The Sizzle

Issue 501 - Tuesday, 17th October 2017


More details on KRACK, the WPA2 wi-fi vuln
The full extent of KRACK, the WPA2 wi-fi vulnerability I mentioned yesterday, is now out and about. It's honestly not as bad as I thought it would be. Sure, it's not good, but it's not exactly easy for some script kiddie to exploit and join your network on demand. At least not yet. What KRACK highlights is the ability for anyone within range of your network to view the data flowing around in it. If you have unencrypted data traversing the network (i.e. a plaintext password from your smartphone to an IoT device), that'll be visible. Krebs on Security has a decent overview of the risks KRACK has introduced. Motherboard's TLDR is easy to read too.

So wi-fi is cooked, what should I do?
Fixing KRACK will be a slow process. It requires updates on both the access point and the client side. Apple has a patch in the latest beta of iOS and its variants that'll be out in a few weeks. Google hasn't said anything yet. Microsoft's already released a patch for Windows. ZDNet has a pretty comprehensive list of who's doing what. If you've got an old wi-fi device, there's a good chance it won't get updated. If you're concerned in the meantime, you can use a VPN to protect all your internet traffic - this is something you should be doing on any public wi-fi anyways. At home, well, use a VPN there too and make sure any local traffic (i.e. device to device on your LAN) is encrypted, then apply the patches to all your wi-fi devices.

Popular RSA key generation library is also stuffed
The infosec bad news train doesn't stop there - a group of Czech researchers found a flaw in the way Infineon's RSA library generates 1024-bit and 2048-bit encryption keys. That library is used in "national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers". Apparently, the way Infineon's RSA library was generating encryption keys meant the resulting keys are relatively easy to "factorize", allowing an attacker to find the private key via the public key. Not cool. According to Ars Technica, it'd take about 17 days, $40,000 and 1,000 instances on AWS to bust a 2048-bit key. Well within the capability of someone determined to fuck shit up.
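The practical question for a defender is "are any of my keys affected?", and the useful property of this flaw is that you can answer it from the public modulus alone. Keys from the flawed generator have a structure that leaves a fingerprint: the modulus reduced modulo each small prime always lands in the subgroup generated by 65537. Below is an added example (written for this page, not the newsletter's code and not the researchers' published tool) that checks a modulus for that fingerprint. Assumptions: the odd primes up to 167 are used as the fingerprint set, and the two sample moduli are constructed numbers, not real keys.

```python
# Added example: checks whether an RSA modulus carries the structural
# fingerprint of keys produced by the flawed Infineon generator.
# It only inspects the public modulus; it never factors anything.
from functools import reduce

# Assumption: the odd primes up to 167 are the fingerprint set. The affected
# generator builds its moduli around the primorial of these primes, so for
# every such p, N mod p is a power of 65537 mod p.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(p, g=GENERATOR):
    """Return {g^k mod p : k >= 0}, the cyclic subgroup of Z_p^* generated by g."""
    seen = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return seen


SUBGROUPS = {p: subgroup(p) for p in SMALL_PRIMES}


def rejecting_primes(n):
    """Primes p for which n mod p is NOT a power of 65537, i.e. the evidence
    that n did not come from the flawed generator."""
    return [p for p in SMALL_PRIMES if n % p not in SUBGROUPS[p]]


def has_roca_fingerprint(n):
    """True if n mod p is a power of 65537 for every small prime p.
    Every key from the flawed generator passes; a random modulus fails
    with overwhelming probability, so a True result means: replace the key."""
    return not rejecting_primes(n)


def discriminating_primes():
    """Primes where the subgroup is a proper subset of Z_p^*: only these can
    ever reject a modulus (for p = 3, 5, 7 the subgroup is the whole group)."""
    return [p for p in SMALL_PRIMES if len(SUBGROUPS[p]) < p - 1]


# ---- constructed sample moduli (not real keys) ----
M = reduce(lambda a, b: a * b, SMALL_PRIMES, 1)   # primorial of the small primes


def make_fingerprinted_modulus(a, k):
    """Constructed modulus of the form k*M + (65537^a mod M); by construction
    it matches the fingerprint for every prime dividing M."""
    return k * M + pow(GENERATOR, a, M)


# 65537 = 10 = -1 (mod 11), so a fingerprinted modulus is always +/-1 mod 11.
# This constructed ~2048-bit odd number is 2 mod 11 and is rejected.
CLEAN_N = 11 * ((1 << 2046) + 1) + 2
# Constructed ~2028-bit modulus with the weak structure.
WEAK_N = make_fingerprinted_modulus(a=12345, k=(1 << 1800) + 7)

if __name__ == "__main__":
    for label, n in (("constructed weak modulus", WEAK_N), ("constructed clean modulus", CLEAN_N)):
        verdict = "FINGERPRINT PRESENT - replace this key" if has_roca_fingerprint(n) else "clean"
        print(f"{label} ({n.bit_length()} bits): {verdict}; rejected by primes {rejecting_primes(n)}")
```

To run this over real keys, pull the modulus out of a certificate or public key with your usual library and pass the integer to `has_roca_fingerprint`; a hit on a TPM, smartcard or code-signing key means rotating it on a non-affected generator, since the public key alone is enough for the factoring attack the article describes.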

Google is flying burritos around the NSW/ACT border
Here's something a bit more fun to lighten the mood - burritos via drone in the Australian bush. Google's Project Wing is flying drones around Royalla, loaded with burritos from Guzman y Gomez, a Mexican food chain, and medicine from Chemist Warehouse. Google's aim here is to fine tune drone deliveries to people's backyards and a rural setting is ideal for this. Testers use their smartphone to order items via an app and the drone lands on their property with the goods. It's still a long way off becoming the norm, but it's certainly not sci-fi bullshit; drone deliveries of small time-critical items could legitimately be a thing for these communities sooner rather than later.

Facebook buys popular-with-teens app, tbh
Facebook's purchased tbh (To Be Honest), yet another app I've never heard of that's been sitting in the top 10 iOS apps for a while and is super popular with kids. The app itself sounds horrible, as it "allows users to anonymously answer multiple choice questions about friends, who then receive the poll results as compliments". The co-creator of tbh actually reckons the app is a way to improve the mental health of teens. Okay buddy, keep telling yourself that whilst you sleep on a big sack of Facebook's blood money. This comment on Hacker News succinctly explains how Facebook bought tbh (FB owns Onavo, which tracks the fuck out of its users and can pick up on trends before others, so FB gets in early to buy these viral apps before they challenge Facebook's dominance).


The Mac Mini hasn't been updated in 3 years
Three years have passed since Apple gave the Mac Mini any love. Sure, maybe the raw CPU performance gap between a 4th-Gen Intel CPU and the 8th-Gen CPUs isn't that bad, and maybe a Mac Mini user's requirements don't warrant the latest and greatest, but come on, at least make the bastard cheaper to justify its old specs. I really wish Apple would simply take Intel's NUC, put it in a fancy case, slap an Apple logo on it and sell it for a 30% markup over the non-Apple NUC. Is it really that hard to just keep the Mac Mini updated with Intel's latest platforms? I could write a 30,000 word manifesto about this bullshit that Ted Kaczynski would be proud of.

New EFA chairs elected
Electronic Frontiers Australia has elected a new leadership team. "Lyndsey Jackson was elected unopposed as the new chair of EFA and Katherine Phelps was elected as the new vice-chair". If, like me, you don't know who Lyndsey is, she posted on her blog why she wanted to be involved with the EFA and after getting elected posted what she plans to do now that she's the boss. From her posts, she's definitely asking the right questions to get the EFA back on track (it's a mess) and has the right frame of mind about what the EFA should be focussing on (being the go-to source for info about the latest computer-related shitstorm in AU). I wish her well.

PLUG20 eBay sale
eBay sale. 20% off tech. Use the code PLUG20. You know the drill.


Here endeth the sizzle (until tomorrow!)

Want an NBN ISP that doesn't suck? Sign up for Aussie Broadband using my referral code: 1001031 and I get a free month of internet access! You get nothing except the warm fuzzy feeling of supporting The Sizzle.

The Sizzle is curated by Anthony "@decryption" Agius and emailed every weekday afternoon. Join us on Slack and chat with other Sizzle subscribers.