Yesterday, Bloomberg published a blockbuster story accusing the Chinese military of sneaking spy-chips "the size of a grain of rice" onto the motherboards of servers sold by Supermicro and/or Elemental for use in data-centers operated by the biggest US corporations (Apple and Amazon, among others), as well as US warships and military data-centers, and the servers used by Congress and the Senate.
Richard Branson got a call from the UK Secretary of State for Defence asking for his help in a covert ransom payment of $5m to rescue a ranking diplomat from kidnappers; Branson recognised the man's voice but he was suspicious of the plan to validate the scheme by sending an assistant to the lobby of a government building to meet the Secretary's secretary and exchange codewords.
In 1984, the Stasi -- East Germany's notorious secret police -- searched the flat of an auditor to determine if he'd leaked files that put the country in a bad light to Stern, a West German magazine, published in Hamburg. They recorded the clandestine search for posterity, and used it as the basis for a training video explaining to other secret police operatives how to search a dissident's home without alerting them that they were under suspicion. (via Grugq)
After Colin Dickey wrote about United CEO Oscar Munoz's nonpology for the savage beating of Dr David Dao, he was taken to task for accusing the CEO of writing in the "passive voice."
The closer Dickey looked, the more he concluded that "passive voice" is not a good characterization of the style employed by corporate America; rather, the instantly recognizable "Bureaucratic Style" "makes use of both active and passive constructions, but its purpose is uniform: to erase and efface any active agent on the part of the bureaucracy."
Dickey's essay on Bureaucratic Style is fascinating.
To begin with, the bureaucratic style works to erase cause. Here is Munoz’s description of the start of the incident: “On Sunday, April 9, after United Express Flight 3411 was fully boarded, United’s gate agents were approached by crewmembers that were told they needed to board the flight.” Setting aside the passengers for a second, in this sentence there are two named actors: the gate agents and the crewmembers. You might expect, then, that this all started when the crewmembers approached the gate agents and told them they needed to board the flight. However, a closer reading of the syntax implies this is not the case; the crewmembers themselves “were told they needed to board the flight.” Who told them? The sentence does not make this clear, even though it is this unnamed actor, presumably a supervisor, who set this entire chain of events in motion. Deliberately pushed back as far off the stage as possible, there is no one here to responsibly hold accountable for subsequent events.
DC Dave's "Seventeen Techniques for Truth Suppression" are a good analytical tool for understanding what's happening when governments are embarrassed by revelations of corruption and criminality and get to spinning, a kind of Spicer-Conway masterclass (albeit one that's spoiled by its descent into conspiracy theory with the Vince Foster suicide as an example of such truth-suppression).
East Germany's secret police, the Stasi, were the most aggressive surveillance force of their day -- at the Stasi's peak, one in 60 East Germans was snitching for the agency.
Privacy International interviewed 57 sources for their report on the link between surveillance and torture and murder in Kenya, including 32 law enforcement, military or intelligence officers with direct firsthand knowledge of the programs.
A team of esteemed scholars including Yochai "Wealth of Networks" Benkler and Ethan Zuckerman (co-founder of Global Voices) analyzed 1.25 million media stories published between April 1, 2015 and election day, finding "a right-wing media network anchored around Breitbart developed as a distinct and insulated media system, using social media as a backbone to transmit a hyper-partisan perspective to the world."
Jonathan Stray summarizes three different strains of propaganda, analyzing why they work, and suggesting counter-tactics: in Russia, it's about flooding the channel with a mix of lies and truth, crowding out other stories; in China, it's about suffocating arguments with happy-talk distractions, and for trolls like Milo Yiannopoulos, it's weaponizing hate, outraging people so they spread your message to the small, diffused minority of broken people who welcome your message and would otherwise be uneconomical to reach.
The Anonymous activists behind "OpKKK" -- which infiltrated and unmasked Klan members, including many in US military and police departments -- began by creating thin-but-plausible fake identities on Facebook that signalled support for "Blue Lives Matter." By friending other accounts that indicated support for Blue Lives Matter, they found themselves being auto-suggested friendships with KKK members.
The Shadow Brokers, a previously unknown hacker group, has announced that it has stolen a trove of ready-to-use cyber weapons from The Equation Group, an advanced cyberweapons dealer believed to be operating on behalf of, or within, the NSA.
Here's a must-read story from Tech Review about the thriving trade in "zero-day exploits" -- critical software bugs that are sold off to military contractors to be integrated into offensive malware, rather than reported to the manufacturer for repair. The stuff built with zero-days -- network appliances that can snoop on a whole country, even supposedly secure conversations; viruses that can hijack the camera and microphone on your phone or laptop; and more -- is the modern equivalent of landmines and cluster bombs: antipersonnel weapons that end up in the hands of criminals, thugs and dictators who use them to figure out whom to arrest, torture, and murder. The US government is encouraging this market by participating actively in it, even as it makes a lot of noise about "cyber-defense."
Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghoian.
No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe.
The Electronic Frontier Foundation's Marcia Hofmann writes about security research companies that work to discover "zero day" vulnerabilities in software and operating systems, then sell them to governments and corporations that want to use them as a vector for installing spyware. France's VUPEN is one such firm, and it claims that it only sells to NATO countries and their "partners," a list that includes Belarus, Azerbaijan, Ukraine, and Russia. As Hofmann points out, even this low standard is likely not met, since many of the governments with which VUPEN deals would happily trade with other countries with even worse human rights records -- if Russia will sell guns to Syria, why not software exploits? VUPEN refuses to disclose their discoveries to the software vendors themselves, even for money, because they want to see to it that the vulnerabilities remain unpatched and exploitable for as long as possible.
“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.
While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg.