. [00:19:47] Richard talks about contact apps being very useful for authoritarian regimes and privacy issues with Zoom. Nadim has a story about what they are doing in China with drones. [00:25:20] Justin wants to know what Nadim did for RustTLS, how did he get paid, and what is Cure53? [00:31:02] Nadim tells us his thoughts of the effectiveness of COC (Code of Conduct). [00:40:17] Nadim has a great story about being approached while walking on the street by a Green Peace guy and Red Cross. [00:42:32] Nadim talks about technology and it doesn't have to be tribal and maybe it could be political. [00:43:40] Nadim lets us know where we could find him on the internet. Spotlight: [00:44:17] Justin's spotlight Youper-a pocket AI therapist. [00:44:35] Eric's spotlight is the resume.io. [00:45:00] Richard's spotlight is Moxie Marlinspike's website, specifically his yacht stories. [00:45:58] Nadim's spotlight is a book called, Database Internals: A Deep Dive into How Distributed Data Systems Work by Alex Petrov. Panelists: Richard Littauer Justin Dorfman Eric Berry Guest: Nadim Kobeissi Quotes: [00:02:41] "What government told you…no, no, no, I was just poking fun at the fact that we had really severe security vulnerabilities and the Australian government at one point issued an advisory." [00:18:29] "It confirms a lot of my worst fears in a way that's very visceral and dramatized with a multimillion-dollar budget behind it." [00:18:48] "There's a saying at Google that in order to get promoted at Google you have to create a chat app." [00:19:58] "A friend of mine was saying it looks like China has been particularly good at dealing with their population and COVID, and I'm like yeah, it's been really good at dealing with it if you only qualify certain amounts of people as citizens." [00:29:00] "Personally, I don't think I could have written code this good myself." [00:31:32] "The code of conduct, I don't think there's anything bad about them." [00:33:55] "As a maintainer of my own open source project, I would love to have a code of conduct for contributors." [00:35:38] "Putting a code into your repo doesn't do anything by itself most of the time." [00:39:53] "One final thing I feel that is a bit problematic is that you find yourself in a position where by simply having any criticism at all, you already have to defend yourself as not being morally in a gray area or criticizing some sort of greater good." [00:42:48] "There's a lot of tribalism that's entering open source software." *Links: * Nadim Kobeissi-Website (https://nadim.computer/) Cure53 (https://cure53.de/) Symbolic Software (https://symbolic.software/) Verifpal (https://verifpal.com/) DP3T-Decentralized Privacy-Preserving Proximity Tracing (https://github.com/DP-3T/documents) Pan-European Privacy-Preserving Proximity Tracing (https://en.wikipedia.org/wiki/Pan-European_Privacy-Preserving_Proximity_Tracing) Exposure Notification (https://en.wikipedia.org/wiki/Exposure_Notification) RustTLS (https://github.com/ctz/rustls) Youper (https://www.youper.ai/) Resume.io (https://resume.io/) Moxie Marlinspike Stories-Website (https://moxie.org/stories.html) Database Internals: A Deep Dive into How Distributed Data Systems Work by Alex Petrov (https://www.amazon.com/s?k=database+internals+a+deep+dive+into+how+distributed+data+systems+work&crid=2XN4QPC62PNB4&sprefix=database+internals%2Cfashion%2C153&ref=nb_sb_ss_i_4_18) Black Mirror-Netflix (https://www.netflix.com/title/70264888) Special Guest: Nadim Kobeissi.

Nadim Kobeissi is a researcher in applied cryptography and the director of Symbolic Software, a small applied cryptography research office in Paris where Nadim and his team develop new scientific analysis tools and perform security audits for the private sector. Previously, Nadim taught computer security at NYU Paris. Nadim obtained his Ph.D. in December 2018 after doing research at Inria Paris while being accredited by ENS Paris. Relevant links: Personal website: www.nadim.computer An Investigation Into PEPP-PT: https://nadim.computer/posts/2020-04-17-pepppt.html Twitter: https://twitter.com/kaepora Support the channel: Ko-Fi: https://ko-fi.com/decafquest Patreon: https://www.patreon.com/decafquest Twitter: https://twitter.com/Decafquest

Disclaimer: I'm not at my best today since been feeling a bit sick. I focused on bringing the episode out, so sorry for this weeks poor quality. This week Daniel and David talk about the code review of the SPN cryptography module. The auditor is Cure53 who already has reviewed big players in the scene, such as Bitwarden, Mullvad or OpenPGP. First hints of the result are also included. Enjoy the listen. Links - Auditor: Cure53 - https://cure53.de/ - Nadim Kobeissi - https://twitter.com/kaepora - Formal verification software by Nadim: https://verifpal.com/ - Our Crypto Library: Jess - https://github.com/safing/jess Participate What could we do better? Let us know how we can improve our podcast on reddit: - r/safing: https://reddit.com/r/safing Daniels Handles - https://twitter.com/dehaavi/ - https://github.com/dhaavi/ - https://reddit.com/user/dhaavi Davids Handles - https://twitter.com/davegson/ - https://github.com/davegson/ - https://reddit.com/u/davegson/

Nadim Kobeissi, a professor at NYU and director of a cryptography consulting firm, tells Jonathan Kay about the risks posed by Libra, Facebook's new cryptocurrency.

Nadim Kobeissi, a professor at NYU and director of a cryptography consulting firm, tells Jonathan Kay about the risks posed by Libra, Facebook's new cryptocurrency.

Show notes for Security Endeavors Headlines for Week 5 of 2019Check out our subreddit to discuss this week's headlines!​InfoSec Week 6, 2019 (link to original Malgregator.com posting)The Zurich American Insurance Company says to Mondelez, a maker of consumer packaged goods, that the NotPetya ransomware attack was considered an act of cyber war and therefore not covered by their policy.According to Mondelez, its cyber insurance policy with Zurich specifically covered “all risks of physical loss or damage” and “all risk of physical loss or damage to electronic data, programs or software” due to “the malicious introduction of a machine code or instruction.” One would think that the language in the cyber insurance policy was specifically designed to be broad enough to protect Mondelez in the event of any kind of cyber attack or hack. And NotPetya would seem to fit the definition included in the cyber insurance policy – it was a bit of malicious code that effectively prevented Mondelez from getting its systems back up and running unless it paid out a hefty Bitcoin ransom to hackers.Originally, Zurich indicated that it might pay $10 million, or about 10 percent of the overall claim. But then Zurich stated that it wouldn't pay any of the claim by invoking a special “cyber war” clause. According to Zurich, it is not responsible for any payment of the claim if NotPetya was actually “a hostile or warlike action in time of peace or war.” According to Zurich, the NotPetya cyber attack originated with Russian hackers working directly with the Russian government to destabilize the Ukraine. This is what Zurich believes constitutes "cyber war."https://ridethelightning.senseient.com/2019/01/insurance-company-says-notpetya-is-an-act-of-war-refuses-to-pay.html Reuters reports that hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients. According to investigators at cyber security firm Recorded Future, the attack was part of what Western countries said in December is a global hacking campaign by China’s Ministry of State Security to steal intellectual property and corporate secrets. Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order reach their clients.https://www.reuters.com/article/us-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUSKCN1PV141 A new vulnerability has been discovered in the upcoming 5G cellular mobile communications protocol. Researchers have described this new flaw as more severe than any of the previous vulnerabilities that affected the 3G and 4G standards.Further, besides 5G, this new vulnerability also impacts the older 3G and 4G protocols, providing surveillance tech vendors with a new flaw they can abuse to create next-gen IMSI-catchers that work across all modern telephony protocols.This new vulnerability has been detailed in a research paper named "New Privacy Threat on 3G, 4G, and Upcoming5G AKA Protocols," published last year.According to researchers, the vulnerability impacts AKA, which stands for Authentication and Key Agreement, a protocol that provides authentication between a user's phone and the cellular networks.The AKA protocol works by negotiating and establishing keys for encrypting the communications between a phone and the cellular network.Current IMSI-catcher devices target vulnerabilities in this protocol to downgrade AKA to a weaker state that allows the device to intercept mobile phone traffic metadata and track the location of mobile phones. The AKA version designed for the 5G protocol --also known as 5G-AKA-- was specifically designed to thwart IMSI-catchers, featuring a stronger authentication negotiation systemBut the vulnerability discovered last year allows surveillance tech vendors to create new models of IMSI-catchers hardware that, instead of intercepting mobile traffic metadata, will use this new vulnerability to reveal details about a user's mobile activity. This could include the number of sent and received texts and calls, allowing IMSI-catcher operators to create distinct profiles for each smartphone holder. https://www.zdnet.com/article/new-security-flaw-impacts-5g-4g-and-3g-telephony-protocols/ The Debian Project is recommending the upgrade of golang-1.8 packages after a vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery. In addition this update fixes two vulnerabilities in the “go get” command, which could result in the execution of arbitrary shell commands.https://www.debian.org/security/2019/dsa-4380 It is possible to trick user’s of the Evolution email application into trusting a phished mail via adding a forged UID to a OpenPGP key that has a previously trusted UID. It's because Evolution extrapolates the trust of one of OpenPGP key UIDs into the key itself. The attack is based on using the deficiency of Evolution UI when handling new identifiers on previously trusted keys to convince the user to trust a phishing attempt. More details about how the flaw works, along with examples are included in the article, which is linked in the show notes. Let’s take a minute to cover a bit of background on Trust Models and how validating identities work in OpenPGP and GnuPG:The commonly used OpenPGP trust models are UID-oriented. That is, they are based on establishing validity of individual UIDs associated with a particular key rather than the key as a whole. For example, in the Web-of-Trust model individuals certify the validity of UIDs they explicitly verified.Any new UID added to the key is appropriately initially untrusted. This is understandable since the key holder is capable of adding arbitrary UIDs to the key, and there is no guarantee that new UID will not actually be an attempt at forging somebody else's identity.OpenPGP signatures do not provide any connection between the signature and the UID of the sender. While technically the signature packet permits specifying UID, it is used only to facilitate finding the key, and is not guaranteed to be meaningful. Instead, only the signing key can be derived from the signature in cryptographically proven way.GnuPG (as of version 2.2.12) does not provide any method of associating the apparent UID against the signature. In other words, from e-mail's From header. Instead, only the signature itself is passed to GnuPG and its apparent trust is extrapolated from validity of different UIDs on the key. Another way to say this is that the signature is considered to be made with a trusted key if at least one of the UIDs has been verified.https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html If you’re up for some heavy reading about manipulation and deceit being perpetrated by cyber criminals, it may be worth checking out a piece from buzzfeednews. It tells a woeful and dark tale that does not have a happy ending. A small excerpt reads: “As the tools of online identity curation proliferate and grow more sophisticated, so do the avenues for deception. Everyone’s familiar with the little lies — a touch-up on Instagram or a stolen idea on Twitter. But what about the big ones? Whom could you defraud, trick, ruin, by presenting false information, or information falsely gained? An infinite number of individual claims to truth presents itself. How can you ever know, really know, that any piece of information you see on a screen is true? Some will find this disorienting, terrifying, paralyzing. Others will feel at home in it. Islam and Woody existed purely in this new world of lies and manufactured reality, where nothing is as it seems.”https://www.buzzfeednews.com/article/josephbernstein/tomi-masters-down-the-rabbit-hole-i-go Security researchers were assaulted by a casino technology vendor Atrient after responsibly disclosed critical vulnerabilities to them. Following a serious vulnerability disclosure affecting casinos globally, an executive of one casino technology vendor Atrient has allegedly assaulted the security researcher who disclosed the vulnerability at the ICE conference in London. The article covers the story of a vulnerability disclosure gone bad, one involving the FBI, a vendor with a global customer base of casinos and a severe security vulnerability which has gone unresolved for four months without being properly addressed.https://www.secjuice.com/security-researcher-assaulted-ice-atrient/ Article 13, the new European Union copyright law is back and it got worse, not better. In the Franco-German deal, Article 13 would apply to all for-profit platforms. Upload filters must be installed by everyone except those services which fit all three of the following extremely narrow criteria:Available to the public for less than 3 yearsAnnual turnover below €10 millionFewer than 5 million unique monthly visitorsCountless apps and sites that do not meet all these criteria would need to install upload filters, burdening their users and operators, even when copyright infringement is not at all currently a problem for them.https://juliareda.eu/2019/02/article-13-worse/ Researchers from Google Project Zero evaluated Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS. There are bypasses possible, but the conclusion says it is still a worthwhile exploitation mitigation technique.Among the most exciting security features introduced with ARMv8.3-A is Pointer Authentication, a feature where the upper bits of a pointer are used to store a Pointer Authentication Code (PAC), which is essentially a cryptographic signature on the pointer value and some additional context. Special instructions have been introduced to add an authentication code to a pointer and to verify an authenticated pointer's PAC and restore the original pointer value. This gives the system a way to make cryptographically strong guarantees about the likelihood that certain pointers have been tampered with by attackers, which offers the possibility of greatly improving application security.There’s a Qualcomm white paper which explains how ARMv8.3 Pointer Authentication was designed to provide some protection even against attackers with arbitrary memory read or arbitrary memory write capabilities. It's important to understand the limitations of the design under the attack model the author describes: a kernel attacker who already has read/write and is looking to execute arbitrary code by forging PACs on kernel pointers.Looking at the specification, the author identifies three potential weaknesses in the design when protecting against kernel attackers with read/write access: reading the PAC keys from memory, signing kernel pointers in userspace, and signing A-key pointers using the B-key (or vice versa). The full article discusses each in turn.https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html There is a dangerous, remote code execution flaw in the LibreOffice and OpenOffice software. While in the past there have been well documented instances where opening a document would result in the executing of malicious code in paid office suites. This time LibreOffice and Apache’s OpenOffice are the susceptible suites. The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific python library bundled within the software using a hidden onmouseover event.To exploit this vulnerability, the researcher created an ODT file with a white-colored hyperlink (so it can't be seen) that has an "onmouseover" event to trick victims into executing a locally available python file on their system when placing their mouse anywhere on the invisible hyperlink.According to the researcher, the python file, named "pydoc.py," that comes included with the LibreOffice's own Python interpreter accepts arbitrary commands in one of its parameters and execute them through the system's command line or console.https://thehackernews.com/2019/02/hacking-libreoffice-openoffice.html Nadim Kobeissi is discontinuing his secure online chat Cryptocat. The service began in 2011 as an experiment in making secure messaging more accessible. In the eight ensuing years, Cryptocat served hundreds of thousands of users and developed a great story to tell. The former maintainer explains on the project’s website that other life events have come up and there’s no longer available time to maintain things. The coder says that Cryptocat users deserve a maintained secure messenger, recommends Wire.The Cryptocat source code is still published on GitHub under the GPL version 3 license and has put the crypto.cat domain name up for sale, and thanks the users for the support during Cryptocat's lifetime.https://twitter.com/i/web/status/1092712064634753024 Malware For Humans is a conversation-led, independent documentary about fake news, big data, electoral interference, and hybrid warfare. Presented by James Patrick, a retired police officer, intelligence analyst, and writer, Malware For Humans covers the Brexit and Trump votes, the Cambridge Analytica scandal, Russian hybrid warfare, and disinformation or fake news campaigns.Malware For Humans explains a complex assault on democracies in plain language, from hacking computers to hacking the human mind, and highlights the hypocrisy of the structure of intelligence agencies, warfare contractors, and the media in doing so. Based on two years of extensive research on and offline, Malware For Humans brings the world of electoral interference into the light and shows that we are going to be vulnerable for the long term in a borderless, online frontier. A complete audio companion is available as a separate podcast, which can be found on iTunes and Spotify as part of The Fall series and is available for free, without advertisements.https://www.byline.com/column/67/article/2412 Security Endeavors Headlines is produced by SciaticNerd & Security Endeavors with the hope that it provides value to the wider security community. Some sources adapted for on-air readability.Special thanks to our friends at malgregator dot com, who allow us to use their compiled headlines to contribute to show’s content. Visit them at Malgregator.com. Additional supporting sources are also be included in our show notesWhy not start a conversation about the stories from this week on our Subreddit at reddit.com/r/SEHLMore information about the podcast is available at SecurityEndeavors.com/SEHL Thanks for listening and we'll see you next week!

This week, Gabriella Gricius reached out to two experts, James Gong and Nadim Kobeissi, to get their insights on what the Chinese Firewall is. We answer your questions on how it affects you, the population of China and what that means for the Internet of Things. If you enjoyed our podcast, please subscribe via Apple Podcasts, Stitcher, or Soundcloud and leave us reviews and comments at dosageofrepartee@gmail.com or on our website at www.sub-stances.com

La surveillance à l'ère Trump, AdultFriendFinder compromis et le marché des faux Likes sur Facebook

Datassette presents a series of mixes intended for listening while programming to focus the brain and inspire the mind (also compatible with other activities).

Datassette presents a series of mixes intended for listening while programming to aid concentration and increase productivity (also compatible with other activities).