Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 9, 2019

Skipping ISP Blocks – Thanks Google!

Filed under: Browsers,Privacy — Patrick Durusau @ 8:01 pm

Google’s Web Packaging standard arises as a new tool for privacy enthusiasts by Catalin Cimpanu.

From the post:

… Web Packaging allows website owners to create a cryptographically-signed version of the page, in one single file, which they can distribute to users via alternative channels, even without breaking HTTPS support.

Google says that website owners can share these signed versions of their pages via their normal web server, via cache systems, or even using peer devices, such as other users’ smartphones and computers.

Web Packaging looks like an ideal solution in cases where nation-states or internet service providers might block access to a website.

Website owners can create signed packages of their sites’ pages, which can then be introduced inside a network of peers and shared among users without having to connect to the origin server that might have been blocked locally.


Dodging ISP blocks can be done as simply as zipping up files and posting the zip archive to a non-blocked ISP. What motivates the Web Packaging work is a desire for “signed” pages for offline use. The dodging of ISP blocks is a side effect of other requirements.

Even if unintentional, another mechanism for dodging ISP blocks merits your support and patronage. Presently supported only in Chrome.

January 23, 2019

[Tails] USB images instead of ISO images – Testing Needed – Release January 29th

Filed under: Privacy,Tails — Patrick Durusau @ 3:20 pm

[Tails] USB images instead of ISO images – Testing Needed

From the webpage:

We need your help to test the simplified installation methods of Tails that we will release with 3.12 on January 29.

The method will be much simpler and faster, especially for macOS users, but for Windows users as well. Debian and Ubuntu users won’t have to install a specific program anymore and the process will also be faster for other Linux users.

In short, instead of downloading an ISO image (a format originally designed for CDs) you will download a USB image that is already an image of the data as written to your USB stick by Tails Installer. So no need for Tails Installer anymore and no need for an intermediary Tails nor a second USB stick when installing from Windows or macOS.

You should be able to create a persistent volume right away.

The methods for upgrading Tails will remain the same.
… (emphasis in original)

Got a few minutes?

The privacy you protect may be your own!

January 10, 2019

“…avoid[ing] data monopolies and misuse” The other purpose of data collection being?

Filed under: Privacy — Patrick Durusau @ 8:55 pm

Sorry, your data can still be identified even if it’s anonymized by Kelsey Campbell-Dollaghan.

From the post:

Thanks to the near-complete saturation of the city with sensors and smartphones, we humans are now walking, talking data factories. Passing through a subway turnstile, sending a text, even just carrying a phone in your pocket: we generate location-tagged data on an hourly basis. All that data can be a boon for urban planners and designers who want to understand cities–and, of course, for tech companies and advertisers who want to understand the people in them. Questions about data privacy are frequently met with a chorus of, It’s anonymized! Any identifying features are scrubbed from the data!

The reality, a group of MIT scientists and urban planners show in a new study, is that it’s fairly simple to figure out who is who anyway. In other words, anonymized data can be deanonymized pretty quickly when you’re working with multiple datasets within a city.

“As researchers, we believe that working with large-scale datasets can allow discovering unprecedented insights about human society and mobility, allowing us to plan cities better,” observed Daniel Kondor of MIT’s Future Urban Mobility Group in the release. “Nevertheless, it is important to show if identification is possible, so people can be aware of potential risks of sharing mobility data,” adding, “currently much of this wealth of information is held by just a few companies and public institutions that know a lot about us, while we know so little about them. We need to take care to avoid data monopolies and misuse.”

In other words, as urban planners, tech companies, and governments collect and share data, we now know that “it’s anonymized” is never a guarantee of privacy. And as they dig deep into the data we generate, cities and citizens need to demand that this data can never be reidentified.
(emphasis in original)

I’m sorely puzzled by the “…avoid data monopolies and misuse.” We already have data monopolies and misuse of data (Facebook, for example).

Do you think they mean break-up data monopolies and regulate the use of data?

Both of those seem very unlikely.

A solution may lie in “…just a few companies and public institutions that know a lot about us, while we know so little about them.”

While freeing data from “just a few companies and public institutions,” you could learn and share a great deal about them.

Something to keep in mind!
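What “deanonymized pretty quickly when you’re working with multiple datasets” looks like in practice, as an added example for this post (not the MIT study’s code or data): two releases of mobility records, each with its own opaque pseudonyms and neither naming anyone, joined on where and when people were. All records, place names and pseudonyms below are constructed; the overlap and margin thresholds are assumptions chosen for the example.

```python
"""Linking two 'anonymised' mobility releases by trajectory overlap.

Added example for this post, not the MIT study's code or data.  The records
below are constructed: a transit operator and a phone carrier each publish
(pseudonym, place, hour-of-week) rows with their own opaque pseudonyms, and
neither file alone names anyone.  Joining them on where and when people were
collapses the pseudonyms onto each other.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, str, int]           # (pseudonym, place, hour-of-week 0..167)
Point = Tuple[str, int]                 # (place, hour-of-week)

# Constructed transit release: smart-card numbers replaced by "card-…" tokens.
TRANSIT: List[Record] = [
    ("card-7f3a", "Kendall", 8), ("card-7f3a", "Park St", 9),
    ("card-7f3a", "Harvard", 18), ("card-7f3a", "Park St", 19),
    ("card-22c1", "Kendall", 8), ("card-22c1", "Park St", 9),
    ("card-22c1", "Alewife", 18),
    ("card-c904", "Airport", 6), ("card-c904", "Park St", 9),
]

# Constructed carrier release: the same people, handset IDs replaced by "dev-…".
CARRIER: List[Record] = [
    ("dev-01", "Kendall", 8), ("dev-01", "Park St", 9),
    ("dev-01", "Harvard", 18), ("dev-01", "Park St", 19),
    ("dev-02", "Kendall", 8), ("dev-02", "Park St", 9), ("dev-02", "Alewife", 18),
    ("dev-03", "Airport", 6), ("dev-03", "Park St", 9), ("dev-03", "Airport", 22),
]


def trajectories(records: Iterable[Record]) -> Dict[str, Set[Point]]:
    """Group rows into one set of (place, hour) points per pseudonym."""
    traj: Dict[str, Set[Point]] = defaultdict(set)
    for pseudonym, place, hour in records:
        traj[pseudonym].add((place, hour))
    return traj


def anonymity_set(records: Iterable[Record], known: Set[Point]) -> Set[str]:
    """Pseudonyms whose trajectory contains every known point.  With a couple
    of points this is a crowd; a few more and it is usually one person."""
    return {p for p, pts in trajectories(records).items() if known <= pts}


def link(a_records: Iterable[Record], b_records: Iterable[Record],
         min_overlap: int = 3, min_margin: int = 1) -> Dict[str, str]:
    """Map each pseudonym in release A to the pseudonym in release B that
    shares the most points with it.  A match must reach min_overlap shared
    points and beat the runner-up by min_margin; anything weaker is left
    unlinked rather than guessed."""
    a, b = trajectories(a_records), trajectories(b_records)
    links: Dict[str, str] = {}
    for a_id, a_pts in a.items():
        scored = sorted(((len(a_pts & b_pts), b_id) for b_id, b_pts in b.items()),
                        reverse=True)
        best_score, best_id = scored[0]
        runner_score = scored[1][0] if len(scored) > 1 else 0
        if best_score >= min_overlap and best_score - runner_score >= min_margin:
            links[a_id] = best_id
    return links


if __name__ == "__main__":
    print("anonymity set for {Kendall@8, Park St@9}:",
          anonymity_set(TRANSIT, {("Kendall", 8), ("Park St", 9)}))
    print("cross-release links:", link(TRANSIT, CARRIER))
```

Two shared commute points leave card-7f3a and card-22c1 indistinguishable; a third point singles one out, and the same three points tie the card to a handset in the other release. card-c904 stays unlinked only because it has too few points, which is the margin a “we removed the identifiers” release is actually relying on.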

November 17, 2018

IMSI-Catcher in 30 Minutes

Filed under: Government,Privacy,STINGER — Patrick Durusau @ 9:51 pm

With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes by Joseph Cox.

From the post:

With some dirt cheap tech I bought from Amazon and 30-minutes of set-up time, I was streaming sensitive information from phones all around me. IMSIs, the unique identifier given to each SIM card, can be used to confirm whether someone is in a particular area. They can also be used as part of another attack to take over a person’s phone number and redirect their text messages. Obtaining this information was incredibly easy, even for a non-expert.

But a DIY IMSI catcher is relatively trivial to setup, and the technology is accessible to anyone with a cheap laptop, $20 of gear, and, the ability to essentially copy and paste some commands into a computer terminal. This is about ease of access; a lower barrier of technical entry. In a similar way to so-called spouseware—malware used by abusive partners—surveillance takes on different character when it trickles down to more ordinary, everyday users. The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

Once you get up and running (see the project’s GitHub page), other extensions and uses will occur to you.

I deeply disagree with the assessment:

The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

The greater danger comes when secret agencies and even police agencies, operate with no effective oversight. Either because their operations are too secret to be known to others or a toady, such as the FISA court, is called upon to pass judgment.

As the “threat” from IMSI-catchers increases, manufacturers will engineer phones that resist attacks from the government and the public. A net win for the public, if not the government.

IMSI-catchers and more need to be regulars around government offices and courthouses. Governments like surveillance so much, let’s provide them with a rich and ongoing experience of the same.

November 15, 2018

*exploitation not included

Filed under: Privacy — Patrick Durusau @ 2:24 pm

The title is a riff on Mozilla’s *privacy not included list of privacy insecure gifts for the holiday season.

While intended as a warning to consumers, I can’t think of a better shopping list for members of government, their staffs, corporate officers, lobbyists, or even your co-workers.

Unlike some, I don’t consider privacy to be a universal good, especially if a breach of privacy takes down someone like Senator Mitch McConnell or some similar ilk.

Use your imagination or ping me (not free) for development of a list of likely recipients of your holiday largess.

But as the title suggests: *exploitation not included.

PS: And no, I don’t want to know the intended purpose of your list. Enjoy the holidays!

November 5, 2018

ꓘamerka —… [On Ubuntu 18.04] 

Filed under: Open Source Intelligence,Privacy,Shodan — Patrick Durusau @ 1:25 pm

ꓘamerka — Build interactive map of cameras from Shodan by Wojciech.

From the post:

This post will be a really quick one; I want to share one of the curiosities I wrote recently. It’s a proof of concept to visualize cameras from the Shodan API on a real map. Some of the cameras are left open with no authentication, so you don’t need any hacking skills to get access, and depending on where a camera is located you can get an interesting view in some cases. With a lot of luck, it can help you with OSINT investigations or geolocating photos. Imagine you have a photo to geolocate and you find an open camera pointing exactly at this place, or somewhere nearby, which can give you a hint.

Source: https://github.com/woj-ciech/kamerka

OK, so I git clone https://github.com/woj-ciech/kamerka in a directory.

After changing to the kamerka directory:

pip -r install requirements

Answer:

Usage:
pip [options]

no such option: -r

Syntax error. Try:

pip install -r requirements.txt

Success!

Restriction: Works only with paid Shodan.io accounts.

Oops! I don’t have a commercial Shodan account (at the moment) so I need to break here.

When I obtain a commercial Shodan account I will report further on this script. Thinking Venice Beach would be a nice location to test for cameras. 😉

October 3, 2018

New Release: Tor Browser 8.0.2 – Upgrade Time!

Filed under: Privacy,Tor — Patrick Durusau @ 10:25 am

New Release: Tor Browser 8.0.2

From the post:

Tor Browser 8.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. We picked up the necessary patches, but because we needed to start building before Mozilla was ready with a first candidate build, we did not bump the Firefox version to 60.2.2esr. Thus, users are fine with Tor Browser 8.0.2 even though the Firefox version is 60.2.1esr.

Grab the latest version of Tor Browser today!

You are the last and best hope for your personal privacy.

September 20, 2018

HIDE AND SEEK… (Pegasus Spyware)

Filed under: Government,Pegasus,Privacy — Patrick Durusau @ 12:27 pm

HIDE AND SEEK Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries by Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert.

From the post:


Key Findings

  • Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one of which appears to be run by a separate operator.
  • We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.
  • Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.
  • Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.

(The image of Pegasus infections looks far better and is more informative in the original post.)

The NSO Group responded to the Hide and Seek post here.

Any defense against the NSO Group and/or users of their software is up to you. Governments are clearly not on the side of citizens when it comes to the NSO Group.
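The “DNS Cache Probing” the key findings mention is a non-recursive query: ask a resolver for a name with the Recursion Desired bit cleared, and it will answer only if one of its own clients recently resolved that name. The following is an added example for this post, not Citizen Lab’s tooling, showing what that probe and its interpretation look like on the wire. The resolver replies are constructed byte strings so it runs offline; the transaction id, the name `example.test` and the TTL are assumptions, and only `probe_resolver()` touches the network.

```python
"""Non-recursive DNS cache probing.

Added example for this post, not Citizen Lab's tooling.  A query with
RD=0 asks a resolver to answer from cache only; an answer section means
some client of that resolver looked the name up within the last TTL.
The replies below are constructed so the module runs offline.
"""
import socket
import struct
from typing import Optional, Tuple

TXID = 0x1234          # assumed fixed transaction id for the offline samples


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_probe(name: str, txid: int = TXID) -> bytes:
    """A-record query with every flag clear, in particular RD (0x0100) = 0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def interpret(response: bytes, txid: int = TXID) -> Tuple[str, Optional[int]]:
    """Classify a reply to build_probe(): ('cached', remaining_ttl),
    ('not cached', None), or a refusal/error.  The TTL is returned because a
    cache hit carries a TTL already counted down from the authoritative value,
    which is one way to tell a real hit from a resolver that recursed anyway."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:          # wrong id or not a response
        return ("not a reply to our probe", None)
    rcode = flags & 0xF
    if rcode == 5:
        return ("refused", None)                   # resolver does not serve us
    if rcode == 3:
        return ("nxdomain", None)                  # negative answer, maybe negative-cached
    if rcode != 0:
        return (f"rcode {rcode}", None)
    if an == 0:
        return ("not cached", None)                # empty or referral-only reply
    off = 12
    for _ in range(qd):                            # step over the echoed question(s)
        off = skip_name(response, off) + 4
    off = skip_name(response, off)                 # first answer RR: name, then type/class/ttl
    _rtype, _rclass, ttl = struct.unpack("!HHI", response[off:off + 8])
    return ("cached", ttl)


def probe_resolver(resolver: str, name: str, timeout: float = 2.0) -> Tuple[str, Optional[int]]:
    """Send one probe over UDP/53 to a resolver you are permitted to query.  Not run offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return interpret(data)


# Constructed replies from an imaginary resolver (flags 0x8080 = QR|RA, RD echoed as 0).
QUESTION = encode_name("example.test") + struct.pack("!HH", 1, 1)
HIT = (struct.pack("!HHHHHH", TXID, 0x8080, 1, 1, 0, 0) + QUESTION
       + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 217, 4) + bytes([192, 0, 2, 10]))
MISS = struct.pack("!HHHHHH", TXID, 0x8080, 1, 0, 0, 0) + QUESTION
REFUSED = struct.pack("!HHHHHH", TXID, 0x8085, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in (("hit", HIT), ("miss", MISS), ("refused", REFUSED)):
        print(label, "->", interpret(reply))
```

Two caveats a practitioner will run into: many resolvers ignore RD=0 and recurse regardless (a fresh answer with an undecremented TTL looks like a hit unless you compare against the authoritative TTL), and an open resolver answering outsiders is the only kind this works against at all, which is why the study counts countries by resolver rather than naming individual clients.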

September 4, 2018

…Access to Evidence and Encryption [Not One Step Backwards]

Filed under: Encryption,Privacy — Patrick Durusau @ 1:34 pm

Statement of Principles on Access to Evidence and Encryption (United States, the United Kingdom, Canada, Australia and New Zealand)

From the preamble:

The Governments of the United States, the United Kingdom, Canada, Australia and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights. Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.

However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.

Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.

The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.

Each of the Five Eyes jurisdictions will consider how best to implement the principles of this statement, including with the voluntary cooperation of industry partners. Any response, be it legislative or otherwise, will adhere to requirements for proper authorization and oversight, and to the traditional requirements that access to information is underpinned by warrant or other legal process. We recognize that, in giving effect to these principles, governments may have need to engage with a range of stakeholders, consistent with their domestic environment and legal frameworks.

This joint statement memorializes Five Eyes jurisdictions’ ignorance of computer encryption. Or perhaps basic logic, that material cannot be accessible and yet not accessible (encrypted) at the same time. It’s called a contradiction in terms.

The Five Eye jurisdictions may as well decide to round Pi off to 3.14. (STOP! That was sarcasm, please don’t meddle with Pi. All sorts of things, missiles, rockets, aircraft, etc., will suddenly go horribly wrong.)

Do not engage with any of the Five Eye jurisdictions on any proposal to give governments access to encrypted materials.

I mean that quite literally. There are no facts to be produced, no trade-offs to discuss, no supervisory mechanisms to be considered. Cybersecurity experts have already established that data either is or is not encrypted. Any backdoor into an encryption system means it isn’t secure. (full stop)

There aren’t any viable issues open for discussion.

By your non-participation, the Five Eye jurisdictions will write their regulations more poorly than with your presence.

The poorer the regulations, the more easily breached the resulting encryptions will be.

June 16, 2018

Thumbprint Loans @ Post Offices?

Filed under: Government,Politics,Privacy — Patrick Durusau @ 12:32 pm

In case you haven’t heard, payday loans are the bane of the poor. Aboutpayday.com

I created a graphic that captures the essential facts of a thumbprint loan proposal, which I suggest locating at US Post offices.

The essence of the proposal is to eliminate all the paperwork for government sponsored payday loans at prime plus 1% simple interest.

To do that, all that is required for a loan is a thumbprint. That’s it. No name, location, where your job is located, etc.

When paid, users can choose to create a credit history for their thumbprint, or, have it deleted from the system. Users who create a credit history can build up a record in order to borrow larger than base amounts, or to create a credit history for export to more conventional lenders.

When I first started thinking about this proposal, I envisioned interactions with Post Office personnel but even that is unnecessary. Thumbprint loans could be wholly automated, up to and including disbursal of cash. That has the added feature of not being limited to post office hours of operation.

A rough sketch to be sure but reducing the APR of payday loans by 791% to 532% for 24 million Americans is worth being on the national agenda.

May 22, 2018

ACLU Flyer for Amazon’s Rekognition

Filed under: Government,Privacy — Patrick Durusau @ 7:22 pm

Did you see the ACLU flyer for Amazon’s Rekognition program?

If there was a police department in the United States that was unaware of Rekognition, that is no longer the case. Way to go ACLU!

Part of the ACLU flyer reads as follows:

Marketing materials and documents obtained by ACLU affiliates in three states reveal a product that can be readily used to violate civil liberties and civil rights. Powered by artificial intelligence, Rekognition can identify, track, and analyze people in real time and recognize up to 100 people in a single image. It can quickly scan information it collects against databases featuring tens of millions of faces, according to Amazon.

Amazon is marketing Rekognition for government surveillance. According to its marketing materials, it views deployment by law enforcement agencies as a “common use case” for this technology. Among other features, the company’s materials describe “person tracking” as an “easy and accurate” way to investigate and monitor people. Amazon says Rekognition can be used to identify “people of interest” raising the possibility that those labeled suspicious by governments — such as undocumented immigrants or Black activists — will be seen as fair game for Rekognition surveillance. It also says Rekognition can monitor “all faces in group photos, crowded events, and public places such as airports” — at a time when Americans are joining public protests at unprecedented levels.

Amazon’s Rekognition raises profound civil liberties and civil rights concerns. Today, the ACLU and a coalition of civil rights organizations demanded that Amazon stop allowing governments to use Rekognition.

My first impression was this is yet another fund raising effort by the ACLU. That impression grew stronger when I saw:

right under the “…demanded that Amazon stop allowing governments to use Rekognition.”

That takes you to:

ACLU address and permission harvesting!

The ACLU’s faux concern about Rekognition obtains your contact data and permission to contact.

Why do I say “faux concern?” Petitioning a vendor to withdraw a product offered by others. Name five similar campaigns that were successful. Name three. Still nothing? How about one?

I’ve got nothing, how about you?

On the other hand, despite surveillance of US citizens being illegal, the NSA engaged in, concealed and continued that surveillance. Explosive Revelation of Obama Administration Illegal Surveillance of Americans (National Review), NSA surveillance exposed (CBS News), NSA Surveillance (ACLU).

Based on experience with the NSA and others, would you guess that ACLU address and permission harvesting is going to be less than effective at stopping Rekognition? The only possible success of this ACLU effort will be a larger solicitation list for the ACLU. Not what I’m interested in signing up for. You?

Options for defeating facial recognition software range from the purely physical to tricking the underlying software. A bit old (2016) but 6 Ways to Defeat Facial Recognition Cameras has some amusing ways to defeat facial recognition software, but most of them tag you as avoiding facial recognition. Unless and until avoiding facial recognition becomes commonplace, obvious avoidance isn’t the best plan.

More recent and promising efforts include Google researchers create universal adversarial image patches to defeat AI object recognition (2018), an effort to hijack an AI system’s attention. That’s only one of many efforts to defeat facial/image recognition software.

Bottom line: Amazon is going to successfully market its Rekognition software, especially with name recognition assistance from the ACLU.

Forfeiting your contact data and permission to the ACLU accomplishes exactly that, gives the ACLU your contact data and permission to contact.

Using, developing, and promoting technology to defeat facial recognition software without permission or agreement is our only hope.

April 29, 2018

Processing “Non-Hot Mike” Data (Audio Processing for Data Scientists)

Filed under: Ethics,Politics,Privacy,Speech Recognition — Patrick Durusau @ 6:32 pm

A “hot mike” is one that is transmitting your comments, whether you know the mike is activated or not.

For example, a “hot mike” in 2017 caught this jewel:

Israeli Prime Minister Benjamin Netanyahu called the European Union “crazy” at a private meeting with the leaders of four Central European countries, unaware that a microphone was transmitting his comments to reporters outside.

“The EU is the only association of countries in the world that conditions the relations with Israel, that produces technology and every area, on political conditions. The only ones! Nobody does it. It’s crazy. It’s actually crazy. There is no logic here,” Netanyahu said Wednesday in widely reported remarks.

Netanyahu was meeting with the leaders of Hungary, Slovakia, Czech Republic and Poland, known as the Visegrad Group.

The microphone was switched off after about 15 minutes, according to reports.

A common aspect of “hot mike” comments is the speaker knew the microphone was present, but assumed it was turned off. In “hot mike” cases, the speaker is known and the relevance of their comments usually obvious.

But what about “non-hot mike” comments? That is comments made by a speaker with no sign of a microphone?

Say casual conversation in a restaurant, at a party, in a taxi, in a conversation at home or work, or anywhere in between?

Laws governing the interception of conversations are vast and complex so before processing any conversation data you suspect to be intercepted, seek legal counsel. This post assumes you have been properly cautioned and chosen to proceed with processing conversation data.

Royal Jain, in Intro to audio processing world for a Data scientist, begins a series of posts to help bridge the gap between NLP and speech/audio processing. Jain writes:

Coming from NLP background I had difficulties in understanding the concepts of speech/audio processing even though a lot of underlying science and concepts were the same. This blog series is an attempt to make the transition easier for people having similar difficulties. The First part of this series describes the feature space which is used by most machine learning/deep learning models.

Looking forward to more posts in this series!

Data science ethics advocates will quickly point out that privacy concerns surround the interception of private conversations.

They’re right!

But when the privacy in question belongs to those who plan, fund and execute regime-change wars, killing hundreds of thousands and making refugees out of millions more, generally increasing human misery on a global scale, I have an answer to the ethics question. My question is one of risk assessment.

You?

March 31, 2018

GDPR Linking Guide

Filed under: EU,Privacy — Patrick Durusau @ 2:22 pm

Before you go completely dark for anyone located in the EU, a list of URLs for pointing into Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) appears below.

For all of its cleverness, the EU could not develop an intuitive ID scheme, something like “art-1, art-2,” choosing instead, “d1e1404-1-1 and d1e1455-1-1,” plus 97 more for all the sections. Guessing those section ids for the HTML version is difficult.

To solve that problem, use the following links for English (your language url + the #id for other languages):

I plan on hosting an improved but unofficial version that has predictable links not only for section headings but sub-sections and paragraphs as well. Watch for a note about that version.

If the EU were truly interested in the privacy of natural persons, they would be advocating and supporting the use of Tor servers and browsers.

But, they’re not.

Draw your own conclusions for their failure to do so.

PS: Please copy, modify, share these links for any reason, but especially to promote discussion of this lame approach to privacy by the EU.

March 24, 2018

The Dark Web = Freedom of Speech

Filed under: Censorship,Free Speech,Privacy — Patrick Durusau @ 4:49 pm

Freedom of speech never was all that popular in the United States and recently it has become even less so.

Craigslist personals, some subreddits disappear after FOSTA passage by Cyrus Farivar.

From the post:

In the wake of this week’s passage of the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA) bill in both houses of Congress on Wednesday, Craigslist has removed its “Personals” section entirely, and Reddit has removed some related subreddits, likely out of fear of future lawsuits.

FOSTA, which awaits the signature of President Donald Trump before becoming law, removes some portions of Section 230 of the Communications Decency Act. The landmark 1996 law shields website operators that host third-party content (such as commenters, for example) from civil liability. The new bill is aimed squarely at Backpage, a notorious website that continues to allow prostitution advertisements and has been under federal scrutiny for years.

I am deeply saddened to report that the House vote was 388 ayes and 25 noes and the Senate vote was 97 to 2.

You can follow the EFF lead as they piss and moan about this latest outrage. But all their activity (and fund raising) didn’t prevent its passage. So, what are the odds the EFF will get it repealed? That’s what I thought.

I’m not looking for Craigslist to jump to the Dark Web but certainly subreddits should be able to make the switch. The more subreddits, along with new sites and services that switch to the Dark Web, the more its usage and bandwidth will grow. Looking forward to the day when the default configuration of new computers is for the Dark Web. The “open” web being an optional choice with appropriate warnings.

If you are not (yet) a Dark Web jockey, try: How To Access Notorious Dark Web Anonymously (10 Step Guide). Enough to get you started and to demonstrate the potential of the Dark Web.

February 20, 2018

The EFF, Privilege, Revolution

Filed under: Cybersecurity,Politics,Privacy — Patrick Durusau @ 8:57 pm

The Revolution and Slack by Gennie Gebhart and Cindy Cohn.

From the post:

The revolution will not be televised, but it may be hosted on Slack. Community groups, activists, and workers in the United States are increasingly gravitating toward the popular collaboration tool to communicate and coordinate efforts. But many of the people using Slack for political organizing and activism are not fully aware of the ways Slack falls short in serving their security needs. Slack has yet to support this community in its default settings or in its ongoing design.

We urge Slack to recognize the community organizers and activists using its platform and take more steps to protect them. In the meantime, this post provides context and things to consider when choosing a platform for political organizing, as well as some tips about how to set Slack up to best protect your community.

Great security advice for organizers and activists who choose to use Slack.

But let’s be realistic about “revolution.” The EFF, community organizers and activists who would use Slack, are by definition, not revolutionaries.

How else would you explain the pantheon of legal cases pursued by the EFF? When the EFF lost, did it seek remedies by other means? Did it take illegal action to protect/avenge injured innocents?

Privilege is what enables people to say, “I’m using the law to oppose X,” while other people are suffering the consequences of X.

Privilege holders != revolutionaries.

FYI any potential revolutionaries: If “on the Internet, no one knows you’re a dog,” it’s also true “no one knows you are a government agent.”

February 8, 2018

Running a Tor Relay (New Guide)

Filed under: Privacy,Security,Tor — Patrick Durusau @ 10:45 am

The New Guide to Running a Tor Relay

Have we told you lately how much we love our relay operators? Relays are the backbone of the Tor network, providing strength and bandwidth for our millions of users worldwide. Without the thousands of fast, reliable relays in the network, Tor wouldn’t exist.

Have you considered running a relay, but didn’t know where to start? Perhaps you’re just looking for a way to help Tor, but you’ve always thought that running a relay was too complicated or technical for you and the documentation seemed daunting.

We’re here to tell you that you can become one of the many thousands of relay operators powering the Tor network, if you have some basic command-line experience.

If you can’t help support the Tor network by running a relay, don’t despair! There are always ways to volunteer and, of course, to donate.

Your support helps everyone who uses Tor and sometimes results in really cool graphics, like this one for running a Tor relay:

If you want something a bit closer to the edge, try creating a graphic where spy rays from corporations and governments bounce off of secure autos, computers, homes, phones.

January 31, 2018

Don’t Mix Public and Dark Web Use of A Bitcoin Address

Filed under: Cybersecurity,Dark Web,Privacy,Security — Patrick Durusau @ 10:30 am

Bitcoin payments used to unmask dark web users by John E Dunn.

From the post:

Researchers have discovered a way of identifying those who bought or sold goods on the dark web, by forensically connecting them to Bitcoin transactions.

It sounds counter-intuitive. The dark web comprises thousands of hidden services accessed through an anonymity-protecting system, usually Tor.

Bitcoin transactions, meanwhile, are supposed to be pseudonymous, which is to say visible to everyone but not in a way that can easily be connected to someone’s identity.

If you believe that putting these two technologies together should result in perfect anonymity, you might want to read When A Small Leak Sinks A Great Ship to hear some bad news:

Researchers matched Bitcoin addresses found on the dark web with those found on the public web. Depending on the amount of information on the public web, this identified named individuals.

Black Letter Rule: Maintain separate Bitcoin accounts for each online persona.

Black Letter Rule: Never use a public persona on the dark web or a dark web persona on the public web.

Black Letter Rule: Never make Bitcoin transactions between public versus dark web personas.

Remind yourself of basic OpSec rules every day.
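As an added example (not the paper’s code and not from the post), here is how the linkage gets found in practice: a union-find over transaction inputs implements the common-input-ownership heuristic (all inputs of one transaction were signed by one wallet), and two labelled address lists are then checked against each other for direct reuse, shared clusters and direct payments. The transactions and address labels are constructed for the demonstration; real data would come from a block explorer or a full node.

```python
"""Address linkage check (added example; constructed data, not the paper's).

Three ways a public-web address gets tied to a dark web address:
  1. the same address appears in both places;
  2. two addresses are spent together as inputs of one transaction
     (common-input-ownership heuristic: one wallet signed all inputs);
  3. one persona's address pays the other persona's address directly.
Transactions and address lists below are invented for the demonstration.
"""


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """Map every address to a cluster id; inputs of one tx share a cluster."""
    ds = DisjointSet()
    for tx in transactions:
        for addr in tx["inputs"] + tx["outputs"]:
            ds.find(addr)  # register singletons too
        for addr in tx["inputs"][1:]:
            ds.union(tx["inputs"][0], addr)
    return {addr: ds.find(addr) for addr in list(ds.parent)}


def find_linkages(transactions, public_addrs, hidden_addrs):
    """Return (public_addr, hidden_addr, reason) triples linking the two personas."""
    public, hidden = set(public_addrs), set(hidden_addrs)
    clusters = cluster_addresses(transactions)
    links = []
    # 1. the same address used on both webs
    for addr in sorted(public & hidden):
        links.append((addr, addr, "same address on both webs"))
    # 2. addresses co-spent as inputs of one transaction
    for p in sorted(public):
        for h in sorted(hidden):
            if p != h and clusters.get(p) is not None and clusters.get(p) == clusters.get(h):
                links.append((p, h, "co-spent as inputs of one tx"))
    # 3. a payment from one persona to the other
    for tx in transactions:
        for src in tx["inputs"]:
            for dst in tx["outputs"]:
                if src in public and dst in hidden:
                    links.append((src, dst, f"payment {src} -> {dst}"))
                elif src in hidden and dst in public:
                    links.append((dst, src, f"payment {src} -> {dst}"))
    return links


# Constructed sample: "pub-*" addresses were posted next to a real name
# (blog donation button, forum signature); "drk-*" appear on a vendor page.
PUBLIC = ["pub-blog", "pub-forum"]
HIDDEN = ["drk-vendor1", "drk-vendor2", "drk-vendor3", "pub-forum"]
TXS = [
    {"inputs": ["pub-blog", "drk-vendor1"], "outputs": ["exchange-deposit", "change-1"]},
    {"inputs": ["pub-forum"], "outputs": ["drk-vendor2"]},
    {"inputs": ["drk-vendor3"], "outputs": ["somebody-else"]},
]

if __name__ == "__main__":
    for p, h, why in find_linkages(TXS, PUBLIC, HIDDEN):
        print(f"{p} <-> {h}: {why}")
```

Each of the three rules above breaks one of the three Black Letter Rules; the multi-input heuristic is the one people forget, because a wallet can silently pull inputs from both personas into a single spend.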

January 22, 2018

EFF Investigates Dark Caracal (But Why?)

Filed under: Cybersecurity,Electronic Frontier Foundation,Government,Privacy,Security — Patrick Durusau @ 9:19 pm

Someone is touting a mobile, PC spyware platform called Dark Caracal to governments by Iain Thomson.

From the post:

An investigation by the Electronic Frontier Foundation and security biz Lookout has uncovered Dark Caracal, a surveillance-toolkit-for-hire that has been used to suck huge amounts of data from Android mobiles and Windows desktop PCs around the world.

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last year.

Crucially, it appears someone is renting out the Dark Caracal spyware platform to nation-state snoops.

The EFF could be spending its time and resources duplicating Dark Caracal for the average citizen.

Instead the EFF continues its quixotic pursuit of governmental wrong-doers. I say “quixotic” because those pilloried by the EFF, such as the NSA, never change their behavior. Unlawful conduct, including surveillance continues.

But don’t take my word for it, the NSA admits that it deletes data it promised under court order to preserve: NSA deleted surveillance data it pledged to preserve. No consequences. Just like there were no consequences when Snowden revealed widespread and illegal surveillance by the NSA.

So you have to wonder, if investigating and suing governmental intelligence organizations produces no tangible results, why is the EFF pursuing them?

If the average citizen had the equivalent of Dark Caracal at their disposal, say as desktop software, the ability of governments like Lebanon, Kazakhstan, and others, to hide their crimes, would be greatly reduced.

Exposure is no guarantee of accountability and/or punishment, but the whack-a-mole strategy of the EFF hasn’t produced transparency or consequences.

December 13, 2017

Making an Onion List and Checking It Twice (or more)

Filed under: Privacy,Tor — Patrick Durusau @ 3:51 pm

Bash script to check if .onions and other urls are alive or not

From the post:

The basic idea of this bash script is to feed a list of .onion urls and use torsocks and wget to check if the url is active or not, surely there are many other alternatives but it is always nice to have another option.

Useful script and daily reminder:

Privacy is a privilege you work for, it doesn’t happen by accident.
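The same check in Python, added here as an example and not the bash script the post links to. It validates each .onion hostname first (v2 is 16 base32 characters; v3 is 56 and carries a SHA3-256 checksum plus a version byte, as in Tor’s rend-spec-v3), then performs the SOCKS5 CONNECT handshake itself so that the hostname is resolved by Tor and never by the local DNS resolver, which is the leak torsocks exists to prevent. It assumes Tor’s default SOCKS port at 127.0.0.1:9050 and plain HTTP on the target; the addresses used in the comments are constructed, not real services.

```python
"""Onion liveness checker (added example; not the bash script from the post).

Each hostname is first validated as a v2 (16 base32 chars) or v3 (56 base32
chars, SHA3-256 checksum, version byte 0x03) onion address, then reached by
a SOCKS5 CONNECT through Tor, with the hostname handed to the proxy for
resolution so the .onion name never touches the local DNS resolver (what
torsocks does for wget).  Assumed: Tor's SOCKS port on 127.0.0.1:9050, plain
HTTP on the target (no TLS handling here).
"""
import base64
import hashlib
import socket
import struct
import sys
from urllib.parse import urlsplit

V3_VERSION = b"\x03"


def v3_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def v3_onion_from_pubkey(pubkey: bytes) -> str:
    """onion = base32(PUBKEY || CHECKSUM || VERSION) + '.onion'  (56 chars)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def onion_version(host: str):
    """2 or 3 for a well-formed .onion hostname, None otherwise."""
    host = host.lower()
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")]
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:  # bad length or a non-base32 character
        return None
    if len(label) == 16 and len(raw) == 10:
        return 2
    if (len(label) == 56 and len(raw) == 35 and raw[34:35] == V3_VERSION
            and raw[32:34] == v3_checksum(raw[:32])):
        return 3
    return None


def socks5_connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT with ATYP=3 (domain name): the proxy resolves the name."""
    name = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed connection")
        buf += chunk
    return buf


def socks5_connect(sock, host: str, port: int) -> None:
    sock.sendall(b"\x05\x01\x00")  # version 5, one method offered: no authentication
    ver, method = _recv_exact(sock, 2)
    if ver != 5 or method != 0:
        raise OSError("proxy rejected no-auth method")
    sock.sendall(socks5_connect_request(host, port))
    _ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if rep != 0:
        raise OSError(f"SOCKS5 CONNECT failed, reply code {rep}")
    if atyp == 1:        # drain the bound address + port the proxy reports
        _recv_exact(sock, 4 + 2)
    elif atyp == 3:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    elif atyp == 4:
        _recv_exact(sock, 16 + 2)


def check_url(url: str, proxy=("127.0.0.1", 9050), timeout=30.0):
    """Return (url, status): 'invalid', 'alive:<HTTP status line>' or 'dead:<reason>'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if host.endswith(".onion") and onion_version(host) is None:
        return url, "invalid"
    port = parts.port or 80
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            socks5_connect(s, host, port)
            s.sendall(f"HEAD {parts.path or '/'} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            status = s.recv(128).split(b"\r\n", 1)[0].decode(errors="replace")
            return url, "alive:" + status
    except OSError as exc:
        return url, f"dead:{exc}"


if __name__ == "__main__":
    # usage: python onioncheck.py urls.txt   (one URL per line, '#' comments)
    with open(sys.argv[1]) as f:
        for line in f:
            if line.strip() and not line.startswith("#"):
                print("%s\t%s" % check_url(line.strip()))
```

Rejecting malformed addresses before connecting matters for more than tidiness: a typo that is not a valid onion label would otherwise be sent to the proxy, and with a misconfigured proxy setting it would go straight to your ISP’s resolver.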

November 15, 2017

Going Among Capitalists? Don’t Forget Your S8 USB Cable!

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 5:45 pm

Teardown of a consumer voice/location cellular spying device that fits in the tip of a USB cable by Cory Doctorow.

From the post:

Mich from ha.cking bought a $25 “S8 data line locator” device — a cellular spying tool, disguised as a USB cable and marketed to the general public — and did a teardown of the gadget, offering a glimpse into the world of “trickle down surveillance” where the kinds of surveillance tools used by the NSA are turned into products and sold to randos over the internet for $25.

The S8 makes use of the GSM cellular network and takes a regular micro-SIM, and can use any of the international GSM bands. You communicate with it by sending it SMSes or by using a web front-end, which causes it to switch on a hidden mic so you can listen in on its surroundings; it can also give a coarse approximation of its location (based on GSM towers, not GPS, and accurate to within about 1.57km).

For all the technical details see: Inside a low budget consumer hardware espionage implant by mich @0x6d696368.

In some legal jurisdictions use of this cable may be construed as a crime. But, as US torture of prisoners, NSA surveillance, and numerous other crimes by US operatives demonstrate, prosecution of crimes is at the whim and caprice of prosecutors.

Calling something a “crime” is pejorative labeling for media purposes, unless you are a prosecutor deciding on prosecution. Otherwise, it’s just labeling.

November 7, 2017

Intel MINIX – Universal Vulnerability?

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 7:03 pm

MINIX — The most popular OS in the world, thanks to Intel by Bryan Lunduke

Unlike most claims of being “widespread,” the claims about MINIX, an undocumented OS running on the Intel Management Engine inside Intel chipsets, appear to be true.

From the post:


MINIX is running on “Ring -3” (that’s “negative 3”) on its own CPU. A CPU that you, the user/owner of the machine, have no access to. The lowest “Ring” you have any real access to is “Ring 0,” which is where the kernel of your OS (the one that you actually chose to use, such as Linux) resides. Most user applications take place in “Ring 3” (without the negative).

The second thing to make my head explode: You have zero access to “Ring -3” / MINIX. But MINIX has total and complete access to the entirety of your computer. All of it. It knows all and sees all, which presents a huge security risk — especially if MINIX, on that super-secret Ring -3 CPU, is running many services and isn’t updated regularly with security patches.

For details, see Replace your exploit-ridden firmware with a Linux kernel, by Ron Minnich, et al. (Seventy-one (71) slides. File name: Replace UEFI with Linux.pdf. I grabbed a copy just in case this one goes away.)

Intel material on UEFI.

Unified Extensible Firmware Interface Forum, consortium website. For the latest versions of specifications see: http://www.uefi.org/specifications but as of today, see:

ACPI Specification Version 6.2 (Errata A)

ACPI can first be understood as an architecture-independent power management and configuration framework that forms a subsystem within the host OS. This framework establishes a hardware register set to define power states (sleep, hibernate, wake, etc). The hardware register set can accommodate operations on dedicated hardware and general purpose hardware. [page 1; 1,177 pages]

UEFI Specification Version 2.7 (Errata A)

This Unified Extensible Firmware Interface (hereafter known as UEFI) Specification describes an interface between the operating system (OS) and the platform firmware. UEFI was preceded by the Extensible Firmware Interface Specification 1.10 (EFI). As a result, some code and certain protocol names retain the EFI designation. Unless otherwise noted, EFI designations in this specification may be assumed to be part of UEFI.

The interface is in the form of data tables that contain platform-related information, and boot and runtime service calls that are available to the OS loader and the OS. Together, these provide a standard environment for booting an OS. This specification is designed as a pure interface specification. As such, the specification defines the set of interfaces and structures that platform firmware must implement. Similarly, the specification defines the set of interfaces and structures that the OS may use in booting. How either the firmware developer chooses to implement the required elements or the OS developer chooses to make use of those interfaces and structures is an implementation decision left for the developer.

Using this formal definition, a shrink-wrap OS intended to run on platforms compatible with supported processor specifications will be able to boot on a variety of system designs without further platform or OS customization. The definition will also allow for platform innovation to introduce new features and functionality that enhance platform capability without requiring new code to be written in the OS boot sequence. [page 1; 2,575 pages]

UEFI Shell Specification Version 2.2

The UEFI Shell environment provides an API, a command prompt and a rich set of commands that extend and enhance the UEFI Shell’s capability. [page 1; 258 pages]

UEFI Platform Initialization Specification Version 1.6

This specification defines the core code and services that are required for an implementation of the Pre-EFI Initialization (PEI) phase of the Platform Initialization (PI) specifications (hereafter referred to as the “PI Architecture”). This PEI core interface specification (CIS) does the following: [vol. 1, page 1; 1,627 pages]

UEFI Platform Initialization Distribution Packaging Specification Version 1.1

This specification defines the overall architecture and external interfaces that are required for distribution of UEFI/PI source and binary files. [page 1; 359 pages]

TCG EFI Platform Specification

PC Client Work Group EFI Platform Specification, Version 1.22, Revision 15

This document is about the processes that boot an Extensible Firmware Interface (EFI) platform and load an OS on that platform. Specifically, this specification contains the requirements for measuring EFI unique events into TPM PCRs and adding boot event entries into the Event Log. [page 5; 43 pages]

TCG EFI Protocol Specification

PC Client Work Group EFI Protocol Specification, Family “2.0”, Level 00, Revision 00.13

The purpose of this document is to define a standard interface to the TPM on an EFI platform. This standard interface is useful on any instantiations of an EFI platform that conforms to the EFI Specification. This EFI Protocol Specification is a pure interface specification that provides no information on “how” to construct the underlying firmware implementation. [page 9; 46 pages]
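What “measuring EFI unique events into TPM PCRs” amounts to, as an added example with a constructed boot log (this is not code from the TCG or the UEFI Forum): firmware extends a digest of each boot event into a PCR and appends the event to the log, and a verifier replays the log and compares the result with the PCR values the TPM itself reports in a quote. The event type names are the spec’s; the measured bytes are invented, and only the SHA-256 bank is modelled.

```python
"""TPM event log replay (added example; constructed log, not a real machine's).

The TCG EFI specs require firmware to extend a digest of each boot event into
a PCR and to append the event to a log.  A verifier never trusts the log on
its own: it replays it with PCR = H(PCR || digest) from the all-zero initial
value and compares the result with the PCR values the TPM reports in a signed
quote.  Any edited, dropped or reordered entry changes the replayed value.
"""
import hashlib

PCR_INIT = bytes(32)  # SHA-256 PCRs start at all zeros after reset


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one bank: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log):
    """log: sequence of (pcr_index, event_type, measured_bytes).
    Returns {pcr_index: replayed value}.  The measured bytes are what the
    firmware hashed (for EV_EFI_BOOT_SERVICES_APPLICATION that is the PE
    image itself, not the device-path event data stored next to it)."""
    pcrs = {}
    for idx, _etype, measured in log:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), hashlib.sha256(measured).digest())
    return pcrs


def verify(log, quoted):
    """PCR indices from `quoted` whose replayed value differs from the quote."""
    replayed = replay(log)
    return sorted(i for i, val in quoted.items() if replayed.get(i, PCR_INIT) != val)


# Constructed boot log, in the order the firmware would write it.
SAMPLE_LOG = [
    (0, "EV_S_CRTM_VERSION", b"CRTM v1.0 (constructed)"),
    (0, "EV_EFI_PLATFORM_FIRMWARE_BLOB", b"<firmware volume bytes>"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
    (4, "EV_EFI_ACTION", b"Calling EFI Application from Boot Option"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"<boot loader PE image bytes>"),
]


def demo():
    """Quote taken from an honest replay, then three tampered logs."""
    quoted = replay(SAMPLE_LOG)
    edited = list(SAMPLE_LOG)
    edited[4] = (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"<evil boot loader>")
    dropped = SAMPLE_LOG[:2] + SAMPLE_LOG[3:]          # Secure Boot entry removed
    reordered = SAMPLE_LOG[:3] + [SAMPLE_LOG[4], SAMPLE_LOG[3]]
    return {
        "honest": verify(SAMPLE_LOG, quoted),
        "edited": verify(edited, quoted),
        "dropped": verify(dropped, quoted),
        "reordered": verify(reordered, quoted),
    }


if __name__ == "__main__":
    for name, bad in demo().items():
        print(f"{name:10s} mismatching PCRs: {bad}")
    for i, v in sorted(replay(SAMPLE_LOG).items()):
        print(f"PCR[{i}] = {v.hex()}")
```

The caveat the page is driving at: the replay only proves the log matches what the TPM saw. It says nothing about what the Management Engine did before or beside the measured boot, because nothing it runs is extended into any PCR.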

By my count, 5,585 pages from the Unified Extensible Firmware Interface Forum, consortium website alone.

Of course, then you need to integrate it with other documentation, your test results and the results of others, not to mention blogs and other sources.

Breaking this content into useful subjects would be non-trivial, but how much are universal vulnerabilities worth?

October 12, 2017

Cheap Tracking of Public Officials/Police

Filed under: Image Recognition,Machine Learning,Privacy — Patrick Durusau @ 2:12 pm

The use of license plate readers by law enforcement and others is on the rise. Such readers record the location of your license plate at a particular time and place. They also relieve public bodies of large sums of money.

How I replicated an $86 million project in 57 lines of code by Tait Brown details how he used open source software to create a “…good enough…” license plate reader for far less than the ticket price of $86 million.

Brown has an amusing (read unrealistic) good Samaritan scenario for his less expensive/more extensive surveillance system:


While it’s easy to get caught up in the Orwellian nature of an “always on” network of license plate snitchers, there are many positive applications of this technology. Imagine a passive system scanning fellow motorists for an abductor’s car that automatically alerts authorities and family members to their current location and direction.

Tesla vehicles are already brimming with cameras and sensors with the ability to receive OTA updates — imagine turning them into a virtual fleet of good samaritans. Uber and Lyft drivers could also be outfitted with these devices to dramatically increase the coverage area.

Using open source technology and existing components, it seems possible to offer a solution that provides a much higher rate of return — for an investment much less than $86M.

The better use of Brown’s less expensive/more extensive surveillance system is tracking police and public official cars. Invite them to the gold fish bowl they have created for all the rest of us.

A great public data resource for testing testimony about the presence/absence of police officers at crime scenes, protests, long rides to the police station and public officials consorting with co-conspirators.

ACLU calls for the government to monitor itself reflect an unhealthy confidence in governmental integrity. Only a close watch on government by citizens enables governmental integrity.

September 25, 2017

Evidence of Government Surveillance in Mexico Continues to Mount [Is This News?]

Filed under: Cybersecurity,Government,Journalism,News,Privacy,Reporting,Security — Patrick Durusau @ 4:19 pm

Evidence of Government Surveillance in Mexico Continues to Mount by Giovanna Salazar, translated by Omar Ocampo.

From the post:

In early September, further attempts to spy on activists in Mexico were confirmed. The president of Mexicans Against Corruption and Impunity (MCCI), an organization dedicated to investigative journalism, received several SMS messages that were intended to infect his mobile device with malicious software.

According to The New York Times, Claudio X. González Guajardo was threatened with Pegasus, a sophisticated espionage tool or “spyware” sold exclusively to governments that was acquired by the Mexican government in 2014 and 2015, with the alleged intention of combating organized crime. Once installed, Pegasus spyware allows the sender or attacker to access files on the targeted device, such as text messages, emails, passwords, contacts list, calendars, videos and photographs. It even allows the microphone and camera to activate at any time, inadvertently, on the infected device.

Salazar’s careful analysis of the evidence leaves little doubt:

these intrusive technologies are being used to intimidate and silence dissent.

But is this news?

I ask because my starting assumption is that governments buy surveillance technologies to invade the privacy of their citizens. The other reason would be?

You may think some targets merit surveillance, such as drug dealers, corrupt officials, but once you put surveillance tools in the hands of government, all citizens are living in the same goldfish bowl. Whether we are guilty of any crime or not.

The use of surveillance “to intimidate and silence dissent” is as natural to government as corruption.

The saddest part of Salazar’s report is that Pegasus is sold exclusively to governments.

Citizens need a free, open source edition of Pegasus Next Generation with which to spy on governments, businesses, banks, etc.

A way to invite them into the goldfish bowl in which ordinary citizens already live.

The ordinary citizen has no privacy left to lose.

The question is when current spy masters will lose theirs as well?

September 22, 2017

Warrantless Stingray Unconstitutional – Ho-Hum

Filed under: Government,Privacy — Patrick Durusau @ 2:33 pm

Tracking phones without a warrant ruled unconstitutional by Lisa Vaas.

From the post:

A Washington DC Court of Appeals said on Thursday that law enforcement’s warrantless use of stingrays—suitcase-sized cell site simulators that mimic a cell tower and that trick nearby phones into connecting and giving up their identifying information and location—violates the Constitution’s Fourth Amendment protection against unreasonable search.

The ruling (PDF) overturned the conviction of a robbery and sexual assault suspect. In its decision, the DC Court of Appeals determined the use of the cell-site simulator “to locate a person through his or her cellphone invades the person’s actual, legitimate and reasonable expectation of privacy in his or her location information and is a search.”

Civil libertarians will be celebrating this decision! But the requirements of Jones vs. US are:

  1. You MUST commit a crime.
  2. You MUST be arrested for the crime in #1.
  3. You MUST be prosecuted for the crime in #1.
  4. The prosecutor MUST rely on evidence from use of a warrantless stingray.
  5. The evidence in #4 MUST be crucial to proving your guilt, otherwise you are convicted on other evidence.

If any of those five requirements are missing, you don’t profit from Jones vs. US.

The exclusionary rule, the rule that excludes unconstitutionally obtained evidence sounds great, but unless you meet all its requirements, you are SOL.

For example, what if your phone and the phones of other protesters are subject to warrantless surveillance at a pro-environment rally? Or at a classic political rally? Or at a music concert? The government is just gathering data on who attended.

The exclusionary rule doesn’t do anything for you in those cases. Your identity has been unlawfully obtained, unconstitutionally as constitutional lawyers are fond of saying, but there is no relief for you in Jones vs. US.

Glad the DC Court of Appeals took that position but it has little bearing on your privacy in the streets of the United States.

September 18, 2017

Darkening the Dark Web

Filed under: Cybersecurity,Privacy,Security,Tor — Patrick Durusau @ 8:47 pm

I encountered Andy Greenberg‘s post, It’s About to Get Even Easier to Hide on the Dark Web (20 January 2017), and was happy to read:

From the post:


The next generation of hidden services will use a clever method to protect the secrecy of those addresses. Instead of declaring their .onion address to hidden service directories, they’ll instead derive a unique cryptographic key from that address, and give that key to Tor’s hidden service directories. Any Tor user looking for a certain hidden service can perform that same derivation to check the key and route themselves to the correct darknet site. But the hidden service directory can’t derive the .onion address from the key, preventing snoops from discovering any secret darknet address. “The Tor network isn’t going to give you any way to learn about an onion address you don’t already know,” says Mathewson.

The result, Mathewson says, will be darknet sites with new, stealthier applications. A small group of collaborators could, for instance, host files on a computer known to only to them. No one else could ever even find that machine, much less access it. You could host a hidden service on your own computer, creating a way to untraceably connect to it from anywhere in the world, while keeping its existence secret from snoops. Mathewson himself hosts a password-protected family wiki and calendar on a Tor hidden service, and now says he’ll be able to do away with the site’s password protection without fear of anyone learning his family’s weekend plans. (Tor does already offer a method to make hidden services inaccessible to all but certain Tor browsers, but it involves finicky changes to the browser’s configuration files. The new system, Mathewson says, makes that level of secrecy far more accessible to the average user.)

The next generation of hidden services will also switch from using 1024-bit RSA encryption keys to shorter but tougher-to-crack ED-25519 elliptic curve keys. And the hidden service directory changes mean that hidden service urls will change, too, from 16 characters to 50. But Mathewson argues that change doesn’t effect the dark web addresses’ usability since they’re already too long to memorize.

Your wait to test these new features for darkening the dark web is over!

Tor 0.3.2.1-alpha is released, with support for next-gen onion services and KIST scheduler

From the post:

And as if all those other releases today were not enough, this is also the time for a new alpha release series!

Tor 0.3.2.1-alpha is the first release in the 0.3.2.x series. It includes support for our next-generation (“v3”) onion service protocol, and adds a new circuit scheduler for more responsive forwarding decisions from relays. There are also numerous other small features and bugfixes here.

You can download the source from the usual place on the website. Binary packages should be available soon, with an alpha Tor Browser likely by the end of the month.

Remember: This is an alpha release, and it’s likely to have more bugs than usual. We hope that people will try it out to find and report bugs, though.

The Vietnam War series by Ken Burns and Lynn Novick makes it clear the United States government lies and undertakes criminal acts for reasons hidden from the public. To trust any assurance by that government of your privacy, freedom of speech, etc., is an act of madness.

Will you volunteer to help with the Tor project or place your confidence in government?

It really is that simple.

September 5, 2017

Tor Browser 7.0.5 is released – Upgrade! Stay Ahead of Spies!

Filed under: Privacy,Tor — Patrick Durusau @ 4:47 pm

Tor Browser 7.0.5 is released

From the webpage:

Tor Browser 7.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release makes HTTPS-Everywhere compatible with Tor Browser on higher security levels and ensures that browser windows on macOS are properly rounded.

Well, no guarantee you will stay ahead of spies but using the current release of Tor is the best one can do. At least for browsers.

Enjoy!

September 1, 2017

US Labor Day (sic) Security Reading

Filed under: Cybersecurity,Government,Privacy,Security — Patrick Durusau @ 9:16 pm

I know, for the US to have a “labor day” holiday is a jest too cruel for laughter.

But, many people will have a long weekend, starting tomorrow, so suggested reading is in order.

Surveillance Self-Defense, a project of the EFF, has security “playlists” for:

Academic researcher? Learn the best ways to minimize harm in the conduct of your research.

Activist or protester? How to keep you and your communications safe wherever your campaigning takes you.

Human rights defender? Recipes for organizations who need to keep safe from government eavesdroppers.

Journalism student? Lessons in security they might not teach at your j-school.

Journalist on the move? How to stay safe online anywhere without sacrificing access to information.

LGBTQ youth? Tips and tools to help you more safely access LGBTQ resources, navigate social networks, and avoid snoopers.

Mac user? Tips and tools to help you protect your data and communications.

Online security veteran? Advanced guides to enhance your surveillance self-defense skill set.

Want a security starter pack? Start from the beginning with a selection of simple steps.

Have a great weekend!

August 8, 2017

Radio Navigation, Dodging Government GPS

Filed under: Government,GPS,Privacy — Patrick Durusau @ 4:26 pm

Radio navigation set to make global return as GPS backup, because cyber by Sean Gallagher.

From the post:

Way back in the 1980s, when I was a young naval officer, the Global Positioning System was still in its experimental stage. If you were in the middle of the ocean on a cloudy night, there was pretty much only one reliable way to know where you were: Loran-C, the hyperbolic low-frequency radio navigation system. Using a global network of terrestrial radio beacons, Loran-C gave navigators aboard ships and aircraft the ability to get a fix on their location within a few hundred feet by using the difference in the timing of two or more beacon signals.

An evolution of World War II technology (LORAN was an acronym for long-range navigation), Loran-C was considered obsolete by many once GPS was widely available. In 2010, after the US Coast Guard declared that it was no longer required, the US and Canada shut down their Loran-C beacons. Between 2010 and 2015, nearly everyone else shut down their radio beacons, too. The trial of an enhanced Loran service called eLoran that was accurate within 20 meters (65 feet) also wrapped up during this time.

But now there’s increasing concern about over-reliance in the navigational realm on GPS. Since GPS signals from satellites are relatively weak, they are prone to interference, accidental or deliberate. And GPS can be jammed or spoofed—portable equipment can easily drown them out or broadcast fake signals that can make GPS receivers give incorrect position data. The same is true of the Russian-built GLONASS system.

Sean focuses on the “national security” needs for a backup to GPS but it isn’t North Koreans, Chinese or Russians who are using Stingray devices against US citizens.

No, those are all in use by agents of the federal and/or state governments. Ditto for anyone spoofing your GPS in the United States.

You need a GPS backup, but your adversary is quite close to home.

The protocol is called eLoran and Sean has a non-technical overview of it.

You would need unusual requirements to justify a private eLoran network, but to give you an idea of what is possible:


eLoran technology has been available since the mid-1990s and is still available today. In fact, the state-of-the-art of eLoran continues to advance along with other 21st-century technology. eLoran system technology can be broken down into a few simple components: transmitting site, control and monitor site, differential reference station site and user equipment.

Modern transmitting site equipment consists of a high-power, modular, fully redundant, hot-swappable and software configurable transmitter, and sophisticated timing and control equipment. Standard transmitter configurations are available in power ranges from 125 kilowatts to 1.5 megawatts. The timing and control equipment includes a variety of external timing inputs to a remote time scale, and a local time scale consisting of three ensembled cesium-based primary reference standards. The local time scale is not directly coupled to the remote time scale. Having a robust local time scale while still monitoring many types of external time sources provides a unique ability to provide proof-of-position and proof-of-time. Modern eLoran transmitting site equipment is smaller, lighter, requires less input power, and generates significantly less waste heat than previously used Loran-C equipment.

The core technology at a differential eLoran reference station site consists of three differential eLoran reference station or integrity monitors (RSIMs) configurable as reference station (RS) or integrity monitor (IM) or hot standby (RS or IM). The site includes electric field (E-field) antennas for each of the three RSIMs.

Modern eLoran receivers are really software-defined radios, and are backward compatible with Loran-C and forward compatible, through firmware or software changes. ASF tables are included in the receivers, and can be updated via the Loran data channel. eLoran receivers can be standalone or integrated with GNSS, inertial navigation systems, chip-scale atomic clocks, barometric altimeters, sensors for signals-of-opportunity, and so on. Basically, any technology that can be integrated with GPS can also be integrated with eLoran.
Innovation: Enhanced Loran, GPS World (May, 2015)
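To make the timing-difference fix Sean describes concrete, here is an added example (a constructed station layout in kilometres on a flat plane, not taken from the post or from GPS World) that computes a hyperbolic fix from time differences with Gauss-Newton, then shows what a one-microsecond spoofed timing on a single station does to the fix. Real receivers work on the ellipsoid and apply the ASF corrections the quote mentions; none of that is modelled here.

```python
"""Hyperbolic (TDOA) position fix, the way a Loran-C/eLoran receiver gets one
(added example; constructed station layout, flat plane in kilometres)."""
import math

C_KM_PER_US = 0.299792458  # speed of light, km per microsecond

# Constructed chain: one master, three secondaries, receiver somewhere inside.
MASTER = (0.0, 0.0)
SECONDARIES = [(100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]
TRUE_POS = (30.0, 40.0)


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def time_differences(position, master, secondaries):
    """TD_i a receiver at `position` measures: secondary i's pulse minus the
    master's, after the fixed emission delay is removed (microseconds)."""
    dm = dist(position, master)
    return [(dist(position, s) - dm) / C_KM_PER_US for s in secondaries]


def solve_2x2(a, b, c, d, e, f):
    """Solve [[a, b], [c, d]] (x, y) = (e, f) by Cramer's rule."""
    det = a * d - b * c
    if abs(det) < 1e-12:
        raise ValueError("degenerate station geometry")
    return (e * d - b * f) / det, (a * f - c * e) / det


def tdoa_fix(tds, master, secondaries, guess, iterations=50, tol=1e-9):
    """Gauss-Newton on r_i(p) = |p - S_i| - |p - M| - c*TD_i.  Each TD_i is one
    hyperbola; the fix is their least-squares intersection.  A rough starting
    guess is needed because two hyperbolae can intersect twice."""
    x, y = guess
    for _ in range(iterations):
        dm = dist((x, y), master)
        um = ((x - master[0]) / dm, (y - master[1]) / dm)   # unit vector from M
        jtj = [[0.0, 0.0], [0.0, 0.0]]
        jtr = [0.0, 0.0]
        for s, td in zip(secondaries, tds):
            ds = dist((x, y), s)
            us = ((x - s[0]) / ds, (y - s[1]) / ds)
            row = (us[0] - um[0], us[1] - um[1])                # d r_i / d p
            r = ds - dm - C_KM_PER_US * td
            jtj[0][0] += row[0] * row[0]
            jtj[0][1] += row[0] * row[1]
            jtj[1][0] += row[1] * row[0]
            jtj[1][1] += row[1] * row[1]
            jtr[0] += row[0] * r
            jtr[1] += row[1] * r
        # normal equations: (J^T J) step = -J^T r
        dx, dy = solve_2x2(jtj[0][0], jtj[0][1], jtj[1][0], jtj[1][1], -jtr[0], -jtr[1])
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    return x, y


def demo():
    """Honest fix, then the fix after one station's timing is off by 1 µs."""
    tds = time_differences(TRUE_POS, MASTER, SECONDARIES)
    honest = tdoa_fix(tds, MASTER, SECONDARIES, guess=(50.0, 50.0))
    spoofed_tds = list(tds)
    spoofed_tds[0] += 1.0  # one microsecond is about 300 m of path
    spoofed = tdoa_fix(spoofed_tds, MASTER, SECONDARIES, guess=(50.0, 50.0))
    return honest, spoofed


if __name__ == "__main__":
    honest, spoofed = demo()
    print("honest fix : (%.4f, %.4f) km, error %.1f m" % (*honest, 1000 * dist(honest, TRUE_POS)))
    print("spoofed fix: (%.4f, %.4f) km, error %.1f m" % (*spoofed, 1000 * dist(spoofed, TRUE_POS)))
```

With four stations the fix is over-determined, so a single bad timing shows up as a non-zero residual after the solve; that residual is the receiver-side integrity check, and it is the same reason a ground-based system with a third and fourth station is harder to spoof quietly than one satellite-looking signal.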

Some people are happy with government controlled services. Other people, not so much.

Who is determining your location?

June 22, 2017

See Through Walls With WiFi!

Filed under: Privacy — Patrick Durusau @ 7:07 pm

Drones that can see through walls using only Wi-Fi

From the post:

A Wi-Fi transmitter and two drones. That’s all scientists need to create a 3D map of the interior of your house. Researchers at the University of California, Santa Barbara have successfully demonstrated how two drones working in tandem can ‘see through’ solid walls to create a 3D model of the interiors of a building using only, and we kid you not, only Wi-Fi signals.

As astounding as it sounds, researchers Yasamin Mostofi and Chitra R. Karanam have devised this almost superhero-level X-ray vision technology. “This approach utilizes only Wi-Fi RSSI measurements, does not require any prior measurements in the area of interest and does not need objects to move to be imaged,” explains Mostofi, who teaches electrical and computer engineering at the University.

For the paper and other details, see: 3D Through-Wall Imaging With Unmanned Aerial Vehicles and WiFi.

Before some contractor creates the Stingray equivalent for law enforcement, researchers and electronics buffs need to create new and improved versions for the public.

Government and industry offices are more complex than this demo but the technology will continue to improve.

I don’t have the technical ability to carry out the experiment but wondering if measurement of a strong signal from any source as it approaches a building and then its exit on the far side would serve the same purpose?

Reasoning that government/industry buildings may become shielded to some signals but in an age of smart phones, not all.

Enjoy!

June 7, 2017

Tor 7.0! (Won’t Protect You From @theintercept)

Filed under: Cybersecurity,Privacy,Tor — Patrick Durusau @ 7:11 pm

Tor Browser 7.0 Is Out!

The Tor browser is great but recognize its limitations.

A primary one is Tor can’t protect you from poor judgment @theintercept. No software can do that.

Change your other habits as appropriate.
