Sunday, October 19, 2014

NSA CTO Patrick Dowd Moonlighting For Private Security Firm

Current NSA CTO Patrick Dowd has taken a part-time position with former NSA director Keith Alexander's security firm IronNet Cybersecurity — while retaining his position as chief technology officer for the NSA. The Guardian states that 'Patrick Dowd continues to work as a senior NSA official while also working part time for Alexander's IronNet Cybersecurity, a firm reported to charge up to $1m a month for advising banks on protecting their data from hackers. It is exceedingly rare for a US official to be allowed to work for a private, for-profit company in a field intimately related to his or her public function.' Some may give Alexander a pass on the possible conflict of interest as he's now retired, but what about a current NSA official moonlighting for a private security firm?

What Your Resume Needs If You Want a Job At Google

Jim Edwards writes at Business Insider that Google is so large and has such a massive need for talent that if you have the right skills, Google is really enthusiastic to hear from you — especially if you know how to use MATLAB, a fourth-generation programming language that allows matrix manipulations, plotting of functions and data, implementation of algorithms, creation of user interfaces, and interfacing with programs written in other languages, including C, C++, Java, Fortran and Python. The key is that data is presented visually or graphically, rather than in a spreadsheet. According to Jonathan Rosenberg, Google's former senior vice president for product management, being a master of statistics is probably your best way into Google right now, and if you want to work at Google, make sure you can use MATLAB. Big data — how to create it, manipulate it, and put it to good use — is one of the areas Google is really enthusiastic about. The sexy job in the next ten years will be statistician. When every business has free and ubiquitous data, the ability to understand it and extract value from it becomes the complementary scarce factor. It leads to intelligence, and the intelligent business is the successful business, regardless of its size. Rosenberg says that "my quote about statistics that I didn't use but often do is, 'Data is the sword of the 21st century.'"

Friday, October 17, 2014

NSA Exceptionally Controlled Information

ECI is a classification above Top Secret. It's for things that are so sensitive they're basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies.
As part of the Intercept story on the NSA's using agents to infiltrate foreign companies and networks, it published a list of ECI compartments. It's just a list of code names and three-letter abbreviations, along with the group inside the NSA that is responsible for them. The descriptions of what they all mean would never be in a computer file, so it's only of value to those of us who like code names.
This designation is why there have been no documents in the Snowden archive listing specific company names. They're all referred to by these ECI code names.

Wednesday, October 15, 2014

DEA Created Fake Facebook Page in Woman's Name

This is a creepy story. A woman has her phone seized by the Drug Enforcement Administration (DEA) and gives them permission to look at it. Without her knowledge or consent, they take photos off the phone (the article says they were "racy") and use them to set up a fake Facebook page in her name.
The woman sued the government over this. Extra creepy was the government's defense in court: "Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic]."
The article was edited to say: "Update: Facebook has removed the page and the Justice Department said it is reviewing the incident." So maybe this is just an overzealous agent and not official DEA policy.
But as Marcy Wheeler said, this is a good reason to encrypt your cell phone. The limit is worth stating: full-device encryption protects data on a phone that stays locked; it does nothing once you unlock it and hand over access, as she did here.

Windows Flaw Allowed Hackers To Spy On NATO

Reuters reports that a cybersecurity firm has found evidence that a bug in Microsoft's Windows operating system has allowed hackers located in Russia to spy on computers used by NATO, Ukraine, the European Union, and others for the past five years. Before disclosing the flaw, the firm alerted Microsoft, which plans to roll out a fix on Tuesday. "While technical indicators do not indicate whether the hackers have ties to the Russian government, [John Hultquist of iSight] said he believed they were supported by a nation state because they were engaging in espionage, not cyber crime. For example, in December 2013, NATO was targeted with a malicious document on European diplomacy. Several regional governments in Ukraine and an academic working on Russian issues in the United States were sent tainted emails that claimed to contain a list of pro-Russian extremist activities, according to iSight."

Firefox 33 Arrives With OpenH264 Support

Mozilla today officially launched Firefox 33 for Windows, Mac, Linux, and Android. Additions include OpenH264 support as well as the ability to send video content from webpages to a second screen. Firefox 33 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. Full changelogs are available here: desktop and Android.

Open Source Security: Confidence vs. Idealism

According to a few news articles, the general public has taken notice of the recent high-profile security vulnerabilities in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data theft, no loggers, and no glaring security holes, that idealism doesn't really help most people, who simply don't have the time or the knowledge to do it. As such, the trust is left to the open source community, and is that really so different from leaving it to a corporation with closed source?

Renewable Energy: Coal vs. Wind

A leaked report shows wind is the cheapest energy source in Europe, beating the presumably dirt-cheap coal and gas by a mile. Conventional wisdom holds that clean energy is more expensive than its fossil-fueled counterparts. Yet cost comparisons show that renewable energy sources are often cheaper than their carbon-heavy competition. The report (PDF) demonstrates that if you were to take into account mining, pollution, and adverse health impacts of coal and gas, wind power would be the cheapest source of energy.

Tuesday, October 14, 2014

Surveillance in Schools

This essay, "Grooming students for a lifetime of surveillance," talks about the general trends in student surveillance. There is also an essay on the need for student privacy in online learning.

VeraCrypt Is a Revamped TrueCrypt

If you're looking for an alternative to TrueCrypt, you could do worse than VeraCrypt, which raises the key-derivation iteration counts and corrects weaknesses in TrueCrypt's API, drivers and parameter checking. According to the article, "In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations. What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said. While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force."
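The iteration counts above are the whole argument: PBKDF2 makes every password guess cost the full iteration count, so raising the count multiplies an attacker's work by the same factor while the legitimate user pays it only once per mount. The following Python is an added illustration, not VeraCrypt's or TrueCrypt's code. It uses the article's iteration counts with PBKDF2-HMAC-SHA-512 (chosen because RIPEMD-160 is often absent from OpenSSL 3 builds; the cost argument is the same for either PRF), and the 8-byte "check tag" that tells the attacker a guess is right is a hypothetical stand-in for the real volume-header check, not the actual header format.

```python
"""PBKDF2 iteration counts and brute-force cost (added illustration)."""
import hashlib
import hmac

# Iteration counts quoted in the article for TrueCrypt and VeraCrypt.
TRUECRYPT_SYSTEM_ITERS = 1_000
TRUECRYPT_CONTAINER_ITERS = 2_000
VERACRYPT_RIPEMD160_SYSTEM_ITERS = 327_661
VERACRYPT_RIPEMD160_CONTAINER_ITERS = 655_331
VERACRYPT_SHA512_ITERS = 500_000

SALT_LEN = 64   # both tools keep a 64-byte random salt in the volume header
KEY_LEN = 64    # 512 bits of header key material

# SHA-512 stands in for RIPEMD-160 here (assumption for portability);
# the attacker's cost scales with the iteration count either way.
PRF = "sha512"


def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC over the password, the step both tools use for the header key."""
    return hashlib.pbkdf2_hmac(PRF, password, salt, iterations, dklen=KEY_LEN)


def make_check_tag(header_key: bytes) -> bytes:
    """Hypothetical 'password is correct' check; NOT the real header format."""
    return hmac.new(header_key, b"header-check", hashlib.sha256).digest()[:8]


def brute_force(tag: bytes, salt: bytes, iterations: int, wordlist):
    """Dictionary attack against the check tag.

    Returns (password_or_None, pbkdf2_iterations_spent). Every candidate costs
    the full iteration count, so attacker work is linear in that count.
    """
    spent = 0
    for cand in wordlist:
        spent += iterations
        key = derive_header_key(cand, salt, iterations)
        if hmac.compare_digest(make_check_tag(key), tag):
            return cand, spent
    return None, spent


def attack_cost_ratio(old_iters: int, new_iters: int) -> float:
    """How many times more PBKDF2 work one guess costs after raising the count."""
    return new_iters / old_iters


def demo():
    # Constructed sample: fixed salt and a weak password sitting third in a tiny wordlist.
    salt = bytes(range(SALT_LEN))
    wordlist = [b"password", b"letmein", b"hunter2", b"qwerty"]
    secret = b"hunter2"
    results = {}
    for label, iters in (("truecrypt_container", TRUECRYPT_CONTAINER_ITERS),
                         ("veracrypt_sha512", VERACRYPT_SHA512_ITERS)):
        tag = make_check_tag(derive_header_key(secret, salt, iters))
        found, spent = brute_force(tag, salt, iters, wordlist)
        results[label] = (found, spent)
    results["ratio"] = attack_cost_ratio(TRUECRYPT_CONTAINER_ITERS, VERACRYPT_SHA512_ITERS)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` finds the password in both configurations after three guesses, but the VeraCrypt-style run spends 1,500,000 PBKDF2 iterations against 6,000 for the TrueCrypt-style run, a 250x multiplier that matches the article's "up to about 300 times harder" once you substitute the RIPEMD-160 counts (327,661 / 1,000). Note that a slow KDF only buys a constant factor; a password drawn from a four-word list still falls in four guesses, so the iteration count complements, and does not replace, password entropy.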

Sunday, October 12, 2014

Encrypting Your Voice

Article. But the company was founded by Lars Knudsen, so it can't possibly be.
I'm very keen.

Activism and Protest on the Internet

Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet.
Also note Sauter's new book, The Coming Swarm.

NSA Undercover Operatives in Foreign Companies

The latest Intercept article on the Snowden NSA documents talks about their undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned. It's also hard to tell if the NSA has undercover operatives working in companies in those countries, or has undercover contractors visiting those companies. The document is dated 2004, although there's no reason to believe that the NSA has changed its behavior since then.
The most controversial revelation in Sentry Eagle might be a fleeting reference to the NSA infiltrating clandestine agents into "commercial entities." The briefing document states that among Sentry Eagle's most closely guarded components are "facts related to NSA personnel (under cover), operational meetings, specific operations, specific technology, specific locations and covert communications related to SIGINT enabling with specific commercial entities (A/B/C)."
It is not clear whether these "commercial entities" are American or foreign or both. Generally the placeholder "(A/B/C)" is used in the briefing document to refer to American companies, though on one occasion it refers to both American and foreign companies. Foreign companies are referred to with the placeholder "(M/N/O)." The NSA refused to provide any clarification to The Intercept.
That program is SENTRY OSPREY, which is a program under SENTRY EAGLE.
The document makes no other reference to NSA agents working under cover. It is not clear whether they might be working as full-time employees at the "commercial entities," or whether they are visiting commercial facilities under false pretenses.
Least fun job right now: being the NSA person who fielded the telephone call from The Intercept to clarify that (A/B/C)/(M/N/O) thing. "Hi. We're going public with SENTRY EAGLE next week. There's one thing in the document we don't understand, and we wonder if you could help us...." Actually, that's wrong. The person who fielded the phone call had no idea what SENTRY EAGLE was. The least fun job belongs to the person up the command chain who did.

Saturday, October 4, 2014

Security concerns in Firechat

Firechat is a secure wireless peer-to-peer chat app:
Firechat is theoretically resistant to the kind of centralized surveillance that the Chinese government (as well as western states, especially the US and the UK) is infamous for. Phones connect directly to one another, establish encrypted connections, and transact without sending messages to servers where they can be sniffed and possibly decoded.
Firechat has security issues.

NSA Builds a Private Cloud

The NSA is building a private cloud with its own security features:
As a result, the agency can now track every instance of every individual accessing what is in some cases a single word or name in a file. This includes when it arrived, who can access it, who did access it, downloaded it, copied it, printed it, forwarded it, modified it, or deleted it.
[...]
"All of this I can do in the cloud but--in many cases--it cannot be done in the legacy systems, many of which were created before such advanced data provenance technology existed." Had this ability all been available at the time, it is unlikely that U.S. soldier Bradley Manning would have succeeded in obtaining classified documents in 2010.
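The capability described in that quote is data provenance: an audit trail that records, per object, who could touch it and every time someone did. The core of such a system is an append-only log that an insider with write access to the log cannot quietly rewrite. The Python below is an added illustration, not the NSA's system or any product's code. It chains each entry to the previous one with SHA-256 so that rewriting or reordering a past entry is detectable, and it shows the one thing chaining alone cannot catch: silently dropping the newest entries, which needs a separately published head commitment. The ACL, actor names and document identifier are constructed sample data.

```python
"""Tamper-evident data-provenance log (added illustration)."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry

# The actions the article enumerates: arrival, access, download, copy, print,
# forward, modify, delete.
ACTIONS = {"arrive", "read", "download", "copy", "print", "forward", "modify", "delete"}


@dataclass(frozen=True)
class Event:
    seq: int
    actor: str
    action: str
    obj: str          # document identifier
    prev_hash: str    # digest of the previous entry (GENESIS for the first)
    digest: str       # SHA-256 over this entry's fields, including prev_hash


def _digest(seq: int, actor: str, action: str, obj: str, prev_hash: str) -> str:
    payload = json.dumps([seq, actor, action, obj, prev_hash], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class ProvenanceLog:
    """Append-only log in which every entry commits to the entry before it."""

    def __init__(self, acl: Dict[str, Set[str]]):
        self.acl = acl                  # obj -> actors allowed to touch it (hypothetical policy)
        self.events: List[Event] = []

    def record(self, actor: str, action: str, obj: str) -> Event:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        prev = self.events[-1].digest if self.events else GENESIS
        seq = len(self.events)
        ev = Event(seq, actor, action, obj, prev, _digest(seq, actor, action, obj, prev))
        self.events.append(ev)
        return ev

    def head(self) -> str:
        """Digest of the newest entry; publish this out of band to pin the log's length."""
        return self.events[-1].digest if self.events else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the seq of the first bad entry, or None if the log is intact.

        Without expected_head, a truncated tail passes: the chain is still
        self-consistent. With it, truncation is reported at len(events).
        """
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or ev.digest != _digest(
                    ev.seq, ev.actor, ev.action, ev.obj, ev.prev_hash):
                return ev.seq
            prev = ev.digest
        if expected_head is not None and prev != expected_head:
            return len(self.events)
        return None

    def history(self, obj: str) -> List[Tuple[str, str]]:
        """Who did what to a document, in order: the 'who did access it' question."""
        return [(e.actor, e.action) for e in self.events if e.obj == obj]

    def unauthorized(self) -> List[Event]:
        """Recorded actions by actors not on the document's ACL."""
        return [e for e in self.events if e.actor not in self.acl.get(e.obj, set())]


def demo():
    # Constructed sample data; actors and the document name are made up.
    log = ProvenanceLog(acl={"cable-0042": {"ingest", "alice", "bob"}})
    log.record("ingest", "arrive", "cable-0042")
    log.record("alice", "read", "cable-0042")
    log.record("bob", "download", "cable-0042")
    log.record("mallory", "copy", "cable-0042")
    head = log.head()
    out = {
        "intact": log.verify(head),
        "history": log.history("cable-0042"),
        "unauthorized": [e.actor for e in log.unauthorized()],
    }
    # Tamper 1: rewrite the copy event to blame alice, keeping the stored digest.
    log.events[3] = replace(log.events[3], actor="alice")
    out["rewrite_detected_at"] = log.verify(head)
    # Tamper 2: drop the incriminating entry instead. The chain alone stays
    # consistent; only the published head reveals the missing tail.
    del log.events[3]
    out["truncation_unseen_by_chain"] = log.verify()
    out["truncation_seen_with_head"] = log.verify(head)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point is the last two results: hash chaining makes rewriting history detectable, but deleting the newest entries leaves a perfectly valid shorter chain, so a real system has to anchor the head somewhere the log writer cannot reach (a signed checkpoint, a separate append-only store, or a peer that mirrors it). The same holds for the "who can access it" half of the article's claim: the ACL is only trustworthy if changes to it are themselves recorded in the log.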

Briefing With Snowden Documents

Former NSA employee -- not technical director, as the link says -- explains how NSA bulk surveillance works, using some of the Snowden documents. Very interesting.

Windows 10 Technical Preview Privacy Policy

This week Microsoft announced the next version of its operating system, dubbed Windows 10, and released a Windows 10 Technical Preview under its "Insider Program" in order to collect feedback from users and help shape the final version of the operating system. But something really went WRONG!
"Inside Microsoft's Insider Program you'll get all the latest Windows preview builds as soon as they're available. In return, we want to know what you think. You'll get an easy-to-use app to give us your feedback, which will help guide us along the way," the Microsoft website reads.
Well, how many of you actually read the "Terms of Service" and "Privacy Policy" documents before downloading the Preview release of Windows 10? I guess none of you, because most computer users have a habit of ignoring those lengthy paragraphs and simply clicking "I Agree" and then "Next", which is not a good practice at all.
Do you really know what permissions you have granted to Microsoft by installing the free Windows 10 Technical Preview edition? Of course you don't. Well, guess what: you've all but signed away your soul!

PERMISSION TO KEYLOG
If you are unaware of Microsoft's privacy policy, now is the time to pay attention to what it says. Microsoft is watching your every move on the Windows 10 Technical Preview: portions of its privacy policy indicate that the technology giant collects what you type, effectively a keylogger, and uses that data in a variety of astounding ways without the user necessarily being aware of it.
"If you open a file, we may collect information about the file, the application used to open the file, and how long it takes, and use it for purposes such as improving performance, or [if you] enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spell check features," the privacy policy states.
Essentially, by accepting the Windows 10 privacy policy you are allowing Microsoft to screen your files and log your keystrokes. This means that if you open a file and type, Microsoft has access to what you type and to the file's metadata.

This is likely one of the reasons the company insisted that the Technical Preview not be installed on computers that are used every day.
OTHER DATA COLLECTION
But Wait! Wait! Not just this, Microsoft says it may collect even more data. The company will be watching your apps for compatibility, and collect voice information when you use speech to text. This information will be used to improve speech processing, according to Microsoft.
"When you acquire, install and use the Program, Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks," the privacy policy states. "Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."
Technology companies continue to walk a fine line on privacy and data collection, and based on what Microsoft says it collects, it could end up with thousands of username and password combinations stored in a database somewhere. We may well see public pushback against this newest attempt to mine user data.
Microsoft is obviously not going to use that data to break into users' bank accounts or a company's private network, but collecting it at all creates a store that someone else could steal and misuse for their own purposes.

According to WinBeta, this feedback collection will only take place during the Technical Preview period; once Windows 10 ships to the public as RTM, the collection mechanism will be removed from the operating system.

If you wish to test it out, you can Download Windows 10 Preview Edition Here.

Security Fear in China

The Chinese government checked ten thousand pigeons for "dangerous materials." Because fear.