There's a good chance that the US Congress will allow the FBI to secretly eavesdrop on our browsing data and break encryption

(newrepublic.com)

While the country is facing a daily Covid-19 death toll in the thousands and the coronavirus outbreak snakes its way inside the executive branch, Congress is currently considering a vast expansion of the Justice Department’s power over online platforms and the people who use them. Should these measures pass, Americans’ web searching and browsing histories could be collected by the FBI without a warrant. But that’s just the preeminent concern. Should Congress grant the DOJ all the power it is seeking, users may also lose access to apps that use end-to-end encryption (like Signal and Facebook Messenger), and the kinds of content they can currently post online may find themselves subject to additional moderation and monitoring.

“Together, EARN It and Mitch McConnell’s Patriot Act amendments would give the most corrupt attorney general of our lifetime unprecedented ability to pry into everything Americans do and say online,” Wyden told The New Republic in a statement. “It would be an unconscionable mistake for Democrats to hand Donald Trump and Attorney General Barr these sprawling powers, especially during the Covid-19 crisis, when Americans are spending more and more time on our devices.”

A potentially huge double blow to our freedoms while no one is paying attention.

UPDATE: The Senate has voted to allow the FBI to snoop on Americans' browsing history

Profile and behind-the-scenes story of Marcus “MalwareTech” Hutchins, who helped stop the WannaCry attack and pled guilty to selling the Kronos banking malware

(www.wired.com)

At 22, Marcus Hutchins put a stop to the worst cyberattack the world had ever seen. Then he was arrested by the FBI. This is his untold story.

This is a must-read story; everyone needs to take the time to listen to Marcus' incredible journey. I have been a supporter of his for a long time now, and this has great detail.

According to Dutch researchers, computers with Thunderbolt ports made before 2019 have an unpatchable flaw letting hackers with physical access circumvent data safeguards.

(www.wired.com)

On Sunday, Eindhoven University of Technology researcher Björn Ruytenberg revealed the details of a new attack method he's calling Thunderspy. On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer—and even its hard disk encryption—to gain full access to the computer's data. And while his attack in many cases requires opening a target laptop's case with a screwdriver, it leaves no trace of intrusion and can be pulled off in just a few minutes. That opens a new avenue to what the security industry calls an "evil maid attack," the threat of any hacker who can get alone time with a computer in, say, a hotel room. Ruytenberg says there's no easy software fix, only disabling the Thunderbolt port altogether.

Ruytenberg points out that the flaws he found extend to Intel's hardware and can't be fixed with a mere software update. "Basically they will have to do a silicon redesign," he says. Nor can users change the security settings of their Thunderbolt port in their operating system to prevent the attack, given that Ruytenberg discovered how to turn those settings off. Instead, he says that paranoid users may want to disable their Thunderbolt port altogether in their computer's BIOS, though the process of doing so will be different for every affected PC. On top of disabling Thunderbolt in BIOS, users will also need to enable hard disk encryption and turn their computers off entirely when they leave them unattended, in order to be fully protected.

Yikes, this looks bad. You can check to see if you have this flaw here.
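As an added example (not from the Wired article, and not Ruytenberg's own Thunderspy checker), the script below reports what a Linux host exposes through the kernel's Thunderbolt sysfs interface: the port's security level and whether the kernel reports IOMMU-based DMA protection (the `security` and `iommu_dma_protection` attributes under a Thunderbolt domain, per the kernel's admin-guide/thunderbolt documentation). The verdict mapping is mine: a Thunderbolt domain without kernel-reported DMA protection is flagged `exposed`, because the security level on its own is exactly the setting the article says Thunderspy can switch off. The sysfs path and the directory argument (so the same check can run against a constructed tree) are assumptions.

```shell
#!/bin/sh
# Added example: assess a Linux host's Thunderbolt DMA exposure from sysfs.
# Assumed path: /sys/bus/thunderbolt/devices/domain0 (first Thunderbolt domain).

# tb_attr DIR NAME: print a sysfs attribute, or "absent" when it is missing.
tb_attr() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo absent
    fi
}

# tb_assess DOMAIN_DIR
# Prints "<security level>|<iommu_dma_protection>|<verdict>" where verdict is:
#   no-thunderbolt  no Thunderbolt domain directory found
#   dma-protected   kernel reports IOMMU DMA protection for this domain
#   exposed         Thunderbolt present, no kernel DMA protection; the
#                   security level (none/user/secure/...) is all that guards
#                   the port, and that is what the Thunderspy attack disables
tb_assess() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "absent|absent|no-thunderbolt"
        return 0
    fi
    sec=$(tb_attr "$dir" security)
    iommu=$(tb_attr "$dir" iommu_dma_protection)
    if [ "$iommu" = "1" ]; then
        verdict=dma-protected
    else
        verdict=exposed
    fi
    echo "$sec|$iommu|$verdict"
}

# tb_advice VERDICT: the mitigations the article lists, keyed on the verdict.
tb_advice() {
    case "$1" in
        exposed)
            echo "disable Thunderbolt in firmware, enable full-disk encryption, power off (not sleep) when unattended" ;;
        dma-protected)
            echo "kernel DMA protection reported; keep disk encryption on and verify the BIOS setting is enabled" ;;
        *)
            echo "no Thunderbolt domain present" ;;
    esac
}

# Run against the live system when executed directly (harmless when sourced).
live=$(tb_assess /sys/bus/thunderbolt/devices/domain0)
echo "thunderbolt: $live"
echo "advice: $(tb_advice "${live##*|}")"
```

On a machine with no Thunderbolt controller the live run prints `absent|absent|no-thunderbolt`; on an affected pre-2019 laptop you would typically see a level such as `user` with `iommu_dma_protection` at `0`, which is the `exposed` case the article's mitigation advice is aimed at.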

The plan is to have no plan

(pressthink.org)

The plan is to have no plan, to let daily deaths between one and three thousand become a normal thing, and then to create massive confusion about who is responsible— by telling the governors they’re in charge without doing what only the federal government can do, by fighting with the press when it shows up to be briefed, by fixing blame for the virus on China or some other foreign element, and by “flooding the zone with shit,” Steve Bannon’s phrase for overwhelming the system with disinformation, distraction, and denial, which boosts what economists call “search costs” for reliable intelligence.

Stated another way, the plan is to default on public problem solving, and then prevent the public from understanding the consequences of that default. To succeed this will require one of the biggest propaganda and freedom of information fights in U.S. history, the execution of which will, I think, consume the president’s re-election campaign.

Jay Rosen truly gets it, people.

Defcon 28 will be online-only this year

(defcon.org)

The ‘DEF CON is canceled’ meme has crossed over into real life, courtesy of COVID-19. In early March we had hopes that things would be stable by August. That is no longer realistic. Currently there’s no way to gather everyone together and keep them safe, so The Dark Tangent has decided to cancel the in-person event.

Not surprising but the right move to make.

Zoom buys Keybase

(www.cnbc.com)

The acquisition of the 25-person start-up is the latest move in a 90-day plan that Zoom announced on April 1 to fix its security flaws. Zoom CEO Eric Yuan told CNBC the company needed a solution for users who are demanding the highest level of privacy and certainty that uninvited participants have no access to their conversations.

When Keybase is implemented, the Zoom user who schedules a meeting will be able to choose end-to-end encryption. That setting will prevent anyone from calling in by phone, which is one way people can access meetings, and will disable cloud-based recording of the chat. Yuan said it’s critical that users know that the encryption key is not on Zoom’s servers, so the company has no access to the contents of the call.

Glad I deleted my Keybase account as soon as the announcement was made. Can't really trust Zoom, especially given their privacy and security scandals.

GitHub announces new features, including Codespaces, a free cloud-based developer environment now in beta that's based on Microsoft's Visual Studio Code editor

(techcrunch.com)

The highlight of GitHub’s announcement is surely the launch of GitHub Codespaces, which gives developers a full cloud-hosted development environment in the cloud, based on Microsoft’s VS Code editor. If that name sounds familiar, that’s likely because Microsoft itself rebranded Visual Studio Code Online to Visual Studio Codespaces a week ago — and GitHub is essentially taking the same concepts and technology and is now integrating it directly inside its service. If you’ve seen VS Online/Codespaces before, the GitHub environment will look very similar.

The tight integration with their boss Microsoft has fully begun, and it's bad news, as I predicted. Self-hosting or GitLab is the way to go these days.

Nintendo has reportedly suffered a significant legacy console leak

(www.videogameschronicle.com)

According to various sources archived on Resetera and Reddit, over 2 terabytes of data was allegedly leaked onto the anonymous forum 4chan over the weekend, including the original source code for Nintendo 64, GameCube and Wii.

The leaks also reportedly contain internal documentation related to GameCube, Nintendo DS, Nintendo 64 (and its 64DD add-on), Wii and the China-only iQue, showing how the systems work and the development processes behind them.

Nintendo's legal team are going to have a long week…

ICANN finally halts $1.1bn sale of .org registry, says it's 'the right thing to do' after months of controversy

(www.theregister.co.uk)

The billion-dollar deal set off alarm bells from the very beginning: no one in the domain name industry had ever heard of Ethos Capital, and it only had two named employees. It quickly emerged it had been secretly created by a former CEO of ICANN, and he had registered the company one day after ICANN made clear it was going to lift price caps on the 10 million .org domains, instantly making the registry worth tens of millions more.

The truth however is that ICANN’s staff and CEO were happy to bless the deal, as were several key board members, and it took the repeat intervention of other board members to stop the sale from being pushed through.

I have to give all the props to Kieren McCarthy, who has been all over this since the start of this roller coaster. As I said, even though the internet community has scored a huge win, it's far from over.

Nintendo says up to 160,000 Nintendo Accounts may have been accessed by hacks

(www.polygon.com)

Nintendo has disabled the ability to log into a Nintendo Account using a Nintendo Network ID (NNID) after approximately 160,000 accounts were compromised by unauthorized parties. Nintendo’s statement, originally published in Japanese, says that ID and password information for NNIDs was “obtained illegally by some means other than our service” from the beginning of April.

Nicknames, date of birth, country/region, email address, and gender associated with the NNIDs and Nintendo Accounts that were compromised as part of the breach may have been exposed, Nintendo warns. Some accounts may have been used for fraudulent purchases, including large amounts of Fortnite’s in-game currency, V-Bucks, according to reports from affected users.

Yikes, time to set very strong passwords and enable app-based 2FA (if available). No excuse not to do so.