Cyber-crooks turn to Bitcoin extortion


Security journalist Brian Krebs documents a string of escalating extortion crimes perpetrated with help from the net, and proposes that the growth of extortion as a tactic preferred over traditional identity theft and botnetting is driven by Bitcoin, which provides a safe way for crooks to get payouts from their victims.

Read the rest

Possible hidden Latin warning about NSA in Truecrypt's suicide note


When the anonymous authors of the Truecrypt security tool mysteriously yanked their software last month, there was widespread suspicion that they had been ordered by the NSA to secretly compromise their software. A close look at the cryptic message they left behind suggests that they may have encoded a secret clue in the initials of each word of the sentence ("Using TrueCrypt is not secure as it may contain unfixed security issues"), the Latin phrase "uti nsa im cu si" which some claim can be translated as a warning that the NSA had pwned Truecrypt.

Read the rest

Anti-forensic mobile OS gets your phone to lie for you

In Android Anti-forensics: Modifying CyanogenMod Karl-Johan Karlsson and William Bradley Glisson present a version of the Cyanogenmod alternate operating system for Android devices, modified so that it generates plausible false data to foil forensic analysis by law enforcement. The idea is to create a mobile phone that "lies" for you so that adversaries who coerce you into letting them take a copy of its data can't find out where you've been, who you've been talking to, or what you've been talking about.

I'm interested in this project but wonder about how to make it practical for daily use. Presently, it maintains a hidden set of true data, and a trick set of false data intended to be fetched by forensic tools. Presumably, this only works until the forensic tools are modified to spot the real data. But you can conceptually imagine a phone that maintains a normal address book and SMS history, etc -- all the things that are useful to have in daily use -- but that, on a certain signal (say, when an alternate unlock code is entered, or after a certain number of failed unlock attempts) scrubs all that and replaces it with plausible deniability data.

Obviously, this kind of thing doesn't work against state-level actors who can subpoena (or coerce) your location data and call history from your carrier, but those people don't need to seize your phone in the first place.

Read the rest

Whistleblower org says it will go to jail rather than turning over its keys


The Project on Government Oversight (POGO) has told the Obama administration that its leaders will go to jail rather than respond to an extrajudicial administrative subpoena seeking the identity of whistleblowers who disclosed corruption in the Veterans' Administration.

Read the rest

How can you trust your browser?


Tim Bray's Trusting Browser Code explores the political and technical problems with trusting your browser, especially when you're using it to do sensitive things like encrypt and decrypt your email. In an ideal world, you wouldn't have to trust Google or any other "intermediary" service to resist warrants forcing it to turn over your sensitive communications, because it would be technically impossible for anyone to peek into the mail without your permission. But as Bray points out, the complexity and relative opacity of Javascript makes this kind of surety difficult to attain.

Bray misses a crucial political problem, though: the DMCA. Under US law (and similar laws all over the world), telling people about vulnerabilities in DRM is illegal, meaning that a bug in your browser that makes your email vulnerable to spying might be illegal to report, and will thus potentially never be fixed. Now that the World Wide Web Consortium and all the major browser vendors (even including Mozilla) have capitulated on adding DRM to the Web, this is the most significant political problem in the world of trusting your browser.

Read the rest

Time-capsule crypto to help journalists protect their sources


Jonathan Zittrain writes, "I published an op-ed in the Boston Globe today musing on the prospects for 'time capsule encryption,' one of several ways of storing information that renders it inaccessible to anyone until certain conditions -- such as the passage of time -- are met. I could see libraries and archives offering such technology as part of accepting papers and manuscripts, especially in the wake of the "Belfast Project" situation, where a library promised confidentiality for accounts of the Troubles in North Ireland, and then found itself amidst subpoenas from law enforcement looking to solve long-cold cases. But the principle could apply to any person or company thinking that there's a choice between leaving information exposed to leakage, or destroying it entirely."

I'm less enthusiastic about this than Jonathan is. I think calibrating the strength of your time-capsule is very hard. If the NSA might be an order of magnitude faster than the rest of us at brute-force cryptanalysis, that means you need to make your 10-year capsule strong enough to last for 100 years just to be on the safe side. Same goes for proof-of-work.

Read the rest

Encrypt like a boss with the Email Self-Defense Guide


Libby writes, "Today the Free Software Foundation is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder. We're releasing it as part of Reset the Net, a global day of action to push back against the surveillance-industrial complex. The guide will get you encrypting your emails in under 30 minutes, and takes you all the way through sending and receiving your first encrypted email."

Email Self-Defense - a guide to fighting surveillance with GnuPG (Thanks, Libby!)

Today is the day we Reset the Net

Today is the day we Reset the Net! It’s been one year since the Edward Snowden disclosures hit the news and the whole world woke up to the scale of mass, indiscriminate Internet surveillance — a spying campaign that was only possible because our own tools leak our private information in great gouts. Reset the Net provides you with a technical, political, and social toolkit to harden our Internet against the spies; and Boing Boing is proud to be playing a role.

Read the rest

Google announces end-to-end encryption for Gmail (a big deal!)

Google has announced support for end-to-end encryption with Gmail, a major step for privacy and a major blow against mass surveillance. Gmail users who install free and open Chrome plugin will be able to send and receive messages that can only be read by people who have their intended recipients' passphrase, and not Google -- meaning that even if the NSA legally or covertly taps into Google's data-centers, they won't be able to read mail that's encrypted with the End-to-End plugin.

This is marvellous news. There is already support for Gnu Privacy Guard (GPG) and Pretty Good Privacy (PGP) in Gmail, through Firefox plugin or Chrome plugin, but long experience has shown that many people are confused by PGP/GPG in its current state.

What's more, Google has explicitly tied this to the Reset the Net campaign (in which Boing Boing is a partner), a global day commemorating the Snowden leaks and calling for an Internet that is made strong and secure from mass spying.

Read the rest

Engineering our way out of mass surveillance

Smári "Mailpile" McCarthy's lecture Engineering Our Way Out of Fascism sets out a set of technical, legal and social interventions we can undertake to make mass surveillance impossible, starting with this: "The goal of those interested in protecting human rights should be to raise the average cost of surveillance to $10.000 per person per day within the next five years."

Read the rest

Warrantless spying makes spying-with-a-warrant impossible

Tim Bray's taxonomy of privacy levels makes a compact and compelling argument that the existence of warrantless spying and security sabotage is what drives people to adopt cryptographic techniques that can't be broken even with a warrant. Cory 1

Mysterious announcement from Truecrypt declares the project insecure and dead

The abrupt announcement that the widely used, anonymously authored disk-encryption tool Truecrypt is insecure and will no longer be maintained shocked the crypto world–after all, this was the tool Edward Snowden himself lectured on at a Cryptoparty in Hawai’i. Cory Doctorow tries to make sense of it all.

Read the rest

Greenwald's "No Place to Hide": a compelling, vital narrative about official criminality

Cory Doctorow reviews Glenn Greenwald’s long-awaited No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. More than a summary of the Snowden leaks, it’s a compelling narrative that puts the most explosive revelations about official criminality into vital context.

Read the rest

You Are Not a Digital Native: on the publication of the Homeland paperback, a letter to kids

The US paperback of my novel Homeland comes out today, and I've written an open letter to teenagers for Tor.com to celebrate it: You Are Not a Digital Native. I used the opportunity to draw a connection between kids being told that as "digital natives," everything they do embodies some mystical truth about what the Internet is for, and the way that surveillance companies like Facebook suck up their personal data by the truckload and excuse themselves by saying "digital natives" have demonstrated that privacy is dead.

As researchers like danah boyd have pointed out, a much more plausible explanation for teens' privacy disclosures is that they're making mistakes, because they're teenagers, and teenagers learn to be adults by making (and learning from) mistakes. I finish the piece with a list of tools that teens can use to have a more private, more fulfilling online social life.

They say that the Holy Roman Emperor Frederick II ordered a group of children to be raised without any human interaction so that he could observe their “natural” behavior, untainted by human culture, and find out the true, deep nature of the human animal.

If you were born around the turn of the 21st century, you’ve probably had to endure someone calling you a “digital native” at least once. At first, this kind of sounds like a good thing to be—raised without the taint of the offline world, and so imbued with a kind of mystic sixth sense about how the Internet should be.

But children aren’t mystic innocents. They’re young people, learning how to be adult people, and they learn how to be adults the way all humans learn: by making mistakes. All humans screw up, but kids have an excuse: they haven’t yet learned the lessons the screw-ups can impart. If you want to double your success rate, you have to triple your failure rate.

The problem with being a “digital native” is that it transforms all of your screw-ups into revealed deep truths about how humans are supposed to use the Internet. So if you make mistakes with your Internet privacy, not only do the companies who set the stage for those mistakes (and profited from them) get off Scot-free, but everyone else who raises privacy concerns is dismissed out of hand. After all, if the “digital natives” supposedly don’t care about their privacy, then anyone who does is a laughable, dinosauric idiot, who isn’t Down With the Kids.

You Are Not a Digital Native: Privacy in the Age of the Internet

Edward Snowden hosted a cryptoparty and ran a Tor exit node

Before Edward Snowden went on the run and effected the first-ever leak of documents from the NSA, he threw a cryptoparty in Hawai'i, coordinating with Runa Sandvik from the Tor Project and Asher Wolf from the Cryptoparty movement to plan an event where everyday people were taught to use crypto. He gave a lecture for his neighbors on Truecrypt, and told people that he ran at least two Tor exist nodes to help people keep their anonymous traffic moving (Boing Boing also runs a Tor exit node). Apparently, his girlfriend videoed the event -- I'd love to see it!

Snowden used the Cincinnatus name to organize the event, which he announced on the Crypto Party wiki, and through the Hi Capacity hacker collective, which hosted the gathering. Hi Capacity is a small hacker club that holds workshops on everything from the basics of soldering to using a 3D printer.

“I’ll start with a casual agenda, but slot in additional speakers as desired,” write Cincinnatus in the announcement. “If you’ve got something important to add to someone’s talk, please share it (politely). When we’re out of speakers, we’ll do ad-hoc tutorials on anything we can.”

When the day came, Sandvik found her own way to the venue: an art space on Oahu in the back of a furniture store called Fishcake. It was filled to its tiny capacity with a mostly male audience of about 20 attendees. Snowden spotted her when she walked in and introduced himself and his then-girlfriend, Lindsay Mills, who was filming the event. “He was just very nice, and he came to the door and introduced himself and talked about how the event was going to run,” Sandvik says.

They chatted for a bit. Sandvik asked Snowden where he worked, and after hemming and hawing, he finally said he worked for Dell. He didn’t let on that his work for Dell was under an NSA contract, but Sandvik could tell he was hiding something. “I got the sense that he didn’t like me prying too much, and he was happy to say Dell and move on,” she says.

Sandvik began by giving her usual Tor presentation, then Snowden stood in front of the white board and gave a 30- to 40-minute introduction to TrueCrypt, an open-source full disk encryption tool. He walked through the steps to encrypt a hard drive or a USB stick. “Then we did an impromptu joint presentation on how to set up and run a Tor relay,” Sandvik says. “He was definitely a really, really smart guy. There was nothing about Tor that he didn’t already know.”

Snowden’s First Move Against the NSA Was a Party in Hawaii [Kevin Poulsen/Wired]

(Image: a downsized thumbnail of a photo by Bart Gellman/Getty)