Tor: network security for domestic abuse survivors


Michael from Beta Boston writes, "The privacy protections offered by tools like Tor aren't just for journalists and spies; they're important for everyone. Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that, and we took a long look at the work cut out for them."

This is an important point: when you make it so that no one can keep secrets from the state and its enforcement arm, you also make it so that no one can keep secrets from crooks, thugs, stalkers, and every other kind of bad guy.

Read the rest

Kids are mostly sexually solicited online by classmates, peers, teens

The respected Crimes Against Children Research Center reports that one in seven children is sexually exploited online. This figure is both credible and alarming. But the context is vital: as danah boyd writes, the average predator isn't a twisted older man trawling for kids; rather, "most children are sexually solicited by their classmates, peers, or young adults just a few years older than they are."

Now, it's absolutely possible for a child to sexually exploit another child, so this isn't to minimize the potential harm to kids. But for so long as we model the threat to kids as being weird, strange grownups, rather than the young people they know and see every day, we will fail to prepare them to comport themselves wisely and safely.

Read the rest

Obama administration proves why we need someone to leak CIA Torture Report

image: Reuters


image: Reuters

It’s now been over a month since the Senate Intelligence Committee voted to force the Obama administration to declassify parts of the Committee’s landmark report on CIA torture, and the public still has not seen a word of the 6,000 page investigation.

Read the rest

Hacking the hospital: medical devices have terrible default security


Scott Erven is head of information security for a healthcare provider called Essentia Health, and his Friday presentation at Chicago's Thotcon, "Just What The Doctor Ordered?" is a terrifying tour through the disastrous state of medical device security.

Wired's Kim Zetter summarizes Erven's research, which ranges from the security of implanted insulin pumps and defibrillators to surgical robots and MRIs. Erven and his team discovered that hospitals are full of fundamentally insecure devices, and that these insecurities are not the result of obscure bugs buried deep in their codebase (as was the case with the disastrous Heartbleed vulnerability), but rather these are incredibly stupid, incredibly easy to discover mistakes, such as hardcoded easy default passwords. For example: surgical robots have their own internal firewall. If you run a vulnerability scanner against that firewall, it just crashes, and leaves the robot wide open.

The backups for image repositories for X-rays and other scanning equipment have no passwords. Drug-pumps can be reprogrammed over the Internet with ease. Defibrillators can be made to deliver shocks -- or to withhold them when needed. Doctors' instructions to administer therapies can be intercepted and replayed, adding them to other patients' records. You can turn off the blood fridge, crash life-support equipment and reset it to factory defaults. The devices themselves are all available on the whole hospital network, so once you compromise an employee's laptop with a trojan, you can roam free. You can change CT scanner parameters and cause them to over-irradiate patients.

The one bright spot is that anaesthesia and ventilators are not generally networked and are more secure.

Read the rest

Marshall Islands sues 9 nuclear powers, including US and Russia, over failure to disarm nuclear stockpiles

The Castle Bravo nuclear test on Bikini Atoll, Marshall Islands. A 15-megaton device equivalent to 1,000 Hiroshima blasts was detonated in 1954. Photograph: US Air Force - digital version


The Castle Bravo nuclear test on Bikini Atoll, Marshall Islands. A 15-megaton device equivalent to 1,000 Hiroshima blasts was detonated in 1954. Photograph: US Air Force - digital version

The Marshall Islands is suing the nine known nations with nuclear weapons at the international court of justice at The Hague, over charges they have violated their legal obligation to disarm under the 1968 nuclear non-proliferation treaty (NPT). From the Guardian:

In the unprecedented legal action, comprising nine separate cases brought before the ICJ on Thursday, the Republic of the Marshall Islands accuses the nuclear weapons states of a "flagrant denial of human justice". It argues it is justified in taking the action because of the harm it suffered as a result of the nuclear arms race. The Pacific chain of islands, including Bikini Atoll and Enewetak, was the site of 67 nuclear tests from 1946 to 1958, including the "Bravo shot", a 15-megaton device equivalent to a thousand Hiroshima blasts, detonated in 1954. The Marshallese islanders say they have been suffering serious health and environmental effects ever since.
Named in the lawsuit are the United States, Russia, China, France, the United Kingdom, India, Pakistan, North Korea, and Israel, an undeclared nuclear weapons state.

Phone phreakers' anthem

Brad sez, "A few decades ago, phone phreaks spent all of their free time learning about the Bell telephone system and making free phone calls to each other. This song by Bonecage attempts to capture that era, and the footage for the video was contributed by phone phreaks (and ex-phone phreaks) around the world."

Eternal vigilance app for social networks: treating privacy vulnerabilities like other security risks

Social networking sites are Skinner boxes designed to train you to undervalue your privacy. Since all the compromising facts of your life add less than a dollar to the market-cap of the average social network, they all push to add more "sharing" by default, with the result that unless you devote your life to it, you're going to find your personal info shared ever-more-widely by G+, Facebook, Linkedin, and other "social" services.

Arvind Narayanan has proposed a solution to this problem: a two-part system through which privacy researchers publish a steady stream of updates about new privacy vulnerabilities introduced by the social networking companies (part one), and your computer sifts through these and presents you with a small subset of the alerts that pertain to you and your own network use.

Read the rest

US intel chief's insane new secrecy directive forbids intel employees from "unauthorized" contact with reporters


U.S. Director of National Intelligence James Clapper. (Kevin Lamarque/Reuters)

The US Director of National Intelligence has issued a Directive [PDF] that forbids most intelligence community employees from talking to journalists about “intelligence-related information” unless they have explicit authorization to do so.

Intelligence community employees “must obtain authorization for contacts with the media” on any intel-related matters, and “must also report… unplanned or unintentional contact with the media on covered matters,” according to the Directive signed by James Clapper.

Read the rest

HOPE X conference: Dissent in NYC


Emmanuel from 2600 writes, "It should come as no surprise that dissent is playing a prominent role at the HOPE X conference this July in New York. So many technological developments of late involve standing up to authority and questioning the status quo. Whether it's using social media to organize people into doing something worthwhile, exposing security holes in the face of threats and lawsuits, becoming a whistleblower by using the information and technology we have access to, or just getting the word out about the latest laws, restrictions, and threats to our freedom and privacy, a lot of what we talk about constitutes one form or another of dissent. And it feels pretty good and healthy to speak out and share knowledge."

Read the rest

Edward Snowden: "Vladimir Putin must be called to account on surveillance just like Obama"


Vladimir Putin during the nationwide phone-in in Moscow. Photograph: RIA Novosti/Reuters

Today's question-and-answer session on Russian TV between NSA whistleblower Edward Snowden and Russian President Vladimir Putin did not go as Snowden had hoped. "I questioned the Russian president live on TV to get his answer on the record, not to whitewash him," Snowden says in an op-blog in the Guardian:

Read the rest

Appeals court overturns conviction of Andrew “weev” Auernheimer in iPad hacking case


Andrew “Weev” Auernheimer, in 2012. Photo: pinguino.

Notorious hacker and troll weev was released from prison this evening. A federal appeals court today overturned his conviction in a case of significance for all security researchers.

Weev exposed a security flaw in AT&T's website and obtained the personal data of more than 100,000 iPad users. He was charged with violating the Computer Fraud and Abuse Act (CFAA), and sentenced to three and a half years in prison. Today's ruling says prosecutors did not have the right to charge him in a state where none of the alleged crimes occurred.

Read the rest

Glenn Greenwald and Laura Poitras enter the US for first time since Snowden leaks

A first since they began reporting on the material leaked by NSA whistleblower Edward Snowden: Glenn Greenwald and Laura Poitras, landing in the United States. There have been concerns that the US might detain them if they entered the country.

(Disclosure: I'm on the board of the Freedom of the Press Foundation with all three)

Playground removes "safety" rules; fun, development and injuries ensue


The Swanson School in Auckland, NZ, quietly eliminated all the rules against "unsafe play," allowing kids to play swordfight with sticks, ride scooters, and climb trees. It started when the playground structures were torn down to make way for new ones, and the school principal, Bruce McLachlan, noticed that kids were building their own structures out of the construction rubble. The "unsafe" playground has resulted in some injuries, including at least one broken arm, but the parents are very supportive of the initiative. In particular, the parents of the kid with the broken arm made a point of visiting the principal to ask him not to change the playground just because their kid got hurt.

The article in the Canadian National Post notes that Kiwis are less litigious, by and large, than Americans, and that they enjoy an excellent national health service, and says that these two factors are a large contributor to the realpolitik that makes the playground possible. But this is still rather daring by Kiwi standards.

Read the rest

Google Maps' spam problem presents genuine security issues


Bryan Seely, a Microsoft Engineer demonstrated an attack against Google Maps through which he was able to set up fake Secret Service offices in the company's geo-database, complete with fake phone numbers that rang a switch under his control and then were forwarded to real Secret Service offices, allowing him to intercept and record phone-calls made to the Secret Service (including one call from a police officer reporting counterfeit money). Seely was able to attack Google Maps by adding two ATMs to the database through its Google Places crowdsourcing tool, verifying them through a phone verification service (since discontinued by Google), then changing them into Secret Service offices. According to Seely, the disabling of the phone-verification service would not prevent him from conducting this attack again.

As Dune Lawrence points out, this is a higher-stakes version of a common spam-attack on Google Maps practiced by locksmith, carpet cleaning, and home repair services. Spammers flood Google Maps with listing for fake "local" companies offering these services, and rake in high commissions when you call to get service, dispatching actual local tradespeople who often charge more than you were quoted (I fell victim to this once, when I had a key break off in the lock of my old office-door in London and called what appeared to be a "local" locksmith, only to reach a call-center who dispatched a locksmith who took two hours to arrive and charged a huge premium over what I later learned by local locksmiths would have charged).

A detailed post by Dan Austin describes this problem, points out that Google is more than four years late in delivering promised fixes to the problem, and offers solutions of his own. He suggests that the high Google Adwords revenue from spammy locksmiths and other services is responsible for the slow response to the problem.

Read the rest

Spyware increasingly a part of domestic violence

Australian Simon Gittany murdered his girlfriend, Lisa Harnum, after an abusive relationship that involved his surveillance of her electronic communications using off-the-shelf spyware marketed for purposes ranging from keeping your kids safe to spotting dishonest employees. As Rachel Olding writes in The Age, surveillance technology is increasingly a factor in domestic violence, offering abusive partners new, thoroughgoing ways of invading their spouses' privacy and controlling them.

The spyware industry relies upon computers -- laptops, mobile devices, and soon, cars and TVs and thermostats -- being insecure. In this, it has the same goals as the NSA and GCHQ, whose BULLRUN/EDGEHILL program sought to weaken the security of widely used operating systems, algorithms and programs. Every weakness created at taxpayer expense was a weakness that spyware vendors could exploit for their products.

Likewise, the entertainment industry wants devices that are capable of running code that users can't terminate or inspect, so that they can stop you from killing the programs that stop you from saving Netflix streams, running unapproved apps, or hooking unapproved devices to your cable box.

And Ratters, the creeps who hijack peoples' webcams in order to spy on them and blackmail them into sexual performances, also want computers that can run code that users can't stop. And so do identity thieves, who want to run keyloggers on your computer to get your banking passwords. And so do cops, who want new powers to insert malware into criminals' computers.

There are a lot of ways to slice the political spectrum -- left/right, authoritarian/anti-authoritarian, centralist/decentralist. But increasingly, the 21st century is being defined by the split between people who think your computer should do what you tell it, and people who think that you can't be trusted to control your own computer, and so they should be able to run code on it against your will, without your knowledge, and to your detriment.

Pick a side.

Spyware's role in domestic violence [Rachel Olding/The Age]

(via Geek Feminism)