m Quec.lim's republished posts.http://quec.li/~m /Over 700 Million People Taking Steps to Avoid NSA Surveillancehttps://www.schneier.com/blog/archives/2014/12/over_700_millio.htmltag:www.schneier.com,2014:/blog//2.6450Mon, 15 Dec 2014 07:07:00 -0500<p>There's a <a href="https://www.cigionline.org/internet-survey">new international survey</a> on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the <a href="https://www.cigionline.org/internet-survey#edward-snowden">findings</a>, 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."</p> <p>The press is mostly spinning this as evidence that Snowden has not had an effect: "<a href="http://www.ibtimes.co.uk/edward-snowden-revelations-not-having-much-impact-internet-users-1477189">merely 39%</a>," "<a href="http://www.theguardian.com/technology/2014/nov/25/edward-snowden-privacy-open-thread">only 39%</a>," and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users -- which is not everybody -- who have heard of him. So it's much less than 39%.)</p> <p>Even so, I disagree with the "<a href="http://www.ibtimes.co.uk/edward-snowden-revelations-not-having-much-impact-internet-users-1477189">Edward Snowden Revelations Not Having Much Impact on Internet Users</a>" headline. He's having an enormous impact. I ran the actual numbers country by country, combining <a href="http://www.internetlivestats.com/internet-users-by-country/">data on Internet penetration</a> with data from this survey. 
Multiplying everything out, I calculate that <i>706 million people</i> have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)</p> <p>Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that's an additional 46 million people around the world.</p> <p>It's probably true that most of those people took steps that didn't make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It's probably even true that some of those people didn't take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that <i>750 million people</i> are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.</p> <p>Name another news story that has caused over ten percent of the world's population to change their behavior in the past year? Cory Doctorow is <a href="http://boingboing.net/2014/11/12/peak-indifference-to-surveilla-2.html">right</a>: we have reached "peak indifference to surveillance." 
From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.</p> <p>Related: a recent Pew Research Internet Project <a href="http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/">survey</a> on Americans' perceptions of privacy, commented on by <a href="http://www.lawfareblog.com/2014/11/pew-study-says-exactly-what-youd-expect-on-privacy/">Ben Wittes</a>.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.6450Who Might Control Your Telephone Metadatahttps://www.schneier.com/blog/archives/2014/12/who_might_contr.htmltag:www.schneier.com,2014:/blog//2.6449Fri, 12 Dec 2014 10:26:00 -0500<p><br /> Remember last winter when President Obama <a href="http://www.nytimes.com/2014/03/25/us/obama-to-seek-nsa-curb-on-call-data.html">called for an end</a> to the NSA's telephone metadata collection program? He didn't actually call for an end to it; he just wanted it moved from an NSA database to some commercial database. (I still think this is a <a href="http://www.slate.com/articles/technology/future_tense/2014/02/nsa_surveillance_metadata_the_government_not_private_companies_should_store.html">bad idea</a>, and that having the companies store it is worse than having the government store it.)</p> <p>Anyway, the Director of National Intelligence <a href="https://www.fbo.gov/?s=opportunity&amp;mode=form&amp;id=b4756bf512d4d7a385f765e5a3fd169d&amp;tab=core&amp;_cview=0">solicited</a> companies who might be interested and capable of storing all this data. <a href="https://www.documentcloud.org/documents/1378665-interested-vendors-telephony-metadata-collection.html">Here's the list</a> of companies that expressed interest. Note that Oracle is on the list -- the only company I've heard of. 
Also note that many of these companies are just intermediaries that register for all sorts of things.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.6449Why ASICs may be good for Bitcoinhttps://freedom-to-tinker.com/blog/jbonneau/why-asics-may-be-good-for-bitcoin/https://freedom-to-tinker.com/?p=10617Fri, 12 Dec 2014 08:13:00 -0500Bitcoin mining is now almost exclusively performed by Bitcoin-specific ASICs (application-specific integrated circuits). These chips are made by a few startup manufacturers and cannot be used for anything else besides mining Bitcoin or closely related cryptocurrencies [1]. Because they are somewhere between a thousand and a million times more efficient at mining Bitcoin than a [&#8230;]http://quec.li/EntryComments?feed=https%3A%2F%2Ffreedom-to-tinker.com%2Frss.xml%3Ffeed%3Drss2&entry=https%3A%2F%2Ffreedom-to-tinker.com%2F%3Fp%3D10617Comments on the Sony Hackhttps://www.schneier.com/blog/archives/2014/12/comments_on_the.htmltag:www.schneier.com,2014:/blog//2.6447Thu, 11 Dec 2014 15:37:00 -0500<p>I don't have a lot to say about the <a href="http://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/">Sony hack</a>, which seems to still be ongoing. I want to highlight a few points, though.</p> <ol><li>At this point, the attacks seem to be a few hackers and not the <a href="http://www.theguardian.com/technology/2014/dec/10/fbi-doubts-north-korea-link-sony-pictures-hack">North Korean government</a>. (My guess is that it's not an <a href="http://www.hollywoodreporter.com/news/sony-hack-studio-security-points-753509">insider</a>, either.) That we live in the world where we aren't sure if any given cyberattack is the work of a foreign government or a couple of guys should be scary to us all. <p><li>Sony is a company that hackers have loved to hate <a href="http://gizmodo.com/why-sony-keeps-getting-hacked-1667259233">for years now</a>. 
(Remember their <a href="https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal">rootkit</a> from 2005?) We've learned previously that putting yourself in this position can be disastrous. (Remember <a href="http://www.wired.com/2011/02/anonymous-hacks-hbgary/">HBGary</a>.) We're learning that again.</p> <p><li>I don't see how Sony <a href="http://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/">launching a DDoS attack</a> against the attackers is going to help at all.</p> <p><li>The most <a href="http://time.com/3625392/the-7-most-outrageous-things-we-learned-from-the-sony-hack/">sensitive information</a> that's being leaked as a result of this attack isn't the unreleased movies, the executive emails, or the celebrity gossip. It's the minutiae from <a href="http://gizmodo.com/the-sony-hacks-are-goddamn-terrifying-1668911102">random employees</a>: </p> <blockquote><p>The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It's an email about trying to get pregnant. It's shit-talking coworkers behind their backs, and people's credit card log-ins. It's literally thousands of Social Security numbers laid bare. It's even the harmless, mundane, trivial stuff that makes up any day's email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.</p></blockquote> <p>These people didn't have anything to hide. They aren't public figures. Their details aren't going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and read this stuff.</p> <blockquote><p>These are people who did nothing wrong. They didn't click on phishing links, or use dumb passwords (or even if they did, they didn't cause this). They just showed up. 
They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn't have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere. For better or worse, we've become inured to small, anonymous violations. What happened to Sony Pictures employees, though, is public. And it is total.</p></blockquote> <p>Gizmodo got this 100% correct. And this is why privacy is so important for everyone.</ol></p> <p>I'm sure there'll be more information as this continues to unfold.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.6447Striking a balance between advertising and ad blockinghttps://freedom-to-tinker.com/blog/dwallach/striking-a-balance-between-advertising-and-ad-blocking/https://freedom-to-tinker.com/?p=10611Thu, 11 Dec 2014 11:27:00 -0500http://quec.li/EntryComments?feed=https%3A%2F%2Ffreedom-to-tinker.com%2Frss.xml%3Ffeed%3Drss2&entry=https%3A%2F%2Ffreedom-to-tinker.com%2F%3Fp%3D10611NSA Hacking of Cell Phone Networkshttps://www.schneier.com/blog/archives/2014/12/nsa_hacking_of_.htmltag:www.schneier.com,2014:/blog//2.6439Tue, 09 Dec 2014 07:33:00 -0500<p>The <i>Intercept</i> has <a href="https://firstlook.org/theintercept/2014/12/04/nsa-auroragold-hack-cellphones/">published</a> an article -- based on the Snowden documents -- about AURORAGOLD, an NSA surveillance operation against cell phone network operators and standards bodies worldwide. This is not a typical NSA surveillance operation where agents identify the bad guys and spy on them. 
This is an operation where the NSA spies on people designing and building a general communications infrastructure, looking for weaknesses and vulnerabilities that will allow it to spy on the bad guys at some later date.</p> <p>In that way, AURORAGOLD is similar to the NSA's <a href="https://firstlook.org/theintercept/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/">program</a> to hack sysadmins around the world, just in case that access will be useful at some later date; and to the GCHQ's <a href="http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html">hacking</a> of the Belgian phone company Belgacom. In both cases, the NSA/GCHQ is finding general vulnerabilities in systems that are protecting many innocent people, and exploiting them instead of fixing them.</p> <p>It is unclear from the documents exactly what cell phone vulnerabilities the NSA is exploiting. Remember that cell phone calls go through the regular phone network, and are as vulnerable there as non-cell calls. (GSM encryption only protects calls from the handset to the tower, not within the phone operators' networks.) For the NSA to target cell phone networks particularly rather than phone networks in general means that it is interested in information specific to the cell phone network: location is the most obvious. 
We <a href="http://www.washingtonpost.com/business/technology/by-cracking-cellphone-code-nsa-has-capacity-for-decoding-private-conversations/2013/12/13/e119b598-612f-11e3-bf45-61f69f54fc5f_story.html">already know</a> that the NSA can eavesdrop on most of the world's cell phone networks, and that it tracks <a href="http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html">location</a> <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/new-documents-show-how-the-nsa-infers-relationships-based-on-mobile-location-data">data</a>.</p> <p>I'm not sure what to make of the NSA's cryptanalysis efforts against GSM encryption. The GSM cellular network uses three different encryption schemes: A5/1, which has been <a href="https://en.wikipedia.org/wiki/A5/1">badly broken</a> in the academic world for over a decade (a previous Snowden document <a href="http://www.washingtonpost.com/business/technology/by-cracking-cellphone-code-nsa-has-capacity-for-decoding-private-conversations/2013/12/13/e119b598-612f-11e3-bf45-61f69f54fc5f_story.html">said</a> the NSA could process A5/1 in real time -- and so can everyone else); A5/2, which was designed deliberately weak and is <a href="https://en.wikipedia.org/wiki/A5/2">even more easily broken</a>; and A5/3 (aka KASUMI), which is <a href="https://en.wikipedia.org/wiki/KASUMI">generally believed</a> to be secure. There are additional attacks against all A5 ciphers <a href="http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf">as they are used</a> in the GSM system known in the academic world. Almost certainly the NSA has operationalized all of these attacks, and probably others as well. 
Two documents published by the <i>Intercept</i> mention attacks against A5/3 -- <a href="https://firstlook.org/theintercept/document/2014/12/04/opulent-pup-encryption-attack">OPULENT PUP</a> and <a href="https://firstlook.org/theintercept/document/2014/12/04/wolframite-encryption-attack">WOLFRAMITE</a> -- although there is no detail, and thus no way to know how much of these attacks consist of cryptanalysis of A5/3, attacks against the GSM protocols, or attacks based on exfiltrating keys. For example, GSM carriers know their users' A5 keys and store them in databases. It would be much easier for the NSA's TAO group to steal those keys and use them for real-time decryption than it would be to apply mathematics and computing resources against the encrypted traffic.</p> <p>The <i>Intercept</i> points to these documents as an example of the NSA deliberately introducing flaws into global communications standards, but I don't really see the evidence here. Yes, the NSA is spying on industry organizations like the GSM Association in an effort to learn about new GSM standards as early as possible, but I don't see evidence of it influencing those standards. The one relevant sentence is in a presentation about the "SIGINT Planning Cycle": "How do we introduce vulnerabilities where they do not yet exist?" That's pretty damning in general, but it feels more aspirational than a statement of practical intent. Already there are lots of pressures on the GSM Association to allow for "lawful surveillance" on users from countries around the world. That surveillance is generally with the assistance of the cell phone companies, which is why hacking them is such a priority. My guess is that the NSA just sits back and lets other countries weaken cell phone standards, then exploits those weaknesses.</p> <p>Other countries do as well. There are many vulnerabilities in the cell phone system, and it's folly to believe that only the NSA and GCHQ exploit them. 
And countries that can't afford their own research and development organization can buy the capability from cyberweapons arms manufacturers. And remember that technology flows downhill: today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacker tools. </p> <p>For example, the US company Verint <a href="http://www.washingtonpost.com/business/technology/for-sale-systems-that-can-secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html">sells</a> cell phone tracking systems to both corporations and governments worldwide. The company's website <a href="http://www.verint.com/about">says</a> that it's "a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance," with clients in "more than 10,000 organizations in over 180 countries." The UK company Cobham <a href="https://www.privacyinternational.org/sii/cobham">sells</a> a system that allows someone to send a "blind" call to a phone -- one that doesn't ring, and isn't detectable. The blind call forces the phone to transmit on a certain frequency, allowing the sender to track that phone to within one meter. The company <a href="https://s3.amazonaws.com/s3.documentcloud.org/documents/409237/115-cobham-tactical-c4i.pdf">boasts</a> government customers in Algeria, Brunei, Ghana, Pakistan, Saudi Arabia, Singapore, and the United States. Defentek, a company mysteriously registered in Panama, <a href="http://www.washingtonpost.com/business/technology/for-sale-systems-that-can-secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html">sells</a> a system that can "locate and track any phone number in the world...undetected and unknown by the network, carrier, or the target." 
It's not an idle boast; telecommunications researcher Tobias Engel <a href="http://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf">demonstrated</a> the same capability at a hacker conference in 2008. Criminals can purchase illicit products to let them do the same today.</p> <p>As I <a href="http://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197/">keep saying</a>, we no longer live in a world where technology allows us to separate communications we want to protect from communications we want to exploit. Assume that anything we learn about what the NSA does today is a preview of what cybercriminals are going to do in six months to two years. That the NSA chooses to exploit the vulnerabilities it finds, rather than fix them, puts us all at risk. </p> <p><i>This essay has <a href="http://www.lawfareblog.com/2014/12/nsa-hacking-of-cell-phone-networks/">previously appeared</a> on the Lawfare blog.</i></p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.6439matt [wronka.org]http://quec.es/org.wronka/matt/2014/12/09/Tue, 09 Dec 2014 01:47:26 +0000;matt [wronka.org]Mon, 08 Dec 2014 20:47:00 -0500<a href="http://m.chronicle.com/article/Behind-RPIs-Highly-Paid/150441/">http://m.chronicle.com/article/Behind-RPIs-Highly-Paid/150441/</a><br /> <br /> The difference between my encounters with institute presidents at RPI and Brown were night and day; and both seem to fit with others' experiences.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Tue%2C+09+Dec+2014+01%3A47%3A26+%2B0000%3Bmatt+%5Bwronka.org%5DRapiscan Full-Body Scanner for Salehttps://www.schneier.com/blog/archives/2014/12/rapiscan_full-b.htmltag:www.schneier.com,2014:/blog//2.6438Mon, 08 Dec 2014 12:09:00 -0500<p>Government surplus. Only $8,000 on <a href="http://www.ebay.com/itm/111519265986">eBay</a>. 
Note that this device has been <a href="https://radsec.org">analyzed before</a>.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.6438Corporate Abuse of Our Datahttps://www.schneier.com/blog/archives/2014/12/corporate_abuse.htmltag:www.schneier.com,2014:/blog//2.6437Mon, 08 Dec 2014 08:19:00 -0500<p>Last week, we learned about a striking piece of malware called <a href="https://en.wikipedia.org/wiki/Regin_(malware)">Regin</a> that has been infecting computer networks worldwide since 2008. It's more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there's <a href="http://www.scmagazineuk.com/nsa-gchq-or-both-behind-stuxnet-like-regin-malware/article/384888/">substantial evidence</a> that it was built and operated by the United States. </p> <p>This isn't the first government malware discovered. <a href="http://www.infowar-monitor.net/ghostnet">GhostNet</a> is believed to be Chinese. <a href="http://arstechnica.com/security/2013/01/red-Oct-computer-espionage-network-may-have-stolen-terabytes-of-data">Red October</a> and <a href="http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307">Turla</a> are believed to be Russian. <a href="http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf">The Mask</a> is probably Spanish. <a href="http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet">Stuxnet</a> and <a href="http://www.washingtonpost.com/world/national-security/newly-identified-computer-virus-used-for-spying-is-20-times-size-of-stuxnet/2012/05/28/gJQAWa3VxU_story.html">Flame</a> are probably from the U.S. All these were discovered in the past five years, and named by researchers who inferred their creators from clues such as who the malware targeted. 
</p> <p>I dislike the "cyberwar" metaphor for espionage and hacking, but there is a war of sorts going on in cyberspace. Countries are using these weapons against each other. This affects all of us not just because we might be citizens of one of these countries, but because we are all potentially collateral damage. Most of the varieties of malware listed above have been used against nongovernment targets, such as national infrastructure, corporations, and <a href="https://targetedthreats.net/">NGOs</a>. Sometimes these attacks are <a href="http://www.darkreading.com/attacks-and-breaches/cyber-weapon-friendly-fire-chevron-stuxnet-fallout/d/d-id/1107339">accidental</a>, but often they are <a href="http://www.reuters.com/article/2014/11/20/us-cybercrime-usa-china-idUSKCN0J42M520141120">deliberate</a>. </p> <p>For their defense, civilian networks must rely on commercial security products and services. We largely rely on antivirus products from companies such as Symantec, Kaspersky, and F-Secure. These products continuously scan our computers, looking for malware, deleting it, and alerting us as they find it. We expect these companies to act in our interests, and never deliberately fail to protect us from a known threat. </p> <p>This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from <a href="http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance">Symantec</a>, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which <a href="https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/">described</a> Regin and its U.S. connections the following day. 
Both <a href="https://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/">Kaspersky</a> and <a href="https://www.f-secure.com/weblog/archives/00002766.html">F-Secure</a> soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009. </p> <p>So why did these companies all keep Regin a secret for so long? And why did they leave us vulnerable for all this time? </p> <p>To get an answer, we have to disentangle two things. Near as we can tell, all the companies had added signatures for Regin to their detection database long before last month. The VirusTotal website has a signature for Regin as of <a href="https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/">2011</a>. Both <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan:WinNT/Regin.A#tab=1">Microsoft security</a> and <a href="https://twitter.com/mikko/status/536959936476221440">F-Secure</a> started detecting and removing it that year as well. Symantec has protected its users against Regin since <a href="http://il.norton.com/regin/">2013</a>, although it certainly added the VirusTotal signature in 2011. </p> <p>Entirely separately and seemingly independently, all of these companies decided not to publicly discuss Regin's existence until after Symantec and the Intercept did so. Reasons given vary. Mikko Hypponen of F-Secure said that <a href="https://twitter.com/mikko/status/536942825292959744">specific</a> <a href="https://twitter.com/mikko/status/536944050361073664">customers</a> asked him not to discuss the malware that had been found on their networks. 
Fox IT, which was hired to remove Regin from the Belgian phone company Belgacom's website, didn't say anything about what it discovered because it "<a href="http://mashable.com/2014/11/25/regin-spy-malware-nsa-gchq/">didn't want to interfere with NSA/GCHQ operations</a>." </p> <p>My guess is that none of the companies wanted to go public with an incomplete picture. Unlike criminal malware, government-grade malware can be hard to figure out. It's much more elusive and complicated. It is constantly updated. Regin is made up of multiple modules -- Fox IT <a href="http://mashable.com/2014/11/25/regin-spy-malware-nsa-gchq/">called it</a> "a full framework of a lot of species of malware" -- making it even harder to figure out what's going on. Regin has also been used sparingly, against only a select few targets, making it hard to get samples. When you make a press splash by identifying a piece of malware, you want to have the whole story. Apparently, no one felt they had that with Regin. </p> <p>That is not a good enough excuse, though. As nation-state malware becomes more common, we will often lack the whole story. And as long as countries are battling it out in cyberspace, some of us will be targets and the rest of us might be unlucky enough to be sitting in the blast radius. Military-grade malware will continue to be elusive. </p> <p>Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware. But they shouldn't. 
We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them, and not wait until the release of a political story makes it impossible for them to remain silent.</p> <p><i>This essay <a href="http://www.technologyreview.com/view/533136/antivirus-companies-should-be-more-open-about-their-government-malware-discoveries/">previously appeared</a> in the </i>MIT Technology Review.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.6437matt [wronka.org] Lollipop/ART issues; Firefox Weavehttp://quec.es/org.wronka/matt/2014/12/07/Sun, 07 Dec 2014 18:37:08 +0000;matt [wronka.org]Sun, 07 Dec 2014 13:37:00 -0500I've switched back to Android 4.4 (CM-11, &quot;Kitkat&quot;). The following were issues I found with Android 5.0 (&quot;Lollipop&quot;):<br /> * fdroid repos don't work, which is annoying (<a href="https://gitlab.com/fdroid/fdroidclient/issues/111">https://gitlab.com/fdroid/fdroidclient/issues/111</a>)<br /> * some Activesync servers don't work&mdash;I've only seen this reported with Horde (and I had the issue with both 5.0 and 5.2; <a href="https://bugs.horde.org/ticket/13702">https://bugs.horde.org/ticket/13702</a>)<br /> <br /> Back on CM-11, using the ART runtime, Firefox Sync (Weave/&quot;Deprecated&quot;) also fails, apparently with a Unicode string error. It works fine with Dalvik. I don't know if this would have been an issue on Lollipop as well which uses ART by default. I didn't look for a specific bug for this, but was surprised that this sync was still supported since it was supposed to go away several versions ago (<a href="https://bugs.horde.org/ticket/13702">https://bugs.horde.org/ticket/13702</a>). Apparently work on making the new service easy to use by third parties is either hard or just not a priority&mdash;the whole issue seems to have been bungled and now everyone's stuck with a mess. 
(<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=989756#c14">https://bugzilla.mozilla.org/show_bug.cgi?id=989756#c14</a>)<br /> <br /> I also missed some of the UI elements from CM-11, like the circular battery indicator (is this a theme added by CM?) The settings menu was also more usable on CM-11. In general, Lollipop seemed to waste space, although I had mixed feelings about the task switching interface (it did seem to show more options at once, but made the active surface a bit small on a phone screen). A lot of Lollipop was flat, and Apple-like, looking pretty without giving the user any indication of whether interfaces were scrollable or otherwise how to interact with the device.<br /> <br /> Unlike other reports, I did not run into any issues with WiFi or battery life on Lollipop&mdash;in fact, both seemed to be at least as good if not more reliable than on CM-11 and CM-10.2 but I don't have any objective tests for that. Specifically, I think my worst battery behaviour was in part due to K9 synching my mail, and I haven't set that back up.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Sun%2C+07+Dec+2014+18%3A37%3A08+%2B0000%3Bmatt+%5Bwronka.org%5DShould we have unarmed police?http://blogs.law.harvard.edu/philg/2014/12/06/should-we-have-unarmed-police/http://blogs.law.harvard.edu/philg/?p=6495Sat, 06 Dec 2014 22:38:00 -0500http://quec.li/EntryComments?feed=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2Ffeed%2F&entry=http%3A%2F%2Fblogs.law.harvard.edu%2Fphilg%2F%3Fp%3D6495matt [wronka.org] Hacking Android/Cyanogen Email in KitKat and Lollipophttp://quec.es/org.wronka/matt/2014/12/06/Sat, 06 Dec 2014 17:51:38 +0000;matt [wronka.org]Sat, 06 Dec 2014 12:51:00 -0500Work switched from Zimbra to Microsoft Exchange some time back, and I've stopped synchronizing my calendar with my Nexus 4 since then (instead using my Handspring Visor Edge). 
The reason was straightforward: the Microsoft server wanted the ability to wipe my entire device.<br /> <br /> This seemed like overreach, and after talking with people in IT, it wasn't intentional, it was just the default. The changes in the AOSP code are pretty straightforward to disable this. I've posted diffs for both KitKat and Lollipop: <a href="http://matt.wronka.org/stuff/projects/icpp/android/cyanogenmod/">http://matt.wronka.org/stuff/projects/icpp/android/cyanogenmod/</a><br /> <br /> The KitKat changes also include some clean-up of CM code I didn't find useful (CMUpdater, CMAccounts), these aren't in CM12 yet. If you'd rather cherry-pick the changes for CM11 or AOSP 4.4 there are two AOSP applications to patch: <a href="http://matt.wronka.org/stuff/projects/icpp/android/aosp/4.4/">http://matt.wronka.org/stuff/projects/icpp/android/aosp/4.4/</a> <br /> <br /> It looks like a lot of refactoring went into the Exchange services in 5.0, the patchset is smaller, but there's a new issue as reported to horde: <a href="https://bugs.horde.org/ticket/13702">https://bugs.horde.org/ticket/13702</a> <br /> I can confirm that this is an issue with Android 5.0&mdash;the effect is that the device appears to sync, but when it is about to complete it removes all data it received. 
I have not looked into fixing this yet, but it appears unrelated to Horde itself.<br /> <br /> For now, full builds are at:<br /> <a href="http://hume.matt.wronka.org/~matt/tmp/cm-12-20141204-SNAPSHOT-CNJ-mako.zip">http://hume.matt.wronka.org/~matt/tmp/cm-12-20141204-SNAPSHOT-CNJ-mako.zip</a> (Nexus 4, Android 5.0/CM12/Lollipop)<br /> <a href="http://hume.matt.wronka.org/~matt/tmp/cm-11-20141122-SNAPSHOT-CNJ-mako.zip">http://hume.matt.wronka.org/~matt/tmp/cm-11-20141122-SNAPSHOT-CNJ-mako.zip</a> (Nexus 4, Android 4.4/CM11/KitKat)<br /> <a href="http://hume.matt.wronka.org/~matt/tmp/cm-11-20141114-SNAPSHOT-CNJ-crespo.zip">http://hume.matt.wronka.org/~matt/tmp/cm-11-20141114-SNAPSHOT-CNJ-crespo.zip</a> (Nexus S, Android 4.4/CM11/KitKat)http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Sat%2C+06+Dec+2014+17%3A51%3A38+%2B0000%3Bmatt+%5Bwronka.org%5DEditor's choicehttp://www.reuters.com/article/2014/12/06/24-hours-in-pictures-idUSRTR4GX8M?feedType=RSS&amp;feedName=RCOMUS_24http://www.reuters.com/article/2014/12/06/24-hours-in-pictures-idUSRTR4GX8M?feedType=RSS&amp;feedName=RCOMUS_24Sat, 06 Dec 2014 01:05:00 -0500Our top photos from the last 24 hours.http://quec.li/EntryComments?feed=http%3A%2F%2Ffeeds.reuters.com%2FReutersPictures&entry=http%3A%2F%2Fwww.reuters.com%2Farticle%2F2014%2F12%2F06%2F24-hours-in-pictures-idUSRTR4GX8M%3FfeedType%3DRSS%26amp%3BfeedName%3DRCOMUS_24Faux DIYhttp://dandreamsofcoding.com/2014/12/04/faux-diy/http://dandreamsofcoding.com/?p=2529Thu, 04 Dec 2014 12:00:00 -0500http://quec.li/EntryComments?feed=http%3A%2F%2Fdandreamsofcoding.com%2Ffeed%2F&entry=http%3A%2F%2Fdandreamsofcoding.com%2F%3Fp%3D2529Special Roles: a Bestiaryhttp://dandreamsofcoding.com/2014/12/01/special-roles-a-bestiary/http://dandreamsofcoding.com/?p=2293Mon, 01 Dec 2014 12:00:00 -0500http://quec.li/EntryComments?feed=http%3A%2F%2Fdandreamsofcoding.com%2Ffeed%2F&entry=http%3A%2F%2Fdandreamsofcoding.com%2F%3Fp%3D2293Putting NSA/GCHQ Spying 
Togetherhttps://www.schneier.com/blog/archives/2014/12/putting_nsagchq.htmltag:www.schneier.com,2014:/blog//2.6427Mon, 01 Dec 2014 07:41:00 -0500<p><a href="http://electrospaces.blogspot.com/2014/11/incenser-or-how-nsa-and-gchq-are.html">This</a> is a really good analysis of how the NSA/GCHQ spying programs actually work. It's nice that we finally have enough documents public that we can start putting together the complete pictures.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2014%3A%2Fblog%2F%2F2.6427matt [wronka.org]http://quec.es/org.wronka/matt/2014/11/25/Tue, 25 Nov 2014 21:04:30 +0000;matt [wronka.org]Tue, 25 Nov 2014 16:04:00 -05003%! And -4.3&deg;C.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Tue%2C+25+Nov+2014+21%3A04%3A30+%2B0000%3Bmatt+%5Bwronka.org%5Dmatt [wronka.org]http://quec.es/org.wronka/matt/2014/11/25/Tue, 25 Nov 2014 21:02:10 +0000;matt [wronka.org]Tue, 25 Nov 2014 16:02:00 -05002%!http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Tue%2C+25+Nov+2014+21%3A02%3A10+%2B0000%3Bmatt+%5Bwronka.org%5Dmatt [wronka.org]http://quec.es/org.wronka/matt/2014/11/25/Tue, 25 Nov 2014 21:01:58 +0000;matt [wronka.org]Tue, 25 Nov 2014 16:01:00 -0500Battery was at 17%, plugged in it dropped to nine before jumping to 51%. 
Now it is charging at 0%, but stable.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Tue%2C+25+Nov+2014+21%3A01%3A58+%2B0000%3Bmatt+%5Bwronka.org%5Dmatt [wronka.org]http://quec.es/org.wronka/matt/2014/11/18/Tue, 18 Nov 2014 15:39:46 +0000;matt [wronka.org]Tue, 18 Nov 2014 10:39:00 -0500Trebuchet's newfound lack of landscape is frustrating.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Tue%2C+18+Nov+2014+15%3A39%3A46+%2B0000%3Bmatt+%5Bwronka.org%5Dmatt [wronka.org]http://quec.es/org.wronka/matt/2014/11/13/Thu, 13 Nov 2014 20:27:53 +0000;matt [wronka.org]Thu, 13 Nov 2014 15:27:00 -0500Also annoyingly with CM11 Trebuchet cannot rotate and widgets cannot be resized.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Thu%2C+13+Nov+2014+20%3A27%3A53+%2B0000%3Bmatt+%5Bwronka.org%5Dmatt [wronka.org]http://quec.es/org.wronka/matt/2014/11/13/Thu, 13 Nov 2014 19:45:44 +0000;matt [wronka.org]Thu, 13 Nov 2014 14:45:00 -0500WTF is this new circular time selector in KitKat? I didn't think Android could create a worse interface for selecting time than it previously had.http://quec.li/EntryComments?feed=http%3A%2F%2Fquec.es%2Forg.wronka%2Fmatt%2Fsynd%2F&entry=Thu%2C+13+Nov+2014+19%3A45%3A44+%2B0000%3Bmatt+%5Bwronka.org%5D