I'm the Ashleigh you're searching for. Tech writer ⌨️ Queer demi-ace & trans (she) 🏳️‍🌈 Happily autistic ✨ Unabashed love of justice ⚖️ Tying to do my part 💞
4475 stories
·
29 followers

Egads, You Can Now Use Wireless Headphones With Switch Thanks To The 4.0.0 Update

1 Comment

Article: Egads, You Can Now Use Wireless Headphones With Switch Thanks To The 4.0.0 Update

Music to our ears!

Read the whole story
Technicalleigh
6 hours ago
reply
USB, not Bluetooth, but STILL. It's baffling how they got this so wrong when they got so much else so right.
SF Bay area, CA (formerly ATL)
Share this story
Delete

KRACK Vulnerability: What You Need To Know

1 Comment

This week security researchers announced a newly discovered vulnerability dubbed KRACK, which affects several common security protocols for Wi-Fi, including WPA (Wireless Protected Access) and WPA2. This is a bad vulnerability in that it likely affects billions of devices, many of which are hard to patch and will remain vulnerable for a long time. Yet in light of the sometimes overblown media coverage, it’s important to keep the impact of KRACK in perspective: KRACK does not affect HTTPS traffic, and KRACK’s discovery does not mean all Wi-Fi networks are under attack. For most people, the sanest thing to do is simply continue using wireless Internet access.

The limited privacy goals of WPA

It’s worth taking a step back and remembering why a cryptographic protocol like WPA was developed to begin with. Before the advent of Wi-Fi, computers typically connected to their local Internet access point (e.g. a modem) using a physical wire. Traditional protocols like Ethernet for carrying data on this wire (called the physical layer) were not encrypted, meaning an attacker could physically attach an eavesdropping device to the wire (or just another computer using the same wire) to intercept communications. Most people weren’t too worried about this problem; physically attaching a device is somewhat difficult, and important traffic should be encrypted anyways at a higher layer (most commonly a protocol like TLS at the transport layer). So Ethernet was unencrypted, and remains so today.

With wireless protocols it became much easier to eavesdrop on the physical layer. Instead of attaching a device to a specific wire, you just need an antenna somewhere within range. So while an unencrypted wireless network is theoretically no less secure than an unencrypted wired network, in practice it’s much easier to set up an eavesdropping device. For some it became a hobby to drive or bike around with an antenna looking for wireless networks to eavesdrop on (called wardriving). In response, the IEEE (a computer and electronics engineers’ professional organization) standardized an encryption protocol called WEP (Wired Equivalent Privacy). The name is telling here: the goal was just to get back to the relative privacy of a wired connection, by using encryption so that an eavesdropping device couldn’t read any of the traffic. WEP was badly broken cryptographically and has been supplanted by WPA and WPA2, but they have the same basic privacy goal.

Note that WPA’s privacy goals were always very limited. It was never intended to provide complete confidentiality of your data all the way to its final destination. Instead, protocols like TLS (and HTTPS) exist which protect your data end-to-end. In fact, WPA provides no protection against a number of adversaries:

  • At any point between the access point and the server you’re communicating with, an eavesdropper can read your data whether the first hop was WPA, Ethernet, anything else. This means your Internet provider or any Internet router on the network path between you and the destination server can intercept your traffic.
  • Your access point operator (e.g. the owner of your local coffee shop) can read your traffic.
  • Anybody who compromises your access point can read your traffic, and there is a long history of exploits against wireless routers.
  • Anybody who knows the access point’s password can perform a machine-in-the-middle attack and read your traffic. This includes anybody who cracks that password.

A secondary goal: access control

In addition to providing privacy against local eavesdroppers, WPA is commonly used to provide access control to the network by requiring the use of a “pre-shared key” to create sessions. This is the Wi-Fi access password or token which is familiar to most users when trying to connect to a new network. The goal here is simple: the owner of the wireless access point may want to prevent access by unauthorized devices, require new devices to jump through some hoops like watching an advertisement or agreeing to a terms of use agreement, or otherwise alter traffic for unauthorized guests. For years EFF has supported increased availability of open wireless access points, but certainly access point owners should have the ability to limit access if they want to.

How KRACK changes the picture

KRACK makes it possible for an adversary to completely undermine the privacy properties of WPA and WPA2 in many cases. The attack is somewhat complex in that it requires active broadcasting of packets and tricking a device into resetting its key, but it’s the kind of thing that will likely soon be automated in software. This means that, for now, data on many wireless access points may be vulnerable to interception or modification. Keep in mind two big caveats:

  • The attacker must be local and proactive. Carrying out this attack requires having an active antenna in range of the targeted wireless network and requires broadcasting many packets and intercepting or delaying others. This is all doable, but does not easily scale.
  • Important traffic should already be protected with HTTPS. As discussed above, there are already many potential attackers that WPA provides no security against. At worst, KRACK adds an additional one to the list, but with no more power than you ISP or any router on the Internet backbone already has (and those are much more scalable places to conduct surveillance or other mischief). We already have protocols to defend against these attackers, and thanks to the success of projects like EFF’s Encrypt The Web initiative more than half of all Internet traffic is already protected by HTTPS.

On the access control front, it’s unclear how much KRACK matters. It does not provide a new way to crack the pre-shared key or password of a wireless network. Some variants of KRACK enable recovering enough key material to hijack an existing connection and use it to gain unauthorized access, but this is probably not the easiest way to gain unauthorized access.

How did we get here?

Matt Green provides a great overview of the flawed process that led to KRACK being undiscovered for over a decade. The biggest single problem is that the protocol definitions were not easily available to security researchers, so none bothered to seriously look. This is another clear example of why important protocols like WPA and WPA2 should be open and free to the public: so that security researchers can investigate and catch these sorts of vulnerabilities early in the life of a protocol, before it’s embedded in billions of devices.

What you can do to protect your local network

Fortunately, while the KRACK vulnerability is baked into the WPA specification and deployed on billions of devices, it is relatively easy to patch in a backwards-compatible way. It requires patching both devices that connect to the Internet and access points. If you operate a wireless network, patching your router is a great step. Your Internet devices (your computer, phone or tablet) will also need to be patched. Many patches are already available and many devices will automatically be patched.

With that said, it’s a forgone conclusion that there will still be billions of unpatched devices for years (maybe even decades) to come. That’s because, as we’ve said before:

patching large, legacy systems is hard. For many kinds of systems, the existence of patches for a vulnerability is no guarantee that they will make their way to the affected devices in a timely manner. For example, many Internet of Things devices are unpatchable, a fact that was exploited by the Mirai Botnet. Additionally, the majority of Android devices are no longer supported by Google or the device manufacturers, leaving them open to exploitation by a "toxic hellstew" of known vulnerabilities.

So while we don’t think people should necessarily freak out about KRACK, it does demonstrate once again how important it is for industry to solve the patching problem.

Read the whole story
Technicalleigh
6 hours ago
reply
In other words, DON'T PANIC. :)
SF Bay area, CA (formerly ATL)
Share this story
Delete

“He’s Going to Wake Up”: Alabama Inmate May Have Suffered Excruciating Pain During Execution

1 Comment

Alabama executed Torrey McNabb Thursday night, and the effectiveness of lethal injection drugs is once again in question after McNabb appeared to be in pain before he died.

McNabb’s previous execution date had been on stayed on October 16 by a federal court, because he was part of a class action suit over the use of midazolam, a controversial sedative used in lethal injections, but the Supreme Court lifted that stay three days later. During the execution, McNabb reportedly moved his head, grimaced, and raised his arms after two consciousness checks. 

McNabb’s family members and attorneys who witnessed the execution were reportedly concerned that he was conscious. “He’s going to wake up,” one of his family members said, according to CBS News.

Alabama Department of Corrections Commissioner Jeff Dunn said the execution went as planned and suggested that McNabb was not in pain. “I’m confident he was more than unconscious at that point,” he said. “Involuntary movement is not uncommon.” There has been little research on how much pain inmates feel during execution by lethal injection, but a 2007 Public Library of Science study found that inmates may actually experience excruciating pain before dying. Last December, Alabama inmate Ronald Smith coughed and heaved for 13 minutes after he was administered the drug. 

McNabb—who was convicted for the 1997 murder of Anderson Gordon, a Montgomery, Alabama police officer—was one of several inmates suing Alabama over its use of midazolam. In a three-drug protocol for lethal injection, midazolam is administered first to render the inmate unconscious, the second drug causes paralysis, and the final drug stops the heart. The inmates are arguing that the sedative does not reliably render an inmate unconscious before the subsequent drugs, thus exposing him to excruciating pain.

McNabb’s lawyers said the state shouldn’t carry out the execution because of the pending class action lawsuit. Last month, a federal court stayed the execution of Jeffery Borden, another Alabama inmate in the class action suit over midazolam. The stay is still in effect. He had been scheduled to be put to death on October 5. 

On Thursday, the Alabama attorney general’s office appealed to lift the stay, arguing that McNabb and the other inmates were unlikely to prevail in their lawsuit because the state had previously successfully executed inmates using midazolam. The US Supreme Court lifted the stay just hours before his scheduled execution.

McNabb was pronounced dead at 9:38 p.m. He addressed the state of Alabama in his final words saying, “I hate you motherfucker, I hate you.”

Read the whole story
Technicalleigh
7 hours ago
reply
There is no reason for this. Justice can be served without executions, without creating new victims, without tormenting our fellow human beings.

If we ignore the humanity of those on death row - even if 100% of them are actually guilty, which is NOT the case - are we any better than they?
SF Bay area, CA (formerly ATL)
Share this story
Delete

Oakland health watchdog finds lead in Infowars diet supplements

1 Comment

Two of the dietary supplements that Alex Jones sells in his Infowars online shop are found to contain high levels of lead.

Read the whole story
Technicalleigh
8 hours ago
reply
Consider this a follow-up to John Oliver's Last Week Tonight segment. https://www.youtube.com/watch?v=WyGq6cjcc3Q
SF Bay area, CA (formerly ATL)
wreichard
7 hours ago
The lead literally makes InfoWars easier to understand.
Technicalleigh
7 hours ago
★ for wreichard's reply ^.^
acdha
5 hours ago
wreichard: 👏🏼👏🏼👏🏼
Share this story
Delete

This is important.

1 Share


This is important.

Read the whole story
Technicalleigh
4 days ago
reply
SF Bay area, CA (formerly ATL)
Share this story
Delete

Groundbreaking Legislation to Honor Dignity of Transgender People in Prison Is Signed Into Law by Governor Brown

1 Comment
(Sacramento, CA) – Last night, for the first time in California history, legislation written by currently and formerly incarcerated transgender people was signed into law. Senate Bill 310 (the Name and Dignity Act), authored by Senator Toni Atkins of San Diego and co-authored by Senator Beall, Senator Wiener, Assemblymember Chiu, Assemblymember Garcia, Assemblymember Gloria, and […]
Read the whole story
Technicalleigh
5 days ago
reply
This is huge, too.
SF Bay area, CA (formerly ATL)
Share this story
Delete
Next Page of Stories