A new story based on the Snowden documents and published in the German newspaper Süddeutsche Zeitung shows how the GCHQ worked with Cable & Wireless — acquired by Vodafone in 2012 — to eavesdrop on Internet and telecommunications traffic. New documents on the page, and here.
This is a creepy story. The FBI wanted access to a hotel guest’s room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant.
From the motion to suppress:
The next time you call for assistance because the internet service in your home is not working, the “technician” who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and — when he shows up at your door, impersonating a technician — let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have “consented” to an intrusive search of your home.
Basically, the agents snooped around the hotel room, and gathered evidence
that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians.
More coverage of the case here.
This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can’t be sure they are not government agents in disguise, then we’ve lost quite a lot of our freedom and liberty.
Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater.
Tales of cephalopod behavior, including octopuses, squid, cuttlefish and nautiluses.
Cephalopod Cognition, published by Cambridge University Press, is currently available in hardcover, and the paperback edition will be available next week.
Reuters is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program.
The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing the calling records of nearly every American fundamentally changed the character of the agency, which is supposed to eavesdrop on foreigners, not Americans.
Hacker News thread.
Announcing Let’s Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.
This is an absolutely fantastic idea.
The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.
Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
- Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
- Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.
- Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
- Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.
Whatapp is now offering end-to-end message encryption:
Whatsapp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device.
I don’t know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives me some confidence that it’s a robust implementation.
The NSA recently declassified a report on the Eurocrypt ’92 conference. Honestly, I share some of the writer’s opinions on the more theoretical stuff. I know it’s important, but it’s not something I care all that much about.
New article on the NSA’s efforts to control academic cryptographic research in the 1970s. It includes new interviews with public-key cryptography inventor Martin Hellman and then NSA-director Bobby Inman.
The interesting story of how engineers at Ford Motor Co. invented the superconducting quantum interference device, or SQUID.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Last month, for the first time since US export restrictions on cryptography were relaxed over a decade ago, the US government has fined a company for exporting crypto software without a license.
No one knows what this means.
Pew Research has released a new survey on American’s perceptions of privacy. The results are pretty much in line with all the other surveys on privacy I’ve read. As Cory Doctorow likes to say, we’ve reached “peak indifference to surveillance.”
Orin Kerr has a new article that argues for narrowly constructing national security law:
This Essay argues that Congress should adopt a rule of narrow construction of the national security surveillance statutes. Under this interpretive rule, which the Essay calls a “rule of lenity,” ambiguity in the powers granted to the executive branch in the sections of the United States Code on national security surveillance should trigger a narrow judicial interpretation in favor of the individual and against the State. A rule of lenity would push Congress to be the primary decision maker to balance privacy and security when technology changes, limiting the rulemaking power of the secret Foreign Intelligence Surveillance Court. A rule of lenity would help restore the power over national security surveillance law to where it belongs: The People.
This is certainly not a panacea. As Jack Goldsmith rightly points out, more Congressional oversight over NSA surveillance during the last decade would have gained us more NSA surveillance. But it’s certainly better than having secret courts make the rules after only hearing one side of the argument.
Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. “Darkhotel” is the name the group and its techniques has been given.
This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew’s most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.
Good article. This seems pretty obviously a nation-state attack. It’s anyone’s guess which country is behind it, though.
Targets in the spear — phishing attacks include high-profile executives — among them a media executive from Asiaas well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. “All nuclear nations in Asia,” Raiu notes. “Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments.” Recently there has been a spike in the attacks against the U.S. defense industry.
We usually infer the attackers from the target list. This one isn’t that helpful. Pakistan? China? South Korea? I’m just guessing.
I’m not sure why this is news, except that it makes for a startling headline. (Is the New York Times now into clickbait?) It’s not as if people are throwing squid onto the field, as Detroit hockey fans do with octopus.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Chicago is doing random explosives screenings at random L stops in the Chicago area. Compliance is voluntary:
Police made no arrests but one rider refused to submit to the screening and left the station without incident, Maloney said.
Passengers can decline the screening, but will not be allowed to board a train at that station. Riders can leave that station and board a train at a different station.
I have to wonder what would happen if someone who looks Arab refused to be screened. And what possible value this procedure has. Anyone who has a bomb in their bag would see the screening point well before approaching it, and be able to walk to the next stop without potentially arousing suspicion.
Interesting paper by Melissa Hathaway: “Connected Choices: How the Internet Is Challenging Sovereign Decisions.”
Abstract: Modern societies are in the middle of a strategic, multidimensional competition for money, power, and control over all aspects of the Internet and the Internet economy. This article discusses the increasing pace of discord and the competing interests that are unfolding in the current debate concerning the control and governance of the Internet and its infrastructure. Some countries are more prepared for and committed to winning tactical battles than are others on the road to asserting themselves as an Internet power. Some are acutely aware of what is at stake; the question is whether they will be the master or the victim of these multilayered power struggles as subtle and not-so-subtle connected choices are being made. Understanding this debate requires an appreciation of the entangled economic, technical, regulatory, political, and social interests implicated by the Internet. Those states that are prepared for and understand the many facets of the Internet will likely end up on top.