507 private links
At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought:
In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically. This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale. The job of the illegal eavesdropper has gotten significantly easier, with many more options and opportunities for them to exploit. Compromising our telecommunications infrastructure is now little different from performing any other kind of computer intrusion or data breach, a well-known and endemic cybersecurity problem. To put it bluntly, something like Salt Typhoon was inevitable, and will likely happen again unless significant changes are made.
This is the access that the Chinese threat actor Salt Typhoon used to spy on Americans:
The Wall Street Journal first reported Friday that a Chinese government hacking group dubbed Salt Typhoon broke into three of the largest U.S. internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon, to access systems they use for facilitating customer data to law enforcement and governments. The hacks reportedly may have resulted in the “vast collection of internet traffic” from the telecom and internet giants. CNN and The Washington Post also confirmed the intrusions and that the U.S. government’s investigation is in its early stages.
This is the kind of information that all the sites you visit, as well as their advertisers and any embedded widget, can see and collect about you.
We Need to Talk About Jeffrey Goldberg Accidentally Being Added to a National Security Chat – RedState
anon-l6yk
3 hours ago
My take is that this signal app was used extensively during the “Biden” administration and they created the original list of regular participants. How much do you want to bet that Goldberg was a regular participant in those classified briefings during the Biden years and this was a result of an incomplete purge of the unauthorized participants?
Rapid Response 47 @RapidResponse47
.@CIADirector: "One of the first things that happened when I was confirmed as CIA director was Signal was loaded onto my computer ... One of the things that I was briefed on very early was ... the use of Signal as a permissible work use — it is."
11:03 AM · Mar 25, 2025. //
RATCLIFFE: It is permissible to use to communicate and coordinate for work purposes, provided — provided, Senator — that any decisions that are made are also recorded through formal channels. So, those were procedures that were implemented — my staff implemented those processes, followed those processes, complied with those processes, and finally — just please — so, my communications, to be clear, in a Signal message group, were entirely permissible and lawful — and did not include classified information. //
As Bonchie rightly noted earlier, Goldberg's inclusion on the chat was an unforced error, and frankly, none of the administration should be in contact with him — ever — given his previous bad-faith reporting.
But as Ratcliffe's testimony clearly demonstrates, the use of the app itself by officials for non-classified communication and coordinating for work purposes is both allowed and legal — just as it was under the Biden administration. Hopefully, this will serve as a valuable lesson and help underscore the importance of mindfulness as to proper channels and participants when officials communicate with one another.
It’s hard to have a conversation with anyone in Washington these days without using Signal. I hate the app. It’s just one more messaging app that must be checked. Everyone in Washington, it seems, has Signal. Government officials use it. Reporters use it. Politicians on Capitol Hill use it. Hillary Clinton used an insecure email server. Everyone else just uses Signal, which, at least, is end-to-end encrypted.
With China thoroughly infiltrating our telecom system, no officials in DC are using built-in phone messaging apps or voice to communicate important information now. Apple’s iMessage is robust and secure if the bubbles are blue. But someone may have their iCloud backup turned on, which would capture the chat. WhatsApp is fine and secure. But, again, someone might have a backup. Signal is secure and once a message is deleted, it is deleted. It is the preferred app.
For members of the Trump Administration, which last term saw rogue embedded progressives leaking classified information and even now has seen ICE raid information leak, bypassing government approved means of communications for Signal makes sense — the rogue bureaucrats provided the incentive.
But that is no excuse to add a reporter to a secure group chat trading information related to bombing the Houthis as the Trump national security team did. //
- This whole mess really does suggest that the Trump Administration, like the Biden Administration, has no clue how to get the Chinese out of our telecom networks.
Clive Robinson • March 20, 2025 12:38 PM
@ For those “new to the game”
CI/CD Secrets is liberally spread across the articles, but none explain what they are in layman’s terms.
The first step is to understand what a “Continuous Integration”(CI) / “Continuous Development/Deployment”(CD) Pipeline is. Gitlab has a reasonable description at,
https://about.gitlab.com/topics/ci-cd/cicd-pipeline/
However it says nothing about “secrets”
Put overly simply, in our modern environments much is “done in the cloud” or in older parlance “across multiple servers” for which “Authorization”(AuthZ) and “Authentication”(AuthN) is required.
At the simplest that is a user has to have “an account” that once would have been a “user name” and was considered “public knowledge”, and “a password” or “passphrase” or other “secret” known only to the user and verifiable by the server.
However when you “automate” things it gets more complicated and it gets to the point where even the user does not know what is used for AuthZ and AuthN as they are “embedded in some way” into the automated pipeline.
It is these that form the basis for “CI/CD Secrets” and whilst they could be “dynamic” and “random” by “challenge and response” or “Zero Knowledge Proof” they generally are “static” and put as “plaintext in files”.
Thus if static “once leaked” anyone who has access to the leak can impersonate the valid user(s).
It’s actually a really bad security design for an automated system and should be replaced with something that is not vulnerable to being recorded and replayed, but still does not need user(s) to be actively involved.
Unfortunately by the way this attack works it can get around the “security advice” given online with articles like,
https://blog.gitguardian.com/handle-secrets-in-ci-cd-pipelines/
Who? • March 20, 2025 12:25 PM
@ Clive Robinson
Years ago I sent an email to DISA about some obvious “errors” in some networking-related STIGs that made those technical implementation guides dangerous if followed as published. They replied, in a somewhat impolite way, noting the obvious (that I am not affiliated with the U.S. army); these technical implementation guides about some well-known routing devices still remain unfixed.
Same happened again some time later, this time about some CTR and CSIs published by NSA. No answer at all, something I appreciate when compared to DISA reply, but they continue recommending a setup that opens widely known attacks against shared caches in certain processor architectures. Not to say, these documents have been updated at least one time but continue suggesting the insecure settings.
To be honest, I do not trust what CISA/DISA/NSA may publish.
The current U.S. administration may continue degrading the country cybersecurity and international alliances. If U.S. citizens accept it this way, who am I to disagree?
Clive Robinson • March 20, 2025 12:58 PM
@ Who?, ALL,
With regards,
“To be honest, I do not trust what CISA/DISA/NSA may publish.”
And so you should not. Likewise you should not trust the word of anyone including me 😉
It’s why I do not like the idea of “Best Practice” that every man and his dog took as an idea from the legal profession. Because there is no such thing as “best practice” and anything written in that regard almost certainly becomes “out of date” very shortly thereafter.
What people should do, though few have time to do so, is learn what a system does and how, and what its interactions, strengths, weaknesses and Non Obvious Flaws are.
From time to time, security issues are found within software. The FreeBSD package management system relies upon pkg-audit and the Vulnerability database to alert system administrators that attention is required.
The U.K. government appears to have quietly scrubbed encryption advice from government web pages, just weeks after demanding backdoor access to encrypted data stored on Apple’s cloud storage service, iCloud.
Once the backdoor exists, others will attempt to surreptitiously use it. A technical means of access can’t be limited to only people with proper legal authority. Its very existence invites others to try. In 2004, hackers—we don’t know who—breached a backdoor access capability in a major Greek cellphone network to spy on users, including the prime minister of Greece and other elected officials. Just last year, China hacked U.S. telecoms and gained access to their systems that provide eavesdropping on cellphone users, possibly including the presidential campaigns of both Donald Trump and Kamala Harris. That operation resulted in the FBI and the Cybersecurity and Infrastructure Security Agency recommending that everyone use end-to-end encrypted messaging for their own security. //
It’s a question of security vs. security. Yes, we are all more secure if the police are able to investigate and solve crimes. But we are also more secure if our data and communications are safe from eavesdropping. A backdoor in Apple’s security is not just harmful on a personal level, it’s harmful to national security. We live in a world where everyone communicates electronically and stores their important data on a computer. These computers and phones are used by every national leader, member of a legislature, police officer, judge, CEO, journalist, dissident, political operative, and citizen. They need to be as secure as possible: from account takeovers, from ransomware, from foreign spying and manipulation. Remember that the FBI recommended that we all use backdoor-free end-to-end encryption for messaging just a few months ago.
Securing digital systems is hard. Defenders must defeat every attack, while eavesdroppers need one attack that works. Given how essential these devices are, we need to adopt a defense-dominant strategy. To do anything else makes us all less safe. //
Stéphan • February 26, 2025 7:37 AM
It will be interesting to see if the UK Govt is satisfied with the disabling of ADP, because that would confirm the backdoor is already in place for non-ADP iCloud accounts. Which would mean it is likely also in place for non-E2E-encrypted cloud services like Google and MS365 accounts. With this move Apple came up with a clever canary about the true underlying situation.
What that means is that multiple systems inside Bybit had been hacked in a way that allowed the attackers to manipulate the Safe wallet UI on the devices of each person required to approve the transfer. That revelation, in turn, has touched off something of a eureka moment for many in the industry.
“The Bybit hack has shattered long-held assumptions about crypto security,” Dikla Barda, Roman Ziakin, and Oded Vanunu, researchers at security firm Check Point, wrote Sunday. “No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link. This attack proves that UI manipulation and social engineering can bypass even the most secure wallets.”
Bad actors can now digitally impersonate someone you love, and trick you into doing things like paying a ransom.
To mitigate that risk, I have developed this simple solution where you can set up a unique time-based one-time passcode (TOTP) between any pair of persons.
This is how it works:
- Two people, Person A and Person B, sit in front of the same computer and open this page;
- They input their respective names (e.g. Alice and Bob) onto the same page, and click "Generate";
- The page will generate two TOTP QR codes, one for Alice and one for Bob;
- Alice and Bob scan the respective QR code into a TOTP mobile app (such as Authy or Google Authenticator) on their respective mobile phones;
- In the future, when Alice speaks with Bob over the phone or over video call, and wants to verify the identity of Bob, Alice asks Bob to provide the 6-digit TOTP code from the mobile app. If the code matches what Alice has on her own phone, then Alice has more confidence that she is speaking with the real Bob.
Note that this depends on both Alice's and Bob's phones being secure. If somebody steals Bob's phone and manages to bypass the fingerprint or PIN or facial recognition of Bob's phone, then all bets are off.
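The pairing scheme above, written out as an added example (this is not the page's own tool): one random secret shared by exactly one pair, two provisioning URIs with different labels for the two phones, and RFC 6238 TOTP from the Python standard library so Alice can check the code Bob reads aloud. The label and issuer wording and the one-step skew window are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length the authenticator app will show


def new_pair_secret(nbytes: int = 20) -> bytes:
    """Fresh random secret shared by exactly one pair of people, generated once at pairing time."""
    return os.urandom(nbytes)


def provisioning_uri(secret: bytes, holder: str, peer: str) -> str:
    """otpauth:// URI the holder's TOTP app scans (the page renders this as a QR code).
    Both URIs for a pair carry the same secret; only the label differs, so Alice's and
    Bob's apps display identical codes. Label and issuer wording are assumptions here."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{holder} <-> {peer}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer=PairCheck"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_spoken_code(secret: bytes, spoken: str, unix_time: int, window: int = 1) -> bool:
    """Alice's side of the call: does the code Bob read aloud match her own phone?
    `window` adjacent steps tolerate clock skew and the seconds it takes to say the code."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * STEP_SECONDS), spoken):
            return True
    return False


if __name__ == "__main__":
    secret = new_pair_secret()
    print(provisioning_uri(secret, "Alice", "Bob"))
    print(provisioning_uri(secret, "Bob", "Alice"))
    now = int(time.time())
    bob_says = totp(secret, now)          # what Bob reads from his phone
    print("code:", bob_says, "accepted:", verify_spoken_code(secret, bob_says, now))
```

The same caveat the page gives applies: the secret lives on both phones, so a compromised phone means a compromised pairing.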
Researchers have uncovered a sustained and ongoing campaign by Russian spies that uses a clever phishing technique to hijack Microsoft 365 accounts belonging to a wide range of targets, researchers warned. //
Advisories from both security firm Volexity and Microsoft are warning that threat actors working on behalf of the Russian government have been abusing this flow since at least last August to take over Microsoft 365 accounts. The threat actors masquerade as trusted, high-ranking officials and initiate conversations with a targeted user on a messenger app such as Signal, WhatsApp, and Microsoft Teams.
"An official website of the United States government," reads small text atop the Department of Government Efficiency (DOGE) website that Elon Musk's team started populating this week with information on agency cuts.
But you apparently don't have to work in government to push updates to the site. A couple of prankster web developers told 404 Media that they separately discovered how "insecure" the DOGE site was, seemingly pulling from a "database that can be edited by anyone."
One coder couldn't resist and pushed two updates that, as of this writing, remained on the DOGE site. "This is a joke of a .gov site," one read. "THESE 'EXPERTS' LEFT THEIR DATABASE OPEN," read another.
houdini1984
8 hours ago
In a perfect world, Snowden would have been able to report the IC's violation of Americans' rights to Congress. He should have attempted to do so. But is he a traitor? Hardly.
Here's the thing. We're talking about a Congress that failed to punish the intelligence community for... wait for it... spying on Congress. Yes, that's right. The IC was literally spying on our representatives, and forced to admit to those activities. And what did Congress do? They continued to renew all the powers that the IC regularly abuses.
Anyone who's paying attention understands that our elected representatives are, almost to a man and woman, scared to death of this country's intelligence community. They are terrified that their own secrets may be used against them by a vengeful IC. They are willing to sacrifice your liberties to maintain some semblance of peaceful coexistence between themselves and the forces of the deep state.
So, yeah. Snowden's actions are easy to criticize. And they were illegal, in the purest sense of that word. But was he wrong to distrust Congress? Was he right to believe that the American people deserve to know that their government is violating their rights on a daily basis? Did he have an obligation to choose between going to prison or remaining silent?
Personally, I am glad that the truth came out. And I don't blame Tulsi one bit for refusing to be nagged into calling the man a traitor. That nagging is just designed to distract from the real issue, which is that our government has long been weaponized against us.
anon-w8wg houdini1984
5 hours ago edited
Snowden was kind of simultaneously hero and traitor. His actions absolutely threw a wrench in America's military and intelligence gears (I was in the military at the time). However, he brought to light things that the people needed to know, things that never should have been approved. Personally, I don't have a problem calling him a traitor. I have no problem with Tulsi Gabbard not calling him a traitor, though, as long as she notes what was bad about his actions. She did this, which makes her more qualified than most intelligence directors, IMHO.
In fact, now that I think of it, Snowden might have helped put us on the MAGA track. So, maybe there's more good to him than I've given him credit for.
Random US Citizen
11 hours ago
What Snowden did was illegal and punishable by law. On the other hand, Gabbard is right—he also exposed a lot of domestic spying by the U.S. government against its own citizens. It’s interesting—in a sort of horrifying way—that so-called conservative Republicans are more upset that Gabbard opposes Patriot Act overreach than any other issue that came up at her confirmation hearing.
anon-bjec NightStalker
9 hours ago
I doubt we would have had one Trump presidency, much less two, without Snowden. Who would have believed the massive duplicity with which the deep state acts? A lot of us might have actually bought into the RUSSIA RUSSIA RUSSIA RUSSIA nonsense, not believed it was even possible for Obama to weaponize the IC against a political opponent. A lot fewer people would have been aware of just how bad the IC and deep state are when operating domestically.
People like Schifty Schiff see Russians under every rock without stepping back to see the big picture. Snowden exposed sources and methods alright. Sources: massive domestic spying apparatus weaponized against Americans. Methods: outrageous violations of every basic tenet of the Constitution and founding principles.
We needed to know.
Feb. 1 is Change Your Password Day, and you may think that good cyber hygiene means creating new, robust passwords every few months. Not so fast.
There was a time that whenever I wrote something related to security passwords, I'd use these words: "Use password managers, as they make it very easy to change passwords, which you should do frequently." Because that's the advice everyone gives about passwords, along with making them strong and unique to every service and account you create.
I haven't done that in years, though, because one of our resident security experts, Neil J. Rubenking, pointed out that the "should do frequently" part is now outdated advice.
When the National Institute of Standards and Technology (NIST) issued Digital Identity Guidelines in 2017, they used a lot of science-talk to discuss information security standards and "memorized secrets"—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: "Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."
The NIST report also included an appendix about the Strength of Memorized Secrets, which discusses how it's almost impossible for people to memorize passwords if they have forced "composition rules," such as including a symbol, an uppercase letter, a numeral, etc.
"The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe," NIST said.
The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)
Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password/phrase.
Here are a few ways to securely erase your hard drive:
DBAN (Darik's Boot and Nuke) – Use this free tool that overwrites data multiple times, making recovery impossible.
Windows Secure Erase (for SSDs) – If you're wiping an SSD, use the manufacturer's secure erase tool (e.g., Samsung Magician, Crucial Storage Executive).
Command Prompt (for HDDs) – Run cipher /w:C: to overwrite deleted files on the selected drive.
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
Contec is a China-based company that specializes in healthcare technology, offering a range of medical devices including patient monitoring systems, diagnostic equipment, and laboratory instruments.
What is a GUID?
A GUID is a globally unique identifier that can be generated through several different algorithms. The GUIDs on this site are generated using a secure random number generator.
Given the number of people working for tech startups (6 million), the failure rate of said startups (90 percent), their usage of Google Workspaces (50 percent, all by Ayrey's numbers), and the speed at which startups tend to fall apart, there are a lot of Google-auth-connected domains up for sale at any time. That would not be an inherent problem, except that, as Ayrey shows, buying a domain with a still-active Google account can let you re-activate the Google accounts for former employees.
With admin access to those accounts, you can get into many of the services they used Google's OAuth to log into, like Slack, ChatGPT, Zoom, and HR systems. Ayrey writes that he bought a defunct startup domain and got access to each of those through Google account sign-ins. He ended up with tax documents, job interview details, and direct messages, among other sensitive materials.
You have to close up shop, not just abandon it
Reached for comment, a Google spokesperson provided a statement:
We appreciate Dylan Ayrey’s help identifying the risks stemming from customers forgetting to delete third-party SaaS services as part of turning down their operation. As a best practice, we recommend customers properly close out domains following these instructions to make this type of issue impossible. Additionally, we encourage third-party apps to follow best-practices by using the unique account identifiers (sub) to mitigate this risk.
Google's instructions note that canceling a Google Workspace "doesn't remove user accounts," which remain until an organization's Google account is deleted.
Notably, Ayrey's methods were not able to access data stored inside each re-activated Google account, but on third-party platforms. While Ayrey's test cases and data largely concern startups, any domain that used Google Workspace accounts to authenticate with third-party services and failed to delete their Google account to remove its domain link before selling the domain could be vulnerable.
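Google's statement asks third-party apps to key accounts on the unique `sub` identifier rather than the email address. As an added example (not code from Ars Technica, Google, or Ayrey's write-up), the weak email-keyed lookup sits beside the `(iss, sub)`-keyed one; the claims are assumed to come from an ID token whose signature has already been verified, and the email addresses and `sub` values are constructed.

```python
from dataclasses import dataclass, field

GOOGLE_ISSUER = "https://accounts.google.com"   # the `iss` claim Google ID tokens carry


@dataclass
class Account:
    local_id: int
    issuer: str
    subject: str   # OIDC `sub`: the IdP's stable, opaque per-user identifier
    email: str     # contact/display data only; a mailbox name can pass to a new person


@dataclass
class AccountStore:
    """Two lookup indexes over the same accounts, so both login patterns can be compared.
    Claims passed in are assumed to come from an already signature-verified ID token."""
    by_identity: dict = field(default_factory=dict)  # (iss, sub) -> Account
    by_email: dict = field(default_factory=dict)     # email -> Account (the weak pattern)
    next_id: int = 1

    def _create(self, claims: dict) -> Account:
        acct = Account(self.next_id, claims["iss"], claims["sub"], claims["email"])
        self.next_id += 1
        self.by_identity[(acct.issuer, acct.subject)] = acct
        self.by_email[acct.email] = acct
        return acct

    def login_by_email(self, claims: dict) -> Account:
        """Weak pattern: whoever can obtain an ID token carrying a known email address,
        such as the buyer of a lapsed domain who re-creates the mailbox, inherits the
        previous holder's account and everything stored under it."""
        acct = self.by_email.get(claims["email"])
        return acct if acct is not None else self._create(claims)

    def login_by_sub(self, claims: dict) -> Account:
        """Recommended pattern: key on (iss, sub). A new person behind an old email
        address is a new identity and gets a fresh, empty account; the same person with
        a renamed mailbox keeps their account and only the display email is updated."""
        acct = self.by_identity.get((claims["iss"], claims["sub"]))
        if acct is None:
            return self._create(claims)
        if acct.email != claims["email"]:
            acct.email = claims["email"]
        return acct


if __name__ == "__main__":
    # Constructed claims: the former employee, then the domain's new owner reusing the mailbox.
    former = {"iss": GOOGLE_ISSUER, "sub": "1001", "email": "ceo@defunct-startup.example"}
    buyer = {"iss": GOOGLE_ISSUER, "sub": "2002", "email": "ceo@defunct-startup.example"}
    weak, strong = AccountStore(), AccountStore()
    print("email-keyed: same account?", weak.login_by_email(former) is weak.login_by_email(buyer))
    print("sub-keyed:   same account?", strong.login_by_sub(former) is strong.login_by_sub(buyer))
```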