Chrome

Google Launches Chrome Extension For Flagging Bad URLs To the Safe Browsing Team (zdnet.com) 26

Google today launched a new Chrome extension that will simplify the process of reporting a malicious site to the Google Safe Browsing team so that it can be analyzed, reviewed, and blacklisted in Chrome and other browsers that support the Safe Browsing API. From a report: Named the Suspicious Site Reporter, this extension adds an icon to the Google Chrome toolbar that when pressed, opens a popup window from where users can file an automatic report for the current site they're on, and which they suspect might be up to no good. "If the site is added to Safe Browsing's lists, you'll not only protect Chrome users but users of other browsers and across the entire web," said Emily Schechter, Chrome Product Manager. The Safe Browsing API is implemented not only in the mobile and desktop versions of Chrome but also in the mobile and desktop versions of Mozilla Firefox and Apple's Safari.
Security

Linux PCs, Servers, Gadgets Can Be Crashed by 'Ping of Death' Network Packets (theregister.co.uk) 132

Artem S. Tashkinov writes: The Register reports that it is possible to crash network-facing Linux servers, PCs, smartphones and tablets, and gadgets, or slow down their network connections, by sending them a series of maliciously crafted packets. It is also possible to hamper FreeBSD machines with the same attack. Patches and mitigations are available, and can be applied by hand if needed, or you can wait for a security fix to be pushed or offered to your at-risk device. A key workaround is to set /proc/sys/net/ipv4/tcp_sack to 0. At the heart of the drama is a programming flaw dubbed SACK Panic aka CVE-2019-11477: this bug can be exploited to remotely crash systems powered by Linux kernel version 2.6.29 or higher, which was released 10 years ago.
Math

The League of Entropy Forms To Offer Acts of Public Randomness (duo.com) 66

Cloudflare, along with a group of individual and academic partners, is forming a new coalition that will provide truly random, unpredictable numbers for a variety of applications, including election systems and lotteries. From a report: The problem of producing truly random numbers on a consistent basis has been a thorny one for cryptographers for many years. There have been plenty of efforts to establish sources of randomness, with some success, but one of the drawbacks is that any single randomness generator can be a target for abuse by privileged insiders or outside attackers. This is especially true in high-value applications that require random numbers, such as lottery or election systems. Also, if a given source of random numbers fails for any reason, the applications that rely on it can be crippled, as well.

To help address this problem, Cloudflare has teamed up with the University of Chile, the École polytechnique fédérale de Lausanne, and several individual researchers to form a consortium of randomness beacons distributed around the world. The system is based on the drand randomness beacon developed by Nicolas Gailly, a researcher at Protocol Labs, a research lab for network protocols, and the aim is to have a distributed network of beacons that will always be available. "Our founding members are contributing their individual high-entropy sources to provide a more random and unpredictable beacon to generate publicly verifiable random values every sixty seconds. The fact that the drand beacon is decentralized and built using appropriate, provably-secure cryptographic primitives, increases our confidence that it possesses all the aforementioned properties," Dina Kozlov, a product manager at Cloudflare, said.

"This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers. Even if one or two of the servers or their entropy sources were to be compromised, the rest will still ensure that the jointly-produced entropy is fully unpredictable and unbiasable." Random numbers are vital to many kinds of systems and there are plenty of hardware and software-based random number generators. But more than one RNG has been found to have a bias, whether intentional or accidental, so randomness beacons emerged.

Microsoft

Microsoft's To-Do App Comes To Mac (betanews.com) 49

Microsoft has released To-Do for Mac, finally giving Apple users access to the task management tool on their desktops. The Mac app will allow users to work offline, view their upcoming tasks under "My Day," share to-do lists with friends and colleagues and see flagged emails. From a report: "Today, we'd like to announce the arrival of a new family member -- that's right, the moment many of you have been waiting for is here -- say hello to the Mac app. If you've already been using our app on Android, iOS, Windows, or web, then the Mac app will feel very familiar. Sign in and all your tasks will be waiting for you, ready to be checked off. You can work offline, add tasks to My Day, see your flagged email in your Flagged email list, and share your lists with colleagues or friends and family. The Planner integration isn't available yet, but we're already working on bringing the Assigned to Me list to you," says Polly Davidson, Social Media Strategist, Microsoft.
IT

A Quarter of Major CMSs Use Outdated MD5 as the Default Password Hashing Scheme (zdnet.com) 109

Over a quarter of all the major content management systems (CMSs) use the old and outdated MD5 hashing scheme as the default for securing and storing user passwords. From a report: Some of the projects that use MD5 as the default method for storing user passwords include WordPress, osCommerce, SuiteCRM, Simple Machines Forum, miniBB, MyBB, SugarCRM, CMS Made Simple, MantisBT, Phorum, Observium, X3cms, and Composr. The MD5 algorithm has been cracked for years now, meaning all passwords stored in this format can be reversed back to their plaintext version. This means that unless website owners changed these default settings by modifying the CMS source code, most websites built on top of these CMSs put user passwords at risk in case a hacker steals the site's database. This revelation is just one of the many observations that came out of an extensive academic research project at the University of Piraeus, in Greece. Academics examined 49 commonly used CMSs and 47 popular web application frameworks and looked at their default password storage mechanism, namely their password hashing schemes.
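The report says what the risk is but not how a site operator gets off the MD5 default without locking users out. The following is an added example, not code from any of the CMSs named above nor from the Piraeus study: it keeps verifying legacy unsalted-MD5 records, but rehashes each account with salted PBKDF2-HMAC-SHA256 on its next successful login, and can list which accounts are still on the old scheme. The user names, passwords, and the `pbkdf2_sha256$iterations$salt$hash` record format are constructed for this example; PBKDF2 is one reasonable replacement, and bcrypt or Argon2 would serve the same purpose.

```python
import hashlib
import hmac
import secrets

# Work factor for the replacement scheme (assumption: tune for your hardware).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a fresh salted PBKDF2-HMAC-SHA256 record for a password."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy_md5(stored: str) -> bool:
    """A bare 32-hex-digit string is an unsalted MD5 digest, the legacy default."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, using constant-time compares."""
    if is_legacy_md5(stored):
        digest = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(digest, stored.lower())
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, transparently migrate a legacy MD5 record to PBKDF2.

    The upgrade can only happen at login, because that is the only moment the
    server sees the plaintext needed to compute the new hash.
    """
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy_md5(stored):
        users[username] = hash_password(password)
    return True


def audit_legacy_hashes(users: dict) -> list:
    """List accounts still stored with the unsalted MD5 default."""
    return sorted(u for u, rec in users.items() if is_legacy_md5(rec))


def make_sample_users() -> dict:
    """Constructed sample table: one account on the MD5 default, one already migrated."""
    return {
        "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password"), constructed
        "bob": hash_password("correct horse"),        # constructed
    }


if __name__ == "__main__":
    users = make_sample_users()
    print("legacy accounts before login:", audit_legacy_hashes(users))
    verify_and_upgrade(users, "alice", "password")
    print("legacy accounts after login:", audit_legacy_hashes(users))
```

The audit function is the check worth running against a real user table before and after deploying the upgrade path: any account that never logs in again stays on MD5, so a forced password reset for those stragglers is the usual follow-up.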
Businesses

Tech Companies Need To Take Responsibility For the 'Chaos' They Create, Tim Cook Says (thehill.com) 225

Apple CEO Tim Cook said Sunday in a commencement address at Stanford University that technology companies need to take responsibility for the "chaos" they create. From a report: He did not name specific companies in his speech, but referenced several reasons that tech firms, particularly social media platforms, have come under scrutiny in recent months. He also made an apparent reference to embattled health startup Theranos. "Lately it seems this industry is becoming better known for a less noble innovation -- the belief you can claim credit without accepting responsibility," Cook said, according to videos posted online of his speech. "We see it every day now with every data breach, every privacy violation, every blind eye turned to hate speech, fake news poisoning our national conversation, the false miracles in exchange for a single drop of your blood," he added. "Too many seem to think that good intentions excuse away harmful outcomes, but whether you like it or not, what you build and what you create define who you are. It feels a bit crazy that anyone should have to say this, but if you built a chaos factory, you can't dodge responsibility for the chaos."
Privacy

A New Hidden Way of Web Browser Profiling, Identification and Tracking (theregister.co.uk) 72

Researchers from Austria's Graz University of Technology "have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware," reports The Register.

The researchers recently presented a paper titled "JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits," which The Register says "calls into question the effectiveness of anonymized browsing and browser privacy extensions... "

Long-time Slashdot reader Artem S. Tashkinov shared their report: One of the side-channel attacks developed for JavaScript Template Attacks involves measuring runtime differences between two code snippets to infer the underlying instruction set architecture through variations in JIT compiler behavior. The other involves measuring timing differences in the memory allocator to infer the allocated size of a memory region.

The boffins' exploration of the JavaScript environment reveals not only the ability to fingerprint via browser version, installed privacy extension, privacy mode, operating system, device microarchitecture, and virtual machine, but also the properties of JavaScript objects. And their research shows there are far more of these than are covered in official documentation. This means browser fingerprints have the potential to be far more detailed -- have more data points -- than they are now.

The Mozilla Developer Network documentation for Firefox, for example, covers 2,247 browser properties. The researchers were able to capture 15,709. Though not all of these are usable for fingerprinting and some represent duplicates, they say they found about 10,000 usable properties for all browsers.

Power

America Planted Malware In Russia's Power Grid, Says NYT (cnet.com) 190

"The U.S. military's Cyber Command has gotten more aggressive than ever against Russia in the past year, placing 'potentially crippling malware' in systems that control the country's electrical grid," according to CNET, citing a report in the New York Times: Made possible by little-noticed legal authority granted last summer by Congress, Cyber Command's strategy shift from a defensive to offensive posture is meant in part as a warning shot, but it's also designed to enable paralysing cyberattacks in the event of a conflict, The New York Times said Saturday, quoting unnamed officials... [T]he recent moves appear to have taken place under a military authorization bill Congress passed in 2018 that gives the go-ahead for "clandestine military activity" in cyberspace to "deter, safeguard or defend against attacks or malicious cyberactivities against the United States...."

The Times said Cyber Command is concerned Russia could trigger selective power outages in key states during the 2020 election and that it needs a way to discourage such attacks. But the agency and the U.S. have to consider their moves carefully in this international game of cyberchess. "The question now is whether placing the equivalent of land mines in a foreign power network is the right way to deter Russia," the Times report says. "While it parallels Cold War nuclear strategy, it also enshrines power grids as a legitimate target...."

In related news, Bloomberg reported Friday that a Russia-linked hacking group that shut down an oil and gas facility in Saudi Arabia in 2017 has been probing utilities in the U.S. since late last year.

Security

These Are the Internet of Things Devices That Are Most Targeted By Hackers (zdnet.com) 58

ZDNet reports: Internet-connected security cameras account for almost half of the Internet of Things devices that are compromised by hackers even as homes and businesses continue to add these and other connected devices to their networks. Research from cybersecurity company SAM Seamless Network found that security cameras represent 47 percent of vulnerable devices installed on home networks.

According to the data, the average U.S. household contains 17 smart devices while European homes have an average of 14 devices connected to the network... Figures from the security firm suggest that the average device is the target of an average of five attacks per day, with midnight the most common time for attacks to be executed -- it's likely that at this time of the night, the users will be asleep and not paying attention to devices, so won't be witness to a burst of strange behavior.

The anonymous reader who submitted this story suggests a possible solution: government inspectors should examine every imported IoT device at the border.

"The device gets rejected if it has non-essential ports open, hard-coded or generic passwords, no automated patching for at least four years, etc."
Bug

Vim and Neovim Editors Vulnerable To High-Severity Bug (threatpost.com) 76

JustAnotherOldGuy quotes Threatpost: A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into opening a specially crafted text file in either editor. Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neovim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution...

Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, "allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline."

"Beyond patching, it's recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines," the researcher said.

Government

Cellebrite Says It Can Unlock Any iPhone For Cops (wired.com) 132

An anonymous reader quotes a report from Wired: On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3, released just a month ago. Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9. No other law enforcement contractor has made such broad claims about a single product, at least not publicly. The move signals not only another step in the cat and mouse game between smartphone makers and the government-sponsored firms that seek to defeat their security, but also a more unabashedly public phase of that security face-off. "Cellebrite is proud to introduce #UFED Premium! An exclusive solution for law enforcement to unlock and extract data from all iOS and high-end Android devices," the company wrote on its Twitter feed for the UFED product. On a linked web page, the company says the new tool can pull forensic data off any iOS device dating back to iOS 7, and Android devices not just from Samsung but Huawei, LG, and Xiaomi.
Firefox

Avast and AVG Are Causing Firefox Users To Lose Saved Passwords (betanews.com) 90

An anonymous reader shares a report: Firefox users are reporting that their saved passwords have been lost, with the problem seemingly caused by antivirus software rather than being an issue with Firefox itself. Antivirus software such as Avast and AVG appear to be corrupting the file in which Firefox stores passwords, rendering it unreadable. Thankfully, passwords can be recovered, but -- for the time being -- they will be corrupted again when you restart your computer.
Cloud

'The New Dropbox Sucks' (daringfireball.net) 135

Earlier this week, Dropbox introduced a new desktop application that brings a new look to the file-sharing service as well as new capabilities. With this release, Dropbox has changed the underlying structure of its desktop application to operate just like any other desktop application, rather than its previous incarnation, which was tied very closely to desktop file systems like Windows File Explorer or Apple's Finder. Dropbox adds: It's a single workspace to organize your content, connect your tools, and bring everyone together, wherever you are. The first thing you'll notice is an all-new Dropbox desktop app that we're introducing today through our early access program. It's more than an app, though -- it's a completely new experience. That all sounds great, until you attempt to use it. John Gruber, writing for Daring Fireball: I don't want any of this. All I want from Dropbox is a folder that syncs perfectly across my devices and allows sharing with friends and colleagues. That's it: a folder that syncs with sharing. And that's what Dropbox was. Now it's a monstrosity that embeds its own incredibly resource-heavy web browser engine. In a sense Steve Jobs was right -- the old Dropbox was a feature not a product. But it was a feature well worth paying for, and which made millions of people very happy.
IT

Microsoft Edge Might Come To Linux (zdnet.com) 146

The Microsoft Edge developer team held an AMA (Ask Me Anything) session on Reddit this week where they revealed some of their plans on current and upcoming features. From a report: The biggest tease the company dropped was its apparent willingness to release an Edge version for Linux -- a move that was once considered inconceivable. "We don't have any technical blockers to keep us from creating Linux binaries, and it's definitely something we'd like to do down the road. That being said, there is still work to make them 'customer ready' (installer, updaters, user sync, bug fixes, etc.) and something we are proud to give to you, so we aren't quite ready to commit to the work just yet. Right now, we are super focused on bringing stable versions of Edge first to other versions of Windows (as well as macOS), and then releasing our Beta channels," Edge devs said.
Security

Lessons From 5 Years of Free Cybersecurity For At-Risk Groups (axios.com) 41

Cloudflare's Project Galileo, which offers free high-tier DDoS protection service to journalists, dissidents, civil liberties groups and other at-risk groups, turned 5 years old this week. From a report: The project currently serves over 600 accounts. An LGBT protection group in the Middle East, for example, does important work on a shoestring budget and cannot possibly afford to block the outsized number of attacks it could face from governments and even citizens. Project Galileo isn't the only commercial cybersecurity service offered to at-risk groups, but it is one of the first and the most successful. "Project Galileo originally started from a failure to live up to what was originally our mission to make a better internet," Cloudflare CEO Matthew Prince told Codebook. Further reading: Cloudflare's Five-Year Project to Protect Nonprofits Online (Wired).
Security

Yubico To Replace Vulnerable YubiKey FIPS Security Keys (zdnet.com) 19

Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices. From a report: Affected products include models that are part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government's Federal Information Processing Standards (FIPS). According to a Yubico security advisory published today, YubiKey FIPS Series devices that run firmware version 4.4.2 and 4.4.4 contain a bug that keeps "some predictable content" inside the device's data buffer after the power-up operation.

This "predictable content" will influence the randomness of cryptographic keys generated on the device for a short period after the boot-up, until the "predictable content" is all used up and true random data is present in the buffer. This means that, for a short period after booting up, YubiKey FIPS Series devices with the affected 4.4.2 and 4.4.4 versions will generate keys that can be recovered either partially or in full, depending on the cryptographic algorithm the key is used with for a particular authentication operation.

HP

IT Pro Screwed Out of Unused Vacation Pay, Bonus By HPE Thanks To Outdated Law (theregister.co.uk) 229

Slashdot reader Meg Whitman shares a report from The Register: A "highly skilled IT professional" has lost his fight to be paid his unused vacation days as well as a non-trivial bonus, after a judge stuck to a law he admitted was outdated. Matthew White joined Hewlett-Packard in 2013 and left in July 2015, just months before the company split into HP and Hewlett Packard Enterprise (HPE). After quitting, he was stunned when the U.S. mega-corp, citing HPE's new policies, refused to hand over extra pay he felt was contractually due. Hewlett-Packard had enticed White with a sweet contract that offered a signing bonus, base salary, regular bonuses, and a benefits program. But after he quit, he was left without his unused vacation pay and a $10,000 bonus he felt he was entitled to. [...]

HPE decided that, under the law, White could only get hold of the relevant policies if he turned up, in person, to the company's official human resources headquarters -- which is on the other side of America in California, roughly 2,500 miles away. White felt this was ridiculous given that HP, sorry, HPE is not only a massive organization with HR people all over the United States, but that it was a technology company with countless employees working across the world, often at home, and that the policies are likely readily available in an internal cloud. The judge had some sympathy for that view. "This part of the statute may indeed need reworking for today's world where cloud-based digital records are replacing physical file folders located in a physical location, where employees work at home -- sometimes remotely from any head office or regional office -- and where worldwide companies like HP assign HP personnel for an entire country or region, or even outsource various HP responsibilities." Yet the judge still decided against the techie.

Privacy

Facebook Collected Device Data On 187,000 Users Using Banned Snooping (techcrunch.com) 45

Facebook obtained personal and sensitive device data on about 187,000 users of its now-defunct Research app, which Apple banned earlier this year after the app violated its rules. TechCrunch reports: The social media giant said in a letter to Sen. Richard Blumenthal's office -- which TechCrunch obtained -- that it collected data on 31,000 users in the U.S., including 4,300 teenagers. The rest of the collected data came from users in India. "We know that the provisioning profile for the Facebook Research app was created on April 19, 2017, but this does not necessarily correlate to the date that Facebook distributed the provisioning profile to end users," said Timothy Powderly, Apple's director of federal affairs, in his letter. Facebook said the app dated back to 2016.

These "research" apps relied on willing participants to download the app from outside the app store and use the Apple-issued developer certificates to install the apps. Then, the apps would install a root network certificate, allowing the app to collect all the data out of the device -- like web browsing histories, encrypted messages and mobile app activity -- potentially also including data from their friends -- for competitive analysis. In Facebook's case, the research app -- dubbed Project Atlas -- was a repackaged version of its Onavo VPN app, which Facebook was forced to remove from Apple's App Store last year for gathering too much device data. Just this week, Facebook relaunched its research app as Study, only available on Google Play and for users who have been approved through Facebook's research partner, Applause. Facebook said it would be more transparent about how it collects user data.

Security

Team of American Hackers and Emirati Spies Discussed Attacking The Intercept (theintercept.com) 49

The Intercept: Operatives at a controversial cybersecurity firm working for the United Arab Emirates government discussed targeting The Intercept and breaching the computers of its employees, according to two sources, including a member of the hacking team who said they were present at a meeting to plan for such an attack. The firm, DarkMatter, brought ex-National Security Agency hackers and other U.S. intelligence and military veterans together with Emirati analysts to compromise the computers of political dissidents at home and abroad, including American citizens, Reuters revealed in January. The news agency also reported that the FBI is investigating DarkMatter's use of American hacking expertise and the possibility that it was wielded against Americans.

The campaign against dissidents and critics of the Emirati government, code-named Project Raven, began in Baltimore. A 2016 Intercept article by reporter Jenna McLaughlin revealed how the Maryland-based computer security firm CyberPoint assembled a team of Americans for a contract to hone UAE's budding hacking and surveillance capabilities, leaving some recruits unsettled. Much of the CyberPoint team was later poached by DarkMatter, a firm with close ties to the Emirati government and headquartered just two floors from the Emirati equivalent of the NSA, the National Electronic Security Authority (which later became the Signals Intelligence Agency).

Security

Google Expands Android's Built-in Security Key To iOS Devices (zdnet.com) 39

An anonymous reader shares a report: In April, Google announced a groundbreaking technology that could allow Android users to use their smartphones as hardware security keys whenever logging into Google accounts on their laptops or work PCs. Initially, the technology was made available for Chrome OS, macOS, and Windows 10 devices. Today, Google announced it is expanding this technology to iOS as well. Today's news means that iPhone and iPad users can now use their (secondary) Android smartphones as a security key whenever logging into their Google accounts on an iOS device. The technology works basically the same, as Google explained in April, at the Cloud Next 2019 conference.
IT

Telegram's Description of DDoS Attack is the Best (cnet.com) 117

A distributed denial of service attack may sound like hacker talk, but there's a simple explanation behind it. Secure messaging app Telegram said it had to endure one Wednesday, and it gave an explanation that almost anyone could understand. From a report: Telegram tweeted Wednesday morning that it was dealing with a DDoS attack. The app was down for many users across the globe, according to DownDetector. The downtime period was just a little over an hour, and while it was going on, Telegram explained how a DDoS attack works.

"Imagine that an army of lemmings just jumped the queue at McDonald's in front of you -- and each is ordering a whopper," Telegram tweeted. "The server is busy telling the whopper lemmings they came to the wrong place -- but there are so many of them that the server can't even see you to try and take your order." The tweets then went on to describe how hackers accomplish a DDoS attack. "To generate these garbage requests, bad guys use 'botnets' made up of computers of unsuspecting users which were infected with malware at some point in the past. This makes a DDoS similar to the zombie apocalypse: one of the whopper lemmings just might be your grandpa," the company said in another tweet.

Security

The Biggest Data Breach Archive On the Internet Is For Sale (vice.com) 54

Troy Hunt, the owner and founder of the well-known and respected data breach notification website "Have I Been Pwned," announced today that he's actively looking for a buyer.

"To date, every line of code, every configuration and every breached record has been handled by me alone. There is no 'HIBP team,' there's one guy keeping the whole thing afloat," Hunt wrote. "It's time for HIBP to grow up. It's time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that's able to do way more than what I ever could on my own." Motherboard reports: Over the years, Have I Been Pwned has become the repository for data breaches on the internet, a place where users can search for their email address and see whether they have been part of a data breach. It's now also a service where people can sign up to get notified whenever their accounts get breached. It's perhaps the most useful, free, cybersecurity service in the world. Hunt said he's already had informal conversations with some organizations that might be interested in buying the service. Hunt said he's engaged the financial consulting firm KPMG to look for a buyer.

In the post, Hunt shared some staggering numbers that explain just how big Have I Been Pwned has become: 8 billion breached records, nearly 3 million people subscribed to notifications, who have been emailed about a breach 7 million times, 150,000 unique visitors to the site on a normal day, 10 million on an abnormal day. Regardless of who buys the site, Hunt made a series of commitments on the future of Have I Been Pwned: searches should remain free for consumers, the platform should expand and grow, and, finally, he wants to stay involved in some capacity.

Security

'RAMBleed' Rowhammer Attack Can Now Steal Data, Not Just Alter It (zdnet.com) 45

A team of academics from the US, Austria, and Australia has published new research today detailing yet another variation of the Rowhammer attack. From a report: The novelty in this new Rowhammer variety -- which the research team has named RAMBleed -- is that it can be used to steal information from a targeted device, as opposed to altering existing data or elevating an attacker's privileges, as all previous Rowhammer attacks have done in the past. [...] In a research paper [PDF] published today, academics unveiled RAMBleed, the first Rowhammer attack that can actively deduce and steal data from a RAM card. To do this, researchers had to come up with and combine different techniques, which, when assembled, would permit a RAMBleed attack to take place.
Bug

WordPress.com VIP Platform Outage Reverts Sites To Default Themes (zdnet.com) 60

An anonymous reader shares a report: Web blog hosting platform WordPress.com is currently facing a significant technical issue that has resulted in premium blogs going down or reverting to using default themes. Impacted sites include major news outlets like BBC America, TechCrunch, 9to5Mac, 9to5Google, VentureBeat, DroneDJ, and Electrek; but also many companies that were using WordPress.com's VIP offering to host corporate blogs, such as Facebook, the Wikimedia Foundation, and others. Automattic, the company behind the WordPress.com service, has admitted to the technical issue in a series of tweets and a blog post from its engineering staff.
Security

Radiohead Release Hours of Hacked MiniDiscs To Benefit Extinction Rebellion (theguardian.com) 117

Radiohead have released a vast collection of unreleased tracks made during the sessions for 1997 album OK Computer, after a MiniDisc archive owned by frontman Thom Yorke was hacked last week by an unnamed person, who reportedly held the recordings to ransom for $150,000. From a report: The band have now made the 18 MiniDisc recordings, most of them around an hour in length, available on Bandcamp for $23. Proceeds will go to climate activists Extinction Rebellion. The band's guitarist Jonny Greenwood confirmed the hack, and said: "Instead of complaining -- much -- or ignoring it, we're releasing all 18 hours on Bandcamp in aid of Extinction Rebellion. Just for the next 18 days. So for $23 you can find out if we should have paid that ransom. Never intended for public consumption (though some clips did reach the cassette in the OK Computer reissue) it's only tangentially interesting. And very, very long. Not a phone download." Thom Yorke wrote of the 1.8 gigabyte collection: "It's not v interesting. There's a lot of it... as it's out there it may as well be out there until we all get bored and move on."
Privacy

US Customs and Border Protection Says Traveler Photos and License Plate Images Stolen In Data Breach (techcrunch.com) 79

An anonymous reader quotes a report from TechCrunch: U.S. Customs and Border Protection has confirmed a data breach has exposed the photos of travelers and vehicles traveling in and out of the United States. The photos were stolen from a subcontractor's network through a "malicious cyberattack," a CBP spokesperson told TechCrunch in an email. "CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," said an agency statement. "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," the statement read. The agency first learned of the breach on May 31. When asked, a spokesperson for CBP didn't say how many photos were taken in the breach or if U.S. citizens were affected. The agency also didn't name the subcontractor. The database that the agency maintains includes traveler images, as well as passport and visa photos. Congress has been notified and the CBP said it is "closely monitoring" CBP-related work by the subcontractor.
Security

Top Voting Machine Maker Reverses Position on Election Security, Promises Paper Ballots (techcrunch.com) 184

Election Systems & Software has championed electronic voting machines in the US. Now it has had a change of heart about the need for paper records of votes. From a report: TechCrunch understands the decision was made around the time that four senior Democratic lawmakers demanded to know why ES&S, and two other major voting machine makers, were still selling decade-old machines known to contain security flaws. ES&S chief executive Tom Burt's op-ed said voting machines "must have physical paper records of votes" to prevent mistakes or tampering that could lead to improperly cast votes. Sen. Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines. The chief executive also called on Congress to pass legislation mandating a stronger election machine testing program. Burt's remarks are a sharp turnaround from the company's position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference.
Cellphones

A Wave of SIM Swapping Attacks Targets Cryptocurrency Users (zdnet.com) 33

"Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week," ZDNet reported Monday, "in what appears to be a coordinated wave of attacks."

SIM swapping, also known as SIM jacking, is a type of ATO (account takeover) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfer a victim's phone number to their own SIM card. The purpose of this attack is so that hackers can reset passwords or receive 2FA verification codes and access protected accounts....

[D]espite a period of calm in the first half of the year, a rash of SIM swapping attacks has been reported in the second half of May, and especially over the past week... Some candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they had switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.

Bitcoin

How npm Stopped a Malicious Upstream Code Update From Stealing Cryptocurrency (zdnet.com) 40

"If you're a cryptocurrency startup, would you face a huge backlash by hacking your own customers to keep their funds safe if you know that a hacker is about to launch an attack and steal their funds?" asks ZDNet: This is exactly what happened yesterday when the Komodo Platform learned about a backdoor in one of its older wallet apps named Agama. Knowing they had little time to act, the Komodo team said it used the same backdoor to extract users' funds from all impacted wallets and move them to a safe location, out of the hacker's reach.

The tactic paid off, and 8 million Komodo coins and 96 bitcoins, worth nearly $13 million, were taken from users' vulnerable accounts before the hacker could get a chance to abuse the backdoor and steal users' funds... While initially it did not make any sense for a library with a very limited feature-set to contain such an advanced functionality, after investigating the issue, npm staffers realized they were dealing with a supply-chain attack aimed at another app downstream, which was using the now-backdoored library... The npm team said the malicious code would work as intended and collect Agama wallet app seeds and passphrases, and upload the data to a remote server.

These malicious-payload updates are "becoming more and more popular," according to a post on the official npm blog (a point they later emphasized in a press release).

"After being notified by our internal security tooling of this threat we responded by notifying and coordinating with Komodo to protect their users as well as remove the malware from npm."
Botnet

Large 'GoldBrute' RDP Botnet Hunts For Exposed Servers With Weak Passwords (sans.edu) 16

The Internet Storm Center reports: RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability (CVE-2019-0708). While the reporting around this "Bluekeep" vulnerability focused on patching vulnerable servers, exposing RDP to the Internet has never been a good idea. Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them.

The latest example of such a botnet is an ongoing malicious campaign we are referring to as "GoldBrute". This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet... Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools, as each authentication attempt comes from a different address.

Long-time Slashdot reader UnderAttack writes: Infected systems will retrieve target lists from the command and control server and attempt to brute force credentials against the list, while at the same time looking for more exposed servers. With all the attention spent on patching RDP servers for the recent "BlueKeep" vulnerability, users should also make sure to just not expose RDP in the first place. Even patched, it will still be susceptible to brute forcing.
Security

Malware Spotted Injecting Bing Results Into Google Searches (theregister.co.uk) 44

A new strain of malware intercepts and tampers with internet traffic on infected Apple Macs to inject Bing results into users' Google search results. The Register reports: A report out this month by security house AiroAV details how its bods apparently spotted a software nasty that configures compromised macOS computers to route the user's network connections through a local proxy server that modifies Google search results. In this latest case, it is claimed, the malware masquerades as an installer for an Adobe Flash plugin -- delivered perhaps by email or a drive-by download -- that the user is tricked into running. This bogus installer asks the victim for their macOS account username and password, which it can use to gain sufficient privileges to install a local web proxy and configure the system so that all web browser requests go through it. That proxy can meddle with unencrypted data as it flows to and from the public internet.

A root security certificate is also added to the Mac's keychain, giving the proxy the ability to generate SSL/TLS certs on the fly for websites requested. This allows it to potentially intercept and tamper with encrypted HTTPS traffic. This man-in-the-middle eavesdropping works against HTTP websites, and any HTTPS sites that do not employ MITM countermeasures. When the user opens their browser and attempts to run a Google search on an infected Mac, the request is routed to the local proxy, which injects into the Google results page an HTML iframe containing fetched Bing results for the same query, weirdly enough.
As for why, "it's believed the Bing results bring in web ads that generate revenue for the malware's masterminds," the report says.
Government

Russia Says It Will Soon Begin Blocking Major VPNs (torrentfreak.com) 75

Russian telecoms watchdog Roscomnadzor will start blocking major VPNs including NordVPN, ExpressVPN, IPVanish and HideMyAss, following through with its threat back in March. At the time, ten major VPN providers were ordered to begin blocking sites present in the country's national blacklist -- but almost all of them didn't comply. TorrentFreak reports: When questioned on the timeline for blocking, Roscomnadzor chief Alexander Zharov said that the matter could be closed within a month. If that happens, the non-compliant providers will themselves be placed on the country's blacklist (known locally as FGIS), meaning that local ISPs will have to prevent their users from accessing them. It is not yet clear whether that means their web presences, their VPN servers, or both. In the case of the latter, it's currently unclear whether there will be a battle or not. TorGuard has already pulled its servers out of Russia and ExpressVPN currently lists no servers in the country. The same is true for OpenVPN although VyprVPN still lists servers in Moscow, as does HideMyAss. Even if Roscomnadzor is successful in blocking any or all of the non-compliant services, there are still dozens more to choose from, a fact acknowledged by Zharov.
Network

For Two Hours, European Mobile Traffic Was Rerouted Through China (zdnet.com) 57

An anonymous reader quotes a report from ZDNet: For more than two hours on Thursday, June 6, a large chunk of European mobile traffic was rerouted through the infrastructure of China Telecom, China's third-largest telco and internet service provider (ISP). The incident occurred because of a BGP route leak at Swiss data center colocation company Safe Host, which accidentally leaked over 70,000 routes from its internal routing table to the Chinese ISP. But instead of ignoring the BGP leak, like most ISPs, China Telecom re-announced Safe Host's routes as its own, and by doing so, interposed itself as one of the shortest ways to reach Safe Host's network and other nearby European telcos and ISPs. "But if any other ISP would have caused this incident, it would have likely been ignored," the reader adds. "Alas, it was China Telecom, and there's a backstory, as this is the same Chinese ISP that was accused last year in an academic paper of 'hijacking the vital internet backbone of western countries' for intelligence gathering purposes."
AI

Sony Scraps Japanese-style Egalitarian Salaries in Battle For AI Expertise (nikkei.com) 43

Sony will increase salaries by up to 20% for new recruits with high-tech skills in fields such as artificial intelligence, moving away from the traditional Japanese emphasis on seniority to better compete in a battle for talent that crosses industries and international borders. From a report: Traditionally, new graduates hired by Sony all receive the same entry-level salary, then are assigned a pay grade after more than a year based on their role. Starting this year, grades can be set for standout hires in as little as three months, resulting in annual salaries as much as 20% higher than colleagues'. Japanese companies have a deep-rooted tendency to pay new employees equally regardless of individual qualifications. But global competition for top talent -- particularly in the tech industry, where big American players like Google and Apple dominate -- has made it increasingly important to offer new graduates compensation in line with their abilities from the time they enter the company.
Privacy

Want Someone's Personal Data? Give Them a Free Donut (betanews.com) 114

Technology services provider Probrand has carried out a study at a cyber expo attended by UK security professionals, where attendees voluntarily shared sensitive data including their name, date of birth and favourite football team -- all to get their hands on a free donut. From a report: "We wanted to put this theory to the test and see just how willing people were to give up their data," says Mark Lomas, technical architect at Probrand. "We started by asking conversational questions such as 'How are you finding the day? Got any plans for after the event?' If someone happened to mention they were collecting their kids from school, we then asked what their names and ages were. One individual even showed a photograph of their children." As part of the task, Probrand also asked more direct questions such as, 'Which football team do you support?', 'What type of music are you into?' and 'What is your favourite band?' Whether asking questions transparently as part of a survey, or trying to adopt more hacker-type methods, they were alarmed to find how easy it was to obtain personal data -- which many people may be using as the basis of their passwords.
Communications

The Clever Cryptography Behind Apple's 'Find My' Feature (arstechnica.com) 91

An anonymous reader quotes a report from Ars Technica, written by Wired's Andy Greenberg: In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they're offline, allowing nearby Apple devices to relay their location to the cloud. That should help you locate your stolen laptop even when it's sleeping in a thief's bag. And it turns out that Apple's elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours.

In a background phone call with WIRED following its keynote, Apple broke down that privacy element, explaining how its "encrypted and anonymous" system avoids leaking your location data willy nilly, even as your devices broadcast a Bluetooth signal explicitly designed to let you track your device. The solution to that paradox, it turns out, is a trick that requires you to own at least two Apple devices. Each one emits a constantly changing key that nearby Apple devices use to encrypt and upload your geolocation data, such that only the other Apple device you own possesses the key to decrypt those locations. That system would obviate the threat of marketers or other snoops tracking Apple device Bluetooth signals, allowing them to build their own histories of every user's location. In fact, Find My's cryptography goes one step further than that, denying even Apple itself the ability to learn a user's locations based on their Bluetooth beacons. That would represent a privacy improvement over Apple's older tools like Find My iPhone and Find Friends, which don't offer such safeguards against Apple learning your location.

Android

Germany: Backdoor Found in Four Smartphone Models; 20,000 Users Infected (zdnet.com) 70

An anonymous reader shares a report: The German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik -- BSI) has issued security alerts today warning about dangerous backdoor malware found embedded in the firmware of at least four smartphone models sold in the country. Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones. The BSI said the phones' firmware contained a backdoor trojan named Andr/Xgen2-CY.
Security

New RCE Vulnerability Impacts Nearly Half of the Internet's Email Servers (zdnet.com) 67

An anonymous reader quotes a report from ZDNet: A critical remote command execution (RCE) security flaw impacts over half of the Internet's email servers, security researchers from Qualys have revealed today. The vulnerability affects Exim, a mail transfer agent (MTA), which is software that runs on email servers to relay emails from senders to recipients. According to a June 2019 survey of all mail servers visible on the Internet, 57% (507,389) of all email servers run Exim -- although different reports would put the number of Exim installations at ten times that number, at 5.4 million.

In a security alert shared with ZDNet earlier today, Qualys, a cyber-security firm specializing in cloud security and compliance, said it found a very dangerous vulnerability in Exim installations running versions 4.87 to 4.91. The vulnerability is described as a remote command execution -- different from, but just as dangerous as, a remote code execution flaw -- that lets a local or remote attacker run commands on the Exim server as root. Qualys said the vulnerability can be exploited instantly by a local attacker that has a presence on an email server, even with a low-privileged account. But the real danger comes from remote hackers exploiting the vulnerability, who can scan the internet for vulnerable servers, and take over systems.
The vulnerability was patched with Exim 4.92, on February 10, 2019, "but at the time the Exim team released v4.92, they didn't know they fixed a major security hole," reports ZDNet.

"This was only recently discovered by the Qualys team while auditing older Exim versions. Now, Qualys researchers are warning Exim users to update to the 4.92 version to avoid having their servers taken over by attackers."
The Internet

The Ambitious Plan To Reinvent How Websites Get Their Names (technologyreview.com) 178

When you type in a URL to your browser and press "enter," your browser sends that name to a network of computers called the Domain Name System (DNS), which converts it into IP addresses. These numbers are what allow your browser to find the right server on the internet and connect to it. When you navigate to a website, you are trusting a handful of organizations that have been charged with keeping the DNS working and secure.

"To people like Steven McKie, a developer for and investor in an open-source project called the Handshake Network, this centralized power over internet naming makes the internet vulnerable to both censorship and cyberattacks," reports MIT Technology Review. "Handshake wants to decentralize it by creating an alternative naming system that nobody controls. In doing so, it could help protect us from hackers trying to exploit the DNS's security weaknesses, and from governments hoping to use it to block free expression." From the report: The system would be based on blockchain technology, meaning it would be software that runs on a widely distributed network of computers. In theory, it would have no single point of failure and depend on no human-run organization that could be corrupted or co-opted. Handshake's software is a heavily modified version ("fork") of Bitcoin, and just as Bitcoin's network of miners protects the cryptocurrency from manipulation and makes it virtually impossible for authorities to shut down, a similar network could keep a permanent, censorship-resistant record of internet names. The Handshake team is far from the first to try to create a decentralized naming system for the web. But unlike previous efforts, Handshake isn't trying to replace DNS but to work with it.

Besides ICANN, there's yet another class of organization whose job Handshake aims to decentralize. See that little padlock icon in your browser bar, to the left of the domain name? That means your computer has verified that your connection to this website is encrypted and that the site is authentic, not a fake one designed by a criminal trying to steal your login credentials. It does that by checking the veracity of a string of numbers called the site's digital certificate, issued by one of a number of so-called certificate authorities. These entities, many of which are for-profit companies, are crucial to internet security. They can also get hacked. And if one gets breached, and an attacker can start issuing fake certificates, it undermines the security of the whole internet. But if website names are managed on a tamper-resistant blockchain, then you don't need certificate authorities; the naming system itself can provide the guarantee that the site you're connected to is real. That's what Handshake aims to do.

Security

Software Vendor May Have Opened a Gap For Hackers in 2016 Swing State (politico.com) 83

A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, POLITICO reported on Wednesday, citing a document and a person with knowledge. From the report: VR Systems, based in Tallahassee but with customers in eight states, used what's known as remote-access software to connect for several hours to a central computer in Durham County, N.C., to troubleshoot problems with the company's voter list management tool, the person said. The software distributes voter lists to so-called electronic poll books, which poll workers use to check in voters and verify their eligibility to cast a ballot.

The company did not respond to POLITICO's requests for comment about its practices. But election security experts widely condemn remote connections to election-related computer systems -- not only because they can open a door for intruders but because they can also give attackers access to an entire network, depending on how they're configured. In Durham County's case, the computer in question communicated with North Carolina's State Board of Elections to download the county's voter list before elections, which could have potentially opened a gateway to the state system as well.

EU

The EU's Embassy In Russia Was Hacked But The EU Kept It A Secret (buzzfeednews.com) 56

The European Union's embassy in Moscow was hacked and had information stolen from its network, according to a leaked internal document seen by BuzzFeed News. From the report: An ongoing "sophisticated cyber espionage event" was discovered in April, just weeks before the European Parliament elections -- but the European External Action Service (EEAS), the EU's foreign and security policy agency, did not disclose the incident publicly. Russian entities are believed to be behind the hack, a source, speaking on condition of anonymity, told BuzzFeed News.

The EEAS confirmed an incident had taken place and, asked whether the EU's foreign policy chief Federica Mogherini knew about the incident, said that EEAS hierarchy had been informed. "We have observed potential signs of compromised systems connected to our unclassified network in our Moscow Delegation. Measures have been taken and the investigation is in progress -- at this stage we cannot comment further," a spokesperson said. According to the leaked document, the initial attack took place in February 2017 but it was only detected in April this year. An analysis of the hack found activity affecting at least two computers and concluded that information had been stolen. However, officials have no idea how much and exactly what kind of information was taken during the attack.

Privacy

Quest Diagnostics, One of the Biggest Blood Testing Providers In US, Says Up To 12 Million Patients May Have Had Info Stolen (nbcnewyork.com) 78

JustAnotherOldGuy writes from a report via NBC New York: Did your personal, medical, or financial data just get hacked? Quest Diagnostics, one of the biggest blood testing providers in the country, warned Monday that nearly 12 million of its customers may have had personal, financial and medical information breached due to an issue with one of its vendors. In a filing with securities regulators, Quest said it was notified that between Aug. 1, 2018 and March 30, 2019, someone had unauthorized access to the systems of AMCA, a billing collections vendor. "The information on AMCA's affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers)," Quest said in a filing.
The Internet

Apple Introduces Privacy-Focused 'Sign in With Apple' Button For Sites and Apps (thenextweb.com) 75

Apple today announced a "Sign in with Apple" button -- similar to the sign-in buttons from Twitter, Facebook or Google that allow users to quickly log in to a range of services using their social media account. But unlike any existing solution, Apple is focusing on privacy. From a report: More importantly, you can choose to hide your email address, and Apple will generate a random email ID visible only to that particular app that'll forward all emails to your main email ID. Plus, this method creates a unique random email for each app, so that they can't track you and your personal data. The new sign-in feature is available across MacOS, iOS, and websites.
Security

Apple Still Has Problems With Stopping Synthetic Clicks (zdnet.com) 22

Synthetic events remain a big security hole for macOS in spite of Apple's recent efforts to prevent malicious applications from abusing this feature. From a report: Speaking at the second edition of the Objective by the Sea security conference that was held in Monaco over the weekend, Patrick Wardle, a well-known Apple security expert, has revealed a zero-day impacting Apple's macOS operating system, including the new version launched today. The zero-day is a bypass of the security protections that Apple has put in place to prevent unauthorized access to synthetic events. Synthetic events are a macOS mechanism that allows applications to automate mouse clicks and keyboard input. It was created for the sake of automation and can be used via either the Core Graphics framework or the AppleScript scripting language. [...]

For almost two years now, Wardle has been looking at Apple's countermeasures aimed to prevent the abuse of synthetic events. He previously showed two methods [1, 2] of bypassing Apple's synthetic events protections, so much so that Apple decided last year to block access to synthetic events by default. But over the weekend, Wardle disclosed a new way of bypassing these latest protections, once again. "It's the gift that keeps giving," Wardle told ZDNet via email. "And actually gets more and more valuable as Apple adds more protections (privacy and security mechanisms) that can be 'allowed' by a single synthetic click." The new technique is possible because of the Transparency Consent and Control (TCC) system. Wardle says the TCC contains a compatibility database in the form of a file named AllowApplications.plist. This file lists apps and app versions that are allowed to access various privacy and security features, including synthetic events.

Encryption

What Would Happen If All Encryption Could Be Broken? (wikipedia.org) 316

"What would happen, or what should happen, if tomorrow a trivial method was discovered for Prime Factorization?" asks Slashdot reader medv4380: By trivial I mean an algorithm that runs in relatively constant time that could factor a number like 2737631357921793461914298938174501291 relatively instantly on most modern hardware today. And that even increasing the bit length wouldn't slow it down much. How much chaos would result if such a method were revealed tomorrow with little warning?

Keeping it a secret only means that others may have long ago exploited the method at the expense of others. Should proof be presented without revealing the method, to reduce the impact, and who should be told first if at all?

Slashdot reader Shikaku sees a real possibility of this actually happening when quantum computers are developed, adding that quantum-resistant encryption "is an ongoing experiment."

But if development lags -- what would happen if all encryption could be broken?
Cloud

Ask Slashdot: Is Dockerization a Fad? 252

Long-time Slashdot reader Qbertino is your typical Linux/Apache/MySQL/PHP (LAMP) developer, and writes that "in recent years Docker has been the hottest thing since sliced bread." You are expected to "dockerize" your setups and be able to launch a whole string of processes to boot up various containers with databases and your primary PHP monolith with the launch of a single script. All fine and dandy this far.

However, I can't shake the notion that much of this -- especially in the context of LAMP -- seems overkill. If Apache, MariaDB/MySQL and PHP are running, getting your project or multiple projects to run is trivial. The benefits of having Docker seem negligible, especially having each project lug its own setup along. Yes, you can have your entire compiler and Continuous Integration stack with SASS, Gulp, Babel, Webpack and whatnot in one neat bundle, but that doesn't seem to diminish the usual problems with the recent bloat in frontend tooling, to the contrary....

But shouldn't tooling be standardised anyway? And shouldn't Docker then just be an option for those who couldn't be bothered to have (L)AMP on their bare metal? I'm still skeptical of this Dockerization fad. I get it makes sense if you need to scale microservices easy and fast in production, but for 'traditional' development and traditional setups, it just doesn't seem to fit all that well.

What are your experiences with using Docker in a development environment? Is Dockerization a fad or something really useful? And should I put up with the effort to make Docker a standard for my development and deployment setups?

The original submission ends with "Educated Slashdot opinions requested." So leave your best answers in the comments.

Is Dockerization a fad?
Security

Should Companies Abandon Their Password Expiration Policies? (techcrunch.com) 132

In his TechCrunch column, software engineer/journalist Jon Evans writes that last month "marked a victory for sanity and pragmatism over irrational paranoia." I'm talking about Microsoft finally -- finally! but credit to them for doing this nonetheless! -- removing the password expiration policies from their Windows 10 security baseline... Many enterprise-scale organizations (including TechCrunch's owner Verizon) require their users to change their passwords regularly. This is a spectacularly counterproductive policy.

To quote Microsoft: "Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives... If a password is never stolen, there's no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem... If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven't implemented modern mitigations, how much protection will they really gain from password expiration...?"

Perfect security doesn't exist. World-class security is hard. But decent security is generally quite accessible, if you faithfully follow some basic rules. In order to do so, it's best to keep those rules to a minimum, and get rid of the ones that don't make sense. Password expiration is one of those. Goodbye to it, and good riddance.

Instead the column recommends password managing software to avoid password re-use across sites, as well as two-factor authentication. "And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos."

But if your company still has a password expiration policy, he suggests mailing Microsoft's blog post to your sys-admin. "They will ignore you at first, of course, because that's what enterprise administrators do, and because information security (like transportation security) is too often an irrational one-way ratchet because our culture of fear incentivizes security theater rather than actual security -- but they may grudgingly begin to accept that the world has moved on."
Security

Six Years After Ed Snowden Went Public, How Much Has Changed? (counterpunch.org) 231

Slashdot reader Nicola Hahn argues that at first, Edward Snowden's revelations six years ago "put mass surveillance and state sponsored hacking center stage," leading to other revelations like the ANT Catalogue, the Equation Group tools, and the Vault 7 leaks: In the wake of these developments a number of high-ranking officials scrambled to justify clandestine programs. Executives likewise recalibrated their stance toward the government and lawmakers worked to defend our civil liberties. Yet despite the tumult of the post-Snowden era and the debates that ensued, has it actually changed anything? Or did society merely offer a collective shrug to the looming threat of pervasive monitoring, surrendering to the convenience of mobile devices?

One observer who has warily followed the aftermath of the Snowden affair believes that most people followed the latter path and that it does not bode well for civilization.

That observer is Bill Blunden, who asks this question in an essay at Counterpunch.

"After all the breathless headlines, Hollywood movies, book deals, Pulitzer prizes, and glossy primetime biopics. What, pray tell, has come of it?"
Encryption

Is Facebook Already Working On An Encryption Backdoor? (forbes.com) 79

Horst Seehofer, Germany's federal interior minister, wants to require encryption companies to provide the government with plain text transcripts. One security expert says Facebook is already working on a way to make it happen.

An anonymous reader quotes his remarks in Forbes: The reality is that at its annual conference earlier this month, Facebook previewed all of the necessary infrastructure to make Germany's vision a reality and even alluded to the very issue of how Facebook's own business needs present it with the need to be able to covertly access content directly from users' devices that have been protected through end-to-end encryption...

While it was little noticed at the time, Facebook's presentation on its work towards moving AI-powered content moderation from its data centers directly onto users' phones presents a perfect blueprint for Seehofer's vision. Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users' messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook's acceptable speech guidelines. This would actually allow a government like Germany to proactively prevent unauthorized speech before it is ever uttered, by using court orders to force Facebook to expand its censorship list for German users of its platform.

Even more worryingly, Facebook's presentation alluded to the company's need to covertly harvest unencrypted illicit messages from users' devices without their knowledge and before the content has been encrypted or after it has been decrypted, using the client application itself to access the encrypted-in-transit content. While it stopped short of saying it was actively building such a backdoor, the company noted that when edge content moderation flagged a post in an end-to-end encrypted conversation as a violation, the company needed to be able to access the unencrypted contents to further train its algorithms, which would likely require transmitting an unencrypted copy from the user's device directly to Facebook without their approval.

Could this be the solution Germany has been searching for?

The article warns that by "sparking the idea of being able to silently harvest those decrypted conversations on the client side, Facebook is inadvertently telegraphing to anti-encryption governments that there are ways to bypass encryption while also bypassing the encryption debate."
Security

Ask Slashdot: What To Do When Your Certificate Authority Suddenly Revokes Your Cert? 180

Long-time Slashdot reader rastos1 works for a mid-size software company that for many decades has been developing CAD-CAM software for the textile industry. But last weekend their code-signing certificate was revoked -- and they're looking for advice. On Monday morning we woke up to phones ringing from confused customers unable to launch our software. This has hit mostly Java applications launched from a web page, because the JRE checks the signature by default using OCSP. But traditional executables and shared libraries would also report an invalid signature upon checking.

We reached out, but for half a day we could not get any feedback. Later we got information that some malware was signed with our certificate. Two days and many e-mails and phone calls later, we understand that this is what happened: someone submitted one of our executables to virustotal.com -- a site that runs ~70 antivirus programs on submitted files and reports back whether they flag the uploaded file. Five of their antivirus packages flagged our executable. We tracked down the version and we positively know it was a false positive. There is a random guy who wrote a tool that creates a monthly report of files flagged at VirusTotal. Sectigo found the report and, according to their statement, revoked all certificates used to sign executables -- causing major disruption to us and downtime for our customers... There was no attempt to contact us and clarify the situation.

How do you prepare for and deal with such a scenario? Did you know how little it takes to get your certificate revoked?

They'd bought their certs from the same seller for more than a decade -- and their story has already drawn some interesting comments from long-time Slashdot readers. "False positives are way too common in the anti-virus world today..." argues Z00L00K, adding "you have to cut down all unnecessary players in the chain to a minimum, so the dependency on an external CA is worth reconsidering."

sjames -- Slashdot reader #1,099 -- agrees. "If you must depend on another entity, make sure they're small enough that they would actually care if they lost you as a customer." And Martin S. simply recommends talking to a lawyer, adding "This is a legal problem, not a technology problem."

But what's your advice? Leave your best thoughts in the comments. What should you do when your certificate authority suddenly revokes your cert?
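The submission describes the mechanism that turned a revocation into an outage: at launch, the JRE asks the issuer's OCSP responder about the signing certificate, and a "revoked" answer blocks the application. The script below is an added example, not code from the submitter, Sectigo or Oracle; it rebuilds that exchange offline with a throwaway CA and constructed file names, uses the openssl CLI as both responder (driven by the same index.txt format "openssl ca" keeps) and client, and shows the status flipping from good to revoked. The practical point for the submitter's situation is the client half: run that check against your own certificate on a schedule and alert on anything other than "good", so a revocation is noticed by monitoring rather than by customers.

```shell
#!/bin/sh
# Added example, not code from the Slashdot submission or from any CA:
# rebuild the OCSP revocation check offline with a throwaway CA
# (constructed test data) and the openssl CLI.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Throwaway CA and a "code-signing" leaf certificate. P-256 keys keep
#    generation fast; nothing here is a real issuer or a real product cert.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=Example Test CA" -days 30 2>/dev/null
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=Example Code Signing" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out leaf.crt -days 30 2>/dev/null
# Serial number as the CA's index file records it (uppercase hex).
SERIAL=$(openssl x509 -in leaf.crt -noout -serial | cut -d= -f2)

# 2. The client's question: an OCSP request for leaf.crt. -no_nonce so the
#    stored answer can be re-evaluated later without a nonce mismatch.
openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1

# 3. The CA's answer. "openssl ocsp -index" acts as a responder driven by
#    an index.txt line: column 1 is V (valid) or R (revoked), column 3 the
#    revocation time, column 4 the serial. $1 selects the state.
responder_answer() {
  state=$1
  if [ "$state" = R ]; then
    revdate=250616120000Z   # constructed revocation time
  else
    revdate=""
  fi
  printf '%s\t300101000000Z\t%s\t%s\tunknown\t/CN=Example Code Signing\n' \
    "$state" "$revdate" "$SERIAL" > index.txt
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
}

# 4. What a JRE-style client does with the answer: verify the responder's
#    signature against the trust anchor and read the status. Prints good,
#    revoked or unknown. The CA cert doubles as the issuer here.
client_status() {
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -CAfile ca.crt \
    -respin resp.der 2>/dev/null | sed -n 's/^leaf\.crt: //p'
}

responder_answer V
echo "before revocation: $(client_status)"   # good
responder_answer R
echo "after revocation:  $(client_status)"   # revoked
```

Against a real issuer the responder step is replaced by the network: `openssl x509 -noout -ocsp_uri -in cert.pem` prints the responder URL from the certificate's AIA extension, and `openssl ocsp -issuer issuer.pem -cert cert.pem -url <that URL> -CAfile chain.pem` performs the live query; the status parsing in `client_status` stays the same.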
