Tuesday, November 25, 2014

OpenStack 11/26/2014 (a.m.)

  • Don't miss the video. And if you have a web site, urge your host service to begin preparing for Let's Encrypt. (See video on why it's good for them.)

    Tags: surveillance state, encryption, https, let's-encrypt, nsa-reform

    • If we’ve learned one thing from the Snowden revelations, it’s that what can be spied on will be spied on. Since the advent of what used to be known as the World Wide Web, it has been a relatively simple matter for network attackers—whether it’s the NSA, Chinese intelligence, your employer, your university, abusive partners, or teenage hackers on the same public WiFi as you—to spy on almost everything you do online.

      HTTPS, the technology that encrypts traffic between browsers and websites, fixes this problem—anyone listening in on that stream of data between you and, say, your Gmail window or bank’s web site would get nothing but useless random characters—but is woefully under-used. The ambitious new non-profit Let’s Encrypt aims to make the process of deploying HTTPS not only fast, simple, and free, but completely automatic. If it succeeds, the project will render vast regions of the internet invisible to prying eyes.

    • The benefits of using HTTPS are obvious when you think about protecting secret information you send over the internet, like passwords and credit card numbers. It also helps protect information like what you search for in Google, what articles you read, what prescription medicine you take, and messages you send to colleagues, friends, and family from being monitored by hackers or authorities.

      But there are less obvious benefits as well. Websites that don’t use HTTPS are vulnerable to “session hijacking,” where attackers can take over your account even if they don’t know your password. When you download software without encryption, sophisticated attackers can secretly replace the download with malware that hacks your computer as soon as you try installing it.

    • Encryption also prevents attackers from tampering with or impersonating legitimate websites. For example, the Chinese government censors specific pages on Wikipedia, the FBI impersonated The Seattle Times to get a suspect to click on a malicious link, and Verizon and AT&T injected tracking tokens into mobile traffic without user consent. HTTPS goes a long way in preventing these sorts of attacks.

      And of course there’s the NSA, which relies on the limited adoption of HTTPS to continue to spy on the entire internet with impunity. If companies want to do one thing to meaningfully protect their customers from surveillance, it should be enabling encryption on their websites by default.

    • Let’s Encrypt, which was announced this week but won’t be ready to use until the second quarter of 2015, describes itself as “a free, automated, and open certificate authority (CA), run for the public’s benefit.” It’s the product of years of work from engineers at Mozilla, Cisco, Akamai, Electronic Frontier Foundation, IdenTrust, and researchers at the University of Michigan. (Disclosure: I used to work for the Electronic Frontier Foundation, and I was aware of Let’s Encrypt while it was being developed.)

      If Let’s Encrypt works as advertised, deploying HTTPS correctly and using all of the best practices will be one of the simplest parts of running a website. All it will take is running a command. Currently, HTTPS requires jumping through a variety of complicated hoops that certificate authorities insist on in order to prove ownership of domain names. Let’s Encrypt automates this task in seconds, without requiring any human intervention, and at no cost.

    • The transition to a fully encrypted web won’t be immediate. After Let’s Encrypt is available to the public in 2015, each website will have to actually use it to switch over. And major web hosting companies also need to hop on board for their customers to be able to take advantage of it. If hosting companies start work now to integrate Let’s Encrypt into their services, they could offer HTTPS hosting by default at no extra cost to all their customers by the time it launches.
  • Tags: surveillance state, NSA, GCHQ, malware, Regin

    • Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.

      Regin was found on infected internal computer systems and email servers at Belgacom, a partly state-owned Belgian phone and internet provider, following reports last year that the company was targeted in a top-secret surveillance operation carried out by British spy agency Government Communications Headquarters, industry sources told The Intercept.

      The malware, which steals data from infected systems and disguises itself as legitimate Microsoft software, has also been identified on the same European Union computer systems that were targeted for surveillance by the National Security Agency.

    • The hacking operations against Belgacom and the European Union were first revealed last year through documents leaked by NSA whistleblower Edward Snowden. The specific malware used in the attacks has never been disclosed, however.

Posted from Diigo. The rest of Open Web group favorite links are here.

OpenStack 11/25/2014 (p.m.)

  • Tags: surveillance state, anti-spyware, Detekt, EFF

    • For more than two years, researchers and rights activists have tracked the proliferation and abuse of computer spyware that can watch people in their homes and intercept their e-mails. Now they’ve built a tool that can help the targets protect themselves.

      The free, downloadable software, called Detekt, searches computers for the presence of malicious programs that have been built to evade detection. The spyware ranges from government-grade products used by intelligence and police agencies to hacker staples known as RATs—remote administration tools. Detekt, which was developed by security researcher Claudio Guarnieri, is being released in a partnership with advocacy groups Amnesty International, Digitale Gesellschaft, the Electronic Frontier Foundation, and Privacy International.

      Guarnieri says his tool finds hidden spy programs by seeking unique patterns on computers that indicate a specific malware is running. He warns users not to expect his program (which is available only for Windows machines) to find all spyware, and notes that the release of Detekt could spur malware developers to further cloak their code.



Sunday, November 23, 2014

OpenStack 11/24/2014 (a.m.)

  • Tags: surveillance state, NSA, U.S., polls, sense-of-privacy, data privacy

    • A new study finds that a vast majority of Americans trust neither the government nor tech companies with their personal data.
    • What does it look like when a society loses its sense of privacy?

      In the almost 18 months since the Snowden files first received coverage, writers and critics have had to guess at the answer. Does a certain trend, consumer complaint, or popular product epitomize some larger shift? Is trust in tech companies eroding—or is a subset just especially vocal about it?

      Polling would make those answers clear, but polling so far has been… confused. A new study, conducted by the Pew Internet Project last January and released last week, helps make the average American’s view of his or her privacy a little clearer.

      And their confidence in their own privacy is ... low.

      The study's findings—and the statistics it reports—stagger. Vast majorities of Americans are uncomfortable with how the government uses their data, how private companies use and distribute their data, and what the government does to regulate those companies.

      No summary can equal a recounting of the findings. Americans are displeased with government surveillance en masse:   

        • According to the study, 70 percent of Americans are “at least somewhat concerned” with the government secretly obtaining information they post to social networking sites.
        • Eighty percent of respondents agreed that “Americans should be concerned” with government surveillance of telephones and the web.

        They are also uncomfortable with how private corporations use their data:

        • Ninety-one percent of Americans believe that “consumers have lost control over how personal information is collected and used by companies,” according to the study.
        • Eighty percent of Americans who use social networks “say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.”

        And even though they’re squeamish about the government’s use of data, they want it to regulate tech companies and data brokers more strictly: 64 percent wanted the government to do more to regulate private data collection.

        Since June 2013, American politicians and corporate leaders have fretted over how much the leaks would cost U.S. businesses abroad.

    • “It’s clear the global community of Internet users doesn’t like to be caught up in the American surveillance dragnet,” Senator Ron Wyden said last month.

      At the same event, Google chairman Eric Schmidt agreed with him. “What occurred was a loss of trust between America and other countries,” he said, according to the Los Angeles Times. “It's making it very difficult for American firms to do business.”

      But never mind the world. Americans don’t trust American social networks. More than half of the poll’s respondents said that social networks were “not at all secure.” Only 40 percent of Americans believe email or texting is at least “somewhat” secure.

      Indeed, Americans trusted most of all communication technologies where some protections have been enshrined into the law (though the report didn’t ask about snail mail). That is: Talking on the telephone, whether on a landline or cell phone, is the only kind of communication that a majority of adults believe to be “very secure” or “somewhat secure.”

    • (That may seem a bit incongruous, because making a telephone call is one area where you can be almost sure you are being surveilled: The government has requisitioned mass call records from phone companies since 2001. But Americans appear, when discussing security, to differentiate between the contents of the call and data about it.)

      Last month, Ramsey Homsany, the general counsel of Dropbox, said that one big thing could take down the California tech scene.

      “We have built this incredible economic engine in this region of the country,” said Homsany in the Los Angeles Times, “and [mistrust] is the one thing that starts to rot it from the inside out.”

      According to this poll, the mistrust has already begun corroding—and is already, in fact, well advanced. We’ve always assumed that the great hurt to American business will come globally—that citizens of other nations will stop using tech companies’ services. But the new Pew data shows that Americans suspect American businesses just as much. And while, unlike citizens of other nations, they may not have other places to turn, they may stop putting sensitive or delicate information online.

  • Tags: Openweb, enemies of the internet

    • Who are the enemies of the free and open Internet in 2014?


Friday, November 14, 2014

OpenStack 11/15/2014 (a.m.)

  • Tags: surveillance state, cyberwar, Stuxnet

    • “Is this related to what we talked about before?” Bencsáth said, referring to a previous discussion they’d had about testing new services the company planned to offer customers.

      “No, something else,” Bartos said. “Can you come now? It’s important. But don’t tell anyone where you’re going.”

      Bencsáth wolfed down the rest of his lunch and told his colleagues in the lab that he had a “red alert” and had to go. “Don’t ask,” he said as he ran out the door.

      A while later, he was at Bartos’ office, where a triage team had been assembled to address the problem they wanted to discuss. “We think we’ve been hacked,” Bartos said.

    • They found a suspicious file on a developer’s machine that had been created late at night when no one was working. The file was encrypted and compressed so they had no idea what was inside, but they suspected it was data the attackers had copied from the machine and planned to retrieve later. A search of the company’s network found a few more machines that had been infected as well. The triage team felt confident they had contained the attack but wanted Bencsáth’s help determining how the intruders had broken in and what they were after. The company had all the right protections in place—firewalls, antivirus, intrusion-detection and -prevention systems—and still the attackers got in.
    • Bencsáth was a teacher, not a malware hunter, and had never done such forensic work before. At the CrySyS Lab, where he was one of four advisers working with a handful of grad students, he did academic research for the European Union and occasional hands-on consulting work for other clients, but the latter was mostly run-of-the-mill cleanup work—mopping up and restoring systems after random virus infections. He’d never investigated a targeted hack before, let alone one that was still live, and was thrilled to have the chance. The only catch was, he couldn’t tell anyone what he was doing. Bartos’ company depended on the trust of customers, and if word got out that the company had been hacked, they could lose clients.

      The triage team had taken mirror images of the infected hard drives, so they and Bencsáth spent the rest of the afternoon poring over the copies in search of anything suspicious. By the end of the day, they’d found what they were looking for—an “infostealer” string of code that was designed to record passwords and other keystrokes on infected machines, as well as steal documents and take screenshots. It also catalogued any devices or systems that were connected to the machines so the attackers could build a blueprint of the company’s network architecture. The malware didn’t immediately siphon the stolen data from infected machines but instead stored it in a temporary file, like the one the triage team had found. The file grew fatter each time the infostealer sucked up data, until at some point the attackers would reach out to the machine to retrieve it from a server in India that served as a command-and-control node for the malware.

    • Bencsáth took the mirror images and the company’s system logs with him, after they had been scrubbed of any sensitive customer data, and over the next few days scoured them for more malicious files, all the while being coy to his colleagues back at the lab about what he was doing. The triage team worked in parallel, and after several more days they had uncovered three additional suspicious files.

      When Bencsáth examined one of them—a kernel-mode driver, a program that helps the computer communicate with devices such as printers—his heart quickened. It was signed with a valid digital certificate from a company in Taiwan (digital certificates are documents ensuring that a piece of software is legitimate). Wait a minute, he thought. Stuxnet—the cyberweapon that was unleashed on Iran’s uranium-enrichment program—also used a driver that was signed with a certificate from a company in Taiwan. That one came from RealTek Semiconductor, but this certificate belonged to a different company, C-Media Electronics. The driver had been signed with the certificate in August 2009, around the same time Stuxnet had been unleashed on machines in Iran.

  • Bookburning in the digital era.

    Tags: open web, Internet, censorship, UK

    • Internet companies have agreed to do more to tackle extremist material online following negotiations led by Downing Street.

      The UK’s major Internet service providers – BT, Virgin, Sky and Talk Talk – have this week committed to host a public reporting button for terrorist material online, similar to the reporting button which allows the public to report child sexual exploitation.

      They have also agreed to ensure that terrorist and extremist material is captured by their filters to prevent children and young people coming across radicalising material.

      The UK is the only country in the world with a Counter Terrorism Internet Referral Unit (CITRU) - a 24/7 law enforcement unit, based in the Met, dedicated to identifying and taking down extreme graphic material as well as material that glorifies, incites and radicalises.



Wednesday, November 05, 2014

OpenStack 11/05/2014 (p.m.)



Tuesday, November 04, 2014

OpenStack 11/04/2014 (p.m.)

  • Tags: surveillance state, Verizon, X-UIDH, tracker

    • Verizon users might want to start looking for another provider. In an effort to better serve advertisers, Verizon Wireless has been silently modifying its users' web traffic on its network to inject a cookie-like tracker. This tracker, included in an HTTP header called X-UIDH, is sent to every unencrypted website a Verizon customer visits from a mobile device. It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent.

      Verizon apparently created this mechanism to expand their advertising programs, but it has privacy implications far beyond those programs. Indeed, while we're concerned about Verizon's own use of the header, we're even more worried about what it allows others to find out about Verizon users. The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy. Worse still, Verizon doesn't let users turn off this "feature." In fact, it functions even if you use a private browsing mode or clear your cookies. You can test whether the header is injected in your traffic by visiting lessonslearned.org/sniff or amibeingtracked.com over a cell data connection.

      How X-UIDH Works, and Why It's a Problem

    • To compound the problem, the header also affects more than just web browsers. Mobile apps that send HTTP requests will also have the header inserted. This means that users' behavior in apps can be correlated with their behavior on the web, which would be difficult or impossible without the header. Verizon describes this as a key benefit of using their system. But Verizon bypasses the 'Limit Ad Tracking' settings in iOS and Android that are specifically intended to limit abuse of unique identifiers by mobile apps.
    • Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers.
    • We're also concerned that Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data. Only two months ago, the wireline sector of Verizon's business was hit with a $7.4 million fine by the Federal Communications Commission after it was caught using its "customers' personal information for thousands of marketing campaigns without even giving them the choice to opt out." With this header, it looks like Verizon lets its customers opt out of the marketing side of the program, but not from the disclosure of their browsing habits.
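The EFF excerpt above describes X-UIDH as a token the carrier inserts into every plaintext HTTP request, invisible to the user and immune to cookie clearing. The following is an added example, not code from the EFF article or from Verizon, showing what a site operator can do on the receiving end: count how many plaintext requests arrive carrying the header, strip it before the application or any server-side ad integration can read it, and redirect plaintext requests to HTTPS, where the network cannot inject headers. It is written as standard WSGI middleware; `echo_app`, `make_environ`, the host name and the token value are constructed for the demonstration.

```python
"""Defensive handling of a carrier-injected tracking header (X-UIDH).

Added example (not from the EFF article). Uses the standard WSGI environ /
start_response interface; the downstream app and request data are constructed.
"""
from collections import Counter

# Header names the article describes as injected at the network level.
INJECTED_TRACKING_HEADERS = ("X-UIDH",)


def _environ_key(header_name):
    """'X-UIDH' -> 'HTTP_X_UIDH', the key WSGI uses for a request header."""
    return "HTTP_" + header_name.upper().replace("-", "_")


class TrackingHeaderGuard:
    """WSGI middleware that (1) counts requests carrying an injected tracking
    header so the operator can measure how many visitors are being labelled,
    (2) removes the header before the application (or any server-side ad code
    it calls) can read or store it, and (3) redirects plaintext requests to
    HTTPS, which the carrier cannot modify in transit."""

    def __init__(self, app, redirect_to_https=True):
        self.app = app
        self.redirect_to_https = redirect_to_https
        self.seen = Counter()  # header name -> number of requests carrying it

    def __call__(self, environ, start_response):
        for name in INJECTED_TRACKING_HEADERS:
            if environ.pop(_environ_key(name), None) is not None:
                self.seen[name] += 1
        if self.redirect_to_https and environ.get("wsgi.url_scheme") != "https":
            location = ("https://" + environ.get("HTTP_HOST", "localhost")
                        + environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Constructed downstream app: reports whether it can still see X-UIDH."""
    body = environ.get("HTTP_X_UIDH", "<absent>").encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, environ):
    """Minimal WSGI driver: returns (status, header dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(scheme, host, path, extra_headers=None):
    """Constructed request environ; extra_headers maps raw header name -> value."""
    env = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme,
           "HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": ""}
    for name, value in (extra_headers or {}).items():
        env[_environ_key(name)] = value
    return env


if __name__ == "__main__":
    guard = TrackingHeaderGuard(echo_app)
    # Plaintext request with an injected token (token value is constructed).
    print(run_request(guard, make_environ("http", "example.test", "/news",
                                          {"X-UIDH": "constructed-token"})))
    # The same client after following the redirect: HTTPS, nothing injected.
    print(run_request(guard, make_environ("https", "example.test", "/news")))
    print(dict(guard.seen))
```

The counter is the operator's measurement of exposure; the strip and redirect are the mitigation, since the article notes the header is only added to unencrypted traffic.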


Monday, November 03, 2014

OpenStack 11/04/2014 (a.m.)

  • Tags: Internet, newspapers, Google-tax, Spain

    • Newspapers in Spain will now be able to demand a monthly fee from the search engine before it can list them on Google News.
    • A similar law passed in Germany saw Google removing the affected newspapers from Google news altogether – before the publishers eventually came back and asked to be relisted after seeing their traffic plummet, a step they said they had to take because of the “overwhelming market power of Google”.
  • Get ready to fight TPP fast-tracking in member states. See also ‘Wikileaks’ free trade documents reveal ‘drastic’ Australian concessions.’ Source: The Guardian. http://goo.gl/hicb5h Remember that in the U.S., only Senate ratification is required. The measure will not go before the House before implementation.

    Tags: globalization, Trans-Pacific Partnership, home-stretch

    • Talks on the TPP, which would create a massive free trade zone encompassing some 40 percent of global output, have long been stalled due partly to bickering between Japan and the United States -- the biggest economies in the TPP framework -- over removal of barriers for agricultural and automotive trade.

      The biggest sticking point has been Tokyo's proposed exceptions to tariff cuts on its five sensitive farm product categories -- rice, wheat, beef and pork, dairy products and sugar -- and safeguard measures it wants to introduce should imports of the products surge under the TPP, which aims for zero tariffs in principle.

      It is uncertain how much closer the two sides can move given that their recent working-level talks saw little progress, negotiation sources said.

    • A summit meeting of the Asia-Pacific Economic Cooperation forum scheduled for November in Beijing that Obama and leaders from other TPP countries are slated to join is seen as an occasion for concluding the TPP talks, which have entered their fifth year.

      But the odds on an agreement depend on whether Japan and the United States can bridge their gaps before that.

    • Hiroshi Oe, Japan's deputy chief TPP negotiator, has admitted that talks with his counterpart Wendy Cutler, Froman's top deputy, earlier this month in Tokyo made very little progress.

      One negotiation source said the hurdle for solving the outstanding bilateral problems is "extremely high," suggesting it is still premature to bring the talks to the ministerial level.

      Amari himself had been reluctant to hold a one-on-one meeting with Froman with the working-level negotiations failing to see enough progress.

      But he apparently decided to ramp up efforts in response to strong calls from Washington for arranging a meeting with Froman, who has said the two sides are "now at a critical juncture in this negotiation."

    • The TPP comprises Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, the United States and Vietnam.


Saturday, November 01, 2014

OpenStack 11/01/2014 (p.m.)

