Submit a link Features Reviews Podcasts Video Forums More ▾

Social-engineering the FBI in 1971


In The Burglary: The Discovery of J. Edgar Hoover's Secret FBI, Betty Medsger reveals the long-secret details of the Citizens Commission to Investigate the FBI, an activist group that raided the FBI's offices, retrieving evidence of J Edgar Hoover's criminal program of secret spying. The book is a rollicking history of the confluence of protest, locksport, activism and amateur spycraft. One of its most hilarious moments is the description of the group's social engineering hack on an unpickable lock that they needed to get past in order to get to their target:

Read the rest

David Cameron: TV crime dramas prove we need mass warrantless electronic surveillance

UK Conservative Prime Minister David Cameron says that ISPs and phone companies should be required to store records of every click you make, every conversation you have, and every place you physically move through. He says that communications companies should be required to make it impossible to keep your communications from being eavesdropped in, with mandatory back-doors.

He says we need this law because "TV crime dramas illustrated the value of monitoring mobile data."

Remember the Snooper's Charter, the 2012 UK Conservative plan to require ISPs and phone companies to retain the records of all your calls and movements, and make them available to police and government without a warrant? Home Secretary Theresa May proposed an unlimited budget to pay ISPs to help spy on you, and called people who opposed this "conspiracy theorists" and said the only people who need freedom from total, continuous surveillance were "criminals, terrorists and paedophiles."

The Snooper's Charter was killed by a rebellion from Libdem MPs, who rejected the plan. Now it's back, just as the public are starting to have a debate about electronic spying thanks to NSA whistleblower Edward Snowden, who revealed the extent to which our online habits are already illegally surveilled by government spies. Let's hope that the Snowden revelations -- and the US government's admission that mass spying never caught a terrorist or foiled a terrorism attempt -- strangles this Cameron brainchild in its cradle.

Read the rest

Extorted out of a one-character Twitter ID by a hacker who seized control of Godaddy domains


Naoki Hiroshima was lucky enough to snag a one-character Twitter username: @N. Over the years, he'd been offered large sums -- as much as $50,000 -- for the name, but he kept it. Then, according to a horrifying first-person account, a hacker socially engineered the last four digits of his credit-card out of Paypal, used that information to seize control of his Godaddy account, and threated to trash all of Hiroshima's websites unless Hiroshima transferred @N to the hacker. The hacker also seized control of Hiroshima's Facebook account. The attack took place over the Martin Luther King, Jr day holiday, and Hiroshima couldn't get his case escalated to anyone at Twitter, Godaddy or Paypal while it was taking place, and so he lost his domain. All three companies now say that they're looking into his story. Hiroshima offers some helpful advice on avoiding his fate (use two-factor authentication, mostly).

I'd add that it's generally good practice to avoid Godaddy, because they're SOPA-supporting sellout scum, and they suck.

Read the rest

US intel chief James Clapper: journalists reporting on leaked Snowden NSA docs “accomplices” to crime


U.S. Director of National Intelligence James Clapper. (Kevin Lamarque/Reuters)

In a Senate Judiciary Hearing on NSA surveillance today, Director of National Intelligence James Clapper insinuated dozens of journalists reporting on documents leaked by NSA whistleblower Edward Snowden were “accomplices” to a crime. His spokesman further suggested Clapper was referring to journalists after the hearing had concluded.

If this is the official stance of the US government, it is downright chilling.

Read the rest

How to configure Chrome to stop websites from bugging you with your computer's microphone and camera


Under Chrome's security model, a website that gets your permission to access your mic and camera once keeps it forever, regardless of which page is loaded -- so you might authorize an app running on one page of Github to use your mic, and thereafter, every Github page you visit can listen in on you automatically, without you getting any indication that this is going on. Google maintains that this is the right way for Chrome to behave -- that it complies with the relevant W3C standard.

Google has created a fix for this, but have not pushed it to Chrome users. If you want to protect your camera and mic from sneaky or unintended remote operation and you use Chrome, you'll need to take some extraordinary measures, which are laid out in this Lifehacker post. The simplest thing is to disable camera/mic access in Chrome altogether, but that sucks if there are some instances in which you'd like to have them switched on.

Read the rest

HOPE X call for participation now open

Emmanuel Goldstein from 2600 Magazine writes, "The call for participation at HOPE X in New York City is now open. There is room for over 100 talks and panels, dozens of workshops, and all kinds of creative artwork with hacker overtones. This is expected to be one of the largest conferences dealing with hacking, whistleblowing, social change, surveillance, and new technology ever presented in the United States. There will be no government agency recruiters, no commercial exploitation, and no shortage of controversy. The doors are now open for imaginative ideas at this very crucial point in hacker (and human) history. HOPE X takes place July 18-20, 2014 at the Hotel Pennsylvania in New York City." Cory 1

Teach your rooted Android phones to lie to apps about whether it's rooted

There's a funny paradox in rooting your Android phone. Once you take total control over your phone, some apps refuse to run, because they're trying to do something that treats you as untrusted. Now there's a utility called Rootcloak that lets you tell your rooted phone to lie to apps about whether it is rooted. It's both long overdue and a neat demonstration of what it means to be root on a computer. Cory 10

Scoring Obama's NSA reforms (spoiler: it's not good)


Earlier this week, EFF published a scorecard for rating Obama's NSA reforms. Now that the reforms have been announced, it's time to measure them up. They don't fare well, I'm afraid. Here's a roundup of commentary from privacy leaders around the world, expressing disappointment (if not surprise) at Obama's half-hearted reining in of the surveillance state.

Read the rest

Details about the malware used to attack Target's point-of-sale machines


The news that Target stores lost 110 million customers' credit card details in a hacker intrusion has illustrated just how grave a risk malicious software presents to the average person and the businesses they patronize. Brian Krebs has good, early details on the software that the hackers used on infected point-of-sale terminals at Target, and some good investigative guesses about who planted it there and how they operated it.

Krebs suggests that a Russian hacker called "Antikiller" may be implicated in the Target hack, and that Antikiller is, in any event, the author of the malware used against the point-of-sale systems.

Read the rest

Nun faces 30 years in prison for exposing security lapses in nuclear weapons program


Mike from Mother Jones sez, "Josh Harkinson writes about the upcoming sentencing of Megan Rice, an elderly nun and Plowshares activist who broke into the Y-12 enriched uranium facility with two fellow aging activists. The incident, which exposed glaring security flaws and was deeply embarrassing to the feds, could get the trio a maximum 30 years in federal prison. Harkinson writes:"

Read the rest

Blackphone: a privacy-oriented, high-end, unlocked phone

Blackphone is a secure, privacy-oriented mobile phone company co-founded by PGP inventor Phil Zimmerman. It integrates a lot of the privacy functionality of Zimmerman's Silent Circle, which makes Android-based privacy tools (secure calls, messaging, storage and proxies). Blackphone also runs Android, with a skin that switches on all the security stuff by default. The company is based in Switzerland, whose government privacy rules are better than most. The phone itself is a high-end, unlocked GSM handset. No info on pricing yet, but pre-orders open in late February. I'm interested in whether the sourcecode for the Blackphone stack will be free, open, auditable and transparent. If it is, I will certainly order one of these for myself and report here on its performance.

Read the rest

HEADWATER: NSA program for sabotaging Huawei routers over the Internet


Bruce Schneier leads a discussion of HEADWATER, the NSA's tool for compromising Huawei routers over the Internet and turning them into snoops. It's one of the entries from the notorious TAO catalog:

Read the rest

Victorian Transport Department calls cops on 16 year old for reporting bug that exposed customers' personal data

Last month, around Christmas, a sixteen-year-old Australian named Joshua Rogers living in Victoria told the Transport Department that its Metlink website was exposing the sensitive details of over 600,000 transit users, including "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers."

He waited two weeks, but after he had not heard from Metlink -- and as the data exposure was ongoing -- he went to the national newspaper The Age, who called the Transport Department for comment. Whereupon the Transport Department called the police, who arrested the teenager.

It may be that the mistake that exposed all this sensitive data was an "honest" one -- after all, there's no experimental methodology for verifying security apart from telling people what you're doing and asking them to poke holes in it. Security is a process, not a product.

But that means that anyone who keeps sensitive public information on hand has a duty to take bug reports about vulnerabilities seriously, and to act on them quickly. Killing (or arresting) the messenger is absolutely unforgivable, not merely because of the injustice to this one person, but because it creates a chilling effect on all future bug-reporters, and not just for your service, but for all of them.

The Transport Department hasn't only unjustly punished an innocent person; it hasn't only weakened its own security; it hasn't only failed in its duty to its customers -- it has struck a blow against the very idea of security itself, and harmed us all.

Read the rest

Senior execs are the biggest risk to IT security

Stroz Friedberg, a risk-management consultancy, commissioned a survey [PDF] of information handling practices in businesses that concluded that senior managers are the greatest risk to information security within companies.

Read the rest

When the FBI asks you to weaken your security so it can spy on your users


Nico Sell is the CEO of Wickr, a privacy-oriented mobile messaging system that's been deliberately designed so that the company can't spy on its users, even if they're ordered to do so. As we know from the Snowden leaks, spooks hate this kind of thing, and spend $250M/year sabotaging security so that they can spy on everyone, all the time.

After a recent presentation, she was approached by an FBI agent who asked her if she'd put a back-door into Wickr.

Read the rest