thewayne: (Default)
and apparently did not have an IT background. Her LinkedIn profile has been deleted, and apparently an effort is being made to purge her from the internet. It won't be entirely successful, but it'll slow information retrieval down. The article mentions that she spent 14 years in industry, we don't know in what industry, which means she could have picked up a fair amount of IT knowledge, but not as much as if she'd studied IT and gotten a degree and a CISSP cert.

Also, scammers are calling people at random, claiming to be Equifax, wanting to verify your information. Obviously Equifax has better things to do right now than call you. Just hang up, don't give them your name or the time of day.

ETA:Apparently the Internet Archive Wayback Machine never cached her LinkedIn page, more's the pity. It says it has a page from September 9, but nothing is retrieved when you click on it.
thewayne: (Cyranose)
PRISM is/was an NSA intelligence-gathering program. It has been widely speculated that friendly governments spy on other countries so that said country doesn't violate laws about spying on their own people. And this happened in NZ. The activist was from Fiji, and was very active in trying to get democracy for Fiji and get rid of the prime minister. So in sweeps the NSA and PRISM to try and find dirt on him, which they did not find.

First Confirmed Prism Surveillance Target Was Democracy Activist (

Posted by manishs on Monday August 15, 2016 @08:00AM from the truth-is-out-there dept.
A new report by Television New Zealand in collaboration with The Intercept, based on leaks of former U.S. National Security Agency worker Edward Snowden has for the first time named a target of the NSA's controversial Prism program. The target was a middle-aged civil servant and pro-democracy activist named Tony Fullman. Fullman, who is originally from Fiji but has lived in New Zealand for decades, is an advocate for democracy in Fiji and a critic of Fijian prime minister Frank Bainimarama, who took power in a 2006 coup.

From a Fortune report:
According to The Intercept, the NSA in 2012 monitored Fullman's communications through the Prism program and passed on information to the New Zealand intelligence services. Around the same time, the New Zealand authorities raided Fullman's home and revoked his passport. The New Zealand intelligence services were not themselves allowed to spy on Fullman, who was a New Zealand citizen. However, as Snowden has repeatedly described, the agencies of many Anglophone countries spy on each other's behalf, in order to bypass their national legal restrictions. Fullman suggested in the article that people in the group may well have said violent things about Bainimarama, but this was just venting, not a plot. According to the report, they never suspected someone was listening into their communications. The NSA was said to be helping by analyzing Fullman's Facebook and Gmail activities. The 190 pages of intercepted documentation seen by The Intercept apparently didn't reveal evidence of a plot.
thewayne: (Cyranose)
First up, a movie written by an artificial intelligence. It's only 10 minutes long, but it's pretty interesting. An article on Ars Technica pointed me in this direction. These people set up an AI and fed it a few hundred movie scripts that they found on the internet, received some prompts from a film competition, and turned it loose.

Unfortunately I can't embed this video. A word of warning: it not only auto-plays, it starts a second video after it's done.

From Slashdot, "Creepy British startup Score Assured has brought the power of "big data" to plumb new depths. In order to rent from landlords who use their services, potential renters are "...required to grant it full access to your Facebook, LinkedIn, Twitter and/or Instagram profiles. From there, Tenant Assured scrapes your site activity, including entire conversation threads and private messages; runs it through natural language processing and other analytic software; and finally, spits out a report that catalogs everything from your personality to your 'financial stress level.'" This "stress level" is a deep dive to (allegedly) determine whether the potential renter will pay their bills using vague indicators like "online retail social logins and frequency of social logins used for leisure activities." To make it worse, the company turns over to the landlords' indicators that the landlords aren't legally allowed to consider (age, race, pregnancy status), counting on the landlords to "do the right thing." As if this isn't abusive enough, the candidates are not allowed to see nor challenge their report, unlike with credit reports. Landlords first, employers next...and then? As the co-founder says, "People will give up their privacy to get something they want" and, evidently, that includes a place to live and a job.

In late May, an apartment building in Salt Lake City told tenants living in the complex to "like" its Facebook page or they will be in breach of their lease."

So, if the UK Parliament doesn't put in some decent privacy laws, you've got a big problem there if this company and concept continues to exist. I think I would definitely be in favor of someone like Anonymous doxxing this company's board of directors.
thewayne: (Cyranose)
From Slashdot yesterday:

MIT Creates Tor Alternative That Floods Networks With Fake Data (
Posted by timothy on Sunday December 13, 2015 @08:22AM from the can't-we-just-use-trolls? dept.

An anonymous reader writes with word that MIT researchers "created an alternative to Tor, a network messaging system called Vuvuzela that pollutes the network with dummy data so the NSA won't know who's talking to who." Initial tests show the systems overhead adding a 44-second delay, but the network can work fine and preserve anonymity even it has more than 50% of servers compromised.

I've never used TOR, it'll be interesting to see how difficult this is to set up once it gets out in to the wild. I find the preservation of anonymity when half of the network is compromised to be quite interesting. I have no idea if 44 second latency is good or bad.
thewayne: (Cyranose)
I came across this on Slashdot a week ago. Quite interesting and it could have MAJOR effects on privacy, more specifically on whistle-blowing. If a whistleblower is secretly releasing negative information about the government, and their computer is leaking information all over the place, this could be quite bad for the whistler.

Windows 10 has the potential for undermining Tor and other proxy services. I know Tor is going through a redevelopment with other Tor-like systems forking off it, I'm sure they'll be factoring this in.

Overall, for my personal use, I think I'm going to stick with Windows 7 until I'm forced off it. But since all I'm doing with it is SQL Server and Access, that's no big deal.

Some smaller pirate sites have become concerned about Windows 10 system phoning home too many hints regarding that the users are accessing their site. Therefore, the pirate administrators have started blocking Windows 10 users from accessing the BitTorrent trackers that the sites host. The first ones to hit the alarm button were iTS, which have posted a statement and started redirecting Windows 10 users to a YouTube video called Windows 10 is a Tool to Spy on Everything You Do. Additionally, according to TorrentFreak, two other similar dark web torrent trackers are also considering following suit. "As we all know, Microsoft recently released Windows 10. You as a member should know, that we as a site are thinking about banning the OS from FSC," said one of the FSC staff. Likewise, in a message to their users, a BB admin said something similar: "We have also found [Windows 10] will be gathering information on users' P2P use to be shared with anti piracy group."
thewayne: (Cyranose)
Not only is Adobe sending usage information on what you're reading back to their HQ, they also seem to be scanning your entire eBook library and reporting on that.

Not only that, but they're sending it in clear text: no encryption.

This has tremendous implications on libraries that have clear policies, if not laws, that this information is not to be shared. If Adobe is gathering it, they could be in some deep legal doodoo.
thewayne: (Cyranose)
Very interesting tech. The ability to recover sound by bouncing a laser off of glass has been around for ages, this is different as it just uses a camera and would therefor be difficult to detect. You find a boundary, for example, between a blue and red object. Blue and red combine to make purple, and by watching how it shifts around purple you can reconstruct information.

It isn't easy. An ideal setup would have a camera that could record 2,000 to 6,000 frames per second (FPS), which is damn fast and requires a LOT of light: as the FPS goes up, so does the amount of light for a proper exposure. The real breakthrough by the researchers was to find a quirk in cell phone cameras, which top out at about 60 FPS but this glitch can be exploited to provide the same information.

The defense? Close the drapes.

Their findings will be presented at the Siggraph conference.
thewayne: (Cyranose)
There's a lot going on here, which is why I didn't post about it as soon as it became news. First, the good news. The police must now usually get a search warrant to search the phone of a person whom they arrest. There are a couple of exceptions, such as fear of evidence being remotely deleted or exigent circumstances, like if you're a suspect in a kidnapping. Most of the time those exceptions won't apply.

But that doesn't mean your data is sacrosanct. Consider what's going on in Florida, where stingray devices are being used to impersonate cell towers and are being used with impunity, usually without getting a search warrant. Police can still subpoena data from your cell provider, then again, at that point they've gone through legal channels and theoretically demonstrated probable cause. It's possible that at that point that searching your phone is irrelevant and just done for form's sake.

Still, it is a good thing. It's good to know that the Supremes recognize that cell phones, and smart phones in particular, are incredibly personal and hold a huge amount of sensitive information.

So what happens if you are stopped and/or arrested and police try to search your phone without a warrant? Let's face it, there's not much that you can do to stop it, the threat or use of physical force would be really stupid at that point. The two best things to do is to (A) lock your phone before your arrest if you can, and (B) loudly proclaim as often as possible, preferably in front of witnesses, "I do not consent to that search." Even if police ask you a yes/no question whether they can search your phone, reply with 'I do not consent'. They're good at asking double-negative questions, such as 'You don't mind if I search your phone, do you?' How do you answer that? Answering either yes or no can be construed as consent, as can not answering. So answer 'I do not consent to this search.' Same thing goes with your car, if police want to search your car you should not consent and force them to get a proper warrant with proof of probable cause.

Here's some info on exceptions that can allow police to search your phone:

But if there's one thing that this case has confirmed. Something which has been demonstrated time and again, is that the Supreme Court is very weak when it comes to understanding technology. One Justice was baffled that some people might carry more than one cell phone. I did that for work when I was on-call, until I asked 'Can I just forward the on-call phone to my cell?' Apparently no one, including management had thought of that. One Justice while hearing a case about patents and Ebay, suggested that he could program something like Ebay given a weekend, because it was just pictures and prices.

The Supreme Court didn't have a photocopier for 50 years after its invention. They don't use email much, and only do audio recordings of their public deliberations. They are techno-Luddites.

Part of the problem is that they are trained to reason via analogy, and that process is breaking down big-time. From the article: "... In past arguments, computers were analogized to typewriters, phone books and calculators. Video games were compared to films, comic books and Grimm’s fairy tales. Text messages were analogized to letters to the editor. A risk-hedging method was compared to horse-training and the alphabet. EBay was likened to a Ferris wheel, and also to the process of introducing a baker to a grocer. The list goes on. Scary stuff.
thewayne: (Cyranose)
The ACLU filed a public records request for all information about using stingray devices from the Sarasota PD and had an appointment to review the documentation, when the US Marshal Service went in and effectively raided the police department, taking all of the documents that the ACLU were going to view.

Something similar happened in Tallahassee after it was revealed that said department had used stingrays 200 times without telling a judge. The stingray manufacturer had made the police department sign non-disclosure agreements and the department thought that precluded telling judges. Interesting how corporations can now dictate law enforcement behavior.

A stingray is a piece of surveillance equipment that mimics a cell tower. It broadcasts a stronger signal than a tower which forces all of the cell phones in the area to link to it. By moving the tower around, you can triangulate and more accurately locate the phone with a specific number than is possible with tower information alone. The kerfuffle revolves around the detective getting a 'trap and trace' warrant which is effectively a phone tap, for deploying this stingray, rather than a probable cause warrant that is normally used with them.
thewayne: (Cyranose)
Thus spoke General Michael Hayden, former director of the NSA and the CIA. Metadata is information about information, in this case, collecting metadata about phone calls. It knows A called B on a certain date and time and for a certain amount of time. It then can go out 2-3 hops, A<->B is one, B then calls C is 2, C calls D E and F for three. So A never talks to F, but they are indelibly associated, so if one is labeled a terrorist, there's an extremely high chance the other is. But maybe it's just a neighborhood pizza joint that delivers.

And with every drone strike we radicalize more people to become terrorists, and we've given them an exceptionally bright and clear target: the USA. I guess winning hearts and minds is too wussy these days.
thewayne: (Cyranose)
Across the world the theft of smartphones has been a rising crime category while crime overall is trending down. I seem to recall that in New York City that it's the fastest growing crime. Law enforcement across the country and consumers have been begging for legislation requiring cell phone service providers to implement a kill switch, so if your phone is stolen, you can easily have it locked or wiped.

Both Android and iPhones have such capability, I'm not sure about the new generation of Windows smartphones. But you have to be aware of this capability and configure your phone before it's stolen for this to be effective, for iPhones and iPads you install a program called Find My Phone and link it to a free iCloud account: when your device is lost or stolen, you sign on to iCloud and you can lock the device, reformat it immediately, make it beep, display a message that says 'Hey! Return the phone from whence you got it!' or whatever. I don't know how you do this under Android, but I know the capability is there and the process is similar.

Additionally, iOS devices can be configured to wipe themselves after ten failed attempts to get past the security logon, I'm sure Android has a similar feature. So if you think you're going to be arrested, turn off your device and make it that much harder for your phone to be probed. Most smartphones these days are already encrypted but law enforcement forensic tools can typically get part that.

Law enforcement wants this, because it will reduce violent crime: a lot of people get hurt before surrendering their $400 phone. The Federal Department of Justice wants to put a kibosh on this. They say that there's too much of a risk that criminals could have co-conspirators wipe their phone before, and apparently this has happened where a drug gang actually had an IT department who knew to wipe devices if a dealer was arrested.

There's an easy way for law enforcement to preserve evidence. First, turn off the device. Next, in the case of a non-iOS device, remove the battery. Third, put the device in a Faraday bag. This blocks all signals from getting in or out of the device, thus preserving it for when the police get around to getting as search warrant. If the judge decides not to award the warrant or you're released, no harm no fowl. The chickens appreciate the no harm part.

So the Feds want to prevent a technology that would reduce violent crime by making the value of the stolen object pretty much nil, because it would represent a slight increase in the difficulty of doing their job. I wish I had that power, the next time that I get a tech support job I can make it illegal to hire idiots to make my job easier.
thewayne: (Cyranose)
Earlier this week the Russian President Vladimir Putin did an annual event which was effectively an open Q&A with the press. Edward Snowden asked him a question about whether Russia conducts mass surveillance on their people, Putin denied it. What a surprise.

In this editorial for The Guardian, Snowden explains that he wanted to get Putin on public record to open a dialog to get Russian journalists and privacy rights advocates to push the question further. Snowden goes on to say that Putin's answers were much like Obama's initial denials.

Personally, I don't know that Russia has the computer/software power to conduct mass surveillance. They probably accumulate a lot of surveillance information but don't have that great of resources for mining it. On the other hand, they have an excellent skill set for spying on targeted individuals, and anyone who stands up and needs to be hammered down will become a targeted individual.

In other news, Snowden's encrypted email provider, Lavabit, lost a contempt appeal. Lavabit provided end-to-end strong encryption, and when the FBI went after Snowden, they demanded all crypto keys, not just the ability to wire tap Snowden's emails. Lavabit unfortunately did sort of a Three Stooges routine in turning over the keys, staying within the letter of the order while clearly ignoring the intent. They were cited for contempt and have now lost, unfortunately because of their attempts to dodge the subpoena, they caused such a mess that the larger issue, that the FBI was overbroad in requesting crypto keys when they should and could have asked for just Snowden's info, was not part of the contempt ruling and wasn't examined.
thewayne: (Cyranose)
Edward Snowden was a featured speaker last month at both TED and SXSW, he teleconferenced in. From his talks, Wired came up with a list of ten things that can be done to improve security and privacy of our information. It's a pretty good list, but not one that the individual can do much with, it's pretty much entirely dependent on being implemented by ISPs and web sites and engineers. Still, it's not a bad start.
thewayne: (Cyranose)
There are several linux operating systems out there that are designed for privacy and secrecy. It's been acknowledged for a long time that one of the best ways to do such is to mount them on read-only media, like a CD or DVD, boot from the media, do what you need to do and shut down. Nothing is written to the local drive, so there's no forensic evidence from local computers to recover. Also, you're immune to malware being installed on your system since nothing can be written to your drive and the hard drive in the system is disconnected.

This is what Snowden did using a distribution called TAILS, it's a product of two anonymous groups working towards the same goal. You can load it on a thumb drive or CD/DVD, boot from it, and it provides you with a browser and Open Office installation and routes everything through TOR. It has other security features to keep you anonymous and encrypted. This, apparently, is how he communicated with the writers that he'd selected to send documents to.

Apparently it is not a casual installation and takes some configuration work to make it function properly. Not for casual players.

I think there are some networks where this wouldn't work, such as at my uni. Before you use a device on their network, you have to sign in to your student account and register the MAC address, then reboot your device. I think they're using a combination of MAC registry at the switch level and also perhaps a persistent cookie, though I haven't checked in to that. I suppose you could use TAILS to register the MAC address, which would be the address of the local computer's ethernet card, but you wouldn't be able to store the cookie, so I don't know how TAILS would work in an environment like that, or even if it could get out to the internet.
thewayne: (Cyranose)
I was thinking about the guy who just lost his @H Twitter handle. The comment in reply to his post talked about the attacker getting in to his Amazon account, going through his old orders, and finding an old address that was his parent's house. Once he had that, he started hitting public records repositories and building a history of the replier to build up a social engineering attack.

I decided it would be good to delete the two or three extra addresses that I had in Amazon, so I logged on and deleted them. And decided to check my order history. And there, in 1999, my oldest logged order with Amazon (though I don't know that it was my first), was the address of my old condo in Phoenix. My order history also includes my parent's address, and that of a few friends. It's all there.

I'm not sure what I'm going to do about this. I'm not a prime target for people wanting to steal this sort of information for social engineering attacks against me, I'm just not that important. All of the domains that I own are run through a privacy protection service, so you can't get my name and address information from my web sites, though that information is stored on some of my sites for business purposes. I'm thinking maybe set up a domain with a name that is not used anywhere, have no web site for it, and just use a mail service to toughen up the logins for various commercial web sites that I use, so if one is compromised they might have a harder time compromising other accounts.

But is it worth going to that extreme?
thewayne: (Cyranose)
This is interesting. One case involve an appeal from a man convicted of involvement of a gang shooting. He was pulled over for expired tags on his car, and a field search of his phone found pix of him posing in front of a car used in a shooting. The other is the case of a convicted drug dealer whose phone tied him to his house, where drugs were found. The interesting point of the latter is that it was not a smartphone.

In the case of the former, I don't think the police had probable cause to search the phone, they definitely didn't have a 'hot pursuit' basis such as in a kidnapping or Amber Alert. In the second, they had probable cause to subpoena telephone records, so why didn't they?

The basic problem is that smart phones are our lives. The cops can't search computers without a warrant, they shouldn't be able to search phones either.

The Court will hear oral arguments in April and issue a ruling by the end of June.
thewayne: (Cyranose)
The Seattle police department has a proven track record of being less than forthcoming when they institute surveillance measures. They installed 30 cameras in the port district for 'security' without owning up to it or saying how they are used. Most recently, they've installed a mesh wireless network downtown. Each box contains for wireless access points, and they talk to each other. And they can track and triangulate a smartphone's WiFi radio.

The city council passed a regulation that all systems capable of surveillance have to have detailed usage plans before the council within 30 days of installation. The report is expected around Thanksgiving, and the new police network, from a vendor known as Aruba, will have been up for nine months at that point.

The whole thing was funded by the Department of Homeland Security and feeds an intelligence fusion center, among other recipients.

There's a concept called geofencing. In it, a geographic point is defined, such as 'my parent's house', and under iPhone's iOS 6 and later you could tell it 'remind me to open the vent in the bedroom when I get to my parent's house.' I would imagine that Android phones have similar capability. It'd be cool if you could tell it 'Disable WiFi when I leave home, turn it on when I return.'
thewayne: (Cyranose)
The NSA, PRISM, and trying to keep your information private and secure

This is a whole bunch of links that I've been accumulating that talks about a lot of different facets of what's been going on since Edward Snowden blew the lid off of the PRISM spying and what the NSA and federal government has been doing.

First up, my fav security guy, Bruce Schneier. In this article “How to Remain Secure Against the NSA”, Bruce talks about precautions that you can take to improve your security, while acknowledging that if the NSA et al wants information about you, there's precious little that you can do about it.

Here we have a story by a man who was Microsoft's privacy chief from 2002 to 2011 who says he no longer trusts the company since the existence of PRISM was revealed. ”In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source.”

There's only one problem with that: 99%+ of people can't read source code or really have the expertise to understand it and to also understand all of the other source code that it ties in to, as you have to evaluate every single part of the system to know whether or not it's secure. So we have to rely on others to tell us that this code is secure. Linux is probably secure, but lots of its code that relates to cryptography and communications is being reevaluated to look for back doors and a lot of the crypto code is being replaced with code that is more public and not backed by NIST.

MUCH more under the cut
Read more... )
thewayne: (Cyranose)
Basically, Russia will be employing a monitoring system akin to PRISM and firewalls akin to China. I think the only difference between Russia now and the USSR at its peak is now they're not quite as aggressive militarily and their borders are a little more open, and perhaps not as many people are being sent off to Siberia, but the full fallout of their anti-gay laws is yet to be seen.

September 2017

3 4 5678 9
101112 1314 15 16
1718 19 20212223


RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated Sep. 22nd, 2017 01:37 pm
Powered by Dreamwidth Studios