Communications

Questioning the Dispute Over Key Escrow 82 82

Nicola Hahn writes: The topic of key escrow encryption has once again taken center stage as former Secretary of Homeland Security Michael Chertoff has spoken out against key escrow both at this year's Aspen Security Forum and in an op-ed published recently by the Washington Post. However, the debate over cryptographic back doors has a glaring blind spot. As the trove of leaks from Hacking Team highlights, most back doors are implemented using zero-day exploits. Keep in mind that the Snowden documents reveal cooperation across the tech industry, on behalf of the NSA, to make products that were "exploitable." Hence, there are people who suggest the whole discussion over key escrow includes an element of theater. Is it, among other things, a public relations gambit, in the wake of the PRISM scandal, intended to cast Silicon Valley companies as defenders of privacy?
United States

Germany Won't Prosecute NSA, But Bloggers 107 107

tmk writes: Despite plenty of evidence that the U.S. spied on German top government officials, German Federal Prosecutor General Harald Range has declined to investigate any wrongdoings of the secret services of allied nations like the NSA or the British GCHQ. But after plans of the German secret service "Bundesamt für Verfassungsschutz" to gain some cyper spy capabilities like the NSA were revealed by the blog netzpolitik.org, Hange started an official investigation against the bloggers and their sources. They are now being probed for possible treason charges.
Supercomputing

Obama's New Executive Order Says the US Must Build an Exascale Supercomputer 220 220

Jason Koebler writes: President Obama has signed an executive order authorizing a new supercomputing research initiative with the goal of creating the fastest supercomputers ever devised. The National Strategic Computing Initiative, or NSCI, will attempt to build the first ever exascale computer, 30 times faster than today's fastest supercomputer. Motherboard reports: "The initiative will primarily be a partnership between the Department of Energy, Department of Defense, and National Science Foundation, which will be designing supercomputers primarily for use by NASA, the FBI, the National Institutes of Health, the Department of Homeland Security, and NOAA. Each of those agencies will be allowed to provide input during the early stages of the development of these new computers."
Government

Two Years Later, White House Responds To 'Pardon Edward Snowden' Petition 596 596

An anonymous reader writes: In June of 2013, a petition was posted to Whitehouse.gov demanding that Edward Snowden receive a full pardon for his leaks about the NSA and U.S. surveillance practices. The petition swiftly passed 100,000 signatures — the point at which the White House said it would officially respond to such petitions. For two years, the administration was silent, but now they've finally responded. In short: No, Edward Snowden won't be receiving a pardon.

Lisa Monaco, the President's Advisor on Homeland Security and Counterterrorism, said, "Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country and the people who work day in and day out to protect it. If he felt his actions were consistent with civil disobedience, then he should do what those who have taken issue with their own government do: Challenge it, speak out, engage in a constructive act of protest, and — importantly — accept the consequences of his actions. He should come home to the United States, and be judged by a jury of his peers — not hide behind the cover of an authoritarian regime. Right now, he's running away from the consequences of his actions."
Government

NSA Releases Open Source Security Tool For Linux 105 105

Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release.
Privacy

Anonymizing Wi-Fi Device Project Unexpectedly Halted 138 138

An anonymous reader notes that a project to develop an anonymizing Wi-Fi device has been canceled under mysterious circumstances. The device, called Proxyham, was unveiled a couple weeks ago by Rhino Security Labs. They said it would use low-frequency radio channels to connect a computer to public Wi-Fi hotspots up to 2.5 miles away, thus obscuring a user's actual location. But a few days ago the company announced it would be halting development and canceling a talk about it at Def Con, which would have been followed with a release of schematics and source code. They apologized, but appear to be unable to say anything further.

"In fact, all [the speaker] can say is that the talk is canceled, the ProxyHam source code and documentation will never be made public, and the ProxyHam units developed for Las Vegas have been destroyed. The banner at the top of the Rhino Security website promoting ProxyHam has gone away too. It's almost as if someone were trying to pretend the tool never existed." The CSO article speculates that a government agency killed the project and issued a gag order about it. A post at Hackaday calls this idea absurd and discusses the hardware needed to build a Proxyham. They say using it would be "a violation of the Computer Fraud & Abuse Act, and using encryption over radio violates FCC regulations. That’s illegal, it will get you a few federal charges — but so will blowing up a mailbox with some firecrackers." They add, "What you’re seeing is just the annual network security circus and it’s nothing but a show."
Government

Eric Holder Says DoJ Could Strike Deal With Snowden; Current AG Takes Hard Line 194 194

cold fjord writes with the report at Yahoo that Former Attorney General Eric Holder said today that a "possibility exists" for the Justice Department to cut a deal with ... Edward Snowden that would allow him to return to the United States ... Holder said "we are in a different place as a result of the Snowden disclosures" and that "his actions spurred a necessary debate" that prompted President Obama and Congress to change policies ... "I certainly think there could be a basis for a resolution that everybody could ultimately be satisfied with. I think the possibility exists." A representative of current Attorney General Loretta Lynch, though, said that there has been no change in the government's position ("This is an ongoing case so I am not going to get into specific details but I can say our position regarding bringing Edward Snowden back to the United States to face charges has not changed."), Holder's musings aside. As the article points out, too, "any suggestion of leniency toward Snowden would likely run into strong political opposition in Congress as well as fierce resistance from hard-liners in the intelligence community."
Crime

In Response to Open Letter, France Rejects Asylum For Julian Assange 146 146

Several outlets report that Julian Assange has requested, but been denied, political asylum in France, by means of an open letter published by Le Monde. From The Globe and Mail's coverage, linked above: Less than an hour after his letter was published by Le Monde's website, Hollande's office issued a statement saying the asylum request was rejected.

"France has received the letter from Mr. Assange. An in-depth review shows that in view of the legal and material elements of Mr Assange's situation, France cannot grant his request," the statement said.

"The situation of Mr. Assange does not present any immediate danger. He is also the target of a European arrest warrant," it noted.

Assange wrote in the letter that his youngest child is French, and so is the child’s mother. "I haven't been able to see them in five years, since the political persecution against me started," he said.
Worth noting: Assange's legal team says that Assange's letter has been mischaracterized, and that it is in fact not a request for asylum per se; instead, they assert, the letter merely expresses Assange's "willingness 'to be hosted in France if and only if an initiative was taken by the competent authorities.'"
Security

Amazon's New SSL/TLS Implementation In 6,000 Lines of Code 107 107

bmearns writes: Amazon has announced a new library called "s2n," an open source implementation of SSL/TLS, the cryptographic security protocols behind HTTPS, SSH, SFTP, secure SMTP, and many others. Weighing in at about 6k lines of code, it's just a little more than 1% the size of OpenSSL, which is really good news in terms of security auditing and testing. OpenSSL isn't going away, and Amazon has made clear that they will continue to support it. Notably, s2n does not provide all the additional cryptographic functions that OpenSSL provides in libcrypto, it only provides the SSL/TLS functions. Further more, it implements a relatively small subset of SSL/TLS features compared to OpenSSL.
Privacy

Surveillance Court: NSA Can Resume Bulk Surveillance 161 161

An anonymous reader writes: We all celebrated back in May when a federal court ruled the NSA's phone surveillance illegal, and again at the beginning of June, when the Patriot Act expired, ending authorization for that surveillance. Unfortunately, the NY Times now reports on a ruling from the Foreign Intelligence Surveillance Court, which concluded that the NSA may temporarily resume bulk collection of metadata about U.S. citizens's phone calls. From the article: "In a 26-page opinion (PDF) made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said that the Second Circuit was wrong, too. 'Second Circuit rulings are not binding' on the surveillance court, he wrote, 'and this court respectfully disagrees with that court's analysis, especially in view of the intervening enactment of the U.S.A. Freedom Act.' When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying that it would be prudent to see what Congress did as Section 215 neared its June 1 expiration."
Businesses

Cisco To Acquire OpenDNS 147 147

New submitter Tokolosh writes: Both Cisco and OpenDNS announced today that the former is to acquire the latter. From the Cisco announcement: "To build on Cisco's advanced threat protection capabilities, we plan to continue to innovate a cloud delivered Security platform integrating OpenDNS' key capabilities to accelerate that work. Over time, we will look to unite our cloud-delivered solutions, enhancing Cisco's advanced threat protection capabilities across the full attack continuum—before, during and after an attack." With Cisco well-embedded with the US security apparatus (NSA, CIA, FBI, etc.) is it time to seek out alternatives to OpenDNS?
Security

UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers 65 65

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly Russian researchers have exposed the breakthrough U.S. spying program few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.
Encryption

Cisco Security Appliances Found To Have Default SSH Keys 112 112

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free reign on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
United States

France Could Offer Asylum To Assange, Snowden 213 213

HughPickens.com writes: The Intercept reports that in the aftermath of the NSA's sweeping surveillance of three French presidents, French Justice Minister Christiane Taubira thinks National Security Agency whistleblower Edward Snowden and WikiLeaks founder Julian Assange might be allowed to settle in France. Taubira was asked about the NSA's surveillance of three French presidents, disclosed by WikiLeaks this week, and called it an "unspeakable practice." Taubira's comments echoed those in an editorial in France's leftist newspaper Libération that France should respond to the U.S.'s "contempt" for its allies by giving Edward Snowden asylum. France would send "a clear and useful message to Washington, by granting this bold whistleblower the asylum to which he is entitled," wrote editor Laurent Joffrin in an angry editorial titled "Un seul geste" — or "A single gesture." (google translate) If Paris offers Snowden asylum, it will be joining several other nations who have done so in the past, including Bolivia, Nicaragua and Venezuela. However, Snowden is still waiting in Moscow to hear from almost two dozen other countries where he has requested asylum.
Government

France, Up In Arms Over NSA Spying, Passes New Surveillance Law 80 80

An anonymous reader writes: French President Francois Hollande held an emergency meeting with top security officials to respond to WikiLeaks documents that say the NSA eavesdropped on French presidents. The documents published in Liberation and investigative website Mediapart include material that appeared to capture current president, François Hollande; the prime minister in 2012, Jean-Marc Ayrault; and former presidents Nicolas Sarkozy and Jacques Chirac, talking candidly about Greece's economy and relations with Germany. The Intercept reports: "Yet also today, the lower house of France's legislature, the National Assembly, passed a sweeping surveillance law. The law provides a new framework for the country's intelligence agencies to expand their surveillance activities. Opponents of the law were quick to mock the government for vigorously protesting being surveilled by one of the country's closest allies while passing a law that gives its own intelligence services vast powers with what its opponents regard as little oversight. But for those who support the new law, the new revelations of NSA spying showed the urgent need to update the tools available to France's spies."
United States

WikiLeaks: NSA Eavesdropped On the Last Three French Presidents 136 136

Earthquake Retrofit writes: The NY Times is reporting that WikiLeaks has released "material which appeared to capture officials in Paris talking candidly about Greece's economy, relations with Germany — and, ironically, American espionage." The information was leaked "a day before the French Parliament is expected to definitively pass a controversial security bill legalizing broad surveillance, particularly of terrorism suspects."
Security

New Snowden Leaks Show NSA Attacked Anti-Virus Software 98 98

New submitter Patricbranson writes: The NSA, along with its British counterpart Government Communications Headquarters (GCHQ), spent years reverse-engineering popular computer security software in order to spy on email and other electronic communications, according to the classified documents published by the online news site The Intercept. With various countries' spy agencies trying to make sure computers aren't secure (from their own intrusions, at least), it's no wonder that Kaspersky doesn't want to talk about who hacked them.
Privacy

Controversial GCHQ Unit Engaged In Domestic Law Enforcement, Online Propaganda 83 83

Advocatus Diaboli writes: Documents published by The Intercept on Monday reveal that a British spy unit purported by officials to be focused on foreign intelligence and counterterrorism, and notorious for using "controversial tactics, online propaganda and deceit,” focuses extensively on traditional law enforcement and domestic activities. The documents detail how the Joint Threat Research Intelligence Group (JTRIG) is involved in efforts against political groups it considers "extremist," Islamist activity in schools, the drug trade, online fraud, and financial scams. The story reads: "Though its existence was secret until last year, JTRIG quickly developed a distinctive profile in the public understanding, after documents from NSA whistleblower Edward Snowden revealed that the unit had engaged in 'dirty tricks' like deploying sexual 'honey traps' designed to discredit targets, launching denial-of-service attacks to shut down internet chat rooms, pushing veiled propaganda onto social networks, and generally warping discourse online."
China

Schneier: China and Russia Almost Definitely Have the Snowden Docs 157 157

cold fjord writes: Writing at Wired, Bruce Schneier states that he believes that China and Russia actually do have the Snowden documents, but that the path by which they got them may be different than what has been reported: "... The vulnerability is not Snowden; it's everyone who has access to the files. I've handled some of the Snowden documents myself, and even though I'm a paranoid cryptographer, I know how difficult it is to maintain perfect security. It's been open season on the computers of the journalists Snowden shared documents with since this story broke in July 2013. And while they have been taking extraordinary pains to secure those computers, it's almost certainly not enough to keep out the world's intelligence services. .... Which brings me to the second potential source of these documents to foreign intelligence agencies: the US and UK governments themselves. I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside."