The UK Bans Default Passwords - Schneier on Security
https://www.schneier.com/blog/archives/2024/05/the-uk-bans-default-passwords.html
The UK is the first country to ban default passwords on IoT devices.
In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers.
https://www.schneier.com/blog/archives/2024/03/hardware-vulnerability-in-apples-m-series-chips.html
Note that exploiting the vulnerability requires running a malicious app on the target computer. So it could be worse. On the other hand, like many of these hardware side-channel attacks, it’s not possible to patch.
Researchers have discovered a new way to hack AI assistants that uses a surprisingly old-school method: ASCII art. It turns out that chat-based large language models such as GPT-4 get so distracted trying to process these representations that they forget to enforce rules blocking harmful responses, such as those providing instructions for building bombs.
Edina police suspect that nine burglaries in the last six months have been undertaken with Wi-Fi jammer(s) deployed to ensure incriminating video evidence wasn’t available to investigators.
…
Worryingly, Wi-Fi jamming is almost a trivial activity for potential thieves in 2024. KARE11 notes that it could buy jammers online very easily and cheaply, with prices ranging from $40 to $1,000. Jammers are not legal to use in the U.S. but they are very easy to buy online.
https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html
LexisNexis, which generates consumer risk profiles for the insurers, knew about every trip G.M. drivers had taken in their cars, including when they sped, braked too hard or accelerated rapidly.
https://mastodon.social/@simonbs/112045502577892427
With iOS 17.4 released, you can go to Settings → Face ID & Passcode → Stolen Device Protection and make the security delay required even when you are at a familiar location.
https://www.wired.com/story/here-come-the-ai-worms/
Security researchers created an AI worm in a test environment that can automatically spread between generative AI agents—potentially stealing data and sending spam emails along the way.
https://www.theguardian.com/world/2024/feb/16/air-canada-chatbot-lawsuit
Canada’s largest airline has been ordered to pay compensation after its chatbot gave a customer inaccurate information, misleading him into buying a full-price ticket.
Air Canada came under further criticism for later attempting to distance itself from the error by claiming that the bot was “responsible for its own actions”.
https://www.theguardian.com/world/2024/feb/05/hong-kong-company-deepfake-video-conference-call-scam
Police investigate after employee tricked into transferring money to fraudsters posing as senior officers of her firm
Chinese authorities recently said they’re using an advanced encryption attack to de-anonymize users of AirDrop in an effort to crack down on citizens who use the Apple file-sharing feature to mass-distribute content that’s outlawed in that country.
https://www.schneier.com/blog/archives/2024/01/tiktok-editorial-analysis.html
TikTok seems to be skewing things in the interests of the Chinese Communist Party.
https://techcrunch.com/2023/12/04/23andme-confirms-hackers-stole-ancestry-data-on-6-9-million-users/
On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access “a significant number of files containing profile information about other users’ ancestry.” But 23andMe would not say how many “other users” were impacted by the breach that the company initially disclosed in early October.
As it turns out, there were a lot of “other users” who were victims of this data breach: 6.9 million affected individuals in total.
In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.
https://www.schneier.com/blog/archives/2023/12/ai-and-trust.html
In this talk, I am going to make several arguments. One, that there are two different kinds of trust—interpersonal trust and social trust—and that we regularly confuse them. Two, that the confusion will increase with artificial intelligence. We will make a fundamental category error. We will think of AIs as friends when they’re really just services. Three, that the corporations controlling AI systems will take advantage of our confusion to take advantage of us. They will not be trustworthy. And four, that it is the role of government to create trust in society. And therefore, it is their role to create an environment for trustworthy AI. And that means regulation. Not regulating AI, but regulating the organizations that control and use AI.
https://www.theguardian.com/business/2023/dec/04/sellafield-nuclear-site-hacked-groups-russia-china
It is still not known if the malware has been eradicated. It may mean some of Sellafield’s most sensitive activities, such as moving radioactive waste, monitoring for leaks of dangerous material and checking for fires, have been compromised.
Sources suggest it is likely foreign hackers have accessed the highest echelons of confidential material at the site, which sprawls across 6 sq km (2 sq miles) on the Cumbrian coast and is one of the most hazardous in the world.
The full extent of any data loss and any ongoing risks to systems was made harder to quantify by Sellafield’s failure to alert nuclear regulators for several years, sources said.
However, the team said the results did not hold for images of people of colour, possibly because the algorithm used to generate AI faces was largely trained on images of white people.
Somewhat ironically, while humans seem unable to tell apart real faces from those generated by AI, the team developed a machine learning system that can do so with 94% accuracy.
https://www.bbc.com/news/world-asia-67354709
A man has been crushed to death by a robot in South Korea after it failed to differentiate him from the boxes of food it was handling, reports say.
https://www.forbrukerradet.no/siste-nytt/na-kan-du-reservere-deg-mot-dorsalg/
Consumers can now opt out of door-to-door sales. A ban on door-to-door sales in the evening, at weekends and on public holidays has also been introduced.
As a general rule, the Norwegian Consumer Council (Forbrukerrådet) advises no one to buy anything at the door. Rules have now also been introduced that restrict this type of selling and make it possible to opt out of pushy salespeople.
Under the new rules, all you need to do is hang up a note or a sign saying «Nei takk til dørsalg» (“No thanks to door-to-door sales”) or the equivalent.
https://nrkbeta.no/2023/10/31/forbud-mot-meta-om-bruk-av-persondata-utvides-til-hele-eos/
The Norwegian Data Protection Authority (Datatilsynet) prevailed before the European Data Protection Board. The authority’s ban is being extended to more countries. “This is a historic day for privacy,” writes Datatilsynet director Line Coll in a statement to NRK.
This summer, Datatilsynet ordered Meta to stop using Norwegians’ personal data for behaviour-based advertising.
The tech giant, which owns Facebook and Instagram, has been fined one million a day since August for failing to comply with the order. The authority has since asked the European Data Protection Board (EDPB) for a binding urgent decision. That decision makes the authority’s order permanent and applicable to the whole EEA. Previously the order applied only to Norway and only for a temporary period.