Glenn Greenwald and Laura Poitras enter the US for first time since Snowden leaks

A first since they began reporting on the material leaked by NSA whistleblower Edward Snowden: Glenn Greenwald and Laura Poitras, landing in the United States. There have been concerns that the US might detain them if they entered the country.

(Disclosure: I'm on the board of the Freedom of the Press Foundation with all three) Read the rest

Playground removes "safety" rules; fun, development and injuries ensue

The Swanson School in Auckland, NZ, quietly eliminated all the rules against "unsafe play," allowing kids to play swordfight with sticks, ride scooters, and climb trees. It started when the playground structures were torn down to make way for new ones, and the school principal, Bruce McLachlan, noticed that kids were building their own structures out of the construction rubble. The "unsafe" playground has resulted in some injuries, including at least one broken arm, but the parents are very supportive of the initiative. In particular, the parents of the kid with the broken arm made a point of visiting the principal to ask him not to change the playground just because their kid got hurt.

The article in the Canadian National Post notes that Kiwis are less litigious, by and large, than Americans, and that they enjoy an excellent national health service, and says that these two factors are a large contributor to the realpolitik that makes the playground possible. But this is still rather daring by Kiwi standards. Read the rest

Google Maps' spam problem presents genuine security issues

Bryan Seely, a Microsoft Engineer demonstrated an attack against Google Maps through which he was able to set up fake Secret Service offices in the company's geo-database, complete with fake phone numbers that rang a switch under his control and then were forwarded to real Secret Service offices, allowing him to intercept and record phone-calls made to the Secret Service (including one call from a police officer reporting counterfeit money). Seely was able to attack Google Maps by adding two ATMs to the database through its Google Places crowdsourcing tool, verifying them through a phone verification service (since discontinued by Google), then changing them into Secret Service offices. According to Seely, the disabling of the phone-verification service would not prevent him from conducting this attack again.

As Dune Lawrence points out, this is a higher-stakes version of a common spam-attack on Google Maps practiced by locksmith, carpet cleaning, and home repair services. Spammers flood Google Maps with listing for fake "local" companies offering these services, and rake in high commissions when you call to get service, dispatching actual local tradespeople who often charge more than you were quoted (I fell victim to this once, when I had a key break off in the lock of my old office-door in London and called what appeared to be a "local" locksmith, only to reach a call-center who dispatched a locksmith who took two hours to arrive and charged a huge premium over what I later learned by local locksmiths would have charged). Read the rest

Spyware increasingly a part of domestic violence

Australian Simon Gittany murdered his girlfriend, Lisa Harnum, after an abusive relationship that involved his surveillance of her electronic communications using off-the-shelf spyware marketed for purposes ranging from keeping your kids safe to spotting dishonest employees. As Rachel Olding writes in The Age, surveillance technology is increasingly a factor in domestic violence, offering abusive partners new, thoroughgoing ways of invading their spouses' privacy and controlling them.

The spyware industry relies upon computers -- laptops, mobile devices, and soon, cars and TVs and thermostats -- being insecure. In this, it has the same goals as the NSA and GCHQ, whose BULLRUN/EDGEHILL program sought to weaken the security of widely used operating systems, algorithms and programs. Every weakness created at taxpayer expense was a weakness that spyware vendors could exploit for their products.

Likewise, the entertainment industry wants devices that are capable of running code that users can't terminate or inspect, so that they can stop you from killing the programs that stop you from saving Netflix streams, running unapproved apps, or hooking unapproved devices to your cable box.

And Ratters, the creeps who hijack peoples' webcams in order to spy on them and blackmail them into sexual performances, also want computers that can run code that users can't stop. And so do identity thieves, who want to run keyloggers on your computer to get your banking passwords. And so do cops, who want new powers to insert malware into criminals' computers.

There are a lot of ways to slice the political spectrum -- left/right, authoritarian/anti-authoritarian, centralist/decentralist. Read the rest

Basecamp, Meetup hit by extortionist's 20Gb/s DDoS

If you're a Basecamp user who couldn't get into your account yesterday, here's why: the company refused to pay ransom to a criminal who hit them with a 20Gb/s denial-of-service flood, apparently by the same person who attacked Meetup, who uses gmail addresses in this pattern: "dari***@gmail.com." Read the rest

Assistant AG admits he doesn't understand what Weev did, but he's sure it's bad

Andrew “weev” Auernheimer is serving a 41-month sentence for visiting a publicly available webpage and revealing that AT&T had not secured its customers' sensitive financial information. Now, weev's lawyers are appealing, and in the opening day's arguments, Assistant US Attorney Glenn Moramarco admitted I don’t even understand what [Auernheimer actually did.]" Then he compared it to blowing up a nuclear power-plant. Read the rest

Self-directed Crypto 101 online course

Crypto 101 is a free online course on practical, applied cryptography: " everything you need to understand complete systems such as SSL/TLS: block ciphers, stream ciphers, hash functions, message authentication codes, public key encryption, key agreement protocols, and signature algorithms." Read the rest

Fedbizopps: the US government's searchable database of defense-contractor opportunities

Dave from the Electronic Frontier Foundation sez, "The government often makes itself more accessible to businesses than the general public. For Sunshine Week, we compiled this guide to using FedBizOpps to keep an eye on surveillance technology contracts."

Fedbizopps is a weird, revealing window into the world of creepy surveillance, arms, and technology contractors who build and maintain the most oppressive and unethical parts of the apparatus of the US government. Everything from drone-testing of biological and chemical weapons to license plate cameras to weaponized bugs and other malware are there. The EFF post also has links to data-mining tools that help estimate just how much money the private arms dealers extract from the tax-coffers. Read the rest

Samsung Galaxy back-door allows for over-the-air filesystem access

Developers from the Replicant project (a free Android offshoot) have documented a serious software back-door in Samsung's Android phones, which "provides remote access to the data stored on the device." They believe it is "likely" that the backdoor could provide "over-the-air remote control" to "access the phone's file system."

At issue is Samsung's proprietary IPC protocol, used in its modems. This protocol implements a set of commands called "RFS commands." The Replicant team says that it can't find "any particular legitimacy nor relevant use-case" for adding these commands, but adds that "it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage."

The Replicant site includes proof-of-concept sourcecode for a program that will access the file-system over the modem. Replicant has created a replacement for the relevant Samsung software that does not allow for back-door access. Read the rest

Tim Berners-Lee calls for Web "Magna Carta" - does the "Web we want" have DRM in it?

The Web is 25 today, and its inventor, Tim Berners-Lee, has called for a "Magna Carta" for the Web, through which the people of the world will articulate how they want to curtail their governments' adversarial attacks on Internet freedom. Berners-Lee is particularly concerned with the Edward Snowden revelations about mass surveillance and systematic government sabotage of Internet security.

I'm delighted to see Berners-Lee tackling this. Everything we do today involves the Web and everything we do tomorrow will require it; getting Web policy right is the first step to getting everything else right.

I hope that this also signals a re-think of Berners-Lee's endorsement of the idea of standardizing "digital rights management" technology for Web browsers through the W3C. The majority of the Web's users live in a country in which it is illegal to report on vulnerabilities in DRM, because doing so might help to defeat the DRM's locks. The standardization of DRM in the deep structures of the Web means that our browsers will become reservoirs of long-lived, critical bugs that can be used to attack Web users -- just as Web users are massively expanding the activities that are mediated through their browsers.

If we are to have a Web that is fit for a free and fair world, it must be a Web where researchers are free to warn users about defects in their tools. We wouldn't countenance a rule that banned engineers from telling you if your house was structurally unsound. By standardizing DRM in browsers, the W3C is setting in place rules that will make it virtually impossible to know if your digital infrastructure is stable and secure. Read the rest

How the NSA plans to automatically infect "millions" of computers with spyware

A new Snowden leak, detailed in a long, fascinating piece in The Intercept, explains the NSA's TURBINE initiative, intended to automate malicious software infections. These infections -- called "implants" in spy jargon -- have historically been carried out on a narrow, surgical scale, targeted at people of demonstrated value to spies, due to the expense and difficulty of arranging the attacks.

But TURBINE, which was carried out with other "Five Eyes" spy agencies as part of the NSA's $67.6M "Owning the Net" plan, is intended to automate the infection process, allowing for "millions" of infections at once.

The article mentions an internal NSA message-board posting called "I hunt sys admins," sheds some light on the surveillance practices at the NSA. In the post, an NSA operative explains that he targets systems administrators at companies, especially telecoms companies, as a "means to an end" -- that is, infiltrating the companies' networks. As Glenn Greenwald and Ryan Gallagher point out, this admission shows that malware attacks are not targeted solely or even particularly at people suspected of terrorism or other crimes -- rather, they are aimed at the people who maintain the infrastructure of critical networks and systems to allow the NSA to control those systems.

The malware that TURBINE implants can compromise systems in a variety of ways, including hijacking computer cameras and microphones, harvesting Web-browsing history and email traffic, logging passwords and other keystrokes, etc. Read the rest

Security as a public health discipline, not an engineering one

In my latest Guardian column, If GCHQ wants to improve national security it must fix our technology, I argue that computer security isn't really an engineering issue, it's a public health issue. As with public health, it's more important to be sure that our pathogens are disclosed, understood and disclosed than it is to keep them secret so we can use them against our enemies. Read the rest

Videos of individual Trustycon talks

I linked to the seven-hour video file from Trustycon, the convention held as an alternative to RSA's annual security event, inspired by the revelation that RSA took money from the NSA to sabotage its own products.

Now Al has broken down the video into the individual talks, uploading them to Youtube. This is very handy -- thanks, Al!

TrustyCon Videos Available (Thanks, Al!) Read the rest

Netflix disables Chrome's developer console

When you watch Netflix videos in the Chrome browser, the service disables Chrome's developer console, a debugging and programming tool that gives you transparency and control over what your browser is doing. The Hacker News thread explains that this is sometimes done in order to stop an attack called "Self-XSS" that primarily arises on social media sites, where it can cause a browser to leak nominally private information to third parties. But in this case, the "Self-XSS" attack Netflix is worried about is very different: they want to prevent browser owners from consciously choosing to run scripts in the Netflix window that subvert Netflix's restrictions on video.

This is the natural outflow of the pretense that "streaming" exists as a thing that is distinct from "downloading" -- the idea that you can send a stream of bytes to someone else's computer without the computer being able to store those bytes. "Streaming" is at the heart of "rental" business models like Netflix's, and there's nothing wrong with the idea of rental per se. But the only way to attain "rental" with computers is to design computers so that their owners can't give them orders that the landlords disagree with. You have to change the computer and its software so that you can't see what it's doing and can't change what it's doing.

Your browser is a portal to your whole social life, your financial life and your work life, entrusted with the most potentially compromising secrets of your life. Anything that allows third parties to make it harder for you to figure out what the browser is doing, or to prevent it from doing something you don't want, should be a non-starter. Read the rest

Comment-spammers threaten to sabotage their victims through Google Disavow if the evidence of their vandalism isn't removed

Tim got an email from someone trying to get rid of comment spams -- ever since Google started punishing sites that left comment spam on blogs, this has been going on a lot. When Tim told the guy to buzz off, he threatened Tim with sabotage by means of Google's "Disavow" tool, growing progressively more abusive as Tim stood his ground. Read the rest

Massive security flaw in GNU/Linux crypto code

A major, critical security flaw in a key cryptographic program used by most flavors of GNU/Linux as well as other free/open operating systems has been reported. The bug, which appears in the Gnutls code, allows for undetectable man-in-the-middle attacks against affected systems. My operating system, Ubuntu, had an update waiting for it this morning that patched this. If you're running any flavor of Linux or BSD, you should immediately check for, and apply, any TLS patches offered through your distribution. Read the rest

Guy who "fixed" women's computers spied through their webcams

A London court has found a man named Andrew Meldrum guilty of "unauthorised access to computer material" and "voyeurism." Meldrum "helped" young women fix their computers and covertly installed snoopware on them, and subsequently spied on them via their webcams. He is to be sentenced in April. A forensics expert claims that this sort of thing is "very common." Read the rest

More posts