Privacy

Hackers Found a Way To Open Any of 3 Million Hotel Keycard Locks In Seconds (wired.com)

An anonymous reader quotes a report from Wired: When thousands of security researchers descend on Las Vegas every August for what's come to be known as "hacker summer camp," the back-to-back Black Hat and Defcon hacker conferences, it's a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city's elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually invited to hack a Vegas hotel room, competing in a suite crowded with their laptops and cans of Red Bull to find digital vulnerabilities in every one of the room's gadgets, from its TV to its bedside VoIP phone. One team of hackers spent those days focused on the lock on the room's door, perhaps its most sensitive piece of technology of all. Now, more than a year and a half later, they're finally bringing to light the results of that work: a technique they discovered that would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps.

Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries. By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel -- say, by booking a room there or grabbing a keycard out of a box of used ones -- then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock's data, and the second opens it.

Dormakaba says that it's been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks. For many of the Saflok systems sold in the last eight years, there's no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door. Wouters and Carroll say they were nonetheless told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated. Given that the locks aren't connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least. Some older installations may take years.

Crime

Bomb Threat Causes Mass Evacuation at DEF CON Hacking Convention (theregister.com)

A bomb threat against Caesars Forum, the main venue for this week's DEF CON hacking convention, led to the halls being cleared on Saturday evening and the building searched by fire crews and police officers. The Register reports: The timing was very bad, coming in the evening of the main party night for the event. The conference Goons, the red-shirted volunteers who serve as guides and organizers, were praised by attendees for managing the evacuation with aplomb, but when it became clear that the suspect device was going to be hard to find, the DEF CON team cancelled the evening's festivities at Caesars, to the disappointment of thousands.

"Last night we were asked to evacuate the building due to a report of a suspicious package. Local police and fire departments conducted a thorough investigation and ultimately determined that the package was safe," the organizers said. "They also conducted additional sweeps of the building as a precaution before allowing our team to return and prepare for today's con. We are working quickly to keep the original schedule on track, but please check here for additional updates before arriving at DEF CON." The event kicked off on August 10 and wrapped up by August 13.

Presumably the hoax caller thought of themselves as a merry prankster, rather than the selfish idiot who ruined everyone's night - particularly the timing for those in the Track Four hall who were enjoying 2001: A Space Odyssey and who were forced to miss the crucial last 10 minutes of the movie. While tricks and pranks are something of a tradition, they only get respect if they are clever and intricate, not some fool showing they could use a telephone. It's not like security at the show wasn't heavy enough. The event was patrolled regularly by security guards in body armor with handguns, tasers, the occasional police dog, and a host of other equipment that was a bit of an overkill for a bunch of peaceable hackers. Dubbed by some as "Gravy SEALs," by the end of the show they were visibly warming up, and this hack saw several of them accepting stickers from attendees.

Desktops (Apple)

An Apple Malware-Flagging Tool Is 'Trivially' Easy To Bypass (wired.com)

One of the Mac's built-in malware detection tools may not be working quite as well as you think. From a report: At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple's macOS Background Task Management mechanism, which could be exploited to bypass and, therefore, defeat the company's recently added monitoring tool. There's no foolproof method for catching malware on computers with perfect accuracy because, at their core, malicious programs are just software, like your web browser or chat app. It can be difficult to tell the legitimate programs from the transgressors. So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can spot potentially malicious software behavior in new ways.

Apple's Background Task Management tool focuses on watching for software "persistence." Malware can be designed to be ephemeral and operate only briefly on a device or until the computer restarts. But it can also be built to establish itself more deeply and "persist" on a target even when the computer is shut down and rebooted. Lots of legitimate software needs persistence so all of your apps and data and preferences will show up as you left them every time you turn on your device. But if software establishes persistence unexpectedly or out of the blue, it could be a sign of something malicious. With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a "persistence event" occurs. This way, if you know you just downloaded and installed a new application, you can disregard the message. But if you didn't, you can investigate the possibility that you've been compromised.

Transportation

Teens Hacked Boston Subway Cards For Infinite Free Rides, and This Time Nobody Got Sued (wired.com)

Long-time Slashdot reader UnCivil Liberty writes: Following in the footsteps of three MIT students who were previously gagged from presenting their findings at Defcon 2008 are two Massachusetts teens (who presented at this year's Defcon without interference).

The four teens extended other research done by the 2008 hacker team to fully reverse engineer the "CharlieCard," the RFID touchless smart card used by Boston's public transit system. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives them unlimited free rides. "You name it, we can make it," says Campbell.

Communications

Eight Teams of Hackers Will Compete To Breach U.S. Satellite In Space (newsweek.com)

In August, white-hat hackers at the DEFCON hacker convention will compete to try and breach the computer systems on a satellite in orbit. It took four years, but "this year, we are in space for real," said Steve Colenzo, Technology Transfer Lead for the Air Force Research Laboratory's Information Directorate in Rome, New York, and one of the contest organizers. From a report: Hack-A-Sat 4, taking place live at DEFCON Aug. 10-13 in Las Vegas, will be the first-ever hacking contest staged on a vehicle in orbit. In previous years, the contests used genuine working satellite hardware, but running safely on the ground. [...] Hack-A-Sat 4 is an attack/defend contest in which teams compete to hack each other's systems while defending their own. It is being staged by the Air Force Research Laboratory and the U.S. Space Force. More than 380 teams signed up for the qualification round in April, and the eight top-scoring ones, which include contestants from Australia, Germany, Italy and Poland, as well as the U.S., will participate in the finals at DEFCON.

"We always knew our objective was to do this in space," Colenzo said. But when, back in 2020, organizers asked satellite operators if they could stage a hacking contest on their space assets, "The answer, and there was really no hesitation, the answer was always no." Hack-A-Sat organizers realized that, if they wanted to reach their objective of staging such a contest in space, they would have to launch their own satellite, Colenzo said. The Moonlighter satellite was launched on a SpaceX rideshare rocket to the International Space Station June 5 by the U.S. government-backed non-profit The Aerospace Corporation. It's a foot-long toaster-sized cubesat satellite with extendable solar panels.

If all goes according to plan, Moonlighter will be deployed into orbit early in July, Project leader Aaron Myrick told Newsweek. Moonlighter is designed to be hacked, he said, and there are numerous safety measures in place. "The first thing that we said was that propulsion was off the table," Moonlighter can't change its own orbit, which might make it a hazard to other satellites. And its ground controllers have the ability to reboot the system, kicking out any intruders and restoring their control.

Bug

DEF CON To Set Thousands of Hackers Loose On LLMs (theregister.com)

An anonymous reader quotes a report from The Register: This year's DEF CON AI Village has invited hackers to show up, dive in, and find bugs and biases in large language models (LLMs) built by OpenAI, Google, Anthropic, and others. The collaborative event, which AI Village organizers describe as "the largest red teaming exercise ever for any group of AI models," will host "thousands" of people, including "hundreds of students from overlooked institutions and communities," all of whom will be tasked with finding flaws in LLMs that power today's chat bots and generative AI. Think: traditional bugs in code, but also problems more specific to machine learning, such as bias, hallucinations, and jailbreaks -- all of which ethical and security professionals are now having to grapple with as these technologies scale. DEF CON is set to run from August 10 to 13 this year in Las Vegas, USA.

For those participating in the red teaming this summer, the AI Village will provide laptops and timed access to LLMs from various vendors. Currently this includes models from Anthropic, Google, Hugging Face, Nvidia, OpenAI, and Stability. The village people's announcement also mentions this is "with participation from Microsoft," so perhaps hackers will get a go at Bing. We've asked for clarification about this. Red teams will also have access to an evaluation platform developed by Scale AI. There will be a capture-the-flag-style point system to promote the testing of "a wide range of harms," according to the AI Village. Whoever gets the most points wins a high-end Nvidia GPU. The event is also supported by the White House Office of Science, Technology, and Policy; America's National Science Foundation's Computer and Information Science and Engineering (CISE) Directorate; and the Congressional AI Caucus.

Power

Why Is 'Juice Jacking' Suddenly Back In the News? (krebsonsecurity.com)

An anonymous reader shares a report from KrebsOnSecurity: KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about "juice jacking," a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.

The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who'd set up a mobile charging station designed to educate the unwary to the reality that many mobile devices were set up to connect to a computer and immediately sync data by default. Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place. On the other hand, the technology needed to conduct a sneaky juice jacking attack has become far more miniaturized, accessible and cheap. And there are now several products anyone can buy that are custom-built to enable juice jacking attacks. [...]

How seriously should we take the recent FBI warning? An investigation by the myth-busting site Snopes suggests the FBI tweet was just a public service announcement based on a dated advisory. Snopes reached out to both the FBI and the FCC to request data about how widespread the threat of juice jacking is in 2023. "The FBI replied that its tweet was a 'standard PSA-type post' that stemmed from the FCC warning," Snopes reported. "An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on 'juice-jacking,' first issued in 2019 and later updated in 2021, was up-to-date so as to ensure 'the consumers have the most up-to-date information.' The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking."

The best way to protect yourself from juice jacking is by using your own gear to charge and transfer data from your device(s) to another.

"Juice jacking isn't possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present," says security researcher Brian Krebs. "If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in."

Security

The New USB Rubber Ducky Is More Dangerous Than Ever (theverge.com)

The USB Rubber Ducky "has a new incarnation, released to coincide with the Def Con hacking conference this year," reports The Verge. From the report: To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard -- which means it accepts keystroke commands from the device just as if a person was typing them in. The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.

With the right approach, the possibilities are almost endless. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations.

It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that). That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.

Your Rights Online

Right To Repair Battle Heats Up With Rooting of John Deere Equipment (wired.com)

Long-time Slashdot reader drinkypoo writes: John Deere, current and historic American producer of farming equipment, has long been maligned for their DRM-based lockdowns of said equipment which can make it impossible for farmers to perform their own service. Now a new security bypass has been discovered for some of their equipment, which has revealed that it is in general based on outdated versions of Linux and Windows CE.

Carried out by Sick Codes, the complete attack involves attaching hardware to the PCB inside a touchscreen controller, and ultimately produces a root terminal.

In the bargain and as a result, the question is being raised about JD's GPL compliance.

Sick Codes isn't sure how John Deere can eliminate this vulnerability (beyond overhauling designs to add full disk encryption to future models). But Wired also notes that "At the same time, though, vulnerabilities like the ones that Sick Codes found help farmers do what they need to do with their own equipment."

Although the first thing Sick Codes did was get the tractor running a farm-themed version of Doom.

Security

'Huge Flaw' Threatens US Emergency Alert System, DHS Researcher Warns (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The US Department of Homeland Security is warning of vulnerabilities in the nation's emergency broadcast network that makes it possible for hackers to issue bogus warnings over radio and TV stations. "We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network)," the DHS's Federal Emergency Management Agency (FEMA) warned. "This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14."

Pyle told reporters at CNN and Bleeping Computer that the vulnerabilities reside in the Monroe Electronics R189 One-Net DASDEC EAS, an emergency alert system encoder and decoder. TV and radio stations use the equipment to transmit emergency alerts. The researcher told Bleeping Computer that "multiple vulnerabilities and issues (confirmed by other researchers) haven't been patched for several years and snowballed into a huge flaw."

"When asked what can be done after successful exploitation, Pyle said: 'I can easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message, have them valid / pre-empting signals at will. I can also lock legitimate users out when I do, neutralizing or disabling a response,'" Bleeping Computer added.

Security

DEF CON: Security Holes In Deere, Case IH Shine Spotlight On Agriculture Cyber Risk (securityledger.com)

chicksdaddy shares a report from The Security Ledger: A lot has changed in the agriculture sector in the last decade. And farm country's cybersecurity bill has come due in a big way. A (virtual) presentation at the annual DEF CON hacking conference in Las Vegas on Sunday described a host of serious, remotely exploitable holes in software and services by U.S. agricultural equipment giants John Deere and Case IH, The Security Ledger reports. Together, the security flaws and misconfigurations could have given nation-state hackers access to Deere's global product infrastructure, sensitive customer and third-party data and, potentially, the ability to remotely access critical farm equipment like planters and harvesters that are the lynchpin of the U.S. food chain.

The talk is the most detailed presentation, to date, of a range of flaws in Deere software and services that were first identified and disclosed to the company in April. The disclosure of two of those flaws in the company's public-facing web applications set off a scramble by Deere and other agricultural equipment makers to patch the flaws, unveil a bug bounty program and to hire cyber security and embedded device security talent.

In addition to a slew of common web flaws like Cross Site Scripting and account enumeration bugs linked to Deere's web site and public APIs, the researchers discovered a vulnerability (CVE-2021-27653) in third-party software by Pega Systems, a maker of customer relationship management (CRM) software that Deere uses. A misconfiguration of that software gave the researchers administrative access to the remote, back end Pegasystems server. With wide ranging, administrative access to the production backend Pega server, the researchers were able to obtain other administrative Pegasystems credentials including passwords, security audit logs, as well as John Deere's OKTA signing certificate for the Pegasystems server, according to the presentation. In an email statement to The Security Ledger, a John Deere spokesperson said that "none of the claims -- including those identified at DEF CON -- have enabled access to customer accounts, agronomic data, dealer accounts, or sensitive personal information," though data included in the presentation as well as prior public disclosures make clear that sensitive data on Deere employees, equipment, customers and suppliers was exposed.

Transportation

Emails, Text Messages Can Be Retrieved From Smartphones Synced to Vehicles (theintercept.com)

Slashdot reader ytene writes: As reported by The Intercept, U.S. Customs and Border Protection have just spent $456,063 for a package of technology specifically designed to access smartphone data via a motor vehicle. From the article:

"...part of the draw of vacuuming data out of cars is that so many drivers are oblivious to the fact that their cars are generating so much data in the first place, often including extremely sensitive information inadvertently synced from smartphones."

This data can include "Recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been, when and where a vehicle's lights are turned on, and which doors are opened and closed at specific locations" as well as "gear shifts, odometer reads, ignition cycles, speed logs, and more. This car-based surveillance, in other words, goes many miles beyond the car itself."

Perhaps the most remarkable claim, however, was, "We had a Ford Explorer we pulled the system out, and we recovered 70 phones that had been connected to it. All of their call logs, their contacts and their SMS."

Mohammad Tajsar, an attorney with the American Civil Liberties Union (ACLU), is quoted as saying, "Whenever we have surveillance technology that's deeply invasive, we are disturbed," he said. "When it's in the hands of an agency that's consistently refused any kind of attempt at basic accountability, reform, or oversight, then it's Defcon 1."

The Internet

How Should We Honor the Legacy of Dan Kaminsky?

Last week came the news that Dan Kaminsky, security researcher (and popular speaker at security conferences), had passed away at the age of 42. In a half hour the DEF CON security convention will hold a special online memorial for Dan Kaminsky on Discord.

But interestingly, Kaminsky was also one of ICANN's "Trusted Community Representatives," part of a small community involved in a ceremonial root key generation, backup and signing process. (Since 2010 Kaminsky was one of the seven "Recovery Key Share Holders" entrusted with a fragment of a cryptographic key and reporting in for its annual inventory.)

So who will take Dan's place? Slashdot contacted ICANN's vice president of IANA Services, Kim Davies. His response? We maintain an open invitation for volunteers who believe they are qualified, and review those volunteers when a vacancy arises. The selection process is documented, but in essence means we try to maintain a balance of skills and geographic location so that in the aggregate the TCRs are diverse.

The selection is not in chronological order, and will not necessarily result in selecting someone who most matches Dan's attributes. Ultimately the replacement will be a volunteer that the evaluation panel feels best contrasts and complements the attributes of the remaining TCRs.

Davies also shared this remembrance of Dan Kaminsky: He played a critical role in the evolution of the DNS by bringing attention to the practical cache poisoning vulnerability he discovered. He was a great collaborator who worked closely with us to rapidly address the issue in critical infrastructure, and then worked to promote technologies like DNSSEC that can mitigate it effectively in the long term. He really provided a significant catalyst that resulted in DNSSEC being put into widespread production in 2010.

His service as a Trusted Community Representative was just a part of his commitment to these issues, and while his work on the DNS is perhaps his most famous contribution, he has an amazing resume of accomplishments throughout his career.

Personally I found him a delight to work with and we are deeply mourning the loss.

Of course, there's another way to follow in Dan's footsteps. Long-time Slashdot reader destinyland writes: Jeff Moss, founder of DEF CON and Black Hat, has proposed nominating Kaminsky for the Internet Hall of Fame, or even creating a Kaminsky award to honor "the core ideals" of the security researcher. But there's another complementary direction to go in... Black Hat board member Matt Devost tweeted last weekend that, "No one that knew Dan Kaminsky well is talking about DNS today. They are talking about kindness, boundless energy and positivity, spontaneous adventures, and how hard he worked to lift others up. Want to emulate one of the greatest hackers of all time? Let that be your guide."

And last week a self-described hacker named Dr. Russ even tweeted, "In an effort to honor Dan Kaminsky's character and legacy, we should all make a random act of Kaminsky weekly. Make it a point to be kind and helpful to someone, friend or stranger. Legit helpful and kind, take it over the finish line. Be the persistent guide he was. Then do it again."

I propose we call that "pulling a Kaminsky."

Presumably in the way later generations in William Gibson's Count Zero talked of "pulling a Wilson...."

Businesses

Why Amazon's Echo Shines an Ominous Red Light When Its Microphone is Muted (fastcompany.com)

This year Amazon followed up its cylindrical Echo (and its hockey puck-shaped Echo Dot) with a cloth-wrapped sphere-shaped Echo device. And Fast Company reports that one significant change was to the light pipe, "that glowing ring on top of the Echo that signals it's talking or thinking."

"For the fourth generation, that light pipe has been moved to the bottom of the device, to reflect off tables or countertops, and provide a more ambient lighting experience that blends into one's environment — with a catch." Once you hit the privacy button on your Echo, deafening it from hearing your speech, the ring glows a DEFCON 2 red until you unmute it. (Note: Google uses an orange to convey mute for its Assistant, as does Sony's new PS5 controller that has a mic built in.) It's not just overt; it's borderline warlike, adding a Red October glow to your space. Echos have always glowed red when muted. Now your environment does, too.

When I mention this design decision, which seems to punish consumers who prefer privacy, Miriam Daniel, vice president of Echo and Alexa devices at Amazon, acknowledges, but brushes off, the criticism. "[Red] makes for a strong [statement]. There's always a tradeoff. Is it too bright? Annoying? Too in your face?" she muses. But she argues that the greater benefit is that "it gives people a sense of comfort knowing the mic isn't working."

The article notes that in 2019, Amazon announced it had already sold 100 million Alexa-powered devices.

Cloud

Amazon's Latest Gimmicks Are Pushing the Limits of Privacy (wired.com)

At the end of September, Amazon debuted two especially futuristic products within five days of each other: a small autonomous surveillance drone, called Ring Always Home Cam, and a palm recognition scanner, called Amazon One. "Both products aim to make security and authentication more convenient -- but for privacy-conscious consumers, they also raise red flags," reports Wired. From the report: Amazon's latest data-hungry innovations are not launching in a vacuum. The company also owns Ring, whose smart doorbells have had myriad security issues and have been widely criticized for bringing unprecedented surveillance to traditionally semi-private spaces. Meanwhile, the biometric data that Amazon Go will collect is particularly sensitive, because unlike a password you can't simply change it if a hacker steals it or it gets unintentionally exposed. Amazon has a strong record for maintaining the security of its massive cloud infrastructure, but there have been lapses across the sprawling business. The stakes are already phenomenally high; the more data the company holds the more risk it takes on. "Amazon has a major genomics cloud platform, so maybe they hold your DNA and now they're going to have your palm as well? Plus all of these devices inside your house. And your purchase history on Prime. That's a lot of information. That's a lot of personal information," says Nina Alli, executive director of Defcon's Biohacking Village and a health care security researcher. "When you give away this data you're giving a company the ability to access and manage you, not the other way around."
[...]

Additionally, while companies like Apple and Samsung have brought biometric fingerprint and face scanners to the masses by making sure the data never leaves the device, Amazon One takes the opposite approach. Kumar writes that "palm images are never stored" on Amazon One itself. Instead they are encrypted and sent to a special high security area of Amazon's cloud to be converted into "palm signatures" based on the unique and distinctive features of a user's hand. Then the service compares that signature to the one on file in each user's account and returns a match or no match answer back down to the device. It makes sense that Amazon doesn't want to store databases of people's palm data locally on publicly accessible machines that could be manipulated. But the system could perhaps have been set up to generate a palm signature locally, delete the image of a person's hand, and send only the encrypted signature on for analysis. The fact that all of those palm images will be going for cloud processing creates a single point of failure.

"I'm worried that people could read your palm vein pattern in other ways and construct an analog. It's only a matter of time," says Joseph Lorenzo Hall, a longtime security and privacy researcher and a senior vice president at the nonprofit Internet Society. "Both the home drone and the palm payment are going to rely heavily on the cloud and on the security provided by that cloud storage. That's worrying because it means all the risks -- rogue employees, government data requests, data breach, secondary uses -- associated with data collection on the server-side could be possible. I'm much more comfortable having a biometric template stored locally rather than on a server where it might be exfiltrated."

An Amazon spokesperson told WIRED, "We are confident that the cloud is highly secure. In addition, Amazon One palm data is stored separately from other personal identifiers, and is uniquely encrypted with its own keys in a secure zone in the cloud."
Bitcoin

The Quest To Liberate $300,000 of Bitcoin From an Old ZIP File (arstechnica.com) 38

A few quintillion possible decryption keys stand between a man and his cryptocurrency. From a report: In October, Michael Stay got a weird message on LinkedIn. A total stranger had lost access to his bitcoin private keys -- and wanted Stay's help getting his $300,000 back. It wasn't a total surprise that The Guy, as Stay calls him, had found the former Google security engineer. Nineteen years ago, Stay published a paper detailing a technique for breaking into encrypted zip files. The Guy had bought around $10,000 worth of bitcoin in January 2016, well before the boom. He had encrypted the private keys in a zip file and had forgotten the password. He was hoping Stay could help him break in. In a talk at the Defcon security conference this week, Stay details the epic attempt that ensued.

[...] "If we find the password successfully, I will thank you," The Guy wrote with a smiley face. After an initial analysis, Stay estimated that he would need to charge $100,000 to break into the file. The Guy took the deal. After all, he'd still be turning quite the profit. "It's the most fun I've had in ages. Every morning I was excited to get to work and wrestle with the problem," says Stay, who today is the chief technology officer of the blockchain software development firm Pyrofex. "The zip cipher was designed decades ago by an amateur cryptographer -- the fact that it has held up so well is remarkable." But while some zip files can be cracked easily with off-the-shelf tools, The Guy wasn't so lucky. That's partly why the work was priced so high. Newer generations of zip programs use the established and robust cryptographic standard AES, but outdated versions -- like the one used in The Guy's case -- use Zip 2.0 Legacy encryption that can often be cracked. The degree of difficulty depends on how it's implemented, though. "It's one thing to say something is broken, but actually breaking it is a whole different ball of wax," says Johns Hopkins University cryptographer Matthew Green.

Security

In-Person DEF CON 28 Event Is Canceled (theregister.co.uk) 23

Annual Las Vegas hacker gathering DEF CON has officially called off its physical conference for this year due to the coronavirus pandemic. The Register reports: In what was pretty much a foregone conclusion, the organizing team today said the in-person event would not be held in 2020. It had been slated to take place in August. This comes after the more formal Black Hat USA event, usually scheduled to run the same week as DEF CON in Sin City, was shelved as an in-person shindig, due to the COVID-19 coronavirus pandemic forcing everyone to stay home where possible. Both shows will tentatively take place as web streaming affairs this summer. For DEF CON 28, this means a 'Safe Mode' online gathering, with video streams and a Discord server, between August 6 and 9. "Even if a vaccine were to be discovered tomorrow it would not be soon enough to test, manufacture, distribute and administer in time for people to safely travel by August," explained Jeff "The Dark Tangent" Moss.

"Too many states have stayed open or are reopening, people partied for far too long, and the lack of federal coordination gives me no hope that things will get back to normal this year. I also worry that the conferences that postponed to later this year will be caught up in the 'second wave' after restrictions start to ease and they will end up having to cancel. Because of this, postponing for DEF CON was not an option."
China

DEF CON China Conference Put on Hold Due To Coronavirus Outbreak (zdnet.com) 19

The organizers of the DEF CON cyber-security conference have announced today that they are putting this year's China edition "on hold" due to the ongoing Wuhan coronavirus (2019-nCoV) outbreak. From a report: "China has announced a six-month hold on events like ours as part of the effort to combat the coronavirus outbreak," the DEF CON team said in a forum post today. DEF CON is one of the Top 3 most prestigious cyber-security conferences today. The conference is held each year in Las Vegas, in the month of August. The Chinese edition of the DEF CON conference, which would have reached its second edition this year, was set to take place in Beijing between April 17 and April 19. Organizers said they are currently putting the DEF CON China 2.0 conference on hold, but have not officially canceled the event.
Security

Planting Tiny Spy Chips in Hardware Can Cost as Little as $200 (wired.com) 37

An anonymous reader shares a report: More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off -- just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

Security

Invisible Hardware Hacks Allowing Full Remote Access Cost Pennies (wired.com) 84

Long-time Slashdot reader Artem S. Tashkinov quotes Wired: More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off -- just a motivated hardware hacker with the right access and as little as $200 worth of equipment.
