How governments and cyber-militias attack civil society groups, and what they can do about it

The University of Toronto's Citizen Lab is one of the world's leading research centers for cybersecurity analysis, and they are the first port of call for many civil society groups when they are targeted by governments and cyber-militias.

Every Android device potentially vulnerable to "most serious" Linux escalation attack, ever

The Dirty Cow vulnerability dates back to code included in the Linux kernel in 2007, and it can be trivially weaponized into an easy-to-run exploit that allows user-space programs to execute as root, meaning that attackers can take over the entire device by getting their targets to run apps without administrator privileges.

UK police rely heavily on cyberweapons but won't answer any questions about them

The UK police and security services have frequently touted the necessity of "equipment interference" techniques -- cyberweapons used to infect suspects' computers -- in their investigations, but they have refused to release any information about their use in response to 40 Freedom of Information requests from Motherboard.

How the market for zero-day vulnerabilities works

Zero-days -- bugs that are unknown to both vendors and users -- are often weaponized by governments, criminals, and private arms dealers who sell to the highest bidders. The market for zero-days means that newly discovered bugs are liable to go unpatched until they are used in a high-profile cyberattack or independently discovered by researchers who'd rather keep their neighbors safe than make a profit.

Check whether Hacking Team demoed cyberweapons for your local cops

Michael from Muckrock sez, "Turns out death squads aren't the only agencies buying Hacking Squad's controversial spyware. Towns from Miami Shores, FL to Eugene, OR appeared on a list of US agencies that received demonstrations from the hacked surveillance vendor. MuckRock has mapped out who was on the lists, and is working to FOIA what these towns actually bought, if anything. Check and see if your city is on the map."

Spies can't make cyberspace secure AND vulnerable to their own attacks

In his Sunday Observer column, John Naughton makes an important point that's hammered home by the escape of the NSA/GCHQ Regin cyberweapon into the wild: spies who make war on the Internet can't be trusted with its security.

Schneier: NSA's offense leaves Americans undefended

Writing in the Atlantic, Bruce Schneier explains the NSA's insane program of creating, discovering and hoarding vulnerabilities in computer systems in order to weaponize them. These vulnerabilities allow the NSA to attack its enemies (everyone), but let other states, hackers, and crooks attack Americans. The NSA claims it is "securing" cyberspace, but its dominant tactic requires that everyone be made less secure so that the NSA can attack them if they feel the need.

Security as a public health discipline, not an engineering one

In my latest Guardian column, If GCHQ wants to improve national security it must fix our technology, I argue that computer security isn't really an engineering issue, it's a public health issue. As with public health, it's more important to be sure that our pathogens are disclosed and understood than it is to keep them secret so we can use them against our enemies.