
Militarized Schooling? “Newtown Was A Nuclear Bomb That Changed Everything”

Posted on August 28th, 2014 at 14:25 by John Sinteur in category: Do you feel safer yet?

[Quote]:

Returning students at Hillsborough County Public Schools in Tampa, Fla. found 20 new armed officers in the elementary schools in the first year of a plan costing about $1 million.

The school board also approved security training for employees, the hiring of a safety consultant and more measures to control school access, such as fencing and buzzers.

Meanwhile, all 16 schools in the Coeur d’Alene, Idaho, public school district have been enclosed in security fencing and each school limits visitors to a single entry point, officials said. This September, for the first time, two police officers will patrol elementary schools, at a cost of roughly $68,000 from the district’s state funding.

…officials continue to allow four anonymous employees to carry firearms on school property. Bulletproof glass and panic buttons have been installed, and officials held schoolwide assemblies for security training.

Because, clearly, the solution to “too many weapons in society” is “more weapons!”


Comments:

  1. In cold war terms, this was known as “Mutually Assured Destruction”, or more simply, just plain MAD… :rolleyes:

  2. Changed “everything”? Hardly – especially no change in any real control of access to weapons.

  3. I’d say it was incremental, not a massive change. Everyone thinks Hell is over a cliff but you can get there on a broad, easy road, according to the old preachers…

Entirety Of Man’s Personal Data Protected By Reference To Third Season Of ‘The West Wing’

Posted on August 26th, 2014 at 17:21 by John Sinteur in category: Privacy, Security

[Quote]:

Online sources confirmed Wednesday that every piece of 34-year-old Mark O’Connell’s personal data is currently protected by a reference to the third season of long-running NBC political drama The West Wing. Reports indicate that the reference, derived from the name of a guest character in an early-season episode of the Aaron Sorkin drama that went off the air in 2006, is, at present, all that stands in the way of strangers gaining total access to intimate details of the automotive insurance agent’s personal, professional, and financial life. In particular, sources noted that the security of everything from O’Connell’s banking and credit card accounts, to proprietary documents from his work, to his social media profiles, to all of his email correspondence, rests solely on the wry nod to a scene during the Emmy-nominated episode “On The Day Before,” in which the White House staff hosts a dinner for several Nobel laureates while President Bartlet works to veto an estate tax bill. Those close to the situation, however, noted that some of O’Connell’s most sensitive information is safeguarded by a secondary layer of protection in the form of a security question about his favorite character from Sports Night.


Comments:

  1. I know that episode. Wonder if I could get all of his goodies.

BGP Hijacking for fun and profit!

Posted on August 14th, 2014 at 20:40 by John Sinteur in category: Security

[Quote]:

You got you this big-ass computer that was designed by big-brained dweebs to make money out of, I shit you not, thin-fucking-air.

Now, this ain’t folding money, this is the kind of money bankers and shit put down in ledgers, only there ain’t no more ledgers, that shit’s all computers on the internet now. So instead of hiring Sean and Vinnie to take a paper bag of the folding stuff to the bosses, it’s got to go over the internet, one computer to another.

Now, computers generally don’t talk to each other direct – they hand off like runners and bag-men. So, the big-ass computer pulls money almost literally out of its ass, and then hands it off to a bag-man, who stuffs it in a bag and puts the Boss’ name and organization on it. He hands it off to a runner, who runs up to the corner, and goes, “Hey, any of you guys know this dude?”

Bad-ass at the corner goes, “Nah, man, but I heard of the dude and his crew. Hard core motherfuckers. Head on over five blocks east, and ask there.”

This works, up until the runner comes across someone who got duped. He heard from someone important that the Boss works out of “The Cafe” out on the docks, but someone who seemed legit, but was a fucking weasel, just now told him that The Boss at the Organization was now running out of some garage just outside town.

“Who you running for, kid?”

“Big-Ass Computer’s bag-man, by way of the dude at that corner! This is for The Boss, at The Organization!”

“Hey, hey, you’re in luck! I know where that’s going! Just heard about it! Hand it over, guy, and you’re done for the night! My runner will take it from here! Good job!”

So, the next day, the Boss rolls on up to an abandoned garage, all the money the computer pulled out of its ass is gone. The weasel got snuffed, but even he didn’t know where the money was headed.

These modern times, I tell ya.


Why surveillance companies hate the iPhone

Posted on August 12th, 2014 at 10:59 by John Sinteur in category: Privacy, Security

[Quote]:

The secrets of one of the world’s most prominent surveillance companies, Gamma Group, spilled onto the Internet last week, courtesy of an anonymous leaker who appears to have gained access to sensitive corporate documents. And while they provide illuminating details about the capabilities of Gamma’s many spy tools, perhaps the most surprising revelation is about something the company is unable to do: It can’t hack into your typical iPhone.

Android phones, some Blackberries and phones running older Microsoft operating systems all are vulnerable to Gamma’s spyware, called FinSpy, which can turn your smart phone into a potent surveillance device. Users of the spyware are capable of listening to calls on targeted devices, stealing contacts, activating the microphone, tracking your location and more. But for FinSpy to hack into an iPhone, its owner must have already stripped away much of its built-in security through a process called “jailbreaking.” No jailbreak, no FinSpy on your iPhone, at least according to a leaked Gamma document dated April 2014.


Oracle Database 12c’s data redaction security smashed live on stage

Posted on August 9th, 2014 at 7:46 by John Sinteur in category: Security

[Quote]:

Oracle’s much-ballyhooed data redaction feature in Database 12c is easy to subvert without needing to use exploit code, attendees at Defcon 22 in Las Vegas have heard.

The redaction features in 12c are designed to automatically protect sensitive database material by either totally obscuring column data or partially masking it – for example, recalling just the last four digits of a US social security number when a search query is run.

But according to David Litchfield, security specialist at Datacomm TSS and the author of The Oracle Hacker’s Handbook, the mechanism is so riddled with basic flaws that you don’t even need to execute native exploit code to defeat the redaction – some clever SQL is all that’s needed, we’re told.

“If Oracle has a decent security development lifecycle in place anyone would have found these flaws and stopped them in tracks,” Litchfield said.

“Anyone with a modicum of SQL would have found these bugs.”

Litchfield said that within five minutes of investigating the redactions system, he found serious flaws in the coding. He’s previously documented his findings here [PDF].


The Social Laboratory

Posted on August 8th, 2014 at 8:06 by John Sinteur in category: Privacy, Security

[Quote]:

When Peter Ho, the senior defense official, met with John Poindexter back in 2002 about the Total Information Awareness program, Poindexter suggested that Singapore would face a much easier time installing a big-data analysis system than he had in the United States, because Singapore’s privacy laws were so much more permissive. But Ho replied that the law wasn’t the only consideration. The public’s acceptance of government programs and policies was not absolute, particularly when it came to those that impinged on people’s rights and privileges.

It sounds like an accurate forecast. In this tiny laboratory of big-data mining, the experiment is yielding an unexpected result: The more time Singaporeans spend online, the more they read, the more they share their thoughts with each other and their government, the more they’ve come to realize that Singapore’s light-touch repression is not entirely normal among developed, democratic countries — and that their government is not infallible. To the extent that Singapore is a model for other countries to follow, it may tell them more about the limits of big data and that not every problem can be predicted.


Comments:

  1. Interesting. Not much mention that they are yet trying to manipulate public opinion.

    Another thought: The idea that perpetual growth in an economy is necessary and desirable seems to be unquestioningly accepted, by everyone. At some point humans will have to manage population growth so that a fertility rate of 1.2 is good.

Former NSA Director Patenting Computer Security Techniques

Posted on August 4th, 2014 at 20:37 by John Sinteur in category: Intellectual Property, Security

[Quote]:

Former NSA Director Keith Alexander is patenting a variety of techniques to protect computer networks. We’re supposed to believe that he developed these on his own time and they have nothing to do with the work he did at the NSA, except for the parts where they obviously did and therefore are worth $1 million per month for companies to license.

No, nothing fishy here.


Comments:

  1. No backdoors, do you promise?

  2. I’m sure if he uses a backdoor he will have the common decency to give a reach-around…

Construction of New CYBER/ISR Facility

Posted on July 18th, 2014 at 19:44 by John Sinteur in category: Do you feel safer yet?

[Quote]:

The 175th Wing, Maryland Air National Guard, located at Warfield Air National Guard Base, Baltimore, Maryland, intends to issue a Request for Proposal (RFP) to award a single firm fixed-price contract for Construction of a CYBER/ISR Facility. Project to be LEEDR Silver Certified. Construction services will consist of the construction of a new CYBER/ISR Facility. The purpose of this facility is to house a Network Warfare Group and ISR Squadron. The Cyber mission includes a set of capabilities, expertise to enable the cyber operational need for an always-on, net-speed awareness and integrated operational response with global reach. It enables operators to drive upstream in pursuit of cyber adversaries, and is informed 24/7 by intelligence and all-source information

[Quote]:

Let’s get real, how many guardsmen speak Farsi, Chinese, Russian, Swahili or Hindi?

Virtually none.

How many know anything about NZ, Australia, GB or Canada worth knowing in a cyber context?

Virtually none.

So who does that leave for adversaries?

Right. You and me.


Make sure you update the firmware on all your lightbulbs!

Posted on July 14th, 2014 at 14:31 by John Sinteur in category: Security

[Quote]:

In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.

[..]

According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.


Google Glass Snoopers Can Steal Your Passcode With a Glance

Posted on July 14th, 2014 at 14:00 by John Sinteur in category: Security

[Quote]:

The odds are you can’t make out the PIN of that guy with the sun glaring obliquely off his iPad’s screen across the coffee shop. But if he’s wearing Google Glass or a smartwatch, he probably can see yours.

Researchers at the University of Massachusetts Lowell found they could use video from wearables like Google Glass and the Samsung smartwatch to surreptitiously pick up four-digit PIN codes typed onto an iPad from almost 10 feet away—and from nearly 150 feet with a high-def camcorder. Their software, which used a custom-coded video recognition algorithm that tracks the shadows from finger taps, could spot the codes even when the video didn’t capture any images on the target devices’ displays.

“I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” says Xinwen Fu, a computer science professor at UMass Lowell who plans to present the findings with his students at the Black Hat security conference in August. “If someone can take a video of you typing on the screen, you lose everything.”


X509

Posted on July 14th, 2014 at 13:37 by John Sinteur in category: Do you feel safer yet?, Google

[Quote]:

Shortly after the initial news came out that the NSA fakes Google and Yahoo servers with stolen or faked certificates:

https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html

the German computer magazine c’t issued a warning that it is a security risk when Microsoft automatically updates its list of certificates without users noticing, so that dubious certificates could easily get into the Windows certificate list, which is trusted by web browsers like Internet Explorer or Google Chrome for Windows:

http://www.heise.de/ct/artikel/Microsofts-Hintertuer-1921730.html

After reading this, I filed a bug in Chromium, which was then dismissed as a “won’t fix”, with the Chromium developers saying that the certificate list is “signed by Microsoft” and there would not be any break in the “chain of trust”.

And now I see this message from Google:

http://www.heise.de/security/meldung/Indien-stellte-falsche-Google-Zertifikate-aus-2252544.html

http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html

“On Wednesday, July 2, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.

We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.

Update Jul 9: India CCA informed us of the results of their investigation on July 8. They reported that NIC’s issuance process was compromised and that only four certificates were misissued; the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.”

Now Microsoft has removed the certificates in question and it turns out that the issue affected 45 domains:

http://www.heise.de/security/meldung/Microsoft-entzieht-Indischer-CA-das-Vertrauen-2255992.html

https://technet.microsoft.com/en-us/library/security/2982792


In view of that list of 45 affected domains, the advice from Google looks especially funny:

“Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.”

The Microsoft certificate list is used in the Chrome browser. Faking a Google server is difficult, since Chrome checks its certificate by different means, and that was how the attack was revealed. But Chrome does not have a similar check for Yahoo. If that attack did not work after all, the hackers would not have used it.

But still, Google explicitly does not suggest that anyone should change passwords…
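The pinning behaviour described above, as an added example in Go that is not part of the original post: a legitimate root and a rogue root (throwaway keys, constructed names) both sit in the trusted store, only the legitimate root is pinned for google.com, and a client runs ordinary chain validation followed by an SPKI pin check. A misissued google.com certificate fails the pin even though its issuer is trusted, while a misissued yahoo.com certificate, with nothing pinning it, is accepted on the strength of the root store alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with its signing key (throwaway demo keys only).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template is a one-day cert template: a root when isCA, otherwise a server cert for name.
func template(name string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// issue makes a fresh P-256 key and has parent sign tmpl for it (nil parent: self-signed).
func issue(tmpl *x509.Certificate, parent *ca) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // key generation failure is fatal for the demo
	}
	if parent == nil {
		parent = &ca{cert: tmpl, key: key} // self-sign with the new key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// spkiPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Accept runs chain validation against roots and, for a pinned host, also demands a pin match in the chain.
func Accept(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // no path to any trusted root
	}
	want, pinned := pins[host]
	if !pinned {
		return nil // unpinned host: any trusted root is good enough
	}
	for _, chain := range chains {
		for _, c := range chain {
			if want[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("%s: chain reaches a trusted root but matches no pin", host)
}

// Scenario trusts a legitimate and a rogue root in one store and reports which leaves a client pinning only google.com accepts.
func Scenario() map[string]bool {
	good := issue(template("legit-root.test", true), nil)
	rogue := issue(template("rogue-root.test", true), nil)
	roots := x509.NewCertPool()
	roots.AddCert(good.cert)
	roots.AddCert(rogue.cert)
	pins := map[string]map[string]bool{"google.com": {spkiPin(good.cert): true}}
	out := map[string]bool{}
	for _, c := range []struct {
		label, host string
		by          *ca
	}{{"legit google.com", "google.com", good}, {"rogue google.com", "google.com", rogue}, {"rogue yahoo.com", "yahoo.com", rogue}} {
		leaf := issue(template(c.host, false), c.by)
		out[c.label] = Accept(leaf.cert, roots, c.host, pins) == nil
	}
	return out
}

func main() {
	for label, ok := range Scenario() {
		fmt.Printf("%-18s accepted=%v\n", label, ok)
	}
}
```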


The ultimate goal of the NSA is total population control

Posted on July 11th, 2014 at 17:03 by John Sinteur in category: Do you feel safer yet?, Privacy, Security

[Quote]:

William Binney is one of the highest-level whistleblowers to ever emerge from the NSA. He was a leading code-breaker against the Soviet Union during the Cold War but resigned soon after September 11, disgusted by Washington’s move towards mass surveillance.

On 5 July he spoke at a conference in London organised by the Centre for Investigative Journalism and revealed the extent of the surveillance programs unleashed by the Bush and Obama administrations.

“At least 80% of fibre-optic cables globally go via the US”, Binney said. “This is no accident and allows the US to view all communication coming in. At least 80% of all audio calls, not just metadata, are recorded and stored in the US. The NSA lies about what it stores.”


Comments:

  1. Population control? That would be a good thing, imo.

Meet the Muslim-American Leaders the FBI and NSA Have Been Spying On

Posted on July 9th, 2014 at 21:04 by John Sinteur in category: Do you feel safer yet?, Security

[Quote]:

The National Security Agency and FBI have covertly monitored the emails of prominent Muslim-Americans—including a political candidate and several civil rights activists, academics, and lawyers—under secretive procedures intended to target terrorists and foreign spies.

According to documents provided by NSA whistleblower Edward Snowden, the list of Americans monitored by their own government includes:

• Faisal Gill, a longtime Republican Party operative and one-time candidate for public office who held a top-secret security clearance and served in the Department of Homeland Security under President George W. Bush;

• Asim Ghafoor, a prominent attorney who has represented clients in terrorism-related cases;

• Hooshang Amirahmadi, an Iranian-American professor of international relations at Rutgers University;

• Agha Saeed, a former political science professor at California State University who champions Muslim civil liberties and Palestinian rights;

• Nihad Awad, the executive director of the Council on American-Islamic Relations (CAIR), the largest Muslim civil rights organization in the country.

The official NSA reply is predictable:

[I did not have sex with that woman]:

No U.S. person can be the subject of surveillance based solely on First Amendment activities, such as staging public rallies, organizing campaigns, writing critical essays, or expressing personal beliefs.

On the other hand, a person who the court finds is an agent of a foreign power under this rigorous standard is not exempted just because of his or her occupation.

The United States is as committed to protecting privacy rights and individual freedom as we are to defending our national security.


Jamming XKeyScore

Posted on July 6th, 2014 at 14:08 by John Sinteur in category: Privacy, Security

[Quote]:

Back in the day there was talk about “jamming echelon” by adding keywords to email that the echelon system was supposedly looking for. We can do the same thing for XKeyScore: jam the system with more information than it can handle.


Comments:

  1. And given what we learned recently, if you even read that article, you’ll be added to the list of people to be monitored.

  2. Got added to their monitoring list, I don’t give a sh…. on it.

Branded an Extremist by the NSA

Posted on July 3rd, 2014 at 13:53 by John Sinteur in category: Privacy, Security

[Quote]:

Ironically, according to the special rules that NDR and WDR have obtained, it is precisely people who want anonymization who become targets of the NSA. In the eyes of the intelligence agency: extremists. That is not rhetoric, not journalistic exaggeration. The term even appears in the comment column of the source code, noted by NSA programmers.

Extremists? The opposite is the case, as the research shows. The German victims are by no means to be found on the political fringe. They are extreme in only one respect: they are concerned about the security of their data. And that is exactly what makes them suspicious in the eyes of the US intelligence agency.

[..]

Darko Medic, 18, short brown hair, sits in front of his laptop. He types “Tails” and “USB” into the search box of his search engine. What Darko does not know: he has just landed in an NSA database as well. Marked as one of the extremists the spies search for so diligently.

Because the rules in the source code reveal something else: the NSA monitors search queries worldwide on a large scale, including in Germany. A simple search for encryption software such as “Tails” is enough to fall into the NSA’s dragnet. Combining the query with search engines makes one suspicious. His search for “Tails” opens a door, an entry point to Darko and his world. Once in the database, every query Darko makes can be retrieved specifically. Darko is under observation.


Privacy board backs NSA’s foreign spying

Posted on July 2nd, 2014 at 7:49 by John Sinteur in category: Privacy, Security

[Quote]:

A federal privacy watchdog is largely putting its support behind a major pillar of the National Security Agency’s foreign snooping.

A draft version of a new Privacy and Civil Liberties Oversight Board (PCLOB) report released late Tuesday said that NSA programs targeting foreigners are effective, legal and show “no trace” of “illegitimate activity,” though some changes should be made to better protect Americans’ privacy.

The conclusion stands in stark contrast to a previous blistering report from the PCLOB, which ruled the NSA’s bulk collection of Americans’ phone records illegal earlier this year.

Makes you wonder what kind of dirt the NSA has on the board members…


Comments:

  1. Ever since Obama reversed his opposition to FISA as Senator, and his behavior as POTUS, I have been wondering what the NSA has on him?

  2. Surely it’s simpler to assume evil than conspiracy :-)

  3. Even a “vast right-wing” one…

NSA Said to Have Tapped Merkel’s New Phone Too

Posted on June 30th, 2014 at 9:51 by John Sinteur in category: Privacy, Security

[Quote]:

When it comes to spying, the NSA appears once again to be one step ahead: according to media reports, the American intelligence agency is also listening in on the Chancellor’s new crypto phone.

After the NSA eavesdropping attack on the German federal government became known, new encrypted smartphones of the BlackBerry 10 type were supposed to protect the conversations of the Chancellor and her cabinet from unauthorized listening. But the American intelligence agency has already decrypted the new crypto phones as well, reports the “Bild am Sonntag”. A high-ranking employee of the US intelligence agency in Germany is said to have confirmed this. “The technical changes do not impair our work,” the eavesdropping specialist told Bild.

The million-dollar question now is how the NSA got access to the new BlackBerry + Secusmart…

And to go beyond the million-dollar prize… I find it hard to believe the German government is stupid enough to buy an enhanced version of an insecure and subverted platform. If I were Merkel, I would wonder who gave me this advice. Why not follow the same path as the French did: have a local defense contractor do a limited-edition modification of the German cryptophone?

And for us peons, it’s safe to assume our smartphone usage is unsecurable and act accordingly.


Poorly anonymized logs reveal NYC cab drivers’ detailed whereabouts

Posted on June 27th, 2014 at 0:03 by John Sinteur in category: Privacy, Security

[Quote]:

In the latest gaffe to demonstrate the privacy perils of anonymized data, New York City officials have inadvertently revealed the detailed comings and goings of individual taxi drivers over more than 173 million trips.

City officials released the data in response to a public records request and specifically obscured the drivers’ hack license numbers and medallion numbers. Rather than including those numbers in plaintext, the 20 gigabyte file contained one-way cryptographic hashes using the MD5 algorithm. Instead of a record showing medallion number 9Y99 or hack number 5296319, for example, those numbers were converted to 71b9c3f3ee5efb81ca05e9b90c91c88f and 98c2b1aeb8d40ff826c6f1580a600853, respectively. Because they’re one-way hashes, they can’t be mathematically converted back into their original values. Presumably, officials used the hashes to preserve the privacy of individual drivers since the records provide a detailed view of their locations and work performance over an extended period of time.

It turns out there’s a significant flaw in the approach. Because both the medallion and hack numbers are structured in predictable patterns, it was trivial to run all possible iterations through the same MD5 algorithm and then compare the output to the data contained in the 20GB file. Software developer Vijay Pandurangan did just that, and in less than two hours he had completely de-anonymized all 173 million entries.
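An added example in Go, not from the article or from Pandurangan’s work, of why the hashing above failed and what would have held up: it enumerates one assumed medallion pattern (digit, letter, two digits, matching the quoted “9Y99”), builds the MD5 lookup table, looks up the hash the article quotes, and then shows that a keyed pseudonym (HMAC-SHA256 under a secret the data owner keeps) cannot be inverted the same way. The pattern and the keys are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Candidates enumerates the demo medallion pattern digit-letter-two-digits (e.g. "9Y99"):
// 10 * 26 * 100 = 26,000 strings. Real NYC formats are broader but just as finite, and
// seven-digit hack licence numbers are an even smaller job.
func Candidates() []string {
	out := make([]string, 0, 26000)
	for d := 0; d < 10; d++ {
		for l := 'A'; l <= 'Z'; l++ {
			for n := 0; n < 100; n++ {
				out = append(out, fmt.Sprintf("%d%c%02d", d, l, n))
			}
		}
	}
	return out
}

// MD5Hex is the pseudonym scheme the released data used: unsalted MD5 of the identifier.
func MD5Hex(id string) string {
	sum := md5.Sum([]byte(id))
	return hex.EncodeToString(sum[:])
}

// KeyedPseudonym is the corrected scheme: HMAC-SHA256 under a secret key that stays with
// the data owner. It is still deterministic, so trips by one driver remain linkable, but
// nobody without the key can rebuild the lookup table.
func KeyedPseudonym(key []byte, id string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	return hex.EncodeToString(m.Sum(nil))
}

// Table maps every candidate's pseudonym back to the candidate, for a given scheme.
func Table(ids []string, pseudonym func(string) string) map[string]string {
	t := make(map[string]string, len(ids))
	for _, id := range ids {
		t[pseudonym(id)] = id
	}
	return t
}

// Recover inverts a released pseudonym via the table; ok is false when it is not covered.
func Recover(table map[string]string, pseudonym string) (id string, ok bool) {
	id, ok = table[pseudonym]
	return
}

// pageHash is the MD5 value the article quotes for medallion 9Y99.
const pageHash = "71b9c3f3ee5efb81ca05e9b90c91c88f"

func main() {
	ids := Candidates()

	md5Table := Table(ids, MD5Hex)
	id, ok := Recover(md5Table, pageHash)
	fmt.Printf("unsalted MD5 %s -> %q (found=%v)\n", pageHash, id, ok)

	// Someone rebuilds the table under a guessed key; the owner used a different one
	// (both keys constructed for the demo), so the released value is not in the table.
	ownerKey := []byte("owner-secret-key-constructed-for-demo")
	guessTable := Table(ids, func(s string) string { return KeyedPseudonym([]byte("guess"), s) })
	released := KeyedPseudonym(ownerKey, "9Y99")
	id, ok = Recover(guessTable, released)
	fmt.Printf("keyed pseudonym %s... -> %q (found=%v)\n", released[:12], id, ok)
}
```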


US to extend privacy protection rights to EU citizens

Posted on June 26th, 2014 at 7:59 by John Sinteur in category: Privacy, Security

[Quote]:

The Obama administration has caved in to pressure from the European Union in the wake of Edward Snowden’s revelations on surveillance by promising to pass legislation granting European citizens many of the privacy protection rights enjoyed by US citizens.

The proposed law would apply to data on European citizens being transferred to the US for what Washington says is law enforcement purposes.

So they are going to lie to us in the exact same way they lie to their own citizens. Not much of an improvement.

Holder said: “The Obama administration is committed to seeking legislation that would ensure that … EU citizens would have the same right to seek judicial redress for intentional or wilful disclosures of protected information and for refusal to grant access or to rectify any errors in that information, as would a US citizen under the Privacy Act.

So, in practice, none at all.


Comments:

  1. On this matter the Obama administration is totally untrustworthy. The software companies are aware that this is damaging to them – at least they say so publicly.
    This is one good reason to avoid the products of major American software giants, the knowledge that personal communications on mobile phones or on Facebook and other social media sites are routinely monitored by GCHQ, NSA and presumably others – they can’t be alone surely – is profoundly disquieting.

    On the plus side this business is a great money spinner for the encryption industry.

  2. The real problem here is the unending surveillance is a huge waste of money, my tax money.

  3. @chas: Absolutely! However, I don’t see that any of today’s political leaders could bring themselves to slacken off the surveillance. There is no major political cost to keeping the police state but it could be difficult for the person that decides to cancel the program if there was another major atrocity (which will happen eventually, anyway).

    There are a lot of jobs in the police state too. Think of it as a government make-work program. Instead of shovels, they get to wear flak jackets and carry guns.

New leaks show Germany’s collusion with NSA

Posted on June 22nd, 2014 at 15:24 by John Sinteur in category: Privacy, Security

[Quote]:

This week German news magazine Der Spiegel published the largest single set of files leaked by whistleblower and former US National Security Agency contractor Edward Snowden. The roughly 50 documents show the depth of the German intelligence agencies’ collusion with the NSA.

They suggest that the German Intelligence Agency (BND), the country’s foreign spy agency, and the Office for the Protection of the Constitution (BfV), the German domestic spy agency, worked more closely with the NSA than they have admitted – and more than many observers thought.

[..]

Among its “success stories,” the documents praise how the German government was able to weaken the public’s protection from surveillance. “The German government has changed its interpretation of the G10 law, which protects German citizens’ communications, to allow the BND to be more flexible with the sharing of protected information with foreign partners.” Germany’s G10 law regulates in what circumstances its intelligence agencies are allowed to break Article 10 of the German constitution, which guarantees the privacy of letters and telecommunications.


Comments:

  1. They have a law guaranteeing privacy? Why don’t we (USA) have a law like that?

  2. In light of those documents, chas, what’s the difference between US privacy and German “guaranteed” privacy?

  3. The problem is not that there are no laws against this kind of thing, but that the Authorities think that flouting such laws is A-OK and that subjecting us all to arbitrary measures is fine.

  4. Building on what Sue said, the big problem is that True Believers will always believe that their goal justifies breaking the rules, or that the current situation is an exception that the rule makers couldn’t have predicted, so clearly the rules shouldn’t apply.

    A (pardon the pun) canonical example is Lying for Jesus, http://rationalwiki.org/wiki/Lying_for_Jesus

    The background philosophical issue is whether rules are specific (imperfect) expressions of underlying ideals, and more importantly, if some of those ideals are more important than others. Clearly there are some Authorities who believe that Freedom requires Security, so those who threaten Security forfeit their Freedom.

    So the big question is: does lack of Privacy undermine our Freedom, or does the presence of Privacy undermine our Security?

Emails Show Feds Asking Florida Cops to Deceive Judges

Posted on June 21st, 2014 at 11:34 by John Sinteur in category: Do you feel safer yet?, Privacy, Security

[Quote]:

Police in Florida have, at the request of the U.S. Marshals Service, been deliberately deceiving judges and defendants about their use of a controversial surveillance tool to track suspects, according to newly obtained emails.

At the request of the Marshals Service, the officers using so-called stingrays have been routinely telling judges, in applications for warrants, that they obtained knowledge of a suspect’s location from a “confidential source” rather than disclosing that the information was gleaned using a stingray.

A series of five emails (.pdf) written in April, 2009, were obtained today by the American Civil Liberties Union showing police officials discussing the deception. The organization has filed Freedom of Information Act requests with police departments throughout Florida seeking information about their use of stingrays.

“Concealing the use of stingrays deprives defendants of their right to challenge unconstitutional surveillance and keeps the public in the dark about invasive monitoring by local police,” the ACLU writes in a blog post about the emails. “And local and federal law enforcement should certainly not be colluding to hide basic and accurate information about their practices from the public and the courts.”

The U.S. Marshals Service did not respond to a call for comment.


Mike Rogers Says Google Is Unpatriotic For Not Wanting NSA To Spy On Its Users

Posted on June 14th, 2014 at 12:07 by John Sinteur in category: Privacy, Security

[Quote]:

This past Wednesday, the CIA held its first ever Conference on National Security at Georgetown University. It included plenty of the usual talking heads spouting nonsense, but I wanted to focus in on one particular talking head spouting particularly ridiculous nonsense. It’s our old friend, Rep. Mike Rogers, who is retiring from Congress to try to become an even bigger blowhard on talk radio (as if that’s possible). Apparently, Rogers is using this conference to practice the classical blowhard strategy of making a variety of absolutely ridiculous claims that directly contradict each other.


Code-cracking teens hack into Grant Avenue ATM

Posted on June 10th, 2014 at 8:47 by John Sinteur in category: Security

[Quote]:

Matthew Hewlett and Caleb Turon, both Grade 9 students, found an old ATM operators manual online that showed how to get into the machine’s operator mode. On Wednesday over their lunch hour, they went to the BMO’s ATM at the Safeway on Grant Avenue to see if they could get into the system.

“We thought it would be fun to try it, but we were not expecting it to work,” Hewlett said. “When it did, it asked for a password.”

Hewlett and Turon were even more shocked when their first random guess at the six-digit password worked. They used a common default password. The boys then immediately went to the BMO Charleswood Centre branch on Grant Avenue to notify them.

When they told staff about a security problem with an ATM, they assumed one of their PIN numbers had been stolen, Hewlett said.

“I said: ‘No, no, no. We hacked your ATM. We got into the operator mode,’” Hewlett said.

“He said that wasn’t really possible and we don’t have any proof that we did it.

“I asked them: ‘Is it all right for us to get proof?’

“He said: ‘Yeah, sure, but you’ll never be able to get anything out of it.’

“So we both went back to the ATM and I got into the operator mode again. Then I started printing off documentation like how much money is currently in the machine, how many withdrawals have happened that day, how much it’s made off surcharges.

“Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.”

As further proof, Hewlett playfully changed the ATM’s greeting from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”

They returned to BMO with six printed documents. This time, staff took them seriously.

Comments:

  1. Smart kids! And (assuming the story can be taken as written) kudos to the bank for not having the kids tased, handcuffed, and thrown in a cell. Oh wait, this was in Canada… that explains a bit.

Judge Orders NSA To Stop Destroying Evidence For Third Time

Posted on June 7th, 2014 at 19:24 by John Sinteur in category: Privacy, Security

[Quote]:

A federal judge has ordered the government to stop destroying National Security Agency surveillance records that could be used to challenge the legality of its spying programs in court.

U.S. District Court Judge Jeffrey White’s ruling came at the request of the Electronic Frontier Foundation, which is in the midst of a case challenging NSA’s ability to surveil foreign citizens’ U.S.-based email and social media accounts.

According to the EFF, the signals intelligence agency and the Department of Justice were knowingly destroying key evidence in the case by purposefully misinterpreting earlier preservation orders by multiple courts, multiple times.


U.S. Marshals Seize Cops’ Spying Records to Keep Them From the ACLU

Posted on June 4th, 2014 at 15:08 by John Sinteur in category: Privacy, Security

[Quote]:

A routine request in Florida for public records regarding the use of a surveillance tool known as stingray took an extraordinary turn recently when federal authorities seized the documents before police could release them.

The surprise move by the U.S. Marshals Service stunned the American Civil Liberties Union, which earlier this year filed the public records request with the Sarasota, Florida, police department for information detailing its use of the controversial surveillance tool.

The ACLU had an appointment last Tuesday to review documents pertaining to a case investigated by a Sarasota police detective. But marshals swooped in at the last minute to grab the records, claiming they belong to the U.S. Marshals Service and barring the police from releasing them.

ACLU staff attorney Nathan Freed Wessler called the move “truly extraordinary and beyond the worst transparency violations” the group has seen regarding documents detailing police use of the technology.

“This is consistent with what we’ve seen around the country with federal agencies trying to meddle with public requests for stingray information,” Wessler said, noting that federal authorities have in other cases invoked the Homeland Security Act to prevent the release of such records. “The feds are working very hard to block any release of this information to the public.”

Stingrays, also known as IMSI catchers, simulate a cellphone tower and trick nearby mobile devices into connecting with them, thereby revealing their location. A stingray can see and record a device’s unique ID number and traffic data, as well as information that points to its location. By moving a stingray around, authorities can triangulate a device’s location with greater precision than is possible using data obtained from a carrier’s fixed tower location.


Melanie Rieback on Radically Open Security

Posted on June 4th, 2014 at 9:08 by John Sinteur in category: Security

If you wonder why I am posting this, check the team page on http://radical.sexy.


Comments:

  1. Good site (even if the colors on some pages are a bit off-putting for someone with my bad eyes), and Melanie is definitely the “Uber-Geek Girl”! :-) Looks like a great team, and I wish you all the best to come.

    -Spiff

    P.S. I’m also married to an “Uber-Geek Girl” – my wife has a PhD in particle physics.

FBI chief says anti-marijuana policy hinders the hiring of cyber experts

Posted on May 21st, 2014 at 17:07 by Paul Jay in category: batshitinsane, Do you feel safer yet?

[Quote]:

James Comey, the FBI director, says the bureau’s no-tolerance marijuana policy is hindering the hiring of cyber-security experts. Comey added that he is “grappling” with possibly changing the practice.

The director’s comments come one day after five members of the Chinese military were indicted in the US on allegations of hacking into major US corporations and stealing trade secrets.

“I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview,” Comey told a New York City Bar Association meeting Tuesday.

The bureau, which is seeking to employ as many as 2,000 new recruits this year, is prohibited from hiring those who have used marijuana the previous years.


Comments:

  1. Come on James, I want to smoke weed during the interview!

  2. It sounds like an episode of “Get Smart”.

The pre-play vulnerability in Chip and PIN

Posted on May 21st, 2014 at 11:48 by John Sinteur in category: Security

[Quote]:

When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the transaction. Part of this transaction is a number that is supposed to be random, so as to stop an authentication code being generated in advance. However, there are two ways in which the protection can be bypassed: the first requires that the Chip and PIN terminal has a poorly designed random generation (which we have observed in the wild); the second requires that the Chip and PIN terminal or its communications back to the bank can be tampered with (which again, we have observed in the wild).
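The precondition the quote names is a guessable “unpredictable number”. As an added example (not code from the original post or from the paper it quotes), here is a small screen a tester could run over a log of the UNs one terminal produced, flagging the gross defects (repeats, counter behaviour, stuck bits) that would make pre-play feasible; it assumes 32-bit UNs, and the sample values are constructed.

```python
"""Added example, not code from the original post or the paper it quotes:
a rough audit of the 'unpredictable number' (UN) a Chip and PIN terminal
hands to the card. Assumes 32-bit UNs; the sample values are constructed."""
from collections import Counter

MASK32 = 0xFFFFFFFF


def audit_un_sequence(uns, min_varying_bits=24):
    """Return a list of warning strings for a list of UNs (ints).

    An empty list means nothing obviously wrong was seen; it is not proof
    that the generator is sound, only a screen for gross defects."""
    findings = []
    if len(uns) < 4:
        return ["sample too small to judge"]
    # 1. Repeats: a 32-bit random value should almost never recur in a short log.
    repeats = [v for v, n in Counter(uns).items() if n > 1]
    if repeats:
        findings.append(f"repeated values: {len(repeats)}")
    # 2. Counter behaviour: every consecutive difference identical (mod 2^32),
    #    which is exactly what lets the next UN be predicted in advance.
    strides = {(b - a) & MASK32 for a, b in zip(uns, uns[1:])}
    if len(strides) == 1:
        findings.append(f"counter-like: constant stride {strides.pop():#x}")
    # 3. Stuck bits: positions that never change across the sample shrink the
    #    space a guessed UN has to cover.
    bits_or, bits_and = 0, MASK32
    for v in uns:
        bits_or |= v
        bits_and &= v
    varying = bin(bits_or & ~bits_and & MASK32).count("1")
    if varying < min_varying_bits:
        findings.append(f"only {varying} of 32 bits ever vary")
    return findings


if __name__ == "__main__":
    # Constructed samples: a counter-driven terminal and a healthy-looking one.
    counter_terminal = [0x00000010, 0x00000011, 0x00000012, 0x00000013, 0x00000014]
    random_terminal = [0x3A7F19C4, 0xC21E8B07, 0x5D90F3A8, 0xE4B2061D, 0x19C7D5F2]
    print(audit_un_sequence(counter_terminal))
    print(audit_un_sequence(random_terminal))
```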


Secrets, lies and Snowden’s email: why I was forced to shut down Lavabit

Posted on May 20th, 2014 at 17:24 by John Sinteur in category: Privacy, Security

[Quote]:

My legal saga started last summer with a knock at the door, behind which stood two federal agents ready to serve me with a court order requiring the installation of surveillance equipment on my company’s network.

My company, Lavabit, provided email services to 410,000 people – including Edward Snowden, according to news reports – and thrived by offering features specifically designed to protect the privacy and security of its customers. I had no choice but to consent to the installation of their device, which would hand the US government access to all of the messages – to and from all of my customers – as they travelled between their email accounts and other providers on the Internet.

But that wasn’t enough. The federal agents then claimed that their court order required me to surrender my company’s private encryption keys, and I balked. What they said they needed were customer passwords – which were sent securely – so that they could access the plain-text versions of messages from customers using my company’s encrypted storage feature. (The government would later claim they only made this demand because of my “noncompliance”.)

Bothered by what the agents were saying, I informed them that I would first need to read the order they had just delivered – and then consult with an attorney. The feds seemed surprised by my hesitation.

What ensued was a flurry of legal proceedings that would last 38 days, ending not only my startup but also destroying, bit by bit, the very principle upon which I founded it – that we all have a right to personal privacy.

[..]

Then, a federal judge entered an order of contempt against me – without even so much as a hearing.

But the judge created a loophole: without a hearing, I was never given the opportunity to object, let alone make any substantive defense, to the contempt charge. Without any objection (because I wasn’t allowed a hearing), the appellate court waived consideration of the substantive questions my case raised – and upheld the contempt charge, on the grounds that I hadn’t disputed it in court. Since the US supreme court traditionally declines to review cases decided on wholly procedural grounds, I will be permanently denied justice.

A case held in a secret court where the defendant isn’t allowed adequate time to find counsel, the defendant found in contempt without any chance to object, the contempt charge upheld on appeal because there was no objection, and the Supreme Court saying “no thanks” to hearing the case because it was all decided on procedural grounds…

Guys, reminder – Kafka is a novel, not a manual.


Comments:

  1. Did I miss something? I thought we won WWII, the Cold War and the War on Terror.

Guardian obtains footage of police officer firing Taser at naked man

Posted on May 1st, 2014 at 17:54 by Paul Jay in category: Do you feel safer yet?, Security

[Quote]:

The Guardian has obtained CCTV footage showing a police officer firing a Taser at a naked man in a cell.

A chief constable tried to prevent the release of footage showing the Wiltshire constable Lee Birch shooting the Taser at 23-year-old Daniel Dove – despite a court agreeing it could be published.

The Guardian obtained the footage from another source.

It shows Dove, who had been arrested on suspicion of being drunk and disorderly, being subjected to a strip search in a custody suite.

He pulls off his boxer shorts and flicks them at Birch. The officer takes a Taser he had held behind his back and fires it at Dove’s chest. The young man falls on to a mat that had been placed on the floor of the cell.

A crown court jury on Tuesday cleared Birch of assault causing actual bodily harm and misconduct in a public office. Charges were subsequently dropped against Dove.

However, the Independent Police Complaints Commission (IPCC) is investigating five officers including Birch in connection with the incident and is also looking at why the force involved, Wiltshire, did not inform it about what happened.

The IPCC will now examine if Birch, 31, and four colleagues breached professional standards.
