
Is the XKeyScore Code Released in Germany Faked?

Expert analysis uncovers serious misrepresentations and possible fakery
Technology • Views: 25,407

Following up on our post about the wildly exaggerated claims made about the purported XKeyScore source code released in Germany this week by hacker Jacob Appelbaum, here’s a very interesting post by cybersecurity expert Robert Graham with evidence that the code may have been at least partly faked: Errata Security: Validating XKeyScore Code.

The burning questions about the XKeyScore “source code” are whether it’s real, and whether it came from Snowden. The Grugq (@thegrugq) has some smart insight into this, and I have my own expertise with deep-packet-inspection code. I thought I’d write up our expert analysis of the questions.

TL;DR: we believe the code is partly fake and that it came from the Snowden treasure trove.

A slightly longer summary is:

  1. The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.
  2. The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is "fake".
  3. The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.
  4. The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code - if fake, it's not completely so.

Here’s a point that jumped out at me immediately upon looking at the code: all over the Internet, people are claiming that the code identifies linuxjournal.com as an “extremist forum” — but that’s simply false. As I tweeted two days ago:

Graham’s post agrees with this evaluation:

Another misrepresentation in the story is that the source calls the Linux Journal an extremist forum. That’s not true.

A comment does say that TAILS is “a comsec mechanism advocated by extremists on extremist forums”. This is true, as the picture (from the Grugq) demonstrates on the right: it’s a picture from an ISIS/jihad forum advocating the use of TAILS. But nowhere does it claim that the Linux Journal is one of those extremists — that’s something willfully made up by the authors of the story.

That the story already misrepresents the meaning of this source code hints that it may already be misrepresenting the provenance.

Exactly. Something smells very fishy here. Read the whole thing. And for those interested in the highly technical details, here’s Graham’s post going through the code line by line.

This Is Bad: Heartbleed Attack Targets VPN Service

Bad craziness
Technology • Views: 15,497
Image via snoopsmaus

Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.

Security firm Mandiant reports that it has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet that are least likely to have been updated to protect against Heartbleed.

The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.

This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.

But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”

UPDATE at 4/18/14 6:22:46 pm

Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.

Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”
Technology • Views: 11,748
Image via Shutterstock

The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The type of programming mistake he describes is known as a “bounds checking error.” They’re depressingly common and are often the cause of serious security problems.

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)
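The length validation Seggelmann says he missed, and the detection question raised in the paragraph above, as an added Go example. This is not OpenSSL’s code (which is C); the message layout follows RFC 6520, and the check in the fixed handler is the same comparison OpenSSL 1.0.1g introduced. `connMemory`, the record contents and the `SESSION-TOKEN` neighbour string are constructed sample data standing in for whatever happens to sit after the receive buffer in a real process, so the pre-fix handler over-reads only inside a simulated Go slice.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	hbRequest  = 1     // HeartbeatMessageType heartbeat_request (RFC 6520)
	hbResponse = 2     // HeartbeatMessageType heartbeat_response
	hbPadding  = 16    // RFC 6520 requires at least 16 bytes of padding
	maxPayload = 65535 // payload_length is a 16-bit field
)

// A heartbeat message on the wire is: type(1) || payload_length(2) || payload || padding.

// heartbeatRecord builds a request whose length field is set independently of
// the payload it actually carries. A well-formed request declares the real
// payload length; the bug is triggered when the two disagree.
func heartbeatRecord(declared uint16, payload string) []byte {
	rec := make([]byte, 3, 3+len(payload)+hbPadding)
	rec[0] = hbRequest
	binary.BigEndian.PutUint16(rec[1:3], declared)
	rec = append(rec, payload...)
	return append(rec, make([]byte, hbPadding)...)
}

// connMemory simulates the process memory that follows the receive buffer:
// the received record sits at the front, and whatever the server happened to
// be holding comes after it (neighbour is constructed sample data).
func connMemory(record []byte, neighbour string) []byte {
	mem := make([]byte, 3+maxPayload+hbPadding)
	copy(mem, record)
	copy(mem[len(record):], neighbour)
	return mem
}

// heartbeatBeforeFix mirrors the logic before OpenSSL 1.0.1g: the declared
// payload length is trusted, so the reply copies that many bytes starting at
// the payload, whether or not they were part of the received record.
// (The recordLen < 3 guard is added here so the function is safe to call.)
func heartbeatBeforeFix(mem []byte, recordLen int) ([]byte, error) {
	if recordLen < 3 || mem[0] != hbRequest {
		return nil, errors.New("not a heartbeat request")
	}
	payloadLen := int(binary.BigEndian.Uint16(mem[1:3]))
	resp := make([]byte, 3+payloadLen+hbPadding)
	resp[0] = hbResponse
	binary.BigEndian.PutUint16(resp[1:3], uint16(payloadLen))
	copy(resp[3:], mem[3:3+payloadLen]) // runs past recordLen when the field lies
	return resp, nil
}

// heartbeatAfterFix adds the missing bounds check: the declared length must
// fit inside the record that was actually received, otherwise the message is
// silently discarded, as RFC 6520 section 4 prescribes.
func heartbeatAfterFix(mem []byte, recordLen int) ([]byte, error) {
	if recordLen < 3 || mem[0] != hbRequest {
		return nil, errors.New("not a heartbeat request")
	}
	payloadLen := int(binary.BigEndian.Uint16(mem[1:3]))
	if 1+2+payloadLen+hbPadding > recordLen {
		return nil, errors.New("declared payload length exceeds record length; discarded")
	}
	resp := make([]byte, 3+payloadLen+hbPadding)
	resp[0] = hbResponse
	binary.BigEndian.PutUint16(resp[1:3], uint16(payloadLen))
	copy(resp[3:], mem[3:3+payloadLen])
	return resp, nil
}

// suspiciousHeartbeat applies the same comparison to a captured request: a
// declared length that cannot fit in the record it arrived in is malformed by
// construction, which is what a sensor with access to TLS records can flag.
func suspiciousHeartbeat(record []byte) bool {
	if len(record) < 3 || record[0] != hbRequest {
		return false
	}
	declared := int(binary.BigEndian.Uint16(record[1:3]))
	return 1+2+declared+hbPadding > len(record)
}

func main() {
	rec := heartbeatRecord(64, "ping") // carries 4 bytes, claims 64
	mem := connMemory(rec, "SESSION-TOKEN-constructed-sample")
	before, _ := heartbeatBeforeFix(mem, len(rec))
	fmt.Printf("before fix: %d-byte reply; bytes past the real payload: %q\n", len(before), before[3+4+hbPadding:3+4+hbPadding+13])
	_, err := heartbeatAfterFix(mem, len(rec))
	fmt.Println("after fix:", err)
	fmt.Println("sensor flags the request:", suspiciousHeartbeat(rec))
}
```

`suspiciousHeartbeat` is the detection angle: OpenSSL itself records nothing about heartbeat messages and a web server’s access log never sees them, so in practice this comparison is applied to captured traffic or in an IDS that can see the TLS record layer rather than to server logs, and it can only flag requests seen from the moment the sensor was in place.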

Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.

Susan Benesch on Troll Wrastling for Beginners: Data-Driven Methods to Decrease Hatred Online

Technology • Views: 16,574


Hateful and even violent speech is familiar online; what’s unusual are data-driven efforts to diminish them. Experiments so far have produced intriguing results including: some ‘trolls’ recant or apologize in response to counterspeech, and small changes in platform architecture can improve online discourse norms. In this talk Susan Benesch — founder of the Dangerous Speech Project and professor of American University’s School of International Service — discusses early research and experiments into managing and responding to hateful speech online, especially in climates where online speech may be tied to offline violence.

More info on this event here: cyber.law.harvard.edu

Felix Baumgartner’s 24-Mile High Space Jump, Captured by His GoPro Camera

Baumgartner was wearing a GoPro camera, and the footage is incredible
Technology • Views: 16,863


October 14, 2012, Felix Baumgartner ascended more than 24 miles above Earth’s surface to the edge of space in a stratospheric balloon. Millions across the globe watched as he opened the door of the capsule, stepped off the platform, and broke the speed of sound while free falling safely back to Earth. Felix set three world records that day—and inspired us all to reach beyond the limits of our own realities, and reimagine our potential to achieve the incredible.

GoPro was honored to be a part of this epic achievement, with seven HERO2 cameras documenting every moment. From the airless freeze of outer space, to the record-breaking free fall and momentous return to ground—see it all through Felix’s eyes as captured by GoPro, and experience this incredible mission like never before. No one gets you closer than this.

Shot 100% on the HD HERO2® camera from gopro.com.

Music
East of the River
“Wilderness is Their Home Now”
“Satellites”
eastoftheriveruk.bandcamp.com

Additional Music Courtesy of ExtremeMusic
extrememusic.com

Special Thanks
Red Bull
Ed Herlihy
The Internet Archive
archive.org

Jeremy Hammond, Hacker for Anonymous, Sentenced to 10 Years

While pretending to be about freedom these groups are really about getting personal info and credit cards
Technology • Views: 16,710

A Chicago computer hacker tied to the group known as Anonymous was sentenced Friday to 10 years in prison for cyberattacks on various government agencies and businesses, including a global intelligence company.

Jeremy Hammond, 28, was handed the maximum term for the December 2011 hacking of Strategic Forecasting, an attack his lawyers contend was driven by concern about the role of private firms in gathering intelligence domestically and abroad.

Prosecutors say the hack of Strategic Forecasting, or Stratfor, resulted in the theft of 60,000 credit card numbers and records for 860,000 clients, which were then uploaded online. Hammond admitted being behind it in May.

He also admitted to hacking several law enforcement agencies and organizations, including the Arizona Department of Public Safety, and releasing personal details of officers as part of an attack by the Anonymous-affiliated group LulzSec.

More: Jeremy Hammond, Hacker for Anonymous, Sentenced to 10 Years

Remember Lavabit, the “Secure Email” Service That Shut Down? It Was Totally Insecure.

“The basic definition of snake oil”
Technology • Views: 19,341

Remember Lavabit, the “secure email” service that was closed down by its owner Ladar Levison, ostensibly to avoid complying with a government request to access their “secure emails?” Specifically, emails from one of their most famous clients, Edward Snowden?

Something that always bothered me about the story: Lavabit claimed on their home page (see screenshot above) that their system was designed so that even their administrators couldn’t read users’ emails. I assumed this meant they were using some kind of public/private key scheme to encrypt emails, so that they would be encrypted while on Lavabit’s servers in a form that could not be decrypted even by Lavabit.

So how then could the government read those emails without the private keys of each user? Well, it turns out that Lavabit’s claim they couldn’t read emails simply wasn’t true. Their basic design was not secure at all, as cryptographer Moxie Marlinspike explains: Op-Ed: Lavabit’s Primary Security Claim Wasn’t Actually True.

If, as Lavabit said, it wasn’t capable of reading its users’ e-mails, how could it have been in a position to provide those plaintext e-mails to the US government?

Unfortunately, Lavabit’s primary security claim wasn’t actually true. As Ladar himself explained in this blog post, the system consisted of four basic steps:

  1. At account creation time, the user selected a login passphrase and transmitted it to the server.
  2. The server generated a keypair for that user, encrypted the private key with the login passphrase the user had selected, and stored it on the server.
  3. For every incoming e-mail the user received, the server would encrypt it with the user’s public key, and store it on the server.
  4. When the user wanted to retrieve an e-mail, they would transmit their password to the server, which would avert its eyes from the plaintext encryption password it had just received, use it to decrypt the private key (averting its eyes), use the private key to decrypt the e-mail (again averting its eyes), and transmit the plaintext e-mail to the user (averting its eyes one last time).

Unlike the design of most secure servers, which are ciphertext in and ciphertext out, this is the inverse: plaintext in and plaintext out. The server stores your password for authentication, uses that same password for an encryption key, and promises not to look at either the incoming plaintext, the password itself, or the outgoing plaintext.

The ciphertext, key, and password are all stored on the server using a mechanism that is solely within the server’s control and which the client has no ability to verify. There is no way to ever prove or disprove whether any encryption was ever happening at all. Whether it was or not makes little difference.

So the claim on Lavabit’s home page that they couldn’t read stored emails was simply false. The promise of security they made to their users was a lie. They promised not to read the emails, but breaking that promise would have been trivially easy with the way their system was built — and that’s why the feds wanted access.

It’s not clear whether the Lavabit crew consciously understood the system’s shortcomings and chose to misrepresent them, or if it really believed it built something based on can’t rather than won’t. One way or the other, in the security world, a product that uses the language of cryptography to fundamentally misrepresent its capabilities is the basic definition of snake oil.

Yep. And it raises the issue of whether Lavabit’s owner is telling the truth about the real reasons for shutting down his business, as well.
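The four steps Marlinspike lists, as an added Go example that is not Lavabit’s code (the page does not contain Lavabit’s implementation; this reconstructs the described flow with standard-library RSA-OAEP and AES-GCM, a plain SHA-256 standing in for the passphrase KDF, and direct RSA for the message body where real mail would need hybrid encryption). The passphrase and message are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Account is everything the server keeps per user; all of it is under the server's control.
type Account struct {
	pub        *rsa.PublicKey
	wrappedKey []byte   // PKCS#1 private key, AES-GCM under passKey(passphrase)
	inbox      [][]byte // stored mail, each message RSA-OAEP encrypted to pub
}

// passKey turns the passphrase into a 32-byte key. A single unsalted SHA-256
// stands in for a real slow KDF; the KDF's strength has no bearing on the point.
func passKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// aead builds AES-256-GCM; with the fixed 32-byte key from passKey neither constructor can fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal and open are AES-GCM with the nonce prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Steps 1 and 2: the passphrase reaches the server in the clear; the server
// generates the keypair and wraps the private key under that passphrase.
func createAccount(passphrase string) (*Account, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(passKey(passphrase), x509.MarshalPKCS1PrivateKey(priv))
	if err != nil {
		return nil, err
	}
	return &Account{pub: &priv.PublicKey, wrappedKey: wrapped}, nil
}

// Step 3: incoming mail is encrypted to the user's public key and stored
// (direct RSA-OAEP limits a message to about 190 bytes with a 2048-bit key).
// The server has already seen the plaintext by the time it does this.
func deliver(acct *Account, plaintext []byte) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, acct.pub, plaintext, nil)
	if err != nil {
		return err
	}
	acct.inbox = append(acct.inbox, ct)
	return nil
}

// Step 4: the server receives the passphrase again and performs every
// decryption itself. Nothing the client can observe distinguishes a server
// that "averts its eyes" from one that keeps a copy of der, priv or the
// returned plaintext; the promise lives only in what this code chooses to do.
func retrieve(acct *Account, passphrase string, i int) ([]byte, error) {
	der, err := open(passKey(passphrase), acct.wrappedKey)
	if err != nil {
		return nil, errors.New("passphrase does not unwrap the private key")
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, acct.inbox[i], nil)
}

func main() {
	acct, _ := createAccount("correct horse battery") // constructed sample values
	_ = deliver(acct, []byte("constructed sample message"))
	msg, err := retrieve(acct, "correct horse battery", 0)
	fmt.Printf("server-side decryption yields %q (err=%v)\n", msg, err)
}
```

Everything that matters happens inside `retrieve`, on the server: it is handed the passphrase, unwraps the private key, and ends up holding plaintext, with no step the client can verify. A design that genuinely could not read mail would do the unwrapping and decryption on the client, so that only ciphertext and the wrapped key ever cross to the server; what the code above models is the “won’t read” design the op-ed describes, not a “can’t read” one.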

Ars Technica’s Crazy in-Depth Review of OS X 10.9 Mavericks

Excuse me while I tech out
Technology • Views: 14,795

Apple released the latest version of Mac OS today, code-named Mavericks, and after installing it I feel like I’m at a highly dangerous, potentially lethal surfing spot with insanely gigantic waves. (OK, not rly.) Good thing I read John Siracusa’s incredibly in-depth article on this new operating system before getting my shorts wet: OS X 10.9 Mavericks: The Ars Technica Review.

Mavericks is the first California-themed release of OS X, named after “places that inspire us here in California,” according to Craig Federighi, who says this naming scheme is intended to last for at least the next 10 years. The pressure is on for Mavericks to set a new direction for the Mac platform.

According to Apple, Mavericks has a dual focus. Its first and most important goal is to extend battery life and improve responsiveness. Secondarily, Mavericks aims to add functionality that will appeal to “power users” (Apple’s words), a group that may be feeling neglected after enduring two releases of OS X playing iOS dress-up.

Is that enough for Mavericks to live up to its major-release version number and to kick off the next phase of OS X’s life? Let’s find out.

Breaking Greenwald Bombshell: Spy Agencies Crack Encryption Methods!

Only since the dawn of human history
Technology • Views: 19,391

Greenwald and the Guardian’s latest bombshell breaking story on the NSA uses a fear-mongering tactic that’s been common throughout their bombshell breaking stories — a seemingly deliberate intention to confuse and conflate the ability to do something with the act of doing something.

The breathless headline: US and UK Spy Agencies Defeat Privacy and Security on the Internet.

The overheated lead paragraphs:

US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

And not a hint of acknowledgment that in order to decrypt any US citizen’s information for any purpose, the government still needs to get an individual warrant. (This time, a search for “warrant” in the article returned no results.)

The bombshell comes down to this: spy agencies crack encryption schemes.

“Since the beginning of human history,” the Guardian did not add.

UPDATE at 9/5/13 2:07:00 pm

Greenwald boasts that he ignored government requests not to publish the article:

Major Cyber Attack Traced to Phishing Emails

Insecure
Technology • Views: 16,494
Image via Shutterstock

In yesterday’s post about the hacking attack against the New York Times, Twitter, Huffington Post, and many other top websites, I speculated that it could have been the result of a DNS cache poisoning exploit, but the hackers gained access to these sites’ DNS records with a much more prosaic method: they tricked people into giving up their logins and passwords.

Melbourne IT, an Australian firm that allows website owners to buy addresses such as latimes.com, said the downtime suffered by the New York Times website Tuesday began when hackers gained access to the user name and password of one of the company’s sales partners.

Using those reseller’s credentials, hackers changed the records that tell computers around the world from where to download web pages when someone types nytimes.com into an Internet browser.

[Updated, 8:27 a.m. Aug. 28: The U.S.-based sales partner’s credentials ended up in the hackers’ hands after a targeted phishing attack was directed at the firm’s staff, Melbourne IT Chief Technology Officer Bruce Tonkin said early Wednesday. Essentially, several people at the U.S. firm were duped by emails that coaxed them into giving up log-in credentials.

“We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords,” Tonkin said in an email. “We have also temporarily suspended access to affected user accounts until passwords have been changed.”]

Late Tuesday, Melbourne IT spokesman Tony Smith said the company was reviewing how to improve security.

You’d better believe they’re reviewing security procedures — this is supposed to be one of the most high-end DNS service providers on the planet. It’s a bit gob-smacking they had employees naïve enough to give away their passwords to a phishing email.
