m Quec.lim's republished posts.
http://quec.li/~m/

Detecting When a Smartphone Has Been Compromised
https://www.schneier.com/blog/archives/2016/07/detecting_when_.html
tag:www.schneier.com,2016:/blog//2.10702
Wed, 27 Jul 2016 14:09:00 -0400
<p>Andrew "bunnie" Huang and Edward Snowden have designed a smartphone case that detects unauthorized transmissions by the phone. <a href="https://www.pubpub.org/pub/direct-radio-introspection/">Paper</a>. <a href="https://www.theguardian.com/us-news/2016/jul/21/phone-case-privacy-data-monitor-bluetooth-wifi-snowden-introspection-engine">Three</a> <a href="https://www.wired.com/2016/07/snowden-designs-device-warn-iphones-radio-snitches/">news</a> <a href="http://www.bbc.com/news/technology-36865209">articles</a>.</p>
<p>Looks like a clever design. Of course, it has to be outside the device; otherwise, it could be compromised along with the device. Note that this is still in the research design stage; there are no public prototypes.</p>
http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10702

The NSA and "Intelligence Legalism"
https://www.schneier.com/blog/archives/2016/07/the_nsa_and_int.html
tag:www.schneier.com,2016:/blog//2.10704
Wed, 27 Jul 2016 07:47:00 -0400
<p>Interesting law journal paper: "<a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2495844">Intelligence Legalism and the National Security Agency's Civil Liberties Gap</a>," by Margo Schlanger:</p>
<blockquote><p><b>Abstract</b>: This paper examines the National Security Agency, its compliance with legal constraints and its respect for civil liberties. But even if perfect compliance could be achieved, it is too paltry a goal. A good oversight system needs its institutions not just to support and enforce compliance but also to design good rules.
Yet as will become evident, the offices that make up the NSA's compliance system are nearly entirely compliance offices, not policy offices; they work to improve compliance with existing rules, but not to consider the pros and cons of more individually-protective rules and try to increase privacy or civil liberties where the cost of doing so is acceptable. The NSA and the administration in which it sits have thought of civil liberties and privacy only in compliance terms. That is, they have asked only "Can we (legally) do X?" and not "Should we do X?" This preference for the can question over the should question is part and parcel, I argue, of a phenomenon I label "intelligence legalism," whose three crucial and simultaneous features are imposition of substantive rules given the status of law rather than policy; some limited court enforcement of those rules; and empowerment of lawyers. Intelligence legalism has been a useful corrective to the lawlessness that characterized surveillance prior to intelligence reform, in the late 1970s. But I argue that it gives systematically insufficient weight to individual liberty, and that its relentless focus on rights, and compliance, and law has obscured the absence of what should be an additional focus on interests, or balancing, or policy. More is needed; additional attention should be directed both within the NSA and by its overseers to surveillance policy, weighing the security gains from surveillance against the privacy and civil liberties risks and costs. That attention will not be a panacea, but it can play a useful role in filling the civil liberties gap intelligence legalism creates.</p></blockquote>
<p>This is similar to what I wrote in <a href="https://www.schneier.com/books/data_and_goliath/"><i>Data and Goliath</i></a>:</p>
<blockquote><p>There are two levels of oversight. The first is strategic: are the rules we're imposing the correct ones?
For example, the NSA can implement its own procedures to ensure that it's following the rules, but it should not get to decide what rules it should follow....</p>
<p>The other kind of oversight is tactical: are the rules being followed? Mechanisms for this kind of oversight include procedures, audits, approvals, troubleshooting protocols, and so on. The NSA, for example, trains its analysts in the regulations governing their work, audits systems to ensure that those regulations are actually followed, and has instituted reporting and disciplinary procedures for occasions when they're not.</p></blockquote>
<p>It's not enough that the NSA makes sure there is a colorable legal interpretation that authorizes what they do. We need to make sure that their understanding of the law is shared with the outside world, and that what they're doing is a good idea.</p>
http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10704

Inflection
http://xkcd.com/1709/
Wed, 20 Jul 2016 00:00:00 -0400
<img src="http://imgs.xkcd.com/comics/inflection.png" title="&quot;Or maybe, because we're suddenly having so many conversations through written text, we'll start relying MORE on altered spelling to indicate meaning!&quot; &quot;Wat.&quot;" alt="&quot;Or maybe, because we're suddenly having so many conversations through written text, we'll start relying MORE on altered spelling to indicate meaning!&quot; &quot;Wat.&quot;" />
http://quec.li/EntryComments?feed=http%3A%2F%2Fxkcd.com%2Frss.xml&entry=http%3A%2F%2Fxkcd.com%2F1709%2F

Visiting a Website against the Owner's Wishes Is Now a Federal Crime
https://www.schneier.com/blog/archives/2016/07/visiting_a_webs.html
tag:www.schneier.com,2016:/blog//2.10685
Wed, 13 Jul 2016 15:10:00 -0400
<p>While we're on the subject of <a
href="https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/12/9th-circuit-its-a-federal-crime-to-visit-a-website-after-being-told-not-to-visit-it/">terrible 9th Circuit Court rulings</a>:</p>
<blockquote><p>The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act.... Its reasoning appears to be very broad. If I'm reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they're committing a federal crime of accessing your computer without authorization.</p></blockquote>
http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10685

Password Sharing Is Now a Crime
https://www.schneier.com/blog/archives/2016/07/password_sharin_1.html
tag:www.schneier.com,2016:/blog//2.10684
Wed, 13 Jul 2016 12:07:00 -0400
<p>In a truly terrible ruling, the US 9th Circuit Court ruled that using someone else's password with their permission but without the permission of the site owner is a <a href="https://motherboard.vice.com/read/password-sharing-is-a-federal-crime">federal crime</a>.</p>
<blockquote><p>The argument McKeown made is that the employee who shared the password with Nosal "had no authority from Korn/Ferry to provide her password to former employees."</p>
<p>At issue is language in the CFAA that makes it illegal to access a computer system "without authorization." McKeown said that "without authorization" is "an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission."
The question <a href="https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/06/password-sharing-case-divides-ninth-circuit-in-nosal-ii/">that legal scholars</a>, groups such as the <a href="https://www.eff.org/issues/cfaa">Electronic Frontier Foundation</a>, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?</p>
<p>Reinhardt argues that Nosal's use of the database was unauthorized by the firm, but was authorized by the former employee who shared it with him. For you and me, this case means that unless Netflix specifically authorizes you to share your password with your friend, you're breaking federal law.</p></blockquote>
<p>The <a href="https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses-password-go-jail-says-ninth-circuit">EFF</a>:</p>
<blockquote><p>While the majority opinion said that the facts of this case "bear little resemblance" to the kind of password sharing that people often do, Judge Reinhardt's dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband's user credentials to access his bank account to pay bills, Judge Reinhardt noted: "So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates." As a result, although the majority says otherwise, the court turned anyone who has ever used someone else's password without the approval of the computer owner into a potential felon.</p></blockquote>
<p>The <a href="https://www.law.cornell.edu/uscode/text/18/1030">Computer Fraud and Abuse Act</a> has been a disaster for many reasons, this being one of them.
There will be an appeal of this ruling.</p>
http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10684

Researchers Discover Tor Nodes Designed to Spy on Hidden Services
https://www.schneier.com/blog/archives/2016/07/researchers_dis.html
tag:www.schneier.com,2016:/blog//2.10674
Fri, 08 Jul 2016 08:01:00 -0400
<p>Two researchers have discovered over 100 Tor nodes that are spying on hidden services. Cory Doctorow <a href="https://boingboing.net/2016/07/01/researchers-find-over-100-spyi.html">explains</a>:</p>
<blockquote><p>These nodes -- ordinary nodes, not exit nodes -- sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.</p>
<p>The researchers used "honeypot" .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions' existence.
They didn't advertise the honions' existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.</p>
<p>This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.</p>
<p>No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of "infowar" weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).</p></blockquote>
<p>The Tor project is working on redesigning its system to block this attack.</p>
<p>Vice Motherboard <a href="https://motherboard.vice.com/read/over-100-snooping-tor-nodes-have-been-spying-on-dark-web-sites">article</a>.
Defcon talk <a href="https://www.defcon.org/html/defcon-24/dc-24-speakers.html#Noubir">announcement</a>.</p>
http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10674

Gnome Ann
http://xkcd.com/1704/
Fri, 08 Jul 2016 00:00:00 -0400
<img src="http://imgs.xkcd.com/comics/gnome_ann.png" title="President Andrew Johnson once said, &quot;If I am to be shot at, I want Gnome Ann to be in the way of the bullet.&quot;" alt="President Andrew Johnson once said, &quot;If I am to be shot at, I want Gnome Ann to be in the way of the bullet.&quot;" />
http://quec.li/EntryComments?feed=http%3A%2F%2Fxkcd.com%2Frss.xml&entry=http%3A%2F%2Fxkcd.com%2F1704%2F

Hijacking Someone's Facebook Account with a Fake Passport Copy
https://www.schneier.com/blog/archives/2016/07/hijacking_someo.html
tag:www.schneier.com,2016:/blog//2.10673
Thu, 07 Jul 2016 14:27:00 -0400
<p>BBC has the <a href="http://www.bbc.com/news/technology-36661557">story</a>. The confusion is that a scan of a passport is much easier to forge than an actual passport. This is a truly hard problem: how do you give people the ability to get back into their accounts after they've lost their credentials, while at the same time prohibiting hackers from using the same mechanism to hijack accounts? Demanding an easy-to-forge copy of a hard-to-forge document isn't a good solution.</p>
http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10673

U.S. jets abandoned Syrian rebels in the desert. Then they lost a battle to ISIS.
https://www.washingtonpost.com/news/checkpoint/wp/2016/07/06/u-s-jets-abandoned-syrian-rebels-in-the-desert-then-they-lost-a-battle-to-isis/
Wed, 06 Jul 2016 17:38:15 -0400
"The priority here appeared to be going after the target, going after the big shiny object."
http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.washingtonpost.com%2Frss%2Fworld%2Fnational-security&entry=https%3A%2F%2Fwww.washingtonpost.com%2Fnews%2Fcheckpoint%2Fwp%2F2016%2F07%2F06%2Fu-s-jets-abandoned-syrian-rebels-in-the-desert-then-they-lost-a-battle-to-isis%2F

A tragic split
http://www.economist.com/news/leaders/21701265-how-minimise-damage-britains-senseless-self-inflicted-blow-tragic-split?fsrc=rss%7Clea
http://www.economist.com/news/leaders/21701265-how-minimise-damage-britains-senseless-self-inflicted-blow-tragic-split
Fri, 24 Jun 2016 01:07:00 -0400
<div><img src="http://cdn.static-economist.com/sites/default/files/imagecache/full-width/images/2016/06/articles/main/20160625_ldd300.jpg" alt="" title="" width="595" height="335" /></div>
<p>HOW quickly the unthinkable became the irreversible. A year ago few people imagined that the legions of Britons who love to whinge about the European Union -- silly regulations, bloated budgets and pompous bureaucrats -- would actually vote to leave the club of countries that buy nearly half of Britain's exports. Yet, by the early hours of June 24th, it was clear that voters had ignored the warnings of economists, allies and their own government and, after more than four decades in the EU, were about to <a href="http://www.economist.com/news/britain/21701264-britain-has-voted-leave-eu-what-follows-will-be-new-prime-minister-volatile-financial">step boldly into the unknown</a>.</p>
<p>The tumbling of the pound to 30-year lows offered a taste of what is to come.
As confidence plunges, Britain may well dip into recession. A permanently less vibrant economy means fewer jobs, lower tax receipts and, eventually, extra austerity. The result will also shake a fragile world economy. Scots, most of whom voted to Remain, may now be keener to break free of the United Kingdom, as they nearly did in 2014. Across the Channel, Eurosceptics such as the French National...</p>
http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.economist.com%2Ffeeds%2Fprint-sections%2F69%2Fleaders.xml&entry=http%3A%2F%2Fwww.economist.com%2Fnews%2Fleaders%2F21701265-how-minimise-damage-britains-senseless-self-inflicted-blow-tragic-split