Privacy

Surveillance Court: NSA Can Resume Bulk Surveillance 146

An anonymous reader writes: We all celebrated back in May when a federal court ruled the NSA's phone surveillance illegal, and again at the beginning of June, when the Patriot Act expired, ending authorization for that surveillance. Unfortunately, the NY Times now reports on a ruling from the Foreign Intelligence Surveillance Court, which concluded that the NSA may temporarily resume bulk collection of metadata about U.S. citizens' phone calls. From the article: "In a 26-page opinion (PDF) made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said that the Second Circuit was wrong, too. 'Second Circuit rulings are not binding' on the surveillance court, he wrote, 'and this court respectfully disagrees with that court's analysis, especially in view of the intervening enactment of the U.S.A. Freedom Act.' When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying that it would be prudent to see what Congress did as Section 215 neared its June 1 expiration."
Businesses

Cisco To Acquire OpenDNS 140

New submitter Tokolosh writes: Both Cisco and OpenDNS announced today that the former is to acquire the latter. From the Cisco announcement: "To build on Cisco's advanced threat protection capabilities, we plan to continue to innovate a cloud delivered Security platform integrating OpenDNS' key capabilities to accelerate that work. Over time, we will look to unite our cloud-delivered solutions, enhancing Cisco's advanced threat protection capabilities across the full attack continuum—before, during and after an attack." With Cisco well-embedded with the US security apparatus (NSA, CIA, FBI, etc.) is it time to seek out alternatives to OpenDNS?
Security

UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers 64

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly, Russian researchers have exposed the breakthrough U.S. spying program a few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.
Encryption

Cisco Security Appliances Found To Have Default SSH Keys 112

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
United States

France Could Offer Asylum To Assange, Snowden 212

HughPickens.com writes: The Intercept reports that in the aftermath of the NSA's sweeping surveillance of three French presidents, French Justice Minister Christiane Taubira thinks National Security Agency whistleblower Edward Snowden and WikiLeaks founder Julian Assange might be allowed to settle in France. Taubira was asked about the NSA's surveillance of three French presidents, disclosed by WikiLeaks this week, and called it an "unspeakable practice." Taubira's comments echoed those in an editorial in France's leftist newspaper Libération that France should respond to the U.S.'s "contempt" for its allies by giving Edward Snowden asylum. France would send "a clear and useful message to Washington, by granting this bold whistleblower the asylum to which he is entitled," wrote editor Laurent Joffrin in an angry editorial titled "Un seul geste" — or "A single gesture." (google translate) If Paris offers Snowden asylum, it will be joining several other nations who have done so in the past, including Bolivia, Nicaragua and Venezuela. However, Snowden is still waiting in Moscow to hear from almost two dozen other countries where he has requested asylum.
Government

France, Up In Arms Over NSA Spying, Passes New Surveillance Law 80

An anonymous reader writes: French President Francois Hollande held an emergency meeting with top security officials to respond to WikiLeaks documents that say the NSA eavesdropped on French presidents. The documents published in Liberation and investigative website Mediapart include material that appeared to capture current president, François Hollande; the prime minister in 2012, Jean-Marc Ayrault; and former presidents Nicolas Sarkozy and Jacques Chirac, talking candidly about Greece's economy and relations with Germany. The Intercept reports: "Yet also today, the lower house of France's legislature, the National Assembly, passed a sweeping surveillance law. The law provides a new framework for the country's intelligence agencies to expand their surveillance activities. Opponents of the law were quick to mock the government for vigorously protesting being surveilled by one of the country's closest allies while passing a law that gives its own intelligence services vast powers with what its opponents regard as little oversight. But for those who support the new law, the new revelations of NSA spying showed the urgent need to update the tools available to France's spies."
United States

WikiLeaks: NSA Eavesdropped On the Last Three French Presidents 136

Earthquake Retrofit writes: The NY Times is reporting that WikiLeaks has released "material which appeared to capture officials in Paris talking candidly about Greece's economy, relations with Germany — and, ironically, American espionage." The information was leaked "a day before the French Parliament is expected to definitively pass a controversial security bill legalizing broad surveillance, particularly of terrorism suspects."
Security

New Snowden Leaks Show NSA Attacked Anti-Virus Software 98

New submitter Patricbranson writes: The NSA, along with its British counterpart Government Communications Headquarters (GCHQ), spent years reverse-engineering popular computer security software in order to spy on email and other electronic communications, according to the classified documents published by the online news site The Intercept. With various countries' spy agencies trying to make sure computers aren't secure (from their own intrusions, at least), it's no wonder that Kaspersky doesn't want to talk about who hacked them.
Privacy

Controversial GCHQ Unit Engaged In Domestic Law Enforcement, Online Propaganda 83

Advocatus Diaboli writes: Documents published by The Intercept on Monday reveal that a British spy unit purported by officials to be focused on foreign intelligence and counterterrorism, and notorious for using "controversial tactics, online propaganda and deceit," focuses extensively on traditional law enforcement and domestic activities. The documents detail how the Joint Threat Research Intelligence Group (JTRIG) is involved in efforts against political groups it considers "extremist," Islamist activity in schools, the drug trade, online fraud, and financial scams. The story reads: "Though its existence was secret until last year, JTRIG quickly developed a distinctive profile in the public understanding, after documents from NSA whistleblower Edward Snowden revealed that the unit had engaged in 'dirty tricks' like deploying sexual 'honey traps' designed to discredit targets, launching denial-of-service attacks to shut down internet chat rooms, pushing veiled propaganda onto social networks, and generally warping discourse online."
China

Schneier: China and Russia Almost Definitely Have the Snowden Docs 157

cold fjord writes: Writing at Wired, Bruce Schneier states that he believes that China and Russia actually do have the Snowden documents, but that the path by which they got them may be different than what has been reported: "... The vulnerability is not Snowden; it's everyone who has access to the files. I've handled some of the Snowden documents myself, and even though I'm a paranoid cryptographer, I know how difficult it is to maintain perfect security. It's been open season on the computers of the journalists Snowden shared documents with since this story broke in July 2013. And while they have been taking extraordinary pains to secure those computers, it's almost certainly not enough to keep out the world's intelligence services. .... Which brings me to the second potential source of these documents to foreign intelligence agencies: the US and UK governments themselves. I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside."
Privacy

DuckDuckGo Sees Massive Growth In Post-Snowden World 112

DuckDuckGo, the privacy-oriented search engine, has been around for over six years. But when Edward Snowden revealed the extent of NSA surveillance in 2013, DuckDuckGo started a period of strong growth that hasn't slowed yet. The search engine has seen a 600% increase in traffic over the past two years, and they're now serving 3 billion searches a year. This shouldn't be a surprise — last month, a Pew survey found that 40% of American adults didn't want their search engine to retain information about them. But members of the general public are notoriously slow to change their privacy-related behavior. DuckDuckGo's growing popularity has led them to double their employee count since early 2014, now totaling 28 people. Their success is beginning to fuel speculation about an acquisition, with Apple's name being tossed around as a potential buyer.
United States

Is Surespot the Latest Crypto War Victim? 26

George Maschke writes: Patrick G. Eddington writes in a Christian Science Monitor op-ed about indications that the government may be snooping on users of Surespot, a free and open source encrypted messaging app for Android and iOS. Such users include, but are hardly limited to, Islamic State militants. He writes in the piece: "Has encrypted chat service Surespot been compromised by the US government? Surespot user and former Army intelligence officer George Maschke recently published a provocative theory suggesting the answer is yes. Mr. Maschke’s key pieces of evidence are intriguing. In May 2014, he e-mailed 2Fours LLC, which is Surespot’s parent company, asking whether the company had ever received a National Security Letter (NSL), a court order to provide information, or other government request to cooperate in an investigation. He was assured in writing that 2Fours had received no such requests. That changed in November 2014, when Surespot’s founder, Adam Patacchiola, told Maschke via e-mail that 'we have received an e-mail asking us how to submit a subpoena to us which we haven’t received yet.'"
Encryption

US Lawmakers Demand Federal Encryption Requirements After OPM Hack 91

Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.

The calls for added security measures come as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.
Communications

Should Edward Snowden Trust Apple To Do the Right Thing? 196

Nicola Hahn writes: As American lawmakers run a victory lap after passing the USA Freedom Act of 2015, Edward Snowden has published an op-ed piece which congratulates Washington on its "historic" reform. He also identifies Apple Inc. as a champion of user privacy. Snowden states: "Basic technical safeguards such as encryption — once considered esoteric and unnecessary — are now enabled by default in the products of pioneering companies like Apple, ensuring that even if your phone is stolen, your private life remains private." This sort of talking point encourages the perception that Apple has sided with users in the battle against mass surveillance. But there are those who question Snowden's public endorsement of high-tech monoliths. Given their behavior in the past is it wise to assume that corporate interests have turned over a new leaf and won't secretly collaborate with government spies?
Crime

Amazon Publishes Opaque Transparency Report 22

Mark Wilson writes: Post-Snowden there is great interest in just what involvement the government has with technology firms. There are frequent requests from government agencies for information about users and the likes of Google, Snapchat and even the NSA itself have all released transparency reports that reveal, in broad strokes, the number of requests for data they have received. Amazon is the latest company to release a transparency report — although the term really should be used in the loosest possible sense. The report includes scant details about the number of subpoenas, search warrants, court orders, and national security requests received in the first five months of 2015. The report is so vague as to be virtually meaningless.
China

Report: Russia and China Crack Encrypted Snowden Files 546

New submitter garyisabusyguy writes with word that, according to London's Sunday Times, "Russia and China have cracked the top-secret cache of files stolen by the fugitive US whistleblower Edward Snowden, forcing MI6 to pull agents out of live operations in hostile countries, according to senior officials in Downing Street, the Home Office and the security services," and suggests this non-paywalled Reuters version, too. "MI6 has decided that it is too dangerous to operate in Russia or China," writes the submitter. "This removes intelligence capabilities that have existed throughout the Cold War, and which may have helped to prevent a 'hot' nuclear war. Have the actions of Snowden, and, apparently, the use of weak encryption, made the world less safe?"
Communications

Germany Abandons Investigation Into NSA Spying on Chancellor Merkel 81

After the purported eavesdropping by the NSA on German chancellor Angela Merkel's telephone communications, the German government opened an investigation. However, writes Bruce66423: A lack of evidence means that the investigation has now ended. Our congratulations to the NSA for covering their tracks so well. Note that it was announced on a Friday evening, which is universally recognised as the time to release the news you don't want to get attention. Also at The Guardian and the BBC; from the Guardian's version: The investigation came after Der Spiegel reported in October 2013 that the NSA had a database containing Merkel’s personal phone number. Merkel publicly expressed outrage and dispatched a team of senior German intelligence officers to Washington, supposedly to extract a “no spy” agreement. When the row was at its height, the chancellor said: “The charges are grave and have to be cleared up.” ... The White House, responding to the Der Spiegel story in 2013, said it was not spying on Merkel at present and nor would it in the future, but refused to say whether it had in the past, which was interpreted by some as an admission of guilt.
Government

White House Asks FISA Court To Ignore 2nd Circuit's Decision On Bulk Surveillance 165

schwit1 sends news that the Obama Administration has made a legal request to the Foreign Intelligence Surveillance court to ignore a ruling from the Second Circuit Court of Appeals making bulk surveillance illegal. The government says it's doing so to create an "orderly transition" between now and the beginning of USA Freedom Act provisions in six months. Their legal argument is that the Circuit Court's rulings are only binding for lower courts — the FISA court is secretive and separated from the normal legal process, so it doesn't necessarily fit in the normal court hierarchy.

ACLU deputy legal director Jameel Jaffer said, "While the FISA court isn’t formally bound by the second circuit’s ruling, it will certainly have to grapple with the second circuit’s interpretation of the ‘relevance’ requirement. The [court] will also have to consider whether Congress effectively adopted the second circuit’s interpretation of the relevance requirement when it passed the USA Freedom Act." The issue is further complicated because the Circuit Court did not actually issue an injunction against bulk surveillance, deferring instead to the congressional debate already underway about the Patriot Act and USA Freedom Act.
Businesses

US Tech Companies Expected To Lose More Than $35 Billion Over NSA Spying 236

Patrick O'Neill writes: Citing significant sales hits taken by big American firms like Apple, Intel, Microsoft, Cisco, Salesforce, Qualcomm, IBM, and Hewlett-Packard, a new report says losses by U.S. tech companies as a result of NSA spying and Snowden's whistleblowing "will likely far exceed" $35 billion. Previously, the Information Technology and Innovation Foundation put the estimate lower when it predicted the losses would be felt mostly in the cloud industry. The consequences are being felt more widely and deeply than previously thought, however, so the number keeps rising.