Remember, kids: The “S” in “IoT” stands for safety.
I’ve just finished Yuval Harari’s “Nexus”, which I bought on a recommendation. I was not used to thinking of information networks in the way he describes. I think he’s constructed a useful framework for thinking about the topic and how social networks such as autocracies, religion and democracies are enabled by and deal with information flow and information technology. I’m a little disappointed in the analysis of the weaknesses of democracies in the face of social media and bots, and his working definition of “AI” is a little blinkered, IMO. I found the book a little thin on badly-needed feasible prescriptions.
Apropos that “surveillance state” story, Harari does highlight one major weakness of autocracies: when it comes to information management and analysis, they work in trees, consolidating information and controlling at the root. That makes them vulnerable at that root in ways they have manifest for millennia.
If “entrepreneurs” are busy selling data which the state has mandated be collected then that could eventually be a big threat to the power at the top. Not only could data be leaked that compromises Party control, but data could be contaminated to mislead Party strategy.
The breach happened on September 30 and the company didn’t notice until a full month and a half later. A lot of things can happen in a month and a half.
The techbros pushing back against regulations and security while promoting plans like these are probably counting on that (pun intended):
58,000 customer’s information.
They had that many customers???
Well, duh.
Companies that use toll by plate might start using other methods to compare the make/model of the car to the plate number to reduce billing errors caused by fraud. The systems that manage physical plate numbers need a lot of work for another reason, too. Billing (or mailing anything) should end after the plates are returned. It’s not that difficult to check the date when that happened:
Toll companies in multiple US regions have databases that link drivers to every plate number they’ve ever registered. With some states forcing more frequent replacement, this seems like a recipe for billing errors to increase.
Wow, this is a well executed social hack…
According to tripwire.com’s Graham Cluely, phishers will use Google Forms to create a security alert message, and then change the form’s settings to automatically send a copy of the completed form to any email address entered into the form. The attacker then sends an invitation to complete the form to themselves, not to their intended victim.
“So, the attacker receives the invitation to fill out the form – and when they complete it, they enter their intended victim’s email address into the form, not their own,” Cluely wrote in a December 2023 post. “The attackers are taking advantage of the fact that the emails are being sent out directly by Google Forms (from the google.com domain). It’s an established legitimate domain that helps to make the email look more legitimate and is less likely to be intercepted en route by email-filtering solutions.”
Basically they are tricking Google Forms, AI and account recovery into complicity in the attack.
Another reason to work up the escape velocity to get out of the Google orbit.
Huh. Got some paypal phishes that managed to fool my DKIM plugin into thinking they were actually from paypal.
I always choose non-SMS based MFA when available, but so few companies seem to offer anything else. Apps are the best option, yet they aren’t available in most cases.
My Swiss bank, for all retail customers, in the 90’s, gave you a calculator. When you put your chip-and-PIN bank card in card reader of the calculator, you entered your PIN. You would then type in the challenge you got, after logging into the bank web site, and return the response.
A FIDO2 / Yubikey would be my first choice these days, at least for convenience. I would personally prefer one manufactured in the west. I assume that phones themselves are back-doored at the hardware or firmware level.
What?! Your paranoid!! Yes, but I’m usually right and since it’s possible, it will happen.
SMS authentication… I’ll have to dig through my notes but IIRC that’s been identified for a long time as a vulnerability.
Edit: I wish I could take the FBI notice back to ~ 1993 and rub a few noses in it.
Meanwhile my online-only bank just recently upgraded from single factor 6-digit PIN to 6-digit PIN + SMS authentication.
phones themselves are back-doored
This, of course, leads me to wonder how badly the got into the phone back doors that are probably there under the same CALEA mandate, or a related regulation.
As long as SIMjacking has been a thing, SMS has been a shitshow for 2FA. One-time password generators are better (TOTP has issues), challenge/response ones work better, and passkeys are super spiffy.
That’s still three factors, is the PIN functionality available in an app?
A PIN and a phone number capable of receiving a code is 2 factors. Where’s the third?