Own your crypto-extremism with the Torrorist tee


Celebrate yesterday's news that the NSA classes all Tor users as "extremists" and targets them for indefinite, deep surveillance...with fashion!


Elements of Spook Style

The terrible writing and design of spook memos and PowerPoint slides have come to the fore since June 2013. However, that doesn't mean that there aren't some pretty good style guides available for America's brave spooks. USA USA USA.


"Personal Internet security" is a team sport


My latest column in Locus magazine, Security in Numbers, looks at the impossibility of being secure on your own -- if you use the Internet to talk to other people, they have to care about security, too.


Edward Snowden to speak at HOPE X NYC


As if there weren't enough reasons to attend HOPE X in NYC this month, now there's a series of killer whistleblower presentations.


Facebook manipulation experiment has connections to DoD "emotional contagion" research


Here's a new wrinkle on the massive emotion-manipulation study that Facebook conducted in concert with researchers from Cornell and UCSF: one of its researchers is funded under a US Department of Defense program to study "emotional contagion" and civil unrest.


If you read Boing Boing, the NSA considers you a target for deep surveillance

The NSA says it only banks the communications of “targeted” individuals. Guess what? If you follow a search-engine link to Boing Boing’s articles about Tor and Tails, you’ve been targeted. Cory Doctorow digs into Xkeyscore and the NSA’s deep packet inspection rules.


ISPs sue UK spies over hack-attacks


ISPs in the US, UK, Netherlands and South Korea are suing the UK spy agency GCHQ over its illegal attacks on their networks in the course of conducting surveillance.


Seven things you should know about Tor

Tor (The Onion Router) is a military-grade, secure tool for increasing the privacy and anonymity of your communications; but it's been the subject of plenty of fear, uncertainty and doubt.

The Electronic Frontier Foundation's 7 Things You Should Know About Tor debunks some of the most common myths about the service (which even the NSA can't break) and raises some important points about Tor's limitations.

7 Things You Should Know About Tor [Cooper Quintin/EFF]

How the CIA got Dr Zhivago into the hands of Soviet dissidents


Working from recently declassified documents disclosed in The Zhivago Affair: The Kremlin, the CIA, and the Battle Over a Forbidden Book, the BBC World Service tells the extraordinary story of how the CIA conspired with a Dutch spy to publish a Russian edition of Boris Pasternak's Dr Zhivago and smuggle it into Russia by sneaking it into the hands of Soviet attendees at the Brussels Universal and International Exposition in 1958. Zhivago was banned by the Soviets, who also forced Pasternak to renounce the Nobel Prize in literature, which he was awarded that year.


Researchers publish secret details of cops' phone-surveillance malware


Kaspersky Labs (Russia) and Citizen Lab (University of Toronto) have independently published details of phone-hacking tools sold to police departments worldwide by the Italian firm Hacking Team (here's Kaspersky's report and Citizen Lab's). The tools can be used to attack Android, iOS, Windows Mobile and BlackBerry devices, with the most sophisticated attacks reserved for Android and iOS.

The spyware can covertly record sound, images and keystrokes, capture screenshots, and access the phones' storage and GPS. The tools are designed to detect attempts to search for them and to delete themselves without a trace if they sense that they are under attack.

Hacking Team insists that its tools are only sold to "democratic" police forces, but Citizen Lab's report suggests that the tool was used by the Saudi government to target dissidents.

The means of infection is device-specific. If police have physical access, it's simple. Android devices can be attacked by infecting a PC with a virus that installs the police malware when the device is connected to it. This attack also works on jailbroken iPhones.


NSA helps foreign governments conduct mass surveillance at home


A new release of Snowden's leaked NSA docs details RAMPART-A, through which the NSA gives foreign governments the ability to conduct mass surveillance against their own populations in exchange for NSA access to their communications. RAMPART-A is spread across 13 sites and accesses three terabytes/second from 70 cables and networks. It cost US taxpayers $170M between 2011 and 2013, allocated through the NSA's "black budget."

The NSA makes its foreign partners promise not to spy on the USA using its equipment and in return, agrees not to spy on its partners' populations (with "exceptions"). However, as was documented in Glenn Greenwald's indispensable No Place to Hide, the NSA has a simple trick for circumventing any promises not to spy on its partners' populations.

"No Place to Hide" revealed a list of 33 "third party" countries that assist the NSA in conducting mass surveillance, including Saudi Arabia, Israel, Singapore, Ethiopia, and 15 EU member states. These countries do not allow the NSA to spy on their own countries, but the NSA exploits a loophole to conduct this surveillance anyway: it will strike an agreement with Country A, on one end of a high-speed cable, not to spy on its population, and with Country B, on the other end of the cable, not to spy on its population, but will conduct mass surveillance of Country A's communications from Country B and vice-versa.

How Secret Partners Expand NSA’s Surveillance Dragnet [Ryan Gallagher/The Intercept]

GCHQ claims right to do warrantless mass interception of all webmail, search and social media


The UK spy agency GCHQ says it doesn't need a warrant to intercept and store all UK social media traffic, search history and webmail because it is headed offshore, so it's "foreign communications". It had kept this interpretation of English and Welsh law a secret until now, and only revealed it after a protracted legal battle with the excellent people at Privacy International and six other civil liberties groups, including Amnesty International and the ACLU.


Possible hidden Latin warning about NSA in Truecrypt's suicide note


When the anonymous authors of the Truecrypt security tool mysteriously yanked their software last month, there was widespread suspicion that they had been ordered by the NSA to secretly compromise their software. A close look at the cryptic message they left behind suggests that they may have encoded a secret clue in the initials of each word of the sentence ("Using TrueCrypt is not secure as it may contain unfixed security issues"): the Latin phrase "uti nsa im cu si", which some claim can be translated as a warning that the NSA had pwned Truecrypt.


How can you trust your browser?


Tim Bray's Trusting Browser Code explores the political and technical problems with trusting your browser, especially when you're using it to do sensitive things like encrypt and decrypt your email. In an ideal world, you wouldn't have to trust Google or any other "intermediary" service to resist warrants forcing it to turn over your sensitive communications, because it would be technically impossible for anyone to peek into the mail without your permission. But as Bray points out, the complexity and relative opacity of Javascript makes this kind of surety difficult to attain.

Bray misses a crucial political problem, though: the DMCA. Under US law (and similar laws all over the world), telling people about vulnerabilities in DRM is illegal, meaning that a bug in your browser that makes your email vulnerable to spying might be illegal to report, and will thus potentially never be fixed. Now that the World Wide Web Consortium and all the major browser vendors (even including Mozilla) have capitulated on adding DRM to the Web, this is the most significant political problem in the world of trusting your browser.


Time-capsule crypto to help journalists protect their sources


Jonathan Zittrain writes, "I published an op-ed in the Boston Globe today musing on the prospects for 'time capsule encryption,' one of several ways of storing information that renders it inaccessible to anyone until certain conditions -- such as the passage of time -- are met. I could see libraries and archives offering such technology as part of accepting papers and manuscripts, especially in the wake of the "Belfast Project" situation, where a library promised confidentiality for accounts of the Troubles in North Ireland, and then found itself amidst subpoenas from law enforcement looking to solve long-cold cases. But the principle could apply to any person or company thinking that there's a choice between leaving information exposed to leakage, or destroying it entirely."

I'm less enthusiastic about this than Jonathan is. I think calibrating the strength of your time-capsule is very hard. If the NSA might be an order of magnitude faster than the rest of us at brute-force cryptanalysis, that means you need to make your 10-year capsule strong enough to last for 100 years just to be on the safe side. Same goes for proof-of-work.
