Movie plot threat semifinalists announced

Bruce Schneier has announced the semifinalists in his seventh annual Movie-Plot Threat Contest, wherein contestants dream up implausible reasons to justify extreme surveillance and other lawless policing techniques like torture and indefinite detention. My favorite: Homeopathic Factoring, "The NSA, through the White House's Office of Faith Based and Community Initiatives formed a partnership with Zicam Digital to explore and exploit homeopathic techniques for advanced cryptanalysis."

Read the rest

IETF declares war on surveillance


The Internet Engineering Task Force has published RFC 7258, which is a bombshell whose title is: "Pervasive Monitoring Is an Attack." It represents the outcome of a long argument about whether the Internet's technical architecture should take active countermeasures to fight mass surveillance, which Tim Bray summarizes. I especially like his rejoinder to people who argue against this because there are places where it's legitimate to monitor communications, like prisons: "We don't want an In­ter­net optimized for prisons."

Read the rest

Clapper's ban on talking about leaks makes life difficult for crypto profs with cleared students

When James Clapper banned intelligence agency employees from discussing or acknowledging the existence of leaked docs (including the Snowden docs), he made life very hard for university professors like Matt Blaze, a security expert whose classes often have students with security clearance.

My own books -- which deal with leaks like these -- are taught at West Point at a course whose instructors include a member of US Cyber Command. I imagine a rule like this would make future inclusion on the curriculum difficult, if not impossible.

You are a Gmail user


For years, Benjamin Mako Hill has paid to host his own mail, as a measure to enhance his privacy and independence from big companies. But a bit of clever analysis of his stored mail reveals that despite this expense and effort, he is a Gmail user, because so many of his correspondents are Gmail users and store copies of his messages with Google. And thanks to an archaic US law, any message left on Gmail for more than six months can be requested by police without a warrant, as it is considered "abandoned."

Mako has posted the script he used to calculate how much of his correspondence ends up in Google's hands.

I host my own mail, too. I'm really looking forward to Mailpile, which should make this process a lot easier, and also make keeping all my mail encrypted simpler. Knowing that Google has a copy of my correspondence is a lot less worrisome if they can't read it (though it's still not an ideal situation).

Read the rest

Forged certificates common in HTTPS sessions

In Analyzing Forged SSL Certificates in the Wild [PDF] a paper authored by researchers at CMU and Facebook, we learn that "a small but significant percentage" of HTTPS connections are made using forged certificates generated by adware and malware. Disturbingly, some of this malware may be working by attacking anti-virus software and stealing its keys, and the authors also speculate that anti-virus authors may be giving their keys out to governments in order to allow police to carry out man-in-the-middle attacks.

The researchers used a technique to detect forged-cert connections that has post-Heartbleed applications, since it would allow sites to discover whether their visitors are being man-in-the-middled through keys stolen before Heartbleed was widely known. This all points to a larger problem with HTTPS, which has been under increased scrutiny since Heartbleed, but whose defects were well understood within the security community for a long time. I co-wrote this editorial for Nature with Ben Laurie in 2012 describing a system called "Certificate Transparency" that makes it easier to audit and remediate problems with SSL certificates, which Google is now adding to Chrome.

Read the rest

Tor: network security for domestic abuse survivors


Michael from Beta Boston writes, "The privacy protections offered by tools like Tor aren't just for journalists and spies; they're important for everyone. Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that, and we took a long look at the work cut out for them."

This is an important point: when you make it so that no one can keep secrets from the state and its enforcement arm, you also make it so that no one can keep secrets from crooks, thugs, stalkers, and every other kind of bad guy.

Read the rest

TAILS: Snowden's favorite anonymous, secure OS goes 1.0


TAILS -- The Amnesiac Incognito Live System -- is a highly secure operating system intended to be booted from an external USB stick without leaving behind any trace of your activity on either your computer or the drive. It comes with a full suite multimedia creation, communications, and utility software, all configured to be as secure as possible out of the box.

It was Edward Snowden's tradecraft tool of choice for harvesting and exfiltrating NSA documents. Yesterday, it went 1.0. If you need to turn a computer whose operating system you don't trust into one that you can use with confidence, download the free disk image. (Note: TAILS won't help you defend against hardware keyloggers, hidden CCTVs inside the computer, or some deep malware hidden in the BIOS). It's free as in speech and free as in beer, and anyone can (and should) audit it.

Effectively, this is the ParanoidLinux I fictionalized in my novel Little Brother.

Read the rest

NZ Greens unveil Internet Rights and Freedoms bill

Andrew writes, "The Green Party of Aotearoa New Zealand has launched their Internet Rights and Freedoms Bill. The Bill was launched on a crowdsourced platform where members of the public are given the opportunity to shape these emerging rights and freedoms. This is the first time a Bill has been crowdsourced by a political party in New Zealand. The Internet Rights and Freedoms Bill proposes:"

Read the rest

Yahoo beefs up security in two meaningful and important ways

Yahoo has taken some serious steps towards protecting user-privacy, writes the Electronic Frontier Foundation's Seth Schoen. After revelations that the NSA and GCHQ had hacked its services, intercepted private video-chats, and harvesting mass data from its fiber optic links, the company has added forward secrecy and STARTTLS to its roster of default-on security measures. Of the two, forward secrecy is the most interesting, as it protects the privacy of old intercepted Yahoo data even if the company loses control of its keys. Bravo, Yahoo! Cory 7

Michigan's Penguicon will focus on crypto and privacy this year

Scott sez, "Privacy and security has been a huge problem since the Snowden revelations, and midwest SF/open source software convention Penguicon [ed: near Detroit!] wants to be part of the solution. With Guest of Honor Eva Galperin from the Electronic Frontier Foundation and Cory Doctorow returning as Guest Emeritus, much of their tech track is focused on finding answers to the recent privacy problems highlighted by Snowden. Pre-registration tickets are available until April 1st. Programming was just announced." (Thanks, Scott!)

Self-directed Crypto 101 online course

Crypto 101 is a free online course on practical, applied cryptography: " everything you need to understand complete systems such as SSL/TLS: block ciphers, stream ciphers, hash functions, message authentication codes, public key encryption, key agreement protocols, and signature algorithms." Cory 5

Australian attorney general wants the power to launch man-in-the-middle attacks on secure Internet connections


The Australian attorney general has mooted a proposal to require service providers to compromise their cryptographic security in order to assist in wiretaps. The proposal is given passing mention in a senate submission from the AG's office, where it is referenced as "intelligibility orders" that would allow "law enforcement, anti-corruption and national security agencies" to secure orders under which providers like Google, Facebook and Yahoo would have to escrow their cryptographic keys with the state in order to facilitate mass surveillance.

Edward Snowden referenced this possibility in his SXSW remarks, pointing out that any communications that are decrypted by service providers are vulnerable to government surveillance, because governments can order providers to reveal their keys. This is why Snowden recommended the use of "end-to-end" security, where only the parties in the discussion -- and not the software vendor -- have the ability to spy on users.

The "intelligibility order" is the same kind of order that led to the shutdown of Lavabit, the secure email provider used by Snowden, whose creator shut the service down rather than compromising his users' security.

Read the rest

Kickstarting an Arduino-based Enigma machine

ST Geotronics have exanded their Instructables project for building your own Arduino-based Enigma and turned it into a Kickstarter. $40 gets you some boards you can kit-bash with; $125 gets you the full kit; $300 gets you the whole thing, beautifully made and fully assembled.

The Open Enigma Project (Thanks, Tina!)

EFF's HTTPS Everywhere + Firefox = most secure mobile browser

Peter from the Electronic Frontier Foundation writes, "Over at EFF, we just released a version of our HTTPS Everywhere extension for Firefox for Android. HTTPS Everywhere upgrades your insecure web requests to HTTPS on many thousands of sites, and this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies."

I installed it today.

Read the rest

Cryptocurrency soap


Liz writes, "I bet you never wished before that you had handmade soap with a glider from Conway's Game of Life, a doge, or the bitcoin logo on it. It's twee. It's vaguely punk rock. It's cryptocurrency soap!"