Law, not technology, is the true battlefield in the War on General Purpose Computing, a subject I've been raising the alarm about for decades now:
https://memex.craphound.com/2012/01/10/lockdown-the-coming-war-on-general-purpose-computing/
The fact that there's no technical way to enforce these restrictions means that the companies that benefit from them have to pitch their arguments to lawmakers, not customers. If you have something that works, you use it in your sales pitch, like Signal, whose actual, working security is a big part of its appeal to users.
If you have something that doesn't work, you use it in your lobbying pitch, like Apple, who justify their 30% ripoff app tax – which they can only charge because it's a felony to reverse-engineer your iPhone so you can use a different app store – by telling lawmakers that locking down their platform is essential to the security and privacy of iPhone owners:
https://pluralistic.net/2024/01/12/youre-holding-it-wrong/#if-dishwashers-were-iphones
Google lost a brutal antitrust case brought by Epic Games, makers of Fortnite:
https://pluralistic.net/2023/12/12/im-feeling-lucky/#hugger-mugger
Epic's suit contended that Google had violated antitrust law by creating exclusivity deals with carriers and device makers that locked Android users into Google's app store, which meant that Epic had to surrender 30% of its mobile earnings to Google.
Google lost that case – badly. It turns out that judges don't like it when you deliberately destroy evidence:
They say that when you find yourself in a hole, you should stop digging, but Google can't put down the shovel. After the court ordered Google to open up its app store, the company just ignored the order, which is a thing that judges hate even more than destroying evidence:
https://www.justice.gov/atr/case/epic-games-inc-v-google-llc
So it was that last month, Google found itself with just two weeks to comply with the open app store order, or else:
https://www.theverge.com/news/717440/google-epic-open-play-store-emergency-stay
Google was ordered to make it possible to install new app stores as apps, so you could go into Google Play, search for a different app store, and, with a single click, install it on your phone, and switch to getting your apps from that store, rather than Google's.
That's what's behind Google's new ban on "sideloading": this is a form of malicious compliance with the court orders stemming from its losses to Epic Games. In fact, it's not even malicious compliance – it's malicious noncompliance
The Fast Identity Online (FIDO) Alliance developed passkeys several years ago, and the technology offers numerous benefits. For example, passkeys cannot be guessed or shared. Also, passkeys resist some phishing attempts because they're unique to the sites they're created for, so they won't work on fraudulent lookalikes. Most importantly, in the age of near-constant data breaches, your passkeys cannot be stolen by hacking into a company's server or database, making the stolen data far less valuable to criminals. //
Apps or websites store your unique public key. A private key is stored on your device, in your password manager, or, if you're an Apple user, in your iCloud keychain. After your device (or iCloud) authenticates your identity, the two keys combine to grant you access to your account. //
To learn how to set up passkeys for your online accounts, check out our guide to setting up and using passkeys.
https://www.pcmag.com/how-to/no-more-passwords-how-to-set-up-apples-passkeys-for-easy-sign-ins
You know the data privacy pop-up screens? Don't immediately tap "Accept." Instead, navigate to the "Cookies" or "User Data" sections and choose the shortest available session duration. That way, your cookies will expire automatically or whenever you close your browser window. //
Because the technologies became popular around the same time, many people seem to believe that 2FA options like biometric authentication, authenticator apps, and hardware security keys are the same as passkeys.
The difference? Passkeys perform multi-factor authentication. You will log into a website using only the passkey; there is no need to enter a password and username. Depending on your privacy and security settings, the iCloud account, device, or password manager where you've stored a passkey may require you to unlock it by using your face, fingerprint, or passcode.
TL;DR: The 2021 Infrastructure Investment and Jobs Act requires all new cars sold after September 2027 to include technology that monitors whether you're impaired or distracted—and can prevent you from driving. Infrared cameras will track your eyes, breath sensors will measure alcohol, and your car can refuse to start or limit its speed. Privacy advocates warn this biometric data could be shared with insurance companies, law enforcement, or sold to data brokers.
What's coming to your car
Tucked into the 2,702-page Infrastructure Investment and Jobs Act that President Biden signed in November 2021 was a provision that few Americans noticed. Section 24220 requires NHTSA to issue safety standards mandating "advanced drunk and impaired driving prevention technology" in all new passenger vehicles.
The law gave NHTSA until November 15, 2024 to finalize rules. Enforcement begins no later than September 2027. That deadline is now 18 months away.
FreeOTP is a two-factor authentication application for systems utilizing one-time password protocols. Tokens can be added easily by scanning a QR code. If you need to generate a QR code, try our QR code generator.
FreeOTP implements open standards: HOTP and TOTP. This means that no proprietary server-side component is necessary: use any server-side component that implements these standards. We recommend FreeIPA.
On March 23, 2026, the Hong Kong government changed the implementing rules relating to the National Security Law. It is now a criminal offense to refuse to give the Hong Kong police the passwords or decryption assistance to access all personal electronic devices including cellphones and laptops. This legal change applies to everyone, including U.S. citizens, in Hong Kong, arriving or just transiting Hong Kong International Airport. In addition, the Hong Kong government also has more authority to take and keep any personal devices, as evidence, that they claim are linked to national security offenses.
The vulnerability and exploit code that exploits it were released Wednesday evening by researchers from security firm Theori, five weeks after privately disclosing it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254) but few of the Linux distributions had incorporated those fixes at the time the exploit was released.
A single script hacks all distros
The critical flaw, tracked as CVE-2026-31431 and the name CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code—released in Wednesday’s disclosure—that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD work flows.
“‘Local privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”
It estimates there are over 100 million consumer routers currently in active use across the US, and the FCC's order impacts the replacement cycle for every one of these devices, as new models cannot be authorized unless they secure Conditional Approval and agree to onshoring requirements.
The existing channel inventory of previously authorized router models will absorb initial demand, but that buffer is finite, and if the Conditional Approval process cannot achieve sufficient throughput within 6 to 12 months, consumers and ISPs will face a constrained selection, the GEA says.
The upshot will be that many will not be able to replace aging and outdated routers, which is more likely to leave them vulnerable to attackers taking advantage of any security flaws in them.
Firms that make router silicon such as Qualcomm, MediaTek, and Broadcom operate on global roadmaps, the report states. If the US certification pathway becomes slower or less predictable than equivalent processes in Europe or Asia, then vendors will prioritize launches in those markets, the report claims. US consumers would see delayed availability of new Wi-Fi 7 models, reduced model selection, or higher prices as companies have to cover compliance costs across fewer units sold.
Speedtest.net data reveals the most popular Wi-Fi router brands in the US, many of which could face trouble licensing new models without an FCC exemption. //
according to Ookla, TP-Link comes in second, with its Wi-Fi routers appearing in only 9.9% of speed test samples. Instead, routers from Amazon-owned Eero lead the pack, although narrowly, with a 10% share. In third is US-based Netgear at 9.6%. //
To prevent harming consumers, the FCC’s order steers clear of banning any Wi-Fi routers currently in use or sold in the US. The Trump administration will also allow vendors to apply for an exemption under the implied pretext that the company will eventually move manufacturing to the US. Whether that process favors US companies over foreign brands is a big question.
Still, as it stands, the FCC is only permitting software updates to flow to existing foreign-made Wi-Fi routers for consumers until March 1, 2027. It's a pretty ironic and alarming deadline, considering software updates keep routers safe from serious vulnerabilities.
The TP-Link WR841N router is named by the NCSC as one of the models APT28 has been exploiting, likely using CVE-2023-50224, an unauthenticated information disclosure flaw that allows an attacker to retrieve credentials through an HTTP GET request. When the threat actor has the router’s credentials, a second GET request rewrites the DHCP DNS settings, setting the primary DNS to a malicious IP and the secondary to the original primary.
The advisory lists more than 20 additional TP-Link models targeted in the campaign, //
A second cluster of attacker infrastructure received DNS requests forwarded from compromised MikroTik routers as well as TP-Link gear, and was also used in interactive operations against a smaller set of MikroTik routers "often located in Ukraine" that the NCSC said were likely of intelligence value.
Modern adversary tooling executes what security researchers call a real-time phishing relay, sometimes referred to as an adversary-in-the-middle (AiTM) attack. The mechanics are precise.
An adversary builds a reverse proxy that sits between the victim and the legitimate service. When the victim enters credentials on the spoofed page, the proxy forwards those credentials to the real site in real time.
The real site responds with an MFA challenge. The proxy forwards that challenge to the victim. The victim responds — because the page looks legitimate and the MFA prompt is real. The proxy forwards the response. The adversary receives an authenticated session.
Push notification MFA, SMS one-time codes, and TOTP authenticator apps are all vulnerable to this relay. They authenticate the exchange of a code. They do not verify that the individual completing the exchange is the authorized account holder. They cannot distinguish a direct session from a proxied one. //
The deeper problem is that the authentication architecture most organizations have deployed was not designed to answer the question that actually matters in a post-breach environment: was the authorized individual physically present and biometrically verified at the moment of authentication?
Push notifications do not answer this question. SMS codes do not answer this question. TOTP does not answer this question. USB hardware tokens answer a related but different question — they prove the registered device was present, not the authorized person. //
FIDO2/WebAuthn gets cited frequently in this conversation, and it is a meaningful step forward — but it is not sufficient on its own. Standard passkey implementations bind the credential to a device or cloud account.
Cloud-synced passkeys inherit the vulnerabilities of the cloud account: SIM swap attacks against the recovery phone number, account takeover via credential phishing, recovery flow exploitation. Device-bound passkeys prove device possession. They do not prove human presence.
Phishing-resistant authentication that closes the relay attack vector requires three properties simultaneously:
- Cryptographic origin binding: the authentication credential is mathematically tied to the exact origin domain. A spoofed site cannot produce a valid signature because the domain does not match. The attack fails before any credential is transmitted.
- Hardware-bound private keys that never leave secure hardware: the signing key cannot be exported, copied, or exfiltrated. Compromise of the endpoint does not compromise the credential.
- Live biometric verification of the authorized individual: not a stored biometric template that can be replayed, but a real-time match that confirms the authorized person is physically present at the moment of authentication.
When all three properties are present, a relay attack has no viable path. The adversary cannot produce a valid cryptographic signature from a spoofed site. They cannot relay a session because the cryptographic binding fails the moment the origin changes.
They cannot use a stolen device because the biometric verification fails without the authorized individual. They cannot social-engineer an approval because there is no approval prompt — the authentication either completes with a live biometric match at the registered hardware, or it does not complete.
AI is rapidly changing how software is written, deployed, and used. Trends point to a future where AIs can write custom software quickly and easily: “instant software.” Taken to an extreme, it might become easier for a user to have an AI write an application on demand—a spreadsheet, for example—and delete it when you’re done using it than to buy one commercially. Future systems could include a mix: both traditional long-term software and ephemeral instant software that is constantly being written, deployed, modified, and deleted.
AI is changing cybersecurity as well. In particular, AI systems are getting better at finding and patching vulnerabilities in code. This has implications for both attackers and defenders, depending on the ways this and related technologies improve.
In this essay, I want to take an optimistic view of AI’s progress, and to speculate what AI-dominated cybersecurity in an age of instant software might look like. There are a number of unknowns that will factor into how the arms race between attacker and defender might play out.
These are just individuals, they just use computers, and they just want to steal your data and make money. They're not mythical. They don't have superpowers. //
And thus, the Dark Web Roast was born. It's a regular blog complete with memes, mockery, and a Ricky Gervais' "they're just jokes" inspired disclaimer: "While these incidents are genuinely amusing, they represent real criminal activities causing significant harm. This content is for threat intelligence and educational purposes only."
The most recent edition features a ransomware gang that bulk-drafted and scheduled their extortion attempts like a content calendar: "Considering the sheer, numbing volume of their posts, it's a solid bet that their 'victims' are probably just fake sites they spun up themselves for content, because nothing screams legitimacy like inflating your stats with phantom compromises," the researchers wrote. //
But public mockery (as with LockBit), and infiltration like the FBI did with Hive's ransomware network, can fracture trust among cyberthieves. And this fragmentation can help defenders dismantle criminal operations and keep people and data safe. //
The video shows an administrator skimming the most valuable secrets and cryptocurrency keys for personal gain, while passing only less lucrative data to customers. Trellix learned about this incident during a briefing with Dutch police.
"They said to us, 'We found out that this admin is also stealing from his own customers,'" Fokker remembers. After the Europol press release came out, Trellix unleashed the snark in a Dark Web Roast.
"We basically said you're stupid if you work with him, because he's just getting rich, and we just make fun of him," Fokker said. "We don't know if the impact was measurable, but still, we had an opportunity to run with that story and make a complete fool out of this admin. So that's something." ®
The cost of high-performance GPUs, typically $8,000 or more, means they are frequently shared among dozens of users in cloud environments. Three new attacks demonstrate how a malicious user can gain full root control of a host machine by performing novel Rowhammer attacks on high-performance GPU cards made by Nvidia.
The attacks exploit memory hardware’s increasing susceptibility to bit flips, in which 0s stored in memory switch to 1s and vice versa. In 2014, researchers first demonstrated that repeated, rapid access—or “hammering”—of memory hardware known as DRAM creates electrical disturbances that flip bits. A year later, a different research team showed that by targeting specific DRAM rows storing sensitive data, an attacker could exploit the phenomenon to escalate an unprivileged user to root or evade security sandbox protections. Both attacks targeted DDR3 generations of DRAM. //
On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new—and potentially much more consequential—territory: GDDR bitflips that give adversaries full control of CPU memory, resulting in full system compromise of the host machine. For the attack to work, IOMMU memory management must be disabled, as is the default in BIOS settings. //
A separate mitigation is to enable Error Correcting Codes (ECC) on the GPU, something Nvidia allows to be done using a command line. //
Kevin G
Ars Scholae Palatinae
21y
1,483
Thursday at 2:54 PM
#12
New
The ECC functionality on nVidia cards can take a pretty big performance hit as they do not include extra DRAM for ECC. Thus on a 32 GB workstation GPU, the amount of usable memory is reduced down to a 28 GB. Thus if you were using that extra memory and flipped on ECC, performance tanks as the remaining 4 GB gets paged out to host CPU memory. Beyond that, the ECC algorithm itself as the where the parity data for ECC resides is some what configurable. If itis on the same memory controller (which generally means the same memory chip as often there is only one chip per memory channel), then the calculation is done inside the memory controller relatively quickly. This of course comes at the higher integrity risk of losing data if a memory chip fails but this does protect against random bit flips. The other ECC algorithm is more akin to software RAID5 which rotates where the parity data resides across the chip and across the various internal memory controllers. Thus to compute ECC, one memory controller has to wait for another control to read that information and pass it down which is big performance penalty.
What this article doesn't cover is HBM which can both have extra stacks of memory in a channel as well as extra bits of parity on each die in the stack. Most ECC leverage the extra memory on the die plus rotating where the parity data resides. The end result is effectively the same as having an extra DRAM chip on a DIMM. (For those who don't know, an 8 GB ECC DIMM will contain ten 1 GB memory chips but the extra 2 GB is used exclusively for ECC and does not alter the usable capacity.)
HBM controllers are rather complex and the reason why capacities like 141 GB exist is due to a single die failure in one of the many stacks. Instead of disabling a wholes stack and reducing the memory capacity down to 120 GB, only the explicitly broken die is disabled.
At Friday’s hearing of the Colorado Senate Business, Labor, and Technology committee, lawmakers voted unanimously to move Colorado state bill SB26-090—titled Exempt Critical Infrastructure from Right to Repair—out of committee and into the state senate and house for a vote.
The bill modifies Colorado’s Consumer Right to Repair Digital Electronic Equipment act, which was passed in 2024 and went into effect in January 2026. While the protections secured by that act are wide, the new SB26-090 bill aims to “exempt information technology equipment that is intended for use in critical infrastructure from Colorado’s consumer right to repair laws.” //
“I can point out at least five problems with the bill as drafted,” Gay Gordon-Byrne, the executive director at the Repair Association, said during the hearing. “The definition of critical infrastructure is completely inadequate. The definition that has been proposed in this bill is not even a definition.” //
Repair advocates also say that limiting this kind of repairability is the exact opposite of keeping devices secure. If something goes wrong with a critical piece of technology, the people using it need to fix it and not have to wait for manufacturer approval.
“There’s a general principle in cybersecurity that obscurity is not security,” iFixit CEO Kyle Wiens said in the hearing. “The money that’s behind the scenes, that’s what’s driving the bill.” //
DarthSlack Ars Legatus Legionis
12y
23,110
Subscriptor++
So critical infrastructure is, well, critical, right? Like you need it to keep working because if it stops you're in a world of hurt? So isn't that the stuff you really, really, really want to be able to repair when it breaks and not sitting on your ass waiting for some clownshoes to show up and charge you a small fortune to turn a screw or apply a patch?
Charles Bennett and Gilles Brassard have won the 2026 Turing Award for inventing quantum cryptography.
I am incredibly pleased to see them get this recognition. I have always thought the technology to be fantastic, even though I think it’s largely unnecessary. I wrote up my thoughts back in 2008, in an essay titled “Quantum Cryptography: As Awesome As It Is Pointless.” //
What about quantum computation? I’m not worried; the math is ahead of the physics. Reports of progress in that area are overblown. And if there’s a security crisis because of a quantum computation breakthrough, it’s because our systems aren’t crypto-agile. //
Ray Dillinger • March 31, 2026 2:43 PM
I don’t mean to diminish the work of Bennett and Brassard. They had some amazing insights and deserve their award.
At the same time I suppose that people affiliated with various three-letter-agencies may have been consulted as to the value of their work when the Turing Awards were being considered. Those agencies, if they are behind the Kleptographic attack that appears to be happening here, may have had an interest in promoting public awareness of Quantum Crypto as a threat. Promoting public awareness of a threat is absolutely a necessary step in any campaign to use that threat as a lever to get people to do something stupid out of FUD.
So I fear that the work of Bennett and Brassard, however good it may be, would likely have gone unrecognized if not for the input of people who are, despite all protestations, unlikely to be motivated by protecting people against it.
Ray Dillinger • March 31, 2026 2:43 PM
I don’t mean to diminish the work of Bennett and Brassard. They had some amazing insights and deserve their award.
At the same time I suppose that people affiliated with various three-letter-agencies may have been consulted as to the value of their work when the Turing Awards were being considered. Those agencies, if they are behind the Kleptographic attack that appears to be happening here, may have had an interest in promoting public awareness of Quantum Crypto as a threat. Promoting public awareness of a threat is absolutely a necessary step in any campaign to use that threat as a lever to get people to do something stupid out of FUD.
So I fear that the work of Bennett and Brassard, however good it may be, would likely have gone unrecognized if not for the input of people who are, despite all protestations, unlikely to be motivated by protecting people against it.
Secure Boot is a feature of UEFI, and it's a requirement for any computer that wants to run a modern version of Windows. It exists to protect us against malware that infects your computer's bootloader. There's a security certificate stored in the UEFI which your computer uses to check the Windows bootloader, to ensure it's legitimately signed by Microsoft, and not an imposter.
So far, so good, but what happens when the certificate in your UEFI expires? Well, we're all about to find out.
IanRS
Bigger problems
In my work as a security architect I occasionally get asked by an assurer or auditor why I think running AWS infrastructure in just two availability zones without a second region is enough. The latest was just earlier this week. It shows that they do not understand risk/impact balance outside their own little box. I have to point out that if something can take out two geographically separated data centres simultaneously then the impact is not restricted just to their website, and they probably have bigger problems to worry about. Some of them accept this. Some still think another region would help.
20 hrs
Anonymous Coward
Re: Bigger problems
I worked for a small public sector body. An auditor once asked what would happen if both our main and DR sites went dark. I said if that happened, something very big & bad was happening and no-one was going to care about our organisation.
Auditor ticked their box as we had clearly considered the possibility and we had a plan. (Do nothing is still a plan!)
Dachannien Ars Scholae Palatinae
16y
1,130
Subscriptor
OrvGull said:
Google has a quantum computing division. Implying they're close to some kind of breakthrough could absolutely juice their stock.
Maybe, but they actually explain the point in worrying now: Store-now-decrypt-later attacks can only really be mitigated by migrating systems to PQC. The sooner you do that, the smaller your data vulnerability surface is (in a timewise sense). If you get compromised in the future and your encrypted data gets exfiltrated, you're much better off if that data was protected with PQC. Your future vulnerability without PQC is by definition shorter if you implement now rather than later.
Based on that logic, the reason to pick, say, 2029 as a good must-implement date is because of the naturally decaying value of store-now-decrypt-later data. Even if QC isn't successful until 2039, deploying by 2029 means any vulnerable data would be 10 years old (and 10 years less valuable) by the time it gets cracked. The fact that they didn't pick a date even sooner just speaks to the monumental bulk of the task at hand.
The Federal Communications Commission yesterday announced it will no longer approve consumer-grade routers made outside of the US, citing a President Trump directive on reducing the use of foreign technology for national security reasons. The action will prevent foreign-made routers from being imported into or sold in the US.
Routers already approved for sale in the US can continue to be sold, and consumers can keep using any router they’ve previously obtained, the FCC said. But the FCC will not approve new device models made at least partly outside the US unless the Department of Defense or Department of Homeland Security determines that the router does not pose national security risks.
The prohibition applies to both US and foreign companies that produce routers outside the US. Foreign production includes “any major stage of the process through which the device is made, including manufacturing, assembly, design, and development.”
“This action means that new models of foreign-produced routers will no longer be eligible for marketing or sale in the US,” FCC Chairman Brendan Carr wrote on X.