According to the statement, it appears Levison rejected a US court order to cooperate with the government in spying on users.
The email service offered various security features to a claimed user base of 350,000, and is the first such firm to have publicly and transparently closed down rather than cooperate with state surveillance programs. The email address Snowden (or someone sending emails on his behalf) is reported to have used to send invites to a press conference at Moscow's Sheremetyevo Airport in mid-July was a Lavabit account.
Below, the full message from Lavabit's founder and operator Ladar Levison:
In a post titled Xerox scanners/photocopiers randomly alter numbers in scanned documents, computer scientist David Kriesel shows that the Xerox WorkCentre 7535 randomly changes the numbers in its scans. The copier's firmware compresses scanned images by recognizing repeated glyphs (numbers and letters) and storing one reference image for each; when it judges two different characters to be the same glyph, the output contains a digit that was never in the original, and the result is untrustworthy. The bug also occurs in the Xerox 7556 and possibly other machines, and as Kriesel points out, this could mean that engineering diagrams, invoices, prescriptions, architectural drawings and other documents whose numeric values are potentially a matter of life-and-death (or at least financial stability) are being randomly edited by machines we count on to produce faithful copies.
Kwikset makes an incredibly popular line of reprogrammable locks that can be easily re-keyed, meaning that landlords don't have to physically change the locks when their tenants move out. Kwikset boasts that their locks are extremely secure, but Marc Weber Tobias and Toby Bluzmanis will present six Kwikset vulnerabilities at DEFCON; their demo includes an attack that opens the lock "in 15 seconds with a screwdriver and a paper clip." Tobias and Bluzmanis have spoken to Kwikset technicians about this, and in recorded conversations, the Kwikset employees insisted that the product was secure, something that can't be taken seriously if you've seen Bluzmanis and Tobias work on them.
A large group of "security researchers, academics, and lawyers" have signed onto a letter to Congress demanding that lawmakers enact "Aaron's Law," which would reform the antiquated and terrible Computer Fraud and Abuse Act, which US prosecutors claim makes violating online terms of service into a felony punishable by imprisonment. This is the law that was used to persecute Aaron Swartz, who was accused of violating terms of service by automatically downloading academic articles, rather than accessing them one at a time. The federal prosecutor threatened Aaron with 35 years in prison.
Billy Lau and Yeongjin Jang from Georgia Institute of Technology have presented a demo at Black Hat of a way of stealthily compromising iPhones and other iOS devices with gimmicked chargers. The device needs to be unlocked -- either having no unlock code to begin with, or unlocked by the user after connection -- but apart from that, the charger can compromise any iOS device.
The Wall Street Journal covers the FBI's use of malware to take over peoples' computers and phones, including one package that is used to turn the microphone in Android devices into a remote listening device. The story is alarming, but misses the two most significant points:
1. That this undermines the security of all of us, not just the people whom the FBI spies upon. The fact that the FBI and other law enforcement organizations have created a market for bugs that can be turned into spyware means that people who find bugs are less likely to present them to the manufacturers for patching. That means that when those bugs are independently identified by criminals, we're all at risk of having our devices subverted.
2. The same companies that sell malware to the FBI also sell it to dictatorships around the world. The FBI legitimizes the development of spyware that is used by despots to decide whom to arrest, whom to disappear, and whom to murder.
A law that required you to give a list of all your friendships to the NSA would die in a hail of political outrage. A law that allows the NSA to make Facebook tell it who all your friends are somehow doesn't create a similar problem. Bruce Schneier's The Public-Private Surveillance Partnership makes an important point about the way that corporations have become an arm of the surveillance state.
Noted perjurer and NSA Director Keith Alexander appeared onstage at the Black Hat security conference today, where he was heckled by audience members, notably a 30-year-old security consultant named Jon McCoy, who shouted things like "Freedom!" and "Bullshit!" and then got into some more substantive points.
A pair of crooks in Oklahoma made more than $400,000 with a whisper-thin gas-pump credit-card skimmer that they installed in Wal-Mart gas stations, using rental cars while they were doing the installation. Kevin Konstantinov and Elvin Alisuretove allegedly harvested their skimmers every two months or so, creating bogus credit cards with the data and then withdrawing cash at ATMs or sharing it with crooks in Russia and the former USSR. Brian Krebs details the technology, as well as a series of next-gen gas-pump skimmers that use tiny, unobtrusive Bluetooth bugs to harvest credit-card data.
Flavio Garcia, a security researcher from the University of Birmingham, has been ordered by an English court not to deliver an important paper at the USENIX Security conference. Garcia, along with colleagues from a Dutch university, had authored a paper showing the security failings of the keyless entry systems used by a variety of luxury cars. Volkswagen asked an English court for an injunction censoring his work -- which demonstrated their incompetence and the risk they'd exposed their customers to -- and Mr Justice Birss agreed.
Badly configured home automation systems are easy to locate using Google, and once you discover them, you can seize control of a stranger's entire home: "lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices." The manufacturers blame their customers for not following security advice, but even "enthusiast" customers who think they've locked down their networks are sometimes in for a nasty surprise.
Insteon chief information officer Mike Nunes says the systems that I’m seeing online are from a product discontinued in the last year. He blamed user error for the appearance in search results, saying the older product was not originally intended for remote access, and to set this up required some savvy on the users’ part. The devices had come with an instruction manual telling users how to put the devices online which strongly advised them to add a username and password to the system. (But, really, who reads instruction manuals closely?)
“This would require the user to have chosen to publish a link (IP address) to the Internet AND for them to have not set a username and password,” says Nunes. I told Nunes that requiring a username/password by default is good security-by-design to protect people from making a mistake like this. “It did not require it by default, but it supported it and encouraged it,” he replied.
In Thomas Hatley’s case, he created a website that acted as the gateway for a number of services for his home. There is a password on his website, but you can circumvent that by going straight to the Insteon port, which was not password protected.
Justin Engler and Paul Vines will demo a robot called the Robotic Reconfigurable Button Basher (R2B2) at Defcon; it can work its way through every numeric screen-lock Android password in 19 hours. They built it for less than $200, including the 3D printed parts. It doesn't work on screen-patterns (they're working on that) nor on iOS devices (which exponentially increase the lockout times between unsuccessful password attempts). They're also whomping up new versions that can simulate screen-taps with electrodes, which will run much faster. They're also working on versions that can work against hotel-room safes, ATMs, and other PIN-pad devices. It's a good argument for a longer PIN (six-digit PINs take 80 days to crack), and for using robust and random PINs (26% of users use one of 20 PINs).
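Why PIN length and the lockout schedule decide whether a button-basher is practical, as an added example that is not part of the original post or of Engler and Vines' work: the model below assumes a fixed policy of a 30-second lockout after every 5 wrong attempts (the Android behaviour that the 19-hour figure implies), an escalating policy whose delay doubles after each wrong attempt past the first five and caps at one hour (an iOS-style schedule; the real one differs), and a constructed one second of robot time per attempt.

```python
"""Added example: worst-case time for a PIN-pushing robot to exhaust a numeric
screen lock under two lockout policies.  All policy parameters below are
illustrative assumptions, not figures from the original post."""


def pin_space(digits):
    """Number of distinct PINs of the given length on a 10-key keypad."""
    return 10 ** digits


def fixed_lockout_delay(k, attempts_per_lockout=5, lockout_s=30.0):
    """Fixed policy (assumed Android-style): after every 5th wrong attempt
    the device locks for 30 s; otherwise no extra delay."""
    return lockout_s if k % attempts_per_lockout == 0 else 0.0


def escalating_delay(k, free_attempts=5, base_s=1.0, cap_s=3600.0):
    """Escalating policy (assumed iOS-style): after the first 5 wrong attempts
    the delay doubles on every further failure, capped at cap_s seconds."""
    if k <= free_attempts:
        return 0.0
    exp = k - free_attempts
    if exp > 30:           # 2**30 s already dwarfs any sane cap; avoid huge ints
        return cap_s
    return min(base_s * 2 ** exp, cap_s)


def worst_case_seconds(digits, delay_after, attempt_s=1.0):
    """Seconds to try every PIN of the given length when the correct PIN is
    the last one tried.  attempt_s is the robot's per-attempt cost (assumed)."""
    total = 0.0
    for k in range(1, pin_space(digits) + 1):
        total += attempt_s + delay_after(k)
    return total


def summarize(digits):
    """Worst-case days under each policy, for comparison."""
    fixed = worst_case_seconds(digits, fixed_lockout_delay)
    esc = worst_case_seconds(digits, escalating_delay)
    return {
        "digits": digits,
        "fixed_lockout_days": fixed / 86400,
        "escalating_lockout_days": esc / 86400,
    }


if __name__ == "__main__":
    for d in (4, 6):
        s = summarize(d)
        print(f"{d}-digit PIN: fixed lockout {s['fixed_lockout_days']:.1f} days, "
              f"escalating lockout {s['escalating_lockout_days']:.0f} days")
```

Under the fixed policy a 4-digit PIN falls in about 19.4 hours and a 6-digit PIN in about 81 days, matching the post's figures; the same 4-digit space under the escalating policy takes over a year, which is why the robot does not work against devices that back off exponentially.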