Pinboard (jm)
https://pinboard.in/u:jm/public/
recent bookmarks from jm

How the CIA used Crypto AG encryption devices to spy on countries for decades - Washington Post
2020-02-11T13:59:19+00:00
https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/
jm
The operation, known first by the code name “Thesaurus” and later “Rubicon,” ranks among the most audacious in CIA history. “It was the intelligence coup of the century,” the CIA report concludes. “Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”
It is worth noting that Ireland was a victim to this snooping as well:
During the sensitive Anglo-Irish negotiations of 1985, the NSA's British counterpart, GCHQ, was able to decipher the coded diplomatic traffic being sent between the Irish embassy in London and the Irish Foreign Ministry in Dublin. It was reported in the Irish press that Dublin had purchased a cryptographic system from Crypto AG worth more than a million Irish pounds. It was also reported that the NSA routinely monitored and deciphered the Irish diplomatic messages.
Tags: cryptography us nsa gchq crypto-ag surveillance cia spying spies
https://pinboard.in/u:jm/b:e04cc7fad5e7/

Give Up the Ghost: A Backdoor by Another Name | Just Security
2019-01-08T16:30:57+00:00
https://www.justsecurity.org/62114/give-ghost-backdoor/
jm
They’re talking about adding a “feature” that would require the user’s device to selectively lie about whether it’s even employing end-to-end encryption, or whether it’s leaking the conversation content to a third (secret) party. Is the security code displayed by your device a mathematical representation of the two keys involved, or is it a straight-up lie? Furthermore, what’s to guarantee that the method used by governments to insert the “ghost” key into a conversation without alerting the users won’t be exploited by bad actors?
Despite the GCHQ authors’ claim, the ghost will require vendors to disable the very features that give our communications systems their security guarantees in a way that fundamentally changes the trust relationship between a service provider and its users. Software and hardware companies will never be able to convincingly claim that they are being honest about what their applications and tools are doing, and users will have no good reason to believe them if they try.
And, as we’ve already seen, GCHQ will not be the only agency in the world demanding such extraordinary access to billions of users’ software. Australia was quick to follow the UK’s lead, and we can expect to see similar demands, from Brazil and the European Union to Russia and China. (Note that this proposal would be unconstitutional were it proposed in the United States, which has strong protections against governments forcing actors to speak or lie on its behalf.)
We must reject GCHQ’s newest “ghost” proposal for what it is: a mandated encryption backdoor that weakens the security properties of encrypted messaging systems and fundamentally compromises user trust.
Tags: crypto ghost gchq security backdoors uk
https://pinboard.in/u:jm/b:793a8dc59f04/

MPs’ private emails are routinely accessed by GCHQ
2016-06-02T11:09:31+00:00
http://www.computerweekly.com/news/450297574/MPs-private-emails-are-routinely-accessed-by-GCHQ
jm
Tags: snowden privacy mps uk politics gchq nsa haruspex messagelabs symantec microsoft parliament
https://pinboard.in/u:jm/b:45ffe0eeb67f/

The problems with forcing regular password expiry
2016-04-19T16:55:31+00:00
https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry
jm
The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords.
It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis. CESG now recommend organisations do not force regular password expiry.
Tags: cesg recommendations guidelines security passwords expiry uk gchq
https://pinboard.in/u:jm/b:17124f78ef0e/

GCHQ intervenes to prevent catastrophically insecure UK smart meter plan - The Inquirer
2016-04-08T09:21:45+00:00
http://m.theinquirer.net/inquirer/news/2451793/gchq-intervenes-to-prevent-catastrophically-insecure-uk-smart-meter-plan
jm
GCHQ barged in after spooks cast their eyes over the plans and realised that power companies were proposing to use a single decryption key for communications from the 53 million smart meters that will eventually be installed in the UK.
holy crap.
Tags: gchq security smart-meters power uk electricity gas infrastructure
https://pinboard.in/u:jm/b:7f86ce3b622f/

GCHQ's Spam Problem
2016-02-05T13:15:57+00:00
http://motherboard.vice.com/en_uk/read/gchqs-spam-problem
jm
Tags: spam anti-spam gchq funny boing-boing sigint snowden surveillance
https://pinboard.in/u:jm/b:9191635e58f3/

Exclusive: Snowden intelligence docs reveal UK spooks' malware checklist / Boing Boing
2016-02-03T14:02:06+00:00
https://boingboing.net/2016/02/02/doxxing-sherlock-3.html
jm
The problem with this is that once you accept this framing, and note the happy coincidence that your paymasters just happen to have found a way to spy on everyone, the conclusion is obvious: just mine all of the data, from everyone to everyone, and use an algorithm to figure out who’s guilty. The bad guys have a Modus Operandi, as anyone who’s watched a cop show knows. Find the MO, turn it into a data fingerprint, and you can just sort the firehose’s output into “terrorist-ish” and “unterrorist-ish.”
Once you accept this premise, then it’s equally obvious that the whole methodology has to be kept from scrutiny. If you’re depending on three “tells” as indicators of terrorist planning, the terrorists will figure out how to plan their attacks without doing those three things.
This even has a name: Goodhart's law. "When a measure becomes a target, it ceases to be a good measure." Google started out by gauging a web page’s importance by counting the number of links they could find to it. This worked well before they told people what they were doing. Once getting a page ranked by Google became important, unscrupulous people set up dummy sites (“link-farms”) with lots of links pointing at their pages.
Tags: adversarial-classification classification surveillance nsa gchq cory-doctorow privacy snooping goodharts-law google anti-spam filtering spying snowden
https://pinboard.in/u:jm/b:4d0273cfe1c7/

Big Brother is born. And we find out 15 years too late to stop him - The Register
2015-12-18T10:21:05+00:00
http://www.theregister.co.uk/2015/12/16/big_brother_born_ntac_gchq_mi5_mass_surveillance_data_slurping/?page=2
jm
During the passage of RIPA, and in many debates since 2000, Parliament was asked to consider and require data retention by telephone companies, claiming that the information was vital to fighting crime and terrorism. But Prime Minister Tony Blair and successive Home Secretaries David Blunkett and Jack Straw never revealed to Parliament that at the same time, the government was constantly siphoning up and storing all telephone call records at NTAC.
As a result, MPs and peers spent months arguing about a pretence, and in ignorance of the cost and human rights implications of what successive governments were doing in secret.
Tags: ripa big-brother surveillance preston uk gchq mi5 law snooping
https://pinboard.in/u:jm/b:60d4dadb7f74/

Big Brother Watch on Twitter: "Anyone can legally have their phone or computer hacked by the police, intelligence agencies, HMRC and others #IPBill https://t.co/3ZS610srCJ"
2015-12-14T11:52:35+00:00
https://twitter.com/bbw1984/status/675680272952651776
jm
Tags: hmrc police gchq uk hacking security law-enforcement evidence law
https://pinboard.in/u:jm/b:8fc1124628e2/

ECJ ruling on Irish privacy case has huge significance
2015-10-08T14:32:41+00:00
http://www.irishtimes.com/business/ecj-ruling-on-irish-privacy-case-has-huge-significance-1.2382895#.VhZ7SUKxHq1.twitter
jm
The only current way to comply with EU law, the judgment indicates, is to keep EU data within the EU. Whether those data can be safely managed within facilities run by US companies will not be determined until the US rules on an ongoing Microsoft case.
Microsoft stands in contempt of court right now for refusing to hand over to US authorities, emails held in its Irish data centre. This case will surely go to the Supreme Court and will be an extremely important determination for the cloud business, and any company or individual using data centre storage. If Microsoft loses, US multinationals will be left scrambling to somehow, legally firewall off their EU-based data centres from US government reach.
(cough, Amazon)
Tags: aws hosting eu privacy surveillance gchq nsa microsoft ireland
https://pinboard.in/u:jm/b:f6c19f468809/

The Surveillance Elephant in the Room…
2015-10-08T14:06:16+00:00
https://paulbernal.wordpress.com/2015/10/07/the-surveillance-elephant-in-the-room/
jm
And behind that elephant there are other elephants: if US surveillance and surveillance law is a problem, then what about UK surveillance? Is GCHQ any less intrusive than the NSA? It does not seem so – and this puts even more pressure on the current reviews of UK surveillance law taking place. If, as many predict, the forthcoming Investigatory Powers Bill will be even more intrusive and extensive than current UK surveillance laws this will put the UK in a position that could rapidly become untenable. If the UK decides to leave the EU, will that mean that the UK is not considered a safe place for European data? Right now that seems the only logical conclusion – but the ramifications for UK businesses could be huge.
[....] What happens next, therefore, is hard to foresee. What cannot be done, however, is to ignore the elephant in the room. The issue of surveillance has to be taken on. The conflict between that surveillance and fundamental human rights is not a merely semantic one, or one for lawyers and academics, it’s a real one. In the words of historian and philosopher Quentin Skinner “the current situation seems to me untenable in a democratic society.” The conflict over Safe Harbor is in many ways just a symptom of that far bigger problem. The biggest elephant of all.
Tags: ec cjeu surveillance safe-harbor schrems privacy europe us uk gchq nsa
https://pinboard.in/u:jm/b:0ded0164867c/

From Radio to Porn, British Spies Track Web Users’ Online Identities
2015-09-28T10:44:14+00:00
https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-users-online-identities/
jm
Tags: surveillance gchq security privacy law uk ireland karma-police snooping
https://pinboard.in/u:jm/b:fa717c5f6646/

How the NSA Converts Spoken Words Into Searchable Text - The Intercept
2015-05-05T15:34:15+00:00
https://firstlook.org/theintercept/2015/05/05/nsa-speech-recognition-snowden-searchable-text/
jm
To Phillip Rogaway, a professor of computer science at the University of California, Davis, keyword-search is probably the “least of our problems.” In an email to The Intercept, Rogaway warned that “When the NSA identifies someone as ‘interesting’ based on contemporary NLP methods, it might be that there is no human-understandable explanation as to why beyond: ‘his corpus of discourse resembles those of others whom we thought interesting'; or the conceptual opposite: ‘his discourse looks or sounds different from most people’s.' If the algorithms NSA computers use to identify threats are too complex for humans to understand, it will be impossible to understand the contours of the surveillance apparatus by which one is judged. All that people will be able to do is to try your best to behave just like everyone else.”
Tags: privacy security gchq nsa surveillance machine-learning liberty future speech nlp pattern-analysis cs
https://pinboard.in/u:jm/b:37f63be6fcc7/

EU-US data pact skewered in court hearing
2015-03-25T11:09:40+00:00
https://euobserver.com/justice/128131
jm
A lawyer for the European Commission told an EU judge on Tuesday (24 March) he should close his Facebook page if he wants to stop the US snooping on him, in what amounts to an admission that Safe Harbour, an EU-US data protection pact, doesn’t work.
Tags: safe-harbour privacy data-protection ecj eu ec surveillance facebook nsa gchq
https://pinboard.in/u:jm/b:d892e51d8424/

The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
2015-02-19T22:01:09+00:00
https://firstlook.org/theintercept/2015/02/19/great-sim-heist/
jm
With [Gemalto's] stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.
[...] According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.
Tags: encryption security crypto nsa gchq gemalto smartcards sim-cards privacy surveillance spying
https://pinboard.in/u:jm/b:d5dc63088777/

Sign up for Privacy International's anti-surveillance campaign
2015-02-17T10:32:51+00:00
https://www.privacyinternational.org/illegalspying
jm
Have you ever made a phone call, sent an email, or, you know, used the internet? Of course you have!
Chances are, at some point over the past decade, your communications were swept up by the U.S. National Security Agency. The NSA then shares information with the UK Government's intelligence agency GCHQ by default. A recent court ruling found that this sharing was unlawful. But no one could find out if their records were collected and then illegally shared between these two agencies… until now!
Because of our recent victory against the UK intelligence agency in court, now anyone in the world — yes, ANYONE, including you — can find out if GCHQ illegally received information about you from the NSA. Join our campaign by entering your details below to find out if GCHQ illegally spied on you, and confirm via the email we send you. We'll then go to court demanding that they finally come clean on unlawful surveillance.
Tags: gchq nsa spying surveillance internet phone uk law campaign privacy-international
https://pinboard.in/u:jm/b:0e4fa5f21c99/

UK-US surveillance regime was unlawful ‘for seven years’ | UK news | The Guardian
2015-02-06T15:00:03+00:00
http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa
jm
The regime that governs the sharing between Britain and the US of electronic communications intercepted in bulk was unlawful until last year, a secretive UK tribunal has ruled.
The Investigatory Powers Tribunal (IPT) declared on Friday that regulations covering access by Britain’s GCHQ to emails and phone records intercepted by the US National Security Agency (NSA) breached human rights law.
Tags: gchq surveillance uk nsa law tribunals
https://pinboard.in/u:jm/b:5e1fbd5d6403/

EFF’s Game Plan for Ending Global Mass Surveillance
2015-01-30T22:28:26+00:00
https://www.eff.org/deeplinks/2015/01/effs-game-plan-ending-global-mass-surveillance
jm
For years, we’ve been working on a strategy to end mass surveillance of digital communications of innocent people worldwide. Today we’re laying out the plan, so you can understand how all the pieces fit together—that is, how U.S. advocacy and policy efforts connect to the international fight and vice versa. Decide for yourself where you can get involved to make the biggest difference.
This plan isn’t for the next two weeks or three months. It’s a multi-year battle that may need to be revised many times as we better understand the tools and authorities of entities engaged in mass surveillance and as more disclosures by whistleblowers help shine light on surveillance abuses.
Tags: eff privacy nsa surveillance gchq law policy us-politics
https://pinboard.in/u:jm/b:4bf8872e27be/

Debunking The Dangerous “If You Have Nothing To Hide, You Have Nothing To Fear”
2015-01-24T23:57:45+00:00
http://falkvinge.net/2012/07/19/debunking-the-dangerous-nothing-to-hide-nothing-to-fear/
jm
There are at least four good reasons to reject this argument solidly and uncompromisingly: The rules may change, it’s not you who determine if you’re guilty, laws must be broken for society to progress, and privacy is a basic human need.
Tags: nsa politics privacy security surveillance gchq rick-falkvinge society
https://pinboard.in/u:jm/b:0aa725657c6d/

How to Catch a Terrorist - The New Yorker
2015-01-24T21:28:18+00:00
http://www.newyorker.com/magazine/2015/01/26/whole-haystack
jm
By flooding the system with false positives, big-data approaches to counterterrorism might actually make it harder to identify real terrorists before they act. Two years before the Boston Marathon bombing, Tamerlan Tsarnaev, the older of the two brothers alleged to have committed the attack, was assessed by the city’s Joint Terrorism Task Force. They determined that he was not a threat. This was one of about a thousand assessments that the Boston J.T.T.F. conducted that year, a number that had nearly doubled in the previous two years, according to the Boston F.B.I. As of 2013, the Justice Department has trained nearly three hundred thousand law-enforcement officers in how to file “suspicious-activity reports.” In 2010, a central database held about three thousand of these reports; by 2012 it had grown to almost twenty-eight thousand. “The bigger haystack makes it harder to find the needle,” Sensenbrenner told me. Thomas Drake, a former N.S.A. executive and whistle-blower who has become one of the agency’s most vocal critics, told me, “If you target everything, there’s no target.”
Tags: terrorism false-positives filtering detection jttf nsa fbi surveillance gchq
https://pinboard.in/u:jm/b:7511e50e15ec/

Amazing comment from a random sysadmin who's been targeted by the NSA
2015-01-18T08:07:00+00:00
https://news.ycombinator.com/item?id=8905321
jm
'Here's a story for you.
I'm not a party to any of this. I've done nothing wrong, I've never been suspected of doing anything wrong, and I don't know anyone who has done anything wrong. I don't even mean that in the sense of "I pissed off the wrong people but technically haven't been charged." I mean that I am a vanilla, average, 9-5 working man of no interest to anybody. My geographical location is an accident of my birth. Even still, I wasn't accidentally born in a high-conflict area, and my government is not at war. I'm a sysadmin at a legitimate ISP and my job is to keep the internet up and running smoothly.
This agency has stalked me in my personal life, undermined my ability to trust my friends attempting to connect with me on LinkedIn, and infected my family's computer. They did this because they wanted to bypass legal channels and spy on a customer who pays for services from my employer. Wait, no, they wanted the ability to potentially spy on future customers. Actually, that is still not accurate - they wanted to spy on everybody in case there was a potentially bad person interacting with a customer.
After seeing their complete disregard for anybody else, their immense resources, and their extremely sophisticated exploits and backdoors - knowing they will stop at nothing, and knowing that I was personally targeted - I'll be damned if I can ever trust any electronic device I own ever again.
You all rationalize this by telling me that it "isn't surprising", and that I don't live in the [USA,UK] and therefore I have no rights.
I just have one question.
Are you people even human?'
Tags: nsa via:ioerror privacy spying surveillance linkedin sysadmins gchq security
https://pinboard.in/u:jm/b:2e2b4bfd43e0/

Schneier on Security: Why Data Mining Won't Stop Terror
2015-01-12T15:07:56+00:00
https://www.schneier.com/essays/archives/2005/03/why_data_mining_wont.html
jm
This unrealistically accurate system will generate 1 billion false alarms for every real terrorist plot it uncovers. Every day of every year, the police will have to investigate 27 million potential plots in order to find the one real terrorist plot per month. Raise that false-positive accuracy to an absurd 99.9999 percent and you're still chasing 2,750 false alarms per day -- but that will inevitably raise your false negatives, and you're going to miss some of those 10 real plots.
Also, Ben Goldacre saying the same thing: http://www.badscience.net/2009/02/datamining-would-be-lovely-if-it-worked/
Tags: internet scanning filtering specificity statistics data-mining terrorism law nsa gchq false-positives false-negatives
https://pinboard.in/u:jm/b:40691f3d07b8/

Why Ireland must protect privacy of Irish emails and internet usage from surveillance
2014-12-21T23:17:44+00:00
http://www.irishtimes.com/opinion/why-ireland-must-protect-privacy-of-irish-emails-and-internet-usage-from-surveillance-1.2044384
jm
It’s now over a year since Edward Snowden went public with evidence of mass surveillance and extensive abuses by the NSA, GCHQ and other intelligence agencies. In other countries these revelations prompted parliamentary inquiries, diplomatic representations and legislation. In Ireland the only response was a promise [..] to help extradite Mr Snowden should he land here.
Tags: ireland politics edward-snowden extradition privacy nsa gchq spying surveillance tj-mcintyre
https://pinboard.in/u:jm/b:4bec05cdac69/

Operation Socialist: How GCHQ Spies Hacked Belgium’s Largest Telco
2014-12-15T14:15:28+00:00
https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/
jm
GCHQ maintains a huge repository named MUTANT BROTH that stores billions of these intercepted cookies, which it uses to correlate with IP addresses to determine the identity of a person. GCHQ refers to cookies internally as “target detection identifiers.”
Tags: privacy gchq surveillance belgacom regin uk spying belgium isps cookies malware
https://pinboard.in/u:jm/b:1a7b0e124ddb/

State sanctions foreign phone and email tapping
2014-12-06T09:08:58+00:00
http://www.irishtimes.com/business/technology/state-sanctions-phone-and-email-tapping-1.2027844
jm
Foreign law enforcement agencies will be allowed to tap Irish phone calls and intercept emails under a statutory instrument signed into law by Minister for Justice Frances Fitzgerald.
Companies that object or refuse to comply with an intercept order could be brought before a private “in camera” court.
The legislation, which took effect on Monday, was signed into law without fanfare on November 26th, the day after documents emerged in a German newspaper indicating the British spy agency General Communications Headquarters (GCHQ) had directly tapped undersea communications cables between Ireland and Britain for years.
Tags: ireland law gchq surveillance mlats phone-tapping
https://pinboard.in/u:jm/b:2d6b0bccc801/

TJ McIntyre on Twitter: "Irish government gives public network contract to the firm that spies on Irish cables for GCHQ"
2014-12-02T15:56:37+00:00
https://twitter.com/tjmcintyre/status/539787080856264704
jm
Tags: irish ireland government spying surveillance vodafone gchq
https://pinboard.in/u:jm/b:a3e3cdb6202a/

Wired on "Regin"
2014-11-24T17:50:47+00:00
http://www.wired.com/2014/11/mysteries-of-the-malware-regin/
jm
The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to date—more complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.
“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless,” writes Symantec in its report about Regin.
Though no one is willing to speculate on the record about Regin’s source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA. Kaspersky confirms that Quisquater was infected with Regin, and other researchers familiar with the Belgacom attack have told WIRED that the description of Regin fits the malware that targeted the telecom, though the malicious files used in that attack were given a different name, based on something investigators found inside the platform’s main file.
Tags: regin malware security hacking exploits nsa gchq symantec espionage
https://pinboard.in/u:jm/b:4c948b39bbfe/

FBI's "Suicide Letter" to Dr. Martin Luther King, Jr., and the Dangers of Unchecked Surveillance
2014-11-17T00:01:03+00:00
https://www.eff.org/deeplinks/2014/11/fbis-suicide-letter-dr-martin-luther-king-jr-and-dangers-unchecked-surveillance
jm
The entire letter could have been taken from a page of GCHQ’s Joint Threat Research and Intelligence Group (JTRIG)—though perhaps as an email or series of tweets. The British spying agency GCHQ is one of the NSA’s closest partners. The mission of JTRIG, a unit within GCHQ, is to “destroy, deny, degrade [and] disrupt enemies by discrediting them.” And there’s little reason to believe the NSA and FBI aren’t using such tactics.
The implications of these types of strategies in the digital age are chilling. Imagine Facebook chats, porn viewing history, emails, and more made public to discredit a leader who threatens the status quo, or used to blackmail a reluctant target into becoming an FBI informant. These are not far-fetched ideas. They are the reality of what happens when the surveillance state is allowed to grow out of control, and the full King letter, as well as current intelligence community practices illustrate that reality richly.
Tags: fbi surveillance mlk history blackmail snooping gchq nsa
https://pinboard.in/u:jm/b:35a53b2fced5/

Yes, Isis exploits technology. But that’s no reason to compromise our privacy | Technology | The Observer
2014-11-10T15:40:42+00:00
http://www.theguardian.com/technology/2014/nov/09/isis-exploits-technology-no-reason-compromise-privacy
jm
From the very beginning, Isis fanatics have been up to speed on [social media]. Which raises an interesting question: how come that GCHQ and the other intelligence agencies failed to notice the rise of the Isis menace until it was upon us? Were they so busy hoovering metadata and tapping submarine cables and “mastering the internet” (as the code name of one of their projects puts it) that they didn’t have time to see what every impressionable Muslim 14-year-old in the world with an internet connection could see?
Tags: gchq guardian encryption nsa isis technology social-media snooping surveillance
https://pinboard.in/u:jm/b:27fe5cfc0208/

"Crypto Won't Save You Either"
2014-05-16T23:22:11+00:00
http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf
jm
Tags: crypto cryptography security exploits nsa gchq dual_ec_drbg rsa
https://pinboard.in/u:jm/b:defc06280451/

Using AWS in the context of Australian Privacy Considerations
2014-04-22T15:31:01+00:00
http://d0.awsstatic.com/whitepapers/compliance/Using_AWS_in_the_context_of_Australian_Privacy_Considerations.pdf
jm
Tags: amazon aws security law privacy data-protection ec2 s3 nsa gchq five-eyes
https://pinboard.in/u:jm/b:fa71e8fac6a6/

Theresa May warns Yahoo that its move to Dublin is a security worry
2014-03-21T10:05:51+00:00
http://www.theguardian.com/technology/2014/mar/20/theresa-may-yahoo-dublin-security-worry
jm
"There are concerns in the Home Office about how Ripa will apply to Yahoo once it has moved its headquarters to Dublin," said a Whitehall source. "The home secretary asked to see officials from Yahoo because in Dublin they don't have equivalent laws to Ripa. This could particularly affect investigations led by Scotland Yard and the national crime agency. They regard this as a very serious issue."
There's priorities for you!
Tags: ripa gchq guardian uk privacy data-protection ireland dublin london spying surveillance yahoo
https://pinboard.in/u:jm/b:fcf8a64ffa35/

NSA surveillance recording every single voice call in at least 1 country
2014-03-18T16:11:05+00:00
http://www.washingtonpost.com/world/national-security/nsa-surveillance-program-reaches-into-the-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e-76adc9210f19_story.html
jm
Tags: nsa surveillance gchq telephones phone bugging
https://pinboard.in/u:jm/b:fb7e035e5e65/

How the NSA Plans to Infect 'Millions' of Computers with Malware - The Intercept
2014-03-12T17:25:29+00:00
https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/
jm
The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.” In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the “Expert System,” which is designed to operate “like the brain.”
Great. Automated malware deployment to millions of random victims. See also the "I hunt sysadmins" section further down...
Tags: malware gchq nsa oversight infection expert-systems turbine false-positives the-intercept surveillance
https://pinboard.in/u:jm/b:24f41bcf95c4/

An online Magna Carta: Berners-Lee calls for bill of rights for web
2014-03-12T14:31:37+00:00
http://www.theguardian.com/technology/2014/mar/12/online-magna-carta-berners-lee-web
jm
Tags: freedom gchq nsa censorship internet privacy web-we-want human-rights timbl tim-berners-lee
https://pinboard.in/u:jm/b:983f432ff7f4/

Latest Snowden leak: GCHQ spying on Wikileaks users
2014-02-18T10:09:12+00:00
https://firstlook.org/theintercept/article/2014/02/18/snowden-docs-reveal-covert-surveillance-and-pressure-tactics-aimed-at-wikileaks-and-its-supporters/
jm“How could targeting an entire website’s user base be necessary or proportionate?” says Gus Hosein, executive director of the London-based human rights group Privacy International. “These are innocent people who are turned into suspects based on their reading habits. Surely becoming a target of a state’s intelligence and security apparatus should require more than a mere click on a link.” The agency’s covert targeting of WikiLeaks, Hosein adds, call into question the entire legal rationale underpinning the state’s system of surveillance. “We may be tempted to see GCHQ as a rogue agency, ungoverned in its use of unprecedented powers generated by new technologies,” he says. “But GCHQ’s actions are authorized by [government] ministers. The fact that ministers are ordering the monitoring of political interests of Internet users shows a systemic failure in the rule of law."
gchq wikileaks snowden privacy spying surveillance politics
https://pinboard.in/u:jm/b:a9c7615558aa/

"IMSI Catcher" used in London
2014-02-11T23:13:47+00:00
http://www.theverge.com/2013/12/30/5256636/nsa-tailored-access-jacob-appelbaum-speech-30c3
jm'One case involved Julian Assange's current home at the Ecuadorian Embassy in London, where visitors were surprised to receive welcome messages from a Ugandan telephone company. It turned out the messages were coming from a foreign base station device installed on the roof, masquerading as a cell tower for surveillance purposes. Appelbaum suspects the GCHQ simply forgot to reformat the device from an earlier Ugandan operation.'
via T.J. McIntyre.
surveillance nsa privacy imsi-catchers gchq london uganda mobile-phones julian-assange ecuador embassies
https://pinboard.in/u:jm/b:8a86d05b4d1d/

QuakeNet IRC Network- Article - PRESS RELEASE: IRC NETWORKS UNDER SYSTEMATIC ATTACK FROM GOVERNMENTS
2014-02-06T17:14:50+00:00
https://www.quakenet.org/articles/102-press-release-irc-networks-under-systematic-attack-from-governments
jmYesterday we learned ... that GCHQ, the British intelligence agency, are performing persistent social and technological attacks against IRC networks. These attacks are performed without informing the networks and are targeted at users associated with politically motivated movements such as "Anonymous". While QuakeNet does not condone or endorse and actively forbids any illegal activity on its servers we encourage discussion on all topics including political and social commentary. It is apparent now that engaging in such topics with an opinion contrary to that of the intelligence agencies is sufficient to make people a target for monitoring, coercion and denial of access to communications platforms. The ... documents depict GCHQ operatives engaging in social engineering of IRC users to entrap themselves by encouraging the target to leak details about their location as well as wholesale attacks on the IRC servers hosting the network. These attacks bring down the IRC network entirely affecting every user on the network as well as the company hosting the server. The collateral damage and numbers of innocent people and companies affected by these forms of attack can be huge and it is highly illegal in many jurisdictions including the UK under the Computer Misuse Act.
quakenet ddos security gchq irc anonymous
https://pinboard.in/u:jm/b:147941753e8b/

GCHQ slide claiming that they DDoS'd anonymous' IRC servers
2014-02-05T10:05:42+00:00
https://twitter.com/mikko/status/430974617013219328/photo/1
jm
ddos history security gchq dos anonymous irc hacking
https://pinboard.in/u:jm/b:97cde0b28ddc/

Ryan Lizza: Why Won’t Obama Rein in the N.S.A.? : The New Yorker
2013-12-09T15:17:04+00:00
http://www.newyorker.com/reporting/2013/12/16/131216fa_fact_lizza?currentPage=all
jmThe history of the intelligence community, though, reveals a willingness to violate the spirit and the letter of the law, even with oversight. What’s more, the benefits of the domestic-surveillance programs remain unclear. Wyden contends that the N.S.A. could find other ways to get the information it says it needs. Even Olsen, when pressed, suggested that the N.S.A. could make do without the bulk-collection program. “In some cases, it’s a bit of an insurance policy,” he told me. “It’s a way to do what we otherwise could do, but do it a little bit more quickly.”
In recent years, Americans have become accustomed to the idea of advertisers gathering wide swaths of information about their private transactions. The N.S.A.’s collecting of data looks a lot like what Facebook does, but it is fundamentally different. It inverts the crucial legal principle of probable cause: the government may not seize or inspect private property or information without evidence of a crime. The N.S.A. contends that it needs haystacks in order to find the terrorist needle. Its definition of a haystack is expanding; there are indications that, under the auspices of the “business records” provision of the Patriot Act, the intelligence community is now trying to assemble databases of financial transactions and cell-phone location information. Feinstein maintains that data collection is not surveillance. But it is no longer clear if there is a distinction.
nsa gchq surveillance spying privacy dianne-feinstein new-yorker journalism long-reads us-politics probable-cause
https://pinboard.in/u:jm/b:ad3b726393db/

Mike Hearn - Google+ - The packet capture shown in these new NSA slides shows…
2013-11-05T22:31:27+00:00
https://plus.google.com/u/0/+MikeHearn/posts/LW1DXJ2BK8k
jmThe packet capture shown in these new NSA slides shows internal database replication traffic for the anti-hacking system I worked on for over two years. Specifically, it shows a database recording a user login.
This kind of confirms my theory that the majority of interesting traffic for the NSA/GCHQ MUSCULAR sniffing system would have been inter-DC replication. Was, since it sounds like that stuff's all changing now to use end-to-end crypto...
google crypto security muscular nsa gchq mike-hearn replication sniffing spying surveillance
https://pinboard.in/u:jm/b:ed764e56ac46/

It’s time for Silicon Valley to ask: Is it worth it?
2013-11-01T00:08:47+00:00
http://pandodaily.com/2013/10/31/its-time-for-silicon-valley-to-ask-is-it-worth-it/
jmThese companies and their technologies are built on data, and the data is us. If we are to have any faith in the Internet, we have to trust them to protect it. That’s a relationship dynamic that will become only more intertwined as the Internet finds its way into more aspects of our daily existences, from phones that talk to us to cars that drive themselves.
The US’s surveillance programs threaten to destroy that trust permanently.
America’s tech companies must stand up to this pervasive and corrosive surveillance system. They must ask that difficult question: “Is it worth it?”
silicon-valley tech nsa gchq spying surveillance internet privacy data-protection
https://pinboard.in/u:jm/b:cdb1728b9d10/

The US fears back-door routes into the net because it's building them too | Technology | The Observer
2013-10-13T21:09:26+00:00
http://www.theguardian.com/technology/2013/oct/13/us-scared-back-door-routes-computers-snowden-nsa?CMP=twt_gu
jmone of the most obvious inferences from the Snowden revelations published by the Guardian, New York Times and ProPublica recently is that the NSA has indeed been up to the business of inserting covert back doors in networking and other computing kit.
The reports say that, in addition to undermining all of the mainstream cryptographic software used to protect online commerce, the NSA has been "collaborating with technology companies in the United States and abroad to build entry points into their products". These reports have, needless to say, been strenuously denied by the companies, such as Cisco, that make this networking kit. Perhaps the NSA omitted to tell DARPA what it was up to? In the meantime, I hear that some governments have decided that their embassies should no longer use electronic communications at all, and are returning to employing couriers who travel the world handcuffed to locked dispatch cases. We're back to the future, again.
politics backdoors snowden snooping networking cisco nsa gchq
https://pinboard.in/u:jm/b:179eb9c9496b/

GCHQ report on 'MULLENIZE' program to 'stain' anonymous electronic traffic
2013-10-04T21:25:33+00:00
http://apps.washingtonpost.com/g/page/world/gchq-report-on-mullenize-program-to-stain-anonymous-electronic-traffic/502/
jm
gchq nsa snooping sniffing surveillance user-agent http browsers leaks
https://pinboard.in/u:jm/b:1836ffc3861d/

Attacking Tor: how the NSA targets users' online anonymity
2013-10-04T16:31:54+00:00
http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity
jmAs part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.
whoa, I missed this before.
nsa gchq packet-injection attacks security backbone http latency
https://pinboard.in/u:jm/b:0a1aea658272/

The Snowden files: why the British public should be worried about GCHQ
2013-10-03T21:12:06+00:00
http://www.theguardian.com/world/2013/oct/03/edward-snowden-files-john-lanchester
jmWhen the Guardian offered John Lanchester access to the GCHQ files, the journalist and novelist was initially unconvinced. But what the papers told him was alarming: that Britain is sliding towards an entirely new kind of surveillance society
john-lanchester gchq guardian surveillance snooping police-state nsa privacy government
https://pinboard.in/u:jm/b:f6bdda50f454/

Necessary and Proportionate -- In Which Civil Society is Caught Between a Cop and a Spy
2013-09-12T21:24:11+00:00
https://medium.com/weird-future/9b913057c28c
jmModern telecommunications technology implied the development of modern telecommunications surveillance, because it moved the scope of action from the physical world (where intelligence, generally seen as part of the military mission, had acted) to the virtual world—including the scope of those actions that could threaten state power. While the public line may have been, as US Secretary of State Henry Stimson said in 1929, “gentlemen do not open each other’s mail”, you can bet that they always did keep a keen eye on the comings and goings of each other’s shipping traffic.
The real reason that surveillance in the context of state intelligence was limited until recently was because it was too expensive, and it was too expensive for everyone. The Westphalian compromise demands equality of agency as tied to territory. As soon as one side gains a significant advantage, the structure of sovereignty itself is threatened at a conceptual level — hence Oppenheimer as the death of any hope of international rule of law. Once surveillance became cheap enough, all states were (and will increasingly be) forced to attempt it at scale, as a reaction to this pernicious efficiency. The US may be ahead of the game now, but Moore’s law and productization will work their magic here.
government telecoms snooping gchq nsa surveillance law politics intelligence spying internet
https://pinboard.in/u:jm/b:c815633d2fdb/

NSA: Possibly breaking US laws, but still bound by laws of computational complexity
2013-09-11T21:42:58+00:00
http://www.scottaaronson.com/blog/?p=1517
jmI didn’t clearly explain that there’s an enormous continuum between, on the one hand, a full break of RSA or Diffie-Hellman (which still seems extremely unlikely to me), and on the other, “pure side-channel attacks” involving no new cryptanalytic ideas. Along that continuum, there are many plausible places where the NSA might be. For example, imagine that they had a combination of side-channel attacks, novel algorithmic advances, and sheer computing power that enabled them to factor, let’s say, ten 2048-bit RSA keys every year. In such a case, it would still make perfect sense that they’d want to insert backdoors into software, sneak vulnerabilities into the standards, and do whatever else it took to minimize their need to resort to such expensive attacks. But the possibility of number-theoretic advances well beyond what the open world knows certainly wouldn’t be ruled out. Also, as Schneier has emphasized, the fact that NSA has been aggressively pushing elliptic-curve cryptography in recent years invites the obvious speculation that they know something about ECC that the rest of us don’t.
ecc rsa crypto security nsa gchq snooping sniffing diffie-hellman pki key-length
https://pinboard.in/u:jm/b:aca1fd6e4fb2/

How the NSA Spies on Smartphones
2013-09-09T20:57:25+00:00
http://www.spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-the-blackberry-a-921161.html
jmOne of the US agents' tools is the use of backup files established by smartphones. According to one NSA document, these files contain the kind of information that is of particular interest to analysts, such as lists of contacts, call logs and drafts of text messages. To sort out such data, the analysts don't even require access to the iPhone itself, the document indicates. The department merely needs to infiltrate the target's computer, with which the smartphone is synchronized, in advance. Under the heading "iPhone capability," the NSA specialists list the kinds of data they can analyze in these cases. The document notes that there are small NSA programs, known as "scripts," that can perform surveillance on 38 different features of the iPhone 3 and 4 operating systems. They include the mapping feature, voicemail and photos, as well as the Google Earth, Facebook and Yahoo Messenger applications.
and, of course, the alternative means of backup is iCloud.... wonder how secure those backups are.
nsa surveillance gchq iphone smartphones backups icloud security
https://pinboard.in/u:jm/b:0dd393492c81/

How Advanced Is the NSA's Cryptanalysis — And Can We Resist It?
2013-09-08T21:06:52+00:00
http://www.wired.com/opinion/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/
jmAssuming the hypothetical NSA breakthroughs don’t totally break public-cryptography — and that’s a very reasonable assumption — it’s pretty easy to stay a few steps ahead of the NSA by using ever-longer keys. We’re already trying to phase out 1024-bit RSA keys in favor of 2048-bit keys. Perhaps we need to jump even further ahead and consider 3072-bit keys. And maybe we should be even more paranoid about elliptic curves and use key lengths above 500 bits.
One last blue-sky possibility: a quantum computer. Quantum computers are still toys in the academic world, but have the theoretical ability to quickly break common public-key algorithms — regardless of key length — and to effectively halve the key length of any symmetric algorithm. I think it extraordinarily unlikely that the NSA has built a quantum computer capable of performing the magnitude of calculation necessary to do this, but it’s possible. The defense is easy, if annoying: stick with symmetric cryptography based on shared secrets, and use 256-bit keys.
bruce-schneier cryptography wired nsa surveillance snooping gchq cryptanalysis crypto future key-lengths
https://pinboard.in/u:jm/b:d291541b9f3f/

Big data is watching you
2013-09-08T20:38:32+00:00
https://twitter.com/darachennis/status/376357502968791040/photo/1
jm
via:darachennis street-art graffiti big-data snooping spies gchq nsa art
https://pinboard.in/u:jm/b:59781f974844/

Perhaps I'm out of step and Britons just don't think privacy is important | Henry Porter | Comment is free | The Observer
2013-09-08T20:37:12+00:00
http://www.theguardian.com/commentisfree/2013/sep/07/britons-privacy-not-important?CMP=twt_gu
jmThe debate has been stifled in Britain more successfully than anywhere else in the free world and, astonishingly, this has been with the compliance of a media and public that regard their attachment to liberty to be a matter of genetic inheritance. So maybe it is best for me to accept that the BBC, together with most of the newspapers, has moved with society, leaving me behind with a few old privacy-loving codgers, wondering about the cause of this shift in attitudes. Is it simply the fear of terror and paedophiles? Are we so overwhelmed by the power of the surveillance agencies that we feel we can't do anything? Or is it that we have forgotten how precious and rare truly free societies are in history?
privacy uk politics snooping spies gchq society nsa henry-porter
https://pinboard.in/u:jm/b:14be9cdacc93/

Schneier on Security: The NSA Is Breaking Most Encryption on the Internet
2013-09-05T22:15:21+00:00
http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
jmThe new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics.
It's joint reporting between the Guardian, the New York Times, and ProPublica.
I have been working with Glenn Greenwald on the Snowden documents, and I have seen a lot of them. These are my two essays on today's revelations.
Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.
encryption communication government nsa security bruce-schneier crypto politics snooping gchq guardian journalism
https://pinboard.in/u:jm/b:2617942fe6b5/

GCHQ tapping at least 14 EU fiber-optic cables
2013-08-28T22:23:11+00:00
http://international.sueddeutsche.de/post/59603415442/british-officials-have-far-reaching-access-to-internet
jmSüddeutsche Zeitung (SZ) had already revealed in late June that the British had access to the cable TAT-14, which connects Germany with the USA, UK, Denmark, France and the Netherlands. In addition to TAT-14, the other cables that GCHQ has access to include Atlantic Crossing 1, Circe North, Circe South, Flag Atlantic-1, Flag Europa-Asia, SeaMeWe-3 and SeaMeWe-4, Solas, UK France 3, UK Netherlands-14, Ulysses, Yellow and the Pan European Crossing.
sz germany cables fiber-optic tapping snooping tat-14 eu politics gchq
https://pinboard.in/u:jm/b:d553525b1ddc/

David Miranda, schedule 7 and the danger that all reporters now face | Alan Rusbridger | Comment is free | The Guardian
2013-08-19T22:29:24+00:00
http://www.theguardian.com/commentisfree/2013/aug/19/david-miranda-schedule7-danger-reporters
jmThe man was unmoved. And so one of the more bizarre moments in the Guardian's long history occurred – with two GCHQ security experts overseeing the destruction of hard drives in the Guardian's basement just to make sure there was nothing in the mangled bits of metal which could possibly be of any interest to passing Chinese agents. "We can call off the black helicopters," joked one as we swept up the remains of a MacBook Pro.
Whitehall was satisfied, but it felt like a peculiarly pointless piece of symbolism that understood nothing about the digital age. We will continue to do patient, painstaking reporting on the Snowden documents, we just won't do it in London. The seizure of Miranda's laptop, phones, hard drives and camera will similarly have no effect on Greenwald's work.
The state that is building such a formidable apparatus of surveillance will do its best to prevent journalists from reporting on it. Most journalists can see that. But I wonder how many have truly understood the absolute threat to journalism implicit in the idea of total surveillance, when or if it comes – and, increasingly, it looks like "when".
We are not there yet, but it may not be long before it will be impossible for journalists to have confidential sources. Most reporting – indeed, most human life in 2013 – leaves too much of a digital fingerprint. Those colleagues who denigrate Snowden or say reporters should trust the state to know best (many of them in the UK, oddly, on the right) may one day have a cruel awakening. One day it will be their reporting, their cause, under attack. But at least reporters now know to stay away from Heathrow transit lounges.
nsa gchq surveillance spying snooping guardian reporters journalism uk david-miranda glenn-greenwald edward-snowden
https://pinboard.in/u:jm/b:51a61b027f2b/

Liberty issues claim against British Intelligence Services over PRISM and Tempora privacy scandal
2013-06-25T21:04:13+00:00
http://www.liberty-human-rights.org.uk/media/press/2013/liberty-issues-claim-against-british-intelligence-servic.php
jmJames Welch, Legal Director for Liberty, said:
“Those demanding the Snoopers’ Charter seem to have been indulging in out-of-control snooping even without it – exploiting legal loopholes and help from Uncle Sam.
“No-one suggests a completely unpoliced internet but those in power cannot swap targeted investigations for endless monitoring of the entire globe.”
Go Liberty! Take note, ICCL, this is how a civil liberties group engages with internet issues.
prism nsa gchq surveillance liberty civil-liberties internet snooping
https://pinboard.in/u:jm/b:5a437425f21a/