In Memoriam of Aaron Swartz and his dream to make the world a better place
11/8/1986 – 01/11/2013
The announcement comes less than 24 hours after the hacktivist group Anonymous warned of a coordinated and targeted attack against the Islamic State in the wake of the deadly wave of terror attacks across Paris.
The hacking collective vowed to “unite humanity,” warning the terrorist group to “expect massive cyber-attacks.”
“Anonymous from all over the world will hunt you down,” the masked Anon spokesman in the video said. “You should know that we will find you and we will not let you go.”
ISIS responded to Anonymous’ video on Monday, calling the hacktivist group “idiots” and offering technical guidance to ISIS supporters in an effort to protect against Anonymous cyber-attacks.
In spite of the ISIS insults aimed at Anonymous, judging by the initial results, it seems the Islamic State is impotent to stop the hacktivist group from decimating the terror group’s social media outreach and recruitment efforts.
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” according to an e-mailed statement from the Office of the Director of National Intelligence.
Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies from Cisco Systems Inc. (CSCO) to Juniper Networks Inc. to provide patches for their systems.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”
Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.
Network World – The Heartbleed Bug, basically a flaw in OpenSSL that would let savvy attackers eavesdrop on Web, e-mail and some VPN communications that use OpenSSL, has sent companies scurrying to patch servers and change digital encryption certificates and users to change their passwords. But who’s to blame for this flaw in the open-source protocol that some say also could impact routers and even mobile devices as well?
A German software engineer named Robin Seggelmann of Münster, Germany has reportedly accepted responsibility for inserting what experts are calling a mistake of catastrophic proportions into OpenSSL, the open-source protocol implementation used by millions of websites and servers. The flaw leaves them open to theft of data and passwords, and many think it has already been exploited by cyber-criminals and government intelligence agencies.
“Half a million websites are vulnerable, including my own,” wrote security expert Bruce Schneier in his blog, pointing to a tool to test for the Heartbleed Bug vulnerability. He described Heartbleed as a “catastrophic bug” in OpenSSL because it “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.” It compromises secret keys used to identify service providers and encrypt traffic, he pointed out. “This means anything in memory—SSL private keys, user keys, anything—is vulnerable.”
The Heartbleed Bug was discovered by security analysts from Google and Codenomicon and disclosed by the OpenSSL open-source group on April 7 as an OpenSSL Advisory, with a fix prepared by OpenSSL open-source contributors Adam Langley and Bodo Möller. Across the world, companies and vendors have been scrambling to either patch their systems or assure users that their services weren’t using OpenSSL.
Microsoft, for example, issued an advisory that “Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.”
But Microsoft added, “However, if you are using Microsoft Azure’s IaaS to host linux images, then you should make sure that your OpenSSL implementation is not vulnerable.”
Twitter also said its services weren’t impacted by Heartbleed. However, websites including Yahoo Mail, Yahoo Messenger and others were impacted. As news stories about the Heartbleed Bug filled the news, there was widespread concern and bewilderment in the general public, and it wasn’t uncommon to hear the problem described by people as a computer virus, rather than a software flaw.
Internet users have been warned to change all their computer and phone passwords following what could be a ‘catastrophic’ security breach.
Major technology firms have urged the public to immediately update their online security.
The alert is the result of the discovery of an internet bug called ‘Heartbleed’, which is able to bypass computer security settings.
LastPass Heartbleed Checker warns if a website may be at risk. It also reveals websites that aren’t affected.
If a password is in any dictionary in any language then it will take just three minutes to crack, warned computer expert Tony McDowell.
The worst passwords are the likes of ‘password’, ‘123456’, ‘qwerty’, or your child’s name. Using the same password for every site can leave you even more vulnerable to hackers, he added.
His advice is to use a phrase rather than a word. For example, use ‘nameisabella’ rather than just ‘Isabella’ – and use a mixture of letters and numbers.
A password of ‘name!saBe1la’ would take a year to crack, said Mr McDowell, managing director of Encription Ltd.
‘Most hackers give up after 24 hours unless it is something they really want to gain access to,’ he added.
Potentially vulnerable sites: Facebook, Twitter, Tumblr, Instagram, Google, Gmail, Lloyds TSB, Nationwide, Santander, Bing, Yahoo, Flickr, LastPass, DuckDuckGo, Natwest, GitHub
The tool is a guide to affected services; it is not a definitive list.
Sites listed as vulnerable may use unreported servers, meaning their status can’t be officially verified.
As a result, personal information such as passwords and credit card details has been accessible.
Published on Mar 10, 2014
Edward Snowden speaks about privacy and technology with the ACLU’s Ben Wizner and Christopher Soghoian at SXSW Interactive. -Links are below-
https://www.aclu.org/time-rein-survei… – Main “Time to Rein in the Surveillance State”
https://www.aclu.org/time-rein-survei… – Patriot Act Info
https://www.aclu.org/time-rein-survei… – FISA Amendments
https://www.aclu.org/time-rein-survei… – FISA Court Info
Former National Security Agency contractor Edward Snowden speaks remotely to the South by Southwest Interactive conference in Austin, Texas, superimposed over an image of the Constitution. (Spencer Bakalar / Los Angeles Times / March 10, 2014)
AUSTIN, Texas — Edward Snowden brought no bombshells when he arrived to an excited round of applause Monday, his stubbled face relaxed as it was beamed in from across the continents for a “virtual conversation” about the vulnerability of personal data. His presence was event enough.
Public appearances by the former National Security Agency contractor and U.S. exile are rare, and this one was beamed in from an undisclosed location in Russia via several online proxies for his own security, a bit of technological cloak-and-dagger that could only add to his mystique for the three roomfuls of international tech specialists struggling to hear his words in video that was choppy and often inaudible.
His message still got through: Personal information is vulnerable not only to government prying but to growing numbers of outside infiltrators because companies have failed to adequately protect the data of their customers. His own exile after leaking to reporters secret information he had gathered while an NSA consultant has made him a central figure in that conversation, and he says he has no regrets.
“Would I do it again? Absolutely,” Snowden said into the camera, in response to one of several questions submitted to him via Twitter (#AskSnowden) and screened backstage at the South by Southwest Interactive conference. “I took an oath to support and defend the Constitution. And I saw the Constitution was being violated on a massive scale.”
He warned, “If we allow the NSA to continue unrestrained, every other government will accept that as a green light to do the same.”
The chosen Twitter questions were notably nonconfrontational for a figure often the subject of heated debate even among supporters. One asked whether the mass surveillance was driven by privatization. Another wondered about the potential for society to “reap benefits” from the “big data.” None asked about his life in Russia, or what further revelations might be coming.
The first question came from Timothy John Berners-Lee, a British scientist known as the inventor of the World Wide Web, who asked Snowden how he would create an accountability system for governance.
• Whistleblower patches in to Texas conference from Russia
• Snowden insists leaks have strengthened national security
Edward Snowden, the NSA whistleblower whose unprecedented leak of top-secret documents led to a worldwide debate about the nature of surveillance, insisted on Monday that his actions had improved the national security of the United States rather than undermined it, and declared that he would do it all again despite the personal sacrifices he had endured.
In remarks to the SXSW culture and technology conference in Texas, delivered by video link from his exile in Russia, Snowden took issue with claims by senior officials that he had placed the US in danger. He also rejected as demonstrably false the suggestions by some members of Congress that his files had found their way into the hands of the intelligence agencies of China or Russia.
Snowden spoke against the backdrop of an image of the US constitution, which he said he had taken an oath to protect but had seen “violated on a mass scale” while working for the US government. He accepted praise from Sir Tim Berners-Lee, the inventor of the world wide web, accorded the first question via Twitter, who described him as “acting profoundly in the public interest”.
The session provided a rare and extensive glimpse into the thoughts of Snowden, granted temporary asylum by Russia after the US revoked his passport. He struck back strongly against claims made again last week by the NSA director, General Keith Alexander, that his release of secret documents to the Guardian and other outlets last year had weakened American cyber-defences.
“These things are improving national security, these are improving the communications not just of Americans, but everyone in the world,” Snowden said. “Because we rely on the same standard, we rely on the ability to trust our communications, and without that, we don’t have anything.”
He added later that thanks to the more secure communication activity that had been encouraged by his disclosures, “the public has benefited, the government has benefited, and every society in the world has benefited”.
The attackers said the sum contradicts Mt. Gox’s claim in a Japanese bankruptcy protection filing Feb. 28 that it had lost about 850,000 bitcoins.
Neither Karpeles nor Mt. Gox officials could immediately be reached to verify the claims.
Karpeles has maintained a low profile since the filing in Tokyo District Court. Mt. Gox, which pulled the plug on its website three days before the court filing, had announced that about 750,000 customer bitcoins it held are missing along with 100,000 of its own bitcoins and $27.3 million in customer deposits.
Karpeles’ blog was titled “Magical Tux in Japan—Geekness brought me to Japan!” Karpeles, who is French, often used the nickname “MagicalTux” when posting on public message or chat forums. His blog went offline on Sunday shortly after it was attacked.
Karpeles did not immediately answer a query sent to his personal email address.
The attackers claim to have obtained database records containing transaction details from Mt. Gox. They wrote they purposely withheld users’ personal data. Mt. Gox had as many as 1 million customers as of December.
The data included a screenshot of what appears to be an internal SQL database administration tool, Karpeles’ CV and a Windows executable called “TibanneBackOffice,” among many others. Mt. Gox is a subsidiary of Tibanne, a company owned by Karpeles.
The release of the data adds to the mysterious circumstances around Mt. Gox, which at one time was the largest exchange for buying and selling bitcoin.
Mt. Gox’s demise has enraged its out-of-pocket customers as efforts continue to derive clues from bitcoin’s public ledger, called the blockchain, that might indicate the fate of its virtual currency holdings.
Concerned about the government’s increasing surveillance powers but unimpressed with the congressional response in Washington so far, state lawmakers from both major political parties are now taking it upon themselves to protect the online and communication privacy of their constituents.
Meanwhile, individuals and privacy groups are planning their own grassroots response to mass surveillance, hoping to repeat past victories by harnessing the power of digital communications to ensure they are adequately protected from government overreach.
As the Associated Press reports Wednesday, efforts now underway “in at least 14 states are a direct message to the federal government: If you don’t take action to strengthen privacy, we will.”
According to AP:
Republican and Democratic lawmakers have joined in proposing the measures, reflecting the unusual mix of political partnerships that have arisen since the NSA revelations that began in May. Establishment leadership has generally favored the programs, while conservative limited government advocates and liberal privacy supporters have opposed them.
Supporters say the measures are needed because technology has grown to the point that police can digitally track someone’s every move.
Devices such as license plate readers and cellphone trackers “can tell whether you stayed in a motel that specializes in hourly rates, or you stopped at a tavern that has nude dancers,” said David Fidanque, director of the American Civil Liberties Union of Oregon.
“It’s one thing to know you haven’t violated the law, but it’s another thing to know you haven’t had every one of your moves tracked,” he said.
Next week, on February 11, privacy advocates and online freedom groups are mobilizing against NSA and other government surveillance in a day of action they’ve dubbed ‘The Day We Fight Back.’
According to Katitza Rodriguez at the Electronic Frontier Foundation, one of the groups organizing the action, those participating will be demanding “an end to mass surveillance in every country, by every state, regardless of boundaries or politics.”
Galvanized by a set of 13 Principles of internet and communication freedoms, activists will use the day to call attention to those goals, lobby on their behalf with their representatives, and declare an end to the encroaching, unaccountable, and unregulated surveillance apparatus.
“The Principles spell out just why mass surveillance is a violation of human rights,” explained Rodriguez, and they “give sympathetic lawmakers and judges a list of fixes they could apply to the lawless Internet spooks. On the day we fight back, we want the world to sign onto those principles. We want politicians to pledge to uphold them. We want the world to see we care.”
Some of the biggest names in cryptography and computer science just released an open letter condemning the surveillance practices of the U.S government. “Media reports since last June have revealed that the US government conducts domestic and international surveillance on a massive scale, that it engages in deliberate and covert weakening of Internet security standards, and that it pressures US technology companies to deploy backdoors and other data-collection features,” said a statement posted to masssurveillance.info. “As leading members of the US cryptography and information-security research communities, we deplore these practices and urge that they be changed.”
In a speech last week, President Obama addressed concerns related to NSA’s 215 domestic phone records collection program, but he did not remark on reports that the U.S. government had weakened encryption as part of its practices.
An open letter today from a large group of professors – top US computer security and cryptography researchers – slams the damage to security caused by NSA spying:
Inserting backdoors, sabotaging standards, and tapping commercial data-center links provide bad actors, foreign and domestic, opportunities to exploit the resulting vulnerabilities.
The value of society-wide surveillance in preventing terrorism is unclear, but the threat that such surveillance poses to privacy, democracy, and the US technology sector is readily apparent. Because transparency and public consent are at the core of our democracy, we call upon the US government to subject all mass-surveillance activities to public scrutiny and to resist the deployment of mass-surveillance programs in advance of sound technical and social controls. In finding a way forward, the five principles promulgated at http://reformgovernmentsurveillance.com/ [a site launched by Google, Apple, Microsoft, Twitter, Facebook, AOL, Yahoo and LinkedIn] provide a good starting point.
The choice is not whether to allow the NSA to spy. The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users. Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life. We urge the US government to reject society-wide surveillance and the subversion of security technology, to adopt state-of-the-art, privacy-preserving technology, and to ensure that new policies, guided by enunciated principles, support human rights, trustworthy commerce, and technical innovation.
The Washington Post notes that these are some of the top names in computer cryptography and security, including heavyweights in the government.
Many other top security experts agree:
“By weakening encryption, the NSA allows others to more easily break it. By installing backdoors and other vulnerabilities in systems, the NSA exposes them to other malicious hackers—whether they are foreign governments or criminals. As security expert Bruce Schneier explained, ‘It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create.’”