
How to configure Chrome to stop websites from bugging you with your computer's microphone and camera


Under Chrome's security model, a website that gets your permission to access your mic and camera once keeps it forever, regardless of which page is loaded -- so you might authorize an app running on one page of GitHub to use your mic, and thereafter, every GitHub page you visit can listen in on you automatically, without you getting any indication that this is going on. Google maintains that this is the right way for Chrome to behave -- that it complies with the relevant W3C standard.

Google has created a fix for this, but has not pushed it to Chrome users. If you want to protect your camera and mic from sneaky or unintended remote operation and you use Chrome, you'll need to take some extraordinary measures, which are laid out in this Lifehacker post. The simplest thing is to disable camera/mic access in Chrome altogether, but that sucks if there are some instances in which you'd like to have them switched on.


HOPE X call for participation now open

Emmanuel Goldstein from 2600 Magazine writes, "The call for participation at HOPE X in New York City is now open. There is room for over 100 talks and panels, dozens of workshops, and all kinds of creative artwork with hacker overtones. This is expected to be one of the largest conferences dealing with hacking, whistleblowing, social change, surveillance, and new technology ever presented in the United States. There will be no government agency recruiters, no commercial exploitation, and no shortage of controversy. The doors are now open for imaginative ideas at this very crucial point in hacker (and human) history. HOPE X takes place July 18-20, 2014 at the Hotel Pennsylvania in New York City."

Teach your rooted Android phone to lie to apps about whether it's rooted

There's a funny paradox in rooting your Android phone. Once you take total control over your phone, some apps refuse to run, because they are built to treat a rooted device (and therefore you, its owner) as untrusted. Now there's a utility called Rootcloak that lets you tell your rooted phone to lie to apps about whether it is rooted. It's both long overdue and a neat demonstration of what it means to be root on a computer.

Scoring Obama's NSA reforms (spoiler: it's not good)


Earlier this week, EFF published a scorecard for rating Obama's NSA reforms. Now that the reforms have been announced, it's time to measure them up. They don't fare well, I'm afraid. Here's a roundup of commentary from privacy leaders around the world, expressing disappointment (if not surprise) at Obama's half-hearted reining in of the surveillance state.


Details about the malware used to attack Target's point-of-sale machines


The news that Target stores lost 110 million customers' credit card details in a hacker intrusion has illustrated just how grave a risk malicious software presents to the average person and the businesses they patronize. Brian Krebs has good, early details on the software that the hackers used on infected point-of-sale terminals at Target, and some good investigative guesses about who planted it there and how they operated it.

Krebs suggests that a Russian hacker called "Antikiller" may be implicated in the Target hack, and that Antikiller is, in any event, the author of the malware used against the point-of-sale systems.


Nun faces 30 years in prison for exposing security lapses in nuclear weapons program


Mike from Mother Jones sez, "Josh Harkinson writes about the upcoming sentencing of Megan Rice, an elderly nun and Plowshares activist who broke into the Y-12 enriched uranium facility with two fellow aging activists. The incident, which exposed glaring security flaws and was deeply embarrassing to the feds, could get the trio a maximum 30 years in federal prison. Harkinson writes:"


Blackphone: a privacy-oriented, high-end, unlocked phone

Blackphone is a secure, privacy-oriented mobile phone company co-founded by PGP inventor Phil Zimmermann. It integrates a lot of the privacy functionality of Zimmermann's Silent Circle, which makes Android-based privacy tools (secure calls, messaging, storage and proxies). Blackphone also runs Android, with a skin that switches on all the security stuff by default. The company is based in Switzerland, whose government privacy rules are better than most. The phone itself is a high-end, unlocked GSM handset. No info on pricing yet, but pre-orders open in late February. I'm interested in whether the source code for the Blackphone stack will be free, open, auditable and transparent. If it is, I will certainly order one of these for myself and report here on its performance.


HEADWATER: NSA program for sabotaging Huawei routers over the Internet


Bruce Schneier leads a discussion of HEADWATER, the NSA's tool for compromising Huawei routers over the Internet and turning them into snoops. It's one of the entries from the notorious TAO catalog:


Victorian Transport Department calls cops on 16-year-old for reporting bug that exposed customers' personal data

Last month, around Christmas, a sixteen-year-old Australian named Joshua Rogers living in Victoria told the Transport Department that its Metlink website was exposing the sensitive details of over 600,000 transit users, including "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers."

He waited two weeks, but after he had not heard from Metlink -- and as the data exposure was ongoing -- he went to the national newspaper The Age, which called the Transport Department for comment, whereupon the Transport Department called the police, who arrested the teenager.

It may be that the mistake that exposed all this sensitive data was an "honest" one -- after all, there's no experimental methodology for verifying security apart from telling people what you're doing and asking them to poke holes in it. Security is a process, not a product.

But that means that anyone who keeps sensitive public information on hand has a duty to take bug reports about vulnerabilities seriously, and to act on them quickly. Killing (or arresting) the messenger is absolutely unforgivable, not merely because of the injustice to this one person, but because it creates a chilling effect on all future bug-reporters, and not just for your service, but for all of them.

The Transport Department hasn't only unjustly punished an innocent person; it hasn't only weakened its own security; it hasn't only failed in its duty to its customers -- it has struck a blow against the very idea of security itself, and harmed us all.


Senior execs are the biggest risk to IT security

Stroz Friedberg, a risk-management consultancy, commissioned a survey [PDF] of information handling practices in businesses that concluded that senior managers are the greatest risk to information security within companies.


When the FBI asks you to weaken your security so it can spy on your users


Nico Sell is the CEO of Wickr, a privacy-oriented mobile messaging system that's been deliberately designed so that the company can't spy on its users, even if they're ordered to do so. As we know from the Snowden leaks, spooks hate this kind of thing, and spend $250M/year sabotaging security so that they can spy on everyone, all the time.

After a recent presentation, she was approached by an FBI agent who asked her if she'd put a back-door into Wickr.


More experts pull out of RSA conference

On Christmas Day, F-Secure's Mikko Hypponen pulled out of RSA's annual security conference in protest over RSA's collaboration with the NSA (they weakened their own security to make NSA spying easier). He's not the only one: more security experts cancelled their RSA appearances, including Atredis's Josh Thomas and Jeffrey Carr, who has called for a boycott of the event.

NSA: a threat to national security

In an excellent editorial, Bruce Schneier explains how the NSA weakens American security (because the NSA relies upon weaknesses in American technology to permit it to spy) without stopping terrorism (by General Keith Alexander's own admission, the only plot foiled by bulk NSA spying was a plan by a guy in San Diego to send $8500 to some Somali militants).


Glitter nail-polish is the best tamper-evident seal


At a talk at the 30C3 in Hamburg, Ryan Lackey proposed an ingenious solution to detecting tampering with your computer, phone or tablet: paint the seams and screw-tops with glitter nail-polish and snap a photo of the random pattern formed by the glitter after it dries.

Security-conscious travelers have long used tamper-evident seals over their devices' screws and seams, but as Lackey points out, those seals are easy for spies, customs officials and other snoops to reproduce, especially if they can work in private (as happens when your laptop is taken away for a border inspection). But reproducing the random pattern of glitter polish is substantially more expensive than replicating a security seal -- it also takes longer, and there are no set procedures for doing so.

Lackey also recommends using stickers as an alternative seal; it's unlikely that a spy agency or a customs official has access to your favorite vintage Wacky Package sticker.


NSA has a 50-page catalog of exploits for software, hardware, and firmware

A Snowden leak accompanying today's story on the NSA's Tailored Access Operations group (TAO) details the NSA's toolbox of exploits, developed by an NSA group called ANT (Advanced or Access Network Technology).

ANT's catalog runs to 50 pages, and lists electronic break-in tools, wiretaps, and other spook toys. For example, the catalog offers FEEDTROUGH, an exploit kit for Juniper Networks' firewalls; gimmicked monitor cables that leak video signals; BIOS-based malware that compromises the computer even before the operating system is loaded; and compromised firmware for hard drives from Western Digital, Seagate, Maxtor and Samsung.

Many of the exploited products are made by American companies, and hundreds of millions of everyday people are at risk from the unpatched vulnerabilities that the NSA has discovered in their products.
