Security

Famed Security Researcher 'Mudge' Creates New Algorithm For Measuring Code Security (theintercept.com) 37

Peiter "Mudge" Zatko and his wife, Sarah, a former NSA mathematician, have started a nonprofit in the basement of their home "for testing and scoring the security of software... He says vendors are going to hate it." Slashdot reader mspohr shares an article from The Intercept: "Things like address space layout randomization [ASLR] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code]," says Sarah. "Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]..." The lab's initial research has found that Microsoft's Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on "ancient compilers" that either don't have modern protective measures or don't have them turned on by default...

The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example -- Chrome, Safari, and Firefox -- Chrome came out on top, with Firefox on the bottom. Google's Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went "above and beyond in making things even more robust." Firefox, by contrast, "had turned off [ASLR], one of the fundamental safety features in their compilation."

The nonprofit was funded with $600,000 from DARPA, the Ford Foundation, and Consumers Union. Its scoring also looks at the number of external libraries called, the number of branches in a program and the presence of high-complexity algorithms.
The Military

Russian Government Gets 'Hacked Back', Attacks Possibly Launched By The NSA (bbc.com) 117

An anonymous reader writes: Russian government bodies have been hit by a "professional" cyber attack, according to the country's intelligence service, which said the attack targeted state organizations and defense companies, as well as Russia's "critically important infrastructures". The agency told the BBC that the powerful malware "allowed those responsible to switch on cameras and microphones within the computer, take screenshots and track what was being typed by monitoring keyboard strokes."
ABC News reports that the NSA "is likely 'hacking back' Russia's government-linked cyber-espionage teams to see once and for all if they're responsible for the massive breach at the Democratic National Committee, according to three former senior intelligence officials... Robert Joyce, chief of the NSA's shadowy Tailored Access Operations, declined to comment on the DNC hack specifically, but said in general that the NSA has technical capabilities and legal authorities that allow the agency to 'hack back' suspected hacking groups, infiltrating their systems to gather intelligence about their operations in the wake of a cyber attack... In some past unrelated cases...NSA hackers have been able to watch from the inside as malicious actors conduct their operations in real time."
Communications

Snowden Questions WikiLeaks' Methods of Releasing Leaks (pcworld.com) 160

An anonymous reader quotes a report from PCWorld: Former U.S. National Security Agency contractor Edward Snowden has censured WikiLeaks' release of information without proper curation. On Thursday, Snowden, who has embarrassed the U.S. government with revelations of widespread NSA surveillance, said that WikiLeaks was mistaken in not at least modestly curating the information it releases. "Democratizing information has never been more vital, and @Wikileaks has helped. But their hostility to even modest curation is a mistake," Snowden said in a tweet. WikiLeaks shot back at Snowden that "opportunism won't earn you a pardon from Clinton [and] curation is not censorship of ruling party cash flows." The whistleblowing site appeared to defend itself earlier on Thursday while referring to its "accuracy policy." In a Twitter message it said that it does "not tamper with the evidentiary value of important historical archives." WikiLeaks released nearly 20,000 previously unseen DNC emails last week, which suggest that committee officials had favored Clinton over her rival Senator Bernie Sanders. The most recent leak consists of 29 voicemails from DNC officials.
Crime

Gary Johnson: I'd Consider Pardoning Snowden, Chelsea Manning (vocativ.com) 251

An anonymous reader writes from a report via Vocativ: [Vocativ reports:] "The U.S.'s most popular third-party presidential candidate says he would 'consider' pardoning the highest profile convicts of computer-related crimes in the country, including Chelsea Manning, Ross Ulbricht, and Jeremy Hammond. Libertarian candidate Gary Johnson, a former governor of New Mexico, also reiterated his possible willingness to pardon Edward Snowden, the former National Security Agency analyst who gave a cache of agency documents to journalists in 2013." "Having actually served as a governor and administered the power to grant pardons and clemency, Gary Johnson is very conscious and respectful of the need for processes for using that authority," Joe Hunter, Johnson's communications director, told Vocativ in a statement. "However, he has made it clear on numerous occasions that he would 'look seriously at' pardoning Edward Snowden, based on public information that Snowden's actions did not cause actual harm to any U.S. intelligence personnel. Likewise, he has said he would look favorably on pardoning Ross Ulbricht, consistent with his broader and long-standing commitment to pardon nonviolent drug offenders, whistleblowers, and others imprisoned under unjust and ill-advised laws," Hunter said. When Vocativ asked specifically about Chelsea Manning, Jeremy Hammond, Barrett Brown, and Matthew Keys, Hunter responded: "The same goes for the other individuals you have mentioned -- and hundreds, if not thousands, like them. Gov. Johnson finds it to be an outrage that the U.S. has the highest incarceration rate in the developed world, and announced in 2012 that, as President, he would promptly commence the process of pardoning nonviolent offenders who have done no real harm to others." The Green Party candidate Jill Stein has also shared her thoughts on pardoning Edward Snowden and Chelsea Manning. Not only would she pardon Snowden, but she said she would appoint him to her cabinet.
Government

Edward Snowden At Comic-Con: 'I Live a Surprisingly Free Life' (theguardian.com) 52

An anonymous reader writes from a report via The Guardian: Director Oliver Stone talked to whistleblower Edward Snowden in front of an audience at a question and answer session on Thursday evening. He compared Snowden's anxiety over his own appearance in his Snowden biopic film "Snowden" to that of Donald Trump, who was cut from one of his films six years before. Snowden replied: "I'd like to avoid that association." At the event, Snowden did also shed some light on his personal life, years after his revelation of the NSA's secret surveillance of the American public's internet activity resulted in criminal charges under the Espionage Act that led to his exile in Russia. "I can confirm that I am not living in a box," Snowden said. "I actually live a surprisingly free life. This was not the most likely outcome. I didn't actually expect to make it out of Hawaii. I thought it was incredibly risky. I had a lot of advantages in doing what I did; I worked for the CIA on the human intelligence side, I worked for the NSA on the signals intelligence side, and I taught counterintelligence. This is not something that's covered that well in the media. I was about as well placed as anybody could be, and I still thought I was going to get rolled up at the airport and that there were going to be knocks on the doors of the journalists." When asked what he thought about Gordon-Levitt's performance in the film where he plays Edward Snowden, Snowden responded: "This is one of the things that's kind of crazy and surreal about this kind of experience: I don't think anybody looks forward to having a movie made about themselves, especially someone who is a privacy advocate. Some of my family members have said, 'He sounds just like you!' I can't hear it myself but if he can pass the family test he's doing all right." Snowden agreed to participate on the film because he thought it could raise awareness in ways his own advocacy could not. 
Snowden was also in the news recently for developing a way for potentially imperiled smartphone users to monitor whether their devices are making any potentially compromising radio transmissions.
Privacy

Edward Snowden's New Research Aims To Keep Smartphones From Betraying Their Owners (theintercept.com) 107

Smartphones have become indispensable tools for journalists, human rights workers, and activists in war-torn regions. But at the same time, as The Intercept points out, they become especially potent tracking devices that can put users in mortal danger by leaking their location. To address the problem, NSA whistleblower Edward Snowden and hardware hacker Andrew "Bunnie" Huang have been developing a way for potentially imperiled smartphone users to monitor whether their devices are making any potentially compromising radio transmissions. "We have to ensure that journalists can investigate and find the truth, even in areas where governments prefer they don't," Snowden told The Intercept. "It's basically to make the phone work for you, how you want it, when you want it, but only when." Snowden and Huang presented their findings in a talk at MIT Media Lab's Forbidden Research event Thursday, and published a detailed paper. From the Intercept article: Snowden and Huang have been researching if it's possible to use a smartphone in such an offline manner without leaking its location, starting with the assumption that "a phone can and will be compromised." [...] The research is necessary in part because the most common way to try and silence a phone's radio -- turning on airplane mode -- can't be relied on to squelch your phone's radio traffic. Unfortunately, a smartphone can be made to lie about the state of its radios. The article adds: According to their post, the goal is to "provide field-ready tools that enable a reporter to observe and investigate the status of the phone's radios directly and independently of the phone's native hardware." In other words, they want to build an entirely separate tiny computer that users can attach to a smartphone to alert them if it's being dishonest about its radio emissions. Snowden and Huang are calling this device an "introspection engine" because it will inspect the inner workings of the phone.
The device will be contained inside a battery case, looking similar to a smartphone with an extra bulky battery, except with its own screen to update the user on the status of the radios. Plans are for the device to also be able to sound an audible alarm and possibly to also come equipped with a "kill switch" that can shut off power to the phone if any radio signals are detected. Wired has a detailed report on this, too.
Government

Jill Stein Pledges To Pardon Snowden and Appoint Him To Her Cabinet (zerohedge.com) 177

Iamthecheese writes: Trump hates him. Clinton misrepresented him. Most mainstream media outlets call him a traitor and worse. But if you vote Stein, Snowden will be in the presidential Cabinet. "The presumptive Green Party presidential nominee Dr. Jill Stein promises to grant NSA whistleblower Edward Snowden -- who many describe as a true American hero -- not just a full pardon, but a promotion to the upper echelons of government should she win the White House," reports Zero Hedge. "[Snowden] has done an incredible service to our country at great cost to himself for having to live away from his family, his friends, his job, his network, to basically live as an expatriate," Stein asserted during a town hall live-streamed to supporters on her Facebook page, US Uncut reported. "I would say not only bring Snowden back, but bring him into my administration as a member of the Cabinet," she continued, "because we need people who are part of our national security administration who are really, very patriotic. If we're really going to protect our American security, we also have to protect our Constitutional rights, and that includes our right to privacy." Her pardons would also extend to CIA whistleblower John Kiriakou and Chelsea Manning. Kiriakou first revealed proof of waterboarding and various other torture tactics employed by the government, while Manning leaked the Afghan War Diary and Iraq War Logs, which included footage of U.S. helicopter airmen deliberately gunning down journalists, to Wikileaks. Reddit co-founder and MIT student, Aaron Swartz, who leaked academic research to the public, would also receive a pardon under her presidency. "[Swartz] was a proponent of free and liberated internet and for sharing our resources on that internet, who was basically hounded into suicide by a very oppressive Department of Justice. So, he -- in my mind -- is another one of these heroes that we need to remember and be very thankful for."
Security

Maxthon Web Browser Sends Sensitive Data To China (securityweek.com) 119

Reader wiredmikey writes: Security experts have discovered that the Maxthon web browser collects sensitive information and sends it to a server in China. Researchers warn that the harvested data could be highly valuable for malicious actors. Researchers at Fidelis Cybersecurity and Poland-based Exatel recently found that Maxthon regularly sends a file named ueipdata.zip to a server in Beijing, China, via HTTP. Further analysis (PDF) revealed that ueipdata.zip contains an encrypted file named dat.txt. This file stores information on the operating system, CPU, ad blocker status, homepage URL, websites visited by the user (including online searches), and installed applications and their version number. Interestingly, in 2013, after the NSA surveillance scandal broke, the company boasted about its focus on privacy and security, and the use of strong encryption.
It's funny.  Laugh.

TOS Agreements Require Giving Up First Born -- and Users Gladly Consent 195

An anonymous reader shares an Ars Technica report: A recent study concludes what everybody already knows: nobody reads the lengthy terms of service and privacy policies that bombard Internet users every day. Nobody understands them. They're too long, and they often don't make sense. A study out this month made the point all too clear. Most of the 543 university students involved in the analysis didn't bother to read the terms of service before signing up for a fake social networking site called "NameDrop" that the students believed was real. Those who did glossed over important clauses. The terms of service required them to give up their first born, and if they don't yet have one, they get until 2050 to do so. The privacy policy said that their data would be given to the NSA and employers. Of the few participants who read those clauses, they signed up for the service anyway. "This brings us to the biggest lie on the Internet, which anecdotally, is known as 'I agree to these terms and conditions,'" the study found. The paper is called "The biggest lie on the Internet: Ignoring the privacy policies and terms of service policies of social networking services". This reminds me of a similar thing the security firm F-Secure did in 2014. It asked London residents to give them their first child in exchange for free Wi-Fi access. The company, for the record, didn't collect any children.
The Military

Stuxnet/Cyberwar Documentary Reviewer: 'The U.S. Has Pwned Iran' (networkworld.com) 138

Slashdot reader alphadogg quotes an article from Network World: The new documentary about Stuxnet, "Zero Days", says the U.S. had a far larger cyber operation against Iran called Nitro Zeus that has compromised the country's infrastructure and could be used as a weapon in any future war. Quoting unnamed sources from inside the NSA and CIA, the movie says the Nitro Zeus program has infiltrated the systems controlling communications, power grids, transportation and financial systems, and is still ready to "disrupt, degrade and destroy" that infrastructure if a war should break out with Iran...

For the more technically inclined, the film contains some riveting interviews with researchers at Symantec who devoted their lives to unraveling the code line by line to figure out what it did, how it did it, who created it and what the target was. It was also a bit chilling in that after they figured out that governments were behind the worm they worried that the researchers themselves might be targeted to keep them silent. One Friday night, says Symantec researcher Eric Chien, he said to his research partner Liam O Murchu, "I'm not suicidal. If I should show up dead on Monday, it wasn't me."

In the film former NSA and CIA director Gen. Michael Hayden says "This stuff is hideously over classified."
Privacy

US Terrorist Conviction Appealed Over Use of NSA Data (independent.co.uk) 101

The Independent newspaper reports that the warrantless NSA surveillance programs revealed by Edward Snowden are facing a constitutional challenge in court for the first time: Lawyers for Mohamed Mohamud have argued that surveillance evidence used to convict the Somali-American man, found guilty of plotting to bomb a Christmas tree-lighting ceremony, was gathered in a manner that was unconstitutional. The lawyers laid out their arguments on Wednesday before a panel of judges of the 9th US Circuit Court of Appeals in Portland, close to the plaza where Mohamud tried detonating a fake bomb that was part of an undercover operation...

Stephen Sady, Mohamud's lawyer, urged the court to grant his client a new trial on the grounds that the evidence used against Mohamud should never have been permitted in the courtroom. Mr Sady told the judges that using surveillance information on foreigners, which does not require a warrant, to spy on any Americans they communicate with was "an incredible diminution of the privacy rights of all Americans... That is a step that should never be taken."

Last year saw a record number of wiretaps authorized by state and federal judges -- 4,148, more than twice as many as the 1,773 that took place in 2005 -- and not a single request was rejected. (More than 95% were for cellphones, and 81% for narcotics investigations.) But The Independent notes that U.S. law enforcement officials have admitted they also "incidentally" collect information about Americans without a warrant, and then sometimes later use that information in criminal investigations. In Mohamud's case, which dates back to 2010, "There's no doubt he tried to explode a car bomb in America," writes Slashdot reader Bruce66423, arguing that this case "elegantly demonstrates the issue of how far legal rights should overwhelm common sense."
Government

Interview With An 'NSA Hacker' Published By The Intercept (theintercept.com) 93

The Intercept published a 4,000 word article based on a journalist's three-hour interview with an "NSA hacker" who recently left the agency for a career in cybersecurity. Offering a portrait of life within the U.S. intelligence agency, "Lamb" says he worked on "ridiculously cool projects that I'll never forget... Technically challenging things are just inherently interesting to me."

He's the author of some of the memos leaked by Edward Snowden about how the NSA tries to identify Tor users or break into sys-admin accounts. (One of his memos outlined the ways the NSA reroutes (or "shapes") the internet traffic of entire countries, and another memo was titled "I Hunt Sysadmins.") "If you tell me, 'This can't be done,' I'm going to try and find a way to do it."

It's interesting that he ended one memo with "Current mood: devious" and wrote in another that Tor "generally makes for sad analysts". But in his interview, he warns that "There is no real safe, sacred ground on the internet. Whatever you do on the internet is an attack surface of some sort and is just something that you live with."
The Courts

President Obama Should Pardon Edward Snowden Before Leaving Office (theverge.com) 383

An anonymous reader writes from a report via The Verge: Ever since Edward Snowden set in motion the most powerful public act of whistleblowing in U.S. history, he has been living in exile in Russia from the United States. An article in this week's New York Magazine looks at how Snowden may have a narrow window of opportunity where President Obama could pardon him before he leaves office. Presumably, once he leaves office, the chances of Snowden being pardoned by Hillary Clinton or Donald Trump are minuscule. Obama has said nothing in the past few years to suggest he's interested in pardoning Snowden. Not only would it contradict his national security policy, but it would severely alienate the intelligence community for many years to come. With that said, anyone who values a free and secure internet believes pardoning Snowden would be the right thing to do. The Verge reports: "[Snowden] faces charges under the Espionage Act, which makes no distinction between delivering classified files to journalists and delivering the same files to a foreign power. For the first 80 years of its life, it was used almost entirely to prosecute spies. The president has prosecuted more whistleblowers under the Espionage Act than all presidents before him combined. His Justice Department has vastly expanded the scope of the law, turning it from a weapon against the nation's enemies to one that's pointed against its own citizens. The result will be less scrutiny of the nation's most powerful agencies, and fewer forces to keep them in check. With Snowden's push for clemency, the president has a chance to complicate that legacy and begin to undo it. It's the last chance we'll have."
Communications

Snowden Finally Identified As Target of Investigation That Ended Lavabit (washingtontimes.com) 77

An anonymous reader quotes a report from The Washington Times: Three years after a government investigation forced the shuttering of Lavabit, a Texas-based email provider, its CEO revealed Friday that an account belonging to Edward Snowden spurred the probe that put his company out of business. "Ladar Levison shut down his encrypted webmail service in August 2013 amid an FBI investigation focused on one of his company's nearly half-a-million customers," reports The Washington Times. "A gag-order that has just recently been vacated in federal court has legally prevented him up until now from confirming the account in question was registered to none other than the NSA contractor attributed with one of the largest intelligence leaks in U.S. history. U.S. District Judge Claude Hilton nullified the mandatory non-disclosure orders in a June 13 court filing that went unnoticed until Lavabit released a statement Friday. Officially, the consent order approved by Judge Hilton in the Eastern District of Virginia earlier this month removes all gag-orders concerning Lavabit and Mr. Levison with regards to a grand jury investigation that led the FBI to Mr. Snowden's email account. 'While I'm pleased that I can finally speak freely about the target of the investigation, I also know the fight to protect our collective freedom is far from over,' Mr. Levison said in a statement. He said he plans to discuss the case further during the DefCon security conference in Las Vegas this summer."
Encryption

Smartphone Users Are Paying For Their Own Surveillance (truth-out.org) 85

Nicola Hahn writes: While top secret NSA documents continue to trickle into the public sphere, tech industry leaders have endeavored to reassure anxious users by extolling the benefits of strong encryption. Rising demand among users for better privacy protection signifies a growth market for the titans of Silicon Valley -- this results in a tendency to frame the issue of cybersecurity in terms of the latest mobile device. Yet whistleblowers from our intelligence services offer dire warnings that contrast sharply with feel-good corporate talking points. Edward Snowden, for example, noted that under mass surveillance we're essentially "tagged animals" who pay for our own tags. There's an argument to be made that the vast majority of network-connected gadgets enable monitoring far more than they protect individual liberty. In some instances, the most secure option is to opt out.
Privacy

The NSA Would Be Eliminated Under President Gary Johnson (thehill.com) 412

An anonymous reader writes: Libertarian presidential nominee Gary Johnson says he'd sign an executive order eliminating America's National Security Agency if he wins the 2016 election. And he's also forcefully arguing that domestic surveillance of internet activity and phone calls in the United States is worse than in China. Johnson took issue with an interviewer at The Daily Beast who pointed out that China monitors political dissidents, saying "What do you call the NSA and the satellites that are trained on us and the fact that 110 million Verizon users are having everything we do on our cell phones being data-collected?"

Johnson also wants to abolish the Internal Revenue Service, replacing both income taxes and corporate taxes with a single federal consumption tax, and says he'd be willing to sign legislation eliminating the Department of Education, the Department of Housing and Urban Development, and the Department of Commerce, which he says fuels "crony capitalism". "I'll sign legislation to eliminate any federal agency that they present me with."

Johnson has also said that if he were elected President, he'd pardon Edward Snowden.
Government

NSA Couldn't Hack San Bernardino Shooter's iPhone; Now Working On Exploiting IoT (theintercept.com) 90

The FBI did turn to the NSA when it was trying to hack into the San Bernardino shooter's iPhone, according to an NSA official. But to many people's surprise, one of the world's most powerful intelligence agencies couldn't hack into that particular iPhone 5c model. "We don't do every phone, every variation of phone," said Richard Ledgett, the NSA's deputy director. "If we don't have a bad guy who's using it, we don't do that." According to Ledgett, the agency has to prioritize its resources and thus doesn't know how to get into every popular gadget. According to the report, the agency is now looking to exploit the Internet of Things, including biomedical devices. The Intercept reports: Biomedical devices could be a new source of information for the NSA's data hoards -- "maybe a niche kind of thing ... a tool in the toolbox," he said, though he added that there are easier ways to keep track of overseas terrorists and foreign intelligence agents. When asked if the entire scope of the Internet of Things -- billions of interconnected devices -- would be "a security nightmare or a signals intelligence bonanza," he replied, "Both."
Government

NSA Releases New Snowden Documents (vice.com) 155

An anonymous reader writes: Hundreds of internal NSA documents have been declassified and released to VICE in response to their FOIA lawsuit. They're now sharing them all online, calling it "an extraordinary behind-the-scenes look at the efforts by the NSA, the White House, and US Senator Dianne Feinstein to discredit Snowden [that] call into question aspects of the U.S. government's long-running narrative about Snowden's time at the NSA." The documents officially confirm that Snowden had also worked with the CIA, and show a vigorous internal discussion about how to respond to Snowden's leaks that apparently led the NSA to erroneously assert that Snowden hadn't voiced his objections about the surveillance of U.S. citizens within the NSA before going public.

Living in Russia now, Snowden himself refused to comment on the new releases, with his attorney saying Snowden "believes the NSA is still playing games with selective releases, and [he] therefore chooses not to participate in this effort. He doesn't trust that the intelligence community will operate in good faith."

The EFF is also marking the three-year anniversary of Snowden's leaks, saying they led directly to the first legislation curtailing the NSA's power in over 30 years and changed the way the world perceives government surveillance. Snowden was inspired in part by a desire to keep the internet free, saying in 2014 that "I remember what the Internet was like before it was being watched, and there's never been anything in the history of man that's like it."
The Internet

Yahoo Becomes First Company To Disclose FBI National Security Letters (tumblr.com) 74

Yahoo has disclosed receipt of three national security letters (FBI requests for data that Yahoo is typically barred from sharing) and published redacted copies of the letters online for anyone to see. The company says that the move "marks the first time any company has publicly acknowledged receiving an NSL following the reforms of the USA Freedom Act." The bill, passed last year, addresses the gag orders that accompany National Security Letters. Engadget reports: It takes some doing to get permission to acknowledge the receipt of a letter, too -- Yahoo says that the FBI needs to review if the nondisclosure provision is still necessary for each specific NSL before allowing a company to publish it, and even then certain information needs to be redacted before being made available to the public. Still, when companies do get these gag orders lifted, it allows them to notify the investigated parties that the FBI was looking into their data, and it's a big win for transparency overall.
Role Playing (Games)

The NSA's Delightfully D&D-inspired Guide To the Internet (muckrock.com) 43

"The NSA has a well-earned reputation for being one of the tougher agencies to get records out of, making those rare FOIA wins all the sweeter..." according to Muckrock.com, and "the fact that the records in question just so happen to be absolutely insane are just icing on the cake...." v3rgEz writes: In 2007, two NSA employees put together "Untangling the Web," the agency's official guide to scouring the World Wide Web. The 651-page guide cites Borges, Freud, and Ovid -- and that's just in the preface. MuckRock obtained a copy of the guide under an NSA Freedom of Information request, and has a write-up of all the guide's amazing best parts.
They're calling it "the weirdest thing you'll read today".
