By timothy from Slashdot's best-hanging-from-rearview-mirror department
According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle: It's long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he's now proven those hypotheses; previous attacks via dongles either didn't name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes. ... He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. "The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies; basically it uses no security technologies whatsoever."
By timothy from Slashdot's you'll-also-want-a-drone-hunting-drone-hunting-drone department
writes, "Are paparazzi flying drones over your garden to snap you sunbathing? You may need the Rapere, the drone-hunting drone which uses 'tangle-lines' to quickly down its prey."
From The Telegraph's article: It has been designed to be faster and more agile than other drones to ensure that they can't escape - partly by limiting flight time and therefore reducing weight.
“Having worked in the UAS industry for years, we've collectively never come across any bogus use of drones. However it's inevitable that will happen, and for people such as celebrities, where there is profit to be made in illegally invading their privacy, there should be an option to thwart it,” the group say on their website.
This seems more efficient than going after those pesky paparazzi drones with fighting kites (video), but it should also inspire some skepticism: CNET notes that the team behind it is anonymous, and that "Rapere works in a lab setting, however there aren't any photos or videos of the killer drone in action. The website instead has only a slideshow of the concept."
By timothy from Slashdot's problem-with-authority department
A story at Ars Technica describes yet another Federal government database of logged call details which has now come to light, this one maintained by the Department of Justice rather than the NSA, and explains how it came to be discovered: [A] three-page partially-redacted affidavit from a top Drug Enforcement Agency (DEA) official, which was filed Thursday, explained that the database was authorized under a particular federal drug trafficking statute. The law allows the government to use "administrative subpoenas" to obtain business records and other "tangible things." The affidavit does not specify which countries' records were included, but specifically does mention Iran. ... This database program appears to be wholly separate from the National Security Agency's metadata program revealed by Edward Snowden, but it targets similar materials and is collected by a different agency. The Wall Street Journal, citing anonymous sources, reported Friday that this newly-revealed program began in the 1990s and was shut down in August 2013.
From elsewhere in the article:
"It's now clear that multiple government agencies have tracked the calls that Americans make to their parents and relatives, friends, and business associates overseas, all without any suspicion of wrongdoing," [said ACLU lawyer Patrick Toomey]. "The DEA program shows yet again how strained and untenable legal theories have been used to secretly justify the surveillance of millions of innocent Americans using laws that were never written for that purpose."