Following up on rules one and two, it seems appropriate to add a third: “You should probably worry more about being attacked online by your own government than by any other organization”.
This is really an extension of the point about how governments are more dangerous than terrorists and how institutions of armed power need oversight.
Based on the open source intelligence available, we have to assume that governments all over the world are constantly monitoring the activity of their citizens online, for reasons both reasonably benign and exceedingly nefarious. It is worth remembering that even if the official purpose of a surveillance program is acceptable, it can be abused by anyone who gains access to it for purposes that may be very dubious. Hackers and rogue government agents are well positioned to use internet surveillance to rob or blackmail people, for instance. It is also worth remembering that data is not only being monitored in real time; it is also being archived for unknown future purposes.
Tools for privacy
Thankfully, we do have some tools to make this ubiquitous surveillance more difficult to carry out. You probably cannot encrypt your hard drive well enough to protect the contents if government agents grab it, but you can encrypt your online communications sufficiently well to make it at least challenging to decrypt them. The more people streaming gigabytes of data via encrypted HTTPS connections, the less feasible it is to archive and crack internet traffic as a whole.
You can also use tools like Tor. People should be willing to assert their right to anonymous communication.
Backdoor Found In Hacked Version of Anti-Censorship Tool Simurgh
“Simurgh, a privacy tool used in Iran and Syria to bypass Internet censorship and governmental monitoring, is being circulated with a backdoor. The compromised version has been offered on P2P networks and via web searches. Research conducted by CitizenLab.org has shown that the malicious version isn’t available from the original software source, only through third-party access, so it appears that Simurgh has been repackaged. The troubling aspect of the malicious version is that while it does install the proxy as expected, it then adds a keylogging component, and ships the recorded information off to a server hosted in the U.S. and registered to a person in Saudi Arabia. In response to this attack, the team that develops Simurgh has instituted a check that will warn the user if they are running a compromised version of the software. At present, it is unknown who developed the hijacked version of Simurgh, or why they did so.”
http://www.slashgear.com/flame-cyber-espionage-discovered-in-vast-infection-net-28230470/
A new and fast spreading malware tipped to already dwarf the notorious Stuxnet has been identified, codenamed Flame and believed to be state-run cyberespionage affecting PCs in Iran and nearby countries. Spotted by Kaspersky Lab, “Worm.Win32.Flame” blends features from backdoor, trojan and worm malware, and once surreptitiously loaded onto a target machine can monitor network traffic, local use, grab screenshots and record audio, sending all that data back to its home servers. Believed to be active from at least March 2010, Flame is tipped to be 20x more prevalent than Stuxnet.
Iran is the most common place Kaspersky have discovered Flame, but it’s also been discovered in Israel, Palestine, the Sudan, Syria, Lebanon, Saudi Arabia and Egypt; there are “probably thousands of victims worldwide” the researchers estimate. Interestingly, there’s a broad spread of targeted computers, across academia, private companies, specific individuals and others; the operators appear to be cleaning up after themselves, too, only leaving Flame active on the most interesting machines, and deleting it from those with little worth.
…
What has researchers particularly concerned is the scale of Flame’s monitoring abilities. Rather than merely recording VoIP calls, the malware can turn on the PC’s microphone and surreptitiously begin its own recordings, for instance, while screenshots are taken when “interesting” apps, such as instant messaging clients, are on-screen. Meanwhile, if the computer has Bluetooth, it can scan for nearby devices and then use the short-range wireless technology to create secret peer-to-peer connections while embedding details on Flame’s status in the “discoverable device” information.
Google adds feature to help users in China avoid Internet censorship
Google: government requests to censor content “alarming”
http://mobile.reuters.com/article/idUSBRE85H0S220120618?irpc=932
BRUSSELS (Reuters) – Google has received more than 1,000 requests from authorities to take down content from its search results or YouTube video in the last six months of 2011, the company said on Monday, denouncing what it said was an alarming trend.
In its twice-yearly Transparency Report, the world’s largest web search engine said the requests were aimed at having some 12,000 items overall removed, about a quarter more than during the first half of last year.
“Unfortunately, what we’ve seen over the past couple years has been troubling, and today is no different,” Dorothy Chou, the search engine’s senior policy analyst, said in a blogpost. “We hoped this was an aberration. But now we know it’s not.”
Many of those requests targeted political speech, keeping up a trend Google said it has noticed since it started releasing its Transparency Report in 2010.
The Failure of Anti-Virus Companies to Catch Military Malware
…
It isn’t just the military that tests their malware against commercial defense products; criminals do it, too. Virus and worm writers do it. Spam writers do it. This is the never-ending arms race between attacker and defender, and it’s been going on for decades. Probably the people who wrote Flame had a larger budget than a large-scale criminal organization, but their evasive techniques weren’t magically better. Note that F-Secure and others had samples of Flame; they just didn’t do anything about them.
I think the difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily. It was never a priority to understand — and then write signatures to detect — the Flame samples because they were never considered a problem. Maybe they were classified as a one-off. Or as an anomaly. I don’t know, but it seems clear that conventional non-military malware writers that want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and DuQu.
Canadian encryption software beats Syrian regime’s censors
I spy
SIR – One thing to bear in mind about cybersecurity concerns posed by telecoms-equipment firms (“The company that spooked the world”, August 4th) is that most communications surveillance is carried out by governments eavesdropping on their own citizens. Authorities are increasingly insisting that telecoms gear (and services like Skype) should allow for the lawful interception of communications. Once these rules are in place they can be subverted for unauthorised spying.
Ericsson’s phone exchanges, used by Vodafone’s network in Greece, were accessed in 2004 to spy on the Greek prime minister and other top officials. The noise Western governments make about Chinese companies like Huawei and ZTE is more about control rather than a genuine concern about privacy.
Professor Diomidis Spinellis
Athens University of Economics and Business
A good general principle would be to afford data stored in a private e-mail account as much protection as letters stored in a locked desk drawer—that is, law-enforcement agencies wanting to get a look at them should need a warrant. Internet and mobile-phone companies, and the agencies that get data from them, must be subject to proper reporting requirements. Only if people know more clearly what information is being collected about whom, and to what uses it is being put, can they judge whether the benefits of greater safety the surveillance state has brought them are worth the huge loss of privacy they have suffered as a result.
Government surveillance
Little peepers everywhere
America’s laws governing digital and mobile surveillance are an unholy mess
Jul 21st 2012 | SAN FRANCISCO AND WASHINGTON, DC | from the print edition
Big Brother on a budget: How Internet surveillance got so cheap
Deep packet inspection, petabyte-scale analytics create a “CCTV for networks.”
When Libyan rebels finally wrested control of the country last year away from its mercurial dictator, they discovered the Qaddafi regime had received an unusual gift from its allies: foreign firms had supplied technology that allowed security forces to track nearly all of the online activities of the country’s 100,000 Internet users. That technology, supplied by a subsidiary of the French IT firm Bull, used a technique called deep packet inspection (DPI) to capture e-mails, chat messages, and Web visits of Libyan citizens.
The fact that the Qaddafi regime was using deep packet inspection technology wasn’t surprising. Many governments have invested heavily in packet inspection and related technologies, which allow them to build a picture of what passes through their networks and what comes in from beyond their borders. The tools secure networks from attack—and help keep tabs on citizens.
Narus, a subsidiary of Boeing, supplies “cyber analytics” to a customer base largely made up of government agencies and network carriers. Neil Harrington, the company’s director of product management for cyber analytics, said that his company’s “enterprise” customers—agencies of the US government and large telecommunications companies—are “more interested in what’s going on inside their networks” for security reasons. But some of Narus’ other customers, like Middle Eastern governments that own their nations’ connections to the global Internet or control the companies that provide them, “are more interested in what people are doing on Facebook and Twitter.”
FinSpy Commercial Spyware Abused By Governments
“The NY Times has a story about FinSpy, a commercial spyware package sold ‘only for law enforcement purposes,’ being used by governments to spy on dissidents, journalists, and others. Two U.S. computer experts, Morgan Marquis-Boire from Google, and Bill Marczak, a PhD student in Computer Science, have been tracking it down around the world. ‘The software proved to be the stuff of a spy film: it can grab images of computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The two men said they discovered mobile versions of the spyware customized for all major mobile phones. But what made the software especially sophisticated was how well it avoided detection. Its creators specifically engineered it to elude antivirus software made by Kaspersky Lab, Symantec, F-Secure and others.'”
Sir Tim Berners-Lee Accuses UK Government of “Draconian Internet Snooping”
“According to British daily The Telegraph, Sir Tim Berners-Lee has warned that plans to monitor individuals’ use of the internet would result in Britain losing its reputation as an upholder of web freedom. The plans, by Home Secretary Theresa May, would force British ISPs and other service providers to keep records of every phone call, email and website visit in Britain. Sir Tim has told the Times: ‘In Britain, like in the US, there has been a series of Bills that would give government very strong powers to, for example, collect data. I am worried about that.’ Sir Tim has also warned that the UK may wind up slipping down the list of countries with the most Internet freedom, if the proposed data-snooping laws pass parliament. The draft bill extends the type of data that internet service providers must store for at least 12 months. Providers would also be required to keep details of a much wider set of data, including use of social network sites, webmail and voice calls over the internet.”
Cops might finally need a warrant to read your Gmail
Major surveillance law change arrives in the Senate—and it might well pass.
Right now, if the cops want to read my e-mail, it’s pretty trivial for them to do so. All they have to do is ask my online e-mail provider. But a new bill set to be introduced Thursday in the Senate Judiciary Committee by its chair, Sen. Patrick Leahy (D-VT), seems to stand the best chance of finally changing that situation and giving e-mail stored on remote servers the same privacy protections as e-mail stored on one’s home computer.
When Congress passed the 1986 Electronic Communications Privacy Act (ECPA), a time when massive online storage of e-mail was essentially unimaginable, it was presumed that if you hadn’t actually bothered to download your e-mail, it could be considered “abandoned” after 180 days. By that logic, law enforcement would not need a warrant to go to the e-mail provider or ISP to get the messages that are older than 180 days; police only need to show that they have “reasonable grounds to believe” the information gathered would be useful in an investigation. Many Americans and legal scholars have found this standard, in today’s world, problematic.
Leahy, who was one of ECPA’s original authors, proposed similar changes in May 2011, but that was never even brought to a vote in the committee. The new version, which keeps the most important element of the 2011 proposal, will be incorporated into a larger bill aimed at revising the 1988 Video Privacy Protection Act (VPPA).
Stellar Wind (code name)
From Wikipedia, the free encyclopedia
Stellar Wind is the open secret code name for certain information collection activities performed by the United States’ National Security Agency and revealed by Thomas M. Tamm to New York Times reporters James Risen and Eric Lichtblau. The operation was approved by President George W. Bush shortly after the September 11 attacks in 2001.
The program’s activities involve data mining of a large database of the communications of American citizens, including e-mail communications, phone conversations, financial transactions, and Internet activity.
Stratfor emails reveal secret, widespread TrapWire surveillance system
Published: 10 August, 2012, 11:23
Edited: 11 August, 2012, 01:35
Former senior intelligence officials have created a detailed surveillance system more accurate than modern facial recognition technology — and have installed it across the US under the radar of most Americans, according to emails hacked by Anonymous.
Every few seconds, data picked up at surveillance points in major cities and landmarks across the United States are recorded digitally on the spot, then encrypted and instantaneously delivered to a fortified central database center at an undisclosed location to be aggregated with other intelligence. It’s part of a program called TrapWire and it’s the brainchild of Abraxas, a Northern Virginia company staffed with elite from America’s intelligence community. The employee roster at Abraxas reads like a who’s who of agents once with the Pentagon, CIA and other government entities according to their public LinkedIn profiles, and the corporation’s ties are assumed to go deeper than even documented.
The details on Abraxas and, to an even greater extent TrapWire, are scarce, however, and not without reason. For a program touted as a tool to thwart terrorism and monitor activity meant to be under wraps, it’s understandable that Abraxas would want the program’s public presence to be relatively limited. But thanks to last year’s hack of the Strategic Forecasting intelligence agency, or Stratfor, all of that is quickly changing.
Trailblazer Project
From Wikipedia, the free encyclopedia
Trailblazer was a United States National Security Agency (NSA) program intended to develop a capability to analyze data carried on communications networks like the Internet. It was intended to track entities using communication methods such as cell phones and e-mail. It ran over budget, failed to accomplish critical goals, and was cancelled.
NSA whistleblowers J. Kirk Wiebe, William Binney, Ed Loomis, and House Permanent Select Committee on Intelligence staffer Diane Roark complained to the Department of Defense’s Inspector General (IG) about waste, fraud, and abuse in the program, and the fact that a successful operating prototype existed, but was ignored when the Trailblazer program was launched. The complaint was accepted by the IG and an investigation began that lasted until mid-2005 when the final results were issued. The results were largely hidden, as the report given to the public was heavily (90%) redacted, while the original report was heavily classified, thus restricting the ability of most people to see it.
The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance
Christopher Soghoian
Ph.D. Dissertation, August 2012.
Can You See Me Now: Toward Reasonable Standards for Law Enforcement Access to Location Data that Congress Could Enact
Stephanie K. Pell and Christopher Soghoian
Berkeley Technology Law Journal, Vol. 27, 2012.
The Law Enforcement Surveillance Reporting Gap
Christopher Soghoian
Unpublished Draft
An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government
Christopher Soghoian
Minnesota Journal of Law, Science & Technology Vol. 12, No. 1, 2011.
Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL
Christopher Soghoian and Sid Stamm
Financial Cryptography and Data Security ’11 March 2011.
Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era
Christopher Soghoian
Journal on Telecommunications and High Technology Law, Vol. 8, No. 2, 2010.
Pine Gap
From Wikipedia, the free encyclopedia
Pine Gap is the commonly used name for a satellite tracking station at 23.799°S 133.737°E, some 18 kilometres (11 mi) south-west of the town of Alice Springs in the centre of Australia which is operated by both Australia and the United States. The facility has become a key part of the local economy.
It consists of a large computer complex with eight radomes protecting antennas and has over 800 employees. It has been officially called the Joint Defence Facility Pine Gap since 1988; previously, it was known as Joint Defence Space Research Facility.[2] It is believed to be one of the largest ECHELON ground stations and appears to be physically and operationally similar to the American signals intelligence facilities at Buckley Air Force Base, Colorado and RAF Menwith Hill, United Kingdom. United States government personnel at Pine Gap are believed to be mostly from the National Security Agency and subordinate service-associated agencies as well as the Central Intelligence Agency.
In July of this year, Morgan Marquis-Boire and Bill Marczak published analysis of what appeared to be FinSpy, a commercial trojan from the FinFisher suite of surveillance tools sold by Gamma Group International. Their report, From Bahrain with Love: FinFisher’s Spykit Exposed? (https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/) , presented evidence consistent with the use of FinSpy to target Bahraini dissidents, both within Bahrain and abroad. A range of other companies sell surveillance backdoors and vulnerabilities for what they describe as “lawful intercept tools.”
Recently, CSO magazine published an article reporting on claims by anti-virus company Dr Web that a backdoor known as “Crisis” or “DaVinci” was, in fact, the commercial surveillance tool “Remote Control System” sold by a Milan, Italy-based lawful intercept vendor known as Hacking Team. According to an article published by Slate magazine, the same backdoor was used to target the Moroccan citizen journalist group, Mamfakinch.
This report examines the targeting of Mamfakinch and evidence suggesting that the same commercial surveillance toolkit described in these articles appears to have also been used in a recent campaign targeting Ahmed Mansoor, a human rights activist based in the UAE. Additionally, it examines the possibility that a vulnerability linked to the French company, VUPEN, was used as the vector for intrusion into Ahmed Mansoor’s online presence.
————————————————————
Read the full research brief (https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/) .
Read the Bloomberg news article (http://www.bloomberg.com/news/2012-10-10/spyware-leaves-trail-to-beaten-activist-through-microsoft-flaw.html) .
Canada’s Spy Groups Divulge Secret Intelligence to Energy Companies
Documents raise fears that info on environmentalists, Indigenous groups and more shared with industry at biannual, secret-level, briefings.
by Tim Groves
TORONTO—The Canadian government has been orchestrating briefings that provide energy companies with classified intelligence from the Canadian Security Intelligence Service, the RCMP and other agencies, raising concerns that federal officials are spying on environmentalists and First Nations in order to provide information to the businesses they criticize.
The secret-level briefings have taken place twice a year since 2005, and are detailed in documents obtained under the Access to Information Act, and in publicly-available government files.
The draft agenda for one of the briefings, acquired by The Dominion, shows that the RCMP and CSIS assisted the department of Natural Resources in organizing a daylong event on November 25, 2010, at CSIS headquarters in Ottawa, and a networking reception the previous night at the Chateau Laurier.
UK surveillance bill: 19,000 letters opposing, 0 in favour
The Snooper’s Charter is Britain’s pending Internet surveillance law, which requires ISPs, online services and telecoms companies to retain enormous amounts of private online transactions, and to hand them over to government and law enforcement employees without a warrant. A public campaign on the bill had 19,000 responses, every one of which opposed the legislation. 19,000 against, 0 for. The question is, will the government (which ran in part by opposing similar legislation proposed by the previous Labour government) actually pay attention?
Privacy app puts the spooks on edge
Ryan Gallagher
Lately, Mike Janke has been getting what he calls the “hairy eyeball” from international government agencies. The 44-year-old former Navy SEAL commando, together with two of the world’s most renowned cryptographers, was always bound to ruffle some high-level feathers with his new project – a surveillance-resistant communications platform that makes complex encryption so simple your grandmother can use it.
This week, after more than two years of preparation, the finished product has hit the market. Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications – text messages plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus and Android in the works. An email service is also soon scheduled to launch.
The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user – a bit like how “this tape will self-destruct” goes down in Mission: Impossible but without the smoke or fire.
I’ve been thinking a lot about how information technology, and the Internet in particular, is becoming a tool for oppressive governments. As Evgeny Morozov describes in his great book The Net Delusion: The Dark Side of Internet Freedom, repressive regimes all over the world are using the Internet to more efficiently implement surveillance, censorship, and propaganda. And they’re getting really good at it.
For a lot of us who imagined that the Internet would spark an inevitable wave of Internet freedom, this has come as a bit of a surprise. But it turns out that information technology is not just a tool for freedom-fighting rebels under oppressive governments, it’s also a tool for those oppressive governments. Basically, IT magnifies power; the more power you have, the more it can be magnified in IT.
There is, finally, a powerful political reason to introduce strong end-to-end encryption now, beyond the obvious benefits for individual users. The FBI, which fears that its digital wiretaps will “go dark” as encrypted communications become more popular, has been quietly but vigorously promoting an update to the Communications Assistance for Law Enforcement Act to cover providers of online communication services like Google and Skype. Just as phone companies have to build wiretap capability into their networks, they want Skype and Google to build in centralized backdoors for law enforcement: Strong end-to-end encryption would be out, as companies would be required to hold copies of the keys to all “secure” communications for police convenience. This myopic move would drastically reduce the security of everyone’s communications in the name of making it a bit easier to spy on a tiny handful of criminals. It’s also unlikely to do much good: If criminals know that Google can’t offer truly secure communications, there’s no way to stop them from simply employing their own unbreakable encryption.
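The two designs contrasted in the Silent Circle passage above (a fresh per-call key that is discarded afterwards, with no central copy) and in the CALEA paragraph (a provider required to hold copies of every session key) can be put side by side in code. This is an added demonstration, not Silent Circle’s or any vendor’s code: a relay that sees every byte of a call is modelled in both modes, and a later compromise of its archive shows what each mode gives up. The HMAC-based stream cipher is a constructed stand-in for a real cipher, and the DH group is RFC 3526 group 14 as transcribed here.

```python
"""Per-call ephemeral keys versus provider-held (escrow) keys.

Constructed demonstration: two callers agree a fresh Diffie-Hellman key for
each call through a relay that sees everything on the wire. In end-to-end
mode the relay retains only what it saw (public values and ciphertext); in
escrow mode it also retains a copy of each session key, as a mandated
backdoor would require. A later compromise of the archive shows the difference.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. Transcribed here; check it
# against the RFC before relying on it outside this demonstration.
_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(_P_HEX.split()), 16)
G = 2


def keypair():
    """Fresh ephemeral DH key for one call; the private part never leaves the phone."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive the per-call key from the DH shared secret (plain SHA-256 KDF)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def xor_stream(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256 (constructed stand-in for the
    real cipher). The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Relay:
    """The provider in the middle: it carries every call and keeps an archive."""

    def __init__(self, escrow=False):
        self.escrow = escrow      # True models a mandated key-copy backdoor
        self.archive = []         # what the provider retains per call

    def carry_call(self, plaintext):
        """Run one call end to end and return what the callee decrypted."""
        a_priv, a_pub = keypair()
        b_priv, b_pub = keypair()
        # Only the public values cross the relay; each phone computes the key.
        k_a = session_key(a_priv, b_pub)
        k_b = session_key(b_priv, a_pub)
        nonce = secrets.token_bytes(12)
        ciphertext = xor_stream(k_a, nonce, plaintext)
        record = {"pubs": (a_pub, b_pub), "nonce": nonce, "ciphertext": ciphertext}
        if self.escrow:
            record["key"] = k_a   # the backdoor: the provider keeps a copy
        self.archive.append(record)
        received = xor_stream(k_b, nonce, ciphertext)
        # Call over: both phones discard the key and private values.
        del a_priv, b_priv, k_a, k_b
        return received


def later_compromise(relay):
    """Someone obtains the provider's archive after the fact. Public values and
    ciphertext alone yield nothing; every retained key copy yields a call."""
    return [xor_stream(r["key"], r["nonce"], r["ciphertext"])
            for r in relay.archive if "key" in r]


def keys_differ_per_call(relay):
    """True when no two archived calls share DH public values (fresh key each time)."""
    pubs = [r["pubs"] for r in relay.archive]
    return len(pubs) == len(set(pubs))


if __name__ == "__main__":
    for mode in (False, True):
        relay = Relay(escrow=mode)
        relay.carry_call(b"call one")
        relay.carry_call(b"call two")
        print("escrow" if mode else "end-to-end", "archive yields:", later_compromise(relay))
```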
On Friday morning, the Senate renewed the FISA Amendments Act (PDF), which allows for warrantless electronic eavesdropping, for an additional five years. The act, which was originally passed by Congress in 2008, allows law enforcement agencies to access private communications as long as one participant in the communications could reasonably be believed to be outside the United States. This law has been the subject of a federal lawsuit, and was argued before the Supreme Court recently. ‘The legislation does not require the government to identify the target or facility to be monitored. It can begin surveillance a week before making the request, and the surveillance can continue during the appeals process if, in a rare case, the secret FISA court rejects the surveillance application. The court’s rulings are not public.
Cyber-warfare
Hype and fear
America is leading the way in developing doctrines for cyber-warfare. Other countries may follow, but the value of offensive capabilities is overrated
While the original analog phreaker playground may be long gone, its digital descendants have evolved into playgrounds for insiders, whose activities we only hear about in whispers and leaks. In 2006, former AT&T technician Mark Klein exposed the National Security Agency’s illegal wiretapping program, which housed equipment in AT&T’s own buildings. In 2008, 50 years after retroactively legalizing the Greenstar wiretapping, Congress retroactively immunized telecom carriers for their national security wiretapping. In 2011, former NSA code breaker William Binney revealed that the NSA was working with AT&T and other telecom companies to store phone records for “everyone in the country.” (In the vaguely New Age-y sci-fi spirit of Greenstar, they even code named the program “Stellar Wind.”) The NSA is building a $4 billion data center to store this unprecedented trove of data, sifting it for interesting patterns, finding novel, unexpected things to do with it.
http://lareviewofbooks.org/article.php?type&id=1570&fulltext=1&media
Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight
http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/all/
Government data breached thousands of times in last decade, documents say
OTTAWA — The federal government has seen more than 3,000 data and privacy breaches over the past 10 years, breaches that have affected more than 725,350 Canadians, according to documents tabled in Parliament on Tuesday.
The responses from departments, given to the New Democrats in response to an order paper question, also show that less than 13 per cent of all breaches have been reported, including a handful from the Department of Fisheries and Oceans that affected more than 4,400 individuals.
Apple can decrypt iPhones for cops; Google can remotely “reset password” for Android devices
NSA boss wants companies to be immunized from liability if they follow illegal orders from the NSA
http://boingboing.net/2013/06/20/more-nsa-leaks-how-the-nsa-be.html
On Ars Technica, Dan Goodin goes further into the documents, showing how people who use encryption and proxies, such as Tor and PGP mail, are especially targeted for spying and data-retention, even when it is clear that the communications originate with, and are destined for, US persons
…
And as Goodin notes, some of the heaviest users of PGP-encrypted email are lawyers handling confidential, privileged attorney-client communications, meaning that the US Attorney General is deliberately targeting privileged communications between US persons for extra surveillance and retention, an act of galling lawlessness.
http://arstechnica.com/tech-policy/2013/06/use-of-tor-and-e-mail-crypto-could-increase-chances-that-nsa-keeps-your-data/
Feds demand porn suspect decrypt hard drives now before he forgets passwords
http://www.wired.com/threatlevel/2013/07/decryption-flap/?cid=co9375814
My Fellow Users,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Sincerely,
Ladar Levison
Owner and Operator, Lavabit
http://lavabit.com/
http://boingboing.net/2013/08/08/lavabit-email-service-snowden.html
Lavabit competitor Silent Circle shuts down its secure email service, destroys servers
Silent Circle, a secure communications company founded by PGP creator Phil Zimmermann, has pre-emptively shut down its secure, encrypted email service and destroyed the servers so that it cannot be forced to reveal its customers’ secrets to NSA spooks.
…
“We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.”
NSA leak: US can spy on Americans, despite direct statements of President, Congress, top spooks
The Guardian has the latest of the Snowden/NSA leaks, detailing the semantic loophole exploited by the Agency in order to spy on the communications of Americans and people in the USA, something it is otherwise forbidden from doing. Since the initial Snowden leaks, President Obama, ranking Democrats (including Diane Feinstein), and NSA officials have made categorical statements denying that the NSA spies on Americans. These statements appear to be outright lies, as revealed by these revelations, and make me wonder if there are Hill rats looking up the procedures for impeachment at this very moment.
Lavabit founder has stopped using email: “If you knew what I know, you might not use it either”
The Economist explains
How does “secured” e-mail work?
NSA surveillance: A guide to staying secure
The NSA has huge capabilities – and if it wants in to your computer, it’s in. With that in mind, here are five ways to stay safe
Bruce Schneier
theguardian.com, Friday 6 September 2013 14.09 BST
…
The primary way the NSA eavesdrops on internet communications is in the network. That’s where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.
Leveraging its secret agreements with telecommunications companies – all the US and UK ones, and many other “partners” around the world – the NSA gets access to the communications trunks that move internet traffic. In cases where it doesn’t have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.
…
The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.
The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.
…
The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs.
…
As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about.
…
Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake.
…
If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn’t matter at all.
With all this in mind, I have five pieces of advice:
1) Hide in the network.
…
2) Encrypt your communications.
…
3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t.
…
4) Be suspicious of commercial encryption software, especially from large vendors.
…
5) Try to use public-domain encryption that has to be compatible with other implementations.
N.S.A. Able to Foil Basic Safeguards of Privacy on Web
…
Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.
…
“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
…
N.S.A. rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyze its technical features.
…
Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones.
…
Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.
How the feds asked Microsoft to backdoor BitLocker, their full-disk encryption tool
http://boingboing.net/2013/09/11/how-the-feds-asked-microsoft-t.html
—
This is the crypto standard that the NSA sabotaged
http://boingboing.net/2013/09/11/this-the-the-crypto-standard-t.html
The New York Times has published further details of last week’s leaked documents detailing the NSA’s program of sabotage to crypto products and standards. The new report confirms that the standard that the NSA sabotaged was the widely-suspected NIST Dual EC DRBG standard. The Times reports that the NSA then pushed its backdoored standard through the International Organization for Standardization and the Canadian Communications Security Establishment.
I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA’s actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that makes it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
Unsealed Lavabit docs show that Feds demanded SSL keys
Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show
As F.B.I. Pursued Snowden, an E-Mail Service Stood Firm
Lavabit got order for Snowden’s login info, then gov’t demanded site’s SSL key
How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID
The NSA and cryptography
Cracked credibility
To be safe, the internet needs reliable encryption. But the standards, software and hardware it uses are vulnerable
Sep 14th 2013 | LONDON AND SAN FRANCISCO |From the print edition
http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and
“Have important meetings naked, in newly ploughed field, at night, in a howling gale. Failing that, draw curtains, sweep for bugs, mutter and avoid direct factual references.
Silk Road’s Downfall Killed the Dream of the Dark Net
It’s a dark time on the Dark Net. This Tuesday the FBI shuttered Silk Road, a drug market that operated for more than two years with impunity. The Silk Road helped popularize the Dark Net as the Mall of Anarcho-Capitalism, where illegal drugs, stolen credit cards, child porn and weapons are traded openly. But a series of high-profile busts has seriously undermined the premise of the Dark Net.
In fact the mood on the shadow web went sour weeks ago. “There’s been so much doubt about it recently,” I was told by a guy who calls himself Heisenberg 2.0 last week, before the Silk Road fell. Heisenberg has been directly affected by the Dark Net blues. He was the former social marketing maven for the underground online drug market Atlantis, a Silk Road competitor, but now he’s out of a job. Atlantis abruptly shut down last month, citing “security reasons”, in a move that now seems eerily prophetic.
A Court Order is an Insider Attack
Commentators on the Lavabit case, including the judge himself, have criticized Lavabit for designing its system in a way that resisted court-ordered access to user data. They ask: If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access?
The answer is simple but subtle: There are good reasons to protect against insider attacks, and a court order is an insider attack.
To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.
From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.
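The argument above can be made concrete in code. The following is an added illustration, not Lavabit’s or any real provider’s design: a store where keys are derived on the client from the user’s passphrase, so the server’s export path yields the same opaque ciphertext whoever asks for it and why. The HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a toy construction standing in for a real AEAD; the user names, passphrase and salt are constructed sample values.

```python
import hashlib
import hmac
import os

# Added illustration of "a court order is an insider attack"; not Lavabit's or
# Guavabit's real design. Keys are derived client-side from the passphrase, so
# the server only ever holds ciphertext. The toy HMAC-SHA256 counter-mode cipher
# with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM.


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Client-side key derivation; the server never sees passphrase or key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one user key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MailServer:
    """Stores opaque blobs per user. It never holds a decryption key."""

    def __init__(self) -> None:
        self.mailbox: dict = {}

    def store(self, user: str, blob: bytes) -> None:
        self.mailbox.setdefault(user, []).append(blob)

    def export_user_data(self, user: str, requester: str) -> list:
        # Whether `requester` is a court order or a bribed employee's cartel
        # contact is invisible here: one code path, and it yields ciphertext only.
        return list(self.mailbox.get(user, []))


class Client:
    def __init__(self, user: str, passphrase: str, salt: bytes) -> None:
        self.user = user
        self.key = derive_key(passphrase, salt)

    def send(self, server: MailServer, message: bytes) -> None:
        server.store(self.user, encrypt(self.key, message))

    def read(self, server: MailServer) -> list:
        return [decrypt(self.key, b) for b in server.export_user_data(self.user, self.user)]


def insider_attack_demo() -> dict:
    """Run both insider scenarios against one server and report what each yields."""
    server = MailServer()
    salt = b"constructed-salt"  # constructed sample value
    alice = Client("alice", "correct horse battery staple", salt)  # constructed
    alice.send(server, b"meet at the usual place")

    court_order = server.export_user_data("alice", "government, with court order")
    bribe = server.export_user_data("alice", "cartel, via bribed employee")

    insider_can_read = True
    try:
        # The insider has the server and the salt, but not the passphrase.
        decrypt(derive_key("guess", salt), court_order[0])
    except ValueError:
        insider_can_read = False

    return {
        "exports_identical": court_order == bribe,
        "insider_can_read": insider_can_read,
        "user_can_read": alice.read(server) == [b"meet at the usual place"],
    }


if __name__ == "__main__":
    print(insider_attack_demo())
```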
In June, the Guardian disclosed the existence of GCHQ’s Tempora internet surveillance programme. It uses intercepts on the fibre-optic cables that make up the backbone of the internet to gain access to vast swaths of internet users’ personal data. The intercepts are placed in the UK and overseas, with the knowledge of companies owning either the cables or landing stations.
http://www.theguardian.com/uk-news/2013/oct/25/leaked-memos-gchq-mass-surveillance-secret-snowden
GCHQ taps fibre-optic cables for secret access to world’s communications
http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa
The GCHQ mass tapping operation has been built up over five years by attaching intercept probes to transatlantic fibre-optic cables where they land on British shores carrying data to western Europe from telephone exchanges and internet servers in north America.
This was done under secret agreements with commercial companies, described in one document as “intercept partners”.
The papers seen by the Guardian suggest some companies have been paid for the cost of their co-operation and GCHQ went to great lengths to keep their names secret. They were assigned “sensitive relationship teams” and staff were urged in one internal guidance paper to disguise the origin of “special source” material in their reports for fear that the role of the companies as intercept partners would cause “high-level political fallout”.
The internet backbone — the infrastructure of networks upon which internet traffic travels — went from being a passive infrastructure for communication to an active weapon for attacks.
According to revelations about the QUANTUM program, the NSA can “shoot” (their words) an exploit at any target it desires as his or her traffic passes across the backbone. It appears that the NSA and GCHQ were the first to turn the internet backbone into a weapon; absent Snowdens of their own, other countries may do the same and then say, “It wasn’t us. And even if it was, you started it.”
If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgacom to enable covert wiretaps, France can do the same to AT&T. If the Canadians target the Brazilian Ministry of Mines and Energy, the Chinese can target the U.S. Department of the Interior. We now live in a world where, if we are lucky, our attackers may be every country our traffic passes through except our own.
Which means the rest of us — and especially any company or individual whose operations are economically or politically significant — are now targets. All cleartext traffic is not just information being sent from sender to receiver, but is a possible attack vector.
SECURITY guards (at least the good ones) are paid to be paranoid. Computer-security researchers are the same. Many had long suspected that governments use the internet not only to keep tabs on particular targets, but also to snoop on entire populations. But suspicions are not facts. So when newspapers began publishing documents leaked by Edward Snowden, once employed as a contractor by America’s National Security Agency (NSA), the world’s most munificently funded electronic spy agency, those researchers sat up.
They were especially incensed by leaks published in September by the Guardian and the New York Times, which suggested that American spooks (with help from their British counterparts) had been working quietly for years to subvert and undermine the cryptographic software and standards which make secure communication over the internet possible. “At that point”, says Matthew Green, a cryptographer at Johns Hopkins University, “people started to get really upset.”
On November 6th a meeting in Vancouver of the Internet Engineering Task Force (IETF), an organisation which brings together the scientists, technicians and programmers who built the internet in the first place and whose behind-the-scenes efforts keep it running, debated what to do about all this. A strong streak of West Coast libertarianism still runs through the IETF, and the tone was mostly hostile to the idea of omnipresent surveillance. Some of its members were involved in creating the parts of the internet that spooks are now exploiting. “I think we should treat this as an attack,” said Stephen Farrell, a computer scientist from Trinity College, Dublin, in his presentation to the delegates. Discussion then moved on to what should be done to thwart it.
…
Other security experts are re-examining existing products. Dr Green and his colleague Kenn White are leading a forensic audit of Truecrypt, a popular program that enciphers a user’s hard disks but which displays some odd-looking behaviour and has rather murky origins (it is open-source, but its designers are anonymous, and are thought to live in eastern Europe).
…
“There’s a lot of anger out there,” says Christopher Soghoian, principal technologist at the American Civil Liberties Union, a lobbying group. “I’ve seen two blog posts by Google engineers in the last three days that contained the words ‘fuck you, NSA’.” Google has brought forward a programme to encrypt traffic between its data centres, which should make life harder for spies. Yahoo has promised similar measures and Twitter (a big social-media site) is considering them.
Wyden, who said that he has had “several spirited discussions” with Obama, is not optimistic. “It really seems like General Clapper, the intelligence leadership, and the lawyers drive this in terms of how decisions get made at the White House,” he told me. It is evident from the Snowden leaks that Obama inherited a regime of dragnet surveillance that often operated outside the law and raised serious constitutional questions. Instead of shutting down or scaling back the programs, Obama has worked to bring them into narrow compliance with rules—set forth by a court that operates in secret—that often contradict the views on surveillance that he strongly expressed when he was a senator and a Presidential candidate.
Exclusive: Secret contract tied NSA and security industry pioneer
NSA had secret deal on back-doored crypto with security firm RSA, Snowden docs reveal
NSA Paid Security Company to Adopt Weakened Encryption Standards
…
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
Yes, it may be true that RSA engineers didn’t know Dual EC_DRBG was dangerously weak in 2004, when they made it the BSAFE default. But by 2007—when researchers from Microsoft devised an attack that allowed adversaries to guess any key created with the PRNG with relatively little work—the weakness was abundantly clear. Whether RSA didn’t notice the glaring insecurity or was contractually prevented from demoting or speaking out against Dual EC_DRBG is unknown. In either case, RSA allowed BSAFE to favor an algorithm known to be unsafe for more than five years, and thanks to a contract that was never publicly disclosed, RSA profited from that action. That hardly endorses RSA or its products.
How the NSA Threatens National Security
Our choice isn’t between a digital world where the agency can eavesdrop and one where it cannot; our choice is between a digital world that is vulnerable to any attacker and one that is secure for all users.
Malware is a tool that most states have in their toolbox, and Vietnam is no exception. For the last several years, the communist government of Vietnam has used malware and RATs to spy on journalists, activists, dissidents, and bloggers, while it cracks down on dissent. Vietnam’s Internet spying campaign dates back to at least March 2010, when engineers at Google discovered malware broadly targeting Vietnamese computer users. The infected machines were used to spy on their owners as well as participating in DDoS attacks against dissident websites. The Vietnamese government has cracked down sharply on anti-government bloggers, who represent the country’s only independent press. It is currently holding 18 bloggers and journalists, 14 from a year earlier, according to a report issued by the Committee to Protect Journalists in 2013.
http://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal
Did you use TorMail? If so, ‘the FBI Has Your Inbox’
Now we know Ottawa can snoop on any Canadian. What are we going to do?
…
What’s this mean for Canadians? When you go to the airport and flip open your phone to get your flight status, the government could have a record. When you check into your hotel and log on to the Internet, there’s another data point that could be collected. When you surf the Web at the local cafe hotspot, the spies could be watching. Even if you’re just going about your usual routine at your place of work, they may be following your communications trail.
Ingenious? Yes. Audacious? Yes. Unlawful? Time for the courts to decide. With regard to recent revelations, Canadian government officials have strenuously denied doing what is clearly described in this presentation. On 19 September 2013, CSEC chief John Forster was quoted by the Globe and Mail saying “CSEC does not direct its activities at Canadians and is prohibited by law from doing so.” In response to a lawsuit launched by the British Columbia Civil Liberties Association against the Government of Canada, CSEC admitted that there “may be circumstances in which incidental interception of private communications or information about Canadians will occur.” Only in Orwell-speak would what is contained in these presentations be described as “incidental” or “not directed at Canadians.” Then again, an Orwellian society is what we are in danger of becoming.
The revelations require an immediate response. They throw into sharp relief the obvious inadequacy of the existing “oversight” mechanism, which operates entirely within the security tent. They cast into doubt all government statements made about the limits of such programs. They raise the alarming prospect that Canada’s intelligence agencies may be routinely obtaining data on Canadian citizens from private companies – which includes revealing personal data – on the basis of a unilateral and highly dubious definition of “metadata” (the information sent by cellphones and mobile devices describing their location, numbers called and so on) as somehow not being “communications.” Such operations go well beyond invasions of privacy; the potential for the abuse of unchecked power contained here is practically limitless.
** Snowden document reveals CSEC used wi-fi to track Canadians (https://citizenlab.org/2014/01/snowden-documents-reveal-csec-used-airport-wi-fi-track-canadians/?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437)
————————————————————
A top secret document leaked by US whistleblower Edward Snowden and obtained by CBC News shows that “Canada’s electronic spy agency, the Communications Security Establishment Canada (CSEC), used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal.” The document was reviewed by Citizen Lab Director Ron Deibert, who said the clandestine operation by the CSEC was “almost certainly illegal.”
Read the full coverage on the CBC (http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-travellers-edward-snowden-documents-1.2517881?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437) and Deibert’s editorial in the Globe and Mail (http://www.theglobeandmail.com/globe-debate/now-we-know-ottawa-can-snoop-on-any-canadian-what-are-we-going-to-do/article16625310/%3Cbr%20/%3E?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437) . See more media coverage in CBC The National (http://www.cbc.ca/player/News/TV%20Shows/The%20National/ID/2433957387/?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437) (video) and CBC Metro Morning (http://www.cbc.ca/metromorning/episodes/2014/01/31/spying-at-airports/?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437) .
—
** Towards Transparency in Canadian Telecommunications (https://citizenlab.org/2014/01/towards-transparency-canadian-telecommunications/?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437)
————————————————————
The Citizen Lab, along with other Canadian scholars and civil liberties organizations, issued a letter on 22 January to the country’s Internet and phone service providers asking how, when, and why they disclose private and personal information to agents of the state. The letter asked that many of Canada’s most preeminent telecommunications companies disclose the kinds, amounts, and regularity at which state agencies request telecommunications data pertaining to Canadians. See the coverage of the campaign in the Globe and Mail (http://www.theglobeandmail.com/news/national/telecom-firms-being-asked-what-data-they-are-giving-to-police-intelligence-agencies/article16455076/?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437) , Toronto Star (http://www.thestar.com/business/tech_news/2014/01/24/why_canadas_telecoms_should_come_clean_about_customer_information_geist.html?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437) , Ottawa Citizen (http://www.ottawacitizen.com/news/Reveal+extent+government+data+surveillance+campaign+asks+telecom+companies/9418668/story.html?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437) , and The
Wire Report (http://www.thewirereport.ca/briefs/2014/01/22/academics-ask-telecoms-about-information-disclosure-to-government/27753?utm_source=Non+Media+Mailing+List&utm_campaign=57579713a6-CLBriefing_January_2014_Non_Media&utm_medium=email&utm_term=0_94857f7409-57579713a6-300699437) .
The Internet is Broken–Act Accordingly
PUNTA CANA–Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab’s Global Research and Analysis Team has been doing for the last few years, and he has first-hand knowledge of the depth and breadth of the tactics that top-tier attackers are using.
So when Raiu says he conducts his online activities under the assumption that his movements are being monitored by government hackers, it is not meant as a scare tactic. It is a simple statement of fact.
“I operate under the principle that my computer is owned by at least three governments,” Raiu said during a presentation he gave to industry analysts at the company’s analyst summit here on Thursday.
The comment drew some chuckles from the audience, but Raiu was not joking. Security experts for years have been telling users–especially enterprise users–to assume that their network or PC is compromised. The reasoning is that if you assume you’re owned then you’ll be more cautious about what you do. It’s the technical equivalent of telling a child to behave as if his mother is watching everything he does. It doesn’t always work, but it can’t hurt.
Raiu and his fellow researchers around the world are obvious targets for highly skilled attackers of all stripes. They spend their days analyzing new attack techniques and working out methods for countering them. Intelligence agencies, APT groups and cybercrime gangs all would love to know what researchers know and how they get their information. Just about every researcher has a story about being attacked or compromised at some point. It’s an occupational hazard.
If law enforcement gets hold of your locked iPhone and has some interest in its contents, Apple can pull all kinds of content from the device, including texts, contacts, photos and videos, call history and audio recordings.
The company said in a new document that provides guidance for law enforcement agencies on the kinds of information Apple can provide and what methods can be used to obtain it that if served with a search warrant, officials will help law enforcement agents extract specific application-specific data from a locked iOS device. However, that data appears to be limited to information related to Apple apps, such as iMessage, the contacts and the camera.
…
Interestingly, Apple said that its technicians can only extract the data from a locked iOS device at the company’s headquarters in Cupertino, Calif. And law enforcement officials need to provide their own removable media in order to store the extracted data.
…
However, Apple said that because of the way that its Find My iPhone feature works, the company can’t provide historical location data for a given device or turn on that feature remotely. It also says that Apple doesn’t have GPS data for iOS devices.
Photo of NSA technicians sabotaging Cisco router prior to export
—
Photos of an NSA “upgrade” factory show Cisco router getting implant
Servers, routers get “beacons” implanted at secret locations by NSA’s TAO team
I am regularly asked what is the most surprising thing about the Snowden NSA documents. It’s this: the NSA is not made of magic. Its tools are no different from what we have in our world, it’s just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the backbone. The NSA breaks crypto not with super-secret cryptanalysis, but by using standard hacking tricks such as exploiting weak implementations and default keys. Its TAO implants are straightforward enhancements of attack tools developed by researchers, academics, and hackers; here’s a computer the size of a grain of rice, if you want to make your own such tools. The NSA’s collection and analysis tools are basically what you’d expect if you thought about it for a while.
The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:
GLASSBACK: Technique of getting a target’s IP address by pretending to be a spammer and ringing them. Target does not need to answer.
MINIATURE HERO: Active Skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.
MOUTH: Tool for collection for downloading a user’s files from Archive.org.
PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.
SILVER SPECTOR: Allows batch Nmap scanning over Tor.
SPRING BISHOP: Find private photographs of targets on Facebook.
ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.
BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.
BOMB BAY: is the capacity to increase website hits/rankings.
BURLESQUE: is the capacity to send spoofed SMS messages.
CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.
CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.
GATEWAY: Ability to artificially increase traffic to a website.
GESTATOR: amplification of a given message, normally video, on popular multimedia websites (YouTube).
SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.
SUNBLOCK: Ability to deny functionality to send/receive email or view material online.
SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a target’s machine.
UNDERPASS: Change outcome of online polls (previously known as NUBILO).
WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.
HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.
HUSK: Secure one-on-one web based dead-drop messaging platform.
The FBI Is Infecting Tor Users With Malware With Drive-By Downloads
For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system. The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it’s also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants.
Dread Pirate Sunk By Leaky CAPTCHA
“The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined.”
“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”
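The misconfiguration the affidavit describes, a login-page component reachable at the server’s real address, is the kind of thing a hidden-service operator can check for before going live. The following is an added defensive check, not code from the case or from the Tor Project: it scans the HTML a service serves and flags any tag attribute that sends the visitor to an origin other than the service’s own .onion host. The .onion name, the 203.0.113.10 documentation address and the sample page are all constructed.

```python
import ipaddress
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Added defensive check (not from the Silk Road case or from Tor). It looks for
# references in served HTML that point off the service's own .onion origin, the
# kind of misconfiguration that exposes a hidden service's real address.

URL_ATTRIBUTES = {"src", "href", "action", "data", "poster", "formaction"}


class _RefCollector(HTMLParser):
    """Collects every (tag, attribute, url) triple that can cause a fetch."""

    def __init__(self) -> None:
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRIBUTES and value:
                self.refs.append((tag, name, value.strip()))


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_reference(url: str, onion_host: str) -> Optional[str]:
    """Return a finding for `url`, or None if it stays on the onion origin."""
    if url.startswith(("data:", "mailto:", "javascript:", "#")):
        return None
    # Protocol-relative URLs ("//host/...") still name a foreign host.
    parts = urlsplit("http:" + url if url.startswith("//") else url)
    host = parts.hostname
    if host is None:             # relative path: same origin as the page
        return None
    if host == onion_host.lower():
        return None
    if _is_ip_literal(host):
        return "ip-literal"      # a routable address exposed directly
    if host.endswith(".onion"):
        return "other-onion"     # stays inside Tor, but still worth reviewing
    return "clearnet-host"       # a DNS name resolved and fetched outside Tor


def find_non_onion_references(html: str, onion_host: str) -> list:
    """List every tag attribute that points a visitor off the .onion origin."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.refs:
        reason = classify_reference(url, onion_host)
        if reason is not None:
            findings.append({"tag": tag, "attr": attr, "url": url, "reason": reason})
    return findings


# Constructed sample page: a login form whose CAPTCHA image is served from a bare
# IP (203.0.113.10 is a documentation address), plus relative and foreign links.
SAMPLE_ONION = "exampleexampleexample.onion"   # placeholder, not a real service
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="/static/login.css"></head>
<body>
<form action="http://exampleexampleexample.onion/login" method="post">
  <img src="http://203.0.113.10/captcha.php?id=42" alt="captcha">
  <script src="//cdn.example.com/jquery.js"></script>
  <input type="submit" value="Log in">
</form>
</body></html>
"""


if __name__ == "__main__":
    for f in find_non_onion_references(SAMPLE_HTML, SAMPLE_ONION):
        print(f"{f['reason']:14} <{f['tag']} {f['attr']}=...> {f['url']}")
```

This is a content-level check only; it complements, rather than replaces, confirming that the web server binds solely to localhost and that no non-Tor source addresses appear in outbound traffic.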
At 1:30pm on Christmas Eve, the NSA dumped a huge cache of documents on its website in response to a long-fought ACLU Freedom of Information Act request, including documents that reveal criminal wrongdoing.
The dump consists of its quarterly and annual reports to the President’s Intelligence Oversight Board from Q4/2001 to Q1/2013. They were heavily redacted prior to release, but even so, they reveal that the NSA illegally spied on Americans, including a parade of user-errors in which NSA operatives accidentally spied on themselves, raided their spouses’ data, and made self-serving errors in their interpretation of the rules under which they were allowed to gather and search data.
The NSA admits that its analysts “deliberately ignored restrictions on their authority to spy on Americans multiple times in the past decade.”
—
U.S. Spy Agency Reports Improper Surveillance of Americans
The National Security Agency today released reports on intelligence collection that may have violated the law or U.S. policy over more than a decade, including unauthorized surveillance of Americans’ overseas communications.
The NSA’s inspector general last year detailed 12 cases of “intentional misuse” of intelligence authorities from 2003 to 2013 in a letter to Senator Charles Grassley, of Iowa, the top Republican on the Senate Judiciary Committee.
Those cases included a member of a U.S. military intelligence unit who violated policy by obtaining the communications of his wife, who was stationed in another country. After a military proceeding, the violator was punished by a reduction in rank, 45 days of extra duty and forfeiture of half of his pay for two months, according to the letter.
In a 2003 case, a civilian employee ordered intelligence collection “of the telephone number of his foreign-national girlfriend without an authorized purpose for approximately one month” to determine whether she was being faithful to him, according to the letter. The employee retired before an investigation could be completed.
FBI Access To NSA Surveillance Data Expands In Recent Years
The FBI’s access to email and other data collected from overseas targets in the NSA’s Prism program has been growing since 2008, according to a 2012 U.S. Department of Justice inspector general’s report declassified last Friday by the DOJ in response to a Freedom of Information Act request by the New York Times. Here are some of the milestones mentioned in the report: In 2008, the FBI began reviewing email accounts targeted by the NSA through the Prism program. In October 2009, the FBI requested that information collected under the Prism program be ‘dual routed’ to both the NSA and the FBI so that the FBI ‘could retain this data for analysis and dissemination in intelligence reports.’ And in April 2012, the FBI began nominating email addresses and phone numbers that the NSA should target in its surveillance program, according to the document.
Watching Everyone: NSA Hides Snooper Spyware on Gov’t Hard Drives Worldwide
Equation Group: The Backdoors Spying on Most of the World’s Hard Drives
Russian researchers expose ‘NSA’s Secret Weapon’: Outrage as program which enables America to spy on every home computer is uncovered
The Great SIM Heist
How Spies Stole the Keys to the Encryption Castle
The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.
In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”
With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.
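The paragraph above states three consequences of bulk Ki theft: no need for carrier cooperation, no trace on the carrier's network, and retroactive decryption of stored intercepts. All three follow from one structural fact about SIM authentication: the network sends a random challenge in the clear, and the session key is computed from that challenge and Ki alone. The model below is an added example, not code from the article or from any telecom standard; it keeps the key-management structure of GSM (challenge RAND, response SRES, session key Kc) but substitutes HMAC-SHA256 for the real A3/A8 algorithms (COMP128, Milenage) and an HMAC keystream for the A5 cipher, which is an assumption for illustration only.

```python
"""Why a stolen SIM key (Ki) turns a passive eavesdropper into a decryptor.

Added example. Real networks use COMP128/Milenage for A3/A8 and A5 for the
air-interface cipher; HMAC-SHA256 stands in for all of them here (assumption),
so only the key-management structure is faithful, not the algorithms."""
import hashlib
import hmac
import os


def a3_a8(ki, rand):
    """Derive (SRES, Kc) from the subscriber key and the network's challenge.

    SRES is the 32-bit authentication response sent back to the network;
    Kc is the 64-bit session key that never leaves the SIM or the carrier's HLR."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def keystream(kc, frame, length):
    """Stand-in for the A5 keystream: PRF(Kc, frame number || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = frame.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(kc, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(kc, frame, data):
    """Stream cipher: XOR with the keystream (decryption is the same operation)."""
    return bytes(a ^ b for a, b in zip(data, keystream(kc, frame, len(data))))


def authenticate(sim_ki, hlr_ki, rand):
    """Both sides run A3/A8; the network only accepts the phone if SRES matches."""
    sres_phone, kc_phone = a3_a8(sim_ki, rand)
    sres_net, kc_net = a3_a8(hlr_ki, rand)
    return hmac.compare_digest(sres_phone, sres_net), kc_phone, kc_net


def simulate_session(ki, message, frame=1, rand=None):
    """Return what an eavesdropper on the air interface can record:
    the plaintext challenge RAND and the ciphertext. Kc itself is never sent."""
    rand = rand or os.urandom(16)
    ok, kc, _ = authenticate(ki, ki, rand)
    assert ok
    return rand, encrypt(kc, frame, message)


def passive_decrypt(stolen_ki, rand, frame, ciphertext):
    """Recover the session key from Ki and the observed RAND, then decrypt.

    Nothing here contacts the carrier, and it works just as well on a capture
    recorded years earlier, which is the retroactive-decryption point."""
    _, kc = a3_a8(stolen_ki, rand)
    return encrypt(kc, frame, ciphertext)


if __name__ == "__main__":
    ki = os.urandom(16)                      # constructed subscriber key
    rand, ct = simulate_session(ki, b"meet at noon")
    print(passive_decrypt(ki, rand, 1, ct))  # holder of Ki reads the message
    print(passive_decrypt(os.urandom(16), rand, 1, ct))  # anyone else does not
```

The defensive reading is that the whole system's confidentiality rests on Ki being generated and handled so that it exists only inside the SIM and inside the carrier's authentication centre; the moment a bulk file of Ki values leaves that path, the article's three consequences apply to every subscriber in the file, with no per-target action visible to the carrier.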
Greatest Threat to Free Speech Comes Not From Terrorism, But From Those Claiming to Fight It
* Canadian authorities have received expansive new powers, with more planned, that have increased authorities’ powers to conduct telecommunications surveillance. Moreover, the ‘official’ modes of surveillance (used by police and other domestic agencies to conduct surveillance) may soon be amplified should C-51 be passed into law and CSE consequently expands its domestic and foreign collaborations with CSIS
* Canadian telecommunications and government representatives work within international standards-setting forums to develop new modes of intercepting communications. Rogers Communications, in particular, has been involved in a European standards body (ETSI) and has proposed ways of defeating some forms of end-to-end encryption, discussed challenges of deploying a lawful-intercept compliant Dropbox competitor, and raised concerns about how Canadian lawful access legislation may force updates to how lawful interception is conceived
* Telecom companies’ transparency reports are a good, first, step but are lacking details needed to contextualize how often, and what kinds of, surveillance is being conducted on Canadians. Details on the kinds of legal requests (e.g. for interceptions, for stored data, etc), their annual totals, as well as subscribers affected must be added in future reports. Moreover, these companies must release information about how long they retain data as well as how they work with government to lawfully disclose Canadians’ telecommunications data to government agencies
* Federal government watchdogs – such as CSE’s oversight commission, CSIS’s review board (SIRC), and the Privacy Commissioner of Canada – are largely unable to assure Canadians that telecommunications surveillance is occurring lawfully. These agencies cannot effectively coordinate with one another, have stunted mandates, and are under resourced. These limitations are made worse by the fact that the annual interception reports tabled by federal and provincial governments are relics of the 1970s: they do not include the contemporary modes of surveillance that are most commonly used by government agencies and, in the case of provinces, are rarely placed online. Consequently it is almost impossible to know how many interceptions of government communications, let alone other kinds of telecommunications surveillance, take place annually in Canada
* The result of the large amount of surveillance, often authorized by secret regulation or enabled through largely closed-door standards negotiations, is that neither Canadians nor their elected representatives can effectively debate or raise questions about contemporary surveillance practices. Consequently, companies’ products may be treated with skepticism and, more significantly, the democratic deficit between citizens and their governments may broaden
Latest Privacy Revelations Show It’s Up to Canadians to Protect Themselves
The most important self-help step? Get into encryption.
By Michael Geist, Yesterday, TheTyee.ca
FBI has fleet of secret spy planes with tech to identify people through their cellphones
Who needs Alex Jones to feed your paranoid fantasies about the authoritarian panopticon when you have the FBI to do it for you? The Associated Press has identified at least 50 small planes used by the FBI to spy on Americans in “both major cities and rural areas.” The planes are equipped with sophisticated technology that can identify people through the cell phones they carry. And they aren’t the only government organization that uses these tools.
Divining the capabilities of the FBI’s ubiquitous spy aircraft
The FBI has filled the skies of America’s cities with covert aircraft, crisscrossing overhead, bristling with sensors and cloaked in mystery, from the shell companies that own them to the obfuscated tail-numbers they sport.
The FBI won’t talk about the capabilities or uses of their planes, but we can make some good guesses at their capabilities, thanks to the NYPD. The nation’s largest police force did a lot of ill-advised bragging about its $10M spy helicopter, and since then, there’s been a steady leak of good technical detail of what a state-of-the-art spy aircraft is likely doing when it passes overhead.
…
Spy equipment added to the NYPD helicopter in 2003 includes a WESCAM MX-15 Video Imaging System, also described as a Thermal Imager, and a WESCAM SkyPod B Airborne Microwave Transmission System. The latter includes a GPS receiver that allows the camera to zoom in on specified locations.
Additionally, there is a Comant CI 405 GPS antenna installed on the cockpit roof, a Chelton 931-8 Direction Finding system and a Datong Tracking System “for tracking targeted electronic beacons.” The latter presumably is for monitoring GPS trackers that law enforcement agencies place surreptitiously on vehicles.
For the first time ever, a judge has invalidated a secret Patriot Act warrant
…
U.S. District Judge Victor Marrero’s decision invalidated the gag order in full, finding no “good reason” to prevent Merrill from speaking about any aspect of the NSL, particularly an attachment to the NSL that lists the specific types of “electronic communication transactional records” (“ECTR”) that the FBI believed it was authorized to demand. The FBI has long refused to clarify what kinds of information it sweeps up under the rubric of ECTR, a phrase that appears in the NSL statute but is not publicly defined anywhere.
Judge Marrero’s decision describes the FBI’s position as “extreme and overly broad,” affirming that “Courts cannot, consistent with the First Amendment, simply accept the Government’s assertions that disclosure would implicate and create a risk.” The Court observed that, according to the government, Mr. Merrill would only be allowed to discuss the kinds of records the FBI demanded in “a world in which no threat of terrorism exists, or a world in which the FBI, acting on its own accord and its own time, decides to disclose the contents of the Attachment.” The Court decisively rejected this position: “Such a result implicates serious issues, both with respect to the First Amendment and accountability of the government to the people.”
Smurfs vs phones: GCHQ’s smartphone malware can take pics, listen in even when phone is off
…
“Dreamy Smurf is the power management tool which means turning your phone on and off with you knowing,” he said.
“Nosey Smurf is the ‘hot mic’ tool. For example if it’s in your pocket, [GCHQ] can turn the microphone on and listen to everything that’s going on around you – even if your phone is switched off because they’ve got the other tools for turning it on.
“Tracker Smurf is a geo-location tool which allows [GCHQ] to follow you with a greater precision than you would get from the typical triangulation of cellphone towers.”
Mr Snowden also referred to a tool known as Paranoid Smurf.
“It’s a self-protection tool that’s used to armour [GCHQ’s] manipulation of your phone. For example, if you wanted to take the phone in to get it serviced because you saw something strange going on or you suspected something was wrong, it makes it much more difficult for any technician to realise that anything’s gone amiss.”
Home Secretary Theresa May has introduced the long-awaited, frequently assayed Snoopers’ Charter, and it is a complete disaster.
In the new bill, May says that she will ban products that use end-to-end encryption, whereby the company that made the product can’t tell how it’s being used. She seems to think that all this will require is orders to Facebook, Apple, Google and perhaps a couple of smaller players to get them to re-engineer their products so that all messages get decrypted at their data-centres, re-encrypted and passed on to their recipients.
She is wrong.
End-to-end encryption can be accomplished with literally thousands of products, many of them free/open source software that can be downloaded from tens of thousands of websites, including websites like Github that are indispensable to UK industry and cannot be blocked without crippling the economy. Even the Chinese government was unable to block Github.
This means that anyone who wants to communicate in a way that cannot be intercepted needs only to go on using the tools that they use presently. It means that anyone who wants to communicate in a way that the government can’t intercept can download software from any of many, many, many sites and they’re home free.
“The government is insisting that every service provider stockpile massive quantities of unstable toxic personal information, and simultaneously taking measures to make those stockpiles much, much less secure.”
Britons’ Internet access bills will soar to pay for Snoopers Charter
Did the FBI pay Carnegie Mellon $1 million to identify and attack Tor users?
UK Snooper’s Charter “would put an invisible landmine under every security researcher”
Respected UK tech elder statesman and journalist Rupert Goodwins blasts the UK government’s plan to impose secret gag-orders on researchers who discover government-inserted security flaws in widely used products, with prison sentences of up to a year for blowing the whistle or even mentioning the gag orders in a court of law.
These gag-orders short-circuit the normal — and vital — process of independent security research, which involves continuous auditing and assessment of digital tools, followed by a staged disclosure of critical flaws — first to the vendor, then users, then the public.
FBI’s war on encryption is unnecessary because the Internet of Things will spy on us just fine
Maryland’s Attorney General: you consent to surveillance by turning on your phone
The FBI has ordered Apple to provide it backdoor access to the iPhone operating system, writes CEO Tim Cook in a letter to customers published Wednesday. Apple opposes the order, he says, because it would be impossible to do so without putting millions of customers’ privacy at risk.
https://boingboing.net/2016/02/17/fbi-demands-iphone-backdoor-ac.html
“Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.
The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.
The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”
This Is the Real Reason Apple Is Fighting the FBI
The first thing to understand about Apple’s latest fight with the FBI—over a court order to help unlock the deceased San Bernardino shooter’s phone—is that it has very little to do with the San Bernardino shooter’s phone.
It’s not even, really, the latest round of the Crypto Wars—the long running debate about how law enforcement and intelligence agencies can adapt to the growing ubiquity of uncrackable encryption tools.
Rather, it’s a fight over the future of high-tech surveillance, the trust infrastructure undergirding the global software ecosystem, and how far technology companies and software developers can be conscripted as unwilling suppliers of hacking tools for governments. It’s also the public face of a conflict that will undoubtedly be continued in secret—and is likely already well underway.
…
3. The consequences of a precedent permitting this sort of coding conscription are likely to be enormous in scope. This summer, Manhattan District Attorney Cyrus Vance wrote that his office alone had encountered 74 iPhones it had been unable to open over a six-month period. Once it has been established that Apple can be forced to build one skeleton key, the inevitable flood of similar requests—from governments at all levels, foreign and domestic—could effectively force Apple and its peers to develop internal departments dedicated to building spyware for governments, just as many already have full-time compliance teams dedicated to dealing with ordinary search warrants.
This would create an internal conflict of interest: The same company must work to both secure its products and to undermine that security—and the better it does at the first job, the larger the headaches it creates for itself in doing the second. It would also, as Apple’s Cook has argued, make it far more difficult to prevent those cracking tools from escaping into the wild or being replicated.
4. Most ominously, the effects of a win for the FBI in this case almost certainly won’t be limited to smartphones. Over the past year I worked with a group of experts at Harvard Law School on a report that predicted governments will respond to the challenges encryption poses by turning to the burgeoning “Internet of Things” to create a global network of surveillance devices. Armed with code blessed by the developer’s secret key, governments will be able to deliver spyware in the form of trusted updates to a host of sensor-enabled appliances. Don’t just think of the webcam and microphone on your laptop, but voice-control devices like Amazon’s Echo, smart televisions, network routers, wearable computing devices and even Hello Barbie.
Many have been misinterpreting the portions of Apple’s public response letter with regards to the technique that might help break into the iPhone 5c being usable with other devices (if such a tool was created for other devices). This is not describing a technical issue, but is instead directly related to the later-mentioned issue of setting a precedent.
On a technical level, Apple could carry out the order by creating a RAM disk signed by the company’s production certificate for the specific ECID of the suspect’s iPhone. This solution would allow Apple to use existing technologies in the firmware file format to grant access to the phone ensuring that there is no possible way the same solution would work on another device.
The aspect that would actually affect the public is the fact that by doing this, Apple will show that breaking into an iPhone is “possible,” and allow the FBI to use this case in the future as leverage.
This is only possible on a technical level in very specific circumstances, but if Apple assists in this instance, then it paves the way for more unreasonable and technically difficult requests to be made. In those scenarios, it will be on Apple to try to explain why it cannot accommodate the new requests. The company will have to show definitively why it is different from the “last time” it assisted in a similar case, though there is no way to speculate on how exactly this might be leveraged.
https://bgr.com/2016/02/18/apple-fbi-backdoor-will-strafach-opinion/
US defence department funded Carnegie Mellon research to break Tor
Court documents show that the government funded apparently successful study into revealing identity of anonymity service users
…
The US government funded research into breaking the online anonymity service Tor, court documents have revealed.
Carnegie Mellon University carried out the research, funded by the US Department of Defense, which attempted to deanonymise users of the service.
Once the researchers reported success, some of the information, including the IP address of a user alleged to be on the staff of an online black market called Silk Road 2, was then subpoenaed by the FBI for use in an investigation into the market.
Adding a further wrinkle to the case is the fact that Tor is itself funded by the US government. The service, which works by encrypting communications and then relaying them between multiple users in its network in order to baffle outside surveillance and hide the identity of the two ends of the connection from the other, was initially developed by the US Naval Research Laboratory, and still receives money from the US Department of State and National Science Foundation.
Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist
FBI has accessed San Bernardino shooter’s phone without Apple’s help
https://www.sindark.com/genre/HideFromTheNSA.png
BlackBerry CEO responds to critics’ RCMP encryption key concerns
CTVNews.ca Staff
Published Monday, April 18, 2016 11:42AM EDT
BlackBerry’s CEO has responded to critics after it was revealed last week that the RCMP used a key to unlock approximately one million encrypted PIN-to-PIN messages sent between personal BlackBerry users since at least 2010.
BlackBerry CEO John Chen published a blog post on the company’s website Monday, noting that the company has always sought to “do what is right for the citizenry, within legal and ethical boundaries.”
“We have long been clear in our stance that tech companies as good corporate citizens should comply with reasonable lawful access,” Chen said.
“I have stated before that we are indeed in a dark place when companies put their reputations above the greater good.”
Chen said the company, headquartered in Waterloo, Ont., always strives to find a balance between “doing what’s right” for the greater good, and protecting citizens’ privacy. He pointed to an example from last November, when BlackBerry refused to give the Pakistan government access to its servers due to privacy concerns.
Supreme court grants FBI massive expansion of powers to hack computers | Technology | The Guardian
https://www.theguardian.com/technology/2016/apr/29/fbi-hacking-computers-warrants-supreme-court-congress
The US Congress has seven months to block a potentially massive expansion of the government’s ability to hack into suspects’ computers.
At the FBI’s request this week, the supreme court ruled that federal judges should be able to issue hacking warrants to federal law enforcement for anywhere in the US if the suspect has tried to hide their location, as criminal suspects are wont to do.
Additionally, the FBI could get authority to infiltrate any computer – regardless of the owner – if it has already been taken over by bad hackers.
Mounties used Stingrays to secretly surveil millions of Canadians for years
Motherboard used public records requests to extract 3,000+ pages of court docs from a massive 2010 RCMP mafia/drug bust in Montreal, codenamed “Project Clemenza,” which revealed the full extent of the Mounties’ secret use of Stingrays — AKA “IMSI Catchers,” the fake cellular towers that let cops covertly track whole populations by tricking their phones into revealing information about them.
Stingrays are a notorious nexus of secrecy: in the USA, their manufacturers collaborated with federal law enforcement to swear local cops to secrecy, going so far as to drop cases rather than reveal the use of Stingrays, and, in a few known cases, lying to judges. Feds even raided local cops and stole all documents related to Stingrays before they could be entered into evidence.
But even by those standards, the RCMP’s use of Stingrays is breathtakingly broad and out-of-control. The training materials that the agency uses for the devices show that they not only routinely use Stingrays to surveil regions in a radius of up to 2km in the course of investigations, but that they also retained this data indefinitely, creating permanent surveillance databases that recorded the locations and activities (including the calls) of literally millions of Canadians who had never come under any suspicion for any crime.
Yahoo didn’t install an NSA email scanner, it was a “buggy” NSA “rootkit”
Ex-Yahoo employees have spoken anonymously to Motherboard about the news that Yahoo had built an “email scanner” for a US security agency, likely the FBI or the NSA. These sources — at least one of whom worked on the security team — say that in actuality, the NSA or FBI had secretly installed a “rootkit” on Yahoo’s mail servers and that this was discovered by the Yahoo security team (who had not been apprised of it), who, believing the company had been hacked, sounded the alarm, only to have the company executives tell them that the US government had installed the tool.
Though ostensibly designed to strengthen local networks against malicious hackers, in fact the bill looks very much like a techno-nationalist Trojan horse. The law affects both domestic and foreign firms operating on the Chinese mainland and covers a wide range of activity relating to use of the internet and information and communications technologies (ICT). It will not come into force until June next year, so it is not yet clear how the rules will be implemented.
…
This is a headache for multinationals, which typically rely on cross-border flows of business data. Firms worry that the law will not only require expensive new investments but also increase the risk of data theft. Another thorny provision requires companies to get security certifications for important network equipment and software. Foreign firms fear this might be used to force them to turn over security keys and proprietary technologies, which could be passed on to state-owned rivals.
The availability of smartphones and other computing devices using commercial, network-based operating systems in military use enables developers to introduce innovative solutions that add efficiency and improve processes, but also exposes organizations to exploitation by adversaries. When it comes to military organizations, such compromise can lead to defeat.
A recent example is ‘Попр-Д30.apk’, an artillery support app developed in 2013 by an officer of the Ukrainian 55th Artillery Brigade. As the filename suggests, the app relates specifically to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today. According to the developer Yaroslav Sherstuk, the application computes the traditional manual process of positioning, planning and firing tables, thus dramatically reducing the time to fire the D-30. Although the app was not distributed in the open, Sherstuk claims it had a user base of 9000 users. (A video covering the artillery units using the application is shown below).
In-depth reverse engineering by CrowdStrike revealed that the original application package was ‘contaminated’, probably as early as 2014, by a Trojan identified as an Android variant of X-Agent. Its command and control protocol was closely linked to observed Windows variants of X-Agent, and it used the RC4 cipher with a very similar 50-byte base key.
“This is one of the most brazen cases of abuse we have ever seen,” said John Scott-Railton, a senior researcher at Citizen Lab. “It points to a total breakdown of government oversight in Mexico, and a complete failure of due diligence by the NSO Group.”
The legal case for the use of spyware in Mexico is uncertain. Only the federal and justice authorities can lawfully intercept private communications in Mexico, but require a court order to do so. However, Mr. García and others argue that spyware is more invasive than traditional forms of interception, and they say it is not clear what case the government would have to monitor the communications of health researchers and activists.
“I doubt these intrusions were approved by any judge,” Mr. García, of R3D, said.
“I’ll never bring my phone on an international flight again. Neither should you.”
Quincy Larson asks you to imagine “What’s the worst thing that could happen if the Customs and Border Patrol succeed in getting ahold of your unlocked phone?”
Well…
Think of all of the people you’ve ever called or emailed, and all the people you’re connected with on Facebook and LinkedIn. What are the chances that one of them has committed a serious crime, or will do so in the future?
Have you ever taken a photo at a protest, bought a controversial book on Amazon, or vented about an encounter with a police officer to a loved one? That information is now part of your permanent record, and could be dragged out as evidence against you if you ever end up in court.
There’s a movement within government to make all data from all departments available to all staff at a local, state, and federal level. The more places your data ends up, the larger a hacker’s “attack surface” is — that is, the more vulnerable your data is. A security breach in a single police station in the middle of nowhere could result in your data ending up in the hands of hackers — and potentially used against you from the shadows — for the rest of your life.
Cegłowski’s proposal is for a timed “trip mode” during which our social media only allows us to access a few days’ worth of material. It would be irrevocable, so you couldn’t be ordered to disable it during a border crossing.
Google already does this, but only for googlers. The Google employees I know who travel to China say that when they go abroad, their managers and IT support arrange to constrain their accounts, so they can only see a subset of their email and access a subset of Google’s internal servers while traveling, typically with an otherwise blank Chromebook that is dropped in a shredder when they return to the USA.
UK tourists to US may get asked to hand in passwords or be denied entry
Although mitigation options exist, lawyers warn attempts to protect personal data may be seen as ‘probable cause’ for searching
1Password’s new travel mode locks you out of your accounts while you’re travelling and crossing borders
Police now routinely crack and extract all phone data from arrestees
Muckrock filed Freedom of Information Requests with multiple US police forces to find out how they were using “mobile phone forensic extraction devices” — commercial devices that suck all the data out of peoples’ phones and make it available for offline browsing.
Canada: Trump shows us what happens when “good” politicians demand surveillance powers
…
I wrote about bill C-51, a reckless, sweeping mass surveillance bill that now-PM Trudeau got his MPs to support when he was in opposition, promising to reform the bill once he came to power.
The situation is analogous to Barack Obama’s history with mass surveillance in the USA: when Obama was a Senator, he shepherded legislation to immunize the phone companies for their complicity with illegal spying under GW Bush, promising to fix the situation when he came to power. Instead, he built out a fearsome surveillance apparatus that he handed to the paranoid, racist Donald Trump, who now gets to use that surveillance system to target his enemies, including 11 million undocumented people in America, and people of Muslim origin.
Now-PM Justin Trudeau has finally tabled some reforms to C-51, but they leave the bill’s worst provisions intact. Even if Canadians trust Trudeau to use these spying powers wisely, they can’t afford to bet that Trudeau’s successors will not abuse them.
—
What happens after the ‘good’ politicians give away our rights? Cory Doctorow shares a cautionary tale.
The spy powers that “good” politicians create are inevitably inherited by much worse politicians. If the Liberal government wants to safeguard its legacy and the future of Canadians, it will do better than Obama, brave the spy agencies, and make good on that promise of 2015. It will restore the right of Canadians to have a private life in an age where network surveillance can be used to comprehensively invade our personal lives, relationships and thoughts.
Within living memory, our loved ones were persecuted, hounded to suicide, imprisoned for activities that we recognize today as normal and right: being gay, smoking pot, demanding that settler governments honour their treaties with First Nations. The legitimization of these activities only took place because we had a private sphere in which to agitate for them.
Today, there are people you love, people I love, who sorrow over their secrets about their lives and values and ambitions, who will go to their graves with that sorrow in their minds — unless we give them the private space to choose the time and manner of their disclosure, so as to maximize the chances that we will be their allies in their struggles. If we are to stand on guard for the future of Canada, let us stand on guard for these people, for they are us.
Censorship in China
It was strange to read about the death of Liu Xiaobo, China’s foremost political dissident, only in foreign newspapers (“China’s conscience”, July 15th). But this is a country where strange things happen all the time. This summer, foreign television shows and films have mysteriously disappeared from almost all the popular video-streaming sites. Western talk shows have been banned. Since June social platforms have been prodding their users to register their real names.
Before it was deleted, I watched a biopic of Aung San Suu Kyi (using a pseudonym to avoid the censor). When she was in confinement for being Myanmar’s conscience, Ms Suu Kyi wrote “Freedom from Fear”. I wonder if Liu Xiaobo got a chance to do the same. We are often told by the government that the West’s influence will corrupt us and damage the younger generation. The truth is we fear the government more than any outside influence.
LU YANHAN
Suzhou, China
Canadian woman banned from US for life after border agent searches phone, finds email to doctor about drug use
Chinese man imprisoned for selling VPN access
In June, China started vigorously enforcing its ban on VPNs, ordering mobile app stores to end access to VPN services that hadn’t left a set of man-in-the-middle keys with the Chinese police.
ISO Rejects NSA Encryption Algorithms
The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It’s because the NSA is not trusted to put security ahead of surveillance.
The new surveillance state
Written By Shannon Kari
In the summer of 2011, a day after the ambush-style shooting death of Keith Brissett Jr., Peel Regional Police obtained a production order from a justice of the peace for a “tower dump” as part of the investigation.
The request permitted police to obtain subscriber data and call records of anyone who used their mobile devices near cell towers, in a location in Mississauga, just outside of Toronto. The immediate suspect was Sheldon Ranglin, who was believed to have shot Brissett to death in a revenge attack.
Ranglin was ultimately convicted of first-degree murder at trial nearly five years later, based on other evidence. None of the information turned over from the tower dump was put to the jury by the Crown. The many individuals who were not a target in the murder investigation yet had personal phone data turned over to the police were not notified of this fact because there is no legal requirement to do so. What happened to this information and with data that is obtained from any other tower dump production order is also unknown, because unlike traditional wiretap authorizations, reporting requirements are virtually non-existent.
Michael Moon, the defence lawyer who represented Ranglin, says tower dump requests are not unusual in Toronto-area murder investigations. “You can have thousands and thousands of people accessing the same tower,” says Moon, who heads Moon Rozier LPC in Brampton, Ont. Unless it uncovers information that may negatively impact a client, there is no reason for the defence to challenge these sweeping orders, he points out.
The Ranglin case is just one example of how police surveillance techniques have fundamentally changed as a result of new technologies. Instead of seeking court permission for traditional wiretaps, law enforcement will obtain orders to access an enormous volume of text messages or other mobile device data. Instead of listening to the wiretaps — or “wires” — police will utilize tower dumps or other devices, such as International Mobile Subscriber Identity — or IMSI — catchers, which impersonate actual cell towers and trick phones into attaching to them and disclosing phone log and location information.
Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core
A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.
privacytools.io
You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. privacytools.io provides knowledge and tools to protect your privacy against global mass surveillance.
Citizen Lab, CIPPIC analysis of the CSE Act
…
You can read a brief introduction to the report here. The full document is here.
News coverage:
Alex Boutilier, “Canada’s electronic spies will be able to launch cyber attacks with little oversight, report warns,” Toronto Star, 18 December 2017
Jim Bronskill, “‘Case not made’ for Liberal bill’s problematic cyberspy powers, researchers say,” Canadian Press, 18 December 2017
Chris Arsenault, “Canada’s spies are on the verge of new offensive powers for cyber attacks,” Vice News, 18 December 2017
Atlanta, Chicago, Dallas, Los Angeles, New York City, San Francisco, Seattle, and Washington, D.C. In each of these cities, The Intercept has identified an AT&T facility containing networking equipment that transports large quantities of internet traffic across the United States and the world. A body of evidence – including classified NSA documents, public records, and interviews with several former AT&T employees – indicates that the buildings are central to an NSA spying initiative that has for years monitored billions of emails, phone calls, and online chats passing across U.S. territory.
Apartheid with Chinese characteristics
China has turned Xinjiang into a police state like no other
Totalitarian determination and modern technology have produced a massive abuse of human rights
…
Under a system called fanghuiju, teams of half a dozen—composed of policemen or local officials and always including one Uighur speaker, which almost always means a Uighur—go from house to house compiling dossiers of personal information. Fanghuiju is short for “researching people’s conditions, improving people’s lives, winning people’s hearts”. But the party refers to the work as “eradicating tumours”. The teams—over 10,000 in rural areas in 2017—report on “extremist” behaviour such as not drinking alcohol, fasting during Ramadan and sporting long beards. They report back on the presence of “undesirable” items, such as Korans, or attitudes—such as an “ideological situation” that is not in wholehearted support of the party.
Since the spring of 2017, the information has been used to rank citizens’ “trustworthiness” using various criteria. People are deemed trustworthy, average or untrustworthy depending on how they fit into the following categories: 15 to 55 years old (ie, of military age); Uighur (the catalogue is explicitly racist: people are suspected merely on account of their ethnicity); unemployed; have religious knowledge; pray five times a day (freedom of worship is guaranteed by China’s constitution); have a passport; have visited one of 26 countries; have ever overstayed a visa; have family members in a foreign country (there are at least 10,000 Uighurs in Turkey); and home school their children. Being labelled “untrustworthy” can lead to a camp.
ShmooCon 2014: The NSA: Capabilities and Countermeasures
Australia’s parliament approved a law that allows the government to demand that tech firms give access to encrypted online communications, even if the firms have designed their services so that they themselves do not have access to their customers’ conversations. Tech firms said the law is unworkable. See article.
https://www.economist.com/the-world-this-week/2018/12/13/politics-this-week
The fear is that any peephole built for the good guys will inevitably be exploited by bad guys. Apple, an American tech giant, said the law would give the government “extraordinarily broad and vague powers”. Australian academics said it would have “serious negative consequences for the cyber-security of Australians”. Human-rights groups and lawyers railed.
The bill passed anyway and came into force this week. The government can now oblige tech firms to create backdoors to their systems to allow the authorities to spy on their customers. The penalties for non-compliance are stiff: A$10m ($7.2m) for defiant firms and A$50,000 for recalcitrant people. Exposing police snooping is punishable with five years in prison.
Internet v internyet
Russians are shunning state-controlled TV for YouTube
A worried Vladimir Putin is trying to regain control of Russia’s web
…
The government pressed Pavel Durov, the co-founder of VKontakte, a home-grown social network, to divulge user information to the FSB, the state security service. When he refused, it made him sell the firm and it was acquired by Mail.ru, a big Russian internet business, in 2014. Until October 2018 (when there was a transfer of voting rights to the company’s CEO) Mail.ru was controlled by USM Holdings, a company founded by Alisher Usmanov, a loyal oligarch, in which he has a 48% interest. VKontakte remains Russia’s top social network, partly because it offers pornography and pirated content. Last year Mr Usmanov hailed a $2bn joint venture by Mail.ru with Alibaba, a Chinese e-commerce giant.
Unlike Mr Durov, Mail.ru had no qualms about giving users’ data to the security services, which has led to a series of arrests. According to Agora, a human-rights watchdog, Russian prosecutors have initiated 1,295 criminal proceedings for online offences and handed out 143 sentences since 2015. The vast majority originated from VKontakte pages.
‘Five Eyes’ nations discuss backdoor access to WhatsApp | World news | The Guardian
‘We’re closer to the knife’s edge’: Confrontation looming on encryption ‘backdoors’ as Goodale looks for balance | National Post
Facebook and WhatsApp Will Be Forced to Share Encrypted Messages With British Police – Slashdot
Russia Wants To Ban the Use of Secure Protocols Such As TLS 1.3, DoH, DoT, ESNI – Slashdot
https://tech.slashdot.org/story/20/09/22/157245/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-13-doh-dot-esni
Are We Headed For 200 Separate Nationally-Controlled Internets? – Slashdot
https://tech.slashdot.org/story/20/10/03/0359215/are-we-headed-for-200-separate-nationally-controlled-internets
The Police Can Probably Break Into Your Phone – Slashdot
https://it.slashdot.org/story/20/10/21/1558220/the-police-can-probably-break-into-your-phone