Boing Boing 

Spies can't make cyberspace secure AND vulnerable to their own attacks


In his Sunday Observer column, John Naughton makes an important point that's hammered home by the escape of the NSA/GCHQ Regin cyberweapon into the wild: spies who make war on the Internet can't be trusted with its security.

NSA leak reveals plans to subvert mobile network security around the world


The NSA's AURORAGOLD program -- revealed in newly released Snowden docs -- used plundered internal emails to compromise nearly every mobile carrier in the world, and the docs show that the agency had planned to introduce vulnerabilities into future improvements to mobile security.

Vodafone made millions helping GCHQ spy on the world


A newly released Snowden doc, published in the German newspaper Süddeutsche Zeitung, shows how Cable and Wireless (now a Vodafone subsidiary) made millions of pounds illegally installing fiber-taps to help GCHQ conduct its programme of mass surveillance.

UK spies secretly granted power to spy on journalists and lawyers

The UK Investigatory Powers Tribunal secretly granted permission to MI5 and MI6 to spy on journalists and lawyers, in ways that violate attorney-client privilege.

Honorable spies anonymously leak NSA/GCHQ-discovered flaws in Tor

Andrew Lewman, head of operations for The Onion Router (TOR), an anonymity and privacy tool that is particularly loathed by the spy agencies' capos, credits Tor's anonymous bug-reporting system for giving spies a safe way to report bugs in Tor that would otherwise be weaponized to attack Tor's users.

GCHQ's black bag of dirty hacking tricks revealed

The dirty tricks used by JTRIG -- the toolsmiths of the UK spy agency GCHQ -- have been published, with details on how the agency manipulates public opinion, censors YouTube, games pageview statistics, spies on eBay use, conducts DDoS attacks, and connects two unsuspecting parties with one another by phone.

Snowden: #DRIP "defies belief," could have been dreamed up by NSA


Edward Snowden has spoken out on #DRIP, the surveillance bill that the UK's major parties have vowed to ram through without any debate.

ISPs sue UK spies over hack-attacks


ISPs in the US, UK, Netherlands and South Korea are suing the UK spy agency GCHQ over its illegal attacks on their networks in the course of conducting surveillance.

UK secretary of state: "There is no surveillance state"


UK Secretary of State Theresa May -- part of a regime that presides over a spy service that claims the right to intercept all webmail, search and clicks; that spends hundreds of millions sabotaging Internet security; that dirty-tricks and psy-opses peaceful protest groups;

GCHQ claims right to do warrantless mass interception of all webmail, search and social media


The UK spy agency GCHQ says it doesn't need a warrant to intercept and store all UK social media traffic, search history and webmail because it is headed offshore, so it's "foreign communications". It had kept this interpretation of English and Welsh law a secret until now, and only revealed it after a protracted legal battle with the excellent people at Privacy International and six other civil liberties groups, including Amnesty International and the ACLU.

Privacy vs network effects


Respected cryptographer and security researcher Ross Anderson has a fascinating new paper, Privacy versus government surveillance: where network effects meet public choice [PDF], which explores the "privacy economics" of mass surveillance, pointing out the largely overlooked impact of "network effects" on the reality of who spies, who is spied upon, and under what circumstances.

My first big point is that all the three factors which lead to monopoly – network effects, low marginal costs and technical lock-in – are present and growing in the national-intelligence nexus itself. The Snowden papers show that neutrals like Sweden and India are heavily involved in information sharing with the NSA, even though they have tried for years to pretend otherwise. A non-aligned country such as India used to be happy to buy warplanes from Russia; nowadays it still does, but it shares intelligence with the NSA rather than the FSB. If you have a choice of joining a big spy network like America's or a small one like Russia's then it's like choosing whether to write software for the PC or the Mac back in the 1990s. It may be partly an ideological choice, but the economics can often be stronger than the ideology.

Second, modern warfare, like the software industry, has seen the bulk of its costs turn from variable costs into fixed costs. In medieval times, warfare was almost entirely a matter of manpower, and society was organised appropriately; as well as rent or produce, tenants owed their feudal lord forty days’ service in peacetime, and sixty days during a war. Barons held their land from the king in return for an oath of fealty, and a duty to provide a certain size of force on demand; priests and scholars paid a tax in lieu of service, so that a mercenary could be hired in their place. But advancing technology brought steady industrialisation. When the UK and the USA attacked Germany in 1944, we did not send millions of men to Europe, as in the first world war, but a combat force of a couple of hundred thousand troops – though with thousands of tanks and backed by larger numbers of men in support roles in tens of thousands of aircraft and ships. Nowadays the transition from labour to capital has gone still further: to kill a foreign leader, we could get a drone to fire a missile that costs $30,000. But that's backed by colossal investment – the firms whose data are tapped by PRISM have a combined market capitalisation of over $1 trillion.

Third is the technical lock-in, which operates at a number of levels. First, there are lock-in effects in the underlying industries, where (for example) Cisco dominates the router market: those countries that have tried to build US-free information infrastructures (China) or even just government information infrastructures (Russia, Germany) find it’s expensive. China went to the trouble of sponsoring an indigenous vendor, Huawei, but it’s unclear how much separation that buys them because of the common code shared by router vendors: a vulnerability discovered in one firm’s products may affect another. Thus the UK government lets BT buy Huawei routers for all but its network’s most sensitive parts (the backbone and the lawful-intercept functions). Second, technical lock-in affects the equipment used by the intelligence agencies themselves, and is in fact promoted by the agencies via ETSI standards for functions such as lawful intercept.

Just as these three factors led to the IBM network dominating the mainframe age, the Intel/Microsoft network dominating the PC age, and Facebook dominating the social networking scene, so they push strongly towards global surveillance becoming a single connected ecosystem.

Privacy versus government surveillance: where network effects meet public choice (via Schneier)

(Image: Friendwheel, Steve Jurvetson, CC-BY)

Did GCHQ reveal secrets about computer insecurity when it exorcised the Snowden leaks from the Guardian's laptops?


When Prime Minister David Cameron ordered two GCHQ spooks to go to the Guardian's offices and ritually exorcise two laptops that had held copies of the Snowden leaks, we assumed it was just spook-lunacy; but Privacy International thinks that if you look at which components the spies targeted for destruction, there are hints about ways that spies can control computer hardware.

Mathematicians: refuse to work for the NSA!


In a stirring editorial in the New Scientist, University of Edinburgh mathematician Tom Leinster calls on the world's mathematicians to boycott working for the NSA, which describes itself as the "largest employer of mathematicians in the US" and which may be the world's number one employer of mathematicians. Leinster suggests that mathematicians could refuse to work for the NSA, that university heads could refuse to grant professors leave to work at NSA or GCHQ, that national mathematical societies could refuse NSA job-posting ads, and even "expel members who work for agencies of mass surveillance."

Yahoo beefs up security in two meaningful and important ways

Yahoo has taken some serious steps towards protecting user privacy, writes the Electronic Frontier Foundation's Seth Schoen. After revelations that the NSA and GCHQ had hacked its services, intercepted private video-chats, and harvested mass data from its fiber optic links, the company has added forward secrecy and STARTTLS to its roster of default-on security measures. Of the two, forward secrecy is the most interesting, as it protects the privacy of old intercepted Yahoo data even if the company loses control of its keys. Bravo, Yahoo!

Britain is turning into a country that can't tell its terrorists from its journalists


Sarah Harrison, a British journalist who's worked with Wikileaks and the Snowden papers, writes that she will not enter the UK any longer because the nation's overbroad anti-terror laws, combined with the court decision that validates using them to detain journalists who are not suspected of terrorism under any reasonable definition of the term, mean that she fears being detained at the airport and then jailed as a terrorist when she refuses to decrypt her files and grant police access to her online accounts. Under the UK's Terrorism Act of 2000, journalists who write because they hope to expose and halt corruption are liable to being jailed as terrorists because they report on leaks in a way that is "designed to influence the government." And "the government," according to the Act, is any government, anywhere in the world -- meaning that journalists who report on leaks that embarrass any government in the world can be treated as terrorists in the UK.

Nor is this an idle risk: Glenn Greenwald's partner, David Miranda, was detained under terrorism rules when he transited through the UK, and a UK judge subsequently found that the detention was justified on these grounds, even though no one suggests that Miranda is involved in terrorism in any way. As Harrison writes, "Britain is turning into a country that can't tell its terrorists from its journalists."

The final paragraphs of Harrison's editorial sum it up neatly:

NSA wiretapped 122 world leaders; GCHQ penetrated German satellite companies for mass surveillance potential


Newly disclosed documents from the trove Edward Snowden provided to journalists reveal the existence of the "Nymrod" database that listed 122 world leaders, many from nations friendly to the USA, that were spied upon by the NSA. Included in the list is German Chancellor Angela Merkel, who was already known to have been wiretapped by the NSA thanks to an earlier disclosure. Nymrod's "Target Knowledge Database" combed through the NSA's pool of global intercepts to amass dossiers of private communications -- emails, faxes, calls and Internet traffic -- related to the leaders.

Additionally, the UK spy agency GCHQ infiltrated and compromised two German satellite communications companies -- Stellar and Cetel -- and IABG, a company that supplied them with equipment. It wiretapped their senior executives as well. None of these companies are accused of having done anything amiss, but were targeted by British spies because their services carried Internet traffic and were a convenient "access chokepoint" from which to conduct mass-surveillance programs.

Podcast: If GCHQ wants to improve national security it must fix our technology

Here's a reading (MP3) of my latest Guardian column, If GCHQ wants to improve national security it must fix our technology, where I try to convey the insanity of spy agencies that weaken Internet security in order to make it easier for them to spy on people, by comparing this to germ warfare.

UK Deputy PM commissions independent review of spy powers

Glyn sez, "UK Deputy PM Nick Clegg has commissioned a review into the new intrusive capabilities of British intelligence agencies and the legal framework in which they operate."

GCHQ spied on millions of Yahoo video chats, harvested sexual images of chatters, compared itself to "Tom Cruise in Minority Report"



A stunning new Snowden leak reveals that the UK spy agency GCHQ harvested images and text from millions of Yahoo video chats, including chats in which one or both of the participants was British or American. Between 3 and 11 percent of the chats they intercepted were sexual in nature, and revealing images of thousands of people were captured and displayed to spies. The programme, called OPTIC NERVE, focused on people whose usernames were similar to those of suspects, and ran from at least 2008 until at least 2010. The leak reveals that GCHQ intended to expand the programme to Xbox 360 Kinect cameras and "fairly normal webcam traffic." The programme was part of a facial recognition research effort that GCHQ compared to "Tom Cruise in Minority Report."

While the documents do not detail efforts as widescale as those against Yahoo users, one presentation discusses with interest the potential and capabilities of the Xbox 360's Kinect camera, saying it generated "fairly normal webcam traffic" and was being evaluated as part of a wider program. Beyond webcams and consoles, GCHQ and the NSA looked at building more detailed and accurate facial recognition tools, such as iris recognition cameras – "think Tom Cruise in Minority Report", one presentation noted.

GCHQ's dirty-tricking psyops groups: infiltrating, disrupting and discrediting political and protest groups


In a piece on the new Omidyar-funded news-site "The Intercept," Glenn Greenwald pulls together the recent Snowden leaks about the NSA's psyops programs, through which they sought to attack, undermine, and dirty-trick participants in Anonymous and Occupy. The new leaks describe the NSA's and GCHQ's use of "false flag" operations (undertaking malicious actions and making it look like the work of a group they wish to discredit), the application of "social science" to disrupting and steering online activist discussions, luring targets into compromising sexual situations, deploying malicious software, and posting lies about targets in order to discredit them.

As Greenwald points out, the unit that conducted these actions, "Jtrig" (Joint Threat Research Intelligence Group), does not limit itself to attacking terrorists -- it explicitly targets protest groups, and political groups that have no connection with national security, including garden-variety criminals who are properly the purview of law enforcement agencies, not intelligence agencies.

The UK spy agency GCHQ operates a programme, called the "Human Science Operations Cell," whose remit is "strategic influence and disruption."

Some of the slides suggest pretty dubious "social science" (see below) -- they read like a mix between NLP hucksters and desperate Pick Up Artist losers.

How UK spies committed illegal DoS attacks against Anonymous

A new Snowden leak, reported by NBC, documents the UK spy agency GCHQ's attacks on Anonymous, which included Denial-of-Service attacks, which are strictly forbidden under UK law. As the Slashdot story notes, "Regular citizens would face 10 years in prison and enormous fines for committing a DoS / DDoS attack. The same applies if they encouraged or assisted in one. But if you work in the government, it seems like you're an exception to the rule."

NBC has published a minimally redacted version [PDF] of the GCHQ slide-deck detailing the agency's illegal hacking attacks on alleged Anonymous participants.

Video of the ritual destruction of a Guardian laptop with the Snowden leaks, as ordered by Prime Minister David Cameron


Remember when UK Prime Minister David Cameron ordered government officials to go to the offices of the Guardian in London and demand the symbolic destruction of a laptop with the Edward Snowden leaks on it? It was a bizarre kind of high-tech exorcism, a ritual in which one of many, many copies of the Snowden documents was destroyed, because, in the Prime Minister's words, "We've had enough debate about them."

The Guardian has posted a video of the exorcism, showing how the stern officials oversaw the piece-by-piece systematic destruction of the machine. It's not embeddable, but it's a remarkable piece of footage that you should really go and watch.

Revealed: the day Guardian destroyed Snowden hard drives under watchful eye of GCHQ – video

(via Techdirt)

Top lawyer finds GCHQ spying is illegal & UK spies who help US drone strike may be accessories to murder


UK Labour Member of Parliament Tom Watson writes, "I thought you might be interested to read the latest developments on the drones and data collection front. I've asked privacy expert Jemima Stratford QC for her legal opinion on aspects of the Snowden revelations. Contrary to reassurance from the Foreign Secretary and Chair of the ISC she finds [PDF]:


1. interception of 'internal' contents data of British citizens in the UK is unlawful under RIPA [ed: the Regulation of Investigatory Powers Act 2000; the UK's controversial spying bill]

2. the RIPA framework is outdated and not fit for purpose, leaving British citizens exposed to unlawful interference

3. transfer of data to NSA, which shares data with CIA, leaves GCHQ officials exposed to charges of aiding murder in the UK where the government knows that data is available for use to direct drone strikes against non-combatants

Further, she argues:

4. the government should agree and publish a new memorandum of understanding with the US specifying how data from UK can be stored and used by foreign agents.

Watson doesn't do the report justice, really -- Stratford's opinion includes that UK participation in US drone strikes opens up individual UK intelligence operatives to being charged as accessories to murder. Watson sent copies of the report to all the members of the all-party parliamentary drone group, of which he is chair. He's also sending it to the parliamentary intelligence and security committee for their own hearings on surveillance.

The Guardian has a great summary of the memo here, but really, you should read it yourself [PDF] -- it's a very quick and easy read. Stratford is a leading public law barrister, and she argues beautifully.

European Court of Human Rights will hear case about GCHQ spying


This is huge news: the European Court of Human Rights has agreed to hear a challenge to bulk Internet surveillance by the UK spy agency GCHQ. The case was brought by Big Brother Watch, the Open Rights Group and English PEN, and German Internet activist Constanze Kurz. This is a rare instance of "impact litigation" in the UK, where a bad law or practice can be ended swiftly and decisively by having a court hear a test-case about the law and rule on its constitutionality. This tactic has been incredibly effective in the US -- EFF's famous Bernstein victory, which legalized strong cryptography, is a good example -- but has been less available to UK activists.

NSA harvests 200M SMSes every day with untargeted, global "Dishfire" program

The latest Snowden leak details DISHFIRE, a joint NSA/GCHQ program to slurp up hundreds of millions of SMS messages from global mobile phone users. Included in the program are text messages to and from Americans, though these are apparently subsequently purged. The UK spy agency GCHQ also makes extensive use of the database. Text messages are stored for long terms, so that spies can do historic lookups on people they target. The DISHFIRE database allows for full-text search.

Vodafone expressed shock and outrage at the news that its customers' private messages were being harvested without a warrant or due process, characterising the program as outside the law.

UK Ministry of Defense can arrest you without warrant for taking pictures, grazing animals near NSA and drone outposts

The UK Ministry of Defense has introduced by-laws in the vicinity of bases in the UK, making it a detainable offense to take pictures or make any image of any person or thing; to graze livestock; or to fail to clean up your dog's turds. The rules also allow the MoD to put you in jail "without warrant" for setting up protest camps on MoD property.

These rules come into effect just as a recent Snowden leak revealed that one of the bases in the UK was used by the NSA and GCHQ to spy on Oxfam, Médecins Sans Frontières, as well as Angela Merkel. Another one of the affected bases is reportedly used to pilot drones deployed in Yemen.

All in all, the rules affect 150 bases around the UK. The MoD is the second-largest landowner in the UK.

NSA and GCHQ targeted NGOs, charities, EU chief, Israeli defense minister for deep surveillance


The latest Snowden leak reveals a list of bizarre targets for NSA/GCHQ surveillance, including the World Health Organization, Unicef and Médecins Sans Frontières; the VP of the European Commission (whose file included EU competition policy); the UN's special representative to Darfur; German diplomatic networks; and other diplomatic targets. The program was run through GCHQ's Bude listening station in Cornwall, which receives large amounts of funding from the NSA. There's no colourable claim that this surveillance had anything to do with preventing terrorism or enhancing national security. It's an incoherent mishmash of out-and-out industrial espionage, institutional mistrust of humanitarian relief agencies, and a reflexive need to spy. And it's going to piss a lot of people off.

NSA uses Google's tracking cookies to target and "exploit" their subjects


A new set of leaked NSA slides from the Snowden trove was published in the Washington Post today, detailing NSA/GCHQ's use of Web cookies (including Google's PREF cookie) to uniquely identify people as they move around the Web, in order to target them and compromise them.

They also report on an NSA program called HAPPYFOOT that uses mobile phones to do very fine-grained tracking of targets.

Ed Felten, an eminent computer scientist and security researcher, has written a lengthy comment on the disclosures, exploring the different options companies have if they want to safeguard their tracking cookies from being hijacked by the NSA. His primary recommendation is that these cookies should only be sent over SSL.

Spooks of Warcraft: how the NSA infiltrated gamespace


A new Snowden leak details how the NSA and GCHQ tasked agents to infiltrate Second Life, World of Warcraft, and other MMOs to find jihadis and spy on them. The battalions of undercover orcs did indeed take much of gamespace, but there's no evidence they ever spotted a plot. I was once questioned by members of an "unnamed branch of the State Department" at a games and public diplomacy event about the likelihood that jihadis were playing MMOs; and I said something like, "Sure, of course. Everyone plays MMOs." I didn't realize they'd take it all quite so much to heart.

The absurdity of sending spies to infiltrate Warcraft can best be understood as a natural outflow of the doctrine that holds that if any two bad guys, anywhere in the world, can communicate in such a way that the NSA can't listen in on them, all of society will crumble. Once you set yourself the insane task of eavesdropping on all conversations, everywhere, always, it's inevitable that you'll send Secret Squirrel and his pals to Azeroth.

English PEN's privacy/surveillance debate in London

Jo from English PEN writes, "Thanks to Edward Snowden's leaks about the secret surveillance of all our communications by intelligence services in the UK and US, privacy is one of the biggest stories of the day. None of us can be sure now that our emails or phone calls are ever confidential, so this is something we should all be worried about. At English PEN there's a discussion next Wednesday 11 December at 6:30pm, with some experts on the subject and it should be a lively debate - with writer Alan Judd, former MI6 director for operations Nigel Inkster and Ian Brown, director of the Oxford Internet Institute. It's chaired by English PEN's director Jo Glanville at the Free Word Centre, 60 Farringdon Road, EC1R 3GA."