
How SOPA will attack the Internet's infrastructure and security

The Electronic Frontier Foundation is continuing its series of in-depth analyses of the Stop Online Piracy Act, the most dangerous piece of Internet legislation ever introduced, which is set to be fast-tracked through Congress by Christmas. Today, EFF's Corynne McSherry and Peter Eckersley look at the way that SOPA attacks innovation and the integrity of Internet infrastructure.

In this new bill, Hollywood has expanded its censorship ambitions. No longer content to just blacklist entries in the Domain Name System, this version targets software developers and distributors as well. It allows the Attorney General (doing Hollywood or trademark holders' bidding) to go after more or less anyone who provides or offers a product or service that could be used to get around DNS blacklisting orders. This language is clearly aimed at Mozilla, which took a principled stand in refusing to assist the Department of Homeland Security's efforts to censor the domain name system, but we are also concerned that it could affect the open source community, internet innovation, and software freedom more broadly:

* Do you write or distribute VPN, proxy, privacy or anonymization software? You might have to build in a censorship mechanism — or find yourself in a legal fight with the United States Attorney General.

* Even some of the most fundamental and widely used Internet security software, such as SSH, includes built-in proxy functionality. This kind of software is installed on hundreds of millions of computers, and is an indispensable tool for systems administration professionals, but it could easily become a target for censorship orders under the new bill.

* Do you work with or distribute zone files for gTLDs? Want to keep them accurate? Too bad — Hollywood might argue that if you provide a complete (i.e., uncensored) list, you are illegally helping people bypass SOPA orders.

* Want to write a client-side DNSSEC resolver that uses multiple servers until it finds a valid signed entry? Again, you could be in a fight with the U.S. Attorney General.

Hollywood's New War on Software Freedom and Internet Innovation

iPad 2 unlocking-by-cover vulnerability

The iPad 2 has a weird vulnerability: its PIN-based security can be bypassed by hooking up a "smart cover" Cory

Identity theft marketplace sells mothers' maiden names, dates of birth, etc


Many websites will allow you to "recover a lost password" if you (or a crook) can supply your date of birth, mother's maiden name, etc. So, of course, crooks buy and sell data like dates of birth, mothers' maiden names, Social Security Numbers, and other easily mined minutiae. Brian Krebs reports from superget.info, a site that sells would-be fraudsters this information, and also has a wholesale program so that entrepreneurial crooks can resell your personal information to their friends.

Superget lets users search for specific individuals by name, city, and state. Each “credit” costs USD$1, and a successful hit on a Social Security number or date of birth costs 3 credits each. The more credits you buy, the cheaper the searches are per credit: Six credits cost $4.99; 35 credits cost $20.99, and $100.99 buys you 230 credits. Customers with special needs can avail themselves of the “reseller plan,” which promises 1,500 credits for $500.99, and 3,500 credits for $1000.99.

“Our Databases are updated EVERY DAY,” the site’s owner enthuses. “About 99% nearly 100% US people could be found, more than any sites on the internet now.”

Customers who aren’t choosy about the identities they’re stealing can get a real bargain. Among the most trafficked commodities in the hacker underground are packages called “fullz infos,” which include the full identity information on dozens or hundreds of individuals.

How Much Is Your Identity Worth?

EFF report: How often is SSL attacked?

The Electronic Frontier Foundation's Peter Eckersley has been monitoring the revocation of SSL certificates as a way of figuring out how often the 600+ certificate authorities are hacked. A hacked CA is bad news, because bogus certificates issued by these compromised authorities can be used to undetectably trick your browser into thinking it has a secure connection to your bank, your government, or the update site for your browser:

The most interesting entry in that table is the "CA compromise" one, because those are incidents that could affect any or every secure web or email server on the Internet. In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such statements have been issued by 15 distinct CA organizations. A previous scan, conducted in June this year, showed different numbers...

Those "CA Compromise" CRL entries as of June were published by 10 distinct CAs. So, from this data, we can observe that at least 5 CAs have experienced or discovered compromise incidents in the past four months. Again, each of these incidents could have broken the security of any HTTPS website.

How secure is HTTPS today? How often is it attacked? | Electronic Frontier Foundation

The Homeland Directive: taut technothriller for the paranoid era

Robert Venditti and Mike Huddleston's stand-alone graphic novel The Homeland Directive is a tight, suspenseful technothriller (in Bruce Sterling's definition of the term: "a science fiction story with the president in it"). Mysterious government spooks are hunting a pair of CDC epidemiologists. One is murdered, the other, Dr Laura Regan, is framed for a variety of crimes and barely escapes in the company of rogue spooks who spirit her away to a safe house. The story that unfolds -- a plot to terrorize America into accepting an otherwise unthinkable authoritarian rule in the name of fighting terrorism -- is taut, filled with great spycraft and action sequences. A great, paranoid read for the modern age.

Scrutinizing mobile apps: privacy violations, bloat, and poor security


Troy Hunt installed the HTTP proxy Fiddler on his network and used it to examine the way that iPhone apps performed. What he discovered was a series of shockingly poor implementation decisions that massively bloat the bandwidth needed to load and use apps (important for users whose mobile phone plans contain strict bandwidth caps); poor password security (important for mobile users who roam to untrusted WiFi networks); and aggressive, over-the-top surveillance of your activities by apps that harvest every click, as well as your location, and send them to third parties.

I doubt that these issues are unique to iOS devices. Rather, they represent facts in evidence about the limits of software "curation" to guarantee robust, safe, secure software. It's vanishingly unlikely that any app store with hundreds of thousands (or millions) of apps will be able to subject them to the kind of scrutiny that Hunt engages in here. Combine that with the opacity of the platform, which makes it hard for independent auditors (and users!) to discover what their mobile devices are doing and how they're doing it, and you've got a recipe for a mobile ecosystem that subjects users to high bandwidth fees, invasions of privacy, and compromise of their passwords.

Expert curation of code is a good step towards secure mobile computing, but it's insufficient to keep users safe. Unless platforms are designed with the objective of allowing scrutiny of their inner workings -- something that is at odds with business-models that rely upon establishing exclusive rights to approve and distribute software for a platform -- then they should be assumed to be running apps that are riddled with these sorts of defects.

Suddenly monetisation with powerful data starts to make more sense.

But this is no different to a tracking cookie on a website, right? Well, yes and no. Firstly, tracking cookies can be disabled. If you don’t like ‘em, turn ‘em off. Not so the iOS app as everything is hidden under the covers. Actually, it’s in much the same way as a classic app that gets installed on any OS although in the desktop world, we’ve become accustomed to being asked if we’re happy to share our activities “for product improvement purposes”.

These privacy issues simply come down to this: what does the user expect? Do they expect to be tracked when browsing a cook book installed on their local device? And do they expect this activity to be cross-referenceable with the use of other apparently unrelated apps? I highly doubt it, and therein lies the problem.

Accelerometer-based keylogger in your phone guesses your PC keyboard typing from your body's motions

A Georgia Tech team has built a working app for latest-generation mobile phones that uses the built-in accelerometer to guess which words you're typing on your PC's keyboard, by measuring the movements of your body as you type.


The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard). Finally, the technique only works reliably on words of three or more letters.

For example, take the word “canoe,” which when typed breaks down into four keystroke pairs: “C-A, A-N, N-O and O-E.” Those pairs then translate into the detection system’s code as follows: Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far, or LLN-LRF-RRF-RLF. This code is then compared to the preloaded dictionary and yields “canoe” as the statistically probable typed word. Working with dictionaries comprising about 58,000 words, the system reached word-recovery rates as high as 80 percent.

(via /.)

(Image: Keyboard, a Creative Commons Attribution Share-Alike (2.0) image from bull3t's photostream)
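The pair-encoding scheme quoted above, implemented for the dictionary side only, as an added example (not the Georgia Tech team's code). The QWERTY grid, the near/far cutoff and the tiny word list are assumptions; the point is to reproduce the "canoe" code and to measure how many dictionary words collide on the same code, which is the ambiguity that limits the technique.

```python
"""Keystroke-pair codes (left/right, near/far) and their ambiguity over a dictionary.

Added example, not the study's code. Layout grid, NEAR_MAX and SAMPLE_WORDS
are assumptions chosen so that 'canoe' encodes as the article describes.
"""
import math
from collections import defaultdict

# Assumed layout: y is the row, x is the key's position within the row.
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
KEY_POS = {k: (x, y) for y, row in enumerate(_ROWS) for x, k in enumerate(row)}
LEFT_KEYS = set("qwertasdfgzxcvb")      # keys struck with the left hand
NEAR_MAX = 3.0                          # assumed cutoff, in key widths


def side(key: str) -> str:
    return "L" if key in LEFT_KEYS else "R"


def distance(a: str, b: str) -> float:
    (x1, y1), (x2, y2) = KEY_POS[a], KEY_POS[b]
    return math.hypot(x1 - x2, y1 - y2)


def encode_pair(a: str, b: str) -> str:
    """('c', 'a') -> 'LLN': first key left, second key left, near together."""
    near = "N" if distance(a, b) <= NEAR_MAX else "F"
    return side(a) + side(b) + near


def encode_word(word: str) -> str:
    """Consecutive keystroke pairs joined with '-': 'canoe' -> 'LLN-LRF-RRF-RLF'."""
    w = word.lower()
    if len(w) < 3 or any(c not in KEY_POS for c in w):
        raise ValueError("need a word of three or more letters a-z")
    return "-".join(encode_pair(x, y) for x, y in zip(w, w[1:]))


def build_index(words) -> dict:
    """Map each pair code to every dictionary word that produces it."""
    index = defaultdict(list)
    for w in words:
        index[encode_word(w)].append(w)
    return dict(index)


def candidates(code: str, index: dict) -> list:
    """Dictionary words consistent with an observed code (sorted for stability)."""
    return sorted(index.get(code, []))


def ambiguity(index: dict) -> float:
    """Fraction of words whose code is shared with at least one other word."""
    total = sum(len(v) for v in index.values())
    shared = sum(len(v) for v in index.values() if len(v) > 1)
    return shared / total


# Constructed mini-dictionary standing in for the 58,000-word lists in the study.
SAMPLE_WORDS = ["canoe", "cat", "car", "cab", "dog", "door", "safe", "sale",
                "hole", "pole", "mine", "mint"]

if __name__ == "__main__":
    idx = build_index(SAMPLE_WORDS)
    print(encode_word("canoe"), candidates(encode_word("canoe"), idx))
    print("cat/car/cab share", encode_word("cat"), candidates(encode_word("cat"), idx))
    print(f"ambiguous words: {ambiguity(idx):.0%}")
```

With this grid "cat", "car" and "cab" all encode as LLN-LLF and "pole" collides with "mine", so a real dictionary's recovery rate depends on how often such collisions occur.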

Intel's "Tomorrow Project" -- public conversations about the future of technology

Forbes has a good article on Intel's "Tomorrow Project," wherein Intel Chief Futurist Brian David Johnson gets science fiction writers and technologists to produce materials about the future of technology as part of the company's future product development plans. I've contributed a short story, Knights of the Rainbow Table (about the moment when human-memorizable passwords become trivially computer-guessable), to the accompanying Tomorrow Project Anthology, which launches at NY Comic-Con today.

“It sounds science-fictiony,” he laughs. “But it’s ultimately pragmatic. Chip designs have lead times of 5-10 years, so it’s important to have an understanding of how people will want to interact with computers. I’m literally working on chips for 2020 right now.”

I obviously couldn’t let it lie there. What do you take into account when planning the future? The answer is both intriguing and quite unlike most futurists I know. Johnson’s first stop is the social sciences. He works with Dr. Genevieve Bell, a cultural anthropologist who has been at Intel since 1998. Their teams work with ethnographers, social scientists, and others to understand the current state of the culture and try to figure out where it’s going.

The next step is then looking at the hardware. Johnson and his team work with computer scientists to look at the current state of the art in hardware, software, and algorithms, as well as the research coming up. The tech data is meshed with the social sciences data to answer a simple question: how can we apply this technology to capture people’s imaginations and make their lives better?

Why handmade keys?

Jimmy DiResta from Discovery's "Dirty Money" explains how and why he mods the keys he uses from day to day, making them into artworks:

Maker Jimmy DiResta shares his modded keys at World Maker Faire NYC. His collection of handmade keys are a combination of his problem solving skills and creativity. They are a great example of making art from everyday items without sacrificing functionality. Jimmy is a designer and fabricator who can make just about anything, from just about anything. He’s a woodworker, he sculpts in resin, he welds, and builds with plastics. His hammer and ax skull and crossbone belt buckle started as one of his wooden carvings before he cast it in metal. On a recent tour of his shop, I found the sewing machine he uses to add leather fronts to his pants next to the high-end wooden display he was building for a pop-up gallery.

Facebook's misleading "log out" button and the future of privacy legislation

The Electronic Frontier Foundation's Activism Director Rainey Reitman has an in-depth analysis of how Facebook continues to track its users even after they've taken several affirmative steps to log out of the service, and how this may interact with eventual privacy legislation.

This newest privacy snafu could prod legislators into moving on one of the many online privacy bills that have been introduced this year. Users’ unease with the quickly-evolving technical capabilities of companies to track users, combined with the abstruse ways in which that data can be collected (from social widgets to super cookies to fingerprinting), has resulted in a growing user demand to have Congress provide legal safeguards for individual privacy when using the Internet.

Unsurprisingly, Facebook hopes that its brand of data collection through ‘like’ buttons won’t be subject to federal regulation. According to AdAge, Facebook sent an “army of lawyers” to Washington to convince Senators McCain and Kerry to carve out exceptions to their recently introduced privacy bill so that Facebook could track their users via social widgets on other sites (dubbed the "Facebook loophole"). But while Kerry and McCain may have acquiesced to Facebook's requests, Senator Rockefeller did not. He introduced legislation that would empower the FTC to create rules around how best to protect users online from pervasive online tracking by third parties.

Facebook seems keen to influence future legislation on these issues. They recently filed paperwork to form a political action committee that will be "supporting candidates who share our goals of promoting the value of innovation to our economy while giving people the power to share and make the world more open and connected."

How online crooks use "work from home" patsies to launder goods and forward them offshore


Brian Krebs continues his excellent investigative series on the inner workings of online ripoffs, today with a deep look at underground freight-forwarders, so-called "Drops for stuff." These services use patsies recruited on Craigslist through a "work at home" scam to receive goods bought with stolen credit card numbers and forward them on to crooks.

A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

One drops operation, dropforrent.net, allows “clients” to “rent” drops who have signed up for reshipping jobs. “Managers,” those who facilitate drop recruitment scams, can earn money by purchasing merchandise that the reshipping operation can quickly resell. Most reshipping operations seek consumer electronics that can be easily sold for cash, including laptop computers, cameras, smart phones and parts for sports cars. Dropforrent.com pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products.

HOWTO write more secure free/open source software

Having recently conducted a security audit of several free/open source software programs for the Electronic Frontier Foundation, Chris Palmer and Dan Auerbach have published some guidelines for improving security in free/open software:

Avoid giving the user options that could compromise security, in the form of modes, dialogs, preferences, or tweaks of any sort. As security expert Ian Grigg puts it, there is “only one Mode, and it is Secure.” Ask yourself if that checkbox to toggle secure connections is really necessary? When would a user really want to weaken security? To the extent you must allow such user preferences, make sure that the default is always secure.

Chaos Computer Club cracks Germany's illegal government malware, a trojan that spies on your PC and lets anyone off the street hijack it


Germany's Chaos Computer Club published the source code for a piece of malware used by the German government to spy on citizens. The software was discovered in the wild and reverse engineered. It can be used to spy on or control remote PCs. Because of flaws in the software, anyone who was infected with this by German police was vulnerable to spying by "anyone on the street." The German supreme court banned the use of trojans to spy on German citizens in 2008.

The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the trojan infrastructure.

"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities", commented a speaker of the CCC. "The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'".

To avoid revealing the location of the command and control server, all data is redirected through a rented dedicated server in a data center in the USA. The control of this malware is only partially within the borders of its jurisdiction. The instrument could therefore violate the fundamental principle of national sovereignty. Considering the incompetent encryption and the missing digital signatures on the command channel, this poses an unacceptable and incalculable risk. It also poses the question how a citizen is supposed to get their right of legal redress in the case the wiretapping data get lost outside Germany, or the command channel is misused.

Unicode's "right-to-left" override obfuscates malware's filenames

Unicode has a special character, U+202e, that tells computers to display the text that follows it in right-to-left order; this facility is used to write text in Arabic, Hebrew, and other right-to-left scripts. However, it can be (and is) also used by malware creeps to disguise the names of the files they attach to their phishing emails. For example, the file "CORP_INVOICE_08.14.2011_Pr.phylexe.doc" is actually "CORP_INVOICE_08.14.2011_Pr.phyldoc.exe" (an executable file!) with a U+202e placed just before "doc."

This is apparently an old attack, but I've never seen it, and it's a really interesting example of the unintended consequences that arise when small, reasonable changes are introduced into complex systems like type-display technology.

Some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, albeit occasionally with interesting results. I copied the program that powers the Windows command prompt (cmd.exe) and successfully renamed it so that it appears as “evilexe.doc” in Windows. When I tried to attach the file to an outgoing Gmail message, Google sent me the usual warning that it doesn’t allow executable files, but the warning message itself was backwards:

“evil ‮”cod.exe is an executable file. For security reasons, Gmail does not allow you to send “this type of file.

Unfortunately, many mail applications don’t or can’t reliably scan archived and zipped documents, and according to Commtouch and others, the malicious files manipulated in this way are indeed being spammed out within zip archives.

(via Command Line)
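A defender-side check for the trick described above, as an added example (not from Krebs's post or any mail product): it shows a filename as a renderer would display it, the extension the operating system actually uses, and flags any name carrying Unicode directional formatting characters. The sample name is constructed after the "evil"/"cod.exe" Gmail example in the post; the display approximation only handles a single override.

```python
"""Spot right-to-left-override (U+202E) disguises in attachment filenames.

Added example, not from the post. The raw string 'evil' + U+202E + 'cod.exe'
renders as 'evilexe.doc' but the OS opens it by its real extension, .exe.
"""
import unicodedata

# Unicode bidi formatting characters: embeddings, overrides, PDF and isolates.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Assumed list of extensions worth blocking outright when they are the real one.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}


def displayed_name(raw: str) -> str:
    """Approximate what a renderer shows: everything after an RLO is reversed."""
    if "\u202e" not in raw:
        return raw
    head, _, tail = raw.partition("\u202e")
    return head + tail[::-1]


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def real_extension(raw: str) -> str:
    """Extension the OS uses: last dot of the raw name, with controls stripped."""
    clean = "".join(c for c in raw if c not in BIDI_CONTROLS)
    return _extension(clean)


def analyse(raw: str) -> dict:
    """Report displayed vs. real extension and any bidi controls present."""
    shown = displayed_name(raw)
    controls = [f"U+{ord(c):04X} {unicodedata.name(c)}"
                for c in raw if c in BIDI_CONTROLS]
    real = real_extension(raw)
    return {
        "displayed": shown,
        "displayed_ext": _extension(shown),
        "real_ext": real,
        "bidi_controls": controls,
        "executable": real in EXECUTABLE_EXTS,
        # Any directional control in a filename is reason enough to quarantine.
        "suspicious": bool(controls),
    }


# Constructed sample, modelled on the post's renamed cmd.exe.
SAMPLE_NAME = "evil\u202ecod.exe"

if __name__ == "__main__":
    for name in (SAMPLE_NAME, "report.doc"):
        r = analyse(name)
        print(f"shows as {r['displayed']!r}, really .{r['real_ext']}, "
              f"suspicious={r['suspicious']}, controls={r['bidi_controls']}")
```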

Technique for fighting submission-form spam

Ned Batchelder sums up a series of techniques to keep spammers from attacking submission forms with automated bots (it won't work against humans, but even cheap humans are more expensive than bots). Some of these techniques look like they'll continue to work even if they're widely known, while others depend merely on exploiting vulnerabilities in spammer techniques that will be refined as soon as the exploits are widespread.

We get titanic amounts of spam to the anonymous Boing Boing submission form, and most of it gets stopped using variations on these techniques. One interesting thing about our submission spam is how indiscriminate it is: various scumbags have gone to some lengths to figure out how to send spam to a form whose output is emailed to four people, who will never, ever accidentally post their submission to this blog -- indeed, I just bulk-delete the stuff that makes it through the filter without even opening it. Our spammers are indiscriminate enough to use spammy subject lines, which means, I suppose, that they think they're going to end up somewhere a human being won't see them but a search-engine might.

The comment form has four key components: timestamp, spinner, field names, and honeypots.

The timestamp is simply the number of seconds since some fixed point in time. For example, the PHP function time() follows the Unix convention of returning seconds since 1/1/1970.

The spinner is a hidden field used for a few things: it hashes together a number of values that prevent tampering and replays, and is used to obscure field names. The spinner is an MD5 hash of:

* The timestamp,
* The client's IP address,
* The entry id of the blog entry being commented on, and
* A secret.

The field names on the form are all randomized. They are hashes of the real field name, the spinner, and a secret. The spinner gets a fixed field name, but all other fields on the form, including the submission buttons, use hashed field names.

Honeypot fields are invisible fields on the form. Invisible is different than hidden. Hidden is a type of field that is not displayed for editing. Bots understand hidden fields, because hidden fields often carry identifying information that has to be returned intact. Invisible fields are ordinary editable fields that have been made invisible in the browser.

(via O'Reilly Radar)
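The four components described above (timestamp, spinner, hashed field names, honeypots) wired together server-side, as an added example that is not Ned Batchelder's or Boing Boing's code. It substitutes HMAC-SHA256 for the MD5 named in the post; the secret, the time window and the field lists are assumptions.

```python
"""Form-spam defence: timestamp + spinner + hashed field names + honeypots.

Added example, not the post's code. Keyed SHA-256 replaces the post's MD5;
SECRET, the time window and the field lists are assumed values.
"""
import hashlib
import hmac

SECRET = b"assumed-server-side-secret"       # constructed; never sent to the client
REAL_FIELDS = ("name", "email", "comment", "submit")
HONEYPOTS = ("url", "website")               # rendered, but made invisible by CSS
MIN_SECONDS, MAX_SECONDS = 5, 3600           # too fast looks like a bot; too old is a replay


def _hash(*parts: str) -> str:
    """Keyed hash over the parts, so nothing can be forged without SECRET."""
    msg = "\x00".join(parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def make_spinner(timestamp: int, client_ip: str, entry_id: str) -> str:
    """The spinner binds one rendered form to a time, a client and an entry."""
    return _hash(str(timestamp), client_ip, entry_id)


def field_name(real_name: str, spinner: str) -> str:
    """Per-form field name: hash of the real name, the spinner and the secret."""
    return "f_" + _hash(real_name, spinner)


def build_form(timestamp: int, client_ip: str, entry_id: str) -> dict:
    """What the template needs: the spinner (fixed name) and obscured field names."""
    spinner = make_spinner(timestamp, client_ip, entry_id)
    names = {f: field_name(f, spinner) for f in REAL_FIELDS + HONEYPOTS}
    return {"timestamp": timestamp, "spinner": spinner, "names": names}


def check_submission(post: dict, client_ip: str, entry_id: str, now: int):
    """Return (ok, reason, fields); 'post' is the raw name -> value mapping."""
    try:
        ts = int(post.get("timestamp", ""))
    except ValueError:
        return False, "bad timestamp", {}
    # Recompute the spinner; a tampered timestamp, IP or entry id will not match.
    expected = make_spinner(ts, client_ip, entry_id).encode()
    if not hmac.compare_digest(post.get("spinner", "").encode(), expected):
        return False, "spinner mismatch", {}
    age = now - ts
    if age < MIN_SECONDS:
        return False, "submitted too fast", {}
    if age > MAX_SECONDS:
        return False, "form expired", {}
    spinner = post["spinner"]
    # Only a bot that fills every editable field touches the invisible ones.
    if any(post.get(field_name(hp, spinner), "") for hp in HONEYPOTS):
        return False, "honeypot filled", {}
    fields = {f: post.get(field_name(f, spinner), "") for f in REAL_FIELDS}
    if not fields["comment"]:
        return False, "empty comment", {}
    return True, "ok", fields


def demo():
    """Constructed round trip: a human-looking post and a bot filling every field."""
    ip, entry, rendered_at = "198.51.100.7", "entry-42", 1_300_000_000
    form = build_form(rendered_at, ip, entry)
    n = form["names"]
    human = {"timestamp": str(rendered_at), "spinner": form["spinner"],
             n["name"]: "Ada", n["comment"]: "Nice post"}
    bot = dict(human, **{n["url"]: "http://spam.example"})
    return (check_submission(human, ip, entry, rendered_at + 30)[1],
            check_submission(bot, ip, entry, rendered_at + 30)[1])
```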