On December 8, 2014, President Obama met with students participating in an “Hour of Code” event at the White House, which is really cool and all that, but somebody in the room is playing Angry Birds and the sound effects are louder than the people’s voices, and I have to admit I cracked up every time the birds won a round.
There are so many deranged stories coming out of the right wing these days that it’s hard to keep up; so I just caught up on the latest ridiculous allegations by former CBS News reporter Sharyl Attkisson.
Attkisson released a video that she says shows her computer being “hacked” by super-secret government agents, trying to stop her courageous reporting on Benghazi. There’s her video, up above.
Attkisson’s claims are utterly ludicrous, folks. If some unknown entities actually had access to this computer, they’d simply wipe her files — not simulate the Delete key right in front of her eyes while she was working. In fact, this is such a brain-dead claim that I’m amazed anyone actually takes it seriously.
What’s probably happening in this video is a stuck Delete key. Maybe she was eating too many potato chips and crumbs got lodged in her keyboard. Or maybe there’s some kind of software conflict. Or maybe she outright faked this video; it wouldn’t be difficult. But this is not how “hacking” works.
Here’s the statement just released by Apple on the theft of celebrities’ photos from their iCloud accounts.
Apple Media Advisory
Update to Celebrity Photo Investigation
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud(r) or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at support.apple.com.
Following up on our post about the wildly exaggerated claims made about the purported XKeyScore source code released in Germany this week by hacker Jacob Applebaum, here’s a very interesting post by cybersecurity expert Robert Graham with evidence that the code may have been at least partly faked: Errata Security: Validating XKeyScore Code.
The burning questions about the XKeyScore “source code” is whether it’s real, and whether it come from Snowden. The Grugq (@thegrugq) has some smart insight into this, and I have my own expertise with deep-packet-inspection code. I thought I’d write up our expert analysis to the questions.
TL;DR: we believe the code partly fake and that it came from the Snowden treasure trove.
A slightly longer summary is:
- The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.
- The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is "fake".
- The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.
- The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code - if fake, it's not completely so.
Here’s a point that jumped out at me immediately upon looking at the code: all over the Internet, people are claiming that the code identifies linuxjournal.com as an “exremist forum” — but that’s simply false. As I tweeted two days ago:
By the way, folks? It's another falsehood that the NSA considers http://t.co/0o8VJWSyxq to be an “extremist forum.”
There's a comment in the code that says TAILS is “advocated by extremists on extremist forums.” It does NOT call linuxjournal “extremist.”
Every time one of these NSA stories comes out, it's rife with misrepresentations and distortions like this.
Graham’s post agrees with this evaluation:
Another misrepresentation in the story is that the source calls the Linux Journal an extremist forum. That’s not true.
A comment does say that TAILS is “a comsec mechanism advocated by extremists on extremist forums”. This is true, as the picture (from the Grugq) demonstrates on the right: it’s a picture from an ISIS/jihad forum advocating the use of TAILS. But nowhere does it claim that the Linux Journal is one of those extremists — that’s something willfully made up by the authors of the story.
That the story already misrepresents the meaning of this source code hints that it may already be misrepresenting the provenance.
Most of the coverage of the Heartbleed bug has focused on the security problems for websites, but there’s another avenue of attack now being exploited by hackers: the Virtual Private Network (VPN) systems used by many large and small businesses.
Security firm Mandiant reports that it is has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet are least likely to have been updated to protect against Heartbleed.
The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.
This disastrous security hole in OpenSSL may have more effect on these kinds of semi-closed systems than on easily upgraded web servers, because the people who use VPNs and other types of networking applications and devices may not even realize they’re relying on the buggy versions of OpenSSL, and it may be difficult (or even impossible in some cases) to update the software.
But web servers are still a big problem as well; the Washington Post’s Brian Fung points out that we may be seeing some large scale disruptions of the Internet in the not too distant future: Heartbleed Is About to Get Worse, and It Will Slow the Internet to a Crawl.
Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.
The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.
“Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into,” said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council. “The kinds of bad things it enables is largely limited only by the imagination of the bad guys.”
Please note! We got out in front of the rush to revoke/reissue our SSL certificates right away, the day the bug was announced, so Little Green Footballs is not vulnerable to the problem described in the Washington Post article.
The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.
There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.
The type of programming mistake he describes is known as a “bounds checking error.” They’re depressingly common and are often the cause of serious security problems.
Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.
“In one of the new features, unfortunately, I missed validating a variable containing a length.”
And about that noobish speculation:
A number of conspiracy theorists have speculated the bug was inserted maliciously.
Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.
“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.
“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.
Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)
Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.
And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.
Hateful and even violent speech is familiar online; what’s unusual are data-driven efforts to diminish them. Experiments so far have produced intriguing results including: some ‘trolls’ recant or apologize in response to counterspeech, and small changes in platform architecture can improve online discourse norms. In this talk Susan Benesch — founder of the Dangerous Speech Project and professor of American University’s School of International Service — discusses early research and experiments into managing and responding to hateful speech online, especially in climates where online speech may be tied to offline violence.
More info on this event here: cyber.law.harvard.edu
October 14, 2012, Felix Baumgartner ascended more than 24 miles above Earth’s surface to the edge of space in a stratospheric balloon. Millions across the globe watched as he opened the door of the capsule, stepped off the platform, and broke the speed of sound while free falling safely back to Earth. Felix set three world records that day—and inspired us all to reach beyond the limits of our own realities, and reimagine our potential to achieve the incredible.
GoPro was honored to be a part of this epic achievement, with seven HERO2 cameras documenting every moment. From the airless freeze of outer space, to the record-breaking free fall and momentous return to ground—see it all through Felix’s eyes as captured by GoPro, and experience this incredible mission like never before. No one gets you closer than this.
Shot 100% on the HD HERO2(r) camera from gopro.com.
East of the River
“Wilderness is Their Home Now”
Additional Music Courtesy of ExtremeMusic
The Internet Archive
A Chicago computer hacker tied to the group known as Anonymous was sentenced Friday to 10 years in prison for cyberattacks on various government agencies and businesses, including a global intelligence company.
Jeremy Hammond, 28, was handed the maximum term for the December 2011 hacking of Strategic Forecasting, an attack his lawyers contend was driven by concern about the role of private firms in gathering intelligence domestically and abroad.
…resulted in the theft of 60,000 credit card numbers and records for 860,000 clients, which were then uploaded online.Prosecutors say the hack of Strategic Forecasting, or Stratfor, resulted in the theft of 60,000 credit card numbers and records for 860,000 clients, which were then uploaded online. Hammond admitted being behind it in May.
He also admitted to hacking several law enforcement agencies and organizations, including the Arizona Department of Public Safety, and releasing personal details of officers as part of an attack by the Anonymous-affiliated group LulzSec.
Remember Lavabit, the “secure email” service that was closed down by its owner Ladar Levison, ostensibly to avoid complying with a government request to access their “secure emails?” Specifically, emails from one of their most famous clients, Edward Snowden?
Something that always bothered me about the story: Lavabit claimed on their home page (see screenshot above) that their system was designed so that even their administrators couldn’t read users’ emails. I assumed this meant they were using some kind of public/private key scheme to encrypt emails, so that they would be encrypted while on Lavabit’s servers in a form that could not be decrypted even by Lavabit.
So how then could the government read those emails without the private keys of each user? Well, it turns out that Lavabit’s claim they couldn’t read emails simply wasn’t true. Their basic design was not secure at all, as cryptographer Moxie Marlinspike explains: Op-Ed: Lavabit’s Primary Security Claim Wasn’t Actually True.
If, as Lavabit said, it wasn’t capable of reading its users’ e-mails, how could it have been in a position to provide those plaintext e-mails to the US government?
Unfortunately, Lavabit’s primary security claim wasn’t actually true. As Ladar himself explained in this blog post, the system consisted of four basic steps:
- At account creation time, the user selected a login passphrase and transmitted it to the server.
- The server generated a keypair for that user, encrypted the private key with the login passphrase the user had selected, and stored it on the server.
- For every incoming e-mail the user received, the server would encrypt it with the user’s public key, and store it on the server.
- When the user wanted to retrieve an e-mail, they would transmit their password to the server, which would avert its eyes from the plaintext encryption password it had just received, use it to decrypt the private key (averting its eyes), use the private key to decrypt the e-mail (again averting its eyes), and transmit the plaintext e-mail to the user (averting its eyes one last time).
Unlike the design of most secure servers, which are ciphertext in and ciphertext out, this is the inverse: plaintext in and plaintext out. The server stores your password for authentication, uses that same password for an encryption key, and promises not to look at either the incoming plaintext, the password itself, or the outgoing plaintext.
The ciphertext, key, and password are all stored on the server using a mechanism that is solely within the server’s control and which the client has no ability to verify. There is no way to ever prove or disprove whether any encryption was ever happening at all. Whether it was or not makes little difference.
So the claim on Lavabit’s home page that they couldn’t read stored emails was simply false. The promise of security they made to their users was a lie. They promised not to read the emails, but breaking that promise would have been trivially easy with the way their system was built — and that’s why the feds wanted access.
It’s not clear whether the Lavabit crew consciously understood the system’s shortcomings and chose to misrepresent them, or if it really believed it built something based on can’t rather than won’t. One way or the other, in the security world, a product that uses the language of cryptography to fundamentally misrepresent its capabilities is the basic definition of snake oil.
Yep. And it raises the issue of whether Lavabit’s owner is telling the truth about the real reasons for shutting down his business, as well.