Guy who "fixed" women's computers spied through their webcams

A London court has found a man named Andrew Meldrum guilty of "unauthorised access to computer material" and "voyeurism." Meldrum "helped" young women fix their computers and covertly installed snoopware on them, and subsequently spied on them via their webcams. He is to be sentenced in April. A forensics expert claims that this sort of thing is "very common."

Trustycon: how to redesign NSA surveillance to catch more criminals and spy on a lot fewer people

The Trustycon folks have uploaded over seven hours' worth of talks from their event, an alternative to the RSA security conference founded by speakers who quit over RSA's collusion with the NSA. I've just watched Ed Felten's talk on "Redesigning NSA Programs to Protect Privacy" (starts at 6:32:33), an absolutely brilliant talk that blends a lucid discussion of statistics with practical computer science with crimefighting, all within a framework of respect for privacy, liberty and the US Bill of Rights.

Felten's talk lays out how the NSA's mass-collection program works, what its theoretical basis is for finding terrorists in all that data, and then explains how this is an incredibly inefficient and risky and expensive way of actually fighting crime. Then he goes on to propose an elegant alternative that gets better intelligence while massively reducing the degree of surveillance and the risk of disclosure.

I'm using Vid to MP3 to convert the whole seven hours' worth of talks to audio and plan on listening to them over the next couple of days.

Update: Here's that MP3 -- it's about 1GB. Thanks to the Internet Archive for hosting it!

TrustyCon - Live from San Francisco

Report from Trustycon: like RSA, but without the corruption

Seth Rosenblatt reports from Trustycon, the conference formed as a protest against, and alternative to, the RSA security conference. RSA's event is the flagship event in the security industry, but the news that RSA had accepted $10M from the NSA to sabotage its own products so that spies could break into the systems of RSA customers led high-profile speakers like Mikko Hypponen to cancel their appearances at the event.

Trustycon sold out, raised $20,000 for the Electronic Frontier Foundation, and, most importantly, got key members of the security industry to come to grips with the question of improving network security in an age when spy agencies are spending hundreds of millions of dollars every year to undermine it.

Break up the NSA and save American spooks from themselves

On CNN, Bruce Schneier lays out the current organizational structure of the NSA, dividing its activities into three categories: spying on specific people; spying on everyone; and breaking the Internet to make spying easier. He then proposes a new structure for the American intelligence apparat: move spying on specific people to a totally separate US Cyber Command under the DoD ("attacking enemy networks is an offensive military operation, and should be part of an offensive military unit"); move spying on Americans to the FBI and create safeguards to be sure this is done in accord with the law and the Constitution; and terminate the NSA's program of undermining security.

Instead, put the NSA in charge of improving the security of Internet users -- including American residents, businesses and government agencies -- so that the nation is resilient. As Schneier writes: "We need the NSA's expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts -- from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly -- no secrecy required."

Make your own DHS threat-level chart

Personalthreatlevel lets you create your own custom DHS-style threat-level that will serve you well as a means of frightening the people in your life with nebulous, ill-defined scariness. Here's Bruce Sterling's Tumblr version.

The Current Threat Level is...

Podcast: EFF, Trustycon, and The Day We Fight Back

Nathan sez, "This is Episode 9 of Embracing Disruption Podcast (EDP). In this episode I interview April Glaser from the EFF. We talk about internet activism, the EFF, TrustyCon, and The Day We Fight Back."

009 EFF, TrustyCon, and The Day We Fight Back

Careto (the Mask): long-running, sophisticated APT malware

Researchers at Kaspersky Labs have uncovered a new, long-lived piece of espionage malware called Careto (Spanish for "Mask"). The software, which attacks Windows, Mac OS and GNU/Linux, has been running since at least 2007 and has successfully targeted at least 380 victims in 31 countries, gaining access via directed spear-phishing attacks, which included setting up fake sites to impersonate The Guardian. The Mask was thought to be the work of a government, and its targets were "government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists." It is possible that the Mask also targeted Android and iOS devices.

How UK spies committed illegal DoS attacks against Anonymous

A new Snowden leak, reported by NBC, documents the UK spy agency

Social-engineering the FBI in 1971

In The Burglary: The Discovery of J. Edgar Hoover's Secret FBI, Betty Medsger reveals the long-secret details of the Citizens Commission to Investigate the FBI, an activist group that raided the FBI's offices, retrieving evidence of J. Edgar Hoover's criminal program of secret spying. The book is a rollicking history of the confluence of protest, locksport, activism and amateur spycraft. One of its most hilarious moments is the description of the group's social engineering hack on an unpickable lock that they needed to get past in order to get to their target:

David Cameron: TV crime dramas prove we need mass warrantless electronic surveillance

UK Conservative Prime Minister David Cameron says that ISPs and phone companies should be required to store records of every click you make, every conversation you have, and every place you physically move through. He says that communications companies should be required to make it impossible to keep your communications from being eavesdropped on, with mandatory back-doors.

He says we need this law because "TV crime dramas illustrated the value of monitoring mobile data."

Remember the Snooper's Charter, the 2012 UK Conservative plan to require ISPs and phone companies to retain the records of all your calls and movements, and make them available to police and government without a warrant? Home Secretary Theresa May proposed an unlimited budget to pay ISPs to help spy on you, and called people who opposed this "conspiracy theorists" and said the only people who need freedom from total, continuous surveillance were "criminals, terrorists and paedophiles."

The Snooper's Charter was killed by a rebellion from Libdem MPs, who rejected the plan. Now it's back, just as the public are starting to have a debate about electronic spying thanks to NSA whistleblower Edward Snowden, who revealed the extent to which our online habits are already illegally surveilled by government spies. Let's hope that the Snowden revelations -- and the US government's admission that mass spying never caught a terrorist or foiled a terrorism attempt -- strangle this Cameron brainchild in its cradle.

Extorted out of a one-character Twitter ID by a hacker who seized control of Godaddy domains

Naoki Hiroshima was lucky enough to snag a one-character Twitter username: @N. Over the years, he'd been offered large sums -- as much as $50,000 -- for the name, but he kept it. Then, according to a horrifying first-person account, a hacker socially engineered the last four digits of his credit card out of Paypal, used that information to seize control of his Godaddy account, and threatened to trash all of Hiroshima's websites unless Hiroshima transferred @N to the hacker. The hacker also seized control of Hiroshima's Facebook account. The attack took place over the Martin Luther King, Jr. Day holiday, and Hiroshima couldn't get his case escalated to anyone at Twitter, Godaddy or Paypal while it was taking place, and so he lost his domain. All three companies now say that they're looking into his story. Hiroshima offers some helpful advice on avoiding his fate (use two-factor authentication, mostly).

I'd add that it's generally good practice to avoid Godaddy, because they're SOPA-supporting sellout scum, and they suck.

US intel chief James Clapper: journalists reporting on leaked Snowden NSA docs “accomplices” to crime

U.S. Director of National Intelligence James Clapper. (Kevin Lamarque/Reuters)

In a Senate Judiciary Hearing on NSA surveillance today, Director of National Intelligence James Clapper insinuated dozens of journalists reporting on documents leaked by NSA whistleblower Edward Snowden were “accomplices” to a crime. His spokesman further suggested Clapper was referring to journalists after the hearing had concluded.

If this is the official stance of the US government, it is downright chilling.


How to configure Chrome to stop websites from bugging you with your computer's microphone and camera

Under Chrome's security model, a website that gets your permission to access your mic and camera once keeps it forever, regardless of which page is loaded -- so you might authorize an app running on one page of GitHub to use your mic, and thereafter, every GitHub page you visit can listen in on you automatically, without you getting any indication that this is going on. Google maintains that this is the right way for Chrome to behave -- that it complies with the relevant W3C standard.

Google has created a fix for this, but has not pushed it to Chrome users. If you want to protect your camera and mic from sneaky or unintended remote operation and you use Chrome, you'll need to take some extraordinary measures, which are laid out in this Lifehacker post. The simplest thing is to disable camera/mic access in Chrome altogether, but that sucks if there are some instances in which you'd like to have them switched on.

HOPE X call for participation now open

Emmanuel Goldstein from 2600 Magazine writes, "The call for participation at HOPE X in New York City is now open. There is room for over 100 talks and panels, dozens of workshops, and all kinds of creative artwork with hacker overtones. This is expected to be one of the largest conferences dealing with hacking, whistleblowing, social change, surveillance, and new technology ever presented in the United States. There will be no government agency recruiters, no commercial exploitation, and no shortage of controversy. The doors are now open for imaginative ideas at this very crucial point in hacker (and human) history. HOPE X takes place July 18-20, 2014 at the Hotel Pennsylvania in New York City."

Teach your rooted Android phone to lie to apps about whether it's rooted

There's a funny paradox in rooting your Android phone. Once you take total control over your phone, some apps refuse to run, because they're trying to do something that treats you as untrusted. Now there's a utility called Rootcloak that lets you tell your rooted phone to lie to apps about whether it is rooted. It's both long overdue and a neat demonstration of what it means to be root on a computer.

Scoring Obama's NSA reforms (spoiler: it's not good)

Earlier this week, EFF published a scorecard for rating Obama's NSA reforms. Now that the reforms have been announced, it's time to measure them up. They don't fare well, I'm afraid. Here's a roundup of commentary from privacy leaders around the world, expressing disappointment (if not surprise) at Obama's half-hearted reining in of the surveillance state.

Details about the malware used to attack Target's point-of-sale machines

The news that Target stores lost 110 million customers' credit card details in a hacker intrusion has illustrated just how grave a risk malicious software presents to the average person and the businesses they patronize. Brian Krebs has good, early details on the software that the hackers used on infected point-of-sale terminals at Target, and some good investigative guesses about who planted it there and how they operated it.

Krebs suggests that a Russian hacker called "Antikiller" may be implicated in the Target hack, and that Antikiller is, in any event, the author of the malware used against the point-of-sale systems.
