"In 1967, The Public Interest, then a leading venue for highbrow policy debate, published a provocative essay by Paul Baran, one of the fathers of the data transmission method known as packet switching [and agent of RAND]. Titled “The Future Computer Utility," the essay speculated that someday a few big, centralized computers would provide 'information processing … the same way one now buys electricity. Highly sensitive personal and important business information will be stored in many of the contemplated systems … At present, nothing more than trust—or, at best, a lack of technical sophistication—stands in the way of a would-be eavesdropper.' To read Baran’s essay (just one of the many on utility computing published at the time) is to realize that our contemporary privacy problem is not contemporary. It’s not just a consequence of Mark Zuckerberg’s selling his soul and our profiles to the NSA. The problem was recognized early on, and little was done about it... It’s not enough for a website to prompt us to decide who should see our data. Instead it should reawaken our own imaginations. Designed right, sites would not nudge citizens to either guard or share their private information but would reveal the hidden political dimensions to various acts of information sharing." -- MIT Technology Review on The Real Privacy Problem
Should software makers be held financially liable for the insecurity of their products? "The joke goes that only two industries refer to their customers as “users.” But here's the real punch line: Drug users and software users are about equally likely to recover damages for whatever harms those wares cause them." [more inside]
A recent strain of malware called Cryptolocker (technical description from BleepingComputer) has been infecting computers across the Internet. It's of the Ransomware (wiki) genre of attack, and searches a computer's drive for critical files by browsing their extensions (for example, focusing on word processing documents, images and music) and encrypts them with its own key that you can then buy back from the hacker for a fee of $100 to $300 dollars payable in Bitcoins. More information about the virus and how to avoid it is available at Krebs On Security, and the Malwarebytes Blog, with more recent developments on Naked Security.
Rewarding friendly hackers who contribute to a more secure internet. "We've selected some of the most important software that supports the internet stack, and we want you to hack it. If the public is demonstrably safer as a result of your contribution to internet security, we'd like to be the first to recognize your work and say "thanks" by sending some cash to you or your favorite non-profit." This is a full disclosure bug bounty program, and all vulnerability reports will eventually be made public. Also featuring an Allie Brosh logo for The Internet.
How would you, as a junior analyst in S2C41, the branch of the Signals Intelligence Directorate, navigate the millions of records logged daily, in order to find the nugget to get you noticed? “EVILOLIVE, MADCAPOCELOT, ORANGECRUSH, COBALTFALCON, DARKTHUNDER: the names are beguiling. But they don’t always tell us much, which is their reason for existing: covernames aren’t classified, and many of them – including the names of the NSA’s main databases for intercepted communications data, MAINWAY, MARINA, PINWALE and NUCLEON – have been seen in public before, in job ads and resumés posted online.” Daniel Soar sorts through the possibilities in the London Review of Books, 24 Oct 2013. (See also William Arkin's blog on codenames) [more inside]
Youtube user rogueamp dedicates his channel to discussing fraudulent antivirus software, AKA "rogues" and "ransomware". (MLYT)
LinkedIn offer to man-in-the-middle all of your email, for free! LinkedIn Intro is a new service by LinkedIn, adding inline data to all your iOS emails. "But how can they read my emails?!" you ask: you use the best encryption money can buy! Well, you just need to install one little security certificate... after all, how much of a a bad idea can it be? LinkedIn are well-known for their good security practices!
But that didn't prevent On the Media producer Sarah Abdurrahman and several members of her family and friends from being detained at a Canadian-US border while on the way home from a wedding. The story is all the more frightening as it details Sarah's inability to get any answers about policy from the Border Patrol, including the name of the officers who held her.
Google knows almost every wi-fi password. Of course this means that the NSA also has access to them. Apple might not be much better.
If the NSA is able to break through banks' computer security, does that mean it solved the prime factorization problem? The New York Times reported recently that “the agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems.” Since banks' encryption codes rely on the fact that nobody knows how to find the prime factors of really large numbers, it could mean that the NSA has found a way to do that. Or it could mean that the NSA has simply gotten lots of banks to give up their information, or found other ways around their encryption. But if they've cracked this long-standing math problem, might the secret leak? What would be the effects?
"As I watch fellow passengers walk into the machines, posing with their arms raised over their heads like prison inmates submitting to a strip search, I feel proud of my small act of protest. Then I spread my legs and await my public groping."
Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting [pdf]. From the 2013 IEEE Symposium on Security and Privacy, this article examines "how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers [i.e. cookies]." [more inside]
Don't fly during Ramadan. Aditya Mukerjee describes his experience while attempting to clear the U.S. Transportation Security Administration's checks and board a JetBlue flight. After being cleared by the TSA, following two hours of questioning and checks, Mukerjee was prevented by JetBlue from boarding his intended flight. He was offered rebooking for the following day and, when he declined, given a refund.
This isn't the first time that the TSA and JetBlue have been called out for this type of action.
This isn't the first time that the TSA and JetBlue have been called out for this type of action.
To reduce the risk of future Edward Snowden style leaks, the NSA wants to reduce the number of people in the loop. Director Keith Alexander told Reuters that the NSA plans to eliminate fully 90 percent of its system administrators and replace them with machines.
In a crackdown that FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network has been compromised, including the e-mail counterpart of TOR deep web, TORmail. FreedomWeb, an Irish company known for providing hosting for Tor "hidden services" -- services reached over the Tor anonymized/encrypted network -- has shut down after its owner, Eric Eoin Marques, was arrested over allegations that he had facilitated the spread of child pornography. [more inside]
Barnaby Jack, a hacker and security researcher previously known for his hacks involving ATMs and insulin pumps, has died in San Francisco. He was 35. His death came just days before he was to give a presentation about techniques for hacking implanted heart devices, which could kill a person from 30 feet away.
PreCheck, a new program instituted by the TSA, will allow passengers to keep their shoes, jackets and belts during screening, as well as allow laptop computers and approved liquids to remain in bags for a fee of $85.
Bulletproof Security is a paramilitary security company. They have provided security to Habitat for Humanity and Empire CAT among others. [more inside]
The TSA has started an Instagram page showing confiscated items from TSA checkpoints in airports around the country.
Relive techno fears of yore ... malware aficionado Daniel White collects vintage computer viruses, infects his machines and records the results. See more examples at his YouTube channel.
Imagine two politicians: One preaches fear and excessive "security," while the other says terrorism is a negligible risk. They hold, like me, that risk is part of life, and that while some security is necessary, we should mostly just refuse to be terrorized and get on with our lives. Fast-forward 10 years. If I'm right and there have been no more terrorist attacks, the preacher of fear takes credit for keeping us safe. But if a terrorist attack has occurred, my government career is over.
Going back to at least 2011, it was believed that Facebook kept "shadow profiles" of users and non-users, accumulating information when users synchronize mobile phones, import personal data from e-mail providers, import personal information from instant messaging services, send invitations to friends or make search queries for other people on Facebook. In early 2012, four members of the U.S. House of Representatives Energy and Commerce Committee's Subcommittee on Oversight and Investigations demanded answers from Facebook (PDF) and were told that non-users didn't have "shadow profiles", but the contents of the reply were not made public. Just this past Friday, Facebook released an "Important Message" on a data leak they closed, in which information from members' "shadow profiles" could be obtained. [more inside]
Yahoo, on June 12, announced that it is releasing inactive IDs. Yahoo says they are "committed and confident," while others think it is a "spectacularly bad idea" and a "dirty trick."
The NFL announced a change to its bag policy Thursday and beginning with the 2013 season, only clear plastic, vinyl or PVC bags will be permitted inside NFL stadiums. [more inside]
The Pew Internet And American Life Project has a new report out on Teens, Social Media, and Privacy. danah boyd comments:
My favorite finding of Pew’s is that 58% of teens cloak their messages either through inside jokes or other obscure references, with more older teens (62%) engaging in this practice than younger teens (46%).[more inside]
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” Hackers get %90 of an MD5 password database using multiple analysis techniques including Markov chains, mask, combinator and hybrid attacks. These attacks combine dictionaries of previously-recovered passwords and passphrases with brute force and statistical analysis to expand the power of password cracking.
In southern Sweden, scene of recent sheep-killing incidents perpetrated by wolves, llamas are being introduced to see if they will kick wolf-butt and protect the sheep. In the US, the guard llama is becoming a more common "first line of defense" on ranches. [more inside]
Have you been looking for bike locks that work? Will only the best locks do? Perhaps you just need a secondary lock?
Practical Ethics: Enlightened Surveillance?
Surrendering on surveillance might be the least bad option – of all likely civil liberty encroachments, this seemed the less damaging and hardest to resist. But that’s an overly defensive way of phrasing it – if ubiquitous surveillance and lack of privacy are the trends of the future, we shouldn’t just begrudgingly accept them, but demand that society gets the most possible out of them.[more inside]
It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home. Well, as one gamer enthusiast who follows me on Twitter remarked, I guess I’ve now “unlocked that level.” ~ KrebsonSecurity
Meet the men who spy on women through their webcams - "If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, "Can I get some slaves for my rat please? I got 2 bucks lol I will give it to you :b" At that point, the indignities you will suffer—and the horrific website images you may see—will be limited only by the imagination of that most terrifying person: a 14-year-old boy with an unsupervised Internet connection."
Delta Airlines and other airline workers' unions have asked the TSA to reconsider their recent announcement to loosen security restrictions on airlines, effective April 25, that would allow passengers to carry small pocket knives, among other items. [more inside]
Twitter is experimenting with online shopping: "American Express card holders who connect their card numbers to their Twitter accounts can post on Twitter to trigger a purchase of select products, including discounted American Express gift cards, Kindle Fire tablets from Amazon.com Inc. and jewelry from designer Donna Karan. The program will roll out over the next few days." [more inside]
Silent Circle, a security start-up led by PGP creator Phil Zimmermann and two ex-Navy SEALs, has been teasing technology that purports to make mobile communications "virtually invulnerable to surveillance efforts" for a few months (previously). Now, they're pushing a "groundbreaking encrypted data transfer app that will enable people to send files securely from a smartphone or tablet at the touch of a button." The company has pledged not to comply with law enforcement surveillance requests, nor to provide backdoor access for the FBI.
What The Rails Security Issue Means For Your Startup summarizes the impact of recent arbitrary-code-execution security vulnerabilities in Ruby on Rails: "What Do We Do When Apocalyptically Bad Things Happen On Our Framework of Choice?"
It is June 2, 2010 and Mark Zuckerberg is sweating. He’s wearing his hoodie—he’s always wearing his hoodie—and he’s on stage and either the lights or the questions are too hot. … “Do you want to take off the hoodie?” asks Kara Swisher.The varied cultural resonances of an unassuming garment.
“I never take off the hoodie.”
The New York Times asks seven 'experts': Does makeup ultimately damage a woman’s self-esteem, or elevate it? [more inside]
(BBC) A security check on a US company has reportedly revealed one of its staff was outsourcing his work to China. [more inside]
The most-watched show in the history of the National Geographic Channel isn't Wild, Taboo or even the longest-running documentary series on cable tv: Explorer. It's Doomsday Preppers, a show that documents the "lives of otherwise ordinary Americans" as they prepare for the end of the world. [more inside]
Security experts agree that it’s only a matter of time before smartphones become the smart person’s murder weapon of choice.
Why 256 bit keys are long enough. A nice graphic explanation by Schneier why brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space. [more inside]
Sumit Suman recently visited a site, did not sign up for anything, did not connect via social media, but got a personal email from the site the next day. Here’s how they did it.