Government snooping, backdoors and #necessaryhashtags

[retina]

Quote:

Originally Posted by xilman

Did you seriously expect anything else?

Normally I wouldn't, but since you posted it I thought there might be some semblance of value in it.

[xilman]

We're finding it difficult to scan so we'll destroy your legitimate business.

https://torrentfreak.com/under-u-s-p...-files-150227/

[only_human]

Those old encryption export restrictions have left a massive security hole. We've be hearing more about this one.

Quote:

New SSL attack: Apple, Android gear FREAK out, open up to spies
OpenSSL, iOS and OS X tricked into using weak 1990s-grade encryption keys

I am unsure how this is different from other recent exploits that tricked clients into using weaker encryption.
https://freakattack.com/ is a test for it.
On my kindle fire tablet, https://freakattack.com/clienttest.html tells me:

Quote:

TLS Freak Attack: Client Check
Warning! Your client is vulnerable to CVE-2015-0204. Even though your client doesn't offer any RSA EXPORT suites, it can still be tricked into using one of them. We encourage you to upgrade your client.
If you're curious, your client currently offers the following cipher suites:

Cipher Suite
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RENEGO_PROTECTION_REQUEST

[retina]

Quote:

Originally Posted by only_human

I am unsure how this is different from other recent exploits that tricked clients into using weaker encryption.
https://freakattack.com/ is a test for it.

Require JS apparently. Anyhow I checked for this a long time ago with my FF 3.6.28 and made sure I couldn't be downgraded. I'm surprised this has only just become an issue. Perhaps the newer browsers have started becoming more insecure? Yet another reasons to stop the constant updating of features in browsers and start getting the bugs fixed.

[only_human]

Quote:

Originally Posted by kladner

How is the company going to put things right with the customers? We wonders, yes we wonders, my Precious. I also wonder if there are enough injured parties to launch a Class Action suit against Lenovo. I foresee many attorneys scarfing down a feast of fees, as there are bound to be suits already in progress, and many more to come.

From Blooomberg: "Turned off," eh? That is not exactly comforting. Actually, it seems that-
"And TRUST Us, this really, truly, pinky-swear, this Really removes the malware, and doesn't just cover it up somehow."

EDIT: It also really chaps my ass that the situation is being cast, at least sardonically, as "a very poor security-versus-user-experience trade-off.” Is it supposed to IMPROVE my bleeding "User Experience" to have sneaky malware bombard me with targeted ads? [/LEWIS_BLACK]

$250K: That's what Lenovo earned to RAT YOU OUT with Superfish

Quote:

Forbes sources' now say Lenovo made between US$200,000 to US$250,000 from the deal to pre-install Superfish, a paltry amount given its net profit was US$253 million in the three months to December.

Quote:

The Superfish PR disaster has also snowballed into a lawsuit initiated by Californian woman Jessica Bennett, who filed against Lenovo and Superfish claiming the “malware” injected smut images into her Yoga laptop. ®

[only_human]

Quote:

Originally Posted by retina

Require JS apparently. Anyhow I checked for this a long time ago with my FF 3.6.28 and made sure I couldn't be downgraded. I'm surprised this has only just become an issue. Perhaps the newer browsers have started becoming more insecure? Yet another reasons to stop the constant updating of features in browsers and start getting the bugs fixed.

Perhaps so; Internet Explorer 11 for Windows is vulnerable to FREAK attack

Quote:

Affected operating systems include Windows Server 2003, Vista (all flavors), Server 2008, and all consumer versions of Windows, including Windows RT.

It appears that some Windows browsers are vulnerable while others aren’t — Internet Explorer 11, even when fully patched, still shows as vulnerable to the attack, while Firefox and Chrome don’t. The Microsoft workaround is shown below, but you’d best be comfortable with rooting around in the Group Policy Object Editor.

. . .

Right now, the only fix is to manually tell Windows which ciphers are safe for use and which are not.

Google has already patched the version of Chrome for Mac to disable the problem, and Firefox is supposedly safe on all platforms. The formal iOS and OS X patches are still in the pipeline; Apple hasn’t provided an updated timeline for their release beyond “next week.”

As for how dangerous FREAK actually is, the practical risk appears to be relatively low. The greater problem is what FREAK represents. It’s a flaw that only exists because governments attempted to mandate weak cryptography in the mistaken belief that it could retain control of security standards for the “good” guys without handing bad guys additional flaws or attack vectors. The fact that the problem has existed, undetected, for over a decade suggests that groups like the NSA and other security agencies could well have exploited it in targeted attacks –and these are precisely the kinds of threats that the NSA is supposed to be capable of guarding against.

Backdoors don’t have morals. They don’t distinguish between good guys and bad guys, or good governments versus bad governments. They break security models simply by virtue of existing. And they can’t be used to balance government oversight against user or corporate security.

[ewmayer]

Announcing the Surveillance Valley Project | Yasha Levine, Pando Daily

Quote:

For the past year-and-a-half I’ve been covering the “Surveillance Valley” beat for San Francisco-based Pando Daily, investigating the for-profit surveillance business that powers Silicon Valley, and the ways in which this technology is increasingly being used to monitor and control our lives.
...
Above all else, my reporting revealed how worried we all are at the growing, unchecked economic and political power of Silicon Valley — and how little any of us really know about what’s going on in the boardrooms and faceless server farm-warehouses that power big tech. The more I reported on Silicon Valley, the more I was convinced that big tech’s reliance on surveillance to expand and maintain its power is a vital issue that needed to be explored deeper and at greater length.

Now I’ve taken my reporting to the next level with an independent book project — and have launched a Kickstarter campaign to get it going.

The book is called Surveillance Valley: The Rise of the Google-Military Complex.

* * * *

Since the start of the Internet revolution, we have been told that we are witnessing the dawn of a new and liberating technology — a technology that will decentralize power, topple entrenched bureaucracies, and bring more democracy and equality to the world. But the Internet did the exact opposite. It increased inequality, birthed massive global corporations, minted new billionaires (23 just last year in California), helped concentrate wealth and power, and expanded the reach of the U.S. National Security State.

How did a technology that supposedly held so such democratic promise so quickly devolve into the dystopian reality we see today? How is all this concentrated power affecting our democratic society? Where is it going? And where will it end?

These are some of the overarching questions that I will address in Surveillance Valley.

He goes on to explain why no traditional publisher - once they find out the laundry list of Big Tech companies the book will cover - will have anything to do with the project. Think "Threatened loss of Amazon.com preferred pricing and/or sales privileges."

[jasonp]

Security downgrade attacks are a consequence of the choice of defaults in SSL libraries; more often than not they err on the side of letting users customize the library as much as they want but by default allowing as many SSL-enabled web sites to work as possible, as long as they handle the protocol correctly. The downside to this is that SSL libraries are very difficult to configure correctly.

Those defaults are also counterintuitive sometimes; if you are using OpenSSL manually, for example, the default behavior upon receiving a server certificate signed by an untrusted root is to allow the connection to go through but log an error. If you don't like that default you have a lot of code to write. In fact a paper published two years ago showed how a huge number of libraries and commercial frameworks that wrap an SSL library have no protection from man-in-the-middle attacks because you can literally give them a garbage certificate signed by anybody and the connection won't be refused.

[only_human]

Today, Wikipedia and the ACLU are filing a lawsuit over NSA interception of and searching of text based traffic.
Stop Spying on Wikipedia Users NYTimes opinion page

Quote:

The notion that the N.S.A. is monitoring Wikipedia’s users is not, unfortunately, a stretch of the imagination. One of the documents revealed by the whistle-blower Edward J. Snowden specifically identified Wikipedia as a target for surveillance, alongside several other major websites like CNN.com, Gmail and Facebook. The leaked slide from a classified PowerPoint presentation declared that monitoring these sites could allow N.S.A. analysts to learn “nearly everything a typical user does on the Internet.”

The harm to Wikimedia and the hundreds of millions of people who visit our websites is clear: Pervasive surveillance has a chilling effect. It stifles freedom of expression and the free exchange of knowledge that Wikimedia was designed to enable.

During the 2011 Arab uprisings, Wikipedia users collaborated to create articles that helped educate the world about what was happening. Continuing cooperation between American and Egyptian intelligence services is well established; the director of Egypt’s main spy agency under President Abdel Fattah el-Sisi boasted in 2013 that he was “in constant contact” with the Central Intelligence Agency.

So imagine, now, a Wikipedia user in Egypt who wants to edit a page about government opposition or discuss it with fellow editors. If that user knows the N.S.A. is routinely combing through her contributions to Wikipedia, and possibly sharing information with her government, she will surely be less likely to add her knowledge or have that conversation, for fear of reprisal.

And then imagine this decision playing out in the minds of thousands of would-be contributors in other countries. That represents a loss for everyone who uses Wikipedia and the Internet — not just fellow editors, but hundreds of millions of readers in the United States and around the world.

In the lawsuit we’re filing with the help of the American Civil Liberties Union, we’re joining as a fellow plaintiff a broad coalition of human rights, civil society, legal, media and information organizations. Their work, like ours, requires them to engage in sensitive Internet communications with people outside the United States.

That is why we’re asking the court to order an end to the N.S.A.’s dragnet surveillance of Internet traffic.

ACLU..org : HOME › KEEP AMERICA SAFE AND FREE › SURVEILLANCE & PRIVACY
Wikimedia v. NSA: Challenge to Mass Surveillance Under the FISA Amendments Act

Quote:

The ACLU has filed a lawsuit challenging the constitutionality of the NSA’s mass interception and searching of Americans’ international communications. At issue is the NSA's “upstream” surveillance, through which the U.S. government monitors almost all international – and many domestic – text-based communications. The ACLU’s lawsuit, filed in March 2015 in the U.S. District Court for the District of Maryland, is brought on behalf of nearly a dozen educational, legal, human rights, and media organizations that collectively engage in hundreds of billions of sensitive Internet communications and have been harmed by NSA surveillance.

The plaintiffs in the lawsuit are: Wikimedia Foundation, The National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, PEN American Center, Global Fund for Women, The Nation Magazine, The Rutherford Institute, and The Washington Office on Latin America. These plaintiffs’ sensitive communications have been copied, searched, and likely retained by the NSA. Upstream surveillance hinders the plaintiffs’ ability to ensure the basic confidentiality of their communications with crucial contacts abroad – among them journalists, colleagues, clients, victims of human rights abuses, and the tens of millions of people who read and edit Wikipedia pages.

Read the complaint » (PDF file)

Upstream surveillance, which the government claims is authorized by the FISA Amendments Act of 2008, is designed to ensnare all of Americans’ international communications, including emails, web-browsing content, and search engine queries. It is facilitated by devices installed, with the help of companies like Verizon and AT&T, directly on the internet “backbone” – the network of high-capacity cables, switches, and routers across which Internet traffic travels.

The NSA intercepts and copies private communications in bulk while they are in transit, and then searches their contents using tens of thousands of keywords associated with NSA targets. These targets, chosen by intelligence analysts, are never approved by any court, and the limitations that do exist are weak and riddled with exceptions. Under the FAA, the NSA may target any foreigner outside the United States believed likely to communicate “foreign intelligence information” – a pool of potential targets so broad that it encompasses journalists, academic researchers, corporations, aid workers, business persons, and others who are not suspected of any wrongdoing.

Through its general, indiscriminate searches and seizures of the plaintiffs’ communications, upstream surveillance invades their Fourth Amendment right to privacy, infringes on their First Amendment rights to free expression and association, and exceeds the statutory limits of the FAA itself. The nature of plaintiffs' work and the law’s permissive guidelines for targeting make it likely that the NSA is also retaining and reading their communications, from email exchanges between Amnesty staff and activists, to Wikipedia browsing by readers abroad.

The ACLU litigated an earlier challenge to surveillance conducted under the FAA – Clapper v. Amnesty – which was filed less than an hour after President Bush signed the FAA into law in 2008. In a 5-4 vote, the Supreme Court dismissed the case in February 2013 on the grounds that the plaintiffs could not prove they had been spied on. Edward Snowden has said that the ruling contributed to his decision to expose the full scope of NSA surveillance a few months later. Among his disclosures was upstream surveillance, the existence of which was later confirmed by the government.

Our clients advocate for human and civil rights, unimpeded access to knowledge, and a free press. Their work is essential to a functioning democracy. When their sensitive and privileged communications are monitored by the U.S. government, they cannot work freely and their effectiveness is curtailed – to the detriment of Americans and others around the world.

[only_human]

In other news:
iSpy: THE CIA CAMPAIGN TO STEAL APPLE’S SECRETS

Quote:

RESEARCHERS WORKING with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.

By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.

The CIA declined to comment for this story.

The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “keylogger.”

[ewmayer]

Latest nuggets from Kaspersky labs:

New smoking gun further ties NSA to omnipotent “Equation Group” hackers | Ars Technica