The Weekly Ink #6
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to inform the community on security happenings and culture.
This in-depth article about The (widely used) Onion Router traces its history and development. Although often seen as a grassroots response to growing privacy concerns, Tor, much like the internet itself, started out as a DARPA seedling project. Over the years, the researchers and developers associated with the project have been funded and supported by various US government agencies, including the Navy and the NSA. Though the Tor Project claims no current association with these agencies, the article seriously questions whether they and Tor could ever be completely disentangled.
Exodus Intelligence shows everyone how it's done with a succinct, informative blog post on exploiting the l33t Tails OS. The researchers were able to de-anonymize Tails users. Be sure to check out their video and their note on responsible disclosure. One quote that really stands out:
"We publicized the fact that we’ve discovered these issues for a very simple reason: no user should put full trust into any particular security solution."
Amen to that!
Is it unethical to create diagnostic backdoors in encryption without alerting customers? Apple has come under fire following allegations by Jonathan Zdziarski that the NSA widely exploited iOS vulnerabilities.
Our friends over at 1 Infinite Loop have issued a fierce rebuttal to critics who've speculated that Apple deliberately shared this backdoor with intelligence agencies. Apple claims that these services were meant to be used as diagnostic tools and that their potential for exploitation was an accepted tradeoff. There's one thing to be sure of: in a system with 600 million users, any security-usability tradeoff should be made under intense scrutiny.
A fun, straightforward walkthrough of crossdomain.xml exploitation. Using the ever-maligned Bing search engine, Seth Art shows how a malicious actor could retrieve a user's search history and the links they followed. This is another good example of a simple, well-structured bug writeup.
Sometimes it feels good to be put in your place by your coworkers. Today's slice of intern Humble Pie comes courtesy of the excellent Security Reactions Tumblr. Remember to keep your interns in check.