Gadget Gurus

gadget@econpros.com

With laptops banned onboard aircraft, your data is no longer yours if you fly

Gadget Gurus
  
Privacy Online News wrote the following post Sun, 16 Apr 2017 09:47:04 -0500

With laptops banned onboard aircraft, your data is no longer yours if you fly

New US regulations ban laptops on board some aircraft, requiring laptops to be in checked luggage. One of the first things you learn in information security is that if an adversary has had physical access to your computer, then it is not your computer anymore. This effectively means that the US three-letter agencies are taking themselves the right to compromise any computer from any traveler on these flights.

According to the United States Department of Homeland Security, which bills the ban as a “change to carry-on items” that affect “ten out of the more than 250 airports that serve the United States internationally”, there is a “security enhancement” because explosives can now be built into “consumer items”, and therefore laptops must now be banned from carry-on luggage and instead checked in.

When looking at this justification, the DHS notably fails to describe how it would be any safer flying with such alleged explosives in checked luggage rather than carry-on luggage onboard the same aircraft. In other words, the justification is utter nonsense, and so, there must be a different reason they issue this edict that they’re not writing about.
“The aviation security enhancements will include requiring that all personal electronic devices larger than a cell phone or smart phone be placed in checked baggage at 10 airports where flights are departing for the United States.”

When Microsoft (finally) trained every single one of their employees in security in the big so-called “security push” around the turn of the century, there were about a dozen insights that they really hammered home, again and again. One of the most important ones related to this was the simple insight of “if an adversary has had physical access to your computer, then it’s not your computer anymore”.

After all, if somebody has had physical access to the machine itself, then they will have been able to do everything from installing hardware keyloggers to booting the machine from USB and possibly get root access to some part of the filesystem – even on a fully encrypted GNU/Linux system, there is a small bootstrap portion that is unencrypted, and which can be compromised with assorted malware if somebody has physical access. They could conceivably even have replaced the entire processor or motherboard with hostile versions.

This is a much more probable reason for requiring all exploitable electronics to be outside of passengers’ field of view.

Remember that both the NSA and the CIA have a history of routinely pwning devices, even from the factory, or intercepting them while being shipped from the factory. (There was one incident where this was revealed last year, after the courier’s package tracking page showed how a new keyboard shipped to a Tor developer had taken a detour around the entire country, with a remarkable two-day stop – marked “delivered” – at a known NSA infiltration facility.)

Now imagine that the laptops and other large computing devices of these travelers — remember that the Tor developer in question was an American citizen! — that these devices will be required to be surrendered to the TSA, the CIA, the NSA, the TLA, and the WTF for several hours while inflight. It’s just not your device anymore when you get it back from the aircraft’s luggage hold – if it was ever there.
If your laptop has been checked in and has been in the TSA’s control, it can no longer be considered your laptop. Any further login to the compromised laptop will compromise your encrypted data, too.

The choice of the ten particular airports is also interesting. It’s the key airports of Dubai, Turkey, Egypt, Saudi Arabia, Kuwait… all predominantly Muslim countries. Some have pointed this out as racial profiling, but there are signs it may be something else entirely and more worrying.

For example, the Intercept presents the measure as a “muslim laptop ban”. This might or might not be an accurate framing, but the worrying part is that this is a best case scenario. More likely, it is a so-called “political test balloon” to check for how much protesting erupts, and to put it bluntly, if they get away with it. If they do, then this can be a precursor to a much wider ban on in-flight laptops – or, as you would more correctly have it, a much wider access for three-letter agencies to people’s laptops and data.

Privacy remains your own responsibility.



#Privacy #Security
Seth Martin
  last edited: Fri, 21 Apr 2017 18:02:48 -0500  
Once more, with passion: Fingerprints suck as passwords

Biometric data is identity (public), never authentication (secret). You leave a copy of your fingerprints literally on everything you touch.


#Privacy #Security #Passwords #Cybersecurity #Biometrics @Gadget Gurus+ @LibertyPod+
Comcast Paid Civil Rights Groups To Support Killing Broadband Privacy Rules

Seth Martin
  
Techdirt wrote the following post Wed, 05 Apr 2017 08:24:00 -0500

Comcast Paid Civil Rights Groups To Support Killing Broadband Privacy Rules

For years, one of the greasier lobbying and PR tactics by the telecom industry has been the use of minority groups to parrot awful policy positions. Historically, such groups are happy to take financing from a company like Comcast, in exchange for repeating whatever talking point memos are thrust in their general direction, even if the policy being supported may dramatically hurt their constituents. This strategy has played a starring role in supporting anti-consumer mega-mergers, killing attempts to make the cable box market more competitive, and efforts to eliminate net neutrality.

The goal is to provide an artificial wave of "support" for bad policies, used to then justify bad policy votes. And despite this being something the press has highlighted for the better part of several decades, the practice continues to work wonders. Hell, pretending to serve minority communities while effectively undermining them with bad internet policy is part of the reason Comcast now calls top lobbyist David Cohen the company's Chief Diversity Officer (something the folks at Comcast hate when I point it out, by the way).

Last week, we noted how Congress voted to kill relatively modest but necessary FCC privacy protections. You'd be hard pressed to find a single, financially-objective group or person that supports such a move. Even Donald Trump's most obnoxious supporters were relatively disgusted by the vote. Yet The Intercept notes that groups like the League of United Latin American Citizens and the OCA (Asian Pacific American Advocates) breathlessly urged the FCC to kill the rules, arguing that snoopvertising and data collection would be a great boon to low income families:

"The League of United Latin American Citizens and OCA – Asian Pacific American Advocates, two self-described civil rights organizations, told the FCC that “many consumers, especially households with limited incomes, appreciate receiving relevant advertising that is keyed to their interests and provides them with discounts on the products and services they use.”"

Of course, folks like Senator Ted Cruz then used this entirely-farmed support to insist there were "strenuous objections from throughout the internet community" at the creation of the rules, which simply wasn't true. Most people understood that the rules were a direct response to some reckless and irresponsible privacy practices at major ISPs -- ranging from charging consumers more to keep their data private, or using customer credit data to provide even worse customer support than they usually do. Yes, what consumer (minority or otherwise) doesn't want to pay significantly more money for absolutely no coherent reason?

It took only a little bit of digging for The Intercept to highlight what the real motivation for this support of anti-consumer policies was:

"OCA has long relied on telecom industry cash. Verizon and Comcast are listed as business advisory council members to OCA, and provide funding along with “corporate guidance to the organization.” Last year, both companies sponsored the OCA annual gala.

AT&T, Comcast, Time Warner Cable, Charter Communications and Verizon serve as part of the LULAC “corporate alliance,” providing “advice and assistance” to the group. Comcast gave $240,000 to LULAC between 2004 and 2012."

When a reporter asks these groups why they're supporting internet policies that run in stark contrast to their constituents, you'll usually be met with either breathless indignance at the idea that these groups are being used as marionettes, or no comment whatsoever (which was the case in the Intercept's latest report). This kind of co-opting still somehow doesn't get much attention in the technology press or policy circles, so it continues to work wonders. And it will continue to work wonders as the administration shifts its gaze from gutting privacy protections to killing net neutrality.



#Privacy #Net Neutrality #Communications #Comcast #FCC #Lobbying #LULAC #Politics @LibertyPod+ @Gadget Gurus+ @Laissez-Faire Capitalism+
I invented the web. Here are three things we need to change to save it | Tim Berners-Lee

Gadget Gurus
  
Technology | The Guardian wrote the following post Sat, 11 Mar 2017 18:01:08 -0600

I invented the web. Here are three things we need to change to save it | Tim Berners-Lee

It has taken all of us to build the web we have, and now it is up to all of us to build the web we want – for everyone

Today marks 28 years since I submitted my original proposal for the worldwide web. I imagined the web as an open platform that would allow everyone, everywhere to share information, access opportunities, and collaborate across geographic and cultural boundaries. In many ways, the web has lived up to this vision, though it has been a recurring battle to keep it open. But over the past 12 months, I’ve become increasingly worried about three new trends, which I believe we must tackle in order for the web to fulfill its true potential as a tool that serves all of humanity.

1) We’ve lost control of our personal data
Continue reading...


#Privacy #Internet #Advertising #Web #Politics #Social Media @LibertyPod+
Gadget Gurus
  
Wikileaks Unveils 'Vault 7': "The Largest Ever Publication Of Confidential CIA Documents"; Another Snowden Emerges | Zero Hedge


WikiLeaks has published what it claims is the "largest ever publication of confidential documents on the CIA." It includes more than 8,000 documents as part of ‘Vault 7’, a series of leaks on the agency which expose the agency's massive hacking arsenal.


#Privacy #CIA #Spying #Hacking #Snooping #Surveillance #WikiLeaks #Leaks #Vault 7 #Vault7 #Weeping Angel #HIVE @LibertyPod+
State Appeals Court Says Unlocking A Phone With A Fingerprint Doesn't Violate The Fifth Amendment

Gadget Gurus
  
Techdirt wrote the following post Wed, 25 Jan 2017 17:11:31 -0600

State Appeals Court Says Unlocking A Phone With A Fingerprint Doesn't Violate The Fifth Amendment

As was hinted heavily three years ago, you might be better off securing your phone with a passcode than your fingerprint. While a fingerprint is definitely unique and (theoretically...) a better way to keep thieves and snoopers from breaking into your phone, it's not much help when it comes to your Fifth Amendment protections against self-incrimination.

The Minnesota Appeals Court has ruled [PDF] that unlocking a phone with a fingerprint is no more "testimonial" than a blood draw, police lineup appearance, or even matching the description of a suspected criminal. (h/t Orin Kerr)
Diamond relies on In re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012), to support his argument that supplying his fingerprint was testimonial. In In re Grand Jury, the court reasoned that requiring the defendant to decrypt and produce the contents of a computer’s hard drive, when it was unknown whether any documents were even on the encrypted drive, “would be tantamount to testimony by [the defendant] of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” Id. at 1346. The court concluded that such a requirement is analogous to requiring production of a combination and that such a production involves implied factual statements that could potentially incriminate. Id.

By being ordered to produce his fingerprint, however, Diamond was not required to disclose any knowledge he might have or to speak his guilt. See Doe, 487 U.S. at 211, 108 S. Ct. at 2348. The district court’s order is therefore distinguishable from requiring a defendant to decrypt a hard drive or produce a combination. See, e.g., In re Grand Jury, 670 F.3d at 1346; United States v. Kirschner, 823 F. Supp. 2d 665, 669 (E.D. Mich. 2010) (holding that requiring a defendant to provide computer password violates the Fifth Amendment). Those requirements involve a level of knowledge and mental capacity that is not present in ordering Diamond to place his fingerprint on his cellphone. Instead, the task that Diamond was compelled to perform—to provide his fingerprint—is no more testimonial than furnishing a blood sample, providing handwriting or voice exemplars, standing in a lineup, or wearing particular clothing.

Of course, it's what's contained in the now-unlocked device that might be incriminating, which is why Diamond pointed to In re Grand Jury as being analogous to the forced provision of a fingerprint. The court's rebuttal of this argument, however, doesn't make a lot of sense. It says the process that unlocked the device requires no knowledge or mental capacity -- which is certainly true -- but that the end result, despite being the same (the production of evidence against themselves) is somehow different because of the part of the body used to obtain access (finger v. brain).

In recounting the obtaining of the print, the court shows that some knowledge is imparted by this effort -- information not possessed by law enforcement or prosecutors.
Diamond also argues that he “was required to identify for the police which of his fingerprints would open the phone” and that this requirement compelled a testimonial communication. This argument, however, mischaracterizes the district court’s order. The district court’s February 11 order compelled Diamond to “provide a fingerprint or thumbprint as deemed necessary by the Chaska Police Department to unlock his seized cell phone.” At the April 3 contempt hearing, the district court referred to Diamond providing his “thumbprint.” The prosecutor noted that they were “not sure if it’s an index finger or a thumb.” The district court answered, “Take whatever samples you need.” Diamond then asked the detectives which finger they wanted, and they answered, “The one that unlocks it.”

This is something only Diamond would know, and by unlocking the phone, he would be demonstrating some form of control of the device as well as responsibility for its contents. So, it is still a testimonial act, even if it doesn't rise to the mental level of retaining a password or combination. (And, if so, would four-digit passcodes be less "testimonial" than a nine-digit alphanumeric password, if the bright line comes down to mental effort?)

Given the reasoning of the court, it almost appears as though Diamond may have succeeded in this constitutional challenge if he had chosen to do so at the point he was ordered to produce the correct finger.
It is clear that the district court permitted the state to take samples of all of Diamond’s fingerprints and thumbprints. The district court did not ask Diamond whether his prints would unlock the cellphone or which print would unlock it, nor did the district court compel Diamond to disclose that information. There is no indication that Diamond would have been asked to do more had none of his fingerprints unlocked the cellphone. Diamond himself asked which finger the detectives wanted when he was ready to comply with the order, and the detectives answered his question. Diamond did not object then, nor did he bring an additional motion to suppress the evidence based on the exchange that he initiated.

And so, in the first decision of its kind for this Appeals Court, the precedent established is that fingerprints are less protective of defendants' Fifth Amendment rights than passwords.



#Fifth Amendment #Liberty #Self-Incrimination @LibertyPod+
Dropbox: Oops, yeah, we didn't actually delete all your files

Seth Martin
  
It's probably not a good idea to store anything sensitive, private or potentially revealing at locations you don't own. Big data companies like this keep your data forever! Choice is only an illusion.

Dropbox: Oops, yeah, we didn't actually delete all your files – this bug kept them in the cloud


Biz apologizes after years-old data mysteriously reappears
Dropbox says it was responsible for an attempted bug fix that instead caused old, deleted data to reappear on the site.…


#Dropbox #Cloud #Storage #Big Data @Gadget Guru+
Mozilla’s First Internet Health Report Tackles Privacy and Security

Seth Martin
  last edited: Sat, 21 Jan 2017 11:41:11 -0600  
The Internet Health Report



Welcome to Mozilla’s new open source initiative to document and explain what’s happening to the health of the Internet. Combining research from multiple sources, we collect data on five key topics and offer a brief overview of each.


#Decentralization #Privacy #Internet #Security #Cybersecurity #Mozilla @LibertyPod+ @Gadget Guru+
... "Surprise"!

Gadget Gurus
  
Technology | The Guardian wrote the following post Fri, 13 Jan 2017 05:00:16 -0600

WhatsApp backdoor allows snooping on encrypted messages

Exclusive: Privacy campaigners criticise WhatsApp vulnerability as a ‘huge threat to freedom of speech’ and warn it could be exploited by government agencies

A security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.
Continue reading...


#WhatsApp #Signal #Encryption #Social Networking #Communications #Surveillance #Snooping #Privacy
Secure Messaging Takes Some Steps Forward, Some Steps Back: 2016 In Review

Seth Martin
  last edited: Thu, 29 Dec 2016 22:35:47 -0600  
Deeplinks wrote the following post Thu, 29 Dec 2016 18:10:08 -0600

Secure Messaging Takes Some Steps Forward, Some Steps Back: 2016 In Review

This year has been full of developments in messaging platforms that employ encryption to protect users. 2016 saw an increase in the level of security for some major messaging services, bringing end-to-end encryption to over a billion people. Unfortunately, we’ve also seen major platforms making poor decisions for users and potentially undermining the strong cryptography built into their apps.

WhatsApp makes big improvements, but concerning privacy changes
In late March, the Facebook-owned messaging service WhatsApp introduced end-to-end encryption for its over 1 billion monthly active users. The enormous significance of rolling out strong encryption to such a large user-base was combined with the fact that underlying WhatsApp’s new feature was the Signal Protocol, a well-regarded and independently reviewed encryption protocol. WhatsApp was not only protecting users’ chats, but also doing so with one of the best end-to-end encrypted messaging protocols out there. At the time, we praised WhatsApp and created a guide for both iOS and Android on how you could protect your communications using it.

In August, however, we were alarmed to see WhatsApp establish data-sharing practices that signaled a shift in its attitude toward user privacy. In its first privacy policy change since 2012, WhatsApp laid the groundwork for expanded data-sharing with its parent company, Facebook. This change allows Facebook access to several pieces of users’ WhatsApp information, including WhatsApp phone number, contact list, and usage data (e.g. when a user last used WhatsApp, what device it was used on, and what OS it was run on). This new data-sharing compounded our previous concerns about some of WhatsApp’s non-privacy-friendly default settings.

Signal takes steps forward
Meanwhile, the well-regarded end-to-end encryption app Signal, for which the Signal Protocol was created, has grown its user-base and introduced new features.  Available for iOS and Android (as well as desktop if you have either of the previous two), Signal recently introduced disappearing messages to its platform.  With this, users can be assured that after a chosen amount of time, messages will be deleted from both their own and their contact’s devices.

Signal also recently changed the way users verify their communications, introducing the concept of “safety numbers” to authenticate conversations and verify the long-lived keys of contacts in a more streamlined way.

Mixed-mode messaging
2016 reminded us that it’s not as black-and-white as secure messaging apps vs. not-secure ones. This year we saw several existing players in the messaging space add end-to-end encrypted options to their platforms. Facebook Messenger added “secret” messaging, and Google released Allo Messenger with “incognito” mode. These end-to-end encrypted options co-exist on the apps with a default option that is only encrypted in transit.

Unfortunately, this “mixed mode” design may do more harm than good by teaching users the wrong lessons about encryption. Branding end-to-end encryption as “secret,” “incognito,” or “private” may encourage users to use end-to-end encryption only when they are doing something shady or embarrassing. And if end-to-end encryption is a feature that you only use when you want to hide or protect something, then the simple act of using it functions as a red flag for valuable, sensitive information. Instead, encryption should be an automatic, straightforward, easy-to-use status quo to protect all communications.

Further, mixing end-to-end encrypted modes with less sensitive defaults has been demonstrated to result in users making mistakes and inadvertently sending sensitive messages without end-to-end encryption.

In contrast, the end-to-end encrypted “letter sealing” that LINE expanded this year is enabled by default. Since first introducing it for 1-on-1 chats in 2015, LINE has made end-to-end encryption the default and progressively expanded the feature to group chats and 1-on-1 calls. Users can still send messages on LINE without end-to-end encryption by changing security settings, but the company recommends leaving the default “letter sealing” enabled at all times. This kind of default design makes it easier for users to communicate with encryption from the get-go, and much more difficult for them to make dangerous mistakes.

The dangers of unsecure messaging
In stark contrast to the above-mentioned secure messaging apps, a November report from Citizen Lab exposes China’s WeChat messenger’s practice of performing selective censorship on its over 806 million monthly active users.  When a user registers with a Chinese phone number, WeChat will censor content critical of the regime no matter where that user is. The censorship effectively “follows them around,” even if the user switches to an international phone number or leaves China to travel abroad. Effectively, WeChat users may be under the control of China’s censorship regime no matter where they go.

Compared to the secure messaging practices EFF advocates for, WeChat represents the other end of the messaging spectrum, employing algorithms to control and limit access rather than using privacy-enhancing technologies to allow communication. This is an urgent reminder of how users can be put in danger when their communications are available to platform providers and governments, and why it is so important to continue promoting privacy-enhancing technologies and secure messaging.

This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2016.



#Encryption #Privacy #Communications #Messaging #Security #WhatsApp #Signal #LINE #Allo #incognito  
@Gadget Guru+ @LibertyPod+
Google’s ad tracking just got creepier. Here’s how to disable it

Gadget Gurus
  
Technology | The Guardian wrote the following post Fri, 21 Oct 2016 16:30:58 -0500

Google’s ad tracking just got creepier. Here’s how to disable it

Google in June quietly deleted a clause in its privacy settings that said it would not combine cookie information with personal information without consent

Google has changed the way it tracks users across the internet so that it can now link people’s personally identifiable information from Gmail, YouTube and other accounts with their browsing records across the web. The company had previously pledged to keep these two data sets separate to protect individuals’ privacy.

As first reported by Propublica, Google quietly updated its privacy settings in June to delete a clause that said “we will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent”.
Continue reading...


#Privacy #Google #Tracking #Advertising
Never at my workplace!

Seth Martin
  last edited: Tue, 11 Oct 2016 12:58:51 -0500  
We use #Hubzilla at my workplace so our data remains our data!
I'm also considering introducing the team to Riot/matrix for a Slack/IRC like experience.

Motherboard wrote the following post Tue, 11 Oct 2016 11:45:00 -0500

Facebook's Version of Slack Is Coming for Your Workplace. What Now?


Sitting at work all day scrolling through Facebook is almost definitely frowned upon by your bosses, but Facebook wants to change that with the launch of a new version of Facebook—specifically designed for work—called Workplace.

Facebook is ubiquitous. If it’s not Mark Zuckerberg handing out “Free Basics” to developing countries, it’s internet connectivity beamed down from giant, solar-powered drones. As of July 2016, the social network had 1.71 billion monthly users. Facebook is without doubt one of the most pervasive technological phenomenons of the 21st Century. Thing is, Facebook’s hit a brick wall when it comes to growth. Everybody who would want to use Facebook, generally speaking, is already, or at least will be using Facebook very soon. So, to eke out the last embers of growth in a saturated market, Facebook has now, officially, entered your workplace.

Workplace by Facebook launched on Monday October 10 after almost two years of development and months of beta tests on early customers. The service is the social giant’s new effort to infiltrate businesses around the world, and to rival office apps like Slack and Microsoft’s Yammer. Essentially, it’s a modified version of the Facebook we all know and love/hate. It’s the same algorithms, the same news feeds, the same ability to share photos and documents and chat in groups or in private—only your bosses can see everything that happens and it’s all controlled by your company’s IT team. Workplace is on mobile, too, with standalone apps for Android and iOS meaning employees can access everything remotely, just like users would with the regular Facebook app.

Facebook, with Workplace, is hoping to revolutionise how companies want to work with employees by shedding the old ideals of emails and intranet. “It's for everyone, not just for one team, not just for five percent of the company, it's for everyone from the CEO to the factory workers to the baristas in the coffee shop,” a Facebook spokesperson said at the London launch event this week, which Motherboard attended. “Even people who don't have a desk, even people who have never had a PC, even people who have never had an email.”


Image: Workplace by Facebook

The question is, to what extent will this horizontal workflow management clash with privacy concerns? If your team or company decides to implement Workplace, will signing up be compulsory? It would seem so, if Facebook has its way and truly lets your bosses ditch emails and intranet and all of the inner workings of PC-based bureaucracy. But then what?

The Facebook spokesperson at the launch event said it best when he was explaining how the chief information officer of an airline wanted to be able to see what his staff were doing in their personal, consumer versions of Facebook groups. “Every crew of every flight were using Facebook groups,” the spokesperson said. “It's not necessarily what the CIO of the company wanted, because he wants to control who sees the information.”

But the reason why many organisations will be attracted to Workplace, such as the familiarity employees will have with regular old Facebook, could also be its downfall. Employees will be accustomed to Facebook being a place for gossip, cat videos, and friends. So what’s the decorum for Workplace by Facebook? While the two are completely different applications, old habits die hard. Who can you trust to speak to in private? Is my group being monitored for productivity? Do I have to befriend everyone in the company, and if I block someone’s news feed, will my boss know I hate them?
Your workplace chats may well one day be used as evidence against you

It’s also worth noting, as highlighted in the Gawker vs Hulk Hogan case, in which Gawker Media’s Slack conversations were subpoenaed for court, that your workplace chats may well one day be used as evidence against you. While data on Workplace belongs to the company using it, rather than Facebook, it’s still wise to watch what you say with any office productivity app. Facebook did not immediately respond to Motherboard’s request for comment on whether workplace chats would be susceptible to subpoenas.

Ultimately, Facebook is banking on the familiarity of the platform winning over customers. It appears easy to use and offers all of the same features as regular Facebook. But in the end, only time will tell whether employees will ever be, or ever want to be, comfortable using Facebook as a work tool or not.


#CCF #Facebook #Social Networking #Communications #Privacy @Gadget Guru+
Feds get sweet FA from Whisper Systems Signal subpoena

Gadget Gurus
  
Feds get sweet FA from Whisper Systems Signal subpoena



That's why it's called secure and private
Open Whisper Systems – the secure messaging firm set up by respected crypto anarchist Moxie Marlinspike – has published the results of a federal subpoena and shown that the Feds got very little for their trouble.…


#Privacy #Encryption #OpenWhisperSystems #OWS @LibertyPod+
Government uses gag order to keep encryption company quiet

Gadget Gurus
  
Engadget RSS Feed wrote the following post Tue, 04 Oct 2016 15:41:00 -0500

Government uses gag order to keep encryption company quiet

In the first half of 2016, Open Whisper Systems (OWS) -- the maker of Signal and creator of the encryption used by Google Allo and Facebook Messenger -- was served a subpoena for information concerning two users of the service. That's not out of the...


#Privacy #Encryption #OpenWhisperSystems #OWS #First Amendment @LibertyPod+
Apple Logs Your iMessage Contacts — and May Share Them with Police

Gadget Gurus
  
The Intercept wrote the following post Wed, 28 Sep 2016 09:00:52 -0500

Apple Logs Your iMessage Contacts — and May Share Them with Police

Apple promises that your iMessage conversations are safe and out of reach from anyone other than you and your friends. But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and shares this (and other potentially sensitive metadata) with law enforcement when compelled by court order.

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “tap and trace devices,” orders that are not particularly onerous to obtain, requiring only that a government lawyer represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

The Intercept received the document about Apple’s Messages logs as part of a larger cache originating from within the Florida Department of Law Enforcement’s Electronic Surveillance Support Team, a state police agency that facilitates police data collection using controversial tools like the Stingray, along with conventional techniques like pen registers. The document, titled “iMessage FAQ for Law Enforcement,” is designated for “Law Enforcement Sources” and “For Official Use Only,” though it’s unclear who wrote it or for what specific audience — metadata embedded in the PDF cites an author only named “mrrodriguez.” (The term “iMessages” refers to an old name for the Messages app, a name still commonly used to refer to it.)

Phone companies routinely hand over metadata about calls to law enforcement in response to pen register warrants. But it’s noteworthy that Apple is able to provide information on iMessage contacts under such warrants given that Apple and others have positioned the messaging platform as a particularly secure alternative to regular texting.

The document reads like a fairly standard overview that one might forward to a clueless parent (questions include “How does it work?” and “Does iMessage use my cellular data plan?”), until the final section, “What will I get if I serve Apple with a [Pen Register/Tap and Trace] court order for an iMessage account?”:

Image/photo

This is a lot of bullet points to say one thing: Apple maintains a log of phone numbers you’ve entered into Messages, and potentially elsewhere on an Apple device, like the Contacts app, even if you never end up communicating with those people. The document implies that Messages transmits these numbers to Apple when you open a new chat window and select a contact or number with whom to communicate, but it’s unclear exactly when these queries are triggered, and how often—an Apple spokesperson confirmed only that the logging information in the iMessage FAQ is “generally accurate,” but declined to elaborate on the record.

Image/photo

Illustration: Selman Design for The Intercept

Apple provided the following statement:
“When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place.”

And it’s true, based on the sample information provided in the FAQ, that Apple doesn’t appear to provide any indication whatsoever that an iMessage conversation took place. But a list of the people you choose to associate with can be just as sensitive as your messages with those people. It requires little stretching of the imagination to come up with a scenario in which the fact that you swapped numbers with someone at some point in the past could be construed as incriminating or compromising.

Andrew Crocker, an attorney with the Electronic Frontier Foundation, said the document prompted further questions:
“How often are lookups performed? Does opening [an iMessage] thread cause a lookup? Why is Apple retaining this information?”

The Florida Department of Law Enforcement did not return a request for comment.

The fact that Apple is able and willing to help the government map the communications networks of its users doesn’t necessarily undermine the company’s posturing (and record) as a guardian of privacy, though this leaked document provides more detail about how the iMessages system can be monitored than has been volunteered in the past. Ideally, customers wouldn’t need to read documents marked “For Official Use Only” in order to know what information Apple may or may not disclose to the police. In a section of its website devoted to touting the privacy safeguards in its products, Apple claims that “your iMessages and FaceTime calls are your business, not ours… Unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to.”

In 2013, after Apple was revealed to be among the tech companies caught up in an NSA surveillance program known as PRISM, which tapped into customer information on the central servers of nine leading internet companies, the company released a rare statement regarding its “commitment to customer privacy,” insisting that it would be unable to share sensitive customer data even if it wanted to:
For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.

Questions of how much Apple could or would aid police if asked vaulted back into headlines following the mass shooting in San Bernardino last year, which left the FBI in possession of the shooter’s iPhone, which it was unable initially to decrypt. Apple balked at demands that it help crack the phone, allowing it to enjoy a reputation as not just a maker of expensive electronics, but a determined privacy advocate. We need more technology companies that are willing to take public, principled stands in defense of our private lives, but these same companies should follow through with technical transparency, not just statements.


The post Apple Logs Your iMessage Contacts — and May Share Them with Police appeared first on The Intercept.


#Privacy #Surveillance #Tracking @LibertyPod+
Long-Secret Stingray Manuals Detail How Police Can Spy on Phones

Gadget Gurus
  
The Intercept wrote the following post Mon, 12 Sep 2016 13:33:47 -0500

Long-Secret Stingray Manuals Detail How Police Can Spy on Phones

Harris Corp.’s Stingray surveillance device has been one of the most closely-guarded secrets in law enforcement for more than 15 years. The company and its police clients across the United States have fought to keep information about the mobile-phone-monitoring boxes from the public against which they are used. The Intercept has obtained several Harris instruction manuals spanning roughly 200 pages and meticulously detailing how to create a cellular surveillance dragnet.

Harris has fought to keep its surveillance equipment, which carries price tags in the low six figures, hidden from both privacy activists and the general public, arguing that information about the gear could help criminals. Accordingly, an older Stingray manual released under the Freedom of Information Act to news website TheBlot.com last year was almost completely redacted. So too have law enforcement agencies at every level, across the country, evaded almost all attempts to learn how and why these extremely powerful tools are being used—though court battles have made it clear Stingrays are often deployed without any warrant. The San Bernardino Sheriff’s Department alone has snooped via Stingray, sans warrant, over 300 times.

Richard Tynan, a technologist with Privacy International, told The Intercept that the “manuals released today offer the most up to date view on the operation of” Stingrays and similar cellular surveillance devices, with powerful capabilities that threaten civil liberties, communications infrastructure, and potentially national security. He noted that the documents show the “Stingray II” device can impersonate four cellular communications towers at once, monitoring up to four cellular provider networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.

“There really isn’t any place for innocent people to hide from a device such as this,” he wrote in an email message.

“As more of our infrastructure, homes, environment, and transportation are connected wirelessly to the internet, such technologies really do pose a massive risk to public safety and security.”

And the Harris software isn’t just extremely powerful, Tynan adds, but relatively simple, providing any law enforcement agent with a modicum of computer literacy the ability to spy on large groups of people:
The ease with which the StingRay II can be used is quite striking and there do not seem to be any technical safeguards against misuse… It also allows the operator to configure virtually every aspect of the operation of the fake cell tower… The Gemini platform also allows for the logging and analysis of data to and from the network and “Once a message to/from any active subscriber in the Subscriber list is detected, Gemini will notify the user.” How many innocent communications of the public are analyzed during this process?

Tynan also raised questions about the extent to which Stingrays may be disrupting the communications infrastructure, including existing cellular towers.

Harris declined to comment. In a 2014 letter to the FCC, the company argued that if the owner’s manuals were released under the Freedom of Information Act this would “harm Harris’ competitive interests” and that “criminals and terrorist[s] would have access to information that would allow them to build countermeasures.” But Stingrays are known for spying on low-level marijuana dealers and other domestic targets, not al Qaeda; as the Electronic Frontier Foundation’s Jennifer Lynch said in December, “I am not aware of any case in which a police agency has used a cell-site simulator to find a terrorist.” Meanwhile, it is already publicly known that the NSA uses Stingray-like devices to locate suspected terrorists as part of a system known as Gilgamesh. Nathan Wessler, an attorney with the ACLU, told The Intercept that “when the most likely ‘countermeasure’ is someone turning their phone off or leaving it at home, it is hard to understand how public release of a manual like this could cause harm.” And furthermore, says Wessler, “it is in the public interest to understand the general capabilities of this technology, so that lawmakers and judges can exercise appropriate oversight and protect people’s privacy rights.”

The documents described and linked below, instruction manuals for the software used by Stingray operators, were provided to The Intercept as part of a larger cache believed to have originated with the Florida Department of Law Enforcement. Two of them contain a “distribution warning” saying they contain “Proprietary Information and the release of this document and the information contained herein is prohibited to the fullest extent allowable by law.”

Although “Stingray” has become a catch-all name for devices of its kind, often referred to as “IMSI catchers,” the manuals include instructions for a range of other Harris surveillance boxes, including the Hailstorm, ArrowHead, AmberJack, and KingFish. They make clear the capability of those devices and the Stingray II to spy on cell phones by, at minimum, tracking their connection to the simulated tower, information about their location, and certain “over the air” electronic messages sent to and from them. Wessler added that parts of the manuals make specific reference to permanently storing this data, something that American law enforcement has denied doing in the past.

Image/photo

One piece of Windows software used to control Harris’ spy boxes, software that appears to be sold under the name “Gemini,” allows police to track phones across 2G, 3G, and LTE networks. Another Harris app, “iDen Controller,” provides a litany of fine-grained options for tracking phones. A law enforcement agent using these pieces of software along with Harris hardware could not only track a large number of phones as they moved throughout a city but could also apply nicknames to certain phones to keep track of them in the future. The manual describing how to operate iDEN, the lengthiest document of the four at 156 pages, uses an example of a target (called a “subscriber”) tagged alternately as Green Boy and Green Ben:

Image/photo

The documents also make clear just how easy it is to execute a bulk surveillance regime from the trunk of a car: a Gemini “Quick Start Guide”, which runs to 54 pages, contains an entire chapter on logging, which “enables the user to listen and log over the air messages that are being transmitted between the Base Transceiver Station (BTS) and the Mobile Subscriber (MS).” It’s not clear exactly what sort of metadata or content would be captured in such logging. The “user” here, of course, is a police officer.

Image/photo

In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example knocking a connection from LTE to 2G:

Image/photo

A video of the Gemini software installed on a personal computer, obtained by The Intercept and embedded below, provides not only an extensive demonstration of the app but also underlines how accessible the mass surveillance code can be: Installing a complete warrantless surveillance suite is no more complicated than installing Skype. Indeed, software such as Photoshop or Microsoft Office, which require a registration key or some other proof of ownership, are more strictly controlled by their makers than software designed for cellular interception.

“While this device is being discussed in the context of US law enforcement,” said Tynan, “this could be used by foreign agents against the US public and administration. It is no longer acceptable for our phones and mobile networks to be exploited in such an invasive and indiscriminate way.”


The post Long-Secret Stingray Manuals Detail How Police Can Spy on Phones appeared first on The Intercept.


#Privacy #Surveillance #Stingray #Snooping #Communications #Freedom #Liberty #Policing @LibertyPod+
With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive

Seth Martin
  
Deeplinks wrote the following post Wed, 17 Aug 2016 09:12:52 -0500

With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive



Microsoft had an ambitious goal with the launch of Windows 10: a billion devices running the software by the end of 2018. In its quest to reach that goal, the company aggressively pushed Windows 10 on its users and went so far as to offer free upgrades for a whole year. However, the company’s strategy for user adoption has trampled on essential aspects of modern computing: user choice and privacy. We think that’s wrong.

You don’t need to search long to come across stories of people who are horrified and amazed at just how far Microsoft has gone in order to increase Windows 10’s install base. Sure, there is some misinformation and hyperbole, but there are also some real concerns that current and future users of Windows 10 should be aware of. As the company is currently rolling out its “Anniversary Update” to Windows 10, we think it’s an appropriate time to focus on and examine the company’s strategy behind deploying Windows 10.

Disregarding User Choice

The tactics Microsoft employed to get users of earlier versions of Windows to upgrade to Windows 10 went from annoying to downright malicious. Some highlights: Microsoft installed an app in users’ system trays advertising the free upgrade to Windows 10. The app couldn’t be easily hidden or removed, but some enterprising users figured out a way. Then, the company kept changing the app and bundling it into various security patches, creating a cat-and-mouse game to uninstall it.

Eventually, Microsoft started pushing Windows 10 via its Windows Update system. It started off by pre-selecting the download for users and downloading it on their machines. Not satisfied, the company eventually made Windows 10 a recommended update so users receiving critical security updates were now also downloading an entirely new operating system onto their machines without their knowledge. Microsoft even rolled in the Windows 10 ad as part of an Internet Explorer security patch. Suffice to say, this is not the standard when it comes to security updates, and isn’t how most users expect them to work. When installing security updates, users expect to patch their existing operating system, and not see an advertisement or find out that they have downloaded an entirely new operating system in the process.

In May 2016, in an action designed in a way we think was highly deceptive, Microsoft actually changed the expected behavior of a dialog window, a user interface element that’s been around and acted the same way since the birth of the modern desktop. Specifically, when prompted with a Windows 10 update, if the user chose to decline it by hitting the ‘X’ in the upper right hand corner, Microsoft interpreted that as consent to download Windows 10.

Time after time, with each update, Microsoft chose to employ questionable tactics to cause users to download a piece of software that many didn’t want. What users actually wanted didn’t seem to matter. In an extreme case, members of a wildlife conservation group in the African jungle felt that the automatic download of Windows 10 on a limited bandwidth connection could have endangered their lives if a forced upgrade had begun during a mission.

Disregarding User Privacy

The trouble with Windows 10 doesn’t end with forcing users to download the operating system. By default, Windows 10 sends an unprecedented amount of usage data back to Microsoft, and the company claims most of it is to “personalize” the software by feeding it to the OS assistant called Cortana. Here’s a non-exhaustive list of data sent back: location data, text input, voice input, touch input, webpages you visit, and telemetry data regarding your general usage of your computer, including which programs you run and for how long.

While we understand that many users find features like Cortana useful, and that such features would be difficult (though not necessarily impossible) to implement in a way that doesn’t send data back to the cloud, the fact remains that many users would much prefer to opt out of these features in exchange for maintaining their privacy.

And while users can opt-out of some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers. A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so. Microsoft also won’t say how long this data is retained, instead providing only general timeframes. Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.

Microsoft has tried to explain this lack of choice by saying that Windows Update won’t function properly on copies of the operating system with telemetry reporting turned to its lowest level. In other words, Microsoft is claiming that giving ordinary users more privacy by letting them turn telemetry reporting down to its lowest level would risk their security since they would no longer get security updates [1]. (Notably, this is not something many articles about Windows 10 have touched on.)

But this is a false choice that is entirely of Microsoft’s own creation. There’s no good reason why the types of data Microsoft collects at each telemetry level couldn’t be adjusted so that even at the lowest level of telemetry collection, users could still benefit from Windows Update and secure their machines from vulnerabilities, without having to send back things like app usage data or unique IDs like an IMEI number.

And if this wasn’t bad enough, Microsoft’s questionable upgrade tactics of bundling Windows 10 into various levels of security updates have also managed to lower users’ trust in the necessity of security updates. Sadly, this has led some people to forego security updates entirely, meaning that there are users whose machines are at risk of being attacked.

There’s no doubt that Windows 10 has some great security improvements over previous versions of the operating system. But it’s a shame that Microsoft made users choose between having privacy and security.

The Way Forward

Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.

Otherwise it will face backlash in the form of individual lawsuits, state attorney general investigations, and government investigations.

We at EFF have heard from many users who have asked us to take action, and we urge Microsoft to listen to these concerns and incorporate this feedback into the next release of its operating system. Otherwise, Microsoft may find that it has inadvertently discovered just how far it can push its users before they abandon a once-trusted company for a better, more privacy-protective solution.

[1] Confusingly, Microsoft calls the lowest level of telemetry reporting (which is not available on Home or Professional editions of Windows 10) the “security” level—even though it prevents security patches from being delivered via Windows Update.


#Privacy #Security #Microsoft #Windows #Cybersecurity @Gadget Guru+ @LibertyPod+
Inventor of The Internet’s Most Terrifying Search Engine Shows Us How To Use It

Gadget Gurus
  last edited: Sat, 20 Aug 2016 16:23:21 -0500  
Motherboard wrote the following post Sat, 20 Aug 2016 10:00:00 -0500

Inventor of The Internet’s Most Terrifying Search Engine Shows Us How To Use It


    

The internet isn’t just made of Facebook, Motherboard, 4chan and all your other favorite websites. There are thousands of devices, such as webcams, smart light bulbs, printers, and even smart homes, connected to it and there’s a special search engine that allows you to find them.

It’s called Shodan and it’s a great tool to find insecure devices, so that people can fix them and make the internet safer. Shodan crawls the internet and collects all kind of stuff connected to the internet, from mundane smart fridges to industrial control systems. It’s a powerful tool, and you don’t really appreciate it until you use it yourself, or, better yet, until its inventor shows you what it can do.

We met with Shodan’s creator John Matherly, who gave us a glimpse of all the crazy things you can find with Shodan.

“There’s so many homes connected to the internet,” Shodan’s inventor John Matherly says.

Check out the deleted scene above to learn about Shodan, and check out VICELAND’s documentary series CYBERWAR every Tuesday at 10:30 PM on VICELAND.


#Shodan #Security #Hacking #Privacy #IoT #Cybersecurity
The NSA Was Hacked, Snowden Documents Confirm

Gadget Gurus
  last edited: Sat, 20 Aug 2016 13:15:06 -0500  
The Intercept wrote the following post Fri, 19 Aug 2016 07:00:55 -0500

The NSA Was Hacked, Snowden Documents Confirm

On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.

The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, with some observers blaming the Russians and others hypothesizing unilateral action by a disgruntled NSA staffer, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.

The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.

SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.

But malicious software of this sophistication doesn’t just pose a threat to foreign governments, Johns Hopkins University cryptographer Matthew Green told The Intercept:
The danger of these exploits is that they can be used to target anyone who is using a vulnerable router. This is the equivalent of leaving lockpicking tools lying around a high school cafeteria. It’s worse, in fact, because many of these exploits are not available through any other means, so they’re just now coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable.

So the risk is twofold: first, that the person or persons who stole this information might have used them against us. If this is indeed Russia, then one assumes that they probably have their own exploits, but there’s no need to give them any more. And now that the exploits have been released, we run the risk that ordinary criminals will use them against corporate targets.

The NSA did not respond to questions concerning ShadowBrokers, the Snowden documents, or its malware.

A Memorable SECONDDATE

The offensive tools released by ShadowBrokers are organized under a litany of code names such as POLARSNEEZE and ELIGIBLE BOMBSHELL, and their exact purpose is still being assessed. But we do know more about one of the weapons: SECONDDATE.

SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware. SECONDDATE’s existence was first reported by The Intercept in 2014, as part of a look at a global computer exploitation effort code-named TURBINE. The malware server, known as FOXACID, has also been described in previously released Snowden documents.

Other documents released by The Intercept today not only tie SECONDDATE to the ShadowBrokers leak but also provide new detail on how it fits into the NSA’s broader surveillance and infection network. They also show how SECONDDATE has been used, including to spy on Pakistan and a computer system in Lebanon.

The top-secret manual that authenticates the SECONDDATE found in the wild as the same one used within the NSA is a 31-page document titled “FOXACID SOP for Operational Management” and marked as a draft. It dates to no earlier than 2010. A section within the manual describes administrative tools for tracking how victims are funneled into FOXACID, including a set of tags used to catalogue servers. When such a tag is created in relation to a SECONDDATE-related infection, the document says, a certain distinctive identifier must be used:

Image/photo

The same SECONDDATE MSGID string appears in 14 different files throughout the ShadowBrokers leak, including in a file titled SecondDate-3021.exe. Viewed through a code-editing program (screenshot below), the NSA’s secret number can be found hiding in plain sight:

Image/photo

All told, throughout many of the folders contained in the ShadowBrokers’ package (screenshot below), there are 47 files with SECONDDATE-related names, including different versions of the raw code required to execute a SECONDDATE attack, instructions for how to use it, and other related files.


Image/photo

After viewing the code, Green told The Intercept the MSGID string’s occurrence in both an NSA training document and this week’s leak is “unlikely to be a coincidence.” Computer security researcher Matt Suiche, founder of UAE-based cybersecurity startup Comae Technologies, who has been particularly vocal in his analysis of the ShadowBrokers this week, told The Intercept “there is no way” the MSGID string’s appearance in both places is a coincidence.

Where SECONDDATE Fits In

This overview jibes with previously unpublished classified files provided by Snowden that illustrate how SECONDDATE is a component of BADDECISION, a broader NSA infiltration tool. SECONDDATE helps the NSA pull off a “man in the middle” attack against users on a wireless network, tricking them into thinking they’re talking to a safe website when in reality they’ve been sent a malicious payload from an NSA server.

According to one December 2010 PowerPoint presentation titled “Introduction to BADDECISION,” that tool is also designed to send users of a wireless network, sometimes referred to as an 802.11 network, to FOXACID malware servers. Or, as the presentation puts it, BADDECISION is an “802.11 CNE [computer network exploitation] tool that uses a true man-in-the-middle attack and a frame injection technique to redirect a target client to a FOXACID server.” As another top-secret slide puts it, the attack homes in on “the greatest vulnerability to your computer: your web browser.”

Image/photo

One slide points out that the attack works on users with an encrypted wireless connection to the internet.

That trick, it seems, often involves BADDECISION and SECONDDATE, with the latter described as a “component” for the former. A series of diagrams in the “Introduction to BADDECISION” presentation show how an NSA operator “uses SECONDDATE to inject a redirection payload at [a] Target Client,” invisibly hijacking a user’s web browser as the user attempts to visit a benign website (in the example given, it’s CNN.com). Executed correctly, the file explains, a “Target Client continues normal webpage browsing, completely unaware,” lands on a malware-filled NSA server, and becomes infected with as much of that malware as possible — or as the presentation puts it, the user will be left “WHACKED!” In the other top-secret presentations, it’s put plainly: “How do we redirect the target to the FOXACID server without being noticed”? Simple: “Use NIGHTSTAND or BADDECISION.”

The sheer number of interlocking tools available to crack a computer is dizzying. In the FOXACID manual, government hackers are told an NSA hacker ought to be familiar with using SECONDDATE along with similar man-in-the-middle wi-fi attacks code-named MAGIC SQUIRREL and MAGICBEAN. A top-secret presentation on FOXACID lists further ways to redirect targets to the malware server system.

Image/photo

To position themselves within range of a vulnerable wireless network, NSA operators can use a mobile antenna system running software code-named BLINDDATE, depicted in the field in what appears to be Kabul. The software can even be attached to a drone. BLINDDATE in turn can run BADDECISION, which allows for a SECONDDATE attack:

Image/photo

Elsewhere in these files, there are at least two documented cases of SECONDDATE being used to successfully infect computers overseas: An April 2013 presentation boasts of successful attacks against computer systems in both Pakistan and Lebanon. In the first, NSA hackers used SECONDDATE to breach “targets in Pakistan’s National Telecommunications Corporation’s (NTC) VIP Division,” which contained documents pertaining to “the backbone of Pakistan’s Green Line communications network” used by “civilian and military leadership.”

In the latter, the NSA used SECONDDATE to pull off a man-in-the-middle attack in Lebanon “for the first time ever,” infecting a Lebanese ISP to extract “100+ MB of Hizballah Unit 1800 data,” a special subset of the terrorist group dedicated to aiding Palestinian militants.

SECONDDATE is just one method that the NSA uses to get its target’s browser pointed at a FOXACID server. Other methods include sending spam that attempts to exploit bugs in popular web-based email providers or entices targets to click on malicious links that lead to a FOXACID server. One document, a newsletter for the NSA’s Special Source Operations division, describes how NSA software other than SECONDDATE was used to repeatedly direct targets in Pakistan to FOXACID malware web servers, eventually infecting the targets’ computers.

A Potentially Mundane Hack
Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered some context and a relatively mundane possible explanation for the leak: that the NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised. In a series of tweets, he pointed out that the NSA often lurks on systems that are supposed to be controlled by others, and it’s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files and the opportunity to embarrass the agency.

6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

— Edward Snowden (@Snowden) August 16, 2016


The post The NSA Was Hacked, Snowden Documents Confirm appeared first on The Intercept.


#NSA #Malware #Privacy #Snowden #Cybersecurity @LibertyPod+

Chill Out, Snowden is Fine.

Seth Martin
  last edited: Sun, 07 Aug 2016 10:14:09 -0500  
Edward Snowden Not Dead: ‘He’s Fine’ Says Glenn Greenwald After Mysterious Tweet

Image/photo

Snowden issued a cryptic 64-character code via Twitter, leading to concern that the whistleblower was captured or killed, triggering a "dead man’s switch" message designed to release if he didn’t check into his computer at a certain time.


#Snowden #Whistleblowing #Privacy @Gadget Guru+  @LibertyPod+