by Mike Masnick
Tue, Nov 18th 2014 12:40pm
by Mike Masnick
Fri, Nov 14th 2014 1:25pm
from the fail dept
That's why it was really interesting to see the NY Times publish a piece encouraging news organizations to "embrace HTTPS," detailing why it's a good idea, and knocking down many of the excuses that some have used not to move forward. The piece is co-authored by Rajiv Pant, the CTO of the NY Times. Thus, you'd expect that the NY Times has SSL, right? Wrong. Hell, just try to visit that very article with the HTTPS version and you get:
by Michael Ho
Thu, Nov 13th 2014 5:00pm
from the urls-we-dig-up dept
- Some password systems allow for convenient variable-length passwords, so users can choose if they want an 8-character password that requires special characters, numbers and an upper/lowercase mix or if they would prefer an all lowercase 20-character password. Allowing for really long passwords makes it possible for people to pick strings like "correct battery horse staple" (which is probably a very insecure password now). [url]
- If you have a gazillion passwords in a plaintext file somewhere, you might want to try a password manager. But if you're not that paranoid about your passwords, you probably can't be bothered to set up a password manager, either. [url]
- Ultimately, humans probably should not be choosing their own passwords for the best security. There really isn't anything preventing people from choosing bad passwords, and longer passwords don't necessarily make for better ones (e.g., facebookpasswordmyname). [url]
by Glyn Moody
Thu, Nov 13th 2014 11:25am
from the is-that-really-a-good-idea? dept
The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.
Techdirt has written about Vupen a couple of times recently, and emphasized why buying such zero-day vulnerabilities to use for surveillance purposes without passing them on to be fixed makes the Internet much less safe for everyone. According to a related story in Der Spiegel (original in German), the BND hopes to apply zero-days to undermine the main encryption technology used to protect online communications, the Secure Sockets Layer (SSL) protocol. As The Local writes:
Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had worked with French computer security firm Vupen, which is known to sell details of security holes to governments, in the past.
The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.
It means that not only will the privacy of millions of people be at risk, but so will their economic activities and that of all the companies that use SSL to carry out online transactions.
"Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security," said Jim Killock of London-based digital rights NGO Open Rights Group.
"There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects."
The BND's move is particularly worrying, since it could well encourage spy agencies in other nations to follow suit, thus starting a bidding war for serious software flaws. That, in its turn, will encourage even more people to find and sell zero-days, rather than report them, reducing security online. It's probably too much to hope that government agencies would ever agree to give up acquiring and using software bugs in this way, but they should at least be required to limit their use so as to minimize the serious harm they could wreak across the entire Internet.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
by Glyn Moody
Fri, Nov 7th 2014 12:22pm
from the and-what-can-they-do-about-it? dept
Microsoft, Apple and Mozilla among others, trust CNNIC (China Internet Network Information Center) to protect your communications on their platforms by default, regardless of whether or not you are in China. CNNIC has implemented (and tried to mask) internet censorship, produced malware and has very bad security practices. Tech-savvy users in China have been protesting the inclusion of CNNIC as a trusted certificate authority for years. In January 2013, after Github was attacked in China, we publicly called for the revocation of the trust certificate for CNNIC. In light of the recent spate of man-in-the-middle (MITM) attacks in China, and in an effort to protect user privacy not just in China but everywhere, we again call for revocation of CNNIC Certificate Authority.
Although the logic of revoking CNNIC as a trusted certificate authority might seem inarguable, the consequences of doing so are likely to be serious. For example, the Chinese government might decide to ban the use of any browser that did not include CNNIC. That's hard to police, but the threat alone would be enough to dissuade any software company from removing CNNIC's certificate from its browser.
Perhaps the best solution is simply making users aware of the issue, and explaining how they can remove any certificate authority they have doubts about. And not just for China: these problems can arise in any country where a local trusted certificate authority is under the direct -- or indirect -- control of the government.
by Mike Masnick
Wed, Oct 29th 2014 12:40pm
from the best-cybersecurity-folks? dept
U.S. officials were alerted to the breach by an ally, sources said.
Wait a second. After all we've been told about the brilliant minds at the NSA/US Cyber Command and their "cybersecurity" skills -- it seems immensely troubling that (1) the US didn't catch this themselves and (2) that some other country did catch it. So, uh, just why is some "ally" monitoring the White House's network?
As for the rest of the report, as the Washington Post notes, this isn't even that big of a deal. Foreign state hackers are always going to try to breach US government computers, and sometimes they're going to succeed. That's the nature of the beast. But, it does seem profoundly odd that it was discovered by some other country.
by Tim Cushing
Thu, Oct 23rd 2014 9:18am
from the the-S's-stand-for-'stupid' dept
You don't have to be affiliated with any known terrorist group to be added to the government's terrorist watchlist. The Intercept's publication of the numbers behind the sheer number of people the government's keeping an eye on made that perfectly clear. A full 40% of the list -- 288,000 people -- are there without any particular justification. The agencies making these nominations clearly can't articulate why certain people should receive enhanced searches and questioning each and every time they seek to board a domestic flight. But they nominate these people anyway, using something no more scientific (or counter-terroristic) than a hunch.
Kashmir Hill at Forbes has a great profile of (not-very-anonymous-after-all) blogger Peter Young, who has received the dreaded SSSS designation from the TSA. Ringing up 4 S's means every TSA agent thinks you're a terrorist and every visit to the airport means extra patdowns and questioning. Young has been detailing the humdrum existence of your everyday terrorist over at his blog, "Jetsetting Terrorist," where he notes that his decidedly non-terroristic appearance causes consternation and confusion at smaller airports where 4-S designations are few and far between. Not that being a jetsetting terrorist doesn't have its upsides…
He discovers some of the hidden benefits of being labeled a terrorist: his boarding pass is a ticket to the front of the security line. He realizes he can turn the confusion over his flying status into a free flight and drink vouchers.
He also speculates as to why those on the terrorist watchlist aren't allowed to sit by emergency exits.
Terrorists hate humans so much we would physically block exit points in the event of a crash and/or fire.
They make you do that weird verbal confirmation thing after the flight attendant recites that exit row speech, and we’re known for only speaking Arabic.
The TSA just likes making stupid rules vacant of any rationale.
"Stupid rules vacant of any rationale" aptly describes a large swath of the Terrorist Watchlist, including Young's 4-S status, which prevents him from utilizing technological advancements like checking in electronically using a mobile device or a kiosk.
As far as Young can tell, it's a nearly two-decade-old misdemeanor that's keeping him from traveling without additional molestation.
His full-time job is running an online business, but he is also a prominent animal activist; the latter is what garners him the extra TLC from the TSA. The property crime for which he was convicted dates back to 1997 when he went on a cross-country road trip freeing minks from fur farms in three states. His weapon of mass destruction was a pair of bolt cutters. On the lam for a number of years, he was apprehended and tried in 2005, and found guilty of “animal extortion terrorism.”
"Animal extortion terrorism" isn't covered under the guidelines for the Terrorism Watchlist. In fact, Young was only ever convicted of a misdemeanor (pleading down from a felony) and served two years for his federal crime. But that's still enough to make him a feared traveler, one who is never to be trusted, not even 17 years removed from the "crime spree" that first drew the government's attention. While the prosecutor tried to connect Young with a group the DHS actually recognizes as domestic terrorists (the Animal Liberation Front), it didn't stick. Young denies any connection with the animal rights extremists.
There's another reason Young is blogging about his experiences: this very public outing of his TSA-stained laundry makes it that much tougher for the US government to simply "disappear" him, air travel-wise.
According to the Intercept, there were 16 people on the No-Fly list in 2001; in 2013, it had exploded to 47,000. “I’m worried the government will slowly move people from the Selectee list to the No-Fly list,” Young says. “I want a podium to speak from in case that does happen to me.”
As has been noted here, the No-Fly list is an unconstitutional joke. The "redress process" is so horribly ineffective that a court actually declared it to be a violation of Americans' civil rights. The Terrorism Watchlist is not only broader, but it's possibly more damaging. While it won't actually prevent you from flying (provided you don't mind every trip to the airport being the Full TSA Security Theater Experience), it does open your life up to a whole lot more government scrutiny.
In addition to data like fingerprints, travel itineraries, identification documents and gun licenses, the rules encourage screeners to acquire health insurance information, drug prescriptions, “any cards with an electronic strip on it (hotel cards, grocery cards, gift cards, frequent flyer cards),” cellphones, email addresses, binoculars, peroxide, bank account numbers, pay stubs, academic transcripts, parking and speeding tickets, and want ads. The digital information singled out for collection includes social media accounts, cell phone lists, speed dial numbers, laptop images, thumb drives, iPods, Kindles, and cameras. All of the information is then uploaded to the TIDE database.
Screeners are also instructed to collect data on any “pocket litter,” scuba gear, EZ Passes, library cards, and the titles of any books, along with information about their condition—”e.g., new, dog-eared, annotated, unopened.” Business cards and conference materials are also targeted, as well as “anything with an account number” and information about any gold or jewelry worn by the watchlisted individual. Even “animal information”—details about pets from veterinarians or tracking chips—is requested. The rulebook also encourages the collection of biometric or biographical data about the travel partners of watchlisted individuals.
This is from the same rulebook and documents that admitted that nearly 300,000 of the 680,000 people on the government's Terrorist Watchlist have "no recognized terrorist group affiliation." Just another ridiculous facet of the Dept. of Homeland Security's security theater: loading up on unrelated "extras" just so it can boast it has a "cast of thousands" (and demand a budget of billions!). No terrorism experience necessary. Enjoy your flight!
by Mike Masnick
Thu, Oct 16th 2014 2:07pm
from the not-how-it-works dept
Unfortunately, the law hasn’t kept pace with technology, and this disconnect has created a significant public safety problem. We call it “Going Dark,” and what it means is this: Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority. We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so.
We face two overlapping challenges. The first concerns real-time court-ordered interception of what we call “data in motion,” such as phone calls, e-mail, and live chat sessions. The second challenge concerns court-ordered access to data stored on our devices, such as e-mail, text messages, photos, and videos—or what we call “data at rest.” And both real-time communication and stored data are increasingly encrypted.
Of course, many of us look at that encryption itself as a public safety issue on the other side. Greater encryption allows people to communicate safely, securely and privately -- which is an important public safety consideration. The simple fact is that crimes have been committed throughout human history without the ability of law enforcement to eavesdrop on people. It's merely an accident of history that so much communication recently has had backdoors and holes by which eavesdropping was even possible. Closing those doors doesn't mean law enforcement can't solve crimes, and it's silly to mandate backdoors when it's not necessary and can create more problems.
Comey seems particularly annoyed that the tech industry is locking stuff up in response to the Snowden revelations, because he argues, that's blocking all sorts of other stuff he'd like to have access to:
In the wake of the Snowden disclosures, the prevailing view is that the government is sweeping up all of our communications. That is not true. And unfortunately, the idea that the government has access to all communications at all times has extended—unfairly—to the investigations of law enforcement agencies that obtain individual warrants, approved by judges, to intercept the communications of suspected criminals.
Some believe that the FBI has these phenomenal capabilities to access any information at any time—that we can get what we want, when we want it, by flipping some sort of switch. It may be true in the movies or on TV. It is simply not the case in real life.
It frustrates me, because I want people to understand that law enforcement needs to be able to access communications and information to bring people to justice. We do so pursuant to the rule of law, with clear guidance and strict oversight. But even with lawful authority, we may not be able to access the evidence and the information we need.
Again, there's an interesting sense of entitlement there. There's lots of information law enforcement would like to have, and even may legally have the right to have, but which they cannot have. And that's been true throughout history, and law enforcement has survived and crimes have been stopped and criminals caught and prosecuted. What Comey is advocating here is to make everyone less safe just in case law enforcement wants it. That's a problem.
Bizarrely, Comey is quite upset that companies are now marketing the fact that they keep you secure.
Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?
The cost of privacy and trust. Which are, you know, kind of important too...
And then he goes back to his simply wrong declaration that this is about making people "above the law." But that's not true. There is no legal requirement that this information be available. It's not above the law at all. Being above the law means ignoring the law and getting away with it. But, to Comey, being above the law is apparently doing stuff that makes the FBI's job marginally more difficult.
I hope you know that I’m a huge believer in the rule of law. But I also believe that no one in this country should be above or beyond the law. There should be no law-free zone in this country. I like and believe very much that we need to follow the letter of the law to examine the contents of someone’s closet or someone’s cell phone. But the notion that the marketplace could create something that would prevent that closet from ever being opened, even with a properly obtained court order, makes no sense to me.
And then there's this: He's not a scaremonger, but you should be afraid:
I think it’s time to ask: Where are we, as a society? Are we no longer a country governed by the rule of law, where no one is above or beyond that law? Are we so mistrustful of government—and of law enforcement—that we are willing to let bad guys walk away...willing to leave victims in search of justice?
I’ve never been someone who is a scaremonger. But I’m in a dangerous business.
And, of course, he wants Congress to step in and fix things for him, making everyone less safe:
We also need a regulatory or legislative fix to create a level playing field, so that all communication service providers are held to the same standard and so that those of us in law enforcement, national security, and public safety can continue to do the job you have entrusted us to do, in the way you would want us to.
A "level field"? Really? The field has been tilted strongly towards the FBI and NSA for well over a decade. It's only now, with further encryption, that it's been leveling out...
by Mike Masnick
Mon, Oct 13th 2014 10:38am
Revealed: ISPs Already Violating Net Neutrality To Block Encryption And Make Everyone Less Safe Online
from the scary-news dept
The first example you may have actually heard about. It got some attention back in July, when entrepreneur Colin Nederkoorn released a video showing how Verizon was throttling his Netflix connection, which was made obvious when he logged into a VPN and suddenly his Netflix wasn't stuttering and the throughput was much higher. That video got a lot of attention (over half a million views) and highlighted the nature of the interconnection fight in which Verizon is purposely allowing Netflix streams coming via Level 3 to clog. As most people recognize, in a normal scenario, using a VPN should actually slow down your connection somewhat thanks to the additional encryption. However, the fact that it massively sped up the Netflix connection shows just how much is being throttled when Verizon knows it's Netflix traffic. Nederkoorn actually was using Golden Frog's VyprVPN in that video, so it actually makes Golden Frog look good -- but the company notes that it really shows one way in which "internet access providers are 'mismanaging' their networks to their own users' detriment."
But the second example Golden Frog provides is much scarier and much more pernicious, and it has received almost no attention.
In the second instance, Golden Frog shows that a wireless broadband Internet access provider is interfering with its users’ ability to encrypt their SMTP email traffic. This broadband provider is overwriting the content of users’ communications and actively blocking STARTTLS encryption. This is a man-in-the-middle attack that prevents customers from using the applications of their choosing and directly prevents users from protecting their privacy.
They demonstrate this with the following graphic:
Golden Frog performed tests using one mobile wireless company’s data service, by manually typing the SMTP commands and requests, and monitoring the responses from the email server in issue. It appears that this particular mobile wireless provider is intercepting the server’s banner message and modifying it in-transit from something like “220 [servername] ESMTP Postfix” to “200 ********************.” The mobile wireless provider is further modifying the server’s response to a client command that lists the extended features supported by the server. The mobile wireless provider modifies the server’s “250-STARTTLS” response (which informs the client of the server’s capacity to enable encryption). The Internet access provider changes it to “250-XXXXXXXA.” Since the client does not receive the proper acknowledgement that STARTTLS is supported by the server, it does not attempt to turn on encryption. If the client nonetheless attempts to use the STARTTLS command, the mobile wireless provider intercepts the client’s commands to the server and changes them too. When it detects the STARTTLS command being sent from the client to the server, the mobile wireless provider modifies the command to “XXXXXXXX.” The server does not understand this command and therefore sends an error message to the client.
As Golden Frog points out, this is "conceptually similar" to the way in which Comcast was throttling BitTorrent back in 2007 via packet reset headers, which kicked off much of the last round of net neutrality concerns. The differences here are that this isn't about blocking BitTorrent, but encryption, and it's a mobile internet access provider, rather than a wired one. This last point is important, since even the last net neutrality rules did not apply to wireless broadband, and the FCC is still debating if it should apply any new rules to wireless.
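The attack works because opportunistic STARTTLS lets a client silently fall back to plaintext when the server's capability list arrives without the STARTTLS keyword. The following is an added example (not code from Golden Frog or the article) of how a mail client or a monitoring probe can parse the greeting and EHLO reply, flag the anomalies the filing describes, and fail closed instead of sending in the clear. The server name and the transcripts are constructed.

```python
"""Client-side check for STARTTLS stripping in an SMTP session (added example).

Parses the server greeting and the EHLO reply (RFC 5321 reply format), checks
whether the STARTTLS extension (RFC 3207) is advertised, records the kinds of
tampering described in the filing, and applies a require-TLS policy: if TLS
was expected but is not offered, the client aborts rather than falling back.
"""
import re
from dataclasses import dataclass, field

# One reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class EhloReply:
    code: int
    extensions: dict = field(default_factory=dict)  # keyword -> parameters
    malformed: list = field(default_factory=list)   # lines that did not parse


def parse_reply(lines):
    """Parse a (possibly multi-line) SMTP reply into (code, texts, malformed)."""
    code, texts, malformed = None, [], []
    for raw in lines:
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m:
            malformed.append(raw)
            continue
        line_code, sep, text = m.groups()
        line_code = int(line_code)
        if code is None:
            code = line_code
        elif line_code != code:
            malformed.append(raw)  # a real server keeps one code per reply
        texts.append(text)
        if sep == " ":
            break  # final line of this reply
    return code, texts, malformed


def parse_ehlo(lines):
    """Turn an EHLO reply into a keyword -> parameter map of extensions."""
    code, texts, malformed = parse_reply(lines)
    reply = EhloReply(code=code or 0, malformed=malformed)
    for text in texts[1:]:  # first line is the server's domain, not an extension
        keyword, _, params = text.partition(" ")
        reply.extensions[keyword.upper()] = params
    return reply


def assess(greeting_lines, ehlo_lines):
    """Return findings about the pre-TLS part of the session; empty means clean."""
    findings = []
    gcode, gtexts, _ = parse_reply(greeting_lines)
    if gcode != 220:  # RFC 5321: a service-ready greeting is always 220
        findings.append(f"greeting code {gcode} is not 220")
    if gtexts and not re.search(r"[A-Za-z0-9]", gtexts[0]):
        findings.append("greeting text carries no identifying characters")
    ehlo = parse_ehlo(ehlo_lines)
    if ehlo.code != 250:
        findings.append(f"EHLO reply code {ehlo.code} is not 250")
    if ehlo.malformed:
        findings.append(f"{len(ehlo.malformed)} malformed EHLO line(s)")
    if "STARTTLS" not in ehlo.extensions:
        findings.append("STARTTLS not advertised")
    return findings


def decide(findings, require_tls=True):
    """'starttls' when clean; otherwise 'abort' (require-TLS) or 'plaintext'
    (opportunistic TLS, the behaviour the stripping attack relies on)."""
    if not findings:
        return "starttls"
    return "abort" if require_tls else "plaintext"


# Constructed transcripts: what a clean session and the tampered one look like.
CLEAN_GREETING = ["220 mail.example.com ESMTP Postfix"]
CLEAN_EHLO = ["250-mail.example.com", "250-PIPELINING", "250-SIZE 10240000",
              "250-STARTTLS", "250 8BITMIME"]
TAMPERED_GREETING = ["200 ********************"]
TAMPERED_EHLO = ["250-mail.example.com", "250-PIPELINING", "250-SIZE 10240000",
                 "250-XXXXXXXA", "250 8BITMIME"]

if __name__ == "__main__":
    for label, g, e in (("clean", CLEAN_GREETING, CLEAN_EHLO),
                        ("tampered", TAMPERED_GREETING, TAMPERED_EHLO)):
        f = assess(g, e)
        print(label, f, "->", decide(f), "/ opportunistic:", decide(f, False))
```

The same parser can be pointed at a live session by feeding it the lines read from the socket before any MAIL FROM is sent.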
After reading the Golden Frog filing, the answer should be that it is absolutely necessary to apply the rules to wireless, because practices like these put us all at risk by undermining the encryption that keeps us all safe. As Golden Frog notes:
Absent enforceable Commission rules, broadband providers can (and at least one already does) block and discriminate against entirely acceptable Internet uses. In this case, users are not just losing their right to use the applications and services of their choosing, but also their privacy. It is not at all clear that this type of encryption blocking would be forbidden for fixed broadband Internet access, under the proposed rules’ exception for reasonable network management. This example involves mobile wireless broadband, however, and it is clear that the proposed rules would not prohibit the activity. STARTTLS encryption does not constitute “a lawful website” or “an application that compete[s] with the provider’s voice or video telephony services[.]” The proposed rules on their face do not prohibit mobile broadband Internet access providers from blocking user efforts to maintain privacy through encryption.
Furthermore, Golden Frog concludes:
The claim that rules banning blocking and unreasonable discrimination are solutions in search of a problem is flatly wrong. There have been problems in the past and there are problems now. The proposed rules do not resolve all of the problems identified in the NPRM. Further, broadband Internet access providers are still interfering with beneficial and privacy-enhancing applications users want to employ.
This is incredibly important -- just at a time when we need stronger encryption and privacy online, the FCC may undermine it with weak net neutrality rules that allow this type of behavior to continue.
A few months ago, I got into a conversation with a well-known internet entrepreneur/investor, who asked about possible "compromise" rules on net neutrality, suggesting that maybe it's okay to throttle Netflix traffic because there's so much of it. He argued that, perhaps there could be some threshold, and if your traffic was above that threshold it's okay to throttle it. After some back and forth, I asked the hypothetical about encryption: what if, at a time when more and more encryption is important, such a rule was in place, and overall encrypted traffic passed that threshold, then suddenly access providers could throttle all encrypted traffic, doing tremendous damage to security and privacy. What I didn't realize was that some access providers are effectively already attacking privacy and encryption in this manner.
by Tim Cushing
Wed, Oct 8th 2014 12:10pm
from the stupid-stupid-stupid dept
Rightscorp, the supposed new face in copyright enforcement, is currently trying to shake down alleged infringers for $20/infringement, using smaller ISPs (or those not signed up for the Six Strikes program) as middlemen for its small-time settlement services. Rightscorp issues scary-looking settlement letters to internet subscribers, informing them that they have been caught torrenting movie or music files and giving them a chance to pay for their (allegedly) illicitly-obtained goods through its website.
Each settlement letter (forwarded from the ISP to the customer) contains a unique link to a $20 settlement offer, which can be paid online.
Techdirt reader Andrew Jenson informs us that Rightscorp's "secure" settlement site isn't all that secure.
Rightscorp posts variables using hidden form elements rather than sessions, cookies, or something similar. This sort of lax security policy could lead to someone easily gaining access to and having a field day with the Rightscorp database which contains confidential and personal information.
If anyone's posted a link from a settlement letter on the web, anyone else can access it.
Rightscorp lets Google index secure pages for anyone to find. Simply Google “rightscorp miramax” and you will find the following indexed.
Down at the bottom of the form, you'll see some more false assurances about your data. There's a pretty little picture of a lock by the fields for your credit card info, but it doesn't link anywhere or signify anything.
In fact, Chrome has to block content from the non-secure Digital Rights Corp. website (there are links back to the corporate website all over the "secure" site) in order to call the site "secure."
Loading this script kills the security.
Verified here by "Inspect element."
Jenson notes that Rightscorp uses a "cheap GoDaddy SSL certificate with no extended validation," not exactly the sort of thing you want to hear when being asked for credit card information. Jenson adds:
Imagine if someone's personal details had been entered. They would be open for the world to see.
You don't have to imagine it. It's actually happening.
While digging around for URLs to verify Jenson's claims, I soon discovered that if someone has actually paid a settlement fee to Rightscorp, it allows the settlement receipt, along with the subscriber's name and address, to sit there openly available to anyone who comes looking.
I found four different settlements involving four different people simply by searching for publicly-posted settlement URLs using "https://secure.rightscorp.com/settle" as the search term. Some results linked to pending settlement offers but others led directly to the terms of paid settlements, which included the name and address of the accused infringer.
I informed Rightscorp of this security issue, giving the company a chance to fix this before we published. I received a response from Robert Steele, the president of the company, stating:
The name and address at that URL will be redacted in about 15 minutes. Thank you for bringing this to our attention.
That Rightscorp responded to an issue within an hour of it being raised is a good sign. Unfortunately, Steele and his IT team seemed to have missed the point of my first email. I sent an email back re-informing him that it's not a single URL that's affected. It's every single URL it's issued to alleged infringers. Any one of these can be accessed by anybody. I received this from Robert Steele about a half hour later:
They have all been redacted. There are no live links providing this information. Thank you again for bringing this to our attention. Our system is not providing any names and addresses to the public as you now assert.
So, this leak has been fixed (or at least, redacted -- the pages are still publicly available). And anyone can still access open settlements, which still makes it appear as though Rightscorp cares little for the privacy and security of the internet users it's targeting.
Remember, this is a company with grand designs on controlling the internet activities of repeat infringers (via browser hijacking) who aren't swayed by its $20-per-file offers. It also appears to be bullying smaller ISPs into handing over user data, using a supposed "loophole" in the DMCA to send tons of subpoenas without actually filing lawsuits. This is the same company that claims to have a revolutionary new way to track repeat infringers, even across multiple IP addresses. But for all of its supposed technical prowess and "revolutionary" shakedown techniques, it seemingly can't be bothered to provide actual security for settlement payments or subscriber data.
The worst part is that it's those who have paid Rightscorp that were being protected the least. Their names and addresses were publicly available and linked to infringing activity. Just because Rightscorp managed to convert IP addresses into subscribers by abusing subpoenas and bullying ISPs doesn't mean it can simply leave that information lying around in the open. Maybe it felt those subscribers deserved to be named and shamed. Maybe it just didn't care as long as there was an easy way for infringers to pay up (direct link, accessible by anyone). Or maybe it just half-assed together its payment processing as cheaply as it could in order to maintain a healthier profit margin. Either way, it's more evidence that Rightscorp runs a shoddy (and shady) business, one whose success relies greatly on the ignorance of others.