April 11
Craig Newmark is throwing 50m into “cyber civil defense” which will be focusing on tools for the common civilian.
Impressive improvement in cracking passwords.
A little dive into the shitty world of Russian disinformation.
Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels
Overall, our findings suggest that, while tracking individual users is more difficult now, the changes reinforce existing market power of gatekeeper companies with access to large troves of first-party data.
[2204.03556] Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels
Tracking is a highly privacy-invasive data collection practice that has been ubiquitous in mobile apps for many years due to its role in supporting advertising-based revenue models. In response, Apple introduced two significant changes with iOS 14: App Tracking Transparency (ATT), a mandatory opt-in system for enabling tracking on iOS, and Privacy Nutrition Labels, which disclose what kinds of data each app processes. So far, the impact of these changes on individual privacy and control has not been well understood. This paper addresses this gap by analysing two versions of 1,759 iOS apps from the UK App Store: one version from before iOS 14 and one that has been updated to comply with the new rules. We find that Apple's new policies, as promised, prevent the collection of the Identifier for Advertisers (IDFA), an identifier for cross-app tracking. Smaller data brokers that engage in invasive data practices will now face higher challenges in tracking users - a positive development for privacy. However, the number of tracking libraries has roughly stayed the same in the studied apps. Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting). We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple's policies. We find that Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring. We also find that the new Privacy Nutrition Labels are sometimes inaccurate and misleading. Overall, our findings suggest that, while tracking individual users is more difficult now, the changes reinforce existing market power of gatekeeper companies with access to large troves of first-party data and motivate a countermovement.
This cyberpunk future is both amazing and terrifying and, frankly, terrible. It’s not exactly the Off World Colonies, but…
Impressive progress in solving security. Looks like UAF memory corruptions will all be over by Christmas!
As we frequently discuss, there is a lot of soft power in having good opportunities and desirable lifestyles. For example, you can brain drain your adversaries.
Russian emigration started to explode in 2012 after Putin began his third term as president.
Some sorta nginx 0day going about. Some initial reports of ITW exploitation and an older version being vulnerable? Is it the same issue as this one?
Additional info is available on GitHub.
GitHub - AgainstTheWest/NginxDay: Nginx 18.1 04/09/22 zero-day repo
And an interview with the person behind the exploit. Or at least part of the team. See next.
A Pro West hacking collective. They find and develop an nginx 0day. And then immediately report it via HackerOne. Just… what kind of hackers are these?
The sections on their motivations and where they see themselves in the larger cyber conflict are interesting.
https://www.databreaches.net/an-interview-with-againstthewest/
The Awesome OSINT list.
GitHub - jivoi/awesome-osint: :scream: A curated list of amazingly awesome OSINT
The updates on this eBay listing. It is very funny and the storytelling is incredible.
https://www.ebay.co.uk/itm/154933141682
A bunch of semgrep rules for vuln hunting.
Semgrep ruleset for C/C++ vulnerability research