mersenneforum.org

Government snooping, backdoors and #necessaryhashtags (https://www.mersenneforum.org/showthread.php?t=18271)

ewmayer 2014-11-26 23:17

Couple of technospying stories, first one historic, 2nd contemporary:

o [url=www.eetimes.com/document.asp?doc_id=1274748]Eavesdropping using microwaves - addendum[/url] | EETimes

Opens with the fascinating history of Russian math prodigy Leon Theremin and his passive cavity bugging device used to listen in on US ambassador Averell Harriman's office conversations, then proceeds to "modern applications".


o [url=https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/]Secret Malware in European Union Attack Linked to U.S. and British Intelligence[/url] | The Intercept
[quote]Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.

Regin was found on infected internal computer systems and email servers at Belgacom, a partly state-owned Belgian phone and internet provider, following reports last year that the company was targeted in a top-secret surveillance operation carried out by British spy agency Government Communications Headquarters, industry sources told The Intercept.

The malware, which steals data from infected systems and disguises itself as legitimate Microsoft software, has also been identified on the same European Union computer systems that were targeted for surveillance by the National Security Agency.

The hacking operations against Belgacom and the European Union were first revealed last year through documents leaked by NSA whistleblower Edward Snowden. The specific malware used in the attacks has never been disclosed, however.

The Regin malware, whose existence was first reported by the security firm Symantec on Sunday, is among the most sophisticated ever discovered by researchers. Symantec compared Regin to Stuxnet, a state-sponsored malware program developed by the U.S. and Israel to sabotage computers at an Iranian nuclear facility. Sources familiar with internal investigations at Belgacom and the European Union have confirmed to The Intercept that the Regin malware was found on their systems after they were compromised, linking the spy tool to the secret GCHQ and NSA operations.

Ronald Prins, a security expert whose company Fox IT was hired to remove the malware from Belgacom’s networks, told The Intercept that it was “the most sophisticated malware” he had ever studied.

“Having analyzed this malware and looked at the [previously published] Snowden documents,” Prins said, “I’m convinced Regin is used by British and American intelligence services.”

A spokesman for Belgacom declined to comment specifically about the Regin revelations, but said that the company had shared “every element about the attack” with a federal prosecutor in Belgium who is conducting a criminal investigation into the intrusion. “It’s impossible for us to comment on this,” said Jan Margot, a spokesman for Belgacom. “It’s always been clear to us the malware was highly sophisticated, but ever since the clean-up this whole story belongs to the past for us.”

In a hacking mission codenamed Operation Socialist, GCHQ gained access to Belgacom’s internal systems in 2010 by targeting engineers at the company. The agency secretly installed so-called malware “implants” on the employees’ computers by sending their internet connection to a fake LinkedIn page. The malicious LinkedIn page launched a malware attack, infecting the employees’ computers and giving the spies total control of their systems, allowing GCHQ to get deep inside Belgacom’s networks to steal data.

The implants allowed GCHQ to conduct surveillance of internal Belgacom company communications and gave British spies the ability to gather data from the company’s network and customers, which include the European Commission, the European Parliament, and the European Council. The software implants used in this case were part of the suite of malware now known as Regin.

One of the keys to Regin is its stealth: To avoid detection and frustrate analysis, malware used in such operations frequently adheres to a modular design. This involves the deployment of the malware in stages, making it more difficult to analyze and mitigating certain risks of being caught.

Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent Hack.lu conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.

The use of hacking techniques and malware in state-sponsored espionage has been publicly documented over the last few years: China has been linked to extensive cyber espionage, and recently the Russian government was also alleged to have been behind a cyber attack on the White House. Regin further demonstrates that Western intelligence agencies are also involved in covert cyberespionage.[/quote]

only_human 2014-12-19 21:50

[URL="http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/"]German researchers discover a flaw that could let anyone listen to your cell calls.[/URL]
[QUOTE]These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.[/QUOTE]
[QUOTE]The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function -- a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

Nohl on Wednesday demonstrated the ability to collect and decrypt a text message using the phone of a German senator, who cooperated in the experiment. But Nohl said the process could be automated to allow massive decryption of calls and texts collected across an entire city or a large section of a country, using multiple antennas.[/QUOTE]

ewmayer 2015-01-01 07:09

[url=www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html]Prying Eyes: Inside the NSA's War on Internet Security[/url] | Spiegel Online
[quote]For the NSA, the breaking of encryption methods represents a constant conflict of interest. The agency and its allies do have their own secret encryption methods for internal use. But the NSA is also tasked with providing the US National Institute of Standards and Technology (NIST) with "technical guidelines in trusted technology" that may be "used in cost-effective systems for protecting sensitive computer data." In other words: Checking cryptographic systems for their value is part of the NSA's job. One encryption standard the NIST explicitly recommends is the Advanced Encryption Standard (AES). The standard is used for a large variety of tasks, from encrypting the PIN numbers of banking cards to hard disk encryption for computers.

One NSA document shows that the agency is actively looking for ways to break the very standard it recommends - this section is marked as "Top Secret" (TS): "Electronic codebooks, such as the Advanced Encryption Standard, are both widely used and difficult to attack cryptanalytically. The NSA has only a handful of in-house techniques. The TUNDRA project investigated a potentially new technique -- the Tau statistic -- to determine its usefulness in codebook analysis."

The fact that large amounts of the cryptographic systems that underpin the entire Internet have been intentionally weakened or broken by the NSA and its allies poses a grave threat to the security of everyone who relies on the Internet -- from individuals looking for privacy to institutions and companies relying on cloud computing. Many of these weaknesses can be exploited by anyone who knows about them -- not just the NSA.[/quote]

ewmayer 2015-01-18 22:35

[url=boingboing.net/2015/01/13/what-david-cameron-just-propos.html]What David Cameron just proposed would endanger every Briton and destroy the IT industry[/url]: [i]David Cameron says there should be no "means of communication" which "we cannot read" -- and no doubt many in his party will agree with him, politically. But if they understood the technology, they would be shocked to their boots.[/i]

ewmayer 2015-01-21 01:33

And on the "creeping prison state" and "unconstitutional police surveillance" fronts:

o [url=http://www.nakedcapitalism.com/2015/01/home-prison-lock-neighborhood-country.html]Your Home Is Your Prison: How to Lock Down Your Neighborhood, Your Country, and You[/url]
[i]
This post describes a particularly ugly face of the ever-increasing levels of surveillance to which we are all being subjected, namely new tools for monitoring criminals, including those whose cases looked weak or politically motivated. But it's not just that surveillance is being used as an alternative to prison. In 2012, two school districts in Houston were already requiring students to wear electronic tags. And as this article warns, pre-crime is coming too.[/i]

Especially Wall-street-rentier-ish is the forcing of the thusly-"freed" people to pay the cost of their ongoing "soft" imprisonment, often to the tune of $1000 per month or more. Almost makes staying in the "hard" prison a desirable alternative - 3 square meals a day, free healthcare, no "ankle bracelet stigma", and a similar level of "privacy".

o [url=http://www.freep.com/story/news/2015/01/19/police-radar-see-through-walls/22007615/]U.S. Marshals use wall penetrating radar to see inside your house[/url]
[quote]At least 50 U.S. law enforcement agencies have secretly equipped their officers with radar devices that allow them to effectively peer through the walls of houses to see whether anyone is inside, a practice raising new concerns about the extent of government surveillance.

Those agencies, including the FBI and the U.S. Marshals Service, began deploying the radar systems more than two years ago with little notice to the courts and no public disclosure of when or how they would be used. The technology raises legal and privacy issues because the U.S. Supreme Court has said officers generally cannot use high-tech sensors to tell them about the inside of a person’s house without first obtaining a search warrant.

Current and former federal officials say the information is critical for keeping officers safe if they need to storm buildings or rescue hostages. But privacy advocates and judges have nonetheless expressed concern about the circumstances in which law enforcement agencies may be using the radars — and the fact that they have so far done so without public scrutiny.[/quote]

ewmayer 2015-01-21 22:59

Peter Woit (via his [i]Not Even Wrong[/i] string-theory-skeptical blog) writes on the subject of the NSA's (alleged) backdooring of DUAL_EC_DRBG in elliptic-curve crypto, and the AMS' role in allowing the NSA to disseminate its 'official' version of the story unchallenged. (Link to Part I is in the article):

[url=www.math.columbia.edu/~woit/wordpress/?p=7457]The NSA, NIST and the AMS, Part II[/url]
[quote]The publication of the George and Wertheimer pieces by the AMS has created a situation where there are just two possibilities:

o Despite what experts believe and Snowden documents indicate, the NSA chose P and Q by a method that did not introduce a backdoor. For some reason though they are unwilling to state publicly that this is the case.
o P and Q were chosen with a backdoor, and the AMS has now repeatedly been used to try and mislead the mathematics community about this issue.

I’ve contacted someone at the AMS to try and find out whether the question of a backdoor in P and Q was addressed in the refereeing process of the article, but been told that they won’t discuss this. I think this is an issue that now needs to be addressed by the AMS leadership, specifically by demanding assurances from Wertheimer that the NSA did not choose a backdoored P and Q. If this is the case I can see no reason why such assurances cannot be provided. If the NSA and Wertheimer won’t provide this, I think the AMS needs to immediately cut off its cooperative programs with the agency. There may be different opinions about the advisability of such programs, but I don’t think there can be any argument about the significance of the AMS being used by the NSA to mislead the mathematics community.[/quote]

kladner 2015-01-22 16:24

More and War, The Tao of Washington By Tom Engelhardt
 
Editor, publisher, analyst, writer- all of these words, and more, describe Tom Engelhardt. His site hosts many insightful authors, and his articles are to the point and thought-provoking.

[URL="http://www.mersenneforum.org/More and War, The Tao of Washington"]More and War, The Tao of Washington[/URL]
[QUOTE]When it comes to the national security state, our capital has become a thought-free zone. The airlessness of the place, the unwillingness of leading players in the corridors of power to explore new ways of approaching crucial problems is right there in plain sight, yet remarkably unnoticed. Consider this the Tao of Washington.


Last week, based on a heavily redacted 231-page document released by the government in response to a Freedom of Information Act lawsuit, Charlie Savage, a superb reporter for the [I]New York Times[/I], [URL="http://www.nytimes.com/2015/01/12/us/politics/beyond-nsa-fbi-is-assuming-a-larger-surveillance-role-report-shows.html"]revealed[/URL] that the FBI has become a “significant player” in the world of warrantless surveillance, previously the bailiwick of the National Security Agency. The headline on his piece was: “FBI is broadening surveillance role, report shows.”


Here’s my question: In the last 13 years, can you remember a single headline related to the national security state that went “FBI [or fill in your agency of choice] is narrowing surveillance role [or fill in your role of choice], report shows”? Of course not, because when any crisis, problem, snafu or set of uncomfortable feelings, fears, or acts arises, including those by tiny groups of disturbed people or what are now called “lone wolf” terrorists, there is only one imaginable response: more money, more infrastructure, more private contractors, more surveillance, more weaponry, and more war. On a range of subjects, our post-9/11 experience should have taught us that [I]this[/I] -- whatever it is we’re doing -- is no solution to anything, but no such luck.
[/QUOTE]

only_human 2015-01-22 16:36

[QUOTE=kladner;393188]Editor, publisher, analyst, writer- all of these words, and more, describe Tom Engelhardt. His site hosts many insightful authors, and his articles are to the point and thought-provoking.

[URL="http://www.mersenneforum.org/More and War, The Tao of Washington"]More and War, The Tao of Washington[/URL][/QUOTE]
[QUOTE]“It is difficult to get a [STRIKE]man[/STRIKE] TLA to understand something, when his salary depends on his not understanding it.”
― Upton Sinclair, [I]I, Candidate for Governor: And How I Got Licked[/I][/QUOTE]
Fixed that with TLA. I left the pronoun intact because Three Letter Agencies are people, my friend.

kladner 2015-01-22 16:50

[QUOTE=only_human;393190]Fixed that with TLA. I left the pronoun intact because Three Letter Agencies are people, my friend.[/QUOTE]

ow [B]OW [SIZE=3]OW![/SIZE][/B] :ouch2: :ouch1: :digging:

kladner 2015-01-26 08:19

Roll over! Good Doggie!
 
From The Guardian:
[URL="http://www.theguardian.com/technology/2015/jan/25/wikileaks-google-staff-emails-us-government"]WikiLeaks demands answers after Google hands staff emails to US government [/URL]

[QUOTE]Google took almost three years to disclose to the open information group [URL="http://www.theguardian.com/media/wikileaks"]WikiLeaks[/URL] that it had handed over emails and other digital data belonging to three of its staffers to the US government, under a secret search warrant issued by a federal judge.

WikiLeaks has written to Google’s executive chairman, Eric Schmidt, to protest that the search giant only revealed the warrants last month, having been served them in March 2012. In the letter, WikiLeaks says it is “astonished and disturbed” that [URL="http://www.theguardian.com/technology/google"]Google[/URL] waited more than two and a half years to notify its subscribers, potentially depriving them of their ability to protect their rights to “privacy, association and freedom from illegal searches”.

[URL="https://www.documentcloud.org/documents/1508759-wikileaks-letter-to-google.html"]The letter[/URL], written by WikiLeaks’ New York-based lawyer, Michael Ratner of the [URL="http://ccrjustice.org/"]Center For Constitutional Rights[/URL], asks Google to list all the materials it provided to the FBI. Ratner also asks whether the California-based company did anything to challenge the warrants and whether it has received any further data demands it has yet to divulge.

Google revealed to WikiLeaks on Christmas Eve – a traditionally quiet news period – that it had responded to a Justice Department order to hand over a catch-all dragnet of digital data including all emails and IP addresses relating to the three staffers. The subjects of the warrants were the investigations editor of WikiLeaks, the British citizen [URL="https://www.documentcloud.org/documents/1508760-wikileaks-harrison-warrant.html"]Sarah Harrison[/URL]; the spokesperson for the organisation, [URL="https://www.documentcloud.org/documents/1508761-wikileaks-hrafnsson-warrant.html"]Kristinn Hrafnsson[/URL]; and [URL="https://www.documentcloud.org/documents/1508762-wikileaks-farrell-warrant.html"]Joseph Farrell[/URL], one of its senior editors.

When it notified the WikiLeaks employees last month, Google said it had been unable to say anything about the warrants earlier as a gag order had been imposed. Google said the non-disclosure orders had subsequently been lifted, though it did not specify when.
[/QUOTE]

xilman 2015-01-29 19:14

A perhaps surprising view from the right hand side of the pond
 
As noted by Alec Muffett on Twitter

[URL="http://www.bbc.co.uk/news/uk-31032926"]When the ex-head of MI5 has to speak up in favour of free speech in the UK, something's really gone wrong[/URL]

For those who don't recognize the name, Alec is a long-time security geek whom I've known for 20 years or more. Amongst his other achievements, he wrote Crack[sup]*[/sup], worked in Sun's security department for years and now works for Facebook. In his present role, he managed to get access to Facebook via Tor --- which led to rather interesting discussions about SSL certificates for an organization promoting anonymized access over https.

* As Alec says, he didn't invent the password problem, he only optimized it.

ewmayer 2015-01-30 00:19

[QUOTE=xilman;393944]As noted by Alec Muffett on Twitter

[URL="http://www.bbc.co.uk/news/uk-31032926"]When the ex-head of MI5 has to speak up in favour of free speech in the UK, something's really gone wrong[/URL][/QUOTE]
[i]
"...speaking during a House of Lords debate on the bill, Baroness Manningham-Buller - who was head of the security service at the time of the 7/7 London bombings in 2005 - told peers the plan risked banning non-violent extremists from speaking at universities."
[/i]
That's not a bug, it's a feature.

Nick 2015-01-30 15:41

NSA whistleblower William Binney receives Sam Adams award.

[QUOTE]The ceremony in Berlin featured a powerful line-up of fellow whistleblowers and former intelligence officers, who honoured Binney for “shining light into the darkest of corners of secret government and corporate power”[/QUOTE]Various articles: [URL]http://samadamsaward.ch/[/URL]

ewmayer 2015-01-31 00:21

[url=https://medium.com/@NafeezAhmed/how-the-cia-made-google-e836451a959e]How the CIA made Google[/url]: [i]Inside the secret network behind mass surveillance, endless war, and Skynet[/i]
[quote]INSURGE INTELLIGENCE, a new crowd-funded investigative journalism project, breaks the exclusive story of how the United States intelligence community funded, nurtured and incubated Google as part of a drive to dominate the world through control of information. Seed-funded by the NSA and CIA, Google was merely the first among a plethora of private sector start-ups co-opted by US intelligence to retain ‘information superiority.’

The origins of this ingenious strategy trace back to a secret Pentagon-sponsored group, that for the last two decades has functioned as a bridge between the US government and elites across the business, industry, finance, corporate, and media sectors. The group has allowed some of the most powerful special interests in corporate America to systematically circumvent democratic accountability and the rule of law to influence government policies, as well as public opinion in the US and around the world. The results have been catastrophic: NSA mass surveillance, a permanent state of global war, and a new initiative to transform the US military into Skynet.[/quote]
The secretive Highlands Forum described in the article alas has little to do with such convivial pursuits as drinking single-malt whisky and tossing the caber. (They probably do a fair bit of the former after hours, but their work has more to do with tossing literal megatons of ordnance into various "threat" regions and tossing any semblance of rule of law and civilian control of the military out the metaphorical window.)

Nick 2015-02-06 10:38

GCHQ mass internet surveillance was unlawful, rules court
 
[QUOTE]
Mass surveillance of the internet by the monitoring agency GCHQ has not in the past been conducted within the law, the UK’s most secretive court has ruled. The Cheltenham-based organisation’s access to intercepted information obtained by the US National Security Agency (NSA) breached human rights laws, according to the Investigatory Powers Tribunal (IPT). The critical judgment marks the first time, since the judicial oversight body was established in 2000, that it has upheld a complaint against any of the UK’s intelligence agencies.

[/QUOTE]Press article: [URL]http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa[/URL]

xilman 2015-02-10 09:59

[QUOTE=Nick;394684]Press article: [URL]http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa[/URL][/QUOTE]Fall-out / follow-up from that.

[url]http://www.theguardian.com/uk-news/2015/feb/06/uk-security-services-capable-bypassing-encryption-draft-code[/url]

ewmayer 2015-02-11 03:51

Latest from Mark Ames at Pando.com:

[url=pando.com/2015/02/07/how-the-aclu-ron-paul-and-a-former-eff-director-helped-jail-a-cia-whistleblower/]How the ACLU, Ron Paul and a former EFF Director helped jail a CIA whistleblower[/url]
[quote]CIA whistleblower John Kiriakou, who went public about torture programs and was later jailed for leaking the name of a covert CIA agent, was just released from prison to serve out the remaining months of his sentence under house arrest. Kiriakou is the first CIA spy ever jailed for leaking secrets, and only the second American ever convicted under a 1982 law making it a crime to publicly identify covert CIA agents.

The story of how that law, the “Intelligence Identities Protection Act,” came to be is an important and depressing story in its own right, one that’s been totally forgotten. And for good reason: Bad memories are best suppressed, until they creep back up and become a serious “now” problem, and you need to figure out how things got to this point.

The story behind the 1982 law used to jail Kiriakou fills in some of the blanks about how the modern secrecy apparatus was first put together beginning in the Reagan-Bush years. It also reveals the complicity and collaboration of our leading civil libertarians in creating the secrecy-and-censorship leviathan that these same civil libertarians claim to be fighting today on our behalf. Everyone from the ACLU, libertarian hero Ron Paul, even the first executive director of the Electronic Frontier Foundation was complicit in giving us the anti-whistleblower law that put John Kiriakou in prison.[/quote]

kladner 2015-02-11 05:05

[QUOTE=ewmayer;395138]Latest from Mark Ames at Pando.com:

[URL="http://pando.com/2015/02/07/how-the-aclu-ron-paul-and-a-former-eff-director-helped-jail-a-cia-whistleblower/"]How the ACLU, Ron Paul and a former EFF Director helped jail a CIA whistleblower[/URL][/QUOTE]

Is that ever depressing. :sad:

ewmayer 2015-02-18 01:25

Latest breaking news includes revelations of some truly stunning exploits by the "no such agency" folks. Ars Technica describes key findings based on years of sleuthing by the likes of Kaspersky labs:

[url=arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/]How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last[/url]: [i]"Equation Group" ran the most advanced hacking operation ever uncovered.[/i]
[quote]Beyond the technical similarities to the Stuxnet and Flame developers, Equation Group boasted the type of extraordinary engineering skill people have come to expect from a spy organization sponsored by the world's wealthiest nation. One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.

The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.[/quote]

retina 2015-02-18 01:39

All these buzz-terms like "military-grade disk wiping" are disappointing. Proper "military-grade disk wiping" would not use the firmware to wipe the surface. Does the word "degauss" mean anything to those authors?

Anyhow with an HDD being reprogrammed and thus sectioning off a portion for storing hidden data, it would show up as a loss of reported capacity. And if the smaller capacity was significant people would start to ask questions. Plus how does the drive decide [i]which[/i] data to place in the sectioned off portion? It is no easy task to figure out which data is useful and which is useless, and they can't just store it all and decide later.

Anyone using truecrypt (or similar software) would completely defeat this. All the drive will see is fully encrypted data.

ewmayer 2015-02-18 07:40

[QUOTE=retina;395714]All these buzz-terms like "military-grade disk wiping" are disappointing. Proper "military-grade disk wiping" would not use the firmware to wipe the surface. Does the word "degauss" mean anything to those authors?[/QUOTE]
The whole point of a firmware exploit like this is to defeat all but the "nuclear option" you describe, i.e. to render the HD vulnerable as long as the user does not physically destroy it. Even degaussing the disk would not reveal or cure the infected firmware, would it?

[quote]Anyhow with an HDD being reprogrammed and thus sectioning off a portion for storing hidden data, it would show up as a loss of reported capacity. And if the smaller capacity was significant people would start to ask questions. Plus how does the drive decide [i]which[/i] data to place in the sectioned off portion? It is no easy task to figure out which data is useful and which is useless, and they can't just store it all and decide later.[/QUOTE]
You think anyone clever enough to implement a firmware exploit of the kind in play would somehow forget to also monkey with the capacity-reporting of the firmware in order to hide the secret storage? What you are saying is akin to "if someone installs malware on my machine, the OS utility [foo] will flag the change in kernel size..." - but what the group in question did is to completely rewrite the hard drive's 'operating system'. So how are you measuring the capacity? You got some magic way to do that which bypasses the HD firmware?

Re. the "how do they decide what to store?" question, based on the other aspects of "precision targeting" described in the article, these folks obviously have a very good idea what they're looking for. And if they have indeed also covered their tracks w.r.to disguising loss of available HD capacity, you think a 'stealthy loss' of a few MB (or even a few 100 MB) on a typical modern HD of 256GB or more is going to catch your attention?

In any event, I am looking forward to reading more about the details of the various exploits as they become available.

[QUOTE]Anyone using truecrypt (or similar software) would completely defeat this. All the drive will see is fully encrypted data.[/QUOTE]
And if the corrupted firmware installs a keylogger and catches the data as the user enters them? How does your faith-based magical encryption deal with that sort of pre-encrypted-data snooping?

xilman 2015-02-18 08:15

[QUOTE=retina;395714]All these buzz-terms like "military-grade disk wiping" are disappointing. Proper "military-grade disk wiping" would not use the firmware to wipe the surface. Does the word "degauss" mean anything to those authors?[/QUOTE]More to the point, does the word "thermite" mean anything? Ernst has explained why.

xilman 2015-02-18 08:23

[QUOTE=ewmayer;395723]So how are you measuring the capacity? You got some magic way to do that which bypasses the HD firmware?[/QUOTE]One approach might be to wipe the disk as thoroughly as possible. Don't bother putting a file system or anything like that on it. Then write reproducible but incompressible data sector by sector until the disk reports it is full. Needless to say you do this on a system unlikely to be compromised --- a Raspberry Pi say. See how many sectors are written and check against the spec for the disk. If the reported capacity is less than the notional capacity, the disk is suspect. If they do match, read back and check all the sectors to ensure that one or more haven't been overwritten to leave space for hidden information. If you can't get all the data back the disk is definitely dodgy.

Of course, this is still far from perfect (the firmware can use bad-block reserves for example) but it picks up the amateurs.
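The fill-and-read-back check xilman describes above, as an added example that is not part of the original posts. The names `sector_pattern`, `audit_disk` and `SimDisk`, the 512-byte sector size and the seed are assumptions of this example; `SimDisk` is a constructed stand-in for a raw device so the check runs offline.

```python
import errno
import hashlib

SECTOR = 512  # bytes per logical sector (assumption; 4Kn drives use 4096)


def sector_pattern(seed, index):
    """Reproducible but incompressible content for one sector: SHAKE-256
    output keyed by a secret seed and the sector number, so every sector
    differs and the stream cannot be compressed or deduplicated."""
    return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(SECTOR)


def fill(dev, seed, limit):
    """Write patterns from sector 0 until the device reports it is full or
    `limit` sectors have been written. Returns the sectors accepted."""
    dev.seek(0)
    written = 0
    while written < limit:
        try:
            n = dev.write(sector_pattern(seed, written))
        except OSError as exc:
            if exc.errno != errno.ENOSPC:
                raise
            break  # device says it is full
        if n != SECTOR:
            break  # short write: treat as end of device
        written += 1
    return written


def read_back(dev, seed, count):
    """Return the indices of sectors whose content no longer matches."""
    bad = []
    for i in range(count):
        dev.seek(i * SECTOR)
        if dev.read(SECTOR) != sector_pattern(seed, i):
            bad.append(i)
    return bad


def audit_disk(dev, spec_sectors, seed):
    """Compare accepted sectors with the data-sheet count, then verify."""
    written = fill(dev, seed, spec_sectors)
    if written < spec_sectors:
        return {"written": written, "bad": [],
                "verdict": "suspect: capacity below spec"}
    # On real hardware, flush and drop the page cache (or power-cycle the
    # drive) at this point so the reads are served by the drive, not by RAM.
    bad = read_back(dev, seed, written)
    verdict = "dodgy: data lost on read-back" if bad else "ok"
    return {"written": written, "bad": bad, "verdict": verdict}


class SimDisk:
    """Constructed in-memory device. `stolen` lists sectors that the
    simulated firmware acknowledges but silently keeps for itself."""

    def __init__(self, sectors, stolen=()):
        self.data = bytearray(sectors * SECTOR)
        self.stolen = set(stolen)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def write(self, buf):
        if self.pos + len(buf) > len(self.data):
            raise OSError(errno.ENOSPC, "No space left on device")
        if self.pos // SECTOR not in self.stolen:
            self.data[self.pos:self.pos + len(buf)] = buf
        self.pos += len(buf)
        return len(buf)

    def read(self, n):
        out = bytes(self.data[self.pos:self.pos + n])
        self.pos += len(out)
        return out


if __name__ == "__main__":
    seed = b"constructed demo seed"  # use os.urandom(32) on a real run
    print(audit_disk(SimDisk(64), 64, seed))
    print(audit_disk(SimDisk(60), 64, seed))
    print(audit_disk(SimDisk(64, stolen={10, 11}), 64, seed))
    # Real device (overwrites everything on it; /dev/sdX is a placeholder):
    #   with open("/dev/sdX", "r+b", buffering=0) as dev:
    #       audit_disk(dev, spec_sectors, os.urandom(32))
```

As the post says, a pass here does not rule out firmware that hides data in spare or reserved areas the host cannot address.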

retina 2015-02-18 08:33

Capacity loss should be evident. If it was falsely reported as the original size as stated on the cover then you would have the OS trying to put more data on there than is actually available. And if you are stealing just 100MB and reducing the reported capacity to show what is remaining then the user may wonder why.

I still stand by my comment about the "military-grade bullshit". For a home user I would agree that degaussing would be unlikely, but that is not military-grade. It doesn't make sense. For a reporter to use such buzz-terms is poor form IMO.

A key logger from an HDD interface? The ATA spec I read doesn't mention anything about uploading driver data to the host for execution. Unless you are talking about some sort of malware already in the host driver code? But that would have to come from a different vector. Perhaps if this is part of a larger package it might make sense, but on its own from an HDD it doesn't seem plausible. It is certainly possible to capture the truecrypt keys from memory but that also requires associated code running on the host in kernel mode. The HDD firmware could encrypt whatever data it wanted to before sending it off to the host for decryption but that would require pre-knowledge of the keys and algorithms used.

Xyzzy 2015-02-18 17:15

On SSDs, you have [URL="http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/whitepaper/whitepaper05.html"]over-provisioning[/URL] to think about. Sometimes this over-provisioning is transparent to the user and even the interface.

<conspiracy-theory>Maybe "military-grade" erase techniques are purposely designed to stop most people from retrieving data but not all people. IOW, the obvious solution (physical destruction) is not desirable because then the NSA (?) wouldn't have any chance to read the drive.</conspiracy-theory>

ewmayer 2015-02-18 22:32

[underlines mine]
[QUOTE=retina;395726]A key logger from an HDD interface? The ATA spec I read doesn't mention anything about uploading driver data to the host for execution. Unless you are talking about some sort of malware already in the host driver code? But that would have to come from a different vector. [u]Perhaps if this is part of a larger package it might make sense[/u], but on its own from an HDD it doesn't seem plausible. It is certainly possible to capture the truecrypt keys from memory but that also requires associated code running on the host in kernel mode. The HDD firmware could encrypt whatever data it wanted to before sending it off to the host for decryption but that would require pre-knowledge of the keys and algorithms used.[/QUOTE]

Which it is, as the AT piece lays out - we are discussing a fully-featured malware platform. The hidden HD storage for the keylogger would be just the storage-until-next-chance-to-upload-to-the-mother-ship component of such an exploit.

Here's a question for the HD wonks - is there any excess memory associated with the HD firmware which someone sophisticated enough to rewrite said firmware could use as a storage locker? If the targeting is highly specific and the upload opportunities reasonably frequent, one might only need a few kB of such off-disk storage to be useful for snooping purposes. Since the firmware needs to reside somewhere (e.g. in an EPROM) and needs to be updatable, I'm guessing there is such memory, I'm curious as to the rough amount and whether one can transfer data from the system to it dynamically. (The 'ROM' aspect would seem to indicate not, but since there is the 'P' preceding it such memory is in fact writable, the question is how the write interface works. Again, assume we are dealing with folks who in many cases seem to know as much or more about the HD programming as the manufacturers themselves, or at least who are capable of using said programming in ways the manufacturers probably never even considered.)

only_human 2015-02-18 22:40

[QUOTE=ewmayer;395784]Again, assume we are dealing with folks who in many cases seem to know as much or more about the HD programming as the manufacturers themselves, or at least who are capable of using said programming in ways the manufacturers probably never even considered.)[/QUOTE]That sounds like valuable IP. Step 5, profit.

ewmayer 2015-02-19 01:32

[QUOTE=only_human;395786]That sounds like valuable IP. Step 5, profit.[/QUOTE]

I like the way you think, my dear [i]Unterwäschenzwerg[/i] friend.

retina 2015-02-19 01:58

[QUOTE=ewmayer;395784]Here's a question for the HD wonks - is there any excess memory associated with the HD firmware which someone sophisticated enough to rewrite said firmware could use as a storage locker?[/QUOTE]I'm not an HDD person but I do know about the common forms of FLASH memories used. Their re-programmability is limited to only a few cycles (1000 in many cases). And erasure is usually only possible for the entire array at a time. It is possible to make it partitioned with each section independent but since this costs more it is not usually done for something that is expected to only need reprogramming a few times at most in its expected lifetime.

Stealing sectors from the over provisioning portion is still going to be noticeable because the host software can allocate and query from that region. At some point you would see the difference. However it may be more feasible to mark a few sectors as bad and use the spare sectors to replace them. This way everyone sees the entire capacity and unless the host deliberately tries to read the bad sectors no one would get suspicious. Although having too many bad sectors is also a sign of problems and the user may not be happy. But I guess it all comes down to vigilance. Perhaps most users never care to look at the numbers.

ewmayer 2015-02-19 07:31

[QUOTE=kladner;395141]Is that ever depressing. :sad:[/QUOTE]

I'm afraid I have another depressing Ames piece to share, detailing the role of the "Vichy privacy advocates" at ACLU and EFF in passing another truly spectacular anti-privacy law:

[url=pando.com/2015/02/15/meet-the-serial-failures-in-charge-of-protecting-americas-online-privacy/]Meet the serial failures in charge of protecting America’s online privacy[/url]
[quote]Earlier this week, McClatchey published an article reminding readers of something that can’t be repeated enough: Thanks to the 1986 Electronic Communications Privacy Act, the government can read all your emails over 180 days old without a warrant. That’s what the law says — and yet it remains obscure enough that every time some national media reminds us, it still shocks the senses.[/quote]

kladner 2015-02-19 17:12

[QUOTE=ewmayer;395810]I'm afraid I have another depressing Ames piece to share, detailing the role of the "Vichy privacy advocates" at ACLU and EFF in passing another truly spectacular anti-privacy law:[URL="http://pando.com/2015/02/15/meet-the-serial-failures-in-charge-of-protecting-americas-online-privacy/"].....[/URL][/QUOTE]

The author even calls it depressing. As an antidote, here is a Dilbert strip which isn't really on topic, but did come from a side link to the story. :smile:

only_human 2015-02-19 23:27

[CENTER][URL="https://firstlook.org/theintercept/2015/02/19/great-sim-heist/"]"THE GREAT SIM HEIST[/URL]
HOW SPIES STOLE THE KEYS TO THE ENCRYPTION CASTLE"[/CENTER]

ewmayer 2015-02-21 01:22

[QUOTE=only_human;395870][CENTER][URL="https://firstlook.org/theintercept/2015/02/19/great-sim-heist/"]"THE GREAT SIM HEIST[/URL]
HOW SPIES STOLE THE KEYS TO THE ENCRYPTION CASTLE"[/CENTER][/QUOTE]

Since I think a snip from the article for the benefit of workaday-inundated readers is warranted, here ya go:
[quote]American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.[/quote]
Another encryption-bypassing hack. I'm sensing a theme here...

only_human 2015-02-21 03:33

That streaming camera that you put in your home to keep an eye on a pet, etcetera. Well, that camera may not be your friend:
"THE SPIES OF LIFE
[URL="http://fusion.net/story/50925/police-have-asked-dropcam-for-video-from-peoples-home-cameras/"]Police have asked Dropcam for video from people’s home cameras[/URL]"
[QUOTE]Dropcam, which makes popular $199 cameras that capture audio and video for live streams to smartphones or for storage in the cloud, tells Fusion that it has received a “limited number of law enforcement requests”—search warrants—for video from its customers’ cameras. The six-year-old company, which was purchased by Google-owned Nest Labs last year for more than $500 million, says it has only received these requests “in individual cases” and has not received “any broad-based government requests.” In other words, when law enforcement has come to Dropcam, it has been for eyes into a single home at a time, not a whole neighborhood.

“When we’ve received search warrants for Dropcam footage, we’ve provided notice to the email address associated with the account, unless compelled by a court not to do so,” said Thai. She says the requests so far have only been for stored footage not for access to a live video stream.[/QUOTE]

ewmayer 2015-02-21 05:41

[QUOTE=only_human;395964]That streaming camera that you put in your home to keep an eye on a pet, etcetera. Well, that camera may not be your friend:[/QUOTE]

Et tu, [url=http://www.zerohedge.com/news/2015-02-20/we-messed-badly-lenovo-admits-putting-tracking-software-your-pc]Lenovo[/url]?

Dubslow 2015-02-21 06:19

[url]http://spritesmods.com/?art=hddhack[/url]

One need not use any of the actual disc to store hacked firmware.

kladner 2015-02-21 06:50

[QUOTE=ewmayer;395968]Et tu, [URL="http://www.zerohedge.com/news/2015-02-20/we-messed-badly-lenovo-admits-putting-tracking-software-your-pc"]Lenovo[/URL]?[/QUOTE]

[QUOTE][U][B]Because if Lenovo is doing this, are we supposed to be so naïve to presume that Google, Apple, AT&T, etc. are not?[/B][/U][/QUOTE]How is the company going to put things right with the customers? [I]We wonders, yes we wonders, my Precious.[/I] I also wonder if there are enough injured parties to launch a Class Action suit against Lenovo. I foresee many attorneys scarfing down a feast of fees, as there are bound to be suits already in progress, and many more to come.

From [URL="http://www.bloomberg.com/news/articles/2015-02-19/lenovo-says-it-messed-up-by-preloading-web-tracking-software"]Bloomberg[/URL]: [QUOTE]Superfish uses image-recognition algorithms that watch where users point on their screens and suggest ads based on the images they’re looking at. The software was included on some models of consumer laptops sold worldwide between September and December and was turned off in January after user complaints, Lenovo said. [/QUOTE]"Turned off," eh? That is not exactly comforting. Actually, it seems that-
[QUOTE]Lenovo Group Ltd. apologized to customers as it works with users to enable laptop computer owners to remove pre-installed software that potentially exposed them to hacking attacks and unauthorized activity monitoring. The biggest maker of personal computers said it was a mistake to have the software, made by a company called Superfish, included on Lenovo machines. Lenovo posted links on Twitter to its website with information about the software and removal instructions.
[/QUOTE]"And TRUST Us, this really, truly, pinky-swear, this [I]Really[/I] removes the malware, and doesn't just cover it up somehow." :ermm:

EDIT: It also really chaps my ass that the situation is being cast, at least sardonically, as "a very poor security-versus-user-experience trade-off.” Is it supposed to [I]IMPROVE[/I] my bleeding "User Experience" to have sneaky malware bombard me with targeted ads? :furious: [/LEWIS_BLACK]

retina 2015-02-21 07:08

[QUOTE=kladner;395971]EDIT: It also really chaps my ass that the situation is being cast, at least sardonically, as "a very poor security-versus-user-experience trade-off.” Is it supposed to [I]IMPROVE[/I] my bleeding "User Experience" to have sneaky malware bombard me with targeted ads? :furious:[/QUOTE]It probably did improve user experience, just that that user was not intended to be the person that bought the laptop.

ETA: Advertisers and marketeers won't be satisfied until every square millimetre of every surface your eyes and ears can see and hear is presenting their ads 24/7 for your viewing pleasure. I'm sure they would have Mars lit up also if they could so that people with telescopes can enjoy the ads also.

Nick 2015-02-21 08:50

Ben Edelman's latest report is also relevant:
[QUOTE]In public statements, IronSource promises "empower software" through "faster" downloads, "smoother" installations, and increased "user trust." It sounds like a reasonable business -- free software for users in exchange for advertising. Yet a closer look at IronSource installations reveals ample cause for concern. Far from facilitating "user trust," IronSource installations are often strikingly deceptive: they promise to provide software IronSource and its partners have no legal right to redistribute (indeed, specifically contrary to applicable license agreements); they bundle all manner of adware that users have no reason to expect with genuine software; they bombard users with popup ads, injected banner ads, extra toolbars, and other intrusions. It's the very opposite of mainstream legitimate advertising. We are surprised to see such deceptive tactics from a large firm that is, by all indications, backed by distinguished investors and top-tier bankers.
[/QUOTE]Full details: [URL]http://www.benedelman.org/news/021815-1.html[/URL]

only_human 2015-02-23 21:54

More man-in-the-middle experience [I]improvements[/I] are popping up:
[QUOTE][URL="http://arstechnica.com/security/2015/02/security-software-found-using-superfish-style-code-as-attacks-get-simpler/"]Security software found using Superfish-style code, as attacks get simpler[/URL]
Titles from security firms Lavasoft and Comodo leave users open to easier attacks.[/QUOTE]
[QUOTE]Two more software makers have been caught adding dangerous, Superfish-style man-in-the-middle code to the applications they publish. The development is significant because it involves AV company Lavasoft and Comodo, a company that issues roughly one-third of the Internet's Transport Layer Security certificates, making it the world's biggest certificate authority.[/QUOTE]
[QUOTE]Readers with either Lavasoft Ad-aware Web Companion or the stand-alone version of PrivDog should err on the side of caution and uninstall both the app and the underlying root certificate as soon as possible.[/QUOTE]

xilman 2015-02-24 09:53

Asymmetric encryption
 
[URL="http://justsecurity.org/20304/transcript-nsa-director-mike-rogers-vs-yahoo-encryption-doors/"]Transcript: NSA Director Mike Rogers vs. Yahoo! on Encryption Back Doors[/URL]

retina 2015-02-24 09:59

[QUOTE=xilman;396223][URL="http://justsecurity.org/20304/transcript-nsa-director-mike-rogers-vs-yahoo-encryption-doors/"]Transcript: NSA Director Mike Rogers vs. Yahoo! on Encryption Back Doors[/URL][/QUOTE]Very unsatisfying. No answers at all, just waffle.

xilman 2015-02-24 10:11

[QUOTE=retina;396224]Very unsatisfying. No answers at all, just waffle.[/QUOTE]Did you seriously expect anything else?

retina 2015-02-24 10:29

[QUOTE=xilman;396226]Did you seriously expect anything else?[/QUOTE]Normally I wouldn't, but since you posted it I thought there might be some semblance of value in it.

xilman 2015-02-28 16:24

We're finding it difficult to scan so we'll destroy your legitimate business.

[url]https://torrentfreak.com/under-u-s-pressure-paypal-nukes-mega-for-encrypting-files-150227/[/url]

only_human 2015-03-04 02:48

Those old encryption export restrictions have left a massive security hole. We'll be hearing more about this one.
[QUOTE][URL="http://www.theregister.co.uk/2015/03/03/government_crippleware_freaks_out_tlsssl/"]New SSL attack: Apple, Android gear FREAK out, open up to spies[/URL]
OpenSSL, iOS and OS X tricked into using weak 1990s-grade encryption keys[/QUOTE]

I am unsure how this is different from other recent exploits that tricked clients into using weaker encryption.
[url]https://freakattack.com/[/url] is a test for it.
On my kindle fire tablet, [url]https://freakattack.com/clienttest.html[/url] tells me:
[Quote]
TLS Freak Attack: Client Check
Warning! Your client is vulnerable to CVE-2015-0204. Even though your client doesn't offer any RSA EXPORT suites, it can still be tricked into using one of them. We encourage you to upgrade your client.
If you're curious, your client currently offers the following cipher suites:

Cipher Suite
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RENEGO_PROTECTION_REQUEST[/QUOTE]

retina 2015-03-04 05:13

[QUOTE=only_human;396970]I am unsure how this is different from other recent exploits that tricked clients into using weaker encryption.
[url]https://freakattack.com/[/url] is a test for it.[/QUOTE]Requires JS apparently. Anyhow I checked for this a long time ago with my FF 3.6.28 and made sure I couldn't be downgraded. I'm surprised this has only just become an issue. Perhaps the newer browsers have started becoming more insecure? :shock: Yet another reason to stop the constant updating of features in browsers and start getting the bugs fixed.

only_human 2015-03-04 12:30

[QUOTE=kladner;395971]How is the company going to put things right with the customers? [I]We wonders, yes we wonders, my Precious.[/I] I also wonder if there are enough injured parties to launch a Class Action suit against Lenovo. I foresee many attorneys scarfing down a feast of fees, as there are bound to be suits already in progress, and many more to come.

From [URL="http://www.bloomberg.com/news/articles/2015-02-19/lenovo-says-it-messed-up-by-preloading-web-tracking-software"]Bloomberg[/URL]: "Turned off," eh? That is not exactly comforting. Actually, it seems that-
"And TRUST Us, this really, truly, pinky-swear, this [I]Really[/I] removes the malware, and doesn't just cover it up somehow." :ermm:

EDIT: It also really chaps my ass that the situation is being cast, at least sardonically, as "a very poor security-versus-user-experience trade-off.” Is it supposed to [I]IMPROVE[/I] my bleeding "User Experience" to have sneaky malware bombard me with targeted ads? :furious: [/LEWIS_BLACK][/QUOTE]
[URL="http://www.theregister.co.uk/2015/03/03/lenovo_bagged_250k_from_superfish_deal_report/"]$250K: That's what Lenovo earned to RAT YOU OUT with Superfish[/URL]
[QUOTE]Forbes' sources now say Lenovo made between US$200,000 to US$250,000 from the deal to pre-install Superfish, a paltry amount given its net profit was US$253 million in the three months to December.[/QUOTE]
[QUOTE]The Superfish PR disaster has also snowballed into a lawsuit initiated by Californian woman Jessica Bennett, who filed against Lenovo and Superfish claiming the “malware” injected smut images into her Yoga laptop. ®[/QUOTE]

only_human 2015-03-09 20:29

[QUOTE=retina;396977]Requires JS apparently. Anyhow I checked for this a long time ago with my FF 3.6.28 and made sure I couldn't be downgraded. I'm surprised this has only just become an issue. Perhaps the newer browsers have started becoming more insecure? :shock: Yet another reason to stop the constant updating of features in browsers and start getting the bugs fixed.[/QUOTE]
Perhaps so; [URL="http://www.extremetech.com/computing/200555-microsoft-internet-explorer-windows-vulnerable-to-freak-attack"]Internet Explorer 11 for Windows is vulnerable to FREAK attack[/URL]
[QUOTE]Affected operating systems include Windows Server 2003, Vista (all flavors), Server 2008, and all consumer versions of Windows, including Windows RT.

It appears that some Windows browsers are vulnerable while others aren’t — Internet Explorer 11, even when fully patched, still shows as vulnerable to the attack, while Firefox and Chrome don’t. The Microsoft workaround is shown below, but you’d best be comfortable with rooting around in the Group Policy Object Editor.

[B]. . .[/B]

Right now, the only fix is to manually tell Windows which ciphers are safe for use and which are not.

Google has already patched the version of Chrome for Mac to disable the problem, and Firefox is supposedly safe on all platforms. The formal iOS and OS X patches are still in the pipeline; Apple hasn’t provided an updated timeline for their release beyond “next week.”

As for how dangerous FREAK actually is, the practical risk appears to be relatively low. The greater problem is what FREAK [I]represents[/I]. It’s a flaw that only exists because governments attempted to mandate weak cryptography in the mistaken belief that it could retain control of security standards for the “good” guys without handing bad guys additional flaws or attack vectors. The fact that the problem has existed, undetected, for over a decade suggests that groups like the NSA and other security agencies could well have exploited it in targeted attacks – and these are precisely the kinds of threats that the NSA is supposed to be capable of guarding against.

Backdoors don’t have morals. They don’t distinguish between good guys and bad guys, or good governments versus bad governments. They break security models simply by virtue of existing. And they can’t be used to balance government oversight against user or corporate security.[/QUOTE]

ewmayer 2015-03-09 21:38

[url=www.nakedcapitalism.com/2015/03/announcing-surveillance-valley-project.html]Announcing the Surveillance Valley Project[/url] | Yasha Levine, Pando Daily
[quote]For the past year-and-a-half I’ve been covering the “Surveillance Valley” beat for San Francisco-based Pando Daily, investigating the for-profit surveillance business that powers Silicon Valley, and the ways in which this technology is increasingly being used to monitor and control our lives.
...
Above all else, my reporting revealed how worried we all are at the growing, unchecked economic and political power of Silicon Valley — and how little any of us really know about what’s going on in the boardrooms and faceless server farm-warehouses that power big tech. The more I reported on Silicon Valley, the more I was convinced that big tech’s reliance on surveillance to expand and maintain its power is a vital issue that needed to be explored deeper and at greater length.

Now I’ve taken my reporting to the next level with an independent book project — and have launched a [url=https://www.kickstarter.com/projects/7331688/surveillance-valley-the-rise-of-the-google-militar][i]Kickstarter campaign[/i][/url] to get it going.

The book is called [url=http://surveillancevalley.net/][i]Surveillance Valley: The Rise of the Google-Military Complex[/i][/url].

* * * *

Since the start of the Internet revolution, we have been told that we are witnessing the dawn of a new and liberating technology — a technology that will decentralize power, topple entrenched bureaucracies, and bring more democracy and equality to the world. But the Internet did the exact opposite. It increased inequality, birthed massive global corporations, minted new billionaires (23 just last year in California), helped concentrate wealth and power, and expanded the reach of the U.S. National Security State.

How did a technology that supposedly held so much democratic promise so quickly devolve into the dystopian reality we see today? How is all this concentrated power affecting our democratic society? Where is it going? And where will it end?

These are some of the overarching questions that I will address in [i]Surveillance Valley[/i].[/quote]
He goes on to explain why no traditional publisher - once they find out the laundry list of Big Tech companies the book will cover - will have anything to do with the project. Think "Threatened loss of Amazon.com preferred pricing and/or sales privileges."

jasonp 2015-03-10 00:46

Security downgrade attacks are a consequence of the choice of defaults in SSL libraries; more often than not they err on the side of letting users customize the library as much as they want but by default allowing as many SSL-enabled web sites to work as possible, as long as they handle the protocol correctly. The downside to this is that SSL libraries are very difficult to configure correctly.

Those defaults are also counterintuitive sometimes; if you are using OpenSSL manually, for example, the default behavior upon receiving a server certificate signed by an untrusted root is to allow the connection to go through but log an error. If you don't like that default you have a lot of code to write. In fact a paper published two years ago showed how a huge number of libraries and commercial frameworks that wrap an SSL library have no protection from man-in-the-middle attacks because you can literally give them a garbage certificate signed by anybody and the connection won't be refused.

only_human 2015-03-10 17:09

Today, Wikipedia and the ACLU are filing a lawsuit over NSA interception of and searching of text-based traffic.
[URL="http://mobile.nytimes.com/2015/03/10/opinion/stop-spying-on-wikipedia-users.html?_r=0&referrer"]Stop Spying on Wikipedia Users[/URL] NYTimes opinion page
[QUOTE]The notion that the N.S.A. is monitoring Wikipedia’s users is not, unfortunately, a stretch of the imagination. One of the documents revealed by the whistle-blower Edward J. Snowden specifically identified Wikipedia as a target for surveillance, alongside several other major websites like CNN.com, Gmail and Facebook. The leaked slide from a classified PowerPoint presentation declared that monitoring these sites could allow N.S.A. analysts to learn “nearly everything a typical user does on the Internet.”

The harm to Wikimedia and the hundreds of millions of people who visit our websites is clear: Pervasive surveillance has a chilling effect. It stifles freedom of expression and the free exchange of knowledge that Wikimedia was designed to enable.

During the 2011 Arab uprisings, Wikipedia users collaborated to create articles that helped educate the world about what was happening. Continuing cooperation between American and Egyptian intelligence services is well established; the director of Egypt’s main spy agency under President Abdel Fattah el-Sisi boasted in 2013 that he was “in constant contact” with the Central Intelligence Agency.

So imagine, now, a Wikipedia user in Egypt who wants to edit a page about government opposition or discuss it with fellow editors. If that user knows the N.S.A. is routinely combing through her contributions to Wikipedia, and possibly sharing information with her government, she will surely be less likely to add her knowledge or have that conversation, for fear of reprisal.

And then imagine this decision playing out in the minds of thousands of would-be contributors in other countries. That represents a loss for everyone who uses Wikipedia and the Internet — not just fellow editors, but hundreds of millions of readers in the United States and around the world.

In the lawsuit we’re filing with the help of the American Civil Liberties Union, we’re joining as a fellow plaintiff a broad coalition of human rights, civil society, legal, media and information organizations. Their work, like ours, requires them to engage in sensitive Internet communications with people outside the United States.

That is why we’re asking the court to order an end to the N.S.A.’s dragnet surveillance of Internet traffic.[/QUOTE]
ACLU.org : HOME › KEEP AMERICA SAFE AND FREE › SURVEILLANCE & PRIVACY
[URL="https://www.aclu.org/national-security/wikimedia-v-nsa"]Wikimedia v. NSA: Challenge to Mass Surveillance Under the FISA Amendments Act[/URL]
[QUOTE]
[B]The ACLU has filed a lawsuit challenging the constitutionality of the NSA’s mass interception and searching of Americans’ international communications. At issue is the NSA's “upstream” surveillance, through which the U.S. government monitors almost all international – and many domestic – text-based communications. The ACLU’s lawsuit, filed in March 2015 in the U.S. District Court for the District of Maryland, is brought on behalf of nearly a dozen educational, legal, human rights, and media organizations that collectively engage in hundreds of billions of sensitive Internet communications and have been harmed by NSA surveillance.[/B]

The plaintiffs in the lawsuit are: Wikimedia Foundation, The National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, PEN American Center, Global Fund for Women, The Nation Magazine, The Rutherford Institute, and The Washington Office on Latin America. These plaintiffs’ sensitive communications have been copied, searched, and likely retained by the NSA. Upstream surveillance hinders the plaintiffs’ ability to ensure the basic confidentiality of their communications with crucial contacts abroad – among them journalists, colleagues, clients, victims of human rights abuses, and the tens of millions of people who read and edit Wikipedia pages.

[URL="https://www.aclu.org/files/assets/wikimedia_v2c_nsa_-_complaint.pdf"]Read the complaint »[/URL] (PDF file)

Upstream surveillance, which the government claims is authorized by the FISA Amendments Act of 2008, is designed to ensnare all of Americans’ international communications, including emails, web-browsing content, and search engine queries. It is facilitated by devices installed, with the help of companies like Verizon and AT&T, directly on the internet “backbone” – the network of high-capacity cables, switches, and routers across which Internet traffic travels.

The NSA intercepts and copies private communications in bulk while they are in transit, and then searches their contents using tens of thousands of keywords associated with NSA targets. These targets, chosen by intelligence analysts, are never approved by any court, and the limitations that do exist are weak and riddled with exceptions. Under the FAA, the NSA may target any foreigner outside the United States believed likely to communicate “foreign intelligence information” – a pool of potential targets so broad that it encompasses journalists, academic researchers, corporations, aid workers, business persons, and others who are not suspected of any wrongdoing.

Through its general, indiscriminate searches and seizures of the plaintiffs’ communications, upstream surveillance invades their Fourth Amendment right to privacy, infringes on their First Amendment rights to free expression and association, and exceeds the statutory limits of the FAA itself. The nature of plaintiffs' work and the law’s permissive guidelines for targeting make it likely that the NSA is also retaining and reading their communications, from email exchanges between Amnesty staff and activists, to Wikipedia browsing by readers abroad.

The ACLU litigated an earlier challenge to surveillance conducted under the FAA – Clapper v. Amnesty – which was filed less than an hour after President Bush signed the FAA into law in 2008. In a 5-4 vote, the Supreme Court dismissed the case in February 2013 on the grounds that the plaintiffs could not prove they had been spied on. Edward Snowden has said that the ruling contributed to his decision to expose the full scope of NSA surveillance a few months later. Among his disclosures was upstream surveillance, the existence of which was later confirmed by the government.

Our clients advocate for human and civil rights, unimpeded access to knowledge, and a free press. Their work is essential to a functioning democracy. When their sensitive and privileged communications are monitored by the U.S. government, they cannot work freely and their effectiveness is curtailed – to the detriment of Americans and others around the world.[/QUOTE]

only_human 2015-03-10 20:21

In other news:
[URL="https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/"]iSpy: THE CIA CAMPAIGN TO STEAL APPLE’S SECRETS[/URL]
[QUOTE]RESEARCHERS WORKING with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.

By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.

The CIA declined to comment for this story.

The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “keylogger.”[/QUOTE]

ewmayer 2015-03-13 01:39

Latest nuggets from Kaspersky labs:

[url=arstechnica.com/security/2015/03/new-smoking-gun-further-ties-nsa-to-omnipotent-equation-group-hackers/]New smoking gun further ties NSA to omnipotent “Equation Group” hackers[/url] | Ars Technica

ewmayer 2015-03-18 00:50

o [url=www.theverge.com/2015/3/16/8226193/new-apple-macbook-usb-type-c-security-risk-badusb] The new MacBook's single port comes with a major security risk[/url] | The Verge
[quote]In practical terms, that means MacBook and Chromebook Pixel users are now exposed to what you might call a "borrowed charger" attack. The new chargers don't have the firmware needed to carry the BadUSB virus, but it would be easy for an attacker to install it herself, then spend a day in a coffee shop waiting for some unsuspecting target to plug in. From there, the bug would spread to every compatible device the target plugged into. Nearly everyone with a laptop has shared a power cable at some point — compared with the much smaller number who have plugged in a stranger's USB stick — so the attack could reach a lot of otherwise protected computers.[/quote]
Sounds like the firmware-exploit equivalent of unsafe sex...

o [url=www.uncomputing.org/?p=1633]‘Is It Compromised?’ Is the Wrong Question about US Government Funding of Tor[/url] | Uncomputing

LaurV 2015-03-18 09:23

[QUOTE=ewmayer;397968]Sounds like the firmware-exploit equivalent of unsafe sex...[/QUOTE]
Hehe... nice one!
To give my contribution to the topic, a few weeks ago we brought in an antediluvian PowerEdge server from China (our Hong Kong branch, in fact), some colleague hand-carried it (!! no joke, people go to great lengths to avoid customs), which we dismounted and recovered what we could from it (not much). It served us well for years, but it was not needed (not profitable) anymore. When playing with it, we found out it was trying to access the net when powered on, in spite of the fact that there was neither a hard disk nor any nonvolatile memory. That is, directly from BIOS (!)

We knew that Dell employs a lot of shit for anti-theft solutions, etc., but still, the activity and the things it wanted to reach seemed suspect and we looked into it. I guess (I can't be sure I am not dealing with some open-manage or theft-protection stuff, but I will get help soon in this direction from some friends) that it was the first time in my life, and most probably the last, that I put my nose into "deitybounce" (you can google for it, it is worth reading about). It was a PowerEdge manufactured for (in?) China in about 2008.

ewmayer 2015-03-29 01:16

[url=https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/]Passphrases That You Can Memorize — But That Even the NSA Can't Guess[/url] - The Intercept

Not that they need to guess your pass-stuff if they are logging your keystrokes, but for the dwindling pool of people not yet on the sekrit 'persons of interest' list this seems a sound approach. Never thought the expression "you're really rolling the dice with this approach" would take on a positive connotation.

retina 2015-03-31 01:38

NSA's Backdoor Key from Lotus-Notes
 
[url]http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html[/url][quote]Before the US crypto export regulations were finally dissolved the export version of Lotus Notes used to include a key escrow / backdoor feature called differential cryptography. The idea was that they got permission to export 64 bit crypto if 24 of those bits were encrypted for the NSA's public key.[/quote] When things like this are happening it makes it hard to trust a US produced closed source software product.
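
The work-factor reduction described in the quote above, as an added example that is not part of the original post and is not Lotus Notes code: a message key is used normally, while 24 of its bits travel alongside the ciphertext encrypted to an escrow public key, so the escrow holder searches far fewer keys than anyone else. Assumptions made here: the top 24 bits are the escrowed ones, the escrow key is a toy RSA key built from two Mersenne primes, the cipher is a SHA-256 keystream stand-in, and the demo key is scaled from 64 to 40 bits so the remaining search is 2^16 instead of 2^40.

```python
import hashlib
import secrets

# Toy escrow RSA key, constructed for this example from two well-known
# Mersenne primes. It offers no security; it only stands in for
# "the escrow holder's public key" in the quoted description.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, escrow holder only

ESCROW_BITS = 24   # from the quoted description
PAD_BITS = 96      # random padding so the field is not guessable (assumption)


def keystream_xor(key: int, key_bits: int, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode, keyed with `key`."""
    kb = key.to_bytes((key_bits + 7) // 8, "big")
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(kb + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def escrow_field(key: int, key_bits: int) -> int:
    """Sender: encrypt the top ESCROW_BITS of the key, with padding, to N."""
    high = key >> (key_bits - ESCROW_BITS)
    padded = (secrets.randbits(PAD_BITS) << ESCROW_BITS) | high
    return pow(padded, E, N)


def open_escrow(field: int) -> int:
    """Escrow holder: decrypt the field and strip the padding."""
    return pow(field, D, N) & ((1 << ESCROW_BITS) - 1)


def send(plaintext: bytes, key_bits: int):
    """Return (key, ciphertext, escrow field) for a fresh random key."""
    key = secrets.randbits(key_bits)
    return key, keystream_xor(key, key_bits, plaintext), escrow_field(key, key_bits)


def search(ciphertext: bytes, known_prefix: bytes, key_bits: int, high=None):
    """Brute-force the key against a known plaintext prefix.

    With `high` (the escrowed bits) only the remaining low bits are searched;
    without it the whole key space is. Returns (key or None, keys tried).
    """
    if high is None:
        candidates = range(1 << key_bits)
    else:
        low_bits = key_bits - ESCROW_BITS
        base = high << low_bits
        candidates = range(base, base + (1 << low_bits))
    head = ciphertext[:len(known_prefix)]
    tried = 0
    for tried, cand in enumerate(candidates, 1):
        if keystream_xor(cand, key_bits, head) == known_prefix:
            return cand, tried
    return None, tried


def work_factors(key_bits: int):
    """Worst-case key trials: (outsider, escrow holder)."""
    return 1 << key_bits, 1 << (key_bits - ESCROW_BITS)


def demo(key_bits: int = 40):
    """Scaled run: 40-bit key, 24 bits escrowed, 16 bits left to search."""
    msg = b"Subject: quarterly report (constructed sample text)"
    key, ciphertext, field = send(msg, key_bits)
    high = open_escrow(field)                       # needs the private key D
    recovered, tried = search(ciphertext, msg[:16], key_bits, high)
    return key, recovered, tried


if __name__ == "__main__":
    key, recovered, tried = demo()
    print(f"key recovered: {recovered == key} after {tried} trials")
    outsider, holder = work_factors(64)
    print(f"64-bit key: outsider 2^{outsider.bit_length() - 1}, "
          f"escrow holder 2^{holder.bit_length() - 1} trials")
```

Everyone without the escrow private key still faces the full key space; the holder of that key faces a space 2^24 times smaller, which is the asymmetry the name "differential cryptography" refers to.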

ewmayer 2015-04-03 22:32

[url=www.theatlantic.com/technology/archive/2015/03/supreme-court-if-youre-being-gps-tracked-youre-being-searched/389114/]U.S. Supreme Court: GPS Trackers Are a Form of Search and Seizure[/url] | The Atlantic
[quote]the Court has considered the Fourth Amendment quite a bit recently. In 2012, it ruled that placing a GPS tracker on a suspect’s car, without a warrant, counted as an unreasonable search. The following year, it said that using drug-sniffing dogs around a suspect’s front porch—without a warrant and without their consent—was also unreasonable, as it trespassed onto a person’s property to gain information about them.

Both of those cases involved suspects, but the ruling Monday made clear that it extends to those convicted of crimes, too.

But much remains unclear about how the Fourth Amendment interacts with digital technology. The Court so far has only ruled on cases where location information was collected by a GPS tracker. But countless devices today collect geographic information. Smartphones often contain their own GPS monitors and can triangulate their location from nearby cell towers; electronic toll-collection systems like E-ZPass register, by default, a car’s location and when it passed through a toll road.

Lynch, the EFF attorney, said that the justices seem to know that they’ll soon have to rule on whether this kind of geo-locational information is protected.

She also said that those questions are more fraught for the Court than ones just involving GPS tracker data. Some members of the Court, including Justice Antonin Scalia, argue the Fourth Amendment turns on whether the government has trespassed on someone’s private property. Other members—represented in arguments by Justices Sonia Sotomayor and Samuel Alito—say that people have a reasonable expectation to the privacy of their location data.[/quote]

=====================

[url=www.uncomputing.org/?p=1633]‘Is It Compromised?’ Is the Wrong Question about US Government Funding of Tor[/url] | Uncomputing
[quote]If you are asking how government funding compromises Tor and “internet freedom,” you are asking the wrong question. The right question is: [i]how do Tor and “internet freedom” serve the interests of those who fund them so generously[/i] — and have virtually no history of funding (especially on an ongoing basis) projects that are contrary or even irrelevant to their interests? Why do major factions within the US Government so steadfastly promote an internet project whose supporters routinely insist that “the government sure does hate the Internet”?

We don’t have to look far or think that hard to develop answers to these questions. Just the other day, Shawn Powers and Michael Jablonski, authors of the new and fascinating-sounding book, [i]The Real Cyber War: The Political Economy of Internet Freedom[/i] (University of Illinois Press, 2015), announced the publication of their book by writing:
[i]
Efforts to create a universal internet built upon Western legal, political, and social preferences is driven by economic and geopolitical motivations rather than the humanitarian and democratic ideals that typically accompany related policy discourse. In fact, the freedom-to-connect movement is intertwined with broader efforts to structure global society in ways that favor American and Western cultures, economies, and governments.
[/i]
The inability of many Tor and “internet freedom” and even super-encryption supporters to understand (or at least, to talk as if they understand) this point of view is part of what is so disturbing about this whole situation. “Internet freedom” and “internet privacy” and even “Tor” have become like articles of religious faith: creeds whose fundamental tenets cannot be questioned, even if they also cannot be stated in anything like the clarity with which “freedom of the press” can be stated. The critique we need to consider is not merely that major powers are “paying lip service” to the idea of internet freedom; it is that [i]the idea itself is bankrupt[/i]: it is a propagandistic slogan in search of a meaning, a set of meaningful-sounding (but meaningless) words, like “right to work,” that exists only to serve a powerful and disturbing agenda (which is one direction that the outsize “internet freedom” funding provided by the US State Department, and Google’s triumphalist support for the idea, should raise questions for everyone). Indeed, if the putative freedom of information on which “the internet” (and Tor, and “internet freedom,” etc.) is supposedly based is going to mean anything–if it at [i]least[/i] entails the “freedom of speech” and “freedom of the press” that in my opinion it does not eclipse in especially legible ways–it has to mean being willing always to question our fundamental assumptions, making it beyond ironic that its fiercest champions work so hard to prevent us from doing just that.[/quote]

ewmayer 2015-04-11 01:30

Our frenemies in Beijing appear to be working hard to catch up with the NSA/GCHQ alliance when it comes to offensive cyber operations against its own citizenry and those who would try to aid same in evading government censorship:

[url=http://www.nytimes.com/2015/04/11/technology/china-is-said-to-use-powerful-new-weapon-to-censor-internet.html]China Is Said to Use Powerful New Weapon to Censor Internet[/url] | NYT

And on a lighter surveillance note, an expert authority weighs in on [url=www.theonion.com/articles/the-pros-and-cons-of-body-cameras-for-police,38405/]The Pros And Cons Of Body Cameras For Police[/url].

chappy 2015-04-13 02:42

1 Attachment(s)
This could have gone in the funny thread, but sometimes I need a laugh when I think about this topic.

xilman 2015-04-13 16:09

[QUOTE=chappy;399958]This could have gone in the funny thread, but sometimes I need a laugh when I think about this topic.[/QUOTE]The old ones are indeed the best.

ewmayer 2015-04-19 23:17

[url=www.theguardian.com/us-news/2015/apr/15/nsa-fbi-surveillance-patriot-action-section-215-expiration]NSA and FBI fight to retain spy powers as surveillance law nears expiration[/url] | US news | The Guardian
[quote]Section 215 is the authority claimed by the NSA since 2006 for its ongoing daily bulk collection of US phone records revealed by the Guardian in 2013 thanks to leaks from whistleblower Edward Snowden. While the Obama administration and US intelligence agencies last year supported divesting the NSA of its domestic phone metadata collection, a bill to do so failed in November.

But the FBI and its supporters fear that the expiration of Section 215 will cut deeper than the loss of bulk collection. The FBI is warning that it will lose access to investigative leads for domestic terrorism and espionage, such as credit card information, hotel records and more, outside normal warrant or subpoena channels.

While the briefings were not described as a platform for defending the controversial Section 215, they “offer an important opportunity to hear directly from analysts and operators who use Section 215 as part of their daily mission to protect the Nation from terrorist attacks,” according to an announcement for legislators sent by intelligence committee chairman Devin Nunes and Georgia Republican Lynn Westmoreland and obtained by the Guardian. [/quote]
The tone of the quoted snip from that "announcement for legislators" tells you all you need to know about the odds of meaningful reform coming from the current batch of congresscritters.

VictordeHolland 2015-04-21 10:59

A bit of an old article, but I wasn't aware until I saw the National Geographic documentary "[I]De Tijd Vliegt[/I]".
22 B61 nuclear bombs (4 times more powerful than Hiroshima) at Volkel (Dutch airbase). If you look at Google maps, you can see.... a white space.
Naughty boys, those former prime ministers van Agt and Lubbers for admitting that :nuke:!
[URL]http://www.telegraph.co.uk/news/worldnews/europe/netherlands/10110527/22-pointless-US-nuclear-bombs-at-Dutch-airbase.html[/URL]

Let's fire them at ISIS, Iran, North Korea and a bunch of other countries and we'll have world peace. Oh wait, that is genocide, but we'll get away with it, just like America got away with Hiroshima and Nagasaki!

kladner 2015-04-21 15:08

As if their existence and deployment isn't bad enough, the Wiki on this family of weapons (which seems to be the basis of the Telegraph's description,) includes the following discouraging bit:

[QUOTE]As of 2013, the Pentagon is asking for an $11 billion life-extension program for the B61 bomb, which would be the most ambitious and expensive nuclear warhead refurbishment in history. Congress is opposed to this effort for cost and timeline issues and questions for the B61's need. Cost estimates have doubled from $4 billion to $8 billion and production slipped from 2017 to 2020, then grew to $10 billion for life extension plus $1 billion for tail guidance kits and production was delayed to 2021. Sequestration budget cuts in early 2013 delay any start until 2020. The [URL="http://en.wikipedia.org/wiki/United_States_Senate_Appropriations_Subcommittee_on_Energy_and_Water_Development"]Senate Energy and Water Appropriations Subcommittee[/URL] stated that extending the life of B61s and consolidating its variants may not be a cheap and low-risk method to meet military requirements[/QUOTE]I have little doubt that this insane scheme will continue to resurface.

xilman 2015-04-27 12:54

I did not expect this. A [URL="http://www.thesun.co.uk/sol/homepage/news/6429126/The-Sun-Whistleblower-Charter.html"]mass-circulation tabloid in the UK[/URL] has set up an [URL="https://nodd5fyasyj4jqgp.onion"]anonymous dropbox[/URL] for whistleblowers. It's accessible only through Tor and the paper has given instructions on how to acquire and use a Tor-enabled browser together with Tails Linux if desired.

xilman 2015-04-27 14:33

[url]https://goodcrypto.com/news/2015/03/26/surveillance-system-used-for-censorship-in-europe/[/url] has just appeared in a security mailing list. The finger appears to point at NSA and/or GCHQ but I don't expect to find out who is really to blame.

The post is rather long but the take-home message is that wget has a completely different set of vulnerabilities to browsers and will often succeed in the face of adversity.

chappy 2015-04-27 23:23

[url]http://www.theblaze.com/stories/2015/04/21/jeb-bush-reveals-what-he-considers-to-be-the-best-part-of-the-obama-administration/[/url]


Hint, hint, it's the topic of the day!

ewmayer 2015-05-03 23:19

[url=www.nakedcapitalism.com/2015/05/angela-merkels-nsa-nightmare-just-got-lot-worse.html]Angela Merkel’s NSA Nightmare Just Got A Lot Worse[/url] | naked capitalism
[quote]For Merkel, it is a dizzying reversal of roles and fortunes. In 2013 she was arguably the most high-profile victim of NSA surveillance when it was revealed that the NSA had targeted her cellphone. When confronted with Edward Snowden’s allegations of US National Security Agency mass surveillance of European citizens, Merkel famously said that “spying on friends is just not on.” According to official accounts, she even placed a “strongly worded phone call” to US President Barack Obama.[/quote]
Beyond the hypocrisy, especially appalling for someone who grew up in the former DDR, as Merkel did.

And blogger Ian Welsh weighs in on the DDR angle:

[url=www.ianwelsh.net/happiness-and-freedom-east-german-version/]Happiness and Freedom: East German Version[/url]
[quote]it’s a bad sign when you aren’t even considered a better place to live than East Germany, with its Stasi. The failures of the post-Soviet era are making that period look better and better. In Russia, there is a surge of nostalgia for the USSR, for reasons which are remarkably similar. People are discovering that, as wonderful as Levis jeans are, there is a cost to the modern consumer society in terms of anomie, corruption, and economic precarity.

Though I think I like the bitter joke from 1990s Russia best:
[i]
Everything they (Communist authorities) told us about Communism was a lie. Unfortunately, everything they told us about Capitalism was the truth.[/i][/quote]
Some good reader comments to that one.

And by way of a "you simply can't make stuff like this up" counterpoint:

[url=http://www.euronews.com/2015/05/01/snowden-assange-and-manning-statues-unveiled-in-berlin/]Snowden, Assange and Manning statues unveiled in Berlin[/url] | Euronews

Inquiring minds want to know: Will Angie be laying a wreath in honor of the three champions of liberty?

xilman 2015-05-07 19:00

[URL="http://www.bbc.co.uk/news/world-us-canada-32620742"]NSA phone data collection 'illegal', US court rules[/URL]

ewmayer 2015-05-08 00:44

Paul beat me to it (I snarfed the links below this morning, but been offline since then doing more needful things), but allow me to pile on and add a Salon link about an interesting connection:

o [url=https://firstlook.org/theintercept/2015/05/07/appellate-court-rules-nsas-bulk-collection-phone-records-illegal/]NSA's Bulk Collection of Phone Records Is Illegal, Appeals Court Says[/url] - The Intercept

Good in the sense that the decision was unanimous and the opinions demolish more or less all of the government's key claims about constitutionality and standing (of the petitioners), but without an accompanying "cease and desist" (in some independently verifiable form, which the liars and spooks will never allow), I doubt anything will change in the near future. When they demolish or repurpose the ginormous NSA data center that's being built in Utah, that would be a clear sign of a change in practices.

o [url=www.salon.com/2015/05/05/it’s_pure_authoritarianism_glenn_greenwald_exposes_the_link_between_baltimores_uprising_and_the_nsa/]"It’s pure authoritarianism": Glenn Greenwald exposes the link between Baltimore's uprising and the NSA[/url] - Salon.com

ewmayer 2015-05-13 03:44

[url=arstechnica.com/tech-policy/2015/05/worker-fired-for-disabling-gps-app-that-tracked-her-24-hours-a-day/]Worker fired for disabling GPS app that tracked her 24 hours a day [Updated][/url] | Ars Technica

xilman 2015-05-14 08:23

[URL="http://www.bbc.co.uk/news/world-us-canada-32732258"]The US House of Representatives has voted to end the National Security Agency's bulk collection of Americans' phone records.[/URL]

Looks like it's now for the Senate to decide.

ewmayer 2015-05-14 21:33

[QUOTE=xilman;402282][URL="http://www.bbc.co.uk/news/world-us-canada-32732258"]The US House of Representatives has voted to end the National Security Agency's bulk collection of Americans' phone records.[/URL]

Looks like it's now for the Senate to decide.[/QUOTE]

With what, if any, enforcement mechanism? Not that the spookmasters would ever lie to us or anything ... (cough, 'Clapper congressional testimony', cough).

======================

[url=www.nakedcapitalism.com/2015/05/cia-whistleblower-sentenced-to-42-months-based-on-metadata.html]CIA Whistleblower Sentenced to 42 Months Based on Metadata[/url] | naked capitalism

Wow, the standard of evidence here was pathetic -- was the judge asleep through this, or did he allow the prosecution to give the jury its instructions in his stead? "Certain unclassified-at-the-time documents which were later classified were found in defendant's possession ... ergo, defendant must have passed on highly classified documents, even though no evidence of possession of such documents was found."

The descent of the U.S. "justice" system into Kafkaesque hell continues. Is this one of the signal markers of empires in their death throes? We can only hope.

Ralf Recker 2015-05-20 17:01

Another [URL="https://weakdh.org/"]downgrade attack[/URL] paper has been published recently. It might explain one of the stunts the NSA has allegedly pulled off.

[QUOTE]
If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks:

How is NSA defeating the encryption for widely used VPN protocols?[/QUOTE]

ewmayer 2015-05-31 21:36

[url=https://medium.com/@MinneapoliSam/fleet-of-government-aircraft-flying-secret-missions-over-u-s-cities-84cbdf57dfbb]Fleet of Government Aircraft Flying Secret Missions over U.S. Cities[/url] — Medium

And related:

[url=https://www.schneier.com/blog/archives/2015/05/terrorist_risks_1.html]Terrorist Risks by City, According to Actual Data[/url] -- Bruce Schneier

Nick 2015-06-01 11:52

[B]Terror trial collapses after security services 'refuse to disclose material'

[/B][QUOTE]
Gildo was arrested while transiting through Heathrow airport. He had not crossed the UK border and had not intended to enter Britain. He was charged with receiving terrorist training and weapons training in 2012 and 2013 and of possessing information likely to be useful to a terrorist.
The decision to drop the charges – the third time in a Syria-related case in the past six months – is embarrassing for the security and intelligence agencies. It seems they did not want to reveal their activities in Syria and Iraq and their role in helping opponents of the Assad regime.
[/QUOTE]

Press article: [URL]http://www.theguardian.com/uk-news/2015/jun/01/trial-swedish-man-accused-terrorism-offences-collapse-bherlin-gildo[/URL]

kladner 2015-06-01 15:19

[QUOTE=Nick;403324][B]Terror trial collapses after security services 'refuse to disclose material'

[/B]

Press article: [URL]http://www.theguardian.com/uk-news/2015/jun/01/trial-swedish-man-accused-terrorism-offences-collapse-bherlin-gildo[/URL][/QUOTE]

It seems the UK still has some sense of justice under law. In the US, such niceties have been ignored where classified material is concerned.

LaurV 2015-06-02 01:55

Is that photo for real? It looks like from a movie, and I have the feeling I recognize some actors, the one with the gun, and the fat guy in the back, this one especially I associate in my mind with a funny support actor from action movies... :smile:

Nick 2015-06-02 07:26

[QUOTE=LaurV;403383]Is that photo for real? It looks like from a movie, and I have the feeling I recognize some actors, the one with the gun, and the fat guy in the back, this one especially I associate in my mind with a funny support actor from action movies... :smile:[/QUOTE]
[URL]http://widerimage.reuters.com/photographer/muzaffar-salman[/URL]

ewmayer 2015-06-03 06:32

[url=www.theonion.com/article/frustrated-nsa-now-forced-rely-mass-surveillance-p-50550]Frustrated NSA Now Forced To Rely On Mass Surveillance Programs That Haven’t Come To Light Yet[/url] | Der Zwiebel, Amerika's Tollste Zeitung

(Re. the comment-easter-egg at top of the page source ... it's so cute it brings tears to my eyes.)

Nick 2015-06-10 14:44

[QUOTE=Nick;374565]60 years ago, the Bilderberg Group was founded by the late Dutch Prince Bernhard.
It is an annual meeting of more than 100 of the most powerful people from North America and Europe, both in the public and private sectors, and its meetings are private - until recently even their existence was secret. Up to now, journalists wanting to know who is attending had to try and spot people as they arrived. This year's meeting is taking place now, this time in Copenhagen, and the list of participants has been published:
[URL]http://bilderbergmeetings.org/participants.html[/URL]
A curious mix!
[/QUOTE]

It's that time of year again, the venue this time is Telfs-Buchen (Austria) and the new participants are:
[URL]http://www.bilderbergmeetings.org/participants2015.html[/URL]

[QUOTE]
Bilderberg 2015 has an extremely high-powered participant list, featuring a large number of senior politicians and public figures. With participants this powerful, and an agenda containing this many hot topics, the Telfs policy conference is sure to be covered in depth by the world’s press. And by “sure to be”, I mean probably won’t be. For reasons that, as ever, escape me.
[/QUOTE]Press article: [URL]http://www.theguardian.com/world/2015/jun/08/bilderberg-summit-forget-the-g7[/URL]

LaurV 2015-06-11 01:57

No Romanian on that list, time for me to go there to ask what the hack are they thinking... :razz:

ewmayer 2015-06-11 03:12

[QUOTE=LaurV;403855]No Romanian on that list, time for me to go there to ask what the hack are they thinking... :razz:[/QUOTE]

Lot of bloodsuckers, though. "Honorary Romanians," perhaps?

[i]Oh, life is a glorious cycle of song,
A medley of extemporanea;
And love is a thing that can never go wrong;
And I am [url=https://en.wikipedia.org/wiki/Marie_of_Romania]Marie of Romania[/url].[/i]
-- Dorothy Parker

Nick 2015-07-22 09:02

Mathematics and Mass Surveillance
 
Here is a list of links on mathematics and mass surveillance from Tom Leinster in the n-Category Cafe blog:
[URL]https://golem.ph.utexas.edu/category/2014/07/math_and_mass_surveillance_a_r.html[/URL]

It's not new, but I have not come across it before, so maybe that's the case for others here as well.

ewmayer 2015-07-23 06:14

[url=www.spiegel.de/international/world/spiegel-interview-with-wikileaks-head-julian-assange-a-1044399.html]SPIEGEL Interview with WikiLeaks Head Julian Assange[/url] - SPIEGEL ONLINE

A few regrettable typos ['Chomski' instead of Chomsky, 'cannon' in place of 'canon'], but otherwise excellent.

ewmayer 2015-07-25 02:08

Note to U.S. 'cybersecurity' (ha, ha, ha) deciderers: If you want to keep your Top Secrets secret, consider spending a tiny fraction of what you do to conduct unconstitutional surveillance of your own citizenry on some actual security-cleared IT people, and stop handing out root access like Halloween candy to IT contractors, especially foreign-based ones, especially^n foreign-based ones from nations who would love such data and whose own intelligence services would love to have such data and who would otherwise have to spend $billions to obtain even a minuscule fraction of what y'all just HANDED OVER FOR FREE:

[url=arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/]Encryption “would not have helped” at OPM, says DHS official[/url]: [i]Attackers had valid user credentials and run of network, bypassing security.[/i]

Especially rich is the 'Congressional outrage' cited, because as the Ars piece goes on to note:
[quote]But some of the security issues at OPM fall on Congress' shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM's investigation process told Ars, was essentially a company made up of "some OPM people who quit the agency and started up USIS on a shoestring." When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—"a bunch of people on an even thinner shoestring. Now if you get investigated, it's by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account."[/quote]
Ah, a personal e-mail account - you mean like the one Hillary Clinton used to conduct classified state department business during her tenure as Secretary of State? Well, with 'leadership' like that...

ewmayer 2015-08-01 22:01

[url=www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/]Researchers Hack Air-Gapped Computer With Simple Cell Phone[/url] | WIRED
[quote]The most sensitive work environments, like nuclear power plants, demand the strictest security. Usually this is achieved by air-gapping computers from the Internet and preventing workers from inserting USB sticks into computers. When the work is classified or involves sensitive trade secrets, companies often also institute strict rules against bringing smartphones into the workspace, as these could easily be turned into unwitting listening devices.

But researchers in Israel have devised a new method for stealing data that bypasses all of these protections -- using the GSM network, electromagnetic waves and a basic low-end mobile phone. The researchers are calling the finding a "breakthrough" in extracting data from air-gapped systems and say it serves as a warning to defense companies and others that they need to immediately "change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals," says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev, where the research was done.

The attack requires both the targeted computer and the mobile phone to have malware installed on them, but once this is done the attack exploits the natural capabilities of each device to exfiltrate data.[/quote]
All it takes is standard NSA-style supply-chain interdiction to preinstall the needed malware, and then even a pre-smartphone stupidCellPhone (or backpack-style dedicated receiver up to 30m away, likely farther with added refinements) suffices to snarf data.

I wonder how expensive it would be to retrofit an existing building in order to use the rebar inside the reinforced concrete to turn the entire building - or perhaps just key parts of it - into a Faraday cage. And even if feasible, what kinds of continuous-power requirements would apply for such operation?

kladner 2015-08-03 05:56

What would power be needed for with regard to a [URL="https://en.wikipedia.org/wiki/Faraday_cage"]Faraday cage[/URL]? Doesn't it just shunt power around its interior?

EDIT: I suspect that the gaps in rebar are too large. It does depend on what frequencies you want to interdict.

xilman 2015-08-04 18:06

There is an absolutely fascinating process going on in das vierte Reich which I've been following for the last week or so. The latest development is that [URL="http://www.bbc.co.uk/news/world-europe-33772316"]Germany's justice minister has demanded the sacking of the chief prosecutor[/URL].

Nick 2015-08-05 15:33

[QUOTE=xilman;407225]There is an absolutely fascinating process going on in das vierte Reich which I've been following for the last week or so. The latest development is that [URL="http://www.bbc.co.uk/news/world-europe-33772316"]Germany's justice minister has demanded the sacking of the chief prosecutor[/URL].[/QUOTE]
Some background (from the 1970s but still relevant):
[URL]http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=1535&context=fss_papers[/URL]

ewmayer 2015-08-06 01:59

Re. the Paul-linked shit-flinging (although it requires a non-grammatical extra 'n' to create a rhyming, 'Scheißenschmeißen' kinda has a nice ring to it) money snip for me is 'Critics have accused Mr Range of double standards, with the prosecutor earlier this year dropping an investigation into alleged tapping of Chancellor Merkel's phone by the US National Security Agency over lack of evidence.' Seems to me they didn't look very hard for said evidence. But what they really need to do is to emulate the US and set up a secret court system with strictly one-sided argumentation to decide such tricky constitutional issues. It's all about 'modernization' of the judiciary, Germany!

=================

[url=https://www.schneier.com/blog/archives/2015/08/shooting_down_d.html]Shooting Down Drones[/url] - Schneier on Security

Note especially the commenter-linked wikipage 'Air Rights'. Using birdshot to bring down a peeping hoverdrone seems eminently justified to me - and if it causes damage or injury when it crashes to earth afterward, hold the operator liable. But of course neither our federal nor local governments will do any such privacy-must-have-primacy thing - as another reader notes, "They don't want to allow people to protect themselves from drones because they plan on ramping up the use of them.". Oh, and the 'requiring identifying markings' suggestion by the lawyer (Froomkin) is useless blahblahblah with respect to the kinds of drones which need to be shot down, and whose operators are almost by definition going to flout any such regulations.

Of course within not very many years these things are going to be first hummingbird and then bee-sized, and that ongoing miniaturization is gonna open a whole new can of worms. And yes, governments *will* be rushing to mass-deploy the mini ones for targeted assassination and even on the battlefield, which will raise an interesting conflict, because the most effective countermeasure at that point will likely be EMP weapons, which will fry all microelectronics in the vicinity, including those of the EMP users. I honestly hope I don't live long enough to see that nightmarish future come about.

xilman 2015-08-06 07:26

[QUOTE=ewmayer;407317]But what they really need to do is to emulate the US and set up a secret court system with strictly one-sided argumentation to decide such tricky constitutional issues. It's all about 'modernization' of the judiciary, Germany![/QUOTE]Presumably that would need a secret state police as well. Otherwise, how are they going to investigate alleged crimes?

Nick 2015-08-06 11:35

[QUOTE=ewmayer;407317]
[URL="https://www.schneier.com/blog/archives/2015/08/shooting_down_d.html"]Shooting Down Drones[/URL] - Schneier on Security
[/QUOTE]
Alternative suggestion: if a drone is invading your privacy, just start watching a Hollywood movie. If the drone doesn't go away, you can then unleash the studios on the operator for illegal copying.:wink:

Xyzzy 2015-08-17 14:31

[url]http://arstechnica.com/tech-policy/2015/08/atts-extreme-willingness-to-help-is-key-to-nsa-internet-surveillance/[/url]

[QUOTE]The cooperation involved a variety of classified programs that span decades, in one case more than 15 years before the September 11 terrorist attacks.[/QUOTE]

chappy 2015-08-17 16:16

[QUOTE=Nick;407340]Alternative suggestion: if a drone is invading your privacy, just start watching a Hollywood movie. If the drone doesn't go away, you can then unleash the studios on the operator for illegal copying.:wink:[/QUOTE]

Love it.

only_human 2015-08-19 05:47

[URL="http://laist.com/2015/08/18/how_the_lapd_has_been_hacking_our_p.php"]How The LAPD Has Been Hacking Our Phones For Years[/URL]
[QUOTE]The LAPD has had access to a device called a "dirtbox" for the past several years. This equipment allows them to intercept calls and text messages from numerous cellphones at once.

A "dirtbox" gets its name from the acronym of the company that makes them: Digital Receiver Technology, Inc., which is owned by The Boeing Co. These devices, which are used by the military and the Justice Department, are also being used by police. Police departments in both Chicago and L.A. bought the equipment in 2005, according to an investigation by Reveal News. Los Angeles spent $260,000 on the equipment, using money from a homeland security grant to pay for the actual devices and a two-week training program on how to use it. Their reasoning was the same as it always is: to fight terrorism. Chicago, on the other hand, used funds from the controversial practice of asset forfeiture.

A dirtbox is something called a cell site simulator, and it works by mimicking a cell phone tower. Cell phones within range start using the dirtbox, and any information—voice calls, who you've called, texts, data you've sent—is intercepted and decrypted as it passes through. A dirtbox is capable of drawing from 200 cellphones at a time, and it can also jam signals. The Justice Department uses these devices, typically putting them on planes that U.S. Marshals fly around. In theory, if you're not a suspect, your phone information would be ignored.

Dirtboxes are similar to the Harris Corporation's StingRays, which the LAPD also employs, but dirtboxes are more powerful. Activist Freddy Martinez said a dirtbox is like a StingRay "on steroids."[/QUOTE]

