omnibus PRISM/NSA/free Edward Snowden/encryption tutorial thread


Oh, and if you decide to roll your own with Algo or something, Amazon AWS has a free tier that will get you a server to run it on for a year. That's what I've been doing.

o_o, Wednesday, 29 March 2017 04:32 (seven years ago) link

those nsa hackers have given up on their bitcoin ransom and put out the password for the rest of the equation group exploits

https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

obv this coming right in the aftermath of the syria strikes is totally coincidental

sktsh, Saturday, 8 April 2017 12:21 (seven years ago) link

probably should take a look at my work email

The Jams Manager (1992, Brickster) (El Tomboto), Saturday, 8 April 2017 12:57 (seven years ago) link

it sounds from twitter like it's all like exploits for sendmail in redhat 7 or whatever rather than partic up to date stuff

[not the angle you're looking at i realise tombot]

sktsh, Saturday, 8 April 2017 13:20 (seven years ago) link

well I assume that the stuff that can be readily identified and analyzed within a couple of hours is going to be stuff people are already familiar with
wouldn't be surprised if it adheres to sturgeon's law, but it's going to be the 2-3 things that aren't immediately obvious that we should be worried about

The Jams Manager (1992, Brickster) (El Tomboto), Saturday, 8 April 2017 13:36 (seven years ago) link

what's not totally coincidental is this coming at the same moment that mark s lost his temper with frederik b

The Jams Manager (1992, Brickster) (El Tomboto), Saturday, 8 April 2017 13:51 (seven years ago) link

deeper state from before the dawn of time

mark s, Saturday, 8 April 2017 14:00 (seven years ago) link

Oh right, Deep State Magic.

Ned Raggett, Saturday, 8 April 2017 14:36 (seven years ago) link

the auction was never really about bitcoins

The Jams Manager (1992, Brickster) (El Tomboto), Saturday, 8 April 2017 15:02 (seven years ago) link

The ShadowBrokers, an entity previously confirmed by The Intercept to have leaked authentic malware used by the NSA to attack computers around the world, today released another cache of what appears to be extremely potent (and previously unknown) software capable of breaking into systems running Windows. The software could give nearly anyone with sufficient technical knowledge the ability to wreak havoc on millions of Microsoft users....

According to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be overstated: “I don’t think I have ever seen so much exploits and 0day [exploits] released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.

“This is as big as it gets,” Hickey said. “Nation-state attack tools are now in the hands of anyone who cares to download them…it’s literally a cyberweapon for hacking into computers…people will be using these attacks for years to come.”

https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

Supercreditor (Dr Morbius), Friday, 14 April 2017 21:23 (seven years ago) link

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

Code Name | Solution
“EternalBlue” | Addressed by MS17-010
“EmeraldThread” | Addressed by MS10-061
“EternalChampion” | Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher” | Addressed prior to the release of Windows Vista
“EsikmoRoll” | Addressed by MS14-068
“EternalRomance” | Addressed by MS17-010
“EducatedScholar” | Addressed by MS09-050
“EternalSynergy” | Addressed by MS17-010
“EclipsedWing” | Addressed by MS08-067

Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

The Jams Manager (1992, Brickster) (El Tomboto), Saturday, 15 April 2017 15:56 (seven years ago) link

EnglishmanDentist

The Jams Manager (1992, Brickster) (El Tomboto), Saturday, 15 April 2017 15:57 (seven years ago) link

one month passes...

U.S. intelligence agencies conducted illegal surveillance on American citizens over a five-year period, a practice that earned them a sharp rebuke from a secret court that called the matter a “very serious” constitutional issue.

The criticism is in a lengthy secret ruling that lays bare some of the frictions between the Foreign Intelligence Surveillance Court and U.S. intelligence agencies obligated to obtain the court’s approval for surveillance activities.

The ruling, dated April 26 and bearing the label “top secret,” was obtained and published Thursday by the news site Circa....

The document, signed by Judge Rosemary M. Collyer, said the court had learned in a notice filed Oct. 26, 2016, that National Security Agency analysts had been conducting prohibited queries of databases “with much greater frequency than had previously been disclosed to the court.”

It said a judge chastised the NSA’s inspector general and Office of Compliance for Operations for an “institutional ‘lack of candor’ ” for failing to inform the court. It described the matter as “a very serious Fourth Amendment issue.”

http://www.mcclatchydc.com/news/nation-world/national/national-security/article152947909.html

Supercreditor (Dr Morbius), Wednesday, 31 May 2017 18:58 (six years ago) link

three months pass...
one month passes...

so someone explain to me how catastrophic of a disaster this wifi protocol being cracked is

officer sonny bonds, lytton pd (mayor jingleberries), Monday, 16 October 2017 18:01 (six years ago) link

Ehh, patch all your stuff, especially your android phone. Always be patching.

If you have auto updates for Mac or Windows you’re already protected, I believe. Microsoft’s release last Tuesday definitely had the fix.

If you run a big corporate network that allows guest WiFi access you’ll be testing and protecting against this for probably years, though.

Here’s a decent blog on it

http://blog.erratasec.com/2017/10/some-notes-on-krack-attack.html?m=1

El Tomboto, Monday, 16 October 2017 22:36 (six years ago) link

this is a good backgrounder on the institutional missed opportunities that led to this problem

https://blog.cryptographyengineering.com/2017/10/16/falling-through-the-kracks/

(that whole blog, on the mathsy/theory/CS side of infosec, is all around great btw)

𝔠𝔞𝔢𝔨 (caek), Tuesday, 17 October 2017 02:58 (six years ago) link

two months pass...

Pelosi and Ryan, champions of FISA 702

https://theintercept.com/2018/01/11/nsa-pelosi-democrats-spy-american-section-702/

ice cream social justice (Dr Morbius), Thursday, 11 January 2018 22:33 (six years ago) link

four months pass...

not nsa but surveillance/close enough

https://www.theguardian.com/world/2018/may/14/is-your-boss-secretly-or-not-so-secretly-watching-you

James Bloodworth spent a month working as a “picker” – the person who locates the products ordered – for Amazon in March 2016 for his book Hired: Six Months Undercover in Low-Wage Britain. “We carried this handheld device at all times and it tracks your productivity,” he says. It would direct workers to the items they need to find on the shelves in one of Amazon’s vast warehouses. “Each time you picked up an item, there would be this countdown timer [to get to the next item] which would measure your productivity.” Bloodworth says supervisors would tell people how productive they were being; he was warned he was in the bottom 10%. “You were also sent admonishments through the device saying you need to get your productivity up. You’re constantly tracked and rated. I found you couldn’t keep up with the productivity targets without running – yet you were also told you weren’t allowed to run, and if you did, you’d get a disciplinary. But if you fell behind in productivity, you’d get a disciplinary for that as well.” It didn’t feel, he says, “that you were really treated as a human being”. Workers had to go through airport-style security scanners at the beginning and end of their shifts, or to get to the break areas. He says going to the loo was described as “idle time” and once found a bottle of urine on one of the shelves.

Amazon says its scanning devices “are common across the warehouse and logistics sector as well as in supermarkets, department stores and other businesses, and are designed to assist our people in performing their roles”, while the company “ensures all of its associates have easy access to toilet facilities, which are just a short walk from where they are working”. It adds: “Associates are allowed to use the toilet whenever needed. We do not monitor toilet breaks.”

...

Surveillance can have positive applications. It’s necessary (and legally required) in the financial industry to prevent insider trading. It could be used to prevent harassment and bullying, and to root out bias and discrimination. One interesting study last year monitored emails and productivity, and used sensors to track behaviour and interaction with management, and found that men and women behaved almost identically at work. The findings challenged the belief that the reason women are not promoted to senior levels is that they are less proactive or have fewer interactions with leaders, and simply need to “lean in”.

Still, says Woodcock, “we need to have a conversation in society about whether work should be somewhere that you’re surveilled”. That need is perhaps most urgent where low-paid, insecure jobs are concerned. “If you work in the gig economy, you have a smartphone,” Woodcock points out, and that smartphone can be used to track you. “I think because many of these workplaces don’t have traditional forms of organisation or trade unions, management are able to introduce these things with relatively little collective resistance.”

The Independent Workers Union of Great Britain is well aware of the issues of monitoring and data collection. James Farrar is the chair of its United Private Hire Drivers branch, and the Uber driver who won a legal battle against the company last year for drivers’ rights. “They do collect an awful lot of information,” he says. “One of the things they will report to you on a daily basis is how good your acceleration and braking has been. You get a rating. The question is: why are they collecting that information?” Uber also monitors “unusual movements” of the phone when someone is driving (implying it knows if someone is using their phone while at the wheel) and, of course, tracks cars and drivers by GPS.

“My concern with it is this information is being fed into a dispatch algorithm,” he says. “We should have access to the data and understand how it’s being used. If some kind of quality score on my driving capability [is put into an algorithm], I may be offered less valuable work, kept away from the most valuable clients – who knows?” It’s not an unreasonable fear – the food delivery company Deliveroo already does something similar, monitoring its riders’ and drivers’ performance, and has started offering “priority access” when booking shifts to those who “provide the most consistent, quality service”. Uber, however, says its monitoring is intended only to deliver “a smoother, safer ride … This data is used to inform drivers of their driving habits and is not used to affect future trip requests.”

Not all surveillance is bad, says Farrar. In some ways, he would like more. He was assaulted by a passenger and is calling for CCTV in all vehicles, partly for the safety of drivers. “There is a role for surveillance technology,” he says. Ironically, when Farrar went for a meeting with Uber to discuss the assault, the company made him turn his phone off to prove he wasn’t recording it.

also lots two people with interesting surnames

bloodworth and woodcock

F# A# (∞), Monday, 14 May 2018 18:09 (five years ago) link

one year passes...

Snowden memoir is out, getting some good reviews

a Mets fan who gave up on everything in the mid '80s (Dr Morbius), Friday, 13 September 2019 18:41 (four years ago) link

The United States today filed a lawsuit against Edward Snowden, a former employee of the Central Intelligence Agency (CIA) and contractor for the National Security Agency (NSA), who published a book entitled Permanent Record in violation of the non-disclosure agreements he signed with both CIA and NSA.

The lawsuit alleges that Snowden published his book without submitting it to the agencies for pre-publication review, in violation of his express obligations under the agreements he signed. Additionally, the lawsuit alleges that Snowden has given public speeches on intelligence-related matters, also in violation of his non-disclosure agreements.

The United States’ lawsuit does not seek to stop or restrict the publication or distribution of Permanent Record. Rather, under well-established Supreme Court precedent, Snepp v. United States, the government seeks to recover all proceeds earned by Snowden because of his failure to submit his publication for pre-publication review in violation of his alleged contractual and fiduciary obligations.

https://www.justice.gov/opa/pr/united-states-files-civil-lawsuit-against-edward-snowden-publishing-book-violation-cia-and

a Mets fan who gave up on everything in the mid '80s (Dr Morbius), Tuesday, 17 September 2019 19:14 (four years ago) link

three weeks pass...

Some of the Federal Bureau of Investigation’s warrantless searches through the National Security Agency’s enormous troves of communications data violated the law and the Constitution, according to secret surveillance court rulings partially declassified on Tuesday.

The bureau’s so-called backdoor searches, long regarded by civil libertarians as a government end-run around warrant requirements, were overly broad, the court found. They appear to have affected what a judge on the court called “a large number of individuals, including U.S. persons.” On one day in December 2017 alone, the court found, the FBI conducted 6,800 queries of the NSA databases using Social Security numbers. The government, in secret, conceded that there were “fundamental misunderstandings” among some FBI personnel over the standards necessary for the searches....

As early as March 2018, the FISA Court identified to the government that the FBI was not sufficiently documenting which of its queries were tied to people inside the United States, despite a statutory obligation to do so. Nor were the searches “reasonably designed” to find evidence of crimes or foreign spying.

https://www.thedailybeast.com/secret-court-fbi-warrantless-searches-were-illegal

a Mets fan who gave up on everything in the mid '80s (Dr Morbius), Thursday, 10 October 2019 17:59 (four years ago) link

I'm shocked! Shocked!

Elvis Telecom, Thursday, 10 October 2019 19:13 (four years ago) link

anyone read his book yet?

(The Other) J.D. (J.D.), Thursday, 10 October 2019 20:14 (four years ago) link

I went control-f'ing for my name to see if I had participated in this thread much. Landed on this post and didn't know what to make of it: omnibus PRISM/NSA/free Edward Snowden/encryption tutorial thread

So I reverse image searched it and here was what Google was able to come up with.

https://i.imgur.com/LWrsVC9.png

Fun indeed, Google.

☮ (peace, man), Friday, 11 October 2019 11:30 (four years ago) link

ten months pass...

President Trump said on Saturday that he would consider pardoning Edward J. Snowden, the former National Security Agency contractor who faced criminal charges after leaking classified documents about vast government surveillance.

“There are many, many people — it seems to be a split decision — many people think that he should be somehow be treated differently and other people think he did very bad things,” Mr. Trump said during a news conference at his golf club in Bedminster, N.J. “I’m going to take a very good look at it.”

https://www.nytimes.com/2020/08/15/us/politics/trump-snowden-esper.html

(The Other) J.D. (J.D.), Monday, 17 August 2020 21:52 (three years ago) link

I. Just. Can’t.

Congratulations GOP. This is who you are now. https://t.co/CAE98A7qjV

— Susan Rice (@AmbassadorRice) August 16, 2020

𝔠𝔞𝔢𝔨 (caek), Monday, 17 August 2020 23:08 (three years ago) link

two months pass...

Who?

all cats are beautiful (silby), Tuesday, 27 October 2020 06:19 (three years ago) link

four months pass...

https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber

It costs around $16 to steal anyone's SMS account, which can then be used to hijack their other accounts.

wasdnuos (abanana), Tuesday, 16 March 2021 02:41 (three years ago) link

one year passes...

In utterly non-shocking news:

Edward Snowden swears allegiance to Russia and receives passport, lawyer says

Edward Snowden, a former National Security Agency contractor who leaked information about U.S. surveillance programs, swore an oath of allegiance to Russia and has collected his Russian passport, his lawyer told state media on Friday.

“Edward received a Russian passport yesterday and took the oath in accordance with the law,” lawyer Anatoly Kucherena said, according to Russia’s Interfax news agency. “He is, of course, happy, thanking the Russian Federation for the fact that he received citizenship,” he continued. “And most importantly, under the Constitution of Russia, he can no longer be extradited to a foreign state.”

Elvis Telecom, Saturday, 3 December 2022 03:30 (one year ago) link

