Last month, Singapore hosted a summit between the leaders of North Korea and the United States. Accredited journalists invited to the event were given a press kit containing a bottle of water, various paper goods, and a fan that plugs into a USB port.
Understandably, the computer security crowd on Twitter had a great laugh. You shouldn’t plug random USB devices into a computer, especially if you’re a journalist, especially if you’re in a foreign country, and especially if you’re reporting on the highest profile international summit in recent memory. Doing so is just foolhardy.
This is not a story about a USB fan, the teardown thereof, or of spy agencies around the world hacking journalists’ computers. This is a story about the need for higher awareness of what we plug into our computers. In this case nothing came of it — the majority of USB devices are merely that and nothing more. One of the fans was recently torn down (PDF) and the data lines are not even connected. (I’ll dive into that later on in this article.) But the anecdote provides an opportunity to talk about USB security and how the compulsion to plug every USB device into a computer should be interrupted by a few seconds of thoughtfulness first.
Continue reading “Teardown Of USB Fan Reveals Journalists’ Lack Of Opsec”
This year’s LayerOne conference is May 25-27 in Los Angeles and Hackaday will be there! Hurry and get your ticket now as today is the last day for pre-registration.
As the InfoSec community takes over the Pasadena Hilton next weekend you’ll wish you had a week instead of just three days to take part in all that is offered. There are organized talks and workshops on pen testing, being the bad guy, and DevOps Security. Learn or improve on your lockpicking skills in the Lockpicking Village. The conference hardware badge will be hacking in every direction in the Hardware Village, and new this year is an Internet of Things Village.
If you ask us, the L1 Demo Party is where it’s at. We love seeing what kind of audio and video demos can be squeezed out of a microcontroller board. If you want one of your own, LayerOne is selling the L1 Demoscene Board on Tindie, and you can dig into the hardware on the Hackaday.io page. Take a look back at the results of the 2015 Demo Party for some of the highlights.
This con has an incredible community supporting it; many of the people you’ll meet have been at every LayerOne since it started back in 2004. Supplyframe, Hackaday’s parent company, has been a sponsor since 2015 and is once again proud to support the event and sponsor the hardware badge. Members of the Hackaday and Tindie crew will be on site, so come say hello and don’t be afraid to bring a hack to show off!
The United States Department of Defense just launched the world’s first government-funded bug bounty program named HackThePentagon. Following the example of Facebook, Google, and other big US companies, the DoD finally provides “a legal avenue for the responsible disclosure of security vulnerabilities”.
However, breaking into the Pentagon’s weapon programs will still get you in trouble. This pilot program has a very limited scope of some non-critical systems (not, sadly, the Pentagon’s cafeteria menu) and is open only between April 18 and May 12 this year. In total, about $150,000 of bounties may be rewarded to responsible hackers.
Anyone can take part in the program, but to receive financial rewards, you need to fulfill a list of criteria. Your profile will undergo a criminal background check and certain restrictions based on your country of residence may apply. Also, to hack into the government’s computer system and get a tax return, you must be a US taxpayer in the first place.
Even though this framework turns the initiative more into a one-month hacking contest than a permanently installed bug bounty program, it is certainly a good start. The program itself is hosted on HackerOne, a platform that aims to streamline the process of distributing bug bounties.