The petition to repeal the Surveillance laws has now passed 119,000 signatures.
'A bill allowing UK intelligence agencies and police unprecedented levels of power regarding the surveillance of UK citizens has recently passed and is awaiting royal assent, making it law.
This means it's not too late!
This is an absolute disgrace to both privacy and freedom and needs to stop!'
Jim Killock, director of the Open Rights Group, wrote in a blog post for the Huffington Post that "not all of the bill is completely bad" but that the issue of data retention and security needed addressing.
He described the creation of a database of internet connection records that was searchable by the authorities as "incredibly intrusive".
The black hat hacker who claimed responsibility for the Hacking Team hack has published details on how he did the hack. The Hacking Team are a group whose services include helping governments spear phish their opponents. Some say this is reason enough for them to be taken down.
The hacker says that he discarded the idea of spear-phishing Hacking Team, writing that even though the technique is "responsible for the majority of hacks these days... I didn't want to try to spear phish Hacking Team, as their whole business is helping governments spear phish their opponents, so they'd be much more likely to recognise and investigate a spear phishing attempt."
To make things challenging, Hacking Team appears to have secured their networks quite well. Hacking Team did not expose much to the outside world: an up-to-date version of Joomla, "a mail server, a couple routers, two VPN appliances, and a spam filtering appliance."
So, the hacker explains, three options presented themselves: "look for a zero-day in Joomla, look for a zero-day in postfix, or look for a zero-day in one of the embedded devices."
"A zero-day in an embedded device seemed like the easiest option," the hacker added, "and after two weeks of work reverse engineering, I got a remote root exploit."
From there he managed to get deeper into their systems. I include out of interest a copy of how he did it.
Interesting to note that he decided against attacking Joomla.
Regarding my recent article /news/28-tor-talk-pulled, it seems there was more going on, as expected.
In a court case it has been revealed that the FBI made the security researchers hand over data to help identify the people suspected of using Tor, and that those people were raided after the talk did not go ahead.
I leave it there to draw your own conclusions but, as mentioned, keeping Tor and the related software updated is important. The FBI were of course going after the admins of Silk Road 2.0 and other sites, which could be a good thing. What do you think? Comments please.
A talk at the Black Hat conference in the USA about Tor was pulled. A statement on the Black Hat website explains:
'For more than 16 years, Black Hat has provided a venue for attendees and the larger community to find the very latest in information security research, developments and trends. We strive to deliver one of the most empirically selected lineups of content in the industry. One of our selected talks, "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" by CERT/Carnegie Mellon researcher Alexander Volynkin was scheduled for a Briefing at Black Hat USA this August in Las Vegas. Late last week, we were informed by the legal counsel for the Software Engineering Institute (SEI) and Carnegie Mellon University that: "Unfortunately, Mr. Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet approved by CMU/SEI for public release."'
Further to that, Roger Dingledine, one of Tor's creators, subsequently posted a message to a mailing list confirming that he and his colleagues had "no idea the talk would be pulled".
> > 1) We did not ask Black Hat or CERT to cancel the talk. We did (and
> > still do) have questions for the presenter and for CERT about some
> > aspects of the research
>
> Does that imply that the exploited "weakness" is not yet fully
> understood by you (core developers)? (which also would imply that
> there is no "fix" yet)

I think I have a handle on what they did, and how to fix it. We've been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they'd opted to tell us everything. The main reason for trying to be delicate is that I don't want to discourage future researchers from telling us about neat things that they find. I'm currently waiting for them to answer their mail so I can proceed.

> Also (if you can anticipate that ahead of the coordinated disclosures):
>
> Should relay ops get ready to deploy a critical patch?
> Should users get ready to update their Tor Browser Bundles soon?
> Will there be a "fix" at all?

Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world. And of course these things are never as simple as "close that one bug and you're 100% safe".

Less vague sentences soon I hope,
--Roger
All very strange. My suggestion: keep up to date on the Tor bundle software.
The latest revelations from the Snowden Files by Glenn Greenwald over at The Intercept detail GCHQ's capabilities in its Joint Threat Research Intelligence Group (JTRIG).
Here are the programs Greenwald highlights:
- “Change outcome of online polls” (UNDERPASS)
- “Mass delivery of email messaging to support an Information Operations campaign” (BADGER) and “mass delivery of SMS messages to support an Information Operations campaign” (WARPATH)
- “Disruption of video-based websites hosting extremist content through concerted target discovery and content removal.” (SILVERLORD)
- “Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.” (MINIATURE HERO)
- “Find private photographs of targets on Facebook” (SPRING BISHOP)
- “A tool that will permanently disable a target’s account on their computer” (ANGRY PIRATE)
- “Ability to artificially increase traffic to a website” (GATEWAY) and “ability to inflate page views on websites” (SLIPSTREAM)
- “Amplification of a given message, normally video, on popular multimedia websites (Youtube)” (GESTATOR)
- “Targeted Denial Of Service against Web Servers” (PREDATORS FACE) and “Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG” (ROLLING THUNDER)
- “A suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk)” (ELATE)
- “Ability to spoof any email address and send email under that identity” (CHANGELING)
- “For connecting two target phone together in a call” (IMPERIAL BARGE)