Keep It In Your Pants

I got pepper sprayed Friday, not 100 feet from my front door. Just in front of the little fenced-in lot at 25th & Horace. In broad daylight.

    

Powerful Spying Tool Based on Raspberry Pi: Personal Security Agency

As we store and transport more and more information online, we’ve gradually come to realize how easy it is for others to access that information without our permission. From Facebook’s privacy policies to the ongoing NSA leaks, it seems like the ordinary online user has enough reason to log out. Well, I’ve got more bad news for you: anyone can build a powerful spying tool using off-the-shelf parts, and for under $60 (USD).

Brendan O’Connor is the founder of security and software consultancy company Malice Afterthought. Last week he made headlines when he shared how he built F-BOMB, a small device that runs software that he calls CreepyDOL. The DOL stands for Distributed Object Locator and “Creepy” with a capital ‘C’ is the perfect word to describe it. O’Connor built the F-BOMB using the popular Raspberry Pi microcomputer and added a Wi-Fi sensor to the device. The cost? $57 (USD). He built 10 F-BOMBs and hooked them up to Reticle, a “command & control system” that he made. Finally he hooked it up to a “data visualization system,” which you can see in the image above and in O’Connor’s video below:

In case the video wasn’t clear enough, the F-BOMB can gather a disturbing amount of wireless data. As The New York Times reported – and as the video above proves – with the F-BOMB you can find out not only information on a wireless device but what the user is currently using or accessing through the device: geolocation, websites, email addresses, programs and more.

In my brief chat with O’Connor, he revealed that the device can snoop on wireless devices within about 160ft. He can add other sensors to the F-BOMB as well as adapt it to snoop on wired connections. Further, O’Connor said the F-BOMB is a passive device, so you have no way of knowing if it’s snooping on you. Finally, I asked O’Connor if the situation really is as hopeless for consumers as the New York Times article seemed to indicate. Here’s what he said:

“Yes, it really is that hopeless. There are vulnerabilities in all the relevant layers of the stack. The application developers need to stop leaking so much data outside encryption envelopes (e.g., why does iMessage send hardware make and model, and iOS version, unencrypted?). iOS (I’m picking on it here because I use it, but the same problem is larger) should have OS-level support for blocking all non-VPN traffic until a VPN connection is established (once it’s up, the connection is opaque, but while it’s going up, I’ve usually got all the data I need). And the low-level protocol needs to stop encouraging devices to *beacon out all their known networks constantly*. So since there needs to be culture-level shifts at all the layers of the stack, yes, for end-users, the situation is hopeless at the moment.”

In other words, not only is it possible to make a surveillance tool that is small and cheap, the devices that we use are practically inviting prying eyes to take a look at our data. It falls upon us as end users to nag Apple, Microsoft, Google and other companies who create the hardware and software that we use to step their security game up. It would be foolish to believe that they know nothing about the disaster that they’re courting (with our privacy and security at stake). But for some reason they’re not doing anything about it, nor are they telling us how much danger we’re in.

O’Connor intends to sell F-BOMBs soon. Fellow black hats and tinkerers can sign up at Malice Afterthought’s website to find out more about the F-BOMB and when it will go on sale. Ars Technica also has a thorough technical report on the F-BOMB. As for the rest of us? I guess we’d better start learning how to communicate telepathically.

[via Brendan O’Connor & The New York Times via Infoneer Pulse]

Apple’s developer center back online, again

“Here’s where it all happens for Apple developers” reads the tagline, but that’s not been the case for much of the last few weeks. This morning, Apple’s advising that its developer centre is now fully restored, after being taken offline due to intruder attempts. Hopefully for real this time. In any case, Cupertino’s offering up a month’s extended membership in return for the inconvenience, as outlined in the official statement past the break. Now, back to it.

Source: Apple

Department of Justice and NSA release documents in defense of surveillance

President Obama recently addressed surveillance issues in light of the Edward Snowden leaks and fallout that has resulted since then. At the same time the president made his statement, the Department of Justice and the NSA released documents discussing the topic, justifying the programs and attempting to explain its actions as necessary for the safety […]

NSA releases outline of security programs, says it ‘only’ touches 1.6 percent of internet traffic

Even as President Obama proposes a review of NSA procedures and oversight, the organization published a seven-page document laying out in broad terms what it does, how it does it and why it thinks that’s OK. As Ars Technica points out, the memo claims “We do not need to sacrifice civil liberties for the sake of national security; both are integral to who we are as Americans. NSA can and will continue to conduct its operations in a manner that respects both.” While many would argue those points in light of the many programs recently uncovered, the NSA has a response there also:

According to figures published by a major tech provider, the Internet carries 1,826 Petabytes of information per day. In its foreign intelligence mission, NSA touches about 1.6% of that. However, of the 1.6% of the data, only 0.025% is actually selected for review. The net effect is that NSA analysts look at 0.00004% of the world’s traffic in conducting their mission – that’s less than one part in a million. Put another way, if a standard basketball court represented the global communications environment, NSA’s total collection would be represented by an area smaller than a dime on that basketball court.

Other sections go on to detail how it believes American citizens’ information could be picked up, and what it does to identify and minimize that data. Particularly illuminating is the six-point process (listed after the break) by which it applies Executive Order 12333, considered “the foundational authority by which NSA collects, retains, analyzes, and disseminates foreign signals intelligence information” alongside the Foreign Intelligence Service Act of 1978 (FISA). It’s highly doubtful that any of these points will change your level of comfort with the policies and programs revealed or feelings about their need to change, but reading the document linked below may give some insight about how and why they were created.

Via: Ars Technica

Source: NSA (PDF)

Trojan targets Linux desktop users, steals web banking info

Malware certainly exists for Linux, but it’s more frequently targeted at servers than everyday PCs. Unfortunately, regular users now have more reason to worry: a rare instance of a Linux desktop trojan, Hand of Thief, has surfaced in the wild. The code swipes banking logins and other web sign-in details, creates a backdoor and prevents access to both antivirus tools and virtual machines. It’s known to work with common browsers like Chrome and Firefox as well as 15 Linux distributions, including Debian, Fedora and Ubuntu. Thankfully, Hand of Thief is partly neutered by its limited attack methods; it relies on social engineering to fool victims into installing the software themselves. Even so, the trojan is a reminder that we shouldn’t be complacent about security, regardless of which platform we use.

[Thanks, Dreyer]

Via: ZDNet

Source: RSA

Another Secure Email Service, Silent Circle, Is Shutting Down

Silent Circle, an email provider which guarantees end-to-end secure email, has announced that it’s going the same way as Edward Snowden’s beloved Lavabit and shuttering over concerns of external pressures.


Silent Circle follows Lavabit’s example, shuts down its secure email service

Silent Circle’s thing has always been the promise of end-to-end secure communications, and that drive is apparently causing it to shut down the Silent Mail email service. Reasons cited in a blog post by CTO Jon Callas include the insecure nature of email protocols and preemptively avoiding the outside (read: FISA) pressures that prompted Lavabit to close its doors. Silent Circle says it hadn’t received any “subpoenas, warrants, security letters, or anything else”. Still, CEO Michael Janke tells TechCrunch he believed the government would come knocking due to certain high profile users of the service. Its phone, video and text products remain operational and claim to be “secure as ever”, if you’re wondering.

Source: Silent Circle

Lavabit, reportedly Edward Snowden’s email service of choice, shuts down

It looks like Edward Snowden is going to have to find a new email service as the one he supposedly used — Lavabit — has abruptly closed its doors. The company’s owner, Ladar Levison, posted an open letter on the site today, saying, “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.” Levison also claimed to be unable to speak to the specifics surrounding the situation, stating that a Congressionally approved gag order prevented him from doing so. While Lavabit’s situation seems pretty dire, it might not be curtains just yet. In his message, Levison stated that he would take his fight to reinstate Lavabit to the Fourth Circuit Court of Appeals. To read the missive in full, head on over to the source link below.

Via: Boing Boing

Source: Lavabit

Android Device Manager goes live for rogue phones and tablets

Google’s Android Device Manager has gone live, offering smartphone users a way to remotely track their phone or tablet, as well as secure it if it’s lost or stolen. The free service, unveiled last Friday, supports multiple Android devices per account, showing where they are, when they were last used, and – if factory reset […]