Security and privacy Q&A

“Nice try, FBI!” :slight_smile:


The Mac freedom from ransomware danger might be ending, alas.

I’ve never understood the argument that Apple has such a low percentage of the market that it is a less likely target when ALL the studies show they have the most affluent user base. I would think they’d be prime targets.


Interesting, Google is working on a feature that will warn if your private info is being traded on “the dark web” :notes: (ominous sound plays).

One of the latest breach/hack methods. As an engineer I’m very impressed with the skills deployed to surface this.

It is potentially significant in a Tom Clancy novel sort of way, but too soon IMHO to get a gauge of real world impacts…

Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away | Ars Technica


This is such a (checks dictionary) pernicious threat. Apps that you trust which later go rogue. I’m afraid the same thing could happen with the Windows equivalent.


So today on Reddit someone said “Look how old the files are on this USB stick I found!”, and basically every single comment is “congratulations, now you have a virus/trojan”.

I guess at some point I forgot that USB sticks are a point of concern. Is it really that easy to get hacked on Windows 11 just by plugging in a USB stick? As in “even if you don’t preview or open any files”?

Edit: Whelp… I guess I forgot about some of this. According to Bing:

I totally forgot about the trick of making a USB stick report as a keyboard, which is still (right?) allowed without any admin prompt confirmation, which means once it’s plugged in and auto-installed as a device, it can now send keystrokes. Scary stuff! Man… new phobia unlocked.


The government is terrified of USB sticks. Over the years, I have tried to submit information to the Courts and to Administrative Agencies on a thumb drive and have always been greeted with the same disdain normally reserved for public enemies.


With good reason.

In operating environments subject to DoD and Nuclear Regulatory Commission regulations, plugging an unauthorized device into a secured system can lead to imprisonment.

I am familiar with situations in which foreign nationals were given tours of secure facilities at the request of US agencies. Security sweeps after the visit ended found thumb drives scattered in bathrooms, break rooms and parking lots. The thumb drives even had the facility’s company logo on them. Subsequent forensic analysis confirmed the presence of self-loading malware that would’ve attempted to open firewalls and “phone home”.


Isn’t that how the Stuxnet virus was delivered?


I heard that somewhere.


FBI’s Most Wanted Thumb Drive List
#3 Bronsky


Yeah, on the commercial side, our support folks see that the majority of infected systems were caused by a USB stick.

In one case at a big insurer, 18 systems were infected by the same shared USB stick, which to make things worse, came from one of their vendors.

We here know they can be dangerous, but I’d venture to say the large majority generally are unaware.


Here we go again…

What’s doubly bad is that a couple of these flaws came to be from Intel microcode mitigations for the other James Bond themed flaws, Spectre…

Downfall Vulnerability Affects Millions of Intel CPUs With Strong Data Leak Impact

PS: Yes, this is almost a month old, but it flew under the radar for many, including me. :frowning:


I think we will have to wait for the newest architecture and instructions released in the 15th gen and the advent of the new AVX10 and APX instruction set to advance toward a solution to the speculative execution problems:

Extract:

« APX also undoes many risky performance-improvement features that Intel has implemented in previous chips.

The company uses a feature called “speculative execution” to anticipate processor behavior. By predicting behavior, the chip was able to reduce delays and run some applications much faster.

But speculative execution has its own issues and was at the center of the Meltdown vulnerability detected on Intel chips in 2018.

The APX instructions have provided an opportunity to remove branch prediction, which typically assigns a task for execution based on “true” and “false” values.

“We can remove that and turn it into a conditional move. If that condition is this, then move this or that? No branch needed,” Singhal said. »


And it doesn’t help things that more and more the companies are spending more time hiding flaws than preventing them in the first place.

Libwebp is used in tons of custom/vertical market apps as well…

Incomplete disclosures by Apple and Google create “huge blindspot” for 0-day hunters | Ars Technica
