
Comment-spammers threaten to sabotage their victims through Google Disavow if the evidence of their vandalism isn't removed

Tim got an email from someone trying to get rid of comment spam -- ever since Google started punishing sites that left comment spam on blogs, this has been going on a lot. When Tim told the guy to buzz off, he threatened Tim with sabotage by means of Google's "Disavow" tool, growing progressively more abusive as Tim stood his ground.


Massive security flaw in GNU/Linux crypto code

A major, critical security flaw in a key cryptographic program used by most flavors of GNU/Linux as well as other free/open operating systems has been reported. The bug, which appears in the GnuTLS code, allows for undetectable man-in-the-middle attacks against affected systems. My operating system, Ubuntu, had an update waiting for it this morning that patched this. If you're running any flavor of Linux or BSD, you should immediately check for, and apply, any TLS patches offered through your distribution.


Guy who "fixed" women's computers spied through their webcams


A London court has found a man named Andrew Meldrum guilty of "unauthorised access to computer material" and "voyeurism." Meldrum "helped" young women fix their computers and covertly installed snoopware on them, and subsequently spied on them via their webcams. He is to be sentenced in April. A forensics expert claims that this sort of thing is "very common."


Trustycon: how to redesign NSA surveillance to catch more criminals and spy on a lot fewer people

The Trustycon folks have uploaded over seven hours' worth of talks from their event, an alternative to the RSA security conference founded by speakers who quit over RSA's collusion with the NSA. I've just watched Ed Felten's talk on "Redesigning NSA Programs to Protect Privacy" (starts at 6:32:33), an absolutely brilliant talk that blends a lucid discussion of statistics with practical computer science and crimefighting, all within a framework of respect for privacy, liberty and the US Bill of Rights.

Felten's talk lays out how the NSA's mass-collection program works, what its theoretical basis is for finding terrorists in all that data, and then explains how this is an incredibly inefficient and risky and expensive way of actually fighting crime. Then he goes on to propose an elegant alternative that gets better intelligence while massively reducing the degree of surveillance and the risk of disclosure.

I'm using Vid to MP3 to convert the whole seven hours' worth of talks to audio and plan on listening to them over the next couple of days.

Update: Here's that MP3 -- it's about 1GB. Thanks to the Internet Archive for hosting it!

TrustyCon - Live from San Francisco

Report from Trustycon: like RSA, but without the corruption


Seth Rosenblatt reports from Trustycon, the conference formed as a protest against, and alternative to, the RSA security conference. RSA's event is the flagship event in the security industry, but the news that RSA had accepted $10M from the NSA to sabotage its own products so that spies could break into the systems of RSA customers led high-profile speakers like Mikko Hypponen to cancel their appearances at the event.

Trustycon sold out, raised $20,000 for the Electronic Frontier Foundation, and, most importantly, got key members of the security industry to come to grips with the question of improving network security in an age when spy agencies are spending hundreds of millions of dollars every year to undermine it.


Break up the NSA and save American spooks from themselves

On CNN, Bruce Schneier lays out the current organizational structure of the NSA, dividing its activities into three categories: spying on specific people; spying on everyone; and breaking the Internet to make spying easier. He then proposes a new structure for the American intelligence apparat: move spying on specific people to a totally separate US Cyber Command under the DoD ("attacking enemy networks is an offensive military operation, and should be part of an offensive military unit"); move spying on Americans to the FBI and create safeguards to be sure this is done in accord with the law and the Constitution; and terminate the NSA's program of undermining security.

Instead, put the NSA in charge of improving the security of Internet users -- including American residents, businesses and government agencies -- so that the nation is resilient. As Schneier writes: "We need the NSA's expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts -- from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly -- no secrecy required."


Make your own DHS threat-level chart


Personalthreatlevel lets you create your own custom DHS-style threat-level that will serve you well as a means of frightening the people in your life with nebulous, ill-defined scariness. Here's Bruce Sterling's Tumblr version.

The Current Threat Level is...

Podcast: EFF, Trustycon, and The Day We Fight Back

Nathan sez, "This is Episode 9 of Embracing Disruption Podcast (EDP). In this episode I interview April Glaser from the EFF. We talk about internet activism, the EFF, TrustyCon, and The Day We Fight Back."

009 EFF, TrustyCon, and The Day We Fight Back

Careto (the Mask): long-running, sophisticated APT malware

Researchers at Kaspersky Lab have uncovered a new, long-lived piece of espionage malware called Careto (Spanish for "Mask"). The software, which attacks Windows, Mac OS and GNU/Linux, has been running since at least 2007 and has successfully targeted at least 380 victims in 31 countries, gaining access via directed spear-phishing attacks, which included setting up fake sites to impersonate The Guardian. The Mask was thought to be the work of a government, and its targets were "government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists." It is possible that the Mask also targeted Android and iOS devices.


How UK spies committed illegal DoS attacks against Anonymous

A new Snowden leak, reported by NBC, documents the UK spy agency GCHQ's attacks on Anonymous, including denial-of-service attacks, which are strictly forbidden under UK law. As the Slashdot story notes, "Regular citizens would face 10 years in prison and enormous fines for committing a DoS / DDoS attack. The same applies if they encouraged or assisted in one. But if you work in the government, it seems like you're an exception to the rule."

NBC has published a minimally redacted version [PDF] of the GCHQ slide-deck detailing the agency's illegal hacking attacks on alleged Anonymous participants.


Social-engineering the FBI in 1971


In The Burglary: The Discovery of J. Edgar Hoover's Secret FBI, Betty Medsger reveals the long-secret details of the Citizens Commission to Investigate the FBI, an activist group that raided the FBI's offices, retrieving evidence of J Edgar Hoover's criminal program of secret spying. The book is a rollicking history of the confluence of protest, locksport, activism and amateur spycraft. One of its most hilarious moments is the description of the group's social engineering hack on an unpickable lock that they needed to get past in order to get to their target:


David Cameron: TV crime dramas prove we need mass warrantless electronic surveillance

UK Conservative Prime Minister David Cameron says that ISPs and phone companies should be required to store records of every click you make, every conversation you have, and every place you physically move through. He says that communications companies should be required to make it impossible to keep your communications from being eavesdropped on, with mandatory back-doors.

He says we need this law because "TV crime dramas illustrated the value of monitoring mobile data."

Remember the Snooper's Charter, the 2012 UK Conservative plan to require ISPs and phone companies to retain the records of all your calls and movements, and make them available to police and government without a warrant? Home Secretary Theresa May proposed an unlimited budget to pay ISPs to help spy on you, and called people who opposed this "conspiracy theorists" and said the only people who need freedom from total, continuous surveillance were "criminals, terrorists and paedophiles."

The Snooper's Charter was killed by a rebellion from Libdem MPs, who rejected the plan. Now it's back, just as the public are starting to have a debate about electronic spying thanks to NSA whistleblower Edward Snowden, who revealed the extent to which our online habits are already illegally surveilled by government spies. Let's hope that the Snowden revelations -- and the US government's admission that mass spying never caught a terrorist or foiled a terrorism attempt -- strangle this Cameron brainchild in its cradle.


Extorted out of a one-character Twitter ID by a hacker who seized control of GoDaddy domains


Naoki Hiroshima was lucky enough to snag a one-character Twitter username: @N. Over the years, he'd been offered large sums -- as much as $50,000 -- for the name, but he kept it. Then, according to a horrifying first-person account, a hacker socially engineered the last four digits of his credit card out of PayPal, used that information to seize control of his GoDaddy account, and threatened to trash all of Hiroshima's websites unless Hiroshima transferred @N to the hacker. The hacker also seized control of Hiroshima's Facebook account. The attack took place over the Martin Luther King, Jr. Day holiday, and Hiroshima couldn't get his case escalated to anyone at Twitter, GoDaddy or PayPal while it was taking place, and so he lost his domain. All three companies now say that they're looking into his story. Hiroshima offers some helpful advice on avoiding his fate (use two-factor authentication, mostly).

I'd add that it's generally good practice to avoid GoDaddy, because they're SOPA-supporting sellout scum, and they suck.


US intel chief James Clapper: journalists reporting on leaked Snowden NSA docs “accomplices” to crime


U.S. Director of National Intelligence James Clapper. (Kevin Lamarque/Reuters)

In a Senate Judiciary Hearing on NSA surveillance today, Director of National Intelligence James Clapper insinuated dozens of journalists reporting on documents leaked by NSA whistleblower Edward Snowden were “accomplices” to a crime. His spokesman further suggested Clapper was referring to journalists after the hearing had concluded.

If this is the official stance of the US government, it is downright chilling.


How to configure Chrome to stop websites from bugging you with your computer's microphone and camera


Under Chrome's security model, a website that gets your permission to access your mic and camera once keeps it forever, regardless of which page is loaded -- so you might authorize an app running on one page of GitHub to use your mic, and thereafter, every GitHub page you visit can listen in on you automatically, without you getting any indication that this is going on. Google maintains that this is the right way for Chrome to behave -- that it complies with the relevant W3C standard.

Google has created a fix for this, but has not pushed it to Chrome users. If you want to protect your camera and mic from sneaky or unintended remote operation and you use Chrome, you'll need to take some extraordinary measures, which are laid out in this Lifehacker post. The simplest thing is to disable camera/mic access in Chrome altogether, but that sucks if there are some instances in which you'd like to have them switched on.
