"runa sandvik"

New York Times abruptly eliminates its "director of information security" position: "there is no need for a dedicated focus on newsroom and journalistic security"

Runa Sandvik (previously) is a legendary security researcher who spent many years as a lead on the Tor Project; in 2016, the New York Times hired her as "senior director of information security" where she was charged with protecting the information security of the Times's newsroom, sources and reporters. Yesterday, the Times fired her, eliminating her role altogether, because "there is no need for a dedicated focus on newsroom and journalistic security." Read the rest

The New York Times is now a Tor onion service

The New York Times is now available as an "Onion Service" on the Tor network, at the address https://www.nytimes3xbfgragh.onion/ -- meaning that anyone with Tor access can securely and privately access the Times without giving away any information about what they're looking at, even to state-level actors who control the ISPs. Read the rest

How the National Reconnaissance Office came to choose a sinister, planet-devouring octopus for a logo

Michael from Muckrock writes, "When the National Reconnaissance Office (NRO) announced the upcoming launch of their NROL-39 mission back in December 2013, they didn't get quite the response they hoped. That might have had something to do with the mission logo being a gigantic octopus devouring the Earth. Researcher Runa Sandvik wanted to know who approved this and why, so she filed a Freedom of Information Act with the NRO for the development materials that went into the logo. A few months later, the NRO delivered." Read the rest

Self-aiming sniper rifle can be pwned over the Internet

The $13,000 Trackingpoint sniper rifle is vulnerable to wifi-based attacks that allow your adversary to redirect bullets to new targets of their choosing. Read the rest

New version of SecureDrop, open-source whistleblower submission system originally created by Aaron Swartz

At Freedom of the Press Foundation, we’re excited to announce the release of a brand new version of SecureDrop, our open source whistleblower system which media organizations can use to communicate and receive documents from sources. Read the rest

#Ferguson cops claim they have no records of arrests of journalists

See Runa Sanvik's feature on this

Phil writes, "Runa Sandvik of Freedom of the Press Foundation is systematically documenting the arrests of journalists in Ferguson, Missouri made during protests of the August 9 officer-committed shooting death of Michael Brown." Read the rest

Edward Snowden hosted a cryptoparty and ran a Tor exit node

Before Edward Snowden went on the run and effected the first-ever leak of documents from the NSA, he threw a cryptoparty in Hawai'i, coordinating with Runa Sandvik from the Tor Project and Asher Wolf from the Cryptoparty movement to plan an event where everyday people were taught to use crypto. He gave a lecture for his neighbors on Truecrypt, and told people that he ran at least two Tor exist nodes to help people keep their anonymous traffic moving (Boing Boing also runs a Tor exit node). Apparently, his girlfriend videoed the event -- I'd love to see it!

Snowden used the Cincinnatus name to organize the event, which he announced on the Crypto Party wiki, and through the Hi Capacity hacker collective, which hosted the gathering. Hi Capacity is a small hacker club that holds workshops on everything from the basics of soldering to using a 3D printer.

“I’ll start with a casual agenda, but slot in additional speakers as desired,” write Cincinnatus in the announcement. “If you’ve got something important to add to someone’s talk, please share it (politely). When we’re out of speakers, we’ll do ad-hoc tutorials on anything we can.”

When the day came, Sandvik found her own way to the venue: an art space on Oahu in the back of a furniture store called Fishcake. It was filled to its tiny capacity with a mostly male audience of about 20 attendees. Snowden spotted her when she walked in and introduced himself and his then-girlfriend, Lindsay Mills, who was filming the event.

Read the rest

TOR project uncovers flaw in mass-surveillance appliance

The TOR team have discovered a fake certificate in the wild. The certificate, issued by a US company called Cyberoam, was used in an attempt to trick a user in Jordan into believing that her/his connection to the TOR website, was private and secure, though in fact it was being spied upon by a Cyberoam device. Cyberoam makes "deep packet inspection" software, used in mass surveillance of Internet traffic, and as TOR's Runa Sandvik and OpenSSL's Ben Laurie investigated the matter, they discovered that all Cyberoam devices share a common vulnerability related to their handling of certificates. The company was notified of this on June 30, and told that the vulnerability would be made public today.

Last week, a user in Jordan reported seeing a fake certificate for torproject.org. The user did not report any errors when browsing to sites such as Gmail, Facebook, and Twitter, which suggests that this was a targeted attack. The certificate was issued by a US company called Cyberoam. We first believed that this incident was similar to that of Comodo and DigiNotar, and that Cyberoam had been tricked to issue a fake certificate for our website.

After a bit of research, we learned that Cyberoam make a range of devices used for Deep Packet Inspection (DPI). The user was not just seeing a fake certificate for torproject.org, his connection was actually being intercepted by one of their devices. While investigating this further, Ben Laurie and I found a security vulnerability affecting all Cyberoam DPI devices.

Read the rest

:)