My mate Lars Klint shared this tweet the other day: Your password is not unique. pic.twitter.com/ga4GwxtzrQ— Lars Klint (@larsklint) April 16, 2017 Naturally, I passed it on because let's face it, that's some crazy shit going on right there. To which the Twitters responded with equal

To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199.

Broadcom chips allow rogue Wi-Fi signals to execute code of attacker's choosing.

A huge cache of personal data from Dropbox that contains the usernames and passwords of nearly 70 million account holders has been discovered online.

Data stolen in 2012 breach, containing encrypted passwords and details of around two-thirds of cloud firm’s customers, has been leaked

Criticism of Dropbox centers around various forms of security and privacy controversies surrounding Dropbox, an American company specializing in cloud storage and file synchronization. Issues include a June 2011 authentication problem that let accounts be accessed for several hours without passwords, a July 2011 Privacy Policy update with language suggesting Dropbox had ownership of users' data, concerns about Dropbox employee access to users' information, July 2012 email spam with reoccurrence in February 2013, leaked government documents in June 2013 with information that Dropbox was being considered for inclusion in the National Security Agency's PRISM surveillance program, a July 2014 comment from NSA whistleblower Edward Snowden criticizing Dropbox's encryption, the leak of 68 million account passwords on the Internet in August 2016, and a January 2017 accidental data restoration incident where years-old supposedly deleted files reappeared in users' accounts.

For the past several days I have been focused on understanding the inner workings of several of the popular file synchronization tools with the purpose of finding useful forensics-related artifacts that may be left on a system as a result of using these tools. Given the prevalence of Dropbox, I decided that it would be one of the first synchronization tools that I would analyze, and while working to better understand it I came across some interesting security related findings.

The meta-issue is pretty simple. If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext. For most people -- Gmail users, Google Docs users, Flickr users, and so on -- that's fine. For some people, it isn't. Those people should probably encrypt their files themselves before sending them into the cloud.

The FTC complaint charges Dropbox (.pdf) with telling users that their files were totally encrypted and even Dropbox employees could not see the contents of the file. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, putting users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits.

All malware is bad, but ransomware is particularly insidious—ask any ransomware victim. That's why a new attack scheme called “Pacman” has raised alarms, because it's even nastier than usual. Think of the classic Pac-Man game's voracious yellow ball, chomping up all of your files. It takes only one click to infect a vulnerable PC, and the attack gives victims only 24 hours to pay the ransom in Bitcoins or risk losing all of the compromised data.

Chinese, Russian and United States law enforcement agencies have the ability to eavesdrop on Skype conversations, as well as have access to Skype users' geographic locations. In many cases, simple request for information is sufficient, and no court approval is needed. This ability was deliberately added by Microsoft after they purchased Skype in 2011 for the law enforcement agencies around the world. This is implemented through switching the Skype client for a particular user account from the client-side encryption to the server-side encryption, allowing dissemination of an unencrypted data stream.

sites-using-cloudflare - :broken_heart: List of domains using Cloudflare (potentially affected by the CloudBleed HTTPS traffic leak)

Posted by Marc Stevens (CWI Amsterdam), Elie Bursztein (Google), Pierre Karpman (CWI Amsterdam), Ange Albertini (Google), Yarik Markov (Goog...

streisand - Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.