James Clapper, the US Director of National Intelligence, has tendered his resignation. He says he will serve through the handover to the new administration, whereupon Donald Trump will inherit an arsenal of cyberweapons and a $52B/year army of 107,000 secret, unaccountable spies that Clapper has strengthened and emboldened in one of the most sustained and successful exercises in empire-building in US governmental history. Read the rest
The more we learn about the Shadow Brokers, who claim to be auctioning off "cyberweapons" that crafted for the NSA's use, the scarier the breach gets: some of the world's biggest security companies are tacitly admitting that the exploits in the Shadow Brokers' initial release can successfully penetrate their products, and they have no fix at hand. Read the rest
The House Committee on Oversight and Government Reform has asked dozens of agencies in the US government to disclose whether they used switches made by Juniper, the disgraced US network technology giant that had at least two backdoors inserted into the software for one of its most popular product-lines. Read the rest
In the month since network security giant Juniper Networks was forced to admit that its products had NSA-linked backdoors, the company's tried a lot of different strategies: minimizing assurances, apologies, firmware updates -- everything, that is, except for removing th Dual_EC random number generator that is widely understood to have been compromised by the NSA. Read the rest
It's been a month since Juniper admitted that its firewalls had back-doors in them, possibly inserted by (or to aid) US intelligence agencies. In the month since, Juniper has failed to comprehensively seal those doors, and more suspicious information has come to light. Read the rest
Under the UK's new Snoopers Charter (AKA the Investigatory Powers Bill), the Secretary of State will be able to order companies to introduce security vulnerabilities into their software ("backdoors") and then bind those companies over to perpetual secrecy on the matter, with punishments of up to a year in prison for speaking out, even in court. Read the rest
In a new episode of the BBC's Panorama, Edward Snowden describes the secret mobile phone malware developed by GCHQ and the NSA, which has the power to listen in through your phone's mic and follow you around, even when your phone is switched off. Read the rest
The British spy-agency targeted anti-virus software and other common applications in reverse-engineering projects aimed at discovering and weaponizing defects in the code. Read the rest
The FBI used to publish excellent advice about encrypting your devices to keep your data secure when your stuff is lost or stolen; this advice has been silently dropped now that FBI Director James Comey is trying to stop manufacturers from using crypto by default. Read the rest
Citizenlab's Ron Diebert lays out the terrible contradiction of putting spy agencies -- who rely on vulnerabilities in the networks used by their adversaries -- in change of cybersecurity, which is securing those same networks for their own citizens. Read the rest
Daniel Bernstein, the defendant in the landmark lawsuit that legalized cryptography (over howls of protest from the NSA) engages in a thought-experiment about how the NSA might be secretly undermining crypto through sabotage projects like BULLRUN/EDGEHILL.
crypto stays insecure [PDF/Daniel J Bernstein]
(via O'Reilly Radar) Read the rest
Andrew Lewman, head of operations for The Onion Router (TOR), an anonymity and privacy tool that is particularly loathed by the spy agencies' capos, credits Tor's anonymous bug-reporting system for giving spies a safe way to report bugs in Tor that would otherwise be weaponized to attack Tor's users. Read the rest
When Prime Minister David Cameron ordered two GCHQ spooks to go the the Guardian's offices and ritually exorcise two laptops that had held copies of the Snowden leaks, we assumed it was just spook-lunacy; but Privacy International thinks that if you look at which components the spies targeted for destruction, there are hints about ways that spies can control computer hardware. Read the rest
Writing in the Atlantic, Bruce Schneier explains the NSA's insane program of creating, discovering and hoarding vulnerabilities in computer systems in order to weaponize them. These vulnerabilities allow the NSA to attack its enemies (everyone), but let other states, hackers, and crooks attack Americans. The NSA claims it is "securing" cyberspace, but its dominant tactic requires that everyone be made less secure so that the NSA can attack them if they feel the need. Read the rest
One of the Snowden documents published by Glenn Greenwald with the release of his new book is a photo showing an actual NSA Tailored Access Operations team sabotaging a Cisco router before it is exported, a practice reported earlier this week in a story Greenwald wrote for the Guardian.
The great irony is that this kind of sabotage is exactly the sort of thing that the USA has repeatedly accuse Chinese authorities of doing to Huawei routers, something for which we have no evidence. Unlike the photographic evidence we have here of the NSA doing this to a Cisco router. Read the rest
"The same security holes that the NSA relied on to gain access to your (or Osama bin Laden's) email allowed gangsters to steal passwords and login credentials and credit card numbers. And ultimately these same baked-in security holes allowed Edward Snowden to rampage through their systems.
The moral of the story is clear: be cautious about poisoning the banquet you serve your guests, lest you end up accidentally ingesting it." Read the rest
For me, the most under-reported, under-appreciated element of the Snowden leaks is the BULLRUN/EDGEHILL program, through which the NSA and GCHQ spend $250,000,000/year sabotaging information security. In a great Wired story, Andy Greenberg analyzes former NSA chief Keith Alexander's defense of the stockpiling of vulnerabilities to attack "bad guys." There is no delusion more deadly than the idea that spies will make us more secure by weakening our computers' security to make it easier to spy on us. Read the rest