(From the Register article) DeFi stands for decentralised finance. Protocols like Poly Network allow cryptocurrency traders to exchange digicash across various blockchains; they can be used to swap Bitcoin for Ethereum, for example.

Hmmm… :thinking:

Bruce Schneier in Disrupting Ransomware by Disrupting Bitcoin

First, the criminal needs to take efforts to conceal the bitcoin.

Modern bitcoin tracing tools make [simple bitcoin] money laundering trick[s] ineffective. Instead, the modern criminal does something called “chain swaps.”

In a chain swap, the criminal transfers the bitcoin to a shady offshore cryptocurrency exchange.

Once on this alternate exchange, the criminal sells his bitcoin and buys some other cryptocurrency like Ethereum, Dogecoin, Tether, Monero, or one of dozens of others. They then transfer it to another shady offshore exchange and transfer it back into bitcoin. Voila ­ — they now have “clean” bitcoin.

Dots connected… I thought this whole DeFi thing had a niff to it.

1 Like

Thief hands back at least a third of $600m in crypto-coins stolen from Poly Network


Poly Network said the crook was able to interfere with the execution of smart contracts – typically, small programs that automatically run to fulfill agreements between parties – that are used by the platform to exchange people’s tokens and coins. Funds were not extracted directly from digital wallets.

You can find more technical detail here by security analysts Slowmist, and here by blockchain watchers Chainalysis.


I was offered $500k as a thank-you bounty for pilfering $600m from Poly Network, says crypto-thief

The mysterious miscreant who exploited a software vulnerability in Poly Network to drain $600m in crypto-assets, claims the Chinese blockchain company offered them $500,000 as a reward for discovering the weakness.





adventure time table flip GIF


Un-carrier? Definitely Unsecure: T-Mobile US admits 48m customers’ details stolen after downplaying reports


Apple’s NeuralHash Algorithm Has Been Reverse-Engineered - Schneier on Security

Early tests show that it can tolerate image resizing and compression, but not cropping or rotations.


Not “reverse engineered” as such. It has been extracted from iOS 14.3, where it was already, unannounced, and put in a test harness. The investigators demonstrated two images, quite distinct, with the same hash, which means Bad Guys can launch DOS attacks by generating n → ∞ matching images and overloading the manual verification.

From the blog Comments:

One wonders if Apple’s client-side scanning isn’t ultimately intended for markets where false positives are even less of an issue than in the US and the technology is merely being labelled as anti-pedophilia for western consumption.

:bell::bell::bell: … well duh … there are major “markets” in jurisdictions where not having a back door would be considered “obstruction of justice”.

One is also led to suspect that Apple announced its Neural Hash/CSAM protection thing as cover when they knew the algorithm was about to be outed.

Edit: Apple claims to have mitigation strategies. I suspect the hashes of images of interest will leak eventually. Cross posted to “Apple Privacy Issues”.


One is also led to suspect that Apple announced its Neural Hash/CSAM protection thing as cover when they knew the algorithm was about to be outed.

Further thought: it would be interesting to find out if any other Apple sub-systems send a quiet, probably well hashed, note to the Mother Ship when they encounter text of interest (the ghost, no doubt, of the old NSA Line Eater of days of yore).

Again, assume that anything that is technically feasible and deemed to be of sufficient value is actually being done, if not by Our Team then almost certainly by Their Team. Moral/legal/security judgments or personal feelings on said activity are a separate issue.


I really do not feel like learning how to do deep packet inspection against “myself”.



I find the whole situation with state and commercial surveillance, NSO and friends, beyond egregious. We’re left trying to secure our lives and our businesses against an infrastructure fundamentally designed with the goal of making us vulnerable, be it to commercial suasion for profit, or to state oversight in the name of preventing Bad Things.

Pluralistic July 27, 2021: The infosec apocalypse is nigh. Edit: No, re-read CD’s piece, he’s right.

The few times I’ve talked to our :canada: Privacy Commissioner’s office, it appears there is little will to reign it all in. The idea that surveillance shouldn’t be a business model seems hard for them to swallow, probably in part because it is feeding (functionally sacrosanct) state surveillance, but also because it is employing a lot of people and there’s no political will to use that human potential in more useful ways.


We’re left trying to secure our lives and our businesses against an infrastructure fundamentally designed with the goal of making us vulnerable

…which, to no-one’s surprise, is a blade with two edges…

Bloomberg, Cybersecurity
Hackers Release Data Trove From Belarus in Bid to Overthrow Lukashenko Regime
Pilfered data includes lists of alleged police informants and information on government spies.
By Ryan Gallagher
August 24, 2021, 8:37 a.m. EDT

(via Pluralistic)


Microsoft Azure cloud vulnerability is the ‘worst you can imagine’

“We are not aware of any customer data being accessed because of this vulnerability.”
- says company unaware for two years of massive vulnerability.


Bumble fumble: Dude divines definitive location of dating app users despite disguised distances

Up until this year, dating app Bumble inadvertently provided a way to find the exact location of its internet lonely-hearts, much in the same way one could geo-locate Tinder users back in 2014.

In a blog post on Wednesday, Robert Heaton, a security engineer at payments biz Stripe, explained how he managed to bypass Bumble’s defenses and implement a system for finding the precise location of Bumblers.

“Revealing the exact location of Bumble users presents a grave danger to their safety, so I have filed this report with a severity of ‘High,’” he wrote in his bug report.



Azure’s now-fixed Cosmos DB flaw could have been exploited to read, write any database

Infosec outfit Wiz has revealed that Microsoft’s flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access – including the ability to read, write, and delete data – to any Cosmos DB instance on Azure. Without authorization. For months.




If you store anything important in Azure, you should consider it compromised.


Leaked Guntrader firearms data file shared. Worst case scenario? Criminals plot UK gun owners’ home addresses in Google Earth

The names and home addresses of 111,000 British firearm owners have been dumped online as a Google Earth-compatible CSV file that pinpoints domestic homes as likely firearm storage locations – a worst-case scenario for victims of the breach.

As an exercise in amplifying a data theft to levels that endanger public safety, the latest evolution of the Guntrader database break-in is likely to become an infosec case study in how security breaches can become worse over time as stolen information is put to ever more intrusive uses.

Leaked online last week via an animal rights activist’s blog, the stolen reformatted Guntrader database was explicitly advertised as being importable into Google Earth so randomers could “contact as many [owners] as you can in your area and ask them if they are involved in shooting animals.”

Names, home addresses, postcodes, phone numbers, email addresses and IP addresses are included in the Google Drive-hosted CSV file – along with precise geographic coordinates for a large number of the 111,295 people listed in the breach.



If you want to see change, you need to incentivize change. For example, if you want to see Microsoft have a heart attack, talk about the idea of defining legal liability for bad code in a commercial product. If you want to give Facebook nightmares, talk about the idea of making it legally liable for any and all leaks of our personal records that a jury can be persuaded were unnecessarily collected. Imagine how quickly Mark Zuckerberg would start smashing the delete key.


Personally, I think private information storage in electronic form should be permitted only in support of a substantial commercial transaction or ongoing commercial relationship with a contract and significant payment involved. Otherwise, the system enabling surveillance for the legitimate will always turn into surveillance by criminals or by the enemy.


Zero-click … so if you get the text message, you’re hacked.

Starting in February 2021, we began to observe NSO Group deploying a new zero-click iMessage exploit that circumvented Apple’s BlastDoor feature. We refer to the exploit as FORCEDENTRY , because of its ability to circumvent BlastDoor . Amnesty Tech also observed zero-click iMessage exploitation activity around the same time, and referred to the activity they observed as “Megalodon.”