Encryption

Generate Memorizable Passphrases That Even the NSA Can't Guess 256

Posted by timothy
from the exercise-for-the-reader dept.
HughPickens.com writes Micah Lee writes at The Intercept that coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you'll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion. But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You'll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You'll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like "cap liz donna demon self", "bang vivo thread duct knob train", and "brig alert rope welsh foss rang orb". If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use fewer words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

After you've generated your passphrase, the next step is to commit it to memory. You should write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn't take more than two or three days before you no longer need the paper, at which point you should destroy it. "Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It's a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."
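The arithmetic behind the summary above (7,776 words, five dice per word, average crack time at a trillion guesses per second) and the roll-to-word lookup, as an added worked example; this is not code from The Intercept or from the Diceware project. The real Diceware list is not embedded here: a constructed placeholder list stands in for it, and a CSPRNG dice roll from Python's `secrets` module stands in for the physical dice the article recommends.

```python
"""Added example: Diceware-style passphrase maths and dice-roll lookup.

Assumptions (not from the original story): the placeholder word list below
is constructed and merely has the right size; `roll_word_key` uses software
dice where the article says to use real ones.
"""
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 7,776 entries, as in the Diceware list


def rolls_to_index(rolls):
    """Map five dice values (each 1..6) to a 0-based list index.

    The Diceware list keys each word with a five-digit number from "11111" to
    "66666"; the digits are read as base 6 with 1 standing for the zero digit.
    """
    if len(rolls) != ROLLS_PER_WORD:
        raise ValueError(f"need exactly {ROLLS_PER_WORD} rolls, got {len(rolls)}")
    index = 0
    for r in rolls:
        if not 1 <= r <= DICE_SIDES:
            raise ValueError(f"dice value out of range: {r}")
        index = index * DICE_SIDES + (r - 1)
    return index


def roll_word_key():
    """Roll five dice with a CSPRNG (stand-in for physical dice) and return them."""
    return [secrets.randbelow(DICE_SIDES) + 1 for _ in range(ROLLS_PER_WORD)]


def keyspace(word_count, list_size=LIST_SIZE):
    """Number of distinct passphrases of `word_count` words drawn from the list."""
    return list_size ** word_count


def entropy_bits(word_count, list_size=LIST_SIZE):
    """Entropy in bits, i.e. log2 of the keyspace (about 12.9 bits per word)."""
    return word_count * math.log2(list_size)


def average_crack_seconds(word_count, guesses_per_second):
    """Expected time to hit the passphrase: on average half the keyspace is searched."""
    return keyspace(word_count) / 2 / guesses_per_second


def average_crack_years(word_count, guesses_per_second, seconds_per_year=365 * 86400):
    """Same as above, expressed in (365-day) years."""
    return average_crack_seconds(word_count, guesses_per_second) / seconds_per_year


def make_passphrase(word_count, wordlist, roller=roll_word_key):
    """Build a passphrase by rolling five dice per word and looking each roll up."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("word list must have exactly 7,776 entries")
    return " ".join(wordlist[rolls_to_index(roller())] for _ in range(word_count))


# Constructed placeholder list: the real Diceware list pairs each of these
# 7,776 roll keys with an English word; these tokens only have the right count.
PLACEHOLDER_WORDLIST = [f"w{i:04d}" for i in range(LIST_SIZE)]

if __name__ == "__main__":
    rate = 10 ** 12  # the article's adversary: one trillion guesses per second
    for n in (2, 5, 6):
        print(f"{n} words: {keyspace(n):,} passphrases, "
              f"{entropy_bits(n):.1f} bits, "
              f"avg crack {average_crack_years(n, rate):.2f} years")
    print(make_passphrase(6, PLACEHOLDER_WORDLIST))
```

Running it reproduces the summary's figures: two words give 60,466,176 passphrases, five words fall in roughly 165 days on average, and six words take about 3,505 years at that rate; adding a word multiplies the attacker's work by 7,776.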
Government

New Bill Would Repeal Patriot Act 185

Posted by Soulskill
from the would-also-bake-cookies-for-every-citizen dept.
schwit1 points out a new piece of bipartisan legislation that aims to repeal the Patriot Act and the FISA Amendments Act, which the NSA has used to justify broad domestic surveillance. House Representatives Thomas Massie (R-KY) and Mark Pocan (D-WI) introduced the bill yesterday, calling it the Surveillance State Repeal Act (PDF). Pocan said, "This isn't just tinkering around the edges. This is a meaningful overhaul of the system, getting rid of essentially all parameters of the Patriot Act." The bill also attempts to dramatically strengthen whistleblower protections, so situations like Edward Snowden's and Thomas Drake's don't happen in the future. This legislation is not expected to get the support of Congressional leaders, but supporters hope it will at least inspire some debate about several provisions of the Patriot Act coming up for renewal in June.
Canada

Leaked Snowden Docs Show Canada's "False Flag" Operations 202

Posted by samzenpus
from the it-wasn't-us dept.
An anonymous reader writes Documents leaked by NSA whistleblower Edward Snowden to the Canadian Broadcasting Corporation and The Intercept show the extent to which Communications Security Establishment Canada (CSEC) cooperates with the NSA — and perhaps most interestingly details CSEC's "false flag" operations, whereby cyberattacks are designed and carried out with the intention of attribution to another individual, group or nation state. The revelations come in the midst of Canadian controversy regarding the C-51 anti-terrorism bill.
Government

Government Spies Admit That Cyber Armageddon Is Unlikely 70

Posted by timothy
from the only-as-far-as-you-can-throw-them dept.
Nicola Hahn writes NSA director Mike Rogers spoke to a Senate Committee [Thursday], admonishing them that the United States should bolster its offensive cyber capabilities to deter attacks. Never mind that deterrence is problematic if you can't identify the people who attacked you. In the past a speech by a spymaster like Rogers would have been laced with hyperbolic intimations of the End Times. Indeed, for almost a decade mainstream news outlets have conveyed a litany of cyber doomsday scenarios on behalf of ostensibly credible public officials. So it's interesting to note a recent statement by the U.S. intelligence community that pours a bucket of cold water over all of this. According to government spies the likelihood of a cyber Armageddon is "remote." And this raises some unsettling questions about our ability to trust government officials and why they might be tempted to fall back on such blatant hyperbole.
Government

German Vice Chancellor: the US Threatened Us Over Snowden 337

Posted by Soulskill
from the apparently-that-works-pretty-well dept.
siddesu sends this report from The Intercept: German Vice Chancellor Sigmar Gabriel said this week in Homburg that the U.S. government threatened to cease sharing intelligence with Germany if Berlin offered asylum to NSA whistleblower Edward Snowden or otherwise arranged for him to travel to that country. 'They told us they would stop notifying us of plots and other intelligence matters,' Gabriel said.
Government

To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses 296

Posted by timothy
from the name-is-smith-john-smith dept.
An anonymous reader writes with this news snipped from The Register: Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers. The interception campaign was revealed last May. Speaking at a Cisco Live press panel in Melbourne today, Stewart says the Borg will ship to fake identities for its most sensitive customers, in the hope that the NSA's interceptions are targeted. 'We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who, ultimately, it is going to,' Stewart says.
Security

Ex-NSA Researcher Claims That DLL-Style Attacks Work Just Fine On OS X 93

Posted by timothy
from the it's-a-feature dept.
An anonymous reader writes Ex-NSA and NASA researcher Patrick Wardle claims to have developed a reliable technique of Shared Library replacement which renders Apple's OSX operating system just as vulnerable to exploitation as Windows has been (via its 'DLL' shared libraries) for years. Speaking at CanSecWest, Wardle explained that Apple's refusal to encrypt software downloads via its App Store allows an attacker on the same network to inject a malicious 'dylib' (shared library) without altering the hash of the legitimate-but-vulnerable software, thereby leaving the Developer ID signature intact. Wardle ran a crafted Python script on a typical Mac and discovered 150 dylib-dependent applications, including Apple's own Xcode developer environment — revealed last week by Edward Snowden to be a priority target for the NSA due to its ability to propagate compromised software.
United Kingdom

GCHQ Builds a Raspberry Pi Super Computer Cluster 68

Posted by samzenpus
from the building-it-better dept.
mikejuk writes GCHQ, the UK equivalent of the NSA, has created a 66 Raspberry Pi cluster called the Bramble for "educational" purposes. What educational purposes isn't exactly clear but you do associate super computers with spooks and spies. It seems that there was an internal competition to invent something and three, unnamed, GCHQ technologists decided that other Pi clusters were too ad-hoc. They set themselves the target of creating a cluster that could be reproduced as a standard architecture to create a commodity cluster. The basic unit of the cluster is a set of eight networked Pis, called an "OctaPi". Each OctaPi can be used standalone or hooked up to make a bigger cluster. In the case of the Bramble a total of eight OctaPis makes the cluster 64 processors strong. In addition there are two head control nodes, which couple the cluster to the outside world. Each head node has one Pi, a wired and WiFi connection, realtime clock, a touch screen and a camera. This is where the story becomes really interesting. Rather than just adopt a standard cluster application like Hadoop, OctaPi's creators decided to develop their own. After three iterations, the software to manage the cluster is now based on Node.js, Bootstrap and Angular. So what is it all for? The press release says that: "The initial aim for the cluster was as a teaching tool for GCHQ's software engineering community....The ultimate aim is to use the OctaPi concept in schools to help teach efficient and effective programming."
Privacy

Senator: 'Plenty' of Domestic Surveillance We Still Don't Know About 107

Posted by Soulskill
from the they're-watching-you-right-now dept.
An anonymous reader writes: In a recent interview, Senator Ron Wyden (D-OR) has complained about the Obama administration's failure to shut down the NSA's bulk collection of phone metadata. This program and most other programs we've heard of were disclosed by Edward Snowden. But Snowden couldn't tell us everything. When asked if there were further domestic surveillance programs about which the public knows nothing, Senator Wyden said, "Yeah, there's plenty of stuff." The ones he knows about are classified, so he couldn't elaborate. "Even in cases where the public has been informed of government practices, Wyden warned the government still collects far too much information on millions of citizens with virtually no accountability."
Government

Mass Surveillance: Can We Blame It All On the Government? 123

Posted by timothy
from the moral-amoral-immoral dept.
Nicola Hahn writes Yet another news report has emerged detailing how the CIA is actively subverting low-level encryption features in mainstream hi-tech products. Responding to the story, an unnamed intelligence official essentially shrugged his shoulders and commented that "there's a whole world of devices out there, and that's what we're going to do." Perhaps this sort of cavalier dismissal isn't surprising given that leaked classified documents indicate that government intelligence officers view iPhone users as 'Zombies' who pay for their own surveillance.

The past year or so of revelations paints a pretty damning portrait of the NSA and CIA. But if you read the Intercept's coverage of the CIA's subversion projects carefully you'll notice mention of Lockheed Martin. And this raises a question that hasn't received much attention: what role does corporate America play in all of this? Are American companies simply hapless pawns of a runaway national security state? Ed Snowden has stated that mass surveillance is "about economic spying, social control, and diplomatic manipulation. They're about power." A sentiment which has been echoed by others. Who, then, stands to gain from mass surveillance?
Security

New Evidence Strengthens NSA Ties To Equation Group Malware 129

Posted by Soulskill
from the tax-funded-hacks dept.
An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."
Cellphones

CIA Tried To Crack Security of Apple Devices 119

Posted by timothy
from the hey-fellas-we-were-expecting-you dept.
According to a story at The Guardian passed on by an anonymous reader, the CIA led sophisticated intelligence agency efforts to undermine the encryption used in Apple phones, as well as insert secret surveillance back doors into apps, top-secret documents published by the Intercept online news site have revealed. The newly disclosed documents from the National Security Agency's internal systems show surveillance methods were presented at its secret annual conference, known as the "jamboree."
Communications

Wikimedia Foundation Files Suit Against NSA and DOJ 103

Posted by timothy
from the marked-for-redaction dept.
jrepin sends along the news (excerpted from the Wikimedia Foundation's blog) that today, the Wikimedia Foundation is filing suit against the National Security Agency (NSA) and the Department of Justice (DOJ) of the United States. The lawsuit challenges the NSA's mass surveillance program, and specifically its large-scale search and seizure of internet communications — frequently referred to as "upstream" surveillance. Our aim in filing this suit is to end this mass surveillance program in order to protect the rights of our users around the world. We are joined by eight other organizations and represented by the American Civil Liberties Union (ACLU).
Books

Book Review: Data and Goliath 51

Posted by samzenpus
from the read-all-about-it dept.
benrothke writes In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, author Bruce Schneier could have justifiably written an angry diatribe full of vitriol against President Obama and the NSA for their wholesale spying on innocent Americans and violations of myriad laws. Instead, he has written a thoroughly convincing and brilliant book about big data, mass surveillance and the ensuing privacy dangers facing everyone. A comment like "what's the big deal?" often indicates a naiveté about a serious, significant underlying issue. The idea that if you have nothing to hide you have nothing to fear is a dangerously narrow concept of the value of privacy. For many people the notion that the NSA was spying on Americans was perceived as not being a big deal, since if a person is innocent, then what do they have to worry about? In the book, Schneier debunks that myth and many others, and defends the importance of privacy. Keep reading for the rest of Ben's review.
The Internet

NSA Director Argues For "Red Button" Autonomy Against Unattributed Cyber-Attacks 107

Posted by samzenpus
from the candy-like-shiny-red-button dept.
An anonymous reader writes U.S. Navy Adm. Michael S. Rogers — director of the National Security Agency and Commander of United States Cyber Command (USCYBERCOM) — has suggested that cyber-attacks can begin and escalate so quickly that USCYBERCOM would need powers to retaliate immediately, without (as it is currently obliged) referring the matter to the United States Strategic Command. In testimony to the "House Armed Services Committee on cyber operations and improving the military's cybersecurity posture" on March 4th, Adm. Rogers argues for "development of defensive options which do not require full attribution to meet the requirements of law and international agreement."
Government

New Zealand Spied On Nearly Two Dozen Pacific Countries 129

Posted by samzenpus
from the keep-your-eyes-on-your-own-paper dept.
An anonymous reader writes New documents from Edward Snowden indicate New Zealand undertook "full take" interception of communications from Pacific nations and forwarded the data to the NSA. The data, collected by New Zealand's Government Communications Security Bureau, was then fed into the NSA's XKeyscore search engine to allow analysts to trawl for intelligence. The New Zealand link helped flesh out the NSA's ambitions to intercept communications globally.
Privacy

Schneier: Either Everyone Is Cyber-secure Or No One Is 130

Posted by Soulskill
from the nobody's-safe-except-the-amish dept.
Presto Vivace sends a new essay from Bruce Schneier called "The Democratization of Cyberattack." Quoting: When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers. Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. ... We can't choose a world where the U.S. gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.
Encryption

FREAK Attack Threatens SSL Clients 89

Posted by Soulskill
from the another-day-another-vuln dept.
msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.
Data Storage

Ask Slashdot: How Does One Verify Hard Drive Firmware? 324

Posted by Soulskill
from the very-carefully dept.
An anonymous reader writes: In light of recent revelations from Kaspersky Labs about the Equation Group and persistent hard drive malware, I was curious about how easy it might be to verify my own system's drives to see if they were infected. I have no real reason to think they would be, but I was dismayed by the total lack of tools to independently verify such a thing. For instance, Seagate's firmware download pages provide files with no external hash, something Linux distributions do for all of their packages. Neither do they seem to provide a utility to read off the current firmware from a drive and verify its integrity.

Are there any utilities to do such a thing? Why don't these companies provide verification software to users? Has anyone compiled and posted a public list of known-good firmware hashes for the major hard drive vendors and models? This seems to be a critical hole in PC security. I did contact Seagate support asking for hashes of their latest firmware; I got a response stating, "...If you download the firmware directly from our website there is no risk on the file be tampered with." (Their phrasing, not mine.) Methinks somebody hasn't been keeping up with world events lately.
Privacy

NSA Spying Wins Another Rubber Stamp 87

Posted by Soulskill
from the once-more-unto-the-privacy-breach dept.
schwit1 sends this report from the National Journal: A federal court has again renewed an order allowing the National Security Agency to continue its bulk collection of Americans' phone records, a decision that comes more than a year after President Obama pledged to end the controversial program. The Foreign Intelligence Surveillance Court approved this week a government request to keep the NSA's mass surveillance of U.S. phone metadata operating until June 1, coinciding with when the legal authority for the program is set to expire in Congress. The extension is the fifth of its kind since Obama said he would effectively end the Snowden-exposed program as it currently exists during a major policy speech in January 2014. Obama and senior administration officials have repeatedly insisted that they will not act alone to end the program without Congress.