#Canada #Cybersecurity #Encryption #Backdoors #5G #Privacy: "Bill C-26 empowers government officials to secretly order telecommunications companies to install backdoors inside encrypted elements in Canada’s networks. This could include requiring telcos to alter the 5G encryption standards that protect mobile communications to facilitate government surveillance.
The government’s decision to push the proposed law forward without amending it to remove this encryption-breaking capability has set off alarm bells that these new powers are a feature, not a bug.
There are already many insecurities in today’s networks, reaching down to the infrastructure layers of communication technology. The Signalling System No. 7, developed in 1975 to route phone calls, has become a major source of insecurity for cellphones. In 2017, the CBC demonstrated how hackers only needed a Canadian MP’s cell number to intercept his movements, text messages and phone calls. Little has changed since: A 2023 Citizen Lab report details pervasive vulnerabilities at the heart of the world’s mobile networks.
So it makes no sense that the Canadian government would itself seek the ability to create more holes, rather than patching them. Yet it is pushing for potential new powers that would infect next-generation cybersecurity tools with old diseases."
The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn't used in production systems.
Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”
"The backdoor highlights open source software’s strengths and its weaknesses in that, well, everything is happening in the open.
While a malicious maintainer can commit code that introduces a backdoor, the community can also actively analyze the code and trace exactly what was introduced, when it was introduced, who did it, and what the code does. The project can (and is) rolling back its codebase to an earlier distribution before the vulnerability was introduced. The coding history and email arguments of that user can be traced over time, and the broader developer community can make educated guesses about how this all happened. As I’m writing this, coders are analyzing Jia Tan’s contributions to other projects and the political discussions in listservs that led to them becoming a trusted maintainer in the first place.
On the open source software security listserv, developers are trying to make sense of what happened, and are debating about how and when the discovery of the vulnerability should have been made public (the discovery was made one day before it was distributed to the broader listserv). Tavis Ormandy, a very famous white hat hacker and security researcher who works for Google, wrote on the listserv, “I would have argued for immediately discussing this in the open.”" https://www.404media.co/the-xz-backdoor-highlights-the-vulnerability-of-open-source-software-and-its-strengths/
RT @DevuanOrg
Devuan is not affected by the latest vulnerability caused by systemd. The malicious backdoor in xz/liblzma is a vector for remote exploitation of the ssh daemon due to a dependency on systemd for notifications and due to systemd's call to dlopen() liblzma library (CVE-2024-3094) https://twitter.com/DevuanOrg/status/1774029432979653069
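A host check for the mechanism the post above describes, added here as an example and not Devuan's or the xz project's code: it answers whether the installed xz is one of the two backdoored releases (5.6.0 or 5.6.1, CVE-2024-3094) and whether the sshd binary pulls in liblzma at all. It assumes the usual `xz (XZ Utils) x.y.z` first line of `xz --version` and that `ldd` and `sshd` are on the path; the strings in the checks are constructed samples.

```shell
#!/bin/sh
# Defender-side check for CVE-2024-3094 (added example; assumptions noted inline).

# Return 0 if the given `xz --version` output names a backdoored release.
# Assumes the first line looks like "xz (XZ Utils) 5.6.1" (version is the last field).
xz_version_affected() {
    line=$(printf '%s\n' "$1" | head -n 1)
    ver=${line##* }
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 if a dependency listing (the output of `ldd <binary>`) mentions liblzma.
deps_include_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks against this host. Returns 1 if a backdoored xz is installed.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        if xz_version_affected "$out"; then
            echo "AFFECTED: $(printf '%s\n' "$out" | head -n 1) is a backdoored release"
            rc=1
        else
            echo "ok: $(printf '%s\n' "$out" | head -n 1)"
        fi
    else
        echo "xz not installed"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -z "$sshd_path" ] && [ -x /usr/sbin/sshd ] && sshd_path=/usr/sbin/sshd
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if deps_include_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "note: $sshd_path links liblzma (directly or via libsystemd); version above matters"
        else
            echo "ok: $sshd_path does not link liblzma at load time"
        fi
    fi
    return $rc
}

# Run only when invoked as `sh check.sh --check`, so sourcing the file is side-effect free.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

One caveat a practitioner should keep in mind: `ldd` only reports link-time dependencies. If libsystemd loads liblzma lazily with dlopen(), as the post describes, the library will not appear in `ldd sshd` output but will appear in the running daemon's memory map (`/proc/<sshd pid>/maps`), so inspect the live process when ldd reports nothing.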
Operation Triangulation: The last (hardware) mystery | …if this turns out to be an NSA-enabling backdoor, Apple’s security reputation will be toast
Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake. Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.
"We write as journalists, artists, authors, activists, technologists, and academics to warn of increasing international #censorship that threatens to erode centuries-old democratic norms. [...]"
@publicvoit People who call a law that forbids the denial of genocide censorship are not people I want to pay attention to. Also, it's interesting which laws they don't mention: American states censor books in schools and libraries. German states censor gender-aware language in schools and even universities. Yes, censorship is a growing problem, but these people seem to want to protect hate speech and disinformation rather than free speech and democracy.
@publicvoit Using the term ‘mainstream media’ says it all — it often reveals the author’s political leanings and implies a monolithic media landscape that doesn’t actually exist.
#Cybersecurity #Privacy #Encryption #Messaging #Backdoors: "Right now, we need more end-to-end encryption. There’s little evidence that weakening encryption will make much of a dent on the fentanyl trafficking on our streets. But after the US Supreme Court’s Dobbs decision, end-to-end encryption is now a critical means of thwarting attempts to prosecute women who seek abortions in states where politicians lay claim to their major life choices. Last year, Meta turned over private messages from a Facebook user to Nebraska police that led to felony charges against a mother who aided her daughter in ending a pregnancy by abortion pills. If those messages had been protected by end-to-end encryption—as WhatsApp and Signal messages are—authorities would not have been able to read them. If “deliberate blindness” is banned, watch out for widespread snooping to find out who might be seeking abortions."