FreeBSD won’t use Intel & Via’s hardware random number generators, believes NSA has compromised them

The maintainers of the security-conscious FreeBSD operating system have declared that they will no longer rely on the random number generators in Intel and Via’s chips, on the grounds that the NSA likely has weakened these opaque hardware systems in order to ease surveillance. The decision is tied to the revelations of the BULLRUN/EDGEHILL programs, wherein the NSA and GCHQ spend $250M/year sabotaging security in standards, operating systems, software, and networks.

“For 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random,” FreeBSD developers said. “It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more.”

In separate meeting minutes, developers specifically invoked Snowden’s name when discussing the change. “Edward Snowdon [sic] — v. high probability of backdoors in some (HW) RNGs,” the notes read, referring to hardware RNGs. Then, alluding to the Dual_EC_DRBG RNG forged by the National Institute of Standards and Technology and said to contain an NSA-engineered backdoor, the notes read: “Including elliptic curve generator included in NIST. rdrand in ivbridge not implemented by Intel… Cannot trust HW RNGs to provide good entropy directly. (rdrand implemented in microcode. Intel will add opcode to go directly to HW.) This means partial revert of some work on rdrand and padlock.”

“We cannot trust” Intel and Via’s chip-based crypto, FreeBSD developers say [Dan Goodin/Ars Technica]
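The design point behind the change is worth seeing in code: a hardware RNG whose output goes straight to /dev/random is trusted completely, whereas a hardware RNG that is merely one input to a hashed entropy pool cannot, on its own, make the pool’s output predictable as long as at least one other independent source is mixed in. The following is an added example, not FreeBSD code and not the real Yarrow algorithm; the ToyPool class, the "rdrand" source tag, and the "backdoored" byte string the adversary is assumed to know are all constructed for illustration.

```python
"""Toy model of mixing an untrusted hardware RNG into a pool.

Added example; not FreeBSD code and not Yarrow itself. It models only the
design point: hardware RNG output is one input among several to a hashed
pool, and consumers read the pool's generator, never the source directly.
"""
import hashlib
import hmac


class ToyPool:
    """Hash-accumulating pool with an HMAC-counter output generator (hypothetical)."""

    def __init__(self):
        self._acc = hashlib.sha256()
        self._key = None
        self._counter = 0

    def add(self, source, data):
        # Source tag and length prefix: a biased source cannot be reinterpreted
        # as, or overwrite, another source's contribution.
        self._acc.update(source.encode() + len(data).to_bytes(4, "big") + data)

    def reseed(self):
        # Derive a fresh generator key from everything absorbed so far. The
        # accumulator keeps running, so later reseeds still depend on earlier input.
        self._key = self._acc.copy().digest()
        self._counter = 0

    def generate(self, n):
        if self._key is None:
            raise RuntimeError("pool not seeded")
        out = b""
        while len(out) < n:
            block = hmac.new(self._key, self._counter.to_bytes(8, "big"), hashlib.sha256)
            out += block.digest()
            self._counter += 1
        return out[:n]


def direct_path(hw_output, n):
    """Pre-change model: hardware RNG bytes delivered straight to the consumer."""
    return hw_output[:n]


def mixed_path(hw_output, other_sources, n):
    """Post-change model: hardware RNG bytes are one pool input among others."""
    pool = ToyPool()
    pool.add("rdrand", hw_output)
    for name, data in other_sources.items():
        pool.add(name, data)
    pool.reseed()
    return pool.generate(n)


# Constructed inputs: a hypothetical hardware source whose output the adversary
# is assumed to know in full, plus independent sources the adversary does not see.
KNOWN_HW_OUTPUT = bytes(range(32))
INDEPENDENT = {"interrupt_timing": b"\x17\x2a\x03\x91" * 8, "disk_latency": b"\x5c" * 32}


def demo(n=32):
    """Compare what an adversary who knows the hardware output learns under each path."""
    direct = direct_path(KNOWN_HW_OUTPUT, n)
    mixed = mixed_path(KNOWN_HW_OUTPUT, INDEPENDENT, n)
    mixed_again = mixed_path(KNOWN_HW_OUTPUT, INDEPENDENT, n)
    # Flip one bit of one independent source: the pool output changes entirely.
    perturbed = dict(INDEPENDENT)
    perturbed["disk_latency"] = b"\x5d" + b"\x5c" * 31
    mixed_perturbed = mixed_path(KNOWN_HW_OUTPUT, perturbed, n)
    # Caveat: a pool does not manufacture entropy. With no independent source,
    # the adversary can simply recompute the pool and the output is still known.
    hw_only = mixed_path(KNOWN_HW_OUTPUT, {}, n)
    return {
        "direct_is_known_to_adversary": direct == KNOWN_HW_OUTPUT[:n],
        "mixed_is_known_to_adversary": mixed == KNOWN_HW_OUTPUT[:n],
        "mixed_deterministic": mixed == mixed_again,
        "mixed_depends_on_independent_sources": mixed != mixed_perturbed,
        "hw_only_pool_recomputable": hw_only == mixed_path(KNOWN_HW_OUTPUT, {}, n),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry in `demo()` is the caveat the FreeBSD minutes also make: routing RDRAND through Yarrow does not create entropy the machine does not have, it only stops a single suspect source from dominating what consumers receive, so the pool still needs genuinely independent sources (interrupt timing, disk latency and so on) to be worth anything.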

Life from the near future of location surveillance

In Meet Jack. Or, What The Government Could Do With All That Location Data, the ACLU’s Jay Stanley presents a slide deck from the near future in which a government intelligence service presents a glowing account of how it convicted “Jack R Benjamin” of DUI pre-crime, by watching all the places he went, all the people he interacted with, and using an algorithm to predict that he would commit a DUI, and, on that basis, to peer into every corner of his personal life.

The use of the slide deck is inspired here, echoing as it does the Snowden leaks (Snowden had been tasked with consolidating training documents from across the NSA, which is why he had access to such a wide variety of documents, and why they’re all in powerpoint form). And the kind of data-mining here is not only plausible, it’s likely — it’s hard to imagine cops not availing themselves of this capability.

Just out of curiosity, who else has been visiting Mary Smith’s house? Looks like Mary has a few close friends. Wonder if Mr. Benjamin is aware of this Bill Montgomery character who spent a few nights with her? Going back to the main screen, looks like Mr. Benjamin is quite a union activist. Perhaps we should notify George over at BigCorp (he serves at the Fusion Center with us). Just in case our man has been involved in the trouble they’ve been having over there.

Meet Jack. Or, What The Government Could Do With All That Location Data [Jay Stanley/ACLU] (via MeFi)

Spooks of Warcraft: how the NSA infiltrated gamespace

A new Snowden leak details how the NSA and GCHQ tasked their agents to infiltrate Second Life, World of Warcraft, and other MMOs to find jihadis and spy on them. The battalions of undercover orcs did indeed take much of gamespace, but there’s no evidence they ever spotted a plot.

I was once questioned by members of an “unnamed branch of the State Department” at a games and public diplomacy event about the likelihood that jihadis were playing MMOs; and I said something like, “Sure, of course. Everyone plays MMOs.” I didn’t realize they’d take it all quite so much to heart.

The absurdity of sending spies to infiltrate Warcraft can best be understood as a natural outflow of the doctrine that holds that if any two bad guys, anywhere in the world, can communicate in such a way that the NSA can’t listen in on them, all of society will crumble. Once you set yourself the insane task of eavesdropping on all conversations, everywhere, always, it’s inevitable that you’ll send Secret Squirrel and his pals to Azeroth.

At the request of GCHQ, the NSA had begun a deliberate effort to extract World of Warcraft metadata from their troves of intelligence, and trying to link “accounts, characters and guilds” to Islamic extremism and arms dealing efforts. A later memo noted that among the game’s active subscribers were “telecom engineers, embassy drivers, scientists, the military and other intelligence agencies”. The UK agency did not stop at World of Warcraft, though: by September a memo noted GCHQ had “successfully been able to get the discussions between different game players on Xbox Live”. Meanwhile, the FBI, CIA, and the Defense Humint Service were all running human intelligence operations – undercover agents – within the virtual world of Second Life.

In fact, so crowded were the virtual worlds with staff from the different agencies, that there was a need to try to “deconflict” their efforts – or, in other words, to make sure each agency wasn’t just duplicating what the others were doing. By the end of 2008, such human intelligence efforts had produced at least one usable piece of intelligence, according to the documents: following the successful takedown of a website used to trade stolen credit card details, the fraudsters moved to Second Life – and GCHQ followed, having gained their first “operational deployment” into the virtual world. This, they noted, put them in touch with an “avatar [game character] who helpfully volunteered information on the target group’s latest activities”. Second Life continued to occupy the intelligence agencies’ thoughts throughout 2009. One memo noted the game’s economy was “essentially unregulated” and so “will almost certainly be used as a venue for terrorist laundering and will, with certainty, be used for terrorist propaganda and recruitment”.

Revealed: spy agencies’ covert push to infiltrate virtual world of online games [James Ball/The Guardian]

Botnet of 20,000 point-of-sale machines

Details are emerging about Stardust, a piece of malicious software that targets point-of-sale credit-card processing machines. Stardust has reportedly compromised over 20,000 PoS machines and turned them into an easy-to-control botnet. The malware’s masters can monitor the botnet in realtime and issue fine-grained commands to its components, harvesting a titanic volume of payment card details.

The discovery comes as researchers from a separate security firm called Arbor Networks published a blog post on Tuesday reporting an active PoS compromise campaign. The advisory is based on two servers found to be hosting Dexter and other PoS malware. Arbor researchers said the campaign looks to be most active in the Eastern Hemisphere. There was no mention of a botnet or of US restaurants or retailers being infected, so the report may be observing a campaign independent from the one found by IntelCrawler. It remains unclear how the attackers manage to initially infect PoS terminals and servers that make up the botnet. In the past, criminals have targeted known vulnerabilities in applications that many sellers of PoS software use to remotely administer customer systems. Weak administrator passwords, a failure to install security updates in a timely fashion, or unknown vulnerabilities in the PoS applications themselves are also possibilities.

Credit card fraud comes of age with advances in point-of-sale botnets [Dan Goodin/Ars Technica]

Crowdfunded prize for first open jailbreak of iOS 7

Elizabeth Stark writes, “We’re pleased to announce the Device Freedom Prize: a crowdfunded reward for the first developer(s) who release an open source iOS 7 jailbreak. Providing users the ability to control their devices is crucial in an age where we’re increasingly dependent on our mobile phones. An open source jailbreak provides users the capability to install what they want on their own devices, the ability to audit the code they’re using to do so, and enables disabled users to more easily use their devices.”

“We’ve assembled a judging panel of awesome folks that care a lot about these issues, including Boing Boing’s own Cory Doctorow; Kyle Wiens, CEO of iFixit; Biella Coleman, Professor and Author of Coding Freedom, and Chris Maury, Accessibility Advocate. Contribute to the prize to help make an open source iOS jailbreak a reality.”

Is iOS7 jailbroken yet? (Thanks, Elizabeth!)

Terabyte laptop SSDs for $435!

For the second half of the 1990s, my standard advice to people buying computers was to max out the RAM as the cheapest, best way to improve their computers’ efficiency. The price/performance curve hit its stride around 1995, and after decades when a couple gigs of RAM would cost more than the server you were buying it for, you could max out all the RAM slots in any computer for a couple hundred bucks. Operating systems, though, were still being designed for RAM-starved computers, and when you dropped a gig or two of RAM in a machine, it screamed.

It’s still good practice to max out your RAM, but it doesn’t get you much of a dividend. The turbo-charger of the 2010s is solid-state disk-drives, and they’re screaming up the same price/performance curve that RAM traversed twenty years ago. Two years ago, I traded my laptop drive for a 400GB SSD, spending as much on the drive as I had on the machine, and it was worth every penny. My laptop battery-life nearly doubled, and I stopped getting watch-cursors altogether; no matter what task I performed, it was done instantly.

In October, I bought a one terabyte SSD for a ridiculous $435 — about a third of what I paid for a 600GB drive a little over a year ago! — and having run it for two months now, I’m prepared to pronounce it good. I wasn’t familiar with the manufacturer, Crucial, but they got very good reviews on Amazon, and at that price I was prepared to give them the benefit of the doubt. My machine — a Thinkpad X230 running Ubuntu 13.10 — chugs along with nary a beach-ball, and I can go six to eight hours on a six-cell battery with full brightness, and continuous Wifi and Bluetooth usage. I’m rough on my computer, and it’s taken plenty of knocks and bumps without any noticeable impact on the drive.

To accompany the new drive, I bought a pair of $78 Toshiba USB3 1TB drives (one for backing up at the office, the other for my travel bag). They’re nothing near as fast as the SSD, but combined with the USB3 bus, they’re plenty quick for daily incremental backups, which take less than five minutes. If your storage needs aren’t as massy as mine, there’s a whole line of Crucial SSDs, 480GB for $269, 240GB for $140 and so on. They all come with three year warranties, though I haven’t had cause to get service for my drive yet (knock wood). The drive is 7mm high, and comes with an easy-to-fit adapter for 9mm enclosures. I was less impressed with the adapter I bought to copy the files over; it was fiddly and prone to losing its connection. Ultimately, I slapped the new drive into a case in order to make the transfer.

Crucial M500 960GB SATA 2.5-Inch 7mm (with 9.5mm adapter/spacer) Internal Solid State Drive CT960M500SSD1

Apps come bundled with secret Bitcoin mining programs, paper over the practice with EULAs

Researchers at Malwarebytes have discovered that some programs covertly install Bitcoin-mining software on users’ computers, papering over the practice by including sneaky language in their license agreements allowing for “computer calculations, security.” The malicious programs include YourFreeProxy from Mutual Public, AKA We Build Toolbars, LLC, AKA WBT. YourFreeProxy comes with a program called Monitor.exe, which repeatedly phones home to WBT, eventually silently downloading and installing a Bitcoin mining program called “jhProtominer.”

So now that we have proof that a PUP is installing miners on users’ systems, do they do it without ever letting the user know? Well not exactly, their EULA specifically covers a section on Computer Calculations:

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.

Their explanation is basically the purpose of Bitcoin Miners and that they will install this software on the system, run it, use up your system resources and finally keep all rewards from the effort YOUR system puts in. Talk about sneaky. In my opinion, PUPs have gone to a new low with the inclusion of this type of scheme, they already collected information on your browsing and purchasing habits with search toolbars and redirectors. They assault users with pop-up ads and unnecessary software to make a buck from their affiliates. Now they are just putting the nails in the coffin by stealing resources and driving user systems to the grave.

Potentially Unwanted Miners – Toolbar Peddlers Use Your System To Make BTC [Adam Kujawa/Malwarebytes] (via /.)

New CC licenses: tighter, shorter, more readable, more global

Creative Commons has released version 4.0 of its sharing-friendly, easy-to-use copyright licenses. The new licenses represent a significant improvement over earlier versions. They work in over 60 jurisdictions out of the box, without having to choose different versions depending on which country you’re in; they’re more clearly worded; they eliminate confusion over jurisdiction-specific rights like the European database right and moral rights. They clarify how license users are meant to attribute the works they use; provide for anonymity in license use; and give license users a 30 day window to correct violations, making enforcement simpler. Amazingly, they’re also shorter than the previous licenses, and easier to read, to boot.

30-day window to correct license violations

All CC licenses terminate when a licensee breaks their terms, but under 4.0, a licensee’s rights are reinstated automatically if she corrects a breach within 30 days of discovering it. The cure period in version 4.0 resembles similar provisions in some other public licenses and better reflects how licensors and licensees resolve compliance issues in practice. It also assures users that provided they act promptly, they can continue using the CC-licensed work without worry that they may have lost their rights permanently.

Increased readability

The 4.0 license suite is decidedly easier to read and understand than prior versions, not to mention much shorter and better organized. The simplified license structure and use of plain language whenever possible increases the likelihood that licensors and reusers will understand their rights and obligations. This improves enforceability of the licenses and reduces confusion and disagreement about how the licenses operate.

Clarity about adaptations

The BY and BY-NC 4.0 licenses are clearer about how adaptations are to be licensed, a source of confusion for some under the earlier versions of those licenses. These licenses now clarify that you can apply any license to your contributions you want so long as your license doesn’t prevent users of the remix from complying with the original license. While this is how 3.0 and earlier versions are understood, the 4.0 licenses make it abundantly clear and will help remixers in understanding their licensing obligations.

What’s New in 4.0

TSA blows a billion bucks on unscientific "behavioral detection" program, reinvents phrenology

10 years and $900M later, the TSA’s behavioral analysis program is a debacle. Here’s the US General Accountability Office on the program: “Ten years after the development of the SPOT program, TSA cannot demonstrate the effectiveness of its behavior detection activities. Until TSA can provide scientifically validated evidence demonstrating that behavioral indicators can be used to identify passengers who may pose a threat to aviation security, the agency risks funding activities [that] have not been determined to be effective.”

Basically, the TSA has spent a decade and nearly a billion dollars reinventing phrenology. I feel safer already.

For the report, GAO auditors looked at the outside scientific literature, speaking to behavioral researchers and examining meta-analyses of 400 separate academic studies on unmasking liars. That literature suggests that “the ability of human observers to accurately identify deceptive behavior based on behavioral cues or indicators is the same as or slightly better than chance (54 percent).” That result holds whether or not the observer is a member of law enforcement. It turns out that all of those signs you instinctively “know” to indicate deception usually don’t. Lack of eye contact for instance simply does not correlate with deception when examined in empirical studies. Nor do increases in body movements such as tapping fingers or toes; the literature shows that people’s movements actually decrease when lying. A 2008 study for the Department of Defense found that “no compelling evidence exists to support remote observation of physiological signals that may indicate fear or nervousness in an operational scenario by human observers.”

TSA’s got 94 signs to ID terrorists, but they’re unproven by science [Nate Anderson/Ars Technica]

Glowing 3D printed squid filled with bioluminescent soup

Rebecca Klee and Siouxsie Wiles’s “Living Light” is a 3D printed hollow squid filled with bioluminescent bacteria. They’ve thoroughly documented their build-process, and the project is really shaping up to be gorgeous.

From the lab to the park (via O’Reilly Radar)
