Welcome to Dead Drop number 27, your look at what's happening in the worlds of computer security and digital freedom. All source links are below.

- YouTube link
- mirror
- Torrent


On the back of the internal breach at GitHub I mentioned in the last episode, it seems like Twitter has also experienced something similar, with the passwords of what seems like its entire user base of 300-odd million being stored in a plaintext log. If you haven't already, Twitter suggests changing your password immediately.


The Hak5 team made another cool video recently, this time talking to MG. LOL about how easy it is to covertly insert malicious hardware directly into USB cables.


Researchers have found a critical flaw in a range of PGP email tools, which they claim allows encrypted messages to be read as plaintext. At the time of making this video, the full details haven't been released, but it looks like it affects Enigmail for Thunderbird, GPGTools for Apple Mail, as well as Gpg4win on Outlook.

The EFF is suggesting you disable or delete these utilities immediately, and has guides on its site telling you exactly how to do it. It appears to be a problem with how those tools work with email clients, and not specifically the PGP algorithm itself.

The researchers are also suggesting you use something like Signal instead for private communications, but they too have been hit with some vulnerabilities this week. Alfredo Ortega posted a proof of concept video which shows how a JavaScript payload can be sent as a message to any user on the Signal Desktop apps to execute code on their system - all without the recipient interacting at all.

And on top of that, some other researchers found that Signal's self-destructing messages were being logged in macOS's notification bar, even after being deleted from the app. Signal pushed out an update the other day to mitigate this.


Some engineers in Germany have created a prototype for what they call the 'Unhackable Envelope'. The device consists of a mini computer with volatile memory, encased in an electrode shield and an outer metal shield. What's interesting is that the keys used on the device are derived from the unique electric field generated by the device shielding, so if you try to break into it, the field changes, meaning the keys no longer work, and the volatile memory is wiped.


Purism posted some updates on their Librem 5 smartphone project the other day. This privacy-focused Linux-based phone now has a custom-designed GNOME UI, which looks pretty slick. The company is still aiming at a January 2019 release.


In the last Cyber Dump video I showed you someone who was making their own chips in their garage. Well, now the people at Duo have released a video showing how researchers decap existing chips in order to read their contents.


Just over a week ago, I released episode 1 of the new decentralize series, which will be looking at what I think will be the next step in the evolution of the internet. Check it out and share the primer if you want.

And speaking of creating this new decentralized web, Blockstack just announced a $1 million fund for teams to start building decentralized social networking apps. The funds will be split up, so 10 teams each receive $100,000 to develop their apps. You can apply now at

Alright, that's it for this week. Thanks to those who sent in links, and thank you for watching. See you in the next video.