Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution
Brilliant multimedia, multi-part feature in Mother Jones by Shane Bauer, one of the American hikers who was arrested by Iranian authorities on the Iran-Iraq border, then placed in solitary, then eventually released.
Argo, a thriller directed by and starring Ben Affleck, dramatizes the rescue of six U.S. diplomats from Tehran, Iran, during the 1979 hostage crisis. To infiltrate the country and facilitate the diplomats' return, CIA technician Tony Mendez concocts an incredible cover story: they're part of a film crew, scouting out locations in the Islamic republic for an epic science fiction movie. One core prop: a convincing, ready-to-shoot screenplay.
The movie obscures its real-life origins, but it started with one of the 1960s' most cutting-edge novels, Roger Zelazny's Lord of Light. Winner of the 1968 Hugo Award, Lord of Light was inspired by Buddhist and Hindu texts and chronicles the lives of people who have mastered mind-uploading, genetic engineering and bodily transmigration. Zelazny's novel, like many of Philip K. Dick's most hallucinatory narratives, anticipated many of cyberpunk's thematic concerns.
Mikko H. Hypponen of F-Secure publishes an email he claims is from a scientist with the Atomic Energy Organization of Iran (or AEOI), which details a new "cyber attack" wave against Iranian nuclear systems.
Mikko can't validate the email or the tale therein, and neither can we, but if it's true? Heh.
* The 'shoop above is mine, not the hackers'.
Iranian President Mahmoud Ahmadinejad inspects centrifuges at a uranium enrichment plant.
Reporting for the New York Times, David Sanger confirms what internet security researchers suspected all along: Stuxnet, the worm that targeted computers in Iran's central nuclear enrichment facilities, was a US/Israeli project and part of an expanded effort at cyberweaponry by the Obama administration.
A finance technology manager named Khosrow Zarefarid discovered a critical flaw in Iran's online banking systems. He extracted 1,000 account details (including card numbers and PINs) and emailed them to the CEOs of 22 Iranian banks along with detailed information about the vulnerability. A year later, nothing had been done. Zarefarid extracted 3 million accounts' details from the bank's systems and posted them to ircard.blogspot.ca. Many Iranian banks have now frozen their customers' accounts and are only allowing PIN-change transactions at ATMs. Some banks have texted their customers to warn them of the breach. The Central Bank of Iran has published an official notice of the breach, but the notice does not say that the underlying vulnerability has been fixed, or even whether it is being addressed. Zarefarid is said to have left Iran, though his whereabouts are not known, at least to Emil Protalinski, who wrote about the breach for ZDNet:
It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. I found the link via his Facebook account, along with the question “Is your bank card between thease 3000000 cards?”
...Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.
Iran's governing elite have been making noises for years now about the construction of a "Halal Internet," a kind of national intranet with its own email service, microblogging, search tools, etc. Now a leaked Persian-language "Request for Information" from the Research Institute for ICT in Tehran, which consults on technology for Iran's Ministry of ICT, suggests that the plan has evolved into a more ambitious version of the existing national censorship regime. In Ars Technica, Cyrus Farivar analyzes the proposal:
Collin Anderson, the researcher who found the document, said this RFI shows an unexpected shortcoming of the Iranian government to capitalize on its own domestic ability and recent deals with Chinese telecom companies such as Huawei and ZTE.
Huawei said late last year it was pulling out of Iran. ZTE, meanwhile, has previously sold millions of dollars of telecom and surveillance equipment to the Islamic Republic.
"I believe this clearly demonstrates that the Iranian government does not intend on cutting off access to the external Internet any time soon," Anderson told Ars on Tuesday, explaining that the acquisition of a censorship system would not be necessary if Iran was trying to create a highly restricted whitelist or completely cut itself off from the Internet.
"This might suggest that the government has not been able to acquire the services of foreign companies for planning and optimizing an infrastructure," he added.
"This is surprising for those, including me, who believe that much of the censorship software and hardware was being developed internally. The RFI seems to imply the desire to move beyond blacklisting sites and keywords, to a more intelligent system of detecting and blocking ‘immoral’ content, such as pornographic or culturally offensive material."
I'm in the middle of reading Rebecca MacKinnon's Consent of the Networked, which is probably the best single book on the subject I've read to date (review coming soon). MacKinnon's analysis of Iran and other Middle-Eastern dictatorships is that they're stuck playing catch-up relative to China, and will have a hard time replicating China's strategy of combining censorship with floods of pro-government astroturfers and popular national alternatives to services like Facebook and Twitter, because Iranians have already widely adopted the "western" technologies and would aggressively circumvent national blocks for non-political reasons, providing cover for political dissidents.
PHOTO: Technicians monitor data flow in the control room of an internet service provider in Tehran February 15, 2011. REUTERS/Caren Firouz
There's an AFP item today on Iran's denial of online reports that it plans to shut off access to the Internet this August, replacing that access with a "national intranet." Snip:
The reports derived from a supposed interview with Communications Minister Reza Taghipour published on April 1 that was in fact a hoax, the ministry said in the statement on its own site www.ict.gov.ir -- which itself was not accessible outside of Iran. “The report is in no way confirmed by the ministry” and is “completely baseless,” the ministry statement said.
The hoax report quoted Taghipour saying that Iran would from August launch a “clean internet” that would block popular services like Google and Hotmail and replace them with government-sponsored search engines and e-mail services. The ministry statement slammed the false report as serving “the propaganda wing of the West and providing its hostile media with a pretext emanating from a baseless claim.”
(via Jillian York)
At Hacker News, a user named "Sara70" posts:
I'm writing this to report the serious troubles we have regarding accessing Internet in Iran at the moment. Since Thursday Iranian government has shut down the https protocol which has caused almost all google services (gmail, and google.com itself) to become inaccessible. Almost all websites that rely on Google APIs (like wolfram alpha) won't work. Accessing to any website that relies on https (just imagine how many websites use this protocol, from Arch Wiki to bank websites). Also accessing many proxies is also impossible. There are almost no official reports on this and with many websites and my email accounts restricted I can just confirm this based on my own and friends' experience. I have just found one report here. The reason for this horrible shutdown is that the Iranian regime celebrates 1979 Islamic revolution tomorrow.
Jake Appelbaum and the Tor Project folks confirm that Iran is partially blocking encrypted network traffic, and they are trying to help ensure free and safe access for activists (and everyone else inside the country).
PHOTO: Iranian schoolgirls chat online at an internet cafe which is exclusively for females, near the city of Karaj, 60km (38 miles) west of Tehran, May 24, 2007. REUTERS.
Dominic Girard from the Canadian Broadcasting Corporation sez,
It's one thing for Iran to arrest an American and sentence him to death for being a spy. It's a whole other thing when you say the spy made video games as propaganda for the CIA. Yet that's precisely one of the charges Iranian-American Amir Hekmati confessed to on Iranian television in December. (Let's remember that Iran routinely accuses foreigners of being spies, and there's no way of knowing exactly what methods were used to get Hekmati to read out his confession).
Hekmati did once work with Kuma Games - a New York based game developer. Iran believes Kuma Games are CIA propagandists, that the company makes video games to disseminate a pro-USA message internationally. Some of Kuma Games' offerings are playable scenarios of real-world events. You can be a rebel trying to track down Gadhafi in Libya. You can join Team Six and kill Osama bin Laden. You can also be a soldier inserted in Iran, trying to sabotage their nuclear weapons program. But does that necessarily mean they're a CIA front? This short CBC Radio documentary tries to sort out if the CIA would ever consider such an idea, and if it would even be worth the effort.
A soldier carries ammunition on a naval ship during the Velayat-90 war game on Sea of Oman near the Strait of Hormuz in southern Iran December 31, 2011. Iran test-fired a new medium-range missile, designed to evade radars, on Sunday during the last days of its naval drill in the Gulf, the official IRNA news agency quoted a military official as saying. (REUTERS/Fars News/Hamed Jafarnejad - IRAN)
RanTek, a Danish company, is reportedly supplying Iran with censor/spyware technology, which was part of a larger effort that was used to identify a dissident journalist who was arrested and tortured.
Experts: Danish company helps with Iranian surveillance (Eksperter: Dansk firma hjælper med iransk overvågning, in Danish)
Until he was arrested, he worked for Mehr, the official Iranian news agency. He received information from all over the country about protests and demonstrations, information too controversial to be used in the news agent's official work. Instead he published it through other channels, e.g. Facebook. However, after the elections in June 2009, when people took to the streets in protest against Ahmadinejad's election victory, it was clear to the Iranians that the Internet is in no way safe.
"Nearly 4000 people were arrested solely on the basis of monitoring of their private internet traffic," says Farahani.
Now it seems that the Danish company RanTek helps the Iranian regime with the monitoring of the Iranian population. The day before Christmas the Bloomberg news agency reported that the Danish IT company re-packages and sells surveillance equipment to Iran. Ironically, the equipment originally comes from the Israeli manufacturer Allot Communications, which means that the Israelis through a Danish intermediary have helped their mortal enemies.
And while Zahra's Paradise is an informative (if fictionalized) account of the Iranian election uprising and a vivid condemnation of the stern, joyless Khomeinist version of Islam, it is also a fantastic story, a graphic novel that races to its conclusion. The webcomic was serialized in 12 languages (including Farsi and Arabic) and the print edition is available in a dozen countries from today.
It appears that the fraud was detected before any harm could be done, but Eckersley explains how close we came to a global security meltdown, and starts thinking about how we can prepare for a more successful attack in the future.
Most Certificate Authorities do good work. Some make mistakes occasionally, but that is normal in computer security. The real problem is a structural one: there are 1,500 CA certificates controlled by around 650 organizations, and every time you connect to an HTTPS webserver, or exchange email (POP/IMAP/SMTP) encrypted by TLS, you implicitly trust all of those certificate authorities!
Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?
What we need is a robust way to cross-check the good work that CAs currently do, to provide defense in depth and ensure (1) that a private key-compromise failure at a major CA does not lead to an Internet-wide cryptography meltdown and (2) that our software does not need to trust all of the CAs, for everything, all of the time.
For the time being, we will make just one remark about this. Many people have been touting DNSSEC PKI as a solution to the problem. While DNSSEC could be an improvement, we do not believe it is the right solution to the TLS security problem. One reason is that the DNS hierarchy is not trustworthy. Countries like the UAE and Tunisia control certificate authorities, and have a history of compromising their citizens' computer security. But these countries also control top-level DNS domains, and could control the DNSSEC entries for those ccTLDs. And the emergence of DNS manipulation by the US government also raises many concerns about whether DNSSEC will be reliable in the future.