A perhaps surprising view from the right hand side of the pond
 

As noted by Alec Muffet on Twitter

[URL="http://www.bbc.co.uk/news/uk-31032926"]When the ex-head of MI5 has to speak up in favour of free speech in the UK, something's really gone wrong[/URL]

For those who don't recognize the name, Alec is a long-time security geek whom I've known for 20 years or more. Amongst his other achievements, he wrote Crack[sup]*[/sup], worked in Sun's security department for years and now works for Facebook. In his present role, he managed to get access to Facebook via Tor --- which led to rather interesting discussions about SSL certificates for an organization promoting anonymized access over https.

* As Alec says, he didn't invent the password problem, he only optimized it.

[QUOTE=xilman;393944]As noted by Alec Muffet on Twitter

[URL="http://www.bbc.co.uk/news/uk-31032926"]When the ex-head of MI5 has to speak up in favour of free speech in the UK, something's really gone wrong[/URL][/QUOTE]
[i]
"...speaking during a House of Lords debate on the bill, Baroness Manningham-Buller - who was head of the security service at the time of the 7/7 London bombings in 2005 - told peers the plan risked banning non-violent extremists from speaking at universities.
[/i]
That's not a bug, it's a feature.

NSA whistleblower William Binney receives Sam Adams award.

[QUOTE]The ceremony in Berlin featured a powerful line-up of fellow whistleblowers and former intelligence officers, who honoured Binney for “shining light into the darkest of corners of secret government and corporate power”[/QUOTE]Various articles: [URL]http://samadamsaward.ch/[/URL]

[url=https://medium.com/@NafeezAhmed/how-the-cia-made-google-e836451a959e]How the CIA made Google[/url]: [i]Inside the secret network behind mass surveillance, endless war, and Skynet[/i]
[quote]INSURGE INTELLIGENCE, a new crowd-funded investigative journalism project, breaks the exclusive story of how the United States intelligence community funded, nurtured and incubated Google as part of a drive to dominate the world through control of information. Seed-funded by the NSA and CIA, Google was merely the first among a plethora of private sector start-ups co-opted by US intelligence to retain ‘information superiority.’

The origins of this ingenious strategy trace back to a secret Pentagon-sponsored group, that for the last two decades has functioned as a bridge between the US government and elites across the business, industry, finance, corporate, and media sectors. The group has allowed some of the most powerful special interests in corporate America to systematically circumvent democratic accountability and the rule of law to influence government policies, as well as public opinion in the US and around the world. The results have been catastrophic: NSA mass surveillance, a permanent state of global war, and a new initiative to transform the US military into Skynet.[/quote]
The secretive Highlands Forum described in the article alas has little to do with such convivial pursuits as drinking single-malt whisky and tossing the caber. (They probably do a fair bit of the former after hours, but their work has more to do with tossing literal megatons of ordnance into various "threat" regions and tossing any semblance of rule of law and civilian control of of the military out the metaphorical window.)

GCHQ mass internet surveillance was unlawful, rules court
 

[QUOTE]
Mass surveillance of the internet by the monitoring agency GCHQ has not in the past been conducted within the law, the UK’s most secretive court has ruled. The Cheltenham-based organisation’s access to intercepted information obtained by the US National Security Agency (NSA) breached human rights laws, according to the Investigative Powers Tribunal (IPT). The critical judgment marks the first time, since the judicial oversight body was established in 2000, that it has upheld a complaint against any of the UK’s intelligence agencies.

[/QUOTE]Press article: [URL]http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa[/URL]

[QUOTE=Nick;394684]Press article: [URL]http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa[/URL][/QUOTE]Fall-out / follow-up from that.

[url]http://www.theguardian.com/uk-news/2015/feb/06/uk-security-services-capable-bypassing-encryption-draft-code[/url]

Latest from Mark Ames at Pando.com:

[url=pando.com/2015/02/07/how-the-aclu-ron-paul-and-a-former-eff-director-helped-jail-a-cia-whistleblower/]How the ACLU, Ron Paul and a former EFF Director helped jail a CIA whistleblower[/url]
[quote]CIA whistleblower John Kiriakou, who went public about torture programs and was later jailed for leaking the name of a covert CIA agent, was just released from prison to serve out the remaining months of his sentence under house arrest. Kiriakou is the first CIA spy ever jailed for leaking secrets, and only the second American ever convicted under a 1982 law making it a crime to publicly identify covert CIA agents.

The story of how that law, the “Intelligence Identities Protection Act,” came to be is an important and depressing story in its own right, one that’s been totally forgotten. And for good reason: Bad memories are best suppressed, until they creep back up and become a serious “now” problem, and you need to figure out how things got to this point.

The story behind the 1982 law used to jail Kiriakou fills in some of the blanks about how the modern secrecy apparatus was first put together beginning in the Reagan-Bush years. It also reveals the complicity and collaboration of our leading civil libertarians in creating the secrecy-and-censorship leviathan that these same civil libertarians claim to be fighting today on our behalf. Everyone from the ACLU, libertarian hero Ron Paul, even the first executive director of the Electronic Frontier Foundation was complicit in giving us the anti-whistleblower law that put John Kiriakou in prison.[/quote]

[QUOTE=ewmayer;395138]Latest from Mark Ames at Pando.com:

[URL="http://pando.com/2015/02/07/how-the-aclu-ron-paul-and-a-former-eff-director-helped-jail-a-cia-whistleblower/"]How the ACLU, Ron Paul and a former EFF Director helped jail a CIA whistleblower[/URL][/QUOTE]

Is that ever depressing. :sad:

Latest breaking news includes revelations of some truly stunning exploits by the "no such agency" folks. Ars Technica describes key findings based on years of sleuthing by the likes of Kaspersky labs:

[url=arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/]How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last[/url]: [i]"Equation Group" ran the most advanced hacking operation ever uncovered.[/i]
[quote]Beyond the technical similarities to the Stuxnet and Flame developers, Equation Group boasted the type of extraordinary engineering skill people have come to expect from a spy organization sponsored by the world's wealthiest nation. One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.

The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.[/quote]

All these buzz-terms like "military-grade disk wiping" are disappointing. Proper "military-grade disk wiping" would not use the firmware to wipe the surface. Does the word "degauss" mean anything to those authors?

Anyhow with an HDD being reprogrammed and thus sectioning off a portion for storing hidden data, it would show up as a loss of reported capacity. And if the smaller capacity was significant people would start to ask questions. Plus how does the drive decide [i]which[/i] data to place in the sectioned off portion? It is no easy task to figure out which data is useful and which is useless, and they can't just store it all and decide later.

Anyone using truecrypt (or similar software) would completely defeat this. All the drive will see is fully encrypted data.

[QUOTE=retina;395714]All these buzz-terms like "military-grade disk wiping" are disappointing. Proper "military-grade disk wiping" would not use the firmware to wipe the surface. Does the word "degauss" mean anything to those authors?.[/QUOTE]
The whole point of a firmware exploit like this is to defeat all but the "nuclear option" you describe, i.e. to render the HD vulnerable as long the user does not physically destroy it. Even degaussing the disk would not reveal or cure the infected firmware, would it?

[quote]Anyhow with an HDD being reprogrammed and thus sectioning off a portion for storing hidden data, it would show up as a loss of reported capacity. And if the smaller capacity was significant people would start to ask questions. Plus how does the drive decide [i]which[/i] data to place in the sectioned off portion? It is no easy task to figure out which data is useful and which is useless, and they can't just store it all and decide later.[/QUOTE]
You think anyone clever enough to implement a firmware exploit of the kind in play would somehow forget to also monkey with the capacity-reporting of the firmware in order to hide the secret storage? What you are saying is akin to "if someone installs malware on my machine, the OS utility [foo] will flag the change in kernel size..." - but what the group in question did is to completely rewrite the hard drives 'operating system'. So how are you measuring the capacity? You got some magic way to do that which bypasses the HD firmware?

Re. the "how do they decide what to store?" question, based on the other aspects of "precision targeting" described in the article, these folks obviously have a very good idea what they're looking for. And if they have indeed also covered their tracks w.r.to disguising loss of HD available, capacity, you think a 'stealthy loss' of a few MB (or even a few 100 MB) on a typical modern HD of 256GB or more is going to catch your attention?

In any event, I am looking forward to reading more about the details of the various exploits as they become available.

[QUOTE]Anyone using truecrypt (or similar software) would completely defeat this. All the drive will see is fully encrypted data.[/QUOTE]
And if the corrupted firmware installs a keylogger and catches the data as the user enters them? How does your faith-based magical encryption deal with that sort of pre-encrypted-data snooping?