Press

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley.

Your Phone May Soon Replace Many of Your Passwords
May 7, 2022 | Brian Krebs, Krebs on Security

“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”

Google Reportedly Bans Dozens Of Apps Containing Spyware
April 6, 2022 | Zachary Snowdon Smith, Forbes

Popular apps that contained the secret data-harvesting software include Speed Camera Radar, Al-Moazin Lite (Prayer Times) and WiFi Mouse(remote control PC), each with over 10 million downloads, and QR & Barcode Scanner and Qibla Compass - Ramadan 2022, each with over 5 million downloads, according to a report published Friday by University of Calgary researcher Joel Reardon and Serge Egelman, a researcher at the International Computer Science Institute of the University of California, Berkeley.

Google Bans Apps With Hidden Data-Harvesting Software
April 6, 2022 | Byron Tau and Robert McMillan, Wall Street Journal

Google has yanked dozens of apps from its Google Play store after determining that they include a software element that surreptitiously harvests data.

As Berkeley security researcher Nicholas Weaver put it in an interview with Krebs, “It’s a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale.”

Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”
March 29, 2022 | Brian Krebs, Krebs on Security

Nicholas Weaver, a security specialist and lecturer at the University of California, Berkeley, said one big challenge to combating fraudulent EDRs is that there is fundamentally no notion of global online identity.

"If an adversary has a specialized plane aloft, it can detect [a satellite] signal and home in on it," Nicholas Weaver, a security researcher at the University of California at Berkeley, said via email. "It isn't necessarily easy, but the Russians have a lot of practice on tracking various signal emitters in Syria and responding. Starlink may work for the moment, but anyone setting a [Starlink] dish up in Ukraine needs to consider it as a potential giant target."

Someone Made a “COVID NFT” and Sent It to 96,000 People Without Asking
February 28, 2022 | Dylan Mulvin and Cait McKinney, Slate

And while crypto itself may not put us at risk of biological infection, it is instrumental in the growing number of ransomware attacks on hospitals. “The Ransomware Problem Is a Bitcoin Problem,” computer security researcher Nicholas Weaver argues, stating that the anonymity and lack of oversight of crypto markets, make cryptocurrency especially useful for ransom payment.

Who Is Policing the Location Data Industry?
February 24, 2022 | Alfred Ng and Jon Keegan, The Markup

“The only thing the app store can detect is whether the app contains various SDKs or, when you run it, does it send the data to various third-party servers,” Serge Egelman, a researcher at UC Berkeley’s International Computer Science Institute, said. “That’s pretty much the extent to what anyone can detect using technology. The rest comes down to a policy issue.”

No, Hillary Clinton Did Not ‘Infiltrate’ or Hack Donald Trump, Experts Say
February 16, 2022 | Lorenzo Franceschi-Bicchierai, Vice

Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, told Motherboard in an email that “the data was almost certainly from one of the general-purpose DNS security feeds, you don't ‘infiltrate’ any particular servers to get it and it includes a gazillion institutions.”

Pages