Sunday, December 25, 2016

OpenStack 12/25/2016 (p.m.)

  • Tags: digital-privacy, phone-hacking, law-enforcement, Cellebrite

    • This is part of a Motherboard mini-series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.

      When cops have a phone to break into, they just might pull a small, laptop-sized device out of a rugged briefcase. After plugging the phone in with a cable, and a few taps of a touch-screen, the cops have now bypassed the phone’s passcode. Almost like magic, they now have access to call logs, text messages, and in some cases even deleted data.

      State police forces and highway patrols in the US have collectively spent millions of dollars on this sort of technology to break into and extract data from mobile phones, according to documents obtained by Motherboard. Over 2,000 pages of invoices, purchase orders, communications, and other documents lay out in unprecedented detail how one company in particular has cornered the trade in mobile phone forensics equipment across the United States.

      Cellebrite, an Israel-based firm, sells tools that can pull data from most mobile phones on the market, such as contact lists, emails, and wiped messages. Cellebrite's products can also circumvent the passcode locks or other security protections on many current mobile phones. The gear is typically used to gather evidence from a criminal suspect's device after it has been seized, and although not many public examples of abuse are available, Cellebrite’s tools have been used by non-US authorities to prosecute dissidents.

      Previous reports have focused on federal agencies' acquisition of Cellebrite tools. But as smartphones have proliferated and increasingly become the digital center of our lives, the demand and supply of mobile forensics tools has trickled down to more local bodies.


Posted from Diigo. The rest of Open Web group favorite links are here.

Thursday, December 22, 2016

OpenStack 12/23/2016 (a.m.)

  • Tags: digital-privacy, ECJ, data-retention, litigation, civil-rights

    • The ECJ has ruled that governments cannot force telecom firms to keep all customer data. The ruling, which says the laws violate basic privacy rights, comes as governments call for greater powers for spy agencies.
    • The Court of Justice of the European Union (ECJ) ruled on Wednesday that laws allowing for the blanket collection and retention of location and traffic data are in breach of EU law.

      In their decision, the justices wrote that storing such data, which includes text message senders and recipients and call histories, allows for "very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained."

      "Such national legislation exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society," the Luxembourg-based court said.

      EU member states seeking to fight a "serious crime" are allowed to retain data in a targeted manner but must be subject to prior review by a court or independent body, the EU's top court said. Exceptions can be made in urgent cases.

      The decision came amidst growing calls from EU governments for security agencies to be given greater powers with the goal of preventing or investigating attacks. Privacy advocates, on the other hand, said mass data retention is ineffective in combating such crimes.

    • The court's decision was a response to challenges against data retention laws in Britain and Sweden on the ground that they were no longer valid after the court previously struck down an EU-wide data retention law in 2014.

      In Sweden, the law requires telecommunications companies to retain all their customers' traffic and location data, without exception, the ECJ said.

      British law allows authorities to ask firms to keep all communication data for a maximum 12-month period.

      In the UK, politicians filed a legal challenge against a surveillance law which passed in 2014, part of which was suspended by a British court. British lawmakers then passed the Investigatory Powers Act - the so-called "snooper's charter."

      A German data retention law, which came into effect at the end of 2015, requires telecommunications companies to store telephone and internet use for 10 weeks, after which point the data must be deleted.

      The German law also stipulates a shorter storage time of four weeks for location data which results from mobile phone calls. It remains to be seen what effect the ECJ ruling will have on Germany's blanket data retention measures.



Saturday, December 10, 2016

OpenStack 12/11/2016 (a.m.)

  • Tags: surveillance state, NSA, GCHQ, targets-on-board-cell-calls

    • In the trove of documents provided by former National Security Agency contractor Edward Snowden is a treasure. It begins with a riddle: “What do the President of Pakistan, a cigar smuggler, an arms dealer, a counterterrorism target, and a combatting proliferation target have in common? They all used their everyday GSM phone during a flight.”

      This riddle appeared in 2010 in SIDtoday, the internal newsletter of the NSA’s Signals Intelligence Directorate, or SID, and it was classified “top secret.” It announced the emergence of a new field of espionage that had not yet been explored: the interception of data from phone calls made on board civil aircraft. In a separate internal document from a year earlier, the NSA reported that 50,000 people had already used their mobile phones in flight as of December 2008, a figure that rose to 100,000 by February 2009. The NSA attributed the increase to “more planes equipped with in-flight GSM capability, less fear that a plane will crash due to making/receiving a call, not as expensive as people thought.” The sky seemed to belong to the agency.



Friday, December 09, 2016

OpenStack 12/09/2016 (p.m.)

  • I got a notice from Dropbox tonight that it is now certified under this program. This program is fallout from an E.U. Court of Justice decision following the Snowden disclosures, holding that the then-existing U.S.-E.U. framework for protecting the rights of E.U. citizens' data was invalid because that framework did not adequately protect digital privacy rights. This new framework is intended to comply with the court's decision but one need only look at section 5 of the agreement to see that it does not. Expect follow-on litigation. The agreement is at https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg Section 5 lets NSA continue to intercept and read data from E.U. citizens and also allows their data to be disclosed to U.S. law enforcement. And the agreement adds nothing to U.S. citizens' digital privacy rights. In my view, this framework is a stopgap measure that will only last as long as it takes for another case to reach the Court of Justice and be ruled upon. The ox that got gored by the Court of Justice ruling was U.S. companies' ability to store E.U. citizens' data outside the E.U. and to allow internet traffic from the E.U. to pass through the U.S. Microsoft had leadership that set up new server farms in Europe under the control of a business entity beyond the jurisdiction of U.S. courts. Other U.S. internet biggies didn't follow suit. This framework is their lifeline until the next ruling by the Court of Justice.

    Tags: digital-privacy, EU-U.S.-Privacy-Shield-Framework

    • EU-U.S. Privacy Shield Program Overview

      The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination).

      The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join the Privacy Shield Framework in order to benefit from the adequacy determination. To join the Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in joining the Privacy Shield Framework should review its requirements in their entirety. To assist in that effort, Commerce’s Privacy Shield Team has compiled resources and addressed frequently asked questions below.

      Resources
      Key New Requirements for Participating Organizations

      How to Join the Privacy Shield

      Privacy Policy FAQs

        Frequently Asked Questions



    Thursday, December 08, 2016

    OpenStack 12/09/2016 (a.m.)

    • I think it plain that we need a flat ban on the same company controlling both an ISP and a content company. Comcast, the ISP/content company, has proved that it's willing to misuse its ISP powers to disfavor other content companies such as Hulu and Netflix via network throttling. AT&T plus Time Warner would undoubtedly do the same. And Comcast led the charge against net neutrality, attempting to expand its revenue base from its ISP subscribers to include new charges on content-providing companies. We need a clean separation between ISPs and content companies.

      Tags: ISPs, content-delivery, AT&T, Time-Warner, Comcast

      • When AT&T and Time Warner announced their $85.4 billion deal in October, lawmakers greeted the acquisition frostily. Now their tone is changing.

        At a hearing on Capitol Hill on Wednesday that was being closely watched for how mega-mergers will be viewed in the coming Trump administration, members of a Senate Judiciary subcommittee that oversees regulatory agencies that decide on mergers said the deal merited tough scrutiny. The chief executives of AT&T and Time Warner were grilled at the hearing about a range of issues related to the deal.

        But in a change from previous comments, lawmakers also questioned whether traditional ways of evaluating mergers are growing outdated as Silicon Valley companies like Facebook and Google become massive media platforms that threaten the television industry. Their tone was more circumspect than those that immediately followed the deal’s announcement, when lawmakers had been more critical.



    Wednesday, December 07, 2016

    OpenStack 12/07/2016 (p.m.)

    • Tags: banksters, financial-services, internet, Venezuela, arrests, cyberwar, war & peace

      • Venezuelan President Nicolas Maduro confirmed Saturday that the state intelligence service SEBIN arrested several directors from the Credicard financial transaction company on Friday night. 
      • The financial consortium is accused of having deliberately taken advantage of a series of cyber attacks on state internet provider CANTV Friday to paralyse its online payment platform–responsible for the majority of the country’s accredited financial transactions, according to its website.

        “We have proof that it was a deliberate act what Credicard did yesterday. Right now the main people responsible for Credicard are under arrest,” confirmed the president.

        The government says that millions of attempted purchases using in-store credit and debit card payment machines provided by the company were interrupted after its platform went down for the most part of the day. Authorities also maintain that the company waited longer than the established protocol of one hour before responding to the issues.

      • According to CANTV President Manuel Fernandez, Venezuela’s internet platform suffered at least three attacks from an external source on Friday, one of which was aimed at state oil company PDVSA. CANTV was notified of the attacks by international provider LANautilus, which belongs to Telecom Italia.

        Nonetheless, Fernandez denied that Credicard’s platform was affected by the interferences to CANTV’s service, underscoring that other financial transaction companies that rely on the state enterprise continued to be operative.

      • On Friday SEBIN Director Gustavo Gonzalez Lopez also openly accused members of the rightwing coalition, the Democratic Unity Roundtable (MUD), of being implicated in the incident.

        “Members of the MUD involved in the attack on electronic banking service,” he tweeted.

        “The financial war continues inside and outside the country, internally they are damaging banking operability,” he added.

        Venezuelan news source La Iguana has reported that the server administrator of Credicard is the company Dayco Host, which belongs to the D’Agostino family. Diana D’Agostino is married to veteran opposition politician, Henry Ramos Allup, president of the National Assembly.

        On Saturday, the government-promoted Productive Economy Council held an extraordinary meeting of political and business representatives to reject the attack on the country’s financial system.



    Wednesday, November 23, 2016

    OpenStack 11/23/2016 (p.m.)



    Friday, November 04, 2016

    OpenStack 11/04/2016 (p.m.)

    • Article by James Bamford, the first NSA whistleblower and author of three books on the NSA.

      Tags: war & peace, cyberwar, U.S.-foreign-policy, Russia, Bamford

      • Last summer, cyber investigators plowing through the thousands of leaked emails from the Democratic National Committee uncovered a clue.

        A user named “Феликс Эдмундович” modified one of the documents using settings in the Russian language. Translated, his name was Felix Edmundovich, a pseudonym referring to Felix Edmundovich Dzerzhinsky, the chief of the Soviet Union’s first secret-police organization, the Cheka.

        It was one more link in the chain of evidence pointing to Russian President Vladimir Putin as the man ultimately behind the operation.

        During the Cold War, when Soviet intelligence was headquartered in Dzerzhinsky Square in Moscow, Putin was a KGB officer assigned to the First Chief Directorate. Its responsibilities included “active measures,” a form of political warfare that included media manipulation, propaganda and disinformation. Soviet active measures, retired KGB Major General Oleg Kalugin told Army historian Thomas Boghart, aimed to discredit the United States and “conquer world public opinion.”

        As the Cold War has turned into the code war, Putin recently unveiled his new, greatly enlarged spy organization: the Ministry of State Security, taking the name from Joseph Stalin’s secret service. Putin also resurrected, according to James Clapper, the U.S. director of national intelligence, some of the KGB’s old active-measures tactics.

        On October 7, Clapper issued a statement: “The U.S. Intelligence community is confident that the Russian government directed the recent compromises of emails from U.S. persons and institutions, including from U.S. political organizations.” Notably, however, the FBI declined to join the chorus, according to reports by the New York Times and CNBC.

        A week later, Vice President Joe Biden said on NBC’s Meet the Press that "we're sending a message" to Putin and "it will be at the time of our choosing, and under the circumstances that will have the greatest impact." When asked if the American public would know a message was sent, Biden replied, "Hope not." 

        Meanwhile, the CIA was asked, according to an NBC report on October 14, “to deliver options to the White House for a wide-ranging ‘clandestine’ cyber operation designed to harass and ‘embarrass’ the Kremlin leadership.”

        But as both sides begin arming their cyberweapons, it is critical for the public to be confident that the evidence is really there, and to understand the potential consequences of a tit-for-tat cyberwar escalating into a real war. 

      • This is a prospect that has long worried Richard Clarke, the former White House cyber czar under President George W. Bush. “It’s highly likely that any war that began as a cyberwar,” Clarke told me last year, “would ultimately end up being a conventional war, where the United States was engaged with bombers and missiles.”

        The problem with attempting to draw a straight line from the Kremlin to the Clinton campaign is the number of variables that get in the way. For one, there is little doubt about Russian cyber fingerprints in various U.S. campaign activities. Moscow, like Washington, has long spied on such matters. The United States, for example, inserted malware in the recent Mexican election campaign. The question isn’t whether Russia spied on the U.S. presidential election, it’s whether it released the election emails.

        Then there’s the role of Guccifer 2.0, the person or persons supplying WikiLeaks and other organizations with many of the pilfered emails. Is this a Russian agent? A free agent? A cybercriminal? A combination, or some other entity? No one knows.

        There is also the problem of groupthink that led to the war in Iraq. For example, just as the National Security Agency, the Central Intelligence Agency and the rest of the intelligence establishment are convinced Putin is behind the attacks, they also believed it was a slam-dunk that Saddam Hussein had a trove of weapons of mass destruction. 

        Consider as well the speed of the political-hacking investigation, followed by a lack of skepticism, culminating in a rush to judgment. After the Democratic committee discovered the potential hack last spring, it called in the cybersecurity firm CrowdStrike in May to analyze the problem.

      • CrowdStrike took just a month or so before it conclusively determined that Russia’s FSB, the successor to the KGB, and the Russian military intelligence organization, GRU, were behind it. Most of the other major cybersecurity firms quickly fell in line and agreed. By October, the intelligence community made it unanimous. 

        That speed and certainty contrasts sharply with a previous suspected Russian hack in 2010, when the target was the Nasdaq stock market. According to an extensive investigation by Bloomberg Businessweek in 2014, the NSA and FBI made numerous mistakes over many months that stretched to nearly a year. 

        “After months of work,” the article said, “there were still basic disagreements in different parts of government over who was behind the incident and why.” There was no consensus, with just a 70 percent certainty that the hack was a cybercrime. Months later, this determination was revised again: It was just a Russian attempt to spy on the exchange in order to design its own.

        The federal agents also considered the possibility that the Nasdaq snooping was not connected to the Kremlin. Instead, “someone in the FSB could have been running a for-profit operation on the side, or perhaps sold the malware to a criminal hacking group.” 

        Again, that’s why it’s necessary to better understand the role of Guccifer 2.0 in releasing the Democratic National Committee and Clinton campaign emails before launching any cyberweapons.

      • It is strange that clues in the Nasdaq hack were very difficult to find ― as one would expect from a professional, state-sponsored cyber operation. Conversely, the sloppy, Inspector Clouseau-like nature of the Guccifer 2.0 operation, with someone hiding behind a silly Bolshevik cover name, and Russian language clues in the metadata, smacked more of either an amateur operation or a deliberate deception.

        Then there’s the Shadow Brokers, that mysterious person or group that surfaced in August with its farcical “auction” to profit from a stolen batch of extremely secret NSA hacking tools, in essence, cyberweapons. Where do they fit into the picture? They have a small armory of NSA cyberweapons, and they appeared just three weeks after the first DNC emails were leaked. 

        On Monday, the Shadow Brokers released more information, including what they claimed is a list of hundreds of organizations that the NSA has targeted over more than a decade, complete with technical details. This offers further evidence that their information comes from a leaker inside the NSA rather than the Kremlin.

        The Shadow Brokers also discussed Obama’s threat of cyber retaliation against Russia. Yet they seemed most concerned that the CIA, rather than the NSA or Cyber Command, was given the assignment. This may be a possible indication of a connection to NSA’s elite group, Tailored Access Operations, considered by many the A-Team of hackers.

        “Why is DirtyGrandpa threating CIA cyberwar with Russia?” they wrote. “Why not threating with NSA or Cyber Command? CIA is cyber B-Team, yes? Where is cyber A-Team?” 

        Because of legal and other factors, the NSA conducts cyber espionage, Cyber Command conducts cyberattacks in wartime, and the CIA conducts covert cyberattacks. 

      • The Shadow Brokers connection is important because Julian Assange, the founder of WikiLeaks, claimed to have received identical copies of the Shadow Brokers cyberweapons even before they announced their “auction.” Did he get them from the Shadow Brokers, from Guccifer, from Russia or from an inside leaker at the NSA?

        Despite the rushed, incomplete investigation and unanswered questions, the Obama administration has announced its decision to retaliate against Russia.  But a public warning about a secret attack makes little sense. If a major cyber crisis happens in Russia sometime in the future, such as a deadly power outage in frigid winter, the United States could be blamed even if it had nothing to do with it. 

        That could then trigger a major retaliatory cyberattack against the U.S. cyber infrastructure, which would call for another reprisal attack ― potentially leading to Clarke’s fear of a cyberwar triggering a conventional war. President Barack Obama has also not taken a nuclear strike off the table as an appropriate response to a devastating cyberattack.



    Sunday, October 30, 2016

    OpenStack 10/31/2016 (a.m.)

    • Tags: surveillance state, Endace, internet-intercept, equipment, intelligence-industry-complex

      • It was a powerful piece of technology created for an important customer. The Medusa system, named after the mythical Greek monster with snakes instead of hair, had one main purpose: to vacuum up vast quantities of internet data at an astonishing speed.

        The technology was designed by Endace, a little-known New Zealand company. And the important customer was the British electronic eavesdropping agency, Government Communications Headquarters, or GCHQ.

        Dozens of internal documents and emails from Endace, obtained by The Intercept and reported in cooperation with Television New Zealand, reveal the firm’s key role helping governments across the world harvest vast amounts of information on people’s private emails, online chats, social media conversations, and internet browsing histories.



    Tuesday, October 25, 2016

    OpenStack 10/26/2016 (a.m.)

    • Tags: surveillance state, CloudFlare, censorship

      • Re: Major net hack - it's not necessarily off topic. .gov is herding web sites into its own little DNS animal farms so it can properly protect the public from that dangerous 'information' stuff in time of emergency. CloudFlare is the biggest abattoir... er, animal farm.

        CloudFlare is kind of like a protection racket. If you pay their outrageous fees, you will be 'protected' from DDoS attacks. Since CloudFlare is the preferred covert .gov tool of censorship and content control (when things go south), they are trying to drive as many sites as possible into their digital panopticons.

        Who the hell is Cloudflare?

        ISUCKER: BIG BROTHER INTERNET CULTURE

        On top of that, CloudFlare’s CEO Matthew Prince made a weird, glib admission that he decided to start the company only after the Department of Homeland Security gave him a call in 2007 and suggested he take the technology behind Project Honey Pot one step further…

        And that makes CloudFlare a whole different story: People who sign up for the service are allowing CloudFlare to monitor, observe and scrutinize all of their site’s traffic, which makes it much easier for intel or law enforcement agencies to collect info on websites and without having to hack or request the logs from each hosting company separately. But there’s more. Because CloudFlare doesn’t just passively monitor internet traffic but works like a dynamic firewall to selectively block traffic from sources it deems to be “hostile,” website operators are giving it a whole lotta power over who gets to see their content. The whole point of CloudFlare is to restrict access to websites from specific locations/IP addresses on the fly, without notifying or bothering the website owner with the details. It all boils down to a question of trust, as in: do you trust a shady company with known intel/law enforcement connections to make that decision?

      • And here is an added bonus for the paranoid: Because CloudFlare partially caches websites and delivers them to web surfers via its own servers, the company also has the power to serve up redacted versions of the content to specific users. CloudFlare is perfect: it can implement censorship on the fly, without anyone getting wise to it!

        Right now CloudFlare says it monitors nearly 1/5 of all Internet visits. [<-- this] An astounding claim for a company most people haven’t even heard of. And techie bloggers seem very excited about getting as much Internet traffic routed through them as possible!

        See? Plausible deniability. A couple of degrees of separation. Yet when the Borg Queen wants to start WWIII next year, she can order the DHS Stasi to order outfits like CloudFlare to do the proper 'shaping' of internet traffic to filter out unwanted information.

        How far is any expose of propaganda like Dusty Boy going to happen if nobody can get to sites like MoA? You'll be able to get to all kinds of tweets and NGO sites crying about Dusty Boy 2.0, but you won't see a tweet or a web site calling them out on their lies. Will you even know they interviewed Assad? Will you know the activist 'photographer' is a paid NGO shill or that he's pals with al Zenki? Nope, not if .gov can help it.

    • Tags: DDOS-attacks, Internet-of-things

      • Last month, we wrote about Bruce Schneier's warning that certain unknown parties were carefully testing ways to take down the internet. They were doing carefully configured DDoS attacks, testing core internet infrastructure, focusing on key DNS servers. And, of course, we've also been talking about the rise of truly massive DDoS attacks, thanks to poorly secured Internet of Things (IoT) devices, and ancient, unpatched bugs.

        That all came to a head this morning when large chunks of the internet went down for about two hours, thanks to a massive DDoS attack targeting managed DNS provider Dyn. Most of the down sites are back (I'm still having trouble reaching Twitter), but it was pretty widespread, and lots of big name sites all went down. Just check out this screenshot from Downdetector showing the outages on a bunch of sites:
      • You'll see not all of them have downtime (and the big ISPs, as always, show lots of complaints about downtimes), but a ton of those sites show a giant spike in downtime for a few hours.

        So, once again, we'd like to point out that this is a problem that the internet community needs to start solving now. There's been a theoretical threat for a while, but it's no longer so theoretical. Yes, some people point out that this is a difficult thing to deal with. If you're pointing people to websites, even if we were to move to a more distributed system, there are almost always some kinds of chokepoints, and those with malicious intent will always, eventually, target those chokepoints. But there has to be a better way -- because if there isn't, this kind of thing is going to become a lot worse.


    Monday, October 24, 2016

    OpenStack 10/25/2016 (a.m.)

    • Tags: surveillance state, FISA-Court, opinions, disclosure, litigation, ACLU

      • The American Civil Liberties Union (ACLU) has filed a motion to reveal the secret court opinions with “novel or significant interpretations” of surveillance law, in a renewed push for government transparency.

        The motion, filed Wednesday by the ACLU and Yale Law School’s Media Freedom and Information Access Clinic, asks the Foreign Intelligence Surveillance Act (FISA) Court, which rules on intelligence gathering activities in secret, to release 23 classified decisions it made between 9/11 and the passage of the USA Freedom Act in June 2015.

        As ACLU National Security Project staff attorney Patrick Toomey explains, the opinions are part of a “much larger collection of hidden rulings on all sorts of government surveillance activities that affect the privacy rights of Americans.”

        Among them is the court order that the government used to direct Yahoo to secretly scan its users’ emails for “a specific set of characters.” Toomey writes:

        These court rulings are essential for the public to understand how federal laws are being construed and implemented. They also show how constitutional protections for personal privacy and expressive activities are being enforced by the courts. In other words, access to these opinions is necessary for the public to properly oversee their government.

      • Although the USA Freedom Act requires the release of novel FISA court opinions on surveillance law, the government maintains that the rule does not apply retroactively—thereby protecting the panel from publishing many of its post-9/11 opinions, which helped create an “unprecedented buildup” of secret surveillance laws.

        Even after National Security Agency (NSA) whistleblower Edward Snowden revealed the scope of mass surveillance in 2013, sparking widespread outcry, dozens of rulings on spying operations remain hidden from the public eye, which stymies efforts to keep the government accountable, civil liberties advocates say.

        “These rulings are necessary to inform the public about the scope of the government’s surveillance powers today,” the ACLU’s motion states.

        • Toomey writes that the rulings helped influence a number of novel spying activities, including:

          • The government’s use of malware, which it calls “Network Investigative Techniques”
          • The government’s efforts to compel technology companies to weaken or circumvent their own encryption protocols
          • The government’s efforts to compel technology companies to disclose their source code so that it can identify vulnerabilities
          • The government’s use of “cybersignatures” to search through internet communications for evidence of computer intrusions
          • The government’s use of stingray cell-phone tracking devices under the Foreign Intelligence Surveillance Act (FISA)
          • The government’s warrantless surveillance of Americans under FISA Section 702—a controversial authority scheduled to expire in December 2017
          • The bulk collection of financial records by the CIA and FBI under Section 215 of the Patriot Act

          Without these rulings being made public, “it simply isn’t possible to understand the government’s claimed authority to conduct surveillance,” Toomey writes.

          As he told The Intercept on Wednesday, “The people of this country can’t hold the government accountable for its surveillance activities unless they know what our laws allow. These secret court opinions define the limits of the government’s spying powers. Their disclosure is essential for meaningful public oversight in our democracy.”



    Tuesday, October 18, 2016

    OpenStack 10/19/2016 (a.m.)

    • Tags: surveillance state, Wikileaks, Assange, Ecuador, internet-access

      • Midway through releasing a series of damaging disclosures about U.S. presidential contender Hillary Clinton, WikiLeaks founder Julian Assange says his hosts at the Ecuadorean Embassy in London abruptly cut him off from the internet. The news adds another layer of intrigue to an extraordinary campaign.

        “We can confirm Ecuador cut off Assange’s internet access Saturday, 5pm GMT, shortly after publication of Clinton’s Goldman Sachs (speeches),” the group said in a message posted to Twitter late Monday.

    • Tags: surveillance state, fingerprints, phone-access, search-warrants, civil-liberties

      • Under the Fourth Amendment, Americans are protected from unreasonable searches and seizures, but according to one group of federal prosecutors, just being in the wrong house at the wrong time is cause enough to make every single person inside provide their fingerprints and unlock their phones.

        Back in 2014, a Virginia Circuit Court ruled that while suspects cannot be forced to provide phone passcodes, biometric data like fingerprints doesn’t have the same constitutional protection. Since then, multiple law enforcement agencies have tried to force individual suspects to unlock their phones with their fingers, but none have claimed the sweeping authority found in a Justice Department memorandum recently uncovered by Forbes.

      • In the court document filed earlier this year, federal prosecutors in California argued that a warrant for a mass finger-unlocking was constitutionally sound even though “the government does not know ahead of time the identity of every digital device or every fingerprint (or indeed, every other piece of evidence) that it will find in the search” because “it has demonstrated probable cause that evidence may exist at the search location.” Criminal defense lawyer Marina Medvin, however, disagreed.

        “They want the ability to get a warrant on the assumption that they will learn more after they have a warrant,” Medvin told Forbes. “This would be an unbelievably audacious abuse of power if it were permitted.”

        Unfortunately, other documents related to the case were not publicly available, so it's unclear if the search was actually executed. Even so, Medvin believes the memorandum sets a deeply troubling precedent, using older case law regarding the collection of fingerprint evidence to request complete access to the “amazing amount of information” found on a cellphone.



    Monday, October 17, 2016

    OpenStack 10/18/2016 (a.m.)

    • Investigation was instigated by Sen. Ron Wyden after receiving constituent complaints.

      Tags: cable-ISPs, Comcast, Xfinity, FCC, penalties, excess-charges

      • Comcast is being forced to pay the largest fine the FCC has ever levied against a cable operator. Its offense: Charging customers for services and equipment they didn't ask for.

        The company agreed to pay a $2.3 million civil penalty and to submit to a "compliance plan," in which regulators will monitor Comcast for the next five years to ensure it cleans up its act.

      • The FCC said it received over 1,000 complaints from customers, who said Comcast charged them for premium channels, cable boxes, DVRs or other products that they never ordered.

        In many cases, the FCC said, customers expressly told Comcast that they didn't want the add-on options, but they were charged anyway.

        Complaints also describe how customers spent "significant time and energy to attempt to remove the unauthorized charges" and get refunds, the commission said.

        The complaints spurred the FCC to launch an investigation nearly two years ago. Today's settlement marks the conclusion of the probe.

        Under the five-year compliance plan, Comcast must begin sending customers special notifications every time a new charge or service is added to their bill. The company also has to add a way for customers to easily "block the addition of new services or equipment to their accounts," according to an FCC press release.

      • Comcast (CMCSA) will also be required to compensate or address complaints from customers who have disputed charges, and it will be barred from referring an account to collections or suspending an account that has a disputed charge.

        Comcast agreed to the fine without admitting any guilt.



    Sunday, October 16, 2016

    OpenStack 10/17/2016 (a.m.)

    • Bruce Schneier pointing to a massive security hole in the Internet of Things ("IoT").

      Tags: cybersecurity, Internet-of-things, DDOS

      • Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack.

        In many ways, this is nothing new. Distributed denial-of-service attacks are a family of attacks that cause websites and other internet-connected systems to crash by overloading them with traffic. The "distributed" part means that other insecure computers on the internet—sometimes in the millions—are recruited to a botnet to unwittingly participate in the attack. The tactics are decades old; DDoS attacks are perpetrated by lone hackers trying to be annoying, criminals trying to extort money, and governments testing their tactics. There are defenses, and there are companies that offer DDoS mitigation services for hire.

        Basically, it's a size vs. size game. If the attackers can cobble together a fire hose of data bigger than the defender's capability to cope with, they win. If the defenders can increase their capability in the face of attack, they win.

        What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things.

        Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.



    Friday, October 07, 2016

    OpenStack 10/07/2016 (p.m.)

    • Tags: surveillance state, NSA, zero-day-exploits, leak, arrest, prosecution, Martin

      • A contractor working for the National Security Agency (NSA) was arrested by the FBI following his alleged theft of “state secrets.” More specifically, the contractor, Harold Thomas Martin, is charged with stealing highly classified source codes developed to covertly hack the networks of foreign governments, according to several senior law enforcement and intelligence officials. The Justice Department has said that these stolen materials were “critical to national security.”

        Martin was employed by Booz Allen Hamilton, the company responsible for most of the NSA’s most sensitive cyber-operations. Edward Snowden, the most well-known NSA whistleblower, also worked for Booz Allen Hamilton until he fled to Hong Kong in 2013 where he revealed a trove of documents exposing the massive scope of the NSA dragnet surveillance. That surveillance system was shown to have targeted untold numbers of innocent Americans.

        According to the New York Times, the theft “raises the embarrassing prospect” that an NSA insider managed to steal highly damaging secret information from the NSA for the second time in three years, not to mention the “Shadow Broker” hack this past August, which made classified NSA hacking tools available to the public.

      • Snowden himself took to Twitter to comment on the arrest. In a tweet, he said the news of Martin’s arrest “is huge” and asked, “Did the FBI secretly arrest the person behind the reports [that the] NSA sat on huge flaws in US products?” It is currently unknown if Martin was connected to those reports as well.
      • It also remains to be seen what Martin’s motivations were in removing classified data from the NSA. Though many suspect that he planned to follow in Snowden’s footsteps, the government will more likely argue that he had planned to commit espionage by selling state secrets to “adversaries.”

        According to the New York Times article on the arrest, Russia, China, Iran, and North Korea are named as examples of the “adversaries” who would have been targeted by the NSA codes that Martin is accused of stealing. However, Snowden revealed widespread US spying on foreign governments including several US allies such as France and Germany. This suggests that the stolen “source codes” were likely utilized on a much broader scale.



    Friday, September 16, 2016

    OpenStack 09/16/2016 (p.m.)

    • Tags: surveillance state, FBI, Comey, webcam-intercepts

      • The head of the FBI on Wednesday defended putting a piece of tape over his personal laptop's webcam, claiming the security step was a common sense one that most should take.  

        “There’s some sensible things you should be doing, and that’s one of them,” Director James Comey said during a conference at the Center for Strategic and International Studies.

        “You go into any government office and we all have the little camera things that sit on top of the screen,” he added. “They all have a little lid that closes down on them.

        “You do that so that people who don’t have authority don’t look at you. I think that’s a good thing.”

        Comey was pilloried online earlier this year, after he revealed that he puts a piece of tape over his laptop camera to keep away prying eyes. The precaution is a common one among security advocates, given the relative ease of hacking laptop cameras.  

      • But many found it ironic for Comey, who this year launched a high profile battle against Apple to gain access to data locked inside of the iPhone used by one of the San Bernardino, Calif., terrorists. Many viewed that fight as a referendum on digital privacy.

        Comey was “much mocked for that,” he acknowledged on Wednesday.

        But he still uses the tape on his laptop.

        “I hope people lock their cars,” he said. “Lock your doors at night… if you have an alarm system, you should use it.”

        “It’s not crazy that the FBI director cares about personal security as well,” the FBI director added. “So I think people ought to take responsibility for their own safety and security.”



    Thursday, September 15, 2016

    OpenStack 09/16/2016 (a.m.)

    • If you want to take part, the action page is at https://www.pardonsnowden.org/

      Tags: surveillance-state, Snowden, Snowden-pardon

      • Prominent activists, lawmakers, artists, academics, and other leading voices in civil society, including Sen. Bernie Sanders (I-Vt.), are joining the campaign to get a pardon for National Security Agency (NSA) whistleblower Edward Snowden.

        “The information disclosed by Edward Snowden has allowed Congress and the American people to understand the degree to which the NSA has abused its authority and violated our constitutional rights,” Sanders wrote for the Guardian on Wednesday. “Now we must learn from the troubling revelations Mr. Snowden brought to light. Our intelligence and law enforcement agencies must be given the tools they need to protect us, but that can be done in a way that does not sacrifice our rights.”

        Pentagon Papers whistleblower Daniel Ellsberg, who co-founded the public interest journalism advocacy group Freedom of the Press Foundation, where Snowden is a board member, also wrote, “Ed Snowden should be freed of the legal burden hanging over him. They should remove the indictment, pardon him if that’s the way to do it, so that he is no longer facing prison.”

        Snowden faces charges under the Espionage Act after he released classified NSA files to media outlets in 2013 exposing the U.S. government’s global mass surveillance operations. He fled to Hong Kong, then Russia, where he has been living under political asylum for the past three years.

      • The Pardon Snowden campaign, supported by the American Civil Liberties Union (ACLU), Amnesty International, and Human Rights Watch (HRW), urges people around the world to write to Obama throughout his last four months in the White House.


    OpenStack 09/15/2016 (p.m.)

    • Tags: surveillance state, Stingray, documentation

      • Harris Corp.’s Stingray surveillance device has been one of the most closely guarded secrets in law enforcement for more than 15 years. The company and its police clients across the United States have fought to keep information about the mobile phone-monitoring boxes from the public against which they are used. The Intercept has obtained several Harris instruction manuals spanning roughly 200 pages and meticulously detailing how to create a cellular surveillance dragnet.

        Harris has fought to keep its surveillance equipment, which carries price tags in the low six figures, hidden from both privacy activists and the general public, arguing that information about the gear could help criminals. Accordingly, an older Stingray manual released under the Freedom of Information Act to news website TheBlot.com last year was almost completely redacted. So too have law enforcement agencies at every level, across the country, evaded almost all attempts to learn how and why these extremely powerful tools are being used — though court battles have made it clear Stingrays are often deployed without any warrant. The San Bernardino Sheriff’s Department alone has snooped via Stingray, sans warrant, over 300 times.

      • The documents described and linked below, instruction manuals for the software used by Stingray operators, were provided to The Intercept as part of a larger cache believed to have originated with the Florida Department of Law Enforcement. Two of them contain a “distribution warning” saying they contain “Proprietary Information and the release of this document and the information contained herein is prohibited to the fullest extent allowable by law.”

         Although “Stingray” has become a catch-all name for devices of its kind, often referred to as “IMSI catchers,” the manuals include instructions for a range of other Harris surveillance boxes, including the Hailstorm, ArrowHead, AmberJack, and KingFish. They make clear the capability of those devices and the Stingray II to spy on cellphones by, at minimum, tracking their connection to the simulated tower, information about their location, and certain “over the air” electronic messages sent to and from them. Wessler added that parts of the manuals make specific reference to permanently storing this data, something that American law enforcement has denied doing in the past.

      • One piece of Windows software used to control Harris’s spy boxes, software that appears to be sold under the name “Gemini,” allows police to track phones across 2G, 3G, and LTE networks. Another Harris app, “iDen Controller,” provides a litany of fine-grained options for tracking phones. A law enforcement agent using these pieces of software along with Harris hardware could not only track a large number of phones as they moved throughout a city but could also apply nicknames to certain phones to keep track of them in the future. The manual describing how to operate iDEN, the lengthiest document of the four at 156 pages, uses an example of a target (called a “subscriber”) tagged alternately as Green Boy and Green Ben:
      • In order to maintain an uninterrupted connection to a target’s phone, the Harris software also offers the option of intentionally degrading (or “redirecting”) someone’s phone onto an inferior network, for example, knocking a connection from LTE to 2G:
      • A video of the Gemini software installed on a personal computer, obtained by The Intercept and embedded below, provides not only an extensive demonstration of the app but also underlines how accessible the mass surveillance code can be: Installing a complete warrantless surveillance suite is no more complicated than installing Skype. Indeed, software such as Photoshop or Microsoft Office, which require a registration key or some other proof of ownership, are more strictly controlled by their makers than software designed for cellular interception.


    Tuesday, August 30, 2016

    OpenStack 08/31/2016 (a.m.)

    • The Archive Team Warrior is a virtual archiving appliance. You can run it to help with the ArchiveTeam archiving efforts. It will download sites and upload them to our archive — and it’s really easy to do! The warrior is a virtual machine, so there is no risk to your computer. The warrior will only use your bandwidth and some of your disk space. It will get tasks from and report progress to the Tracker.

      Basic usage

      The warrior runs on Windows, OS X and Linux using a virtual machine. You'll need one of:

      • VirtualBox (recommended)
      • VMware workstation/player (free-gratis for personal use)
      • See below for alternative virtual machines

      Partners with and contributes lots of archives to the Wayback Machine. Here's how you can help by contributing some bandwidth if you run an always-on box with an internet connection.

      Tags: internet, history, archives, Internet-Archives, ArchiveTeam

        • HISTORY IS OUR FUTURE

          And we've been trashing our history

          Archive Team is a loose collective of rogue archivists, programmers, writers and loudmouths dedicated to saving our digital heritage. Since 2009 this variant force of nature has caught wind of shutdowns, shutoffs, mergers, and plain old deletions - and done our best to save the history before it's lost forever. Along the way, we've gotten attention, resistance, press and discussion, but most importantly, we've gotten the message out: IT DOESN'T HAVE TO BE THIS WAY.

          This website is intended to be an offloading point and information depot for a number of archiving projects, all related to saving websites or data that is in danger of being lost. Besides serving as a hub for team-based pulling down and mirroring of data, this site will provide advice on managing your own data and rescuing it from the brink of destruction.

          Currently Active Projects (Get Involved Here!)

          Archive Team recruiting

          • Deathwatch is where we keep track of sites that are sickly, dying or dead.
          • Fire Drill is where we keep track of sites that seem fine but a lot depends on them.
          • Projects is a comprehensive list of AT endeavors.
          • Philosophy describes the ideas underpinning our work.

          Some Starting Points

          • Software will assist you in regaining control of your data by providing tools for information backup, archiving and distribution.
          • Formats will familiarise you with the various data formats, and how to ensure your files will be readable in the future.
          • Storage Media is about where to get it, what to get, and how to use it.


    Friday, August 26, 2016

    OpenStack 08/27/2016 (a.m.)

    • Tags: surveillance state, iPhone-exploit, exploits

      • 1. Executive Summary

        Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”).  On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers.  We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product.  NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

        The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.  We are calling this exploit chain Trident.  Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.  

        We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.

        • The Trident Exploit Chain:

          • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution
          • CVE-2016-4655: An application may be able to disclose kernel memory
          • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges

          Once we confirmed the presence of what appeared to be iOS zero-days, Citizen Lab and Lookout quickly initiated a responsible disclosure process by notifying Apple and sharing our findings. Apple responded promptly, and notified us that they would be addressing the vulnerabilities. We are releasing this report to coincide with the availability of the iOS 9.3.5 patch, which blocks the Trident exploit chain by closing the vulnerabilities that NSO Group appears to have exploited and sold to remotely compromise iPhones.

          Recent Citizen Lab research has shown that many state-sponsored spyware campaigns against civil society groups and human rights defenders use “just enough” technical sophistication, coupled with carefully planned deception. This case demonstrates that not all threats follow this pattern.  The iPhone has a well-deserved reputation for security.  As the iPhone platform is tightly controlled by Apple, technically sophisticated exploits are often required to enable the remote installation and operation of iPhone monitoring tools. These exploits are rare and expensive. Firms that specialize in acquiring zero-days often pay handsomely for iPhone exploits.  One such firm, Zerodium, acquired an exploit chain similar to the Trident for one million dollars in November 2015.

          The high cost of iPhone zero-days, the apparent use of NSO Group’s government-exclusive Pegasus product, and prior known targeting of Mansoor by the UAE government provide indicators that point to the UAE government as the likely operator behind the targeting.

          Remarkably, this case marks the third commercial “lawful intercept” spyware suite employed in attempts to compromise Mansoor.  In 2011, he was targeted with FinFisher’s FinSpy spyware, and in 2012 he was targeted with Hacking Team’s Remote Control System.  Both Hacking Team and FinFisher have been the object of several years of revelations highlighting the misuse of spyware to compromise civil society groups, journalists, and human rights workers.

