
How the NSA plans to automatically infect "millions" of computers with spyware




A new Snowden leak, detailed in a long, fascinating piece in The Intercept, explains the NSA's TURBINE initiative, intended to automate malicious software infections. These infections -- called "implants" in spy jargon -- have historically been carried out on a narrow, surgical scale, targeted at people of demonstrated value to spies, due to the expense and difficulty of arranging the attacks.

But TURBINE, which was carried out with other "Five Eyes" spy agencies as part of the NSA's $67.6M "Owning the Net" plan, is intended to automate the infection process, allowing for "millions" of infections at once.

The article also mentions an internal NSA message-board posting called "I hunt sys admins," which sheds some light on the surveillance practices at the NSA. In the post, an NSA operative explains that he targets systems administrators at companies, especially telecoms companies, as a "means to an end" -- that is, as a way of infiltrating the companies' networks. As Glenn Greenwald and Ryan Gallagher point out, this admission shows that malware attacks are not targeted solely, or even particularly, at people suspected of terrorism or other crimes; rather, they are aimed at the people who maintain the infrastructure of critical networks and systems, so that the NSA can control those systems.

The malware that TURBINE implants can compromise systems in a variety of ways, including hijacking computer cameras and microphones, harvesting Web-browsing history and email traffic, logging passwords and other keystrokes, etc.


Security as a public health discipline, not an engineering one

In my latest Guardian column, If GCHQ wants to improve national security it must fix our technology, I argue that computer security isn't really an engineering issue, it's a public health issue. As with public health, it's more important to be sure that our pathogens are disclosed, understood and disclosed than it is to keep them secret so we can use them against our enemies.


Videos of individual Trustycon talks

I linked to the seven-hour video file from Trustycon, the convention held as an alternative to RSA's annual security event, inspired by the revelation that RSA took money from the NSA to sabotage its own products.

Now Al has broken the video down into the individual talks and uploaded them to YouTube. This is very handy -- thanks, Al!

TrustyCon Videos Available (Thanks, Al!)

Netflix disables Chrome's developer console

When you watch Netflix videos in the Chrome browser, the service disables Chrome's developer console, a debugging and programming tool that gives you transparency and control over what your browser is doing. The Hacker News thread explains that this is sometimes done in order to stop an attack called "Self-XSS" that primarily arises on social media sites, where it can cause a browser to leak nominally private information to third parties. But in this case, the "Self-XSS" attack Netflix is worried about is very different: they want to prevent browser owners from consciously choosing to run scripts in the Netflix window that subvert Netflix's restrictions on video.

This is the natural outflow of the pretense that "streaming" exists as a thing that is distinct from "downloading" -- the idea that you can send a stream of bytes to someone else's computer without the computer being able to store those bytes. "Streaming" is at the heart of "rental" business models like Netflix's, and there's nothing wrong with the idea of rental per se. But the only way to attain "rental" with computers is to design computers so that their owners can't give them orders that the landlords disagree with. You have to change the computer and its software so that you can't see what it's doing and can't change what it's doing.

Your browser is a portal to your whole social life, your financial life and your work life, entrusted with the most potentially compromising secrets of your life. Anything that allows third parties to make it harder for you to figure out what the browser is doing, or to prevent it from doing something you don't want, should be a non-starter. As soon as a powerful entity like Netflix comes to depend on -- and insist on -- computers that owners can't control, that company is doing something wrong. Not because rentals are bad, but because taking away owner control from computers is bad.

This is why it's such a big deal that Netflix has convinced Microsoft, Apple, and Google to build user-controlling technology into their browsers, and why it's such a big deal that Microsoft, Apple, and Google have convinced the W3C to standardize this for all devices with HTML5 interfaces. Any time we allow the discussion to be sidetracked into "How can Netflix maximize its revenue by enforcing rental terms?" we're missing the real point, which is, "How can people be sure that their browsers aren't betraying them?"

Netflix disables use of the Chrome developer console (pastebin.com)

Comment-spammers threaten to sabotage their victims through Google Disavow if the evidence of their vandalism isn't removed

Tim got an email from someone trying to get rid of comment spams -- ever since Google started punishing sites that left comment spam on blogs, this has been going on a lot. When Tim told the guy to buzz off, he threatened Tim with sabotage by means of Google's "Disavow" tool, growing progressively more abusive as Tim stood his ground.


Massive security flaw in GNU/Linux crypto code

A major, critical security flaw in a key cryptographic library used by most flavors of GNU/Linux as well as other free/open operating systems has been reported. The bug, which appears in the GnuTLS code, allows for undetectable man-in-the-middle attacks against affected systems. My operating system, Ubuntu, had an update waiting for it this morning that patched this. If you're running any flavor of Linux or BSD, you should immediately check for, and apply, any TLS patches offered through your distribution.


Guy who "fixed" women's computers spied through their webcams


A London court has found a man named Andrew Meldrum guilty of "unauthorised access to computer material" and "voyeurism." Meldrum "helped" young women fix their computers and covertly installed snoopware on them, and subsequently spied on them via their webcams. He is to be sentenced in April. A forensics expert claims that this sort of thing is "very common."


Trustycon: how to redesign NSA surveillance to catch more criminals and spy on a lot fewer people

The Trustycon folks have uploaded over seven hours' worth of talks from their event, an alternative to the RSA security conference founded by speakers who quit over RSA's collusion with the NSA. I've just watched Ed Felten's talk on "Redesigning NSA Programs to Protect Privacy" (starts at 6:32:33), an absolutely brilliant talk that blends a lucid discussion of statistics with practical computer science and crimefighting, all within a framework of respect for privacy, liberty and the US Bill of Rights.

Felten's talk lays out how the NSA's mass-collection program works, what its theoretical basis is for finding terrorists in all that data, and then explains how this is an incredibly inefficient and risky and expensive way of actually fighting crime. Then he goes on to propose an elegant alternative that gets better intelligence while massively reducing the degree of surveillance and the risk of disclosure.

I'm using Vid to MP3 to convert the whole seven hours' worth of talks to audio and plan on listening to them over the next couple of days.

Update: Here's that MP3 -- it's about 1GB. Thanks to the Internet Archive for hosting it!

TrustyCon - Live from San Francisco

Report from Trustycon: like RSA, but without the corruption


Seth Rosenblatt reports from Trustycon, the conference formed as a protest against, and alternative to the RSA security conference. RSA's event is the flagship event in the security industry, but the news that RSA had accepted $10M from the NSA to sabotage its own products so that spies could break into the systems of RSA customers led high profile speakers like Mikko Hypponen to cancel their appearances at the event.

Trustycon sold out, raised $20,000 for the Electronic Frontier Foundation, and, most importantly, got key members of the security industry to come to grips with the question of improving network security in an age when spy agencies are spending hundreds of millions of dollars every year to undermine it.


Break up the NSA and save American spooks from themselves

On CNN, Bruce Schneier lays out the current organizational structure of the NSA, dividing its activities into three categories: spying on specific people; spying on everyone; and breaking the Internet to make spying easier. He then proposes a new structure for the American intelligence apparat: move spying on specific people to a totally separate US Cyber Command under the DoD ("attacking enemy networks is an offensive military operation, and should be part of an offensive military unit"); move spying on Americans to the FBI and create safeguards to be sure this is done in accord with the law and the Constitution; and terminate the NSA's program of undermining security.

Instead, put the NSA in charge of improving the security of Internet users -- including American residents, businesses and government agencies -- so that the nation is resilient. As Schneier writes: "We need the NSA's expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts -- from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly -- no secrecy required."


Make your own DHS threat-level chart


Personalthreatlevel lets you create your own custom DHS-style threat-level that will serve you well as a means of frightening the people in your life with nebulous, ill-defined scariness. Here's Bruce Sterling's Tumblr version.

The Current Threat Level is...

Podcast: EFF, Trustycon, and The Day We Fight Back

Nathan sez, "This is Episode 9 of Embracing Disruption Podcast (EDP). In this episode I interview April Glaser from the EFF. We talk about internet activism, the EFF, TrustyCon, and The Day We Fight Back."

009 EFF, TrustyCon, and The Day We Fight Back

Careto (the Mask): long-running, sophisticated APT malware

Researchers at Kaspersky Lab have uncovered a new, long-lived piece of espionage malware called Careto (Spanish for "Mask"). The software, which attacks Windows, Mac OS and GNU/Linux, has been running since at least 2007 and has successfully targeted at least 380 victims in 31 countries, gaining access via directed spear-phishing attacks, which included setting up fake sites to impersonate The Guardian. The Mask is thought to be the work of a government, and its targets were "government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists." It is possible that the Mask also targeted Android and iOS devices.


How UK spies committed illegal DoS attacks against Anonymous

A new Snowden leak, reported by NBC, documents the UK spy agency GCHQ's attacks on Anonymous, including denial-of-service attacks, which are strictly forbidden under UK law. As the Slashdot story notes, "Regular citizens would face 10 years in prison and enormous fines for committing a DoS / DDoS attack. The same applies if they encouraged or assisted in one. But if you work in the government, it seems like you're an exception to the rule."

NBC has published a minimally redacted version [PDF] of the GCHQ slide-deck detailing the agency's illegal hacking attacks on alleged Anonymous participants.


Social-engineering the FBI in 1971


In The Burglary: The Discovery of J. Edgar Hoover's Secret FBI, Betty Medsger reveals the long-secret details of the Citizens Commission to Investigate the FBI, an activist group that raided the FBI's offices, retrieving evidence of J Edgar Hoover's criminal program of secret spying. The book is a rollicking history of the confluence of protest, locksport, activism and amateur spycraft. One of its most hilarious moments is the description of the group's social engineering hack on an unpickable lock that they needed to get past in order to get to their target:
