Vulnerabilities

Even Cory Doctorow gets credit card scammed. Eep!

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/

“How I got scammed”

4 Likes

Not surprising. The TPM doesn’t really do much to protect against physical device attacks like this. It’s one of the immutable laws of security after all - once someone has physical access to your device, it’s no longer your device.

On the topic of TPMs, this is an interesting but very long read probably only interesting to security wonks:

2 Likes

Volt Typhoon works by exploiting vulnerabilities in small and end-of-life routers, firewalls and virtual private networks (VPNs), often using administrator credentials and stolen passwords, or taking advantage of outmoded tech that hasn’t had regular security updates…
“Every organisation running these devices absolutely needs to assume targeting and assume compromise.”

And this is just the stuff that the FBI is telling us about because they got a warrant.

Back to my old rule of “imagine the worst that could happen, then assume a lack of imagination.” :slightly_frowning_face:

1 Like
1 Like

North Korea running malware-laden gambling websites as-a-service

1 Like

You don’t make enough from the first grift - gambling. You have to stack the grifts?

2 Likes

Double whammy.

1 Like
1 Like

Holy shit.

3 Likes
1 Like
1 Like

The Home Office says … New measures in the Criminal Justice Bill will ban electronic devices used in vehicle theft.

Ban radios? Let me know how that turns out. /s

The paper mentioned in the article, "Vehicle remote keyless entry systems and engine immobilisers: Do not believe the insurer that this technology is perfect" (2012) by Stephen Mason, is available from his web site, updated in 2019.

He identifies the closed source approach and confidential assessment system (ye olde Security thru Obscurity) as a major weakness. One manufacturer of keyless systems is quoted:

“If everything, except the key, is known, a car would become unsecure very soon due to the fast growing computing power of IT technology compared to automotive technology and their life cycle.”

One struggles to find a starting point to address such an implicitly circular, self-defeating, ultimately incoherent argument.

3 Likes

Yeah… maybe. I was out at lunch with a quantum guy late last year who described the field as having lots of well studied applications, but still waiting for the hardware to catch up so they can implement them. To which another individual at the table replied: “ah, so you are here looking for a new job.” :thinking:

1 Like

Right? To these people it’s the devices that are the problem. Never mind the shitty security car makers have.

The big scapegoat right now is the Flipper Zero, which can technically unlock cars with rolling key style security, but it’s more of a party trick than a serious hacking threat since you need access to the actual remote for it to even work in the first place.

The real big problem right now is with some Kia and Hyundai vehicles where the vehicle can be hacked by splicing into the main CAN bus, which is easily accessible through the headlights. (As to why the headlights are part of the main CAN bus rather than being in a separate control plane… :man_shrugging:) Splice into it and you can take over the vehicle with a computer.

Are they going to ban laptops next?

3 Likes

I’m glad to see the Ministry’s continuing its tradition of recruiting the brightest and best.

1 Like

You think you’re joking.

5 Likes
7 Likes

:no_mouth: You’re making me feel like an idiot for this conscience of mine and not turning my skills to crime… :thinking:

The paper blames the move to enforced repairability as well; too many hands on too many technical manuals etc. etc. It seems to me that a system whereby the owner has the signing key to allow a device onto the CAN bus would be the obvious technical side of the solution, no? (IIRC nothing per se is stopping CAN bus comms from being encrypted, but they usually are not, correct me if I’m wrong there… :thinking: ) A separate “owners card” based on FIDO2 and a bit of software ought to do the trick.
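
The owner-held key idea from the last post, sketched as an added example (not part of the thread and not any vehicle maker's scheme). It uses a symmetric HMAC as a stand-in for a signature and assumes CAN FD payloads so a counter and a truncated MAC fit in the frame; all names, IDs and keys are constructed.

```python
import hashlib, hmac, struct

MAC_LEN = 8  # truncated HMAC-SHA256; assumes CAN FD payloads (up to 64 bytes)

def device_key(owner_key: bytes, can_id: int) -> bytes:
    """Owner enrolls a device: per-device key derived from the owner's key."""
    return hmac.new(owner_key, b"enroll" + struct.pack(">I", can_id),
                    hashlib.sha256).digest()

def _mac(key: bytes, can_id: int, body: bytes) -> bytes:
    # Bind the MAC to the CAN ID so a frame cannot be re-sent under another ID.
    return hmac.new(key, struct.pack(">I", can_id) + body,
                    hashlib.sha256).digest()[:MAC_LEN]

def protect(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """Sender side: payload = data || 4-byte counter || truncated MAC."""
    body = data + struct.pack(">I", counter)
    return body + _mac(key, can_id, body)

class Receiver:
    """Verifying node: accepts frames only from IDs the owner enrolled."""
    def __init__(self):
        self.keys = {}  # can_id -> per-device key
        self.last = {}  # can_id -> highest counter accepted so far

    def enroll(self, owner_key: bytes, can_id: int) -> None:
        self.keys[can_id] = device_key(owner_key, can_id)
        self.last[can_id] = 0

    def accept(self, can_id: int, payload: bytes):
        """Return the data bytes if authentic and fresh, else None."""
        key = self.keys.get(can_id)
        if key is None or len(payload) < 4 + MAC_LEN:
            return None  # sender never enrolled, or frame too short
        body, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
        if not hmac.compare_digest(mac, _mac(key, can_id, body)):
            return None  # MAC does not verify: no valid key behind this frame
        counter = struct.unpack(">I", body[-4:])[0]
        if counter <= self.last[can_id]:
            return None  # stale counter: replay of an earlier frame
        self.last[can_id] = counter
        return body[:-4]

def demo():
    owner = bytes(range(32))  # constructed owner key
    rx = Receiver()
    rx.enroll(owner, 0x123)   # constructed CAN ID for an enrolled device
    frame = protect(device_key(owner, 0x123), 0x123, 1, b"\x01")
    return [rx.accept(0x123, frame),                # genuine frame
            rx.accept(0x123, frame),                # same frame again
            rx.accept(0x123, b"\x01" + bytes(12)),  # frame with no valid MAC
            rx.accept(0x456, frame)]                # ID the owner never enrolled
```

Because the MAC is symmetric, any enrolled receiver could also forge frames for that ID; a real signature or per-pair keys would be needed to remove that trust.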