You can read the forensics report that suggests Prince Mohammad Bin Salman Al Saud hacked Jeff Bezos's phone

Motherboard has obtained and published a copy of the forensics report that suggests that Jeff Bezos's phone was hacked by Prince Mohammad Bin Salman Al Saud, possibly in a scheme to obtain kompromat that could be used as leverage to prevent the Washington Post from reporting on the death of Jamal Khashoggi, who was murdered and mutilated by agents of the prince.

Documentation Gathering, Sanitization, and Storage: an excerpt from "A Public Service"

[Yesterday, we published my review of Tim Schwartz's new guide for whistleblowers, A Public Service: Whistleblowing, Disclosure and Anonymity; today, I'm delighted to include this generous excerpt from Schwartz's book. Schwartz is an activist whom I've had the pleasure of working with and I'm delighted to help him get this book into the hands of the people who need to read it. -Cory]

Collection

As you collect documents and bring new information to light, be aware that you are in an escalating digital arms race. There will always be new ways that data forensics can identify you, or uncover information based on data that you inadvertently leave in your files, or data that is retained in logs noting who has accessed what files on what network. Recently it was discovered that noise from electrical grids can be used to quite accurately pinpoint when, and potentially where, an audio recording was made. The best way to win this war—or at least to avoid becoming collateral damage—is to work outside the standard methods and find partners who have experience.

A Public Service: a comprehensive, comprehensible guide to leaking documents to journalists and public service groups without getting caught

In A Public Service, activist/trainer Tim Schwartz presents the clearest-ever guide to securely blowing the whistle, explaining how to exfiltrate sensitive information from a corrupt employer -- ranging from governments to private firms -- and get it into the hands of a journalist or public interest group in a way that maximizes your chances of making a difference (and minimizes your chances of getting caught).

Happy 10th birthday, TAILS -- the real Paranoid Linux!

In my 2008 novel Little Brother, the underground resistance uses a secure operating system called "Paranoid Linux" that is designed to prevent surveillance and leave no evidence of its use; that was fiction, but there's a real Paranoid Linux out there: Tails, The Amnesic Incognito Live System, and it turns 10 today.

Amazon's Ring surveillance doorbell leaks its customers' home addresses, linked to their doorbell videos

Evan from Fight for the Future writes, "A new investigation from Gizmodo just revealed that anyone, anywhere can get geographic coordinates of Ring devices from Amazon’s Neighbors App. Not only can someone find out where users live, they can use footage to track bystanders, locate children, and monitor people going into buildings, like clinics, for private appointments. Amazon sells these devices under the guise of keeping us safe. They’re lying. Their surveillance devices and network put us all in danger. We need lawmakers to fully investigate the threats associated with Amazon’s dragnet and its impact on our privacy, security, and civil liberties. Fight for the Future has launched a campaign calling for Congress to investigate Amazon's surveillance practices. You can add your name here." (Image: Dan Calacci/MIT)

95% of America's largest voting districts' mailservers lack basic anti-phishing protection

DMARC is an anti-email-spoofing tool that mail-server administrators can enable; it's designed to reject emails with forged return addresses.

New York Times abruptly eliminates its "director of information security" position: "there is no need for a dedicated focus on newsroom and journalistic security"

Runa Sandvik (previously) is a legendary security researcher who spent many years as a lead on the Tor Project; in 2016, the New York Times hired her as "senior director of information security" where she was charged with protecting the information security of the Times's newsroom, sources and reporters. Yesterday, the Times fired her, eliminating her role altogether, because "there is no need for a dedicated focus on newsroom and journalistic security."

The Catalan independence movement is being coordinated by an app designed for revolutions

Tsunami Democràtic is a radical, decentralized wing of the resurgent Catalan independence movement, centered around an anonymously authored app designed to coordinate revolutionary uprisings.

Doordash's breach is different

One important detail from this week's admission from Doordash that they'd suffered (and remained silent about) a breach of 4.9 million records: Doordash, by its nature, includes the home addresses of people who otherwise avoid disclosing where they live.

Permanent Record: Edward Snowden and the making of a whistleblower

I will never forget the moment on June 9, 2013, when I watched a video of a skinny, serious, unshaven man named Edward Snowden introduce himself to the world as the source of a series of blockbuster revelations about US spy agencies' illegal surveillance of the global internet. Please, I thought, be safe. And Please, don't turn out to be an asshole.

Adversarial Fashion: clothes designed to confuse license-plate readers

Adversarial Fashions have a line of clothes (jackets, tees, hoodies, dresses, skirts, etc) designed to confound automated license-plate readers; one line is tiled with fake license plates that spell out the Fourth Amendment (!); the designers presented at Defcon this year. (via JWZ)

Hong Kong's #612strike uprising is alive to surveillance threats, but its countermeasures are woefully inadequate

The millions of Hong Kong people participating in the #612strike uprising are justifiably worried about state retaliation, given the violent crackdowns on earlier uprisings like the Umbrella Revolution and Occupy Central; they're also justifiably worried that they will be punished after the fact.

Research shows that 2FA and other basic measures are incredibly effective at preventing account hijacking

Google has published the results of a study of the efficacy of standard anti-account-hijacking techniques like two-factor authentication (2FA), secret questions, and passwords: the good news is that when these are used, they are incredibly effective at stopping both automated and targeted attacks, including "advanced" attacks of the sort that are often characterized as unstoppable.

Secret Service learns why you don't plug strange USB drives into computers

After collaring a woman who got past security at Mar-a-Lago (described by Chris Hayes as President Donald Trump's "bribery palace") the Secret Service found a USB drive in her possession. So they stuck it in a computer to see what was on it.

From the Miami Herald:

Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.

Experts say don't do that.

Jake Williams, founder of Rendition Infosec and former NSA hacker, criticized the agent’s actions “threatened his own computing system and possibly the rest of the Secret Service network.” ...

Williams said the best way to forensically examine a suspect USB drive is by plugging the device into an isolated Linux-based computer that doesn’t automatically mount the drive to the operating system.

“We would then create a forensic image of the USB and extract any malware for analysis in the lab,” he said. “While there is still a very small risk that the malware targets Linux, that’s not the normal case.”


What ephemeral messaging is good for

A few years ago, a friend of mine, Nico Sell (who runs the Defcon kids' programming track r00tz) asked me to join the advisory board for her startup, Wickr, which does "ephemeral messaging," a subject that is greatly in the news with Facebook's recent announcement of a new kind of "ephemeral messaging" option.

Teen Vogue counsels taping over your webcam to resist FBI (and other) surveillance

As EFF's Eva Galperin notes, Nicole Kobie's story about resisting surveillance by taping over your webcam "proves that once more, the best and most straightforward tech reporting is being done by Teen Vogue."

Unemployed 20-year-old who lives with his parents confesses to massive German political dox

When top German officials had their emails and social media hacked and dumped, people wondered whether the attack was some kind of well-financed act of political extremism, given that the targets were so high-profile (even Chancellor Angela Merkel wasn't spared) and that politicians from the neofascist Alternative for Germany were passed over by the hacker.
