Real-time historian of the late cyber capitalist era
@TechCrunch
. Writing a book on Hacking Team and the industry of government spyware. ☎️ +1 917 257 1382
Hello y'all!
Here's an update on how you can contact me to share tips and stories on the wonderful world of cyber.
Find me here:
☎️ Signal: + 1 917 257 1382
🔒Keybase/Telegram: lorenzofb
🗝️SecureDrop:
Dorsey and his weird beard-shirt combo, Alex Jones, a congressional staffer wearing Google Glass, and a journalist wearing an 1980s Casio watch.
This has to be the most hilariously dystopian picture of the year.
NEW: A hacker took control and locked the chastity cages of several men, asking them for a ransom to unlock them.
"Your cock is mine now," the hacker told one of the victims.
NEW: Activision Blizzard workers are accusing the company of "union busting" and "intimidation."
A current employee said they are "scared" because they are seeing "retaliation," and some other workers who were outspoken before are now going "silent."
NEW: Facebook snooped on Snapchat users' encrypted network traffic to study how they behaved, unsealed court documents reveal.
This was part of a secret program called "Project Ghostbusters," and even inside the company, it was very controversial.
NEW: Elon Musk switched on X calling by default, which could potentially expose your IP address, and allow spam calls.
We tested how it works in different scenarios and even ran a network analysis test to break it all down.
And it's a real mess.
New: leaking collective
@DDoSecrets
published 270 gigabytes of internal sensitive files from police departments all over the US.
Hat tip to
@briankrebs
who verified the leak.
Uber: our drivers do not deserve health insurance nor other benefits.
Also Uber: please vaccinate them first so they can keep making money for our stockholders and board members.
I’m asking governors in all 50 states + DC to prioritize drivers & delivery people for early vaccine access. 👇 These frontline workers should get the vaccine before people like me.
"On January 25, hundreds of workers at an Amazon warehouse in Chicago were presented with a baffling choice: sign up for a ten-and-a-half-hour graveyard shift, or lose your job."
New: We found the supposed Facebook data breach that some people are claiming is somehow connected to the Facebook outage.
It's almost certainly not connected. And it's almost certainly not a data breach, but a scam.
NEW: Signal is asking people to set up proxy servers to help Iranians get around the government's block of the encrypted app.
I haven't tried but Signal says it's very easy to set up the proxies.
NEW: Media reports in Spain say John McAfee was found dead in his cell, hours after a court ruled in favor of his extradition to the United States.
McAfee was a antivirus-pioneer-turned-cryptocurrency-enthusiast, alleged murderer, and alleged tax evader.
NEW: Last week, hackers targeted 1,900 Signal users, specifically going after three of them.
I was one of those three, and the hackers were able to take over my Signal account for 13 hours. Here's how we responded to this incident.
NEW: Blizzard employees at a conference asked woman if she was lost and if she was there with her boyfriend.
"One of them asked me when was the last time I was personally penetrated, if I liked being penetrated, and how often I got penetrated," she said.
NEW: Google found a malicious Android app that was disguising as an app for Ukrainians to launch DDoS attacks against Russian sites.
In reality, the app was malware designed to indentify and track Ukrainians.
NEW: Apple says it will no longer give law enforcement and government agencies access to users' push notification data without a warrant.
Now Apple says it will now require a judge-approved order or search warrant, and not just a subpoena.
Today was my last day at VICE. I have nothing but good feelings about everyone
@motherboard
. For the last seven years I learned, grew up, and worked with great journalists and friends. We got some scoops, put out some kickass investigations, and had fun in the process.
Great moment in today's Senate hearing on the UnitedHealth Group's recent cyberattack.
Senator Thom Tillis takes out the "Cybersecurity for Dummies" book, not sure exactly why...
NEW: Facebook engineers admit the company's systems make it very hard to know where users' data ends up and how it's used.
"We can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’"
~ Personal news ~
I am joining TechCrunch to work with
@zackwhittaker
and the rest of the team covering the usual beats of cybersecurity, hacking, surveillance and privacy.
I'm really excited and look forward to being back on the beat starting Jan. 17.
New: Apple put USB Restricted Mode in both iOS 11.4.1 beta and iOS 12 beta. And now it's triggered after 1 HOUR of phone not being unlocked, not 1 week.
This is the feature that essentially kills iPhone unlocking tools made by Cellebrite and GrayShift.
Today is a good day, so it's time for a personal story.
Last year I became depressed. It's hard to explain *why* and that's part of the struggle with such an illness. I would routinely feel sad and demotivated. I felt like I was doing shitty work, and I thought about death.
NEW: This is the device that confused and concerned attendees at
@defcon
by triggering pop ups on their iPhones.
The researcher who created it explained how it works, and what are the risks iPhone users face when these spoofed messages pop up.
NEW: A researcher found traffic light controllers on the internet with no authentication at all, potentially allowing hackers to create traffic jams.
Researcher says that company who make the devices threatened legal action instead of working to fix.
NEW: CrowdStrike sent partners a $10 UberEats gift card to apologize for the outage.
"We send our heartfelt thanks and apologies for the inconvenience,” the email read. “To express our gratitude, your next cup of coffee or late night snack is on us!”
NEW: Apple paid five hackers a grand total of $51,500 for finding 55 bugs in three months.
One vuln could have allowed hackers to make a worm that could steal all iCloud data, another allowed the researcher to access an Apple source code repo.
NEW: 23andMe initially said its data breach hit 0.1% of customers (~14k).
23andMe now reveals that — actually — there were 6.9 million victims.
Number is so high because by hacking those ~14k accounts hackers then were able to get data from relatives.
I just recently discovered that "updating the Kaspersky" ("actualizar el Kasperspy") means "having sex" in Cuba.
For example, you meet a friend and you ask them about their date: "Did you update your Kaspersky?"
Truly one of the best discoveries I make in years.
If you read this it's clear that the culprits of VICE's current situation are the higher ups who for years were getting 6 or even 7 figures salaries.
The same people that every other year laid off hundreds of workers and blamed the economy or whatever.
NEW: I dove into the world of self-appointed independent investigators—some call them “vigilantes”—policing the web3 and crypto world.
“At the end of the day Jake Paul’s fans got screwed while he got rich.”
NEW: Someone emptied out one of the most valuable Bitcoin wallets in existence yesterday.
Whoever it was—and it's anybody's guess—they moved more than $960,000,000 in cryptocurrency last night.
🚨UPDATE: T-Mobile now says "encrypted passwords" were compromised in latest data breach.
We obtained a sample of one "encrypted password" and turns out it may be a Base64 string that decodes to a MD5 hash. In other words, it could potentially be cracked.
NEW: Kamala Harris is 100% right about Bluetooth. It is not worth the risk for her.
She isn't "Bluetooth-phobic," she understands her threat model and is acting accordingly.
NEW: DEF CON organizers issued a permanent ban against One America News for violating the conference's privacy policy.
OAN journalists "repeatedly taking photo and video showing people’s faces without the consent of those individuals."
There will never be a website like Motherboard.
A product of a time and place that will never be replicated. And for all its faults (and there were millions of them), Vice was smart enough to let us thrive on our own.
Motherboard forever. And fuck these clueless media execs.
Just incredible. The CEO of VICE is giving up on one of the most popular global media brands, firing its journalists and shutting down in order to "transition to a studio model" which means... what? Posting brand stuff to Instagram?
NEW: Meet Apple's "mole" in the jailbreak and leaks community.
For years, he advertised leaked data and iPhone prototypes online. Then he became an informant for Apple's Global Security team.
So making Facebook a central hub for authentication across the internet was a bad idea...and Facebook has one of the best security teams in the world.
Now imagine making AT&T, Verizon, Sprint and T-Mobile the gatekeepers of all your password and digital identity.
NEW: Researcher found evidence that a campaign against "critical reace theory" in New York City schools is actually run by infamous astroturfing right-wing lobby.
We confirmed lobby involvement. Campaign's official Twitter account is already suspended.
New: Governor wants to prosecute a journalist for clicking "View Source" on a government website.
The journalist found that a Missouri site was leaking 100,000 Social Security numbers. He reported the flaw and did not write about it until it was fixed.
NEW: Government hackers were using a zero-click zero-day in iMessage to hack iPhones.
Vulnerability was discovered by Citizen Lab when investigating a potential hack of a Saudi activists' iPhone. Apple just patched the bug.
NEW: Most online services (email, social media...) have mechanisms and tools for you to check if your account has been hacked and accessed by someone who shouldn't have.
We wrote a guide on how to do that on Gmail, Outlook, Facebook/Instagram, X, etc.
NEW: The Russian game developer Battlestate Games said it has banned 6,700 cheaters in a week from Escape from Tarkov.
The company has also taken the unusual step of publishing the nicknames and handles of all the cheaters.
Scoop: Syniverse, a cellphone network backbone provider for Verizon, AT&T, Vodafone and others got hacked.
Company refused to disclose details of the hack. Experts say hackers potentially accessed call metadata (callers ID, location) and SMS content.
NEW: Hackers say they stole 33 million cell phone numbers of users of two-factor app Authy.
Twilio (owner of Authy) confirmed "threat actors were able to identify" phone numbers, but didn't say how many.
The risk is better tailored phishing attacks.
Personal news: I am writing a book along with
@juanandres_gs
about Hacking Team and the history of the government spyware industry, from the late 1990s to today.
I have dreamed of this moment for a long time, and it's the culmination of years of work.
NEW: In a court hearing, Facebook engineers admit that the company's systems are so open and complex that they don't know where user data is stored.
“It would take multiple teams on the ad side to track down exactly the—where the [user] data flows.”
NEW: Hackers hacked a credit card hacking forum, exposing the data of 300,000 hackers.
The forum is Carding Mafia, and for now they haven't announced the breach to their users.
I love being a tech journalist because to do my job I only need the following messaging apps:
-Slack
-Twitter
-Signal
-Hangouts
-Wire
-Threema
-Wickr
-iMessage
-Google Voice
-Telegram
-Email
-Facebook Messengers
-WeChat
-JitsiMeet
-Jabber
-Discord
New: The way Jamie Spears spied on Britney's phone is horrifyingly simple and effective. It's the exact same way countless abusers spy on their loved ones.
Here we explain how it works and what you could do to mitigate the risks.
This is one of the news outlets part of the international investigation into surveillance abuses.
This is how India’s authorities are responding to the revelations.
Not just another day at the office for
@thewire_in
after
#PegasusProject
Policeman arrived today with inane inquiries. 'Who's Vinod Dua?' 'Who's Swara Bhaskar?' 'Can I see your rent agreement?' 'Can I speak to Arfa?'
Asked why he'd come: "Routine check for Aug 15"
Strange.
New: The co-founder of a multi-billion dollar cryptocurrency protocol was revealed to be a convicted criminal, who in the past founded an exchange that imploded and was revealed to be a Ponzi scheme.
Another normal day in cryptoland.
NEW: We finally know who moved all those bitcoins.
The US government just announced that it has seized almost $1 billion in Bitcoin from a hacker only known as "Individual X."
Bitcoins were allegedly stolen from Silk Road in 2012 or 2013.
Apple has notified people in 150 countries that they were infected with mercenary spyware (Intellexa, NSO...).
We knew spyware was global but this is next level. The market has grown tremendously since 2004, when Hacking Team was getting started.
NEW: The check-in computers at several hotels around the U.S. are running a consumer spyware app called pcTattletale.
The app stealthily and continually captures screenshots of the booking systems, which contain guest information and reservation details.
Incredible long con by the UAE.
First they outlawed and blocked WhatsApp, Skype, and other VoIP/chat apps.
Then they launch their own app, that of course EVERYONE instala because there’s no alternative.
This is the future of surveillance.
ToTok, a messaging app that as of last week was one of the most popular in the Apple and Google stores, is billed as a secure way to chat by video/text message with friends/family
But it turns out that it's actually a spying tool for Emirati intelligence
NEW: Hackers have scraped the new right-wing social media platform GETTR, getting 90,000 usernames and email addresses.
We verified by trying to create accounts with 5 email addressed in the database, which got us the error: "The email is taken."
New: Facebook helped the FBI hack a child predator and sextortionist.
The social media giant paid a cybersecurity firm six figures to develop a zero-day exploit to help the FBI unmask a serial child predator that was using Facebook to terrorize girls.
This is the same company that tracked Black Lives Matter protesters.
We found that Mobilewalla had extensive ties with the Republican party during the 2016 elections cycle.
I share this because I'm not the only one, especially in these trying times.
Take care of yourselves, and don't be afraid to ask for help. Don't feel shame, we're all struggling one way or the other. Realizing this literally saved my life.
New: a hacker has just released a jailbreak for up-to-date (iOS 12.4) iPhones, the first time anyone can jailbreak updated iPhones in years.
What's worse, the jailbreak was made possible by Apple reintroducing a bug it had already patched.
Call it...cyber art.
An artist infected an old Samsung netbook with WannaCry, BlackEnergy, ILOVEYOU, MyDoom, SoBig and DarkTequila and bidding for this piece of art is now over $1 million.
New: Hackers have breached Docker Hub, a popular programming tool used by major tech companies.
The impact of the breach is still unclear but hackers accessed private keys and tokens for GitHub and BitBucket, which is potentially really, really, bad.
NEW: Cybersecurity researchers have devised a way to pwn targets just using emojis. It's a proof-of-concept for now but nevertheless interesting research.
The image below is part of an exploit written only in emojis.
NEW: Apple's "extreme" privacy and security mode blocked a hacking attempt made with NSO's zero-day exploits, according to Citizen Lab.
First documented case where Lockdown Mode not only blocked the attempt, but also notified the target.
My least favorite reaction to a story is the "this isn't surprising!" This usually comes from someone who has paid a lot of attention to a topic and assumes the rest of the world has too.
Also, our job is to report facts and news. If you wanna be surprised go watch a magician.
VICE management is so incompetent they can't avoid embarrassing themselves in a meeting that was supposed to be for the remaining employees, but whose invite was shared with laid off people.
Remember, these people make ~800k a year.
NEW: Spanish police identified a pro-Catalan independence activist thanks to legal requests to Apple, and encrypted services Wire and Protonmail.
Story shows that using apps that encrypt content won't save you if there's personal info in the metadata.
Ex-NSA hacker
@emilymaxima
is building an AI to recognize and flag nazi and far-right symbols on social media. Here's my short profile of her and her project, which is all open source
New: The city of San Diego quietly installed 3,000 streetlights equipped with hidden spy cameras three years ago.
This summer, the cops used them to arrest BLM protesters.
New: a hacker broke into thousands of accounts of two GPS tracking apps, allowing him to monitor cars, and even kill their engines.
The key of the breach was that the two GPS tracking apps gave users the default password: "123456"
NEW: A hacker tried to poison a Florida city by increasing the level of sodium hydroxide in the water supply.
Worker who was monitoring levels from home caught it right away and avoided what would have been a disaster.
NEW: Activision Blizzard employees are walking out to protest working conditions.
They are also not happy about how the company has responded to the California lawsuit, which "fails to address critical elements at the heart of employee concerns."
New: Apple used the DMCA to take down a viral tweet that contained an iPhone encryption key. Then, it backtracked and asked Twitter to put it back up.
Meanwhile, jailbreakers are freaking out because some posts on Reddit have been taken down too.
Serious question: what are the best hacking video games?
By that I mean both games that illustrate hacking culture, and games that use hacking mechanics.
New: California police have nabbed a second suspect of a SIM swapping crime ring. This time it's a 19-year-old who apparently used stolen Bitcoin to buy luxury cars.
Kelly
@aloria
Lum passed away on Sunday.
She will be remembered for her hacking acumen, her courageous openness in speaking about mental health, her memorable memes, and unparalleled karaoke skills.