Security expert offers hacking advice to students whose campuses have implemented pervasive wireless surveillance

After a late-December Washington Post story revealed a nationwide epidemic of colleges quietly installing pervasive wireless location-tracking systems on campus, which gathered data on students without meaningful consent, inside and outside of class, broken down by protected categories such as race and gender, as well as on potentially invasive lines such as whether a student is from abroad, security researcher Lace R Vick (previously) tweeted an offer to students to explain how they could "dismantle such a system." Read the rest

Terabytes of data leaked from an oligarch-friendly offshore bank

The Distributed Denial of Secrets Twitter account has published links to terabytes of data identified as raw data from the Cayman National Bank and Trust; Phineas Fisher (previously), the public-interest hacker(s) behind the Hacking Team breach, is credited with the leak. Read the rest

[UPDATED] Google image search for "best toilet paper" returns images of Pakistan flag

[UPDATE 2/18/2019, 3:37pm PT: Here's a statement from a Google spokesperson: “While we continue to investigate the matter, we have not found any evidence that Google Images was ranking the Pakistani flag in response to this particular search. Many news outlets wrote about an old screenshot from a meme website that is inconsistent with our UI and dates back to 2017, and we have not seen any independent verification that these results ever appeared as depicted. Since these news stories published, images from those articles are now ranking for this query, as the pages contain words relevant to the search.”]

[UPDATE 2/18/2019 I've learned that tt's likely the screenshot images are fakes, and are based on a 2017 meme. I'll post an update as I get more information.]

Unknown persons gamed Google's algorithm so that search results for "best toilet paper" returned photos of the Pakistan flag. Read the rest

Unemployed 20-year-old who lives with his parents confesses to massive German political dox

When top German officials had their emails and social media hacked and dumped, people wondered whether the attack was some kind of well-financed act of political extremism, given that the targets were so high-profile (even Chancellor Angela Merkel wasn't spared) and that politicians from the neofascist Alternative for Germany were passed over by the hacker. Read the rest

DDoSers sell attacks for $5 on Fivver

Many years ago, EFF co-founder John Gilmore and I were discussing the prevalence of botnets, which are commonly used to launch distributed denial of service (DDoS) attacks that overwhelm websites with floods of traffic; John said that if the botnets were really on the rise at the reported rate, we should expect to see a massive crash in the price of DDoS services, following simple supply/demand logic. Read the rest

Videos from the thirty-second Chaos Communications Congress

More overtly political than security events like Vegas's Defcon, more regular than New York's HOPE, CCC events in Hamburg are an annual gathering of the hacktivist tribes. Read the rest

Analysis of leaked logs from Syria's censoring national firewall

Syria's brutal Assad government uses censorware from California's Blue Coat System as part of its systematic suppression of dissent and to help it spy on dissidents; 600GB of 2011 logs from Syria's seven SG-9000 internet proxies were leaked by hacktivist group Telecomix and then analyzed by University College London's Emiliano De Cristofaro. Read the rest

Paolo Bacigalupi's "The Doubt Factory"

From one of science fiction's most versatile writers comes a caper novel about corporate sleaze and net-savvy guerrilla activists that is as thrilling as it is trenchant. Cory Doctorow reviews Paolo Bacigalupi's The Doubt Factory.

Hactivistas protest brutal Spanish copyright law with flood of complaints

Spain's brutal new copyright/censorship law, passed at the behest of the US Trade Rep, has gone into effect. Spanish hactivists working with a recording artist have flooded the service with copyright complaints, busying it out so that none of the major labels' complaints can be processed.

Threatened with being put on a United States trade blacklist, the Government passed the so-called ‘Sinde Law’ in a rush late last year. The law allows for the blocking of allegedly infringing sites based on reports from copyright holders, a position similar to that proposed by the US SOPA bill.

Today the Sinde law went into effect and immediately it was met with resistance from opponents. The group Hackivistas was quick to organize a rather unique form of protest. They encouraged sites to link to a copyrighted track from the artist Eme Navarro, who’s a member of the music rights group SGAE, but critical of the Sinde law.

While Navarro generally publishes his music under a Creative Commons license, he created an “all rights reserved” track specifically for the protest. Thanks to the hacktivist campaign hundreds of websites are now linking to this copyrighted song without permission, and Navarro reported a first batch of sites to the Ministry of Culture early this morning.

As a result, the commission tasked with reviewing all the requests will be overloaded with complaints. All the reported sites have to be processed on order of arrival, so the protest will significantly slow down this review process.

Artist and Hacktivists Sabotage Spanish Anti-Piracy Law Read the rest

Spain, South America arrest 25 in Anonymous crackdown, with Interpol assist

With help from the international police organization Interpol, Spain and three South American countries today arrested 25 people who are suspected of being Anonymous activist/hacktivist/hackers. They are accused of defacing government and corporate websites. Reuters:

Spanish police also accused one of four suspects picked up in the cities of Madrid and Malaga of releasing personal data about police officers and bodyguards protecting Spain's royal family and the prime minister.

Other arrests were in Argentina, Chile and Colombia, and 250 items of computer equipment and mobile phones were seized across 15 cities, Interpol said. Colombia's Ministry of Defence and presidential websites as well as Chile's Endesa electricity company were among the targets of the hackers, it said.

And not coincidentally, the Interpol website has been intermittently offline today.

Read the rest

MegaUpload raided, founder arrested; Anonymous launches mass DDoS against entertainment companies and US law enforcement

New Zealand police, responding from a request from the US government, raided MegaUpload today, arresting founder and CEO Kim ”Dotcom” Schmitz and three "associates." The service, which allowed users to upload files that were too big to email, claimed 150 million users. The entertainment industry alleged that the service was primarily intended to facilitate copyright infringement, since people could use it to illegally share music and movies, but the company claimed that while some users might infringe copyright with MegaUpload, others simply used it to share files that belonged to them. For example, I use a comparable service, YouSendIt, to exchange large MP3 files of my podcast with John Taylor Williams, the sound engineer who masters them. At other times, companies that wanted me to review their movies and music have uploaded them to a file locker and supplied me with the link and password to get them.

In response, a large denial-of-service attack ("OpMegaupload") has been launched against the US Department of Justice, the FBI, Universal Music and other entertainment and law-enforcement sites, by activists operating under the Anonymous banner.

MegaUpload has been waging an online campaign against Universal Music and US law enforcement and trade representatives, first releasing a video featuring famous artists singing an anthem in praise of MegaUpload, then suing Universal Music over false copyright claims that had the video removed from YouTube.

The Swedish Pirate Party strongly condemns raid against MegaUpload Read the rest

Denial of service, sit-ins and the politics of the cloud

Make Magazine's just reprinted my column, "Moral Suasion," in its online edition. It's a discussion of the politics of cloud computing, including denial-of-service attacks against cloud providers who cave to government pressure:

I grew up in the antiwar movement and participated in my first sit-in when I was 12. Sit-ins are a sort of denial of service, but that's not why they work. What they do is convey the message: "I am willing to put myself in harm's way for my beliefs. I am willing to risk arrest and jail. This matters." This may not be convincing for people who strongly disagree with you, but it makes an impression on people who haven't been paying attention. Discovering that your neighbors are willing to be harmed, arrested, imprisoned, or even killed for their beliefs is a striking thing.

And that's a crucial difference between a DDoS and a sit-in: participants in a sit-in expect to get arrested. Participants in a DDoS do everything they can to avoid getting caught. If you want to draw a metaphor, DDoSers are like the animal rights activists who fill a lab's locks with super glue. This is effective at shutting down your opponent for a good while, but it's a lot less likely to draw sympathy from the public, who can dismiss it as vandalism.

Moral Suasion

(Image: Sit-in "Giornata degli studenti", a Creative Commons Attribution Share-Alike (2.0) image from retestudentimassa's photostream) Read the rest

NATO fears Anonymous, Wikileaks as "threat to member-states' security"

James Nixon at "NATO leaders have been warned that Wikileaks-loving 'hacktivist' collective Anonymous could pose a threat to member states' security, following recent attacks on the US Chamber of Commerce and defence contractor HBGary - and promise to 'persecute' its members." Here's a draft report by General Rapporteur Lord Jopling which claims Anonymous "is becoming more and more sophisticated", and "could potentially hack into sensitive government, military, and corporate files".


Pentagon: Hacking can count as an act of war Pentagon has list of "cyber-weapons" for use in computer warfare ... Court forces Twitter to expose anonymous government critic - Boing ... Two veteran Anonymous members say group is responsible for Sony ... Anonymous dumps huge torrent of Chamber of Commerce docs Read the rest

PBS Hack and LulzSec: Xeni on The Madeleine Brand Radio Show


Audio: MP3 Download.

I joined "The Madeleine Brand Show" today for a discussion about the marathon hack of by a group calling itself LulzSec, or The Lulz Boat. They've published what they claim was the method used: in short, vulnerabilities in Movable Type, and related weaknesses.

As noted here on Boing Boing in previous posts, the hack was said to be in retaliation for the PBS Frontline "Wikisecrets" documentary, which was perceived by Wikileaks advocates (and whoever LulzSec is) to be unfair to the secrets-leaking organization and to accused leaker Bradley Manning.

Taking a news organization effectively offline to protest the content of its coverage is not exactly supporting free speech—but this was about lulz, not logic. And as I said on Twitter when news of the attack first broke: PBS doesn't operate like CNN or Fox News, with a centralized news production process. Attacking PBS like this because one episode of one show wasn't A+ is like firebombing an entire grocery store because one apple you bit was bad.

Of course, unlike a firebombing, PBS will recover just fine. While the hack was ongoing last night, the organization coped by publishing to Tumblr and interacting more directly on Twitter with viewers. But a bunch of poor IT admins at PBS HQ, and affiliate stations around the country whose logins and passwords were exposed, probably had a really crappy Memorial Day (and will have a lot of cleanup and stress in weeks ahead). Read the rest

Disgraced security firm asked Bank of America to fund anti-Wikileaks/anti-Glenn Greenwald campaign

Last week, hackers operating under the Anonymous banner broken into servers for HBGary, a security firm whose COO, Aaron Barr had declared his intention to reveal the identities of key people operating as Anonymous. The hackers released 50,000-some emails from HBGary, including a series of slides presented to Bank of America by HBGary and two other security firms, Palantir Technologies and Berico Technologies.

The slide presentation proposes a series of dirty tricks to neutralize Wikileaks and its supporters, including targetted attacks on Salon's Glenn Greenwald, as well as infrastructure attacks, disinformation campaigns, and sabotage. There's no indication that Bank of America signed off on this plan.

Data intelligence firms proposed a systematic attack against WikiLeaks

  Wikileaks: Anonymous stops dropping DDoS bombs, starts dropping ... Continuing pro-Wikileaks DDOS actions, Anonymous takes down PayPal ... Wikileaks supporters and Anonymous stage offline protests, too ... Report: Designer arrested over pro-Wikileaks Anonymous press ... Xeni on Madeleine Brand radio show: Wikileaks, Anonymous ... 2600 Magazine condemns DDoS attacks against Wikileaks censors ... Read the rest

Having DDOsed to the ground, Anonymous sets sights on VISA

Looks like Operation Payback is shifting targets from to VISA. (Previous BB article here, and a related radio piece with Xeni is here.)

Update, 1:02pm PT: The site is now unavailable. Goodness, that was fast. Post updated with a screengrab of the response I get when attempting to access Below, a video released when Operation Payback began back in October (only recently did the focal point become companies cutting off the lifeblood of funding or internet services to Wikileaks).

Read the rest

Silencing Wikileaks is silencing the press

(image: Reuters)

Operation Payback is a bitch. "Anonymous" is retaliating against Mastercard for denying payment processing services to WikiLeaks, and is currently down as a result.

The apparent US government efforts to cut Wikileaks' lifeblood—cashflow and web services—kicked into high gear this week. On Monday, Swiss bank PostFinance closed the defense fund account for WikiLeaks founder Julian Assange. PayPal shut down donation processing after receiving a State Department letter, and most recently, Visa and Mastercard have suspended Wikileaks' accounts. Did the credit card companies do so in response to the same pressures? And, further, in part because the cables show the US lobbied Russia on their behalf? A Guardian report today suggests so., which provided some hosting services to Wikileaks, and DNS service provider, have also cut off service to the secret-leaking website. Both companies cite technical reasons: the burden of too many anti-Wikileaks hacking attacks, in the case of EveryDNS, and a violation of TOS in Amazon's. But perhaps they, too, are reacting to explicit or implicit government pressure. Wikileaks' latest response is here.

"Operation: Payback" began months ago as a series of attacks targeting anti-piracy entities like the RIAA and MPAA. The shift in focus to defending Wikileaks isn't without a link: a portion of the "Cablegate" tranche reportedly amounts to proof the US pressured Sweden to "do something" about The Pirate Bay."

"Their servers have been shut down and they will remain so for as long as there is no true freedom of information and data," read an Anonymous open letter related to Operation Payback. Read the rest