
juliusbeezer : security   211

Hacker group uses Google Translate to hide phishing sites | ZDNet
The trick isn't complex at all. The idea is that phishing groups send their normal phishing emails, but instead of linking directly to their phishing page's domain, they pass the phishing page URL through Google Translate and use the newly generated Google Translate URL instead.

This Google Translate URL for the phishing page is then used inside the email instead of a direct link to the phishing site.

This means that when users press any buttons or links inside the phishing emails, they're redirected to the Google Translate portal, where the phishing page loads with the regular Google Translate toolbar at the top of the page.
security  google  translation 
february 2019 by juliusbeezer
Do Not Let Criminals Steal Your Cellphone Number With This Scam | Inc.com
Because it works - and, if they can steal your number, it does not matter how much security software you have on your phone - they gain access to your texts, calls, and more. It does not matter if you use an iPhone or Android or something else - stealing your number circumvents not only the security on your device, but also the second-factor authentication texts that are so commonly used for improved security by banks, social media companies, Google, etc. They can also send texts as you - likely allowing them to scam some of your friends and relatives into installing malware by sending some link to be clicked, or even into sending them money to deal with an emergency situation.
security  telephony 
november 2018 by juliusbeezer
How to Digitally Sign a File in Linux using GnuPg (Digital Signatures)
As many organizations move away from paper documents to digital documents, digital signatures are required to manage any sensitive digital documents. Digital signatures can be used to authenticate the source of the message, such that the receiver can decide whether to trust the sender or not. Nowadays they are most widely used for software distribution and financial transactions.

In public key cryptography, it is possible to use a private key to sign a file. Anyone who has the corresponding public key can check whether the file was signed by the private key. Anyone who doesn’t have the private key cannot forge such a signature.

Digital signatures can be used for sender authentication and non-repudiation. The signer can’t claim that they didn’t sign the document.
tools  security 
october 2018 by juliusbeezer
Abine Blur: passwords, payments, & privacy
Blur was created with one simple mission: to make it easier to manage and protect your identity without sacrificing convenience.
security  identity  privacy  tools  finance 
october 2017 by juliusbeezer
Decent Security
This article is a list of best practices for home router WiFi security. [Page last updated 2017-05-08]
security  wifi  networking  router 
october 2017 by juliusbeezer
Wikileaks Founder Blasts Twitter's Soft Censorship - Bitsonline
Julian Assange, the rogue editor of Wikileaks who is living as a refugee in the Ecuadorian embassy in London, has blasted Twitter over its increasing use of soft censorship. He highlighted a growing trend within mainstream media companies and platforms where dissenting viewpoints are labeled as offensive, or “fake news”.
The latest event seems to be an inconspicuous change in his account security settings; modifying them without his consent to ensure the images and tweets he posts are labeled as offensive or disturbing — and therefore not shown. In the era of clicks and eyeballs, this dramatically reduces the reach of his content.
twitter  assange  censorship  attention  security 
october 2017 by juliusbeezer
Researchers hack a self-driving car by putting stickers on street signs - Autoblog
Researchers at the University of Washington, the University of Michigan, Stony Brook University, and UC Berkeley have figured out how to hack self-driving cars by putting stickers on street signs. Starting by analyzing the algorithm the vision system uses to classify images, they used a number of different attacks to manipulate signs in order to trick machine learning models into misreading them. For instance, they printed up stickers to trick the vision system an autonomous car would use into reading a stop sign as a 45-mile-per-hour sign, the consequences of which would obviously be very bad in the real world.

In the paper, "Robust Physical-World Attacks on Machine Learning Models," the authors demonstrated four different ways they were able to disrupt the way machines read and classify these signs using only a color printer and a camera. The most troubling part about these experiments is that they all appear very subtle to the human eye, camouflaged as graffiti, art, or incorporated into the sign's imagery.
driverless  security 
august 2017 by juliusbeezer
How to set up a VPN in 10 minutes for free (and why you urgently need one)
The most common way people get VPNs is through a monthly service. There are a ton of these. Ultimately, you must trust the company running the VPN, because there’s no way to know what they’re doing with your data.

As I said, some VPNs are improperly configured, and may leak personally identifying data.

Before you buy a VPN, read up on how it compares to others here. Once you buy a VPN, the best way to double check that it’s working properly is to visit ipleak.net while using the VPN.
privacy  security 
april 2017 by juliusbeezer
Italy Proposes Astonishingly Sensible Rules To Regulate Government Hacking Using Trojans | Techdirt
A Telephone Wiretapping Warrant is required to listen to a WhatsApp call.

A Remote Search and Seizure Warrant is required to acquire files on remote devices.

An Internet Wiretapping Warrant is required to record web browsing sessions.

The same kind of warrant that would be required for planting a physical audio surveillance bug is required to listen to the surrounding environment with the device’s microphone.

Those kinds of legal safeguards are welcome,
security  surveillance  law  italy 
april 2017 by juliusbeezer
How to Run a Rogue Government Twitter Account With an Anonymous Email Address and a Burner Phone
Using Tor Browser is the easiest way to get started, but it’s not perfect. For instance, a hacker who knows about a vulnerability in Tor Browser can discover your real IP address by tricking you into visiting a website they control, and exploiting that vulnerability — the FBI has done this in the past. For this reason, it’s important to always immediately update Tor Browser when you get prompted.

You can also protect yourself from Tor Browser security bugs by using an operating system that’s designed to protect your anonymity, such as Tails or Qubes with Whonix (I’ve written about the latter here). This is more work for you, but it might be worth it. Personally, I’m using Qubes with Whonix.
security  privacy  twitter 
february 2017 by juliusbeezer
Basic Security Guide (Tech Solidarity)
Basic security precautions for non-profits and journalists in the United States, early 2017.
Don't:

Don't send any sensitive information by email.
journalism  security  privacy 
february 2017 by juliusbeezer
Official Google Webmaster Central Blog: Protect your site from user generated spam
There are many ways of securing your site’s forums and comment threads and making them unattractive to spammers:
spam  security 
february 2017 by juliusbeezer
An Introduction to the Shorewall Firewall Tool | Linux.com | The source for Linux information
Shorewall is a high-level configuration tool for Netfilter. Shorewall works by reading configuration files (with the help of iptables, iptables-restore, ip, and tc) found in /etc/shorewall. The primary files used are:
linux  security  tools 
february 2017 by juliusbeezer
Best Linux Server Security Tutorials on Linux.com | Linux.com | The source for Linux information
These and other useful security tips for running your own Linux server, or accessing your server remotely, can be found in the collection of tutorials, below.

Here, we’ve combed through hundreds of tutorials published over the past few years and picked some of the best articles for anyone who wants to improve their Linux server security.
linux  tools  security 
february 2017 by juliusbeezer
Why YubiKey Wins | Yubico
Historically there has always been a trade-off between high security, great usability, and low cost. The YubiKey changes this.
security  hardware 
january 2017 by juliusbeezer
What's a YubiKey? Cheap, Solid Security | News & Opinion | PCMag.com
This Disqus comment at the foot of one of a slew of articles I pulled on Yubikey et al struck me as having the best quality/brevity ratio of the lot.
If you're running Android on your phone, you can download the Google Authenticator and hook it up to LastPass, instead of using a Yubikey. You then manually read the OTPs out of Google Authenticator and type them into LastPass. Or even better - install Google Authenticator on your laptop, then program a hotkey to obtain the OTP from your phone via Bluetooth. This last option is way more convenient than having to drag out a Yubikey all the time.
security  hardware  commenting 
january 2017 by juliusbeezer
Yubikey Neo Teardown | HexView
Many vendors go to great lengths to ensure the physical security of their devices. Chemical-resistant epoxy compounds, capacitive sensors, temperature sensors, and light sensors are among the popular choices. Yubikey's choice: some standard pressure-molding polyamide (or whatever it is) plastic that is easily dissolvable in acetone. So, we gave a brand new Neo an acetone bath, and after about 30 minutes of stirring, a perfectly clean PCB was fished out. Since no internal components were reactive to acetone, the board was in perfect working condition. On the bottom of the container, after the milky-gray acetone solution settled down, we discovered a layer of white powdery substance, which is a fiber reinforcement material added to the plastic to improve its rigidity.
security  hardware 
january 2017 by juliusbeezer
In Response to Guardian’s Irresponsible Reporting on WhatsApp: A Plea for Responsible and Contextualized Reporting on User Security | technosociology
Activists and journalists communicate a lot with ordinary people, and need to be certain that their messages are communicated as reliably as possible, using the same system as their recipient will use – hence the advantage of WhatsApp with its huge user base.

WhatsApp’s behavior around key exchange when phone or SIM cards are changed is an acceptable trade-off if the priority is message reliability. People do not have a free choice in what apps to use; they gravitate towards ones with the largest user base (the ones the people they want to connect to are using) and to ones that are seamless to use. Causing unnecessary and unwarranted concern about WhatsApp is likely to make many users give up on the idea of using secure apps altogether. Again, think of causing alarmist doubts over vaccines in general because of a very rare threat of side effects to a few
security  guardian  journalism  informationmastery  surveillance 
january 2017 by juliusbeezer
Leak at WikiLeaks: A Dispatch Disaster in Six Acts - SPIEGEL ONLINE
When David Leigh of the Guardian finally found himself sitting across from WikiLeaks founder Julian Assange, as the British journalist recounts in his book "Inside Julian Assange's War on Secrecy", the two agreed that Assange would provide Leigh with a file including all of the diplomatic dispatches received by WikiLeaks.

Assange placed the file on a server and wrote down the password on a slip of paper -- but not the entire password. To make it work, one had to complete the list of characters with a certain word. Can you remember it? Assange asked. Of course, responded Leigh.

It was the first step in a disclosure that became a worldwide sensation. As a result of Leigh's meeting with Assange, not only the Guardian, but also the New York Times, SPIEGEL and other media outlets published carefully chosen -- and redacted -- dispatches. Editors were at pains to black out the names of informants who could be endangered by the publication of the documents
guardian  wikileaks  assange  informationmastery  security 
january 2017 by juliusbeezer
Guardian’s "WikiLeaks: Secrets and Lies" Documentary:
Completely obscures the fact that David Leigh was responsible for the publication of the unredacted cables, and says that this was an incomprehensible and reprehensible decision made by WikiLeaks.
Does not disclose that David Leigh violated a written legal agreement between WikiLeaks and The Guardian that the material would not be passed to third parties (The New York Times), published before the publishing date, or be kept in an insecure manner. David Leigh has admitted that he deliberately went behind the editor (and his brother-in-law) Alan Rusbridger’s back to break the agreement, in order to try to avoid liability for breach of contract, in a case study by Columbia University: http://jrnetsolserver.shorensteincente.netdna-cdn.com/wp-content/uploads/2011/09/Wikileaks-Case-Study.pdf
security  wikileaks  guardian  journalism  informationmastery  digitalhumanities  digitarightsmanagement 
january 2017 by juliusbeezer
Can we have medical privacy, cloud computing and genomics all at the same time? | Isaac Newton Institute for Mathematical Sciences
"The collection, linking and use of data in biomedical research and health care: ethical issues" is a report from the Nuffield Bioethics Council, published last year. It took over a year to write. Our working group came from the medical profession, academics, insurers and drug companies. As the information we gave to our doctors in private to help them treat us is now collected and treated as an industrial raw material, there has been scandal after scandal. From failures of anonymisation through unethical sales to the care.data catastrophe, things just seem to get worse. Where is it all going, and what must a medical data user do to behave ethically?

We put forward four principles. First, respect persons; do not treat their confidential data as if it were coal or bauxite. Second, respect established human-rights and data-protection law, rather than trying to find ways round it. Third, consult people who’ll be affected or who have morally relevant interests. And fourth, tell them what you’ve done – including errors and security breaches.

Since medicine is the canary in the mine, we hope that the privacy lessons can be of value elsewhere – from consumer data to law enforcement and human rights.
healthcarerecordsystems  privacy  security  uk  politics  eu 
january 2017 by juliusbeezer
Trump Promises a Revelation on Hacking - NYTimes.com
Mr. Trump, who does not use email, also advised people to avoid computers when dealing with delicate material. “It’s very important, if you have something really important, write it out and have it delivered by courier, the old-fashioned way, because I’ll tell you what, no computer is safe,” Mr. Trump said.

“I don’t care what they say, no computer is safe,” he added. “I have a boy who’s 10 years old; he can do anything with a computer. You want something to really go without detection, write it out and have it sent by courier.”
security  internet 
january 2017 by juliusbeezer
Panopticlick | About
Setting your browser to unblock ads from websites that commit to respecting Do Not Track rewards companies that are respecting user privacy, incentivizing more companies to respect Do Not Track in order to have their ads shown at all. By preserving privacy-friendly ads, sites that rely on advertising funding can continue to thrive without adjusting their core business model, even as they respect users’ privacy choices.

Over time, we believe we can shift the norms on the Web to ensure privacy and respect for users comes first. But that can only happen if online advertisers are incentivized to respect user choices.

You can help us by installing EFF’s Privacy Badger.
Is it possible to defend against browser fingerprinting?

Browser fingerprinting is quite a powerful method of tracking users around the Internet. There are some defensive measures that can be taken with existing browsers, but none of them are ideal. In practice, the most realistic protection is using the Tor Browser, which has put a lot of effort into reducing browser fingerprintability.
security  privacy  tools  internet 
december 2016 by juliusbeezer
Intelligence figures fear Trump reprisals over assessment of Russia election role | US news | The Guardian
Legislators overseeing the CIA and other intelligence agencies have told the Guardian they will be vigilant about reprisals from Donald Trump over an internal assessment that Russia intervened in the 2016 election to ensure Trump’s victory...

Fears of retaliation rose within US intelligence agencies over a tense weekend that saw Trump publicly dismiss not only the assessment but the basic competence of the intelligence apparatus.

“When the president-elect’s transition team is attempting to discredit the entire intelligence community [IC], it has never been more important for the IC and Congress to guard against possible political pressure or retaliation against intelligence analysts,” Ron Wyden, an Oregon Democrat on the Senate intelligence committee, told the Guardian.
us  politics  coding  software  security 
december 2016 by juliusbeezer
I'm giving up on PGP
All in all, I should be the perfect user for PGP. Competent, enthusiast, embedded in a similar community.

But it just didn't work.

First, there's the adoption issue others talked about extensively. I get at most 2 encrypted emails a year.

Then, there's the UX problem. Easy crippling mistakes. Messy keyserver listings from years ago. "I can't read this email on my phone". "Or on the laptop, I left the keys I never use on the other machine".

But the real issues I realized are more subtle. I never felt confident in the security of my long term keys. The more time passed, the more I would feel uneasy about any specific key. Yubikeys would get exposed to hotel rooms. Offline keys would sit in a far away drawer or safe. Vulnerabilities would be announced. USB devices would get plugged in.

A long term key is as secure as the minimum common denominator of your security practices over its lifetime. It's the weak link.
security  tools  attention  coding 
december 2016 by juliusbeezer
UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor • The Register
In short, what the law's passage through Parliament has done to the UK government's ability to force tech companies and telcos to introduce backdoors into their technologies is make it slower and a little tougher.

Does it prevent the UK government from breaking encryption? It absolutely does not. In fact, it foresees it.

Does it mean that customers will be made aware that their communications and traffic are compromised by a backdoor? No, it does not. All of the checks and balances are safely contained within the upper levels of government and the judiciary.
uk  politics  law  surveillance  security 
december 2016 by juliusbeezer
Neutralizing Intel’s Management Engine | Hackaday
Intel’s Management Engine (ME) is a completely separate computing environment running on Intel chipsets that has access to everything. The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we can’t even look at the code. When — not ‘if’ — the ME is finally cracked open, every computer running on a recent Intel chip will have a huge security and privacy issue. Intel’s Management Engine is the single most dangerous piece of computer hardware ever created.
security  hardware 
november 2016 by juliusbeezer
The FBI Hacked Over 8,000 Computers In 120 Countries Based on One Warrant | Motherboard
However, even though they had administrative control of the site, investigators were unable to see the real IP address of Playpen's visitors, because users typically connected to it through the Tor network.

In order to circumvent that anonymity, the FBI deployed what it calls a network investigative technique (NIT), or a piece of malware. That malware, which included a Tor Browser exploit, broke into the computer of anyone who visited certain child pornography threads on Playpen. It then sent the suspect's real IP address back to the FBI.
security  surveillance  law  tor 
november 2016 by juliusbeezer
DSHR's Blog: Lurking Malice in the Cloud
13.7% of Amazon S3 repositories and 5.5% of Google repositories that we inspected turned out to be either compromised or completely malicious. Among those compromised are popular cloud repositories such as Groupon’s official bucket. Altogether, 472 such legitimate repositories were considered to be contaminated, ... infecting 1,306 legitimate websites, including Alexa top 300 sites like groupon.com, Alexa top 5,000 sites like space.com, etc.

The details are in Section 4.2 of the paper. Briefly, many of the compromised repositories had:

a misconfiguration flaw ... which allows arbitrary content to be uploaded and existing data to be modified without proper authorization.

Because the legitimate renters of the bucket had not been sufficiently careful to fully define the bucket's access policy:

by default, ... the cloud only checks whether the authorization key (i.e., access key and secret key) belongs to an S3 user, not the authorized party for this specific bucket: in other words, anyone, as long as she is a legitimate user of the S3, has the right to upload/modify, delete and list the resources in the bucket and download the content.
amazon  google  internet  security 
november 2016 by juliusbeezer
How to encrypt your entire life in less than an hour
In this article, I will show you how you can protect yourself by leveraging state-of-the-art encryption. In a single sitting, you can make great strides toward securing your privacy.
privacy  security 
november 2016 by juliusbeezer
Why the Investigatory Powers Act is a privacy disaster waiting to happen | Ars Technica UK
The mere existence of ICRs is problematic, since it represents continuous surveillance of everything we do online. Ready access to ICRs by the police, without the need for a warrant, is clearly troubling from a privacy point of view. But even setting those issues aside, there's another major problem that has barely been discussed, probably because the politicians simply don't understand the technology that will be involved in implementing the system...
The government factsheet quoted above explains that ICRs are created and held by ISPs and telecoms. However, the government intends to create centralised software that will allow queries to be made across multiple databases using "request filters". That presumably means that a single program will have access to all ICR databases, creating a tempting target for those wishing to gain access to the information stored in the UK's ICRs.
privacy  security 
november 2016 by juliusbeezer
Your Government Wants to Militarize Social Media to Influence Your Beliefs | Motherboard
From 2013 to 2015, Thales partnered with the National Research Council (NRC) of Canada and MediaMiser, an Ottawa-based media monitoring company, to develop tools for security agencies “to automatically process the huge amounts of textual information circulating at any given time, in any number of languages, on blogs, news feeds, social networks and the like.”
The tool is all about “real-time surveillance”: social media information coming into the system is “immediately analysed” using Big Data algorithms and techniques “to detect changes, trends or anomalies” and “identify potentially dangerous entities”.

The tool is already so powerful, claims Thales, that it takes just 5 to 10 seconds for new information appearing on the web “to show up in the system, so intelligence analysts have up-to-the minute insights into situations as they evolve.”
privacy  security  socialmedia  facebook  twitter 
november 2016 by juliusbeezer
Should Google be scrubbing servers to prepare for President Trump? - The Verge
a lesser-known CEO was suggesting a more unorthodox response for tech companies in the Trump era: stop collecting so much data.

The comments came from Pinboard CEO Maciej Ceglowski, a longtime critic of data collection on the web. According to Ceglowski, the only sane response to a Trump presidency was to get rid of as much stored user data as possible. “If you work at Google or Facebook,” he wrote on Pinboard’s Twitter account, “please start a meaningful internal conversation about giving people tools to scrub their behavioral data.” Both companies declined to comment.
security  privacy  pinboard 
november 2016 by juliusbeezer
Unsecured speeding cameras wide open to smart city hackers
The Russian researchers explored the security vulnerabilities related to smart city technology using the Shodan search engine. They suspected many cities are deploying IoT devices to jump on the smart city bandwagon without fully examining how secure the technology is.

In their research they found many instances of traffic cameras that were vulnerable to hackers, made by vendors like Redflex Traffic Systems.

“We found speedcam IP addresses by pure chance… We decided to check that passwords were being used,” said Vladimir Dashchenko and Denis Makrushin from Kaspersky Lab.

“Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. Openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of cameras, as well.”
security  road_safety 
october 2016 by juliusbeezer
Le monde selon Telegram : Reflets
These various DCs are not "proxies", intermediaries that would scatter each user's data jigsaw-style across several physical locations. The data are stored in the chosen DC; the MTProto documentation states this very clearly: "the user's data accumulate in the DC with which the user is associated".
telegram  security  coding 
october 2016 by juliusbeezer
seatpost tracker
Covert GPS Tracker for headset of bicycle.
Notifies you by SMS if your bicycle moves.
Live online tracking of your bicycle.
Pre-pay SIM card included (no contract required) and unlimited online tracking at an ongoing cost of £3.50 per month.
Lightweight, large battery and waterproof.
Functions as a tail light.
cycling  security 
september 2016 by juliusbeezer
Best GPS Bike Trackers and Smart Locks | 2016 Listings and Reviews
Find and compare the best bicycle tracking devices and locks. Fight theft, get sent an alarm alert, and increase your bike security.
cycling  security 
september 2016 by juliusbeezer
Now You Can Hide Your Smart Home on the Darknet | WIRED
Freitas’ setup doesn’t merely turn your smart home hub into a normal Tor hidden service, which are usually designed to allow anyone access to a website while routing the traffic over Tor’s network of thousands of volunteer computers to prevent visitors from knowing where the computer that hosts the site is physically located. Instead, the smart home system uses a lesser-known feature of Tor called an authenticated hidden service. Tor’s intermediary computers can’t connect to the destination computer at all without you implementing a certain passcode, which Freitas describes as a “cookie.” You can still get to your baby monitor via an app or the web, but a potential hacker won’t even be able to find it. “If you add authentication, only people with this cookie can even connect to” your smart home hub, says Freitas. “Without it, Tor doesn’t even let you route to that service.”

This will make your smart home safer, but much more annoying to set up. The system requires that any device you use to manage your smart home hub run Tor and include the right code in what’s known as the Tor relay configuration file. And altering those Torrc files represents just one of the janky steps required to set up the system. In fact the Guardian Project hasn’t even tested that configuration on iOS devices yet—so far only on a desktop TorBrowser and the Android Tor app Orbot.
tor  security 
july 2016 by juliusbeezer
German nuclear plant infected with computer viruses, operator says | Reuters
A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility's operations because it is isolated from the Internet, the station's operator said on Tuesday.

The Gundremmingen plant, located about 120 km (75 miles) northwest of Munich, is run by the German utility RWE.

The viruses, which include "W32.Ramnit" and "Conficker", were discovered at Gundremmingen's B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said.
nukes  security 
april 2016 by juliusbeezer
How Clinton’s email scandal took root - The Washington Post
But Clinton kept using her private BlackBerry — and the basement server.

The server was nothing remarkable, the kind of system often used by small businesses, according to people familiar with its configuration at the end of her tenure. It consisted of two off-the-shelf server computers. Both were equipped with antivirus software. They were linked by cable to a local Internet service provider. A firewall was used as protection against hackers.
Four computer-security specialists interviewed by The Post said that such a system could be made reasonably secure but that it would need constant monitoring by people trained to look for irregularities in the server’s logs.

“For data of this sensitivity . . . we would need at a minimum a small team to do monitoring and hardening,” said Jason Fossen, a computer-security specialist at the SANS Institute, which provides cybersecurity training around the world.
email  security  surveillance  tools 
march 2016 by juliusbeezer
Apple Encryption Engineers, if Ordered to Unlock iPhone, Might Resist - The New York Times
“The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe,” Mr. Cook wrote.

Apple declined to comment.

The fear of losing a paycheck may not have much of an impact on security engineers whose skills are in high demand. Indeed, hiring them could be a badge of honor among other tech companies that share Apple’s skepticism of the government’s intentions.

“If someone attempts to force them to work on something that’s outside their personal values, they can expect to find a position that’s a better fit somewhere else,” said Window Snyder, the chief security officer at the start-up Fastly and a former senior product manager in Apple’s security and privacy division.
software  programming  us  security  privacy  apple 
march 2016 by juliusbeezer
Orbot: Proxy with Tor – Android Apps on Google Play
Orbot is a free proxy app that empowers other apps to use the internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by bouncing through a series of computers around the world. Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.
surveillance  security  tor  android 
march 2016 by juliusbeezer
How Tim Cook Became a Bulwark for Digital Privacy - The New York Times
Mr. Cook’s ideas about civic duty were partly formed during his childhood in rural Alabama. In a speech at the United Nations in 2013, he recounted how Ku Klux Klansmen had once burned a cross on the lawn of a black family’s home and how he yelled for them to stop. “This image was permanently imprinted in my brain, and it would change my life forever,” he said.

At Apple, which he joined as a senior executive in 1998, Mr. Cook was a quiet figure for much of the period when he worked for Mr. Jobs, a showman who prized secrecy at the company. After Mr. Jobs stepped down because of ailing health, Mr. Cook began making Apple more open, publishing an annual report on suppliers and working conditions for more than a million factory workers.
apple  business  openness  security  surveillance 
february 2016 by juliusbeezer
Introducing the Keybase filesystem
As a proof-of-concept, https://keybase.pub is a website that serves static content straight out of /keybase/public. You can see my plan.txt file at https://keybase.pub/chris/plan.txt. The site is also a work-in-progress.
tools  internet  server  security 
february 2016 by juliusbeezer
About Kali Linux | Kali Linux
Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.
linux  security  networking  tools 
january 2016 by juliusbeezer
Fuming Google tears Symantec a new one over rogue SSL certs • The Register
In September it emerged that Symantec's subsidiary Thawte generated a number of SSL certs for internal testing purposes.

One of these certificates masqueraded as a legit cert for Google.com, meaning it could be used to trick web browsers into thinking they had connected to Google's site when really the browser had connected to a potentially malicious server.
security  google  internet 
december 2015 by juliusbeezer
Automated Scanning of Firefox Extensions is Security Theater (And Here’s Code to Prove It) – Dan Stillman
we’ve been asking on the Mozilla add-ons mailing list that Zotero be whitelisted for extension signing. If you haven’t been following that discussion, 1) lucky you, and 2) you can read my initial post about it, which gives some context. The upshot is that, if changes aren’t made to the signing process, we’ll have no choice but to discontinue Zotero for Firefox when Firefox 43 comes out, because, due to Zotero’s size and complexity, we’ll be stuck in manual review forever and unable to release timely updates to our users, who rely on Zotero for time-sensitive work and trust us to fix issues quickly.
firefox  zotero  software  development  security 
november 2015 by juliusbeezer
The End of the Internet Dream? — Backchannel — Medium
For better or for worse, we’ve prioritized things like security, online civility, user interface, and intellectual property interests above freedom and openness. The Internet is less open and more centralized. It’s more regulated. And increasingly it’s less global, and more divided. These trends: centralization, regulation, and globalization are accelerating. And they will define the future of our communications network, unless something dramatic changes.
internet  security  dccomment  attention  agnotology 
november 2015 by juliusbeezer
How Debian Is Trying to Shut Down the CIA and Make Software Trustworthy Again | Motherboard
Reproducible builds rely in part on David A. Wheeler's solution to this problem, Diverse Double-Compiling.

"You need two compilers," Lunar explained, "with one that you somehow trust. Then you build the compiler under test twice, once with each compiler, and then you use the compilers that you just built to build the compiler under test again.

"If the output is the same, then no backdoors," he added. "But for this scheme to work, you need to be able to compare that both build outputs are the same. And that’s exactly what we are enabling when having reproducible builds."

According to Lunar, 83 percent of Debian packages are now built reproducibly, and more join the party every day.
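The check Lunar describes, worked through as an added example in miniature: this is not code from the Motherboard article, from Debian's reproducible-builds effort or from David A. Wheeler. Compilers and the binaries they emit are modelled as small Python values so the procedure runs offline; the two compiler sources, the "vendor" binaries and the backdoor payload are all constructed for illustration. It also shows the point of the last quoted paragraph: without reproducible builds the comparison at the end cannot tell a backdoor from build noise.

```python
"""Diverse Double-Compiling (DDC) in miniature (added example, hypothetical model)."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional
import os

# Constructed sources. P is the compiler under test; T is an independent,
# trusted compiler used only to cross-check it.
SRC_P = "compiler P v1.0: lex, parse, optimise, emit"
SRC_T = "compiler T (tiny, audited): lex, parse, emit"


def h(text: str) -> str:
    return sha256(text.encode()).hexdigest()[:12]


@dataclass(frozen=True)
class Binary:
    """A compiled artefact.

    codegen: which compiler implementation produced the machine code. Two
             correct compilers legitimately emit different code for the same
             source, so this differs between T's output and P's output.
    program: the source this binary implements.
    payload: a hidden, self-propagating backdoor, or None. Absent from the
             source; only visible when binaries are compared.
    noise:   build-time nondeterminism (timestamps, paths); empty when the
             build is reproducible.
    """
    codegen: str
    program: str
    payload: Optional[str] = None
    noise: str = ""


def compile_with(compiler: Binary, source: str, reproducible: bool = True) -> Binary:
    """Run `compiler` on `source`; a trusting-trust backdoor re-inserts itself
    whenever the compiler notices it is compiling the compiler's own source."""
    propagate = compiler.payload if source == SRC_P else None
    noise = "" if reproducible else os.urandom(4).hex()
    return Binary(codegen=compiler.program, program=h(source),
                  payload=propagate, noise=noise)


def ddc(shipped_P: Binary, trusted_T: Binary, reproducible: bool = True) -> str:
    """Stage 1: build P's source with the shipped P and with T.
    Stage 2: use each stage-1 result to build P's source again.
    If P's source is honest and the build is reproducible, both stage-2
    binaries implement the same source with the same code generator, so they
    must be bit-for-bit identical. Returns 'clean', 'backdoored' or 'inconclusive'."""
    stage1_from_P = compile_with(shipped_P, SRC_P, reproducible)
    stage1_from_T = compile_with(trusted_T, SRC_P, reproducible)
    # Stage-1 outputs are NOT expected to match: different code generators.
    assert stage1_from_P.codegen != stage1_from_T.codegen
    stage2_from_P = compile_with(stage1_from_P, SRC_P, reproducible)
    stage2_from_T = compile_with(stage1_from_T, SRC_P, reproducible)
    if stage2_from_P == stage2_from_T:
        return "clean"
    # If stripping build noise makes them equal, the mismatch was noise and the
    # test decided nothing. That gap is what reproducible builds close.
    strip = lambda b: Binary(b.codegen, b.program, b.payload, "")
    if strip(stage2_from_P) == strip(stage2_from_T):
        return "inconclusive"
    return "backdoored"


# The trusted compiler: T's audited source built by a bootstrap we accept.
# That residual trust is the price of the scheme; DDC only needs it to be
# independent of P.
TRUSTED_T = Binary(codegen=h("bootstrap"), program=h(SRC_T))
# Two candidate P binaries as a vendor might ship them. Both implement SRC_P;
# the second carries a payload that no review of SRC_P would reveal.
HONEST_P = Binary(codegen=h(SRC_P), program=h(SRC_P))
TROJANED_P = Binary(codegen=h(SRC_P), program=h(SRC_P), payload="login-bypass")

if __name__ == "__main__":
    print("honest                :", ddc(HONEST_P, TRUSTED_T))
    print("trojaned              :", ddc(TROJANED_P, TRUSTED_T))
    print("honest, unreproducible:", ddc(HONEST_P, TRUSTED_T, reproducible=False))
```

The model deliberately makes stage-1 binaries differ (T and P generate different code), which is why a naive "compare the two builds" does not work and the second compilation is needed. Note the remaining assumption: T itself must be trustworthy and independent of P; DDC shrinks the trusted base to T, it does not remove it.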
linux  security  software  surveillance 
november 2015 by juliusbeezer
The Snooper’s Charter would devastate computer security research in the UK | Ars Technica UK
What would I do if I found that backdoor today? The ethical thing is to check my results with trusted colleagues, tell my client, determine what the best remedial action is, tell whoever is in charge of that aspect of the router software, allow time for a patch to propagate out, then tell the world what happened. It’s interesting, but not immediately important, to work out who did the attack. Fix first, ask questions later.

Let’s look at that in a world where the Snooper's Charter has become law. I find the backdoor and tell a colleague. She doesn’t answer my e-mail, but I get a knock at the door—turns out that GCHQ was behind the attack. I am now banned forever from mentioning to anyone what I found—or that I found anything. The backdoor is later exploited by the bad guys and my client is hit. Why didn’t you find it, they ask? I can only shrug. Soon, my consultancy is in disarray. If I’m sued for incompetence, I cannot defend myself. I can write no papers, warn no people.
surveillance  privacy  security  uk  politics 
november 2015 by juliusbeezer
An Introduction to Uncomplicated Firewall (UFW) | Linux.com
a much simpler front end for iptables is ready to help get your system as secure as you need.

That front end is Uncomplicated Firewall (UFW). UFW provides a much more user-friendly framework for managing netfilter and a command-line interface for working with the firewall. On top of that, if you’d rather not deal with the command line, UFW has a few GUI tools that make working with the system incredibly simple.
tools  security  linux 
october 2015 by juliusbeezer
Stop Malvertising | Al Jazeera America
But the far more pressing problem with online ads has to do with their security or lack thereof. As online publishing has flourished, ads and their surveillance-based business model have made the Internet an exceedingly dangerous place. And most advertisers seem content to keep it that way.

Just last month, Forbes was forced to shut down its website after hackers hijacked its advertising network to serve malware to the site’s visitors. Less than a week later, the same type of attack compromised the ad networks of three of the most heavily trafficked porn sites on the Internet, affecting a combined monthly audience of more than 1 billion users. A month earlier, another malware campaign infected the ad network of Yahoo, which serves an estimated 6.9 billion monthly visitors. The same thing happened in January to Google’s AdSense platform, which generates almost one-quarter of the data giant’s revenue. Before that it was DoubleClick, another ad network owned by Google.
security  internet  advertising 
october 2015 by juliusbeezer
Troy Hunt: Here’s what Ashley Madison members have told me
Interesting review of web security expert's correspondence around Ashley Madison data breach
privacy  security 
august 2015 by juliusbeezer
Goodbye, Android | Motherboard
As security researcher Nicholas Weaver put it in a (now deleted) tweet, “Imagine if Windows patches had to pass through Dell and your ISP before they came to you? And neither cared? That is called Android.”

In 2013, the American Civil Liberties Union filed a complaint with the Federal Trade Commission arguing that major wireless carriers were leaving users vulnerable to hackers and cybercriminals by failing to quickly push critical security updates to their customers’ Android phones.

Things have changed little since then. Google now has a bit more control over some updates thanks to Google Play Services, a set of APIs that live outside the OS, and which get automatically updated in the background. But security has not improved as much.
android  security 
july 2015 by juliusbeezer
Police raid programmer who reported flaw in Argentinian e-voting system | Ars Technica UK
Local police have raided the home of an Argentinian programmer who reported a flaw in an e-voting system that was used this weekend for local elections in Buenos Aires. The police took away all of his devices that could store data. According to a report in the newspaper La Nación, Joaquín Sorianello had told the company MSA, which makes the Vot.ar e-voting system, about the problem after he discovered information on the protected Twitter account @FraudeVotar. This revealed that the SSL certificates used to encrypt transmissions between the voting stations and the central election office could be easily downloaded, potentially allowing fraudulent figures to be sent.
politics  open  security 
july 2015 by juliusbeezer
Attribution is hard — The Message — Medium
But if you want to change bad outcomes of systemic problems, coming up with systemic answers requires systemic attribution. And don’t ever look for enforcement bodies like the police to look for systemic answers. Prevention is by necessity an existential threat to retaliatory actions. “Bear Hunter” would be a pretty cool handle for anonymously closing malls with tweeted bomb threats, but it’s not a job title anymore, and no one in their right mind wants it to be. Cybercop can head in the same direction with a little more Cyber Consumer Protection, even if that sounds much less sexy. (And lets be honest, Cybercop is much lamer than Bear Hunter anyway.)

Before this gets called victim blaming, that is about a way of attributing as well. “Victim blaming” describes where we believe the agency is. The ecology of malware shares more features in common with simple biology than with drunk frat boys. Telling corporations to secure their damn networks and products isn’t victim blaming any more than telling doctors to wash their damn hands is.
security  internet 
june 2015 by juliusbeezer
A group of French hosting providers asks the Prime Minister, Manuel Valls, to abandon the "black boxes" project.
Moreover, French hosting providers do not host only French customers: they take in foreign customers who come to be hosted in France, from Germany, Great Britain, Spain, Poland, the United States, Brazil, and so on. In all, 30 to 40% of our hosting providers' turnover is earned this way. These customers come because there is no Patriot Act in France, and because the protection of corporate and personal data is treated as important. If that is no longer the case tomorrow because of these infamous "black boxes", it will take them between 10 minutes and a few days to leave their French host. For us the conclusion is unambiguous: we will have to move our infrastructure, our investments and our employees to wherever our customers are willing to work with us.

Reims, Rennes, Roubaix, Paris, Brest, Toulouse, Rodez, Figeac, Grenoble, Montceau les Mines, Strasbourg and Gravelines are all cities where we will be cutting jobs instead of creating hundreds of them in the coming years. Those are the thousands of jobs generated by cloud computing, big data, connected objects or the smart city that startups and large companies will likewise go and create elsewhere.
security  surveillance  france 
april 2015 by juliusbeezer
French hosting providers: "We're bringing out a bazooka to kill a fly" - Rue89 - L'Obs
The main French hosting providers (OVH, Gandi, etc.) have published a scathing open letter in which, while insisting they are not against the law, they worry about the consequences of the infamous "black boxes" for their business.
internet  france  security  surveillance 
april 2015 by juliusbeezer
We can de-anonymize programmers from coding style. What are the implications?
Today I’ll talk about applications and explain how source code authorship attribution can be used in software forensics, plagiarism detection, copyright or copyleft investigations, and other domains.

Security vs. privacy. Identifying the authors of source code is a security-enhancing method that has applications in software forensics. Most of the post will focus on these applications. But before getting to that, I should mention that it is a double-edged sword. Security-enhancing techniques are often also privacy infringing, depending on how they’re used.
software  programming  development  anonymity  security  coding  corpus 
april 2015 by juliusbeezer
Introduction: A New World of News - Committee to Protect Journalists
This guide details what journalists need to know in a new and changing world. It is aimed at local and international journalists of varied levels of experience. The guide outlines basic preparedness for new journalists taking on their first assignments around the world, offers refresher information for mid-career journalists returning to the field, and provides advice on complex issues such as digital security and threat assessment for journalists of all experience levels.
journalism  security 
april 2015 by juliusbeezer
A court case so secret, US Govt says it can't go on - Business - NZ Herald News
the court said, it was "convinced that further litigation of this action would impose an unjustifiable risk of disclosing state secrets."

That is, even if the court were to block discovery of any actual state secret, the mere fact of the lawsuit would have a tendency to endanger national security - even if the trial took place entirely in secret.

The court thus came perilously close to saying that the case should be dismissed because it might be embarrassing to the Government.

The trial judge, Edgardo Ramos, admitted that the outcome was "harsh."

As he put it, "plaintiffs not only do not get their day in court, but cannot be told why".

This formulation captures exactly why the case violates the rule of law.

Dismissing a lawsuit between private parties without giving a reason is the very opposite of the judicial function, which relies fundamentally on reason-giving.

Where no reasons are given, we aren't in the realm of legal decision-making.

We're in the universe of absolutism or autocracy.
security  law  nz  confidentiality 
march 2015 by juliusbeezer
Edward Snowden tells you what encrypted messaging apps you should use
As for Android options, Snowden suggested two programs, Redphone and TextSecure. Both are designed by Open Whisper Systems and both allow users to make encrypted phone calls and send secure text messages. The NSA, Der Spiegel revealed in December, classifies services like Redphone as a “threat” to surveillance.
security  surveillance 
march 2015 by juliusbeezer
Are Your Devices Hardwired For Betrayal? | Electronic Frontier Foundation
We are thus faced with one of the most pernicious computer security problems we have ever seen. Our hardware devices could be riddled with malware, and we have no way of knowing. We have no way to assure ourselves that we have control over the machines that we use every day of our lives. The very foundation of our technology is rotten and full of termites. The problem of firmware-based malware must be addressed immediately.
security  hardware 
march 2015 by juliusbeezer
Dear NSA, I Don't Think You Meant Yottabytes
Several media reports claim that the NSA’s Utah data center may ultimately be able to store data on the scale of yottabytes because, you know, they think they’re totally going to need yottabytes. To put this into perspective, a yottabyte would require about a trillion 1TB hard drives and data centers the size of both Rhode Island and Delaware combined. Plus, a trillion hard drives is more than a thousand times the number of hard drives produced each year. In other words, at current manufacturing rates it would take more than a thousand years to produce that many drives.
security  surveillance  hardware  energy  funny 
february 2015 by juliusbeezer
UK-US surveillance regime was unlawful ‘for seven years’ | UK news | The Guardian
An “order” posted on the IPT’s website early on Friday declared: “The regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities … contravened Articles 8 or 10” of the European convention on human rights.

Article 8 relates to the right to private and family life; article 10 refers to freedom of expression.

The decision, in effect, refines an earlier judgment issued by the tribunal in December, when it ruled that Britain’s current legal regime governing data collection through the internet by intelligence agencies – which has been recently updated to ensure compliance – did not violate the human rights of people in the UK.
security  surveillance 
february 2015 by juliusbeezer
furbo.org · Fear China
Blocking China

I’m a big believer in the power of an open and freely accessible Internet: I don’t take blocking traffic from innocent people lightly. But in this case, it’s the only thing that worked. If you get a DDOS like what I’ve described above, this should be the first thing you do.

The first step is to get a list of all the IP address blocks in the country. At present that’s 5,244 separate zones. You’ll then need to feed them to your firewall.
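The post stops at "feed them to your firewall". Feeding 5,244 prefixes in as 5,244 individual rules is slow to load and to evaluate; the usual practice is to collapse the list first (adjacent and overlapping prefixes merge) and load it into one ipset matched by a single iptables rule. The following is an added example written for this page, not code from the furbo.org post; the prefix list is constructed from documentation ranges, not a real country allocation, and the set name `blocked_cc` is an arbitrary choice.

```python
"""Collapse a country prefix list and emit ipset/iptables input (added example)."""
import ipaddress
from typing import Iterable, List

# Constructed sample in the format most "IP blocks by country" lists use:
# one CIDR per line, comments and blank lines allowed, occasional junk.
SAMPLE_LIST = """\
# example allocations (constructed, RFC 5737 ranges)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26
192.0.2.0/24
not-a-prefix
"""


def parse_prefixes(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one prefix per line, skipping comments, blanks and malformed lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False masks stray host bits (some lists have them)
            # instead of raising.
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # a malformed line must never widen the block
        if net.version == 4:
            nets.append(net)
    return nets


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent prefixes into the minimal covering set."""
    return list(ipaddress.collapse_addresses(nets))


def ipset_restore(setname: str, nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Emit an `ipset restore` script: one hash:net set plus its members."""
    lines = [f"create {setname} hash:net family inet"]
    lines += [f"add {setname} {n.with_prefixlen}" for n in nets]
    return "\n".join(lines) + "\n"


def iptables_rule(setname: str) -> str:
    """The single DROP rule that matches any source address in the set."""
    return f"iptables -I INPUT -m set --match-set {setname} src -j DROP"


def build_blocklist(text: str, setname: str = "blocked_cc") -> dict:
    raw = parse_prefixes(text)
    merged = collapse(raw)
    return {
        "parsed": len(raw),
        "merged": len(merged),
        "ipset": ipset_restore(setname, merged),
        "rule": iptables_rule(setname),
    }


if __name__ == "__main__":
    result = build_blocklist(SAMPLE_LIST)
    print(f"{result['parsed']} prefixes collapsed to {result['merged']}")
    print(result["ipset"])
    print(result["rule"])
```

Load the generated script with `ipset restore -exist < blocklist.ipset` and then add the one rule; the rule references the set by name, so refreshing the list later means rebuilding the set, not touching iptables. The collapse step matters for correctness as well as size: a registry list that contains both a /24 and a /26 inside it is harmless here, but the same parser with `strict=True` or without the try/except would either abort on junk lines or, worse, be edited by hand until it loads.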
china  dns  internet  security 
february 2015 by juliusbeezer
F-16s Scrambled to Escort Jets After Twitter Bomb Threat - ABC News
An apparent bomb threat against two passenger flights that was tweeted today resulted in two F-16 fighter jets being scrambled to escort the two airliners.

The two flights were both en route to Hartsfield-Jackson International Airport in Atlanta, where they landed safely, NORAD said.

"When the threat came in through Twitter, something was suspicious enough about it to make that determination that caused someone to elevate it to the point that it caused the scramble of the fighter jets
twitter  security  aéroport 
january 2015 by juliusbeezer
Financial Cryptography 2015 | Light Blue Touchpaper
The opening keynote was by Gavin Andresen, chief scientist of the Bitcoin Foundation, and his title was “What Satoshi didn’t know.” The main unknown six years ago when bitcoin launched was whether it would bootstrap; Satoshi thought it might be used as a spam filter or a practical hashcash. In reality it was someone buying a couple of pizzas for 10,000 bitcoins. Another unknown when Gavin got involved in 2010 was whether it was legal; if you’d asked the SEC then they might have classified it as a Ponzi scheme, but now their alerts are about bitcoin being used in Ponzi schemes. The third thing was how annoying people can be on the Internet; people will abuse your system for fun if it’s popular.
bitcoin  security  internet 
january 2015 by juliusbeezer
Library workers under scrutiny | Local | The Register-Guard | Eugene, Oregon
Two University of Oregon librarians — who likely are also UO archivists — are under investigation in the leak of 22,000 documents sent and received by UO presidents between 2010 and 2014.

The presidential documents were placed in the library’s open archives without redacting student names, which the university assumes violates the Family Educational Rights and Privacy Act.

In early December, an unnamed professor requested — and received — a copy of the archives. So far, he has released only one document, which contained no student names but a revelation about an administrative proposal to disband the University Senate.

The university gave the professor until 5 p.m. Thursday to return the electronic file containing the trove of documents.
archiving  UO  library  security  confidentiality 
january 2015 by juliusbeezer
Government Set Up A Fake Facebook Page In This Woman’s Name - BuzzFeed News
The account was actually set up by U.S. Drug Enforcement Administration Special Agent Timothy Sinnigen.

Not long before, law enforcement officers had arrested Arquiett, alleging she was part of a drug ring. A judge, weighing evidence that the single mom was a bit player who accepted responsibility, ultimately sentenced Arquiett to probation. But while she was awaiting trial, Sinnigen created the fake Facebook page using Arquiett’s real name, posted photos from her seized cell phone, and communicated with at least one wanted fugitive — all without her knowledge.
police  us  surveillance  security  facebook 
january 2015 by juliusbeezer
Why Does the NSA Engage in Mass Surveillance of Americans When It’s Statistically Impossible for Such Spying to Detect Terrorists? » CounterPunch: Tells the Facts, Names the Names
To know if mass surveillance will work, Bayes’ theorem requires three estimations:

1) The base-rate for terrorists, i.e. what proportion of the population are terrorists.

2) The accuracy rate, i.e., the probability that real terrorists will be identified by NSA;

3) The misidentification rate, i.e., the probability that innocent citizens will be misidentified by NSA as terrorists.

No matter how sophisticated and super-duper are NSA’s methods for identifying terrorists, no matter how big and fast are NSA’s computers, NSA’s accuracy rate will never be 100% and their misidentification rate will never be 0%. That fact, plus the extremely low base-rate for terrorists, means it is logically impossible for mass surveillance to be an effective way to find terrorists.
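The three estimates above plug straight into Bayes' theorem; what the article asserts in words is easier to believe with the expected counts in front of you. The following is an added example, not code from the CounterPunch article. The population size, base rate, accuracy rate and misidentification rate are illustrative assumptions, chosen to be generous to the detector; change them and re-run.

```python
"""Base-rate arithmetic for a mass-screening detector (added example)."""


def screening_outcomes(population: int, base_rate: float,
                       accuracy: float, misid_rate: float) -> dict:
    """Expected counts when a detector with these rates is run over everyone.

    base_rate  : (1) fraction of the population who are real targets
    accuracy   : (2) P(flagged | target), the detection rate
    misid_rate : (3) P(flagged | innocent), the misidentification rate
    """
    targets = population * base_rate
    innocents = population - targets
    true_pos = targets * accuracy
    false_pos = innocents * misid_rate
    flagged = true_pos + false_pos
    # Bayes: P(target | flagged) = P(flagged | target) P(target) / P(flagged)
    precision = true_pos / flagged if flagged else 0.0
    return {
        "targets": targets,
        "true_positives": true_pos,
        "false_positives": false_pos,
        "flagged": flagged,
        "precision": precision,          # share of flagged people who are targets
        "missed": targets - true_pos,    # targets the detector never sees
    }


def required_misid_rate(base_rate: float, accuracy: float,
                        target_precision: float) -> float:
    """Solve the same equation for (3): the false-positive rate a detector
    would need so that `target_precision` of the people it flags are targets.

    precision = a*b / (a*b + m*(1-b))  =>  m = a*b*(1-precision) / (precision*(1-b))
    """
    return (accuracy * base_rate * (1 - target_precision)
            / (target_precision * (1 - base_rate)))


# Illustrative assumptions: 300 million people, 3,000 real targets among them,
# a detector that catches 99% of them and wrongly flags only 1 in 1,000 others.
POPULATION = 300_000_000
BASE_RATE = 1e-5
ACCURACY = 0.99
MISID_RATE = 1e-3

if __name__ == "__main__":
    r = screening_outcomes(POPULATION, BASE_RATE, ACCURACY, MISID_RATE)
    print(f"flagged: {r['flagged']:,.0f}  of which real targets: "
          f"{r['true_positives']:,.0f}  ({r['precision']:.2%})")
    print(f"innocent people flagged: {r['false_positives']:,.0f}; "
          f"targets missed: {r['missed']:,.0f}")
    need = required_misid_rate(BASE_RATE, ACCURACY, 0.5)
    print(f"misidentification rate needed for a coin-flip hit rate: {need:.2e}")
```

With these numbers roughly 303,000 people are flagged, of whom about 2,970 are targets: under 1%. To make even half of the flagged people real targets the misidentification rate would have to fall to about 1 in 100,000, below the accuracy of any classifier operating on messy behavioural data, which is the article's point that no increase in computing power fixes a base rate this low.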
security  surveillance  statistics  politics 
january 2015 by juliusbeezer
Has David Cameron really gone to war on encryption?: | News | TechRadar
Unlike Cameron, GCHQ and the police do understand the technology – but they also, almost certainly, understand the ineffectiveness of this kind of thing in terms of catching the real terrorists, something known by experts for a long time, as this piece from 2006 makes clear. It is also almost certain that they know – as, in this case, does Cameron – that mass surveillance and a restriction on encryption would be effective in monitoring "ordinary" people. It would work against protestors and dissenters – and they've shown a desire to do this in the past from wanting to shut down Twitter at times of unrest to monitoring social networks in order to "head off" badger cull protests. Getting backdoors to encryption would aid in this kind of thing – it is a key tool for an authoritarian.
security  surveillance  CharlieHebdo 
january 2015 by juliusbeezer
About freenode: IRC Servers
Tor users represent much less than 1% of our total userbase. We appreciate your accessing freenode via the Tor hidden service; however, we have a limited amount of staffer time to troubleshoot and resolve issues. If we have to restart the hidden service, that means disconnecting all the currently-connected Tor users, so we prefer to avoid that if possible.
tor  internet  tools  security  surveillance 
january 2015 by juliusbeezer
Secure Messaging Scorecard | Electronic Frontier Foundation
5. Is the code open to independent review?

This criterion requires that sufficient source-code has been published that a compatible implementation can be independently compiled. Although it is preferable, we do not require the code to be released under any specific free/open source license. We only require that all code which could affect the communication and encryption performed by the client is available for review in order to detect bugs, back doors, and structural problems.

Note: when tools are provided by an operating system vendor, we only require code for the tool and not the entire OS. This is a compromise, but the task of securing OSes and updates to OSes is beyond the scope of this project.
security  surveillance  tools  internet 
january 2015 by juliusbeezer
Manuel Valls and the security reform taking shape - Libération
Manuel Valls announced that he had instructed the Interior Minister to deliver to him "within eight days proposals for strengthening" that "must in particular cover the Internet and social networks, used more than ever for indoctrination, for making contact and for acquiring the techniques that enable someone to act". The announcement was applauded from one end of the chamber to the other, even though the perpetrators of the attack on Charlie Hebdo fit the profile of young men radicalised not online but through "IRL" contact with Salafist mentors.

The day after the attack, the accelerated release of one of the implementing decrees of the anti-terrorism law adopted last October was in any case already in the pipeline. It allows the administrative blocking of sites "inciting acts of terrorism or glorifying them", as well as child-pornography sites, via the Office central de lutte contre la criminalité liée aux technologies de l'information et de la communication (OCLCTIC), and is expected to be published within ten days. The law also provides for greater liability for publishers and hosting providers, who will be required to make available to Internet users a mechanism for reporting content that glorifies terrorism, and to forward substantiated reports to OCLCTIC.
internet  france  security  surveillance  police 
january 2015 by juliusbeezer
66-Year-Old British Rock Guitarist Jailed for Joining Anonymous in Hacking Attack
Commander was one of the 13 individuals charged last year with being members of the notorious “Anonymous” and attacking US financial institutions. He initially faced 10 years’ imprisonment, but the case was later downgraded to a misdemeanor. On Friday, ‘Jake’ Commander was sentenced to 10 days at the Alexandria jail, with credit for 1 day already served after the arrest.

Geoffrey ‘Jake’ Commander did not try to argue that he did not know what he was doing, although he said that his decision to take part in the hack was “impulsive, spurious and foolish.” He stayed adamant that the act was a protest against the US financial institutions, which he thought had “brought the country to its knees”.
spectacle  security  internet 
january 2015 by juliusbeezer
Six custodial sentences for glorifying terrorism - Libération
Pharos, the Plateforme d'harmonisation, d'analyse, de recoupement et d'orientation des signalements, is a website run by the Interior Ministry and intended to receive reports from anyone wishing to alert the authorities to illegal content or behaviour on the Internet. According to Le Monde, Bernard Cazeneuve, the Interior Minister, told the prefects that 12,600 messages glorifying the attacks have been recorded on social networks since the attack.
security  surveillance  france  politics  law 
january 2015 by juliusbeezer
TwitLonger — When you talk too much for Twitter
The tragedy in Paris is another example of where competent targeted surveillance, not mass surveillance, was needed.

The attackers were well known jihadis. This is not a case of needing to collect a global interception haystack in order to find a needle. The alleged needle in question, Cherif Kouachi, had already been convicted of terrorism offences and served 18 months in prison for it. Both brothers were already on terrorism lists. Far from hiding messages under rocks or using encryption, the alleged conspirators communicated hundreds of times before and during the attacks — on regular phones. The offices of Charlie Hebdo had received many death threats and had been firebombed in 2011 a week after publishing cartoons of the prophet Muhammad. The French mass surveillance system is already one of the most pervasive; its primary purpose, like all such systems, is geopolitics.

Mass surveillance addiction doesn’t come for free. In France it thieved skilled human and financial resources from targeted monitoring of obvious—the front of the Charlie Hebdo building and people walking out of prison with a terrorism conviction in one hand and numerous jihadi contacts in the other.
security  surveillance  france  wikileaks  CharlieHebdo 
january 2015 by juliusbeezer