High-stakes one-shot Prisoner's Dilemma on a British game show with an astounding strategy

A British game show called "Golden Balls" concludes each installment with a single-shot version of the Prisoner's Dilemma in which the two players' choices can result in a large cash prize being awarded to both of them, neither of them, or just one of them. The players are allowed to tell each other what they plan on doing, but they are also allowed to lie and try to trick the other player into making a choice that would leave the whole pot in the trickster's hands.

In this remarkable clip, a player named Nick runs an extraordinary end-game that has to be seen to be believed. As Bruce Schneier says,

This is the weirdest, most surreal round of "Split or Steal" I have ever seen. The more I think about the psychology of it, the more interesting it is. I'll save my comments for the comments, because I want you to watch it before I say more. Really.

Once you've watched the clip, check out Bruce's spoiler-y discussion of what is going on there.

Amazing Round of "Split or Steal"

Iranian finance/tech manager publishes 3,000,000 bank accounts' details and PINs

A finance technology manager named Khosrow Zarefarid discovered a critical flaw in Iran's online banking systems. He extracted 1,000 account details (including card numbers and PINs) and emailed them to the CEOs of 22 Iranian banks along with detailed information about the vulnerability. A year later, nothing had been done. Zarefarid extracted 3 million accounts' details from the bank's systems and posted them to ircard.blogspot.ca. Many Iranian banks have now frozen their customers' accounts and are only allowing PIN-change transactions at ATMs. Some banks have texted their customers to warn them of the breach. The Central Bank of Iran has published an official notice of the breach, but the notice does not say that the underlying vulnerability has been fixed, or even whether it is being addressed. Zarefarid is said to have left Iran, though his whereabouts are not known, at least to Emil Protalinski, who wrote about the breach for ZDNet:

It does not appear as if Zarefarid stole money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, on his blog: ircard.blogspot.ca. I found the link via his Facebook account, along with the question “Is your bank card between thease 3000000 cards?”

...Zarefarid previously worked as a manager at a company called Eniak, which operates the Shetab (Interbank Information Transfer Network) system, an electronic banking clearance and automated payments system used in Iran. The company also manufactures and installs point of sale (POS) devices. In other words, Zarefarid worked for a firm that offered services to Iranian banks for accepting electronic payments.

Update: In a post to the ircard blog, Zarefarid clarifies what he has done, and claims he is not a "hacker." (via Khosrow Zarefarid, in the comments)

3 million bank accounts hacked in Iran (via /.)

Forever-day bugs

A nice piece of frightening securityspeak to conjure with: forever-day bugs, which are known bugs that the vendor has no intention of patching. These are often found in control systems, and are the sort of thing that Stuxnet exploited to attack the Iranian nuclear program. These controllers are also found on other kinds of industrial lines and, of course, in aircraft. "Forever day is a play on 'zero day,' a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or 'infinite days' by some researchers..." [Ars Technica] Cory

Malware targeted at Syrian activists can operate webcam, disable AV, keylog, steal passwords


A fake PDF purporting to contain information on "the formation of the leadership council of the Syrian revolution" is circulating. As the Electronic Frontier Foundation's Eva Galperin and Morgan Marquis-Boire report, it's bad news for people who install it.

The latest surveillance malware comes in the form of an extracting file which is made to look like a PDF if you have file extensions turned off. The PDF purports to be a document concerning the formation of the leadership council of the Syrian revolution and is delivered via Skype message from a known friend. The malware installs a remote administration tool called DarkComet RAT, which can capture webcam activity, disable the notification setting for certain antivirus programs, record key strokes, steal passwords, and more. It sends this data back to the same IP address in Syrian IP space that was used in several previous attacks, including the attacks reported by CNN in February, the Xtreme RAT Trojan EFF reported in March, and this sample from March 21st.

Syrian Internet users should be extremely cautious about clicking on suspicious-looking links, or downloading documents over Skype, even if the document purportedly comes from a friend.

Campaign Targeting Syrian Activists Escalates with New Surveillance Malware

Shredding company's awesome logo


Snapped yesterday near my flat in east London, this Irish shredding company's logo on the back of their truck. Talk about "does what it says on the tin!"

Awesome logo on hard-drive-shredding service's lorry, Brunswick Place, Hackney, London, UK

Buy a ticket to HOPE in NYC and 10% goes to EFF

Emmanuel Goldstein writes, "The coordinators of this year's Hackers On Planet Earth conference in New York have joined forces with the Electronic Frontier Foundation and have designated April as the month where 10 percent of all ticket sales will be donated to EFF. The net would be a much more dangerous place without the EFF being around to help fight the many battles currently taking place. This is a way to help them out and be part of a really cool conference at the same time."

H.O.P.E. stands for Hackers On Planet Earth, one of the most creative and diverse hacker events in the world. HOPE Number Nine will be taking place on July 13, 14, and 15, 2012 at the Hotel Pennsylvania in New York City. If you haven't been before, this is the year to attend. For every ticket purchased in the month of April, conference organizers 2600: The Hacker Quarterly are donating 10% of the proceeds to EFF--so buy your tickets today!

For three full days and nights you can explore hackerspace villages, film festivals, art installations, vintage computers, electronic workshops, savor the country's biggest supply of Club-Mate, and attend the host of provocative talks that HOPE has become well-known for offering. Join thousands of hackers to hear this year's keynote on hacking corporations by famous troublemakers and EFF clients The Yes Men, as well as these exciting talks from EFF staffers...

Buy Your HOPE 9 Tickets in April and 10% of Proceeds Go to EFF (Thanks, Emmanuel!)

It's easy to get credit card numbers off used Xbox 360s


A group of researchers at Drexel University have demonstrated a method of recovering credit card details and other sensitive information from used Xbox 360s, even after they have been "reset to factory defaults." The method is straightforward and uses readily available tools. Ashley Podhradsky, one of the Drexel researchers, says, "Microsoft does a great job of protecting their proprietary information. But they don't do a great job of protecting the user's data."

Which is to say that Microsoft is spending a lot of money and resources on ensuring that your Xbox 360 only runs software that Microsoft has authorized (like Apple with iOS and Nintendo with the Wii/3DS, Microsoft charges money for the right to sell software that will run on your device). But it doesn't pay any particular attention to protecting your interests as the owner of the device.

What's more, the Digital Millennium Copyright Act, which regulates the breaking of software locks, makes it illegal to investigate the internal workings of devices like the Xbox 360, and to publish the details of your findings, where those findings might also aid people in choosing to run unauthorized software on their own property.

Podhradsky, along with colleagues Rob D'Ovidio and Cindy Casey at Drexel and Pat Engebretson at Dakota State University, bought a refurbished Xbox 360 from a Microsoft-authorized retailer last year. They downloaded a basic modding tool and used it to crack open the gaming console, giving them access to its files and folders. After some work, they were able to identify and extract the original owner's credit card information.

We reached out to Microsoft for comment on this issue, but as of press time, they have not yet responded.

Podhradsky isn't even a gamer, she says. For seasoned modders and hackers, the process might be even easier.

"A lot of them already know how to do all this," she said. "Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."

..."I think Microsoft has a longstanding pattern of this," Podhradsky said. "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate—the data is still available... so when Microsoft tells you that you're resetting something, it's not accurate. There's a lot more that needs to be done."

Hackers Can Steal Credit Card Information From Your Old Xbox, Experts Tell Us (via /.)

(Image: Red Ring of Death: RRoD 1 Microsoft Xbox 360, a Creative Commons Attribution (2.0) image from tomasland's photostream)

Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors

The Electronic Frontier Foundation's Marcia Hofmann writes about security research companies that work to discover "zero day" vulnerabilities in software and operating systems, then sell them to governments and corporations that want to use them as a vector for installing spyware. France's VUPEN is one such firm, and it claims that it only sells to NATO countries and their "partners," a list that includes Belarus, Azerbaijan, Ukraine, and Russia. As Hofmann points out, even this low standard is likely not met, since many of the governments with which VUPEN deals would happily trade with other countries with even worse human rights records -- if Russia will sell guns to Syria, why not software exploits? VUPEN refuses to disclose its discoveries to the software vendors themselves, even for money, because it wants to see to it that the vulnerabilities remain unpatched and exploitable for as long as possible.

“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.

While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million. But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful. Another hacker who goes by the handle “the Grugq” says he acts as a middleman for freelance security researchers and sells their exploits to many agencies in the U.S. government. He implies the only reason he doesn’t sell to Middle Eastern countries is they don’t pay enough.

EFF calls out governments for trafficking in these vulnerabilities, rather than demanding their disclosure and repair. Any unpatched vulnerability puts every user of the affected software at risk. For a government to appropriate a vulnerability to itself and keep it secret in the name of "national security," rather than fixing it for the nation's citizens, is "security for the 1%."

“Zero-day” exploit sales should be key point in cybersecurity debate

Facebook passwords: many employers can snoop them, and don't need to ask

US senators are calling for action on employers' habit of demanding employees' Facebook passwords, but no one seems to notice that many companies configure their computers so that they can eavesdrop on your Facebook, bank, and webmail passwords, even when those passwords are "protected" by SSL. In my latest Guardian column, "Protecting your Facebook privacy at work isn't just about passwords," I talk about how our belief that property rights -- your employer's right to control the software load on the computer they bought for your use -- have come to trump privacy, human rights and basic decency.

Firms have legitimate (ish) reasons to install these certificates. Many firms treat the names of the machines on their internal networks as proprietary information (eg accounting.sydney.australia.company.com), but still want to use certificates to protect their users' connections to those machines. So rather than paying for certificates from one of the hundreds of certificate authorities trusted by default in our browsers – which would entail disclosing their servers' names – they use self-signed certificates to protect those connections.

But the presence of your employer's self-signed certificate in your computer's list of trusted certs means that your employer can (nearly) undetectably impersonate all the computers on the internet, tricking your browser into thinking that it has a secure connection to your bank, Facebook, or Gmail, all the while eavesdropping on your connection.

Many big firms use "lawful interception" appliances that monitor all employee communications, including logins to banks, health providers, family members, and other personal sites.

Protecting your Facebook privacy at work isn't just about passwords
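How such an interception shows up in practice, as an added example that is not part of the column or this post: compare the leaf certificate your workstation receives for a site with the one seen over an independent path (a phone on mobile data, say), and read the issuer straight out of the DER. It assumes only the Python standard library; the issuer names and the constructed_cert() sample data are made up for the demonstration.

```python
import hashlib
import ssl

OID_COMMON_NAME = b"\x55\x04\x03"  # X.520 id-at-commonName (2.5.4.3)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER TLV at pos.
    Short and long-form lengths are handled; certificates don't use high tag numbers."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        yield tag, vs, ve

def issuer_common_name(cert_der):
    """Walk Certificate -> tbsCertificate -> issuer and return the issuer's CN.
    tbsCertificate starts: [0] version (optional), serialNumber, signature, issuer."""
    _, cert_vs, cert_ve, _ = _read_tlv(cert_der, 0)
    _, tbs_vs, tbs_ve = next(_children(cert_der, cert_vs, cert_ve))
    fields = [f for f in _children(cert_der, tbs_vs, tbs_ve) if f[0] != 0xA0]
    _, iss_vs, iss_ve = fields[2]
    for _, set_vs, set_ve in _children(cert_der, iss_vs, iss_ve):      # each RDN is a SET
        for _, seq_vs, seq_ve in _children(cert_der, set_vs, set_ve):  # AttributeTypeAndValue
            oid, value = list(_children(cert_der, seq_vs, seq_ve))[:2]
            if cert_der[oid[1]:oid[2]] == OID_COMMON_NAME:
                return cert_der[value[1]:value[2]].decode("utf-8", "replace")
    return None

def fingerprint_sha256(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def fetch_leaf_der(host, port=443):
    """Leaf certificate as presented to this machine. No chain validation on purpose:
    we want to see what a proxy hands us, not whether the local store trusts it."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def assess(workstation_der, reference_der, internal_issuer_cns):
    """Same leaf on both paths: this connection is not being intercepted. A different
    leaf from a known corporate CA is the employer's proxy; anything else needs a look."""
    issuer = issuer_common_name(workstation_der)
    if fingerprint_sha256(workstation_der) == fingerprint_sha256(reference_der):
        return "ok", issuer
    if issuer in internal_issuer_cns:
        return "intercepted-by-internal-ca", issuer
    return "mismatch-investigate", issuer

# Constructed sample data (not real certificates) so the check can run offline.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def constructed_cert(issuer_cn, serial):
    """Minimal DER with a real-shaped Certificate/tbsCertificate prefix: not a valid
    certificate, but enough for issuer_common_name() and fingerprint_sha256()."""
    rdn = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, issuer_cn.encode()))
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial])) + sig_alg
    return _tlv(0x30, _tlv(0x30, tbs + _tlv(0x30, _tlv(0x31, rdn))))

if __name__ == "__main__":
    reference = constructed_cert("Example Public CA", 7)           # leaf seen on mobile data
    proxied = constructed_cert("ACME Corp Interception Root", 9)   # leaf seen on the desk PC
    print(assess(reference, reference, {"ACME Corp Interception Root"}))
    print(assess(proxied, reference, {"ACME Corp Interception Root"}))
```

The chain validates cleanly on the workstation precisely because the corporate root is trusted, which is why the check compares fingerprints across two paths instead of asking the local trust store.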

Update: To everyone who says that your employer has the unlimited right to spy on your computer use because you're on company property, here's a paragraph from later in the piece:

Besides, there are plenty of contexts in which "company property" would not excuse this level of snooping. If you met your spouse on your lunchbreak to discuss a private medical matter in the break room or car park, you would probably expect that your employer wouldn't use a hidden microphone to listen in on the conversation – even though you were "on company property". Why should your employer get to snoop on your private webmail conversations with your spouse during your lunch-break?

TSA gets Bruce Schneier booted from House Committee on Oversight and Government Reform hearing

Bruce Schneier was invited to testify about the TSA to the House Committee on Oversight and Government Reform, but at the last minute he was disinvited, after the TSA objected to having him in the room.

On Friday, at the request of the TSA, I was removed from the witness list. The excuse was that I am involved in a lawsuit against the TSA, trying to get them to suspend their full-body scanner program. But it's pretty clear that the TSA is afraid of public testimony on the topic, and especially of being challenged in front of Congress. They want to control the story, and it's easier for them to do that if I'm not sitting next to them pointing out all the holes in their position. Unfortunately, the committee went along with them. (They tried to pull the same thing last year and it failed -- video at the 10:50 mark.)

The committee said it would try to invite me back for another hearing, but with my busy schedule, I don't know if I will be able to make it. And it would be far less effective for me to testify without forcing the TSA to respond to my points.

Congressional Testimony on the TSA (Thanks, Bruce!)

Bruce Schneier and former TSA boss Kip Hawley debate air security on The Economist

The Economist is hosting a debate between Bruce Schneier and former TSA honcho Kip Hawley, on the proposition "This house believes that changes made to airport security since 9/11 have done more harm than good." I'm admittedly biased for Bruce's position (he's for the proposition), but it seems to me that no matter what your bias, Schneier totally crushed Hawley in the opening volley. The first commenter on the debate called Hawley's argument "post hoc reasoning at its most egregious," which sums it all up neatly.

Here's a bit of Schneier:

Let us start with the obvious: in the entire decade or so of airport security since the attacks on America on September 11th 2001, the Transportation Security Administration (TSA) has not foiled a single terrorist plot or caught a single terrorist. Its own "Top 10 Good Catches of 2011" does not have a single terrorist on the list. The "good catches" are forbidden items carried by mostly forgetful, and entirely innocent, people—the sorts of guns and knives that would have been just as easily caught by pre-9/11 screening procedures. Not that the TSA is expert at that; it regularly misses guns and bombs in tests and real life. Even its top "good catch"—a passenger with C4 explosives—was caught on his return flight; TSA agents missed it the first time through.

In previous years, the TSA has congratulated itself for confiscating home-made electronics, alerting the police to people with outstanding misdemeanour warrants and arresting people for wearing fake military uniforms. These are hardly the sorts of things we spend $8 billion annually for the TSA to keep us safe from.

Don't be fooled by claims that the plots it foils are secret. Stopping a terrorist attack is a political triumph. Witness the litany of half-baked and farcical plots that were paraded in front of the public to justify the Bush administration's anti-terrorism measures. If the TSA ever caught anything even remotely resembling a terrorist, it would be holding press conferences and petitioning Congress for a bigger budget.

And some of Hawley:

More than 6 billion consecutive safe arrivals of airline passengers since the attacks on America on September 11th 2001 mean that whatever the annoying and seemingly obtuse airport-security measures may have been, they have been ultimately successful. However one measures the value of our resilient society careening through ten tumultuous years without the added drag of one or more industry-crushing and national psyche-devastating catastrophic 9/11-scale attacks, the sum of all that is more than its cost. If the question is whether the changes made to airport security since 9/11 have done more harm than good, the answer is no.

Risk management is second nature to us. At the airport we see a simple equation: "I pay a cost in convenience and privacy to get reasonable certainty that my flight will be terror-free." Since 9/11, the cost feels greater while the benefits seem increasingly blurred. Much of the pain felt by airport security stems from the security process not keeping up with its risk model. In airport security, we have stacked security measures from different risk models on top of each other rather than adding and subtracting security actions as we refine the risk strategy. This is inefficient but it does not create serious harm.

Schneier adds, "I'll take suggestions for things to say in Part III."

This house believes that changes made to airport security since 9/11 have done more harm than good. (Thanks, Bruce!)

How a cult created a chemical weapons program

A really, really interesting report from The Center for a New American Security about how Japanese cult Aum Shinrikyo developed its own chemical weapons program, and what factors enabled it to successfully attack a Tokyo subway with sarin gas. I'm still reading through this and will probably have something longer to say later. But it's got some very interesting examples of things I've noticed in other analyses of successful terrorist attacks: Groups can do things that make them seem comically inept, and they can fail over and over, and still end up pulling off a successful attack. In the end, some of this is about simple, single-minded perseverance. You don't have to be a criminal mastermind. You just have to be willing to keep trying long after most people would have given up. (Via Rowan Hooper)

Anonymosus-OS: the checksums that don't check out

Further to the ignoble saga of Anonymosus-OS, an Ubuntu variant targeted at people who want to participate in Anonymous actions: Sean Gallagher has done the legwork to compare the checksums of the packages included in the OS with their canonical versions and has found a long list of files that have been modified. Some of these ("usr/share/gnome/help/tomboy/eu/figures/tomboy-pinup.png: FAILED") are vanishingly unlikely to be malware, while others ("usr/share/ubiquity/apt-setup") are more alarming.

None of this is conclusive proof of malware in the OS, but it is further reason not to trust it -- if you're going to produce this kind of project and modify the packages so that they don't check, you really should document the alterations you've made.

all.md5 > /dev/shm/check.txt
md5sum: WARNING: 143 of 95805 computed checksums did NOT match
anonymous@anonymous:/$ grep -v ': OK$' /dev/shm/check.txt
usr/share/locale-langpack/en_AU/LC_MESSAGES/subversion.mo: FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/gbrainy.mo: FAILED
usr/share/applications/language-selector.desktop: FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/file-roller.mo: FAILED
usr/share/locale-langpack/en_CA/LC_MESSAGES/metacity.mo: FAILED
usr/share/locale-langpack/en_GB/LC_MESSAGES/jockey.mo: FAILED
usr/share/locale-langpack/en_AU/LC_MESSAGES/lightdm.mo: FAILED
usr/share/doc/libxcb-render0/changelog.Debian.gz: FAILED...

The bad checksums in Anonymous-OS (Thanks, Sean!)
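A way to do that checksum comparison and sort the failures, as an added example rather than Sean's own method: verify an md5sum-format manifest against the extracted image and bucket each mismatch by where it lives, so a locale file and an installer script such as usr/share/ubiquity/apt-setup do not land in the same pile. The risk prefix lists, the all.md5 manifest name and the sample data are my assumptions.

```python
import hashlib
import os
import re
import sys

# Paths where a differing file is almost certainly a harmless rebuild or translation artifact.
LOW_RISK_PREFIXES = ("usr/share/locale-langpack/", "usr/share/locale/", "usr/share/doc/",
                     "usr/share/man/", "usr/share/gnome/help/")
# Paths where any unexplained change deserves a look: code that runs, or runs at install time.
HIGH_RISK_PREFIXES = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "lib/", "usr/lib/", "etc/",
                      "boot/", "usr/share/ubiquity/", "usr/share/initramfs-tools/")

_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32})\s[ *](.+)$")  # md5sum output: "<hex>  <path>"
_CHECK_LINE = re.compile(r"^(.+?): (OK|FAILED.*)$")             # md5sum -c output

def parse_manifest(text):
    """(md5_hex, path) pairs from an md5sum-format manifest such as all.md5."""
    entries = []
    for line in text.splitlines():
        m = _MANIFEST_LINE.match(line.strip())
        if m:
            entries.append((m.group(1).lower(), m.group(2)))
    return entries

def verify(manifest_text, read_file):
    """read_file(path) -> bytes, raising FileNotFoundError when absent.
    Returns [(path, 'OK' | 'FAILED' | 'MISSING')] in manifest order."""
    results = []
    for expected, path in parse_manifest(manifest_text):
        try:
            actual = hashlib.md5(read_file(path)).hexdigest()
        except FileNotFoundError:
            results.append((path, "MISSING"))
            continue
        results.append((path, "OK" if actual == expected else "FAILED"))
    return results

def parse_check_output(lines):
    """Failed paths from captured 'md5sum -c' output lines like those quoted above."""
    matches = (_CHECK_LINE.match(line.rstrip()) for line in lines)
    return [m.group(1) for m in matches if m and m.group(2) != "OK"]

def classify(path):
    p = path.lstrip("./")
    if p.startswith(HIGH_RISK_PREFIXES):
        return "high"
    if p.startswith(LOW_RISK_PREFIXES):
        return "low"
    return "review"  # on neither list: a human decides

def triage(failed_paths):
    """Group failed paths so the alarming ones are read first."""
    buckets = {"high": [], "review": [], "low": []}
    for path in failed_paths:
        buckets[classify(path)].append(path)
    return buckets

def make_manifest(files):
    """Manifest text from {path: bytes}; used here to construct sample data offline."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {path}\n" for path, data in files.items())

def in_memory_reader(files):
    """A read_file() over a dict, standing in for a file tree in the constructed sample."""
    def read_file(path):
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return read_file

def disk_reader(root):
    """A read_file() over a real tree, e.g. a mounted ISO or an extracted squashfs."""
    def read_file(path):
        with open(os.path.join(root, path), "rb") as fh:
            return fh.read()
    return read_file

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    with open(os.path.join(root, "all.md5")) as fh:  # assumed manifest name
        failed = [p for p, s in verify(fh.read(), disk_reader(root)) if s != "OK"]
    for level, paths in triage(failed).items():
        print(level, len(paths), paths)
```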

Preliminary analysis of Anonymosus-OS: lame, but no obvious malware


On Ars Technica, Sean Gallagher delves into Anonymosus-OS, an Ubuntu Linux derivative I wrote about yesterday that billed itself as an OS for Anonymous, with a number of security/hacking tools pre-installed. Sean's conclusion is that, contrary to rumor, there's no malware visible in the package, but there are plenty of dubious "security" tools like the Low Orbit Ion Cannon: "I don't know how much more booby-trapped a tool can get than pointing authorities right back at your IP address as LOIC does without being modified."

As far as I can tell, Sean hasn't compared the package checksums for Anonymosus-OS, which would be an important and easy (though tedious) step for anyone who was worried about the OS hiding malware to take.

Update: Sean's done the checksum comparison and found 143 files that don't match up with the published versions.

Some of the tools are of questionable value, and the attack tools might well be booby-trapped in some way. But I don't know how much more booby-trapped a tool can get than pointing authorities right back at your IP address as LOIC does without being modified.

Most of the stuff in the "Anonymous" menu here is widely available as open source or as Web-based tools—in fact, a number of the tools are just links to websites, such as the MD5 hash cracker MD5Crack Web. But it's clear there are a number of tools here that are in daily use by AnonOps and others, including the encryption tool they've taken to using for passing target information back and forth.

Lame hacker tool or trojan delivery device? Hands on with Anonymous-OS

Android screen lock bests FBI

A court filing from an FBI Special Agent reports that the Bureau's forensics teams can't crack the pattern-lock utility on Android devices' screens. This is moderately comforting, given the courts' recent findings that mobile phones can be searched without warrants. David Kravets writes on Wired:

A San Diego federal judge days ago approved the warrant upon a request by FBI Special Agent Jonathan Cupina. The warrant was disclosed Wednesday by security researcher Christopher Soghoian,

In a court filing, Cupina wrote: (.pdf)

Failure to gain access to the cellular telephone’s memory was caused by an electronic ‘pattern lock’ programmed into the cellular telephone. A pattern lock is a modern type of password installed on electronic devices, typically cellular telephones. To unlock the device, a user must move a finger or stylus over the keypad touch screen in a precise pattern so as to trigger the previously coded un-locking mechanism. Entering repeated incorrect patterns will cause a lock-out, requiring a Google e-mail login and password to override. Without the Google e-mail login and password, the cellular telephone’s memory can not be accessed. Obtaining this information from Google, per the issuance of this search warrant, will allow law enforcement to gain access to the contents of the memory of the cellular telephone in question.

Rosenberg, in a telephone interview, suggested the authorities could “dismantle a phone and extract data from the physical components inside if you’re looking to get access.”

However, that runs the risk of damaging the phone’s innards, and preventing any data recovery.

FBI Can’t Crack Android Pattern-Screen Lock