TechLetters #54 - Extracting keys from hardware; protesting DPA pace of enforcing GDPR; NSO sued, bans some customers; ban on targeted political ads?
Editorial
This week, targeted political ads are the most important item. I analyse the case; more about it below.
Security
GoDaddy breach. “Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.” (link)
DFA vs Nintendo. This extraction of the Nvidia TSEC encryption/decryption (AES) keys from the Nintendo Switch console is really impressive technically, even if the writeup and scripting are presented as “simple”. A nice demonstration of Differential Fault Analysis. Implications: the console will be able to run any executable. Relevant keys: 8745f02b86bbf722654e43b1fef32ac22c740d10aa4432b93d5b2035523c2c94, 43449338c1bc8ceb1b3232a611f955f9095254f492117a158528589cd16f2930, cefe01c9e3eeef1a73b8c10d742ae386279b7dff30a2fbc0aabd058c1f135833
NSO sued by Apple. NSO, creator of the Pegasus hacking-surveillance tool, has been sued by Apple. Previously: sued by Facebook, and sanctioned by the US government. Is the strategy of offering such a product overtly backfiring? Of course this does not mean that security vulnerabilities will magically disappear. They will be present. They will be found. They will be exploited. Court action is a powerful tool (but was it needed here?); it works for reputation, policy/politics, organisation, and as a signal.
NSO clicks “off”. NSO slashed the list of countries to which it will provide its Pegasus hacking-surveillance tool. Some states' cyber capabilities will return to "none" instantly. A reminder that purchasing a tool may not suffice as an investment in cyber capabilities?
Cyberpolitics. The German coalition agreement addresses cybersecurity strategy! Opposition to hack-backs as a response to cyberattacks. The first such coalition agreement in the world... It also covers quantum computers. In the coalition agreement! "Parliamentary control of the Bundeswehr's [army] use of cybercapabilities must be guaranteed."
Apple informs state-hacking victims. “Apple threat notifications inform and assist users who may have been targeted by state-sponsored attackers”. Some notifications have already been delivered in a few countries. They popped up in other countries too, for example in Poland. Some people who are most likely compromised (with Pegasus) did not get the notification, though. You can check yourself manually with mvt.
Privacy
RTB. A paper on Real-Time Bidding, the legal & litigation side. The work is thorough (it also cites my privacy research).
Protest against DPA slowness. Ordinary citizens held a protest in front of the French DPA (CNIL) building. They (Uber drivers) are unhappy that their privacy complaint is being processed (too) slowly. The GDPR complaint mechanism slowed it down further: CNIL had to hand the case over to the Dutch DPA. It’s probably the first protest in history in front of a data protection authority? Vive la France, anyhow.
AdTech privacy. The UK DPA (ICO) is sending a warning in an opinion to adtech companies: "they must comply with data protection law and stop the excessive collection and use of people’s data". The opinion heavily references W3C work, specifically the "Self-Review Questionnaire: Security and Privacy", which I maintained/edited while in the W3C Technical Architecture Group. I was the one who included the recommendation to make a "privacy impact assessment", now noted by the ICO. Good!
EU non-ban on targeted political ads. The European Union unveiled its ideas to curb the amplification and (micro)targeting of political ads/content. I analyse it, describing the opportunities, the risks, and the missed opportunities too. In many respects it is weak and easy to bypass. It does not really curb political ads. Maybe it requires some additional paperwork (also, more salary for consultants). Maybe some technical transparency (which is very easy to do). Undefined fines for breaching it.
Technology Policy
Quantum policy. “Some quantum computing and communications technologies are available for limited uses, but will likely require extensive development before providing significant commercial value.” “10+ years and cost billions, but such estimates are highly uncertain.” “Developing a quantum internet could take decades.” (report)
Australia to fight online defamation. You know, trolls, haters, etc. Platforms will be forced to disclose their identities… "If the companies refuse *or are unable to identify* who made the defamatory comments, then they will have to pay the defamation costs". Result: will Australia force online platforms to ban the use of Tor and other anonymising services?
Other
Quantum link layer. Progress in quantum information communication networks. Apart from the typical physical layer (low-level hardware), this work is the first demonstration of a quantum link-level layer. The meaning? Could this signal a path to scalable quantum communication?