By Cory Doctorow at 4:00 pm Friday, May 18
• Comments • Share
Redditor Surprisemailbox posted this image of a note left by a seven year old for her parents, regarding security policies at home: "If you put a pasword on that I will make your life a nitmare."
The day Poesy leaves me a comparable note, I will have validation that all my parenting was not in vain. (Of course, that's assuming she doesn't just shoulder-surf the password and leave me in a fool's paradise.)
My friends 7 year old sister left this note for her parents on their computer.
(via Neatorama)
By Cory Doctorow at 6:12 am Thursday, May 17
• Comments • Share
The Met, London's police force, is buying "mobile device data extraction" devices that can suck all the data out of your phone "in minutes" -- that's where you've been, who you know, what you've said to them, what websites you visit, and, depending on your apps, what groceries you buy, when you've called for a cab, what your menstrual cycle is, what you eat, your passwords, and so on.
This is the police force that routinely DNA-swabbed suspects and refused to destroy the samples even after they were exonerated, despite being ordered to after a European high court ruling to the effect that this was illegal.
Does anyone know what technology they're buying, and what its limits are? I'd be interested in knowing if, for example, it is effective against the built-in Android mass storage encryption.
"When a suspect is arrested and found with a mobile phone that we suspect may have been used in crime, traditionally we submit it to our digital forensic laboratory for analysis."
Kavanagh said the new system located within the boroughs themselves will enable "trained officers to examine devices and gives immediate access to the data in that handset".
He said: "Our ability to act on forensically-sound, time-critical information, from SMS to images contained on a device quickly gives us an advantage in combating crime, notably in terms of identifying people of interest quickly and progressing cases more efficiently."
Met Police uses 'quick' mobile data extraction system against suspects
(via /.)
By Cory Doctorow at 8:06 am Wednesday, May 16
• Comments • Share
Yesterday, Byron Sonne was acquitted of all charges against him. Sonne is the Toronto-area security researcher who pointedly demonstrated the inadequacy and incoherence of the heavy-handed, $1.2B security arrangements for the G20 summit in 2010. Denise Balkissoon has done some of the best reporting on the bizarre trial that followed (after Sonne spent nearly a year in jail), and now she's got good commentary on the acquittal:
“Byron Sonne, you’re a free man,” said one of his lawyers, Joe DiLuca, as Sonne stood outside the courthouse.
“I can be a moron again on the internet,” Sonne said, as he ripped up court documents that listed the bail conditions—including a curfew and not using a cellphone—that he has lived with since May 2011...
Later on the day of the verdict, in Kensington Market, Sonne stood having a cigarette and discussing Anonymous and Gandhi with Alex Hundert, who pled guilty to counselling to commit mischief during the G20. “They took a somewhat radical person like me and said, ‘Let’s put the guy in jail with real radicals,'” said Sonne, who was not involved with organized activists in advance of the summit. “I’m not interested in playing by the rules anymore.”
Sonne said he intends to help non-technologically savvy activists learn to encrypt their computers and online communications. Police were unable to unencrypt one of Sonne’s hard drives, which led the Crown to argue that it must contain nefarious plans. “There’s nothing on there that wasn’t on my other computers,” said Sonne, who said he encrypted it for travelling over the U.S. border. “But it’s good to know that the technology works.”
Sonne aims to get back the computer security certification that was suspended during his arrest, and wants to start rebuilding his professional network.
Sounds like he needs a job. Toronto-area readers, take note!
Here's our previous Sonne posts.
Byron Sonne, found not guilty on all charges, has plans for the future
(Thanks, Denise!)
Dancho Danchev reports an incident in which a friend pinged him at an odd hour on Skype "with a message pointing to what appeared to be a photo site with the message 'hahahahaha foto' and a link to hxxp://random_subdomain.photalbum.org." Yup, malware.
The Poison Ivy trojan is spreading across Skype. [webroot via
Joseph Menn]
— Xeni
By Cory Doctorow at 10:23 am Tuesday, May 15
• Comments • Share
Twitter's #freebyron hashtag is alive with the news that Byron Sonne, the Toronto-area security expert who was incarcerated and treated as a terrorist for pointing out and making fun of the security flaws in the $1.2B security scheme for the Toronto G20 summit, has been found Not Guilty on all counts.
A moment of sanity from the Canadian judicial system, and all it cost was Sonne's marriage, house, and freedom.
Here's our earlier Sonne pieces.
#freebyron
By Cory Doctorow at 2:13 pm Monday, May 14
• Comments • Share
A Russian startup called "Pirate Pay" has received seed funding from Microsoft. The company's technology is designed to attack BitTorrent swarms and trick clients into disconnecting. They've already been hired by Disney and Sony Pictures to attack downloaders, apparently successfully. The company won't disclose how their technology works, which is usually a sign that it will be trivial to counter -- real security measures still work if the other side knows their mechanics. From TorrentFreak:
The idea started three years ago when the developers were building a traffic management solution for Internet providers. The technology worked well. It was able to stop BitTorrent traffic if needed, which made the developers realize that they might have built the holy anti-piracy grail.
“After creating the prototype, we realized we could more generally prevent files from being downloaded, which meant that the program had great promise in combating the spread of pirated content,” Pirate Pay CEO Andrei Klimenko says.
With this new business model in mind the company continued to develop their product, and it didn’t take long before an investor was willing to support it. Last year Pirate Pay received a $100,000 investment from the Microsoft Seed Financing Fund.
Microsoft Funded Startup Aims to Kill BitTorrent Traffic
By Cory Doctorow at 6:00 am Monday, May 14
• Comments • Share
As Kodak stumbles through its bankruptcy, all sorts of weird facts are surfacing, like the news that the company had its own nuclear reactor, producing weapons-grade isotopes. It was installed for neutron imaging experiments in 1974, and while the feds were duly notified, it doesn't look like there was ever a public announcement -- nor was there any notice given to the local firefighters who'd have turned up if anything ever went wrong. If only I'd known about this when writing Makers (which concerns itself with hedge fundies who buy up and strip down Kodak and Duracell), think of the subplots I could have written!
From the Democrat and Chronicle piece by Steve Orr:
Company spokesman Christopher Veronda said he could find no record that Kodak ever made a public announcement of the facility. He also wasn’t sure whether the company had ever notified local police, fire or hazardous-materials officials.
Current city of Rochester officials, whose personnel might have been summoned to Building 82 had an untoward incident occurred, said they were in the dark. Monroe County officials did not provide comment despite several requests.
The Democrat and Chronicle learned of the facility when an employee happened to mention it to a reporter a few months ago.
The recent silence was by design. Detailed information about nuclear power plants and other entities with radioactive material has been restricted since the 2001 terrorist attacks.
Did you know? Kodak Park had a nuclear reactor
(Image: Nuclear Regulatory Commission)
By Cory Doctorow at 7:46 am Friday, May 11
• Comments • Share
The $90 WiFi Pineapple is now in its fourth iteration. The gadget does man-in-the-middle attacks on WiFi networks, allowing its owner to snoop on all the traffic, keylog password entries, and generally compromise the shit out of anyone using WiFi in the area. It's a damned good reason to use a VPN, like The Pirate Bay's IPREDator. Also: it has epic rickrolling potential.
The WiFi Pineapple Mark IV improves tremendously on previous models in both hardware capabilities and ease of use. Where the Mark III brought a completely redesigned web management interface the Mark IV continues with plug & play 3G / 4G connectivity, automatic presistent reverse SSH tunnels and a simplistic status page to name a few. The new control center shows at a glance connected clients hostnames, IP addresses, Karma'd SSID as well as signal strength, idle time and network throughput.
Hardware wise the Mark IV is built on a powerful Atheros AR9331 SoC at 400 MHz--over double that of the previous generation--and sports two Ethernet ports, 802.11 b/g and N connectivity, as well as most notably a USB 2.0 port, allowing for expansions like mass storage and 3G / 4G modems. *modem sold separately.
Also it's black, which adds at least 50 hacker points.
WiFi Pineapple Mark IV
(via JWZ)
By Xeni Jardin at 1:51 pm Monday, May 7
• Comments • Share
Don't do this. (via @ryanaraine + @kimzetter)
CNET's Emil Protalinski reports that Osama bin Laden did not encrypt the thousands of files stored in the Pakistani compound where he was killed, and "17 of the 6,000 documents have now been publicly released."
(via @ioerror) — Xeni
By Cory Doctorow at 6:00 am Thursday, May 3
• Comments • Share
Bruce Schneier comments on an NYT report on cybercrime that shows that there's just not much money to be had in being a ripoff artist. Dinei Florêncio and Cormac Herley wrote:
A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
The authors frame cybercrime as a "tragedy of the commons," where the overfishing (overphishing) by crooks has reduced everyone's margins to nothing, making it hard graft indeed. Meanwhile, cybercrime estimates are subject to the same lobbynomics used to calculate losses from music downloading and profits from drug seizures:
Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can't be canceled.
Cybercrime as a Tragedy of the Commons
By Xeni Jardin at 4:35 pm Wednesday, May 2
• Comments • Share
Cue up the Yakity Sax! In case you missed it, there have been a number of Boing Boing posts of late documenting outrageous TSA incidents:
• A terminal in Newark airport was evacuated because the TSA forgot to screen a tiny baby.
• TSA agents discovered an "anomaly in the crotchital area" of a 79-year-old woman.
• TSA agents at JFK harassed the family of a 7-year-old girl with cerebral palsy and developmental disability.
• TSA screeners in LA ran a drug ring and took bribes from drug dealers.
• The TSA's anti-hugging squad caught a terrorist masquerading as a 4-year-old girl who loves her grandma.
• A 95-year-old US Air Force veteran from World War II and his 85-year-old friend were humiliated, searched and robbed at a San Diego TSA checkpoint.
Did we miss anything else in the past week or so? Let us know in the comments.
Photo: Carolina K. Smith, M.D. / Shutterstock.com
By Cory Doctorow at 12:12 pm Monday, Apr 30
• Comments • Share
Some WiFi-connected Samsung TVs can be put into an endless restart loop by sending invalid new-remote-added messages to them. Best part: the researcher who discovered this couldn't report it, because Sammy doesn't have a locatable facility for accepting information about security flaws.
“The bugs have been tested on a d6000 and d6050 TV, but it's highly possible that many of the Samsung devices supporting this protocol are vulnerable because d6xxx is a recent TV and usually these 'core' components are like libraries shared with other devices that make use of the same protocol,” he said via email.
Auriemma claims there is no fix for these bugs because he was unable to report the bugs to Samsung. He has also received no word from Samsung. He claims that Samsung doesn’t even have a channel through which to report these types of bugs.
Researcher Causes Endless Restart Loop on Samsung TVs
(via The Command Line)
By Xeni Jardin at 8:10 pm Wednesday, Apr 25
• Comments • Share
Photo: Reuters. A man is screened with a backscatter x-ray machine at an LAX TSA checkpoint.
Four present and past security screeners at LAX took 22 payments of up to $2400 each to let large shipments of coke, meth, and pot slip through baggage X-ray machines. Oh, we are so very, very shocked.
In one incident detailed in the 40-page indictment (Link), screeners plotted to allow eight pounds of crystal meth to get through—then one of them ducked into an airport men's room where he was handed $600, the second payment for that delivery.
Read the rest
By Xeni Jardin at 7:50 pm Wednesday, Apr 25
• Comments • Share
PHOTO: Snapshot by Lori Croft of her 4-year-old granddaughter Isabella Brademeyer, in Wichita, Kan., where she was a flower girl at her uncle’s wedding. The child was harassed by TSA goons on the way back from that family event, for the crime of hugging her granny.
Earlier this week on Boing Boing, Cory blogged about a 95-year-old Air Force veteran who was robbed of $300 at a TSA checkpoint. After picking on the elderly, today the TSA is bullying children. A 4-year-old girl who was upset during a TSA screening at the Wichita, KS airport was forced to undergo a manual pat-down after hugging her grandmother. Agents yelled at the child, and called her an uncooperative suspect.
Nope, we're not making this up.
The child's mom, Michelle Brademeyer of Montana, shared the incident in a public Facebook post last week, and the story has since spread widely.
“They didn’t explain anything and she did not know what was going on,” the grandmother told the Associated Press. “She saw people grabbing at her and raising their voices. To her, someone was trying to kidnap her or harm her in some way.”
Think the TSA has apologized? Nah. The agency is defending its agents, despite promised changes in operational standards to "reduce pat-downs of children."
Read the rest
