- cypherpunks - lists.cpunks.org

Dan Geer on IoT
by John Young 09 May '14

09 May '14

https://securityledger.com/2014/05/security-and-internet-of-things-can-we-t… Attendees will hear an address by Dr. Dan Geer, the Chief Security Officer at In-Q-Tel, the U.S. Central Intelligence Agency's investment arm. Dan is one of the smartest and most prescient thinkers in the security world, who has made headlines by warning about the dangers of our reliance of technology monocultures like Microsoft's Windows operating systems. Most recently, Dan has been sounding similar alarms about an (emerging) monoculture of "small devices and the chips that run them." In other words: just because the network of the future doesn't have a Windows sticker and "Intel Inside" logo on it, doesn't mean that the same kinds of problems don't exist. Many of you who have been following this blog know that the Security Ledger is particularly interested in covering the (fast) evolving border line between "traditional" IT security and the terra incognito of the Internet of Things. This week, we're taking that discussion to the next level with our first-ever event: The Security of Things Forum (or SECoT for short). SECoT is going to be an amazing day of discussion and debate about what I consider one of the foremost challenges facing the technology community in the next decade: securing a rapidly expanding population of intelligent and Internet-connected devices.

1 0

OpenSSH memory leak
by Matej Kovacic 08 May '14

08 May '14

Hi, (NOT OpenSSL!) in case you didn't came aroud this: http://pastebin.com/gjkivAf3 Unfortunately, there is no patch yet... Regards, M.

5 4

“General Keith.. so great to see you.. !”
by coderman 07 May '14

07 May '14

http://america.aljazeera.com/articles/2014/5/6/nsa-chief-google.html Exclusive: Emails reveal close Google relationship with NSA National Security Agency head and Internet giant’s executives have coordinated through high-level policy discussions May 6, 2014 5:00AM ET by Jason Leopold @JasonLeopold Email exchanges between National Security Agency Director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt suggest a far cozier working relationship between some tech firms and the U.S. government than was implied by Silicon Valley brass after last year’s revelations about NSA spying. Disclosures by former NSA contractor Edward Snowden about the agency’s vast capability for spying on Americans’ electronic communications prompted a number of tech executives whose firms cooperated with the government to insist they had done so only when compelled by a court of law. But Al Jazeera has obtained two sets of email communications dating from a year before Snowden became a household name that suggest not all cooperation was under pressure. On the morning of June 28, 2012, an email from Alexander invited Schmidt to attend a four-hour-long “classified threat briefing” on Aug. 8 at a “secure facility in proximity to the San Jose, CA airport.” “The meeting discussion will be topic-specific, and decision-oriented, with a focus on Mobility Threats and Security,” Alexander wrote in the email, obtained under a Freedom of Information Act (FOIA) request, the first of dozens of communications between the NSA chief and Silicon Valley executives that the agency plans to turn over. Alexander, Schmidt and other industry executives met earlier in the month, according to the email. But Alexander wanted another meeting with Schmidt and “a small group of CEOs” later that summer because the government needed Silicon Valley’s help. “About six months ago, we began focusing on the security of mobility devices,” Alexander wrote. “A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organization to move ahead … Google’s participation in refinement, engineering and deployment of the solutions will be essential.” Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society, said she believes information sharing between industry and the government is “absolutely essential” but “at the same time, there is some risk to user privacy and to user security from the way the vulnerability disclosure is done.” The challenge facing government and industry was to enhance security without compromising privacy, Granick said. The emails between Alexander and Google executives, she said, show “how informal information sharing has been happening within this vacuum where there hasn’t been a known, transparent, concrete, established methodology for getting security information into the right hands.” The classified briefing cited by Alexander was part of a secretive government initiative known as the Enduring Security Framework (ESF), and his email provides some rare information about what the ESF entails, the identities of some participant tech firms and the threats they discussed. The classified briefing cited by Alexander was part of a secretive government initiative known as the Enduring Security Framework (ESF), and his email provides some rare information about what the ESF entails, the identity of some participant tech firms and the threats they discussed. Alexander explained that the deputy secretaries of the Department of Defense, Homeland Security and “18 US CEOs” launched the ESF in 2009 to “coordinate government/industry actions on important (generally classified) security issues that couldn’t be solved by individual actors alone.” “For example, over the last 18 months, we (primarily Intel, AMD [Advanced Micro Devices], HP [Hewlett-Packard], Dell and Microsoft on the industry side) completed an effort to secure the BIOS of enterprise platforms to address a threat in that area.” “BIOS” is an acronym for “basic input/output system,” the system software that initializes the hardware in a personal computer before the operating system starts up. NSA cyberdefense chief Debora Plunkett in December disclosed that the agency had thwarted a “BIOS plot” by a “nation-state,” identified as China, to brick U.S. computers. That plot, she said, could have destroyed the U.S. economy. “60 Minutes,” which broke the story, reported that the NSA worked with unnamed “computer manufacturers” to address the BIOS software vulnerability. But some cybersecurity experts questioned the scenario outlined by Plunkett. “There is probably some real event behind this, but it’s hard to tell, because we don’t have any details,” wrote Robert Graham, CEO of the penetration-testing firm Errata Security in Atlanta, on his blog in December. “It”s completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm.” And by enlisting the NSA to shore up their defenses, those companies may have made themselves more vulnerable to the agency’s efforts to breach them for surveillance purposes. “I think the public should be concerned about whether the NSA was really making its best efforts, as the emails claim, to help secure enterprise BIOS and mobile devices and not holding the best vulnerabilities close to their chest,” said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation’s digital civil liberties team. He doesn’t doubt that the NSA was trying to secure enterprise BIOS, but he suggested that the agency, for its own purposes, was “looking for weaknesses in the exact same products they’re trying to secure.” The NSA “has no business helping Google secure its facilities from the Chinese and at the same time hacking in through the back doors and tapping the fiber connections between Google base centers,” Cardozo said. “The fact that it’s the same agency doing both of those things is in obvious contradiction and ridiculous.” He recommended dividing offensive and defensive functions between two agencies. The government has asked for Silicon Valley’s help. Adam Berry / Getty Images Two weeks after the “60 Minutes” broadcast, the German magazine Der Spiegel, citing documents obtained by Snowden, reported that the NSA inserted back doors into BIOS, doing exactly what Plunkett accused a nation-state of doing during her interview. Google’s Schmidt was unable to attend to the mobility security meeting in San Jose in August 2012. “General Keith.. so great to see you.. !” Schmidt wrote. “I’m unlikely to be in California that week so I’m sorry I can’t attend (will be on the east coast). Would love to see you another time. Thank you !” Since the Snowden disclosures, Schmidt has been critical of the NSA and said its surveillance programs may be illegal. Army Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff, did attend that briefing. Foreign Policy reported a month later that Dempsey and other government officials — no mention of Alexander — were in Silicon Valley “picking the brains of leaders throughout the valley and discussing the need to quickly share information on cyber threats.” Foreign Policy noted that the Silicon Valley executives in attendance belonged to the ESF. The story did not say mobility threats and security was the top agenda item along with a classified threat briefing. A week after the gathering, Dempsey said during a Pentagon press briefing, “I was in Silicon Valley recently, for about a week, to discuss vulnerabilities and opportunities in cyber with industry leaders … They agreed — we all agreed on the need to share threat information at network speed.” Google co-founder Sergey Brin attended previous meetings of the ESF group but because of a scheduling conflict, according to Alexander’s email, he also could not attend the Aug. 8 briefing in San Jose, and it’s unknown if someone else from Google was sent. A few months earlier, Alexander had emailed Brin to thank him for Google’s participation in the ESF. “I see ESF’s work as critical to the nation’s progress against the threat in cyberspace and really appreciate Vint Cerf [Google’s vice president and chief Internet evangelist], Eric Grosse [vice president of security engineering] and Adrian Ludwig’s [lead engineer for Android security] contributions to these efforts during the past year,” Alexander wrote in a Jan. 13, 2012, email. “You recently received an invitation to the ESF Executive Steering Group meeting, which will be held on January 19, 2012. The meeting is an opportunity to recognize our 2012 accomplishments and set direction for the year to come. We will be discussing ESF’s goals and specific targets for 2012. We will also discuss some of the threats we see and what we are doing to mitigate those threats … Your insights, as a key member of the Defense Industrial Base, are valuable to ensure ESF’s efforts have measurable impact.” A Google representative declined to answer specific questions about Brin’s and Schmidt’s relationship with Alexander or about Google’s work with the government. “We work really hard to protect our users from cyberattacks, and we always talk to experts — including in the U.S. government — so we stay ahead of the game,” the representative said in a statement to Al Jazeera. “It’s why Sergey attended this NSA conference.” Brin responded to Alexander the following day even though the head of the NSA didn’t use the appropriate email address when contacting the co-chairman. “Hi Keith, looking forward to seeing you next week. FYI, my best email address to use is [redacted],” Brin wrote. “The one your email went to — sergey.brin(a)google.com — I don’t really check.”

3 2

NSA good guys
by Cypher 04 May '14

04 May '14

I wonder how long the good but misunderstood people over at NSA knew about Heartbleed and didn't disclose? I mean, certainly "protecting" us would necessitate them coming forward, right? The wouldn't deliberately leave the entire country vulnerable just so the could keep spying, right? Good people, my ass. Cypher Sent from my mobile device

21 53

NSA TEMPEST NONSTOP Document Released
by John Young 02 May '14

02 May '14

Just declassified and released after 8 years from FOIA request: NSA TEMPEST 01-02 NONSTOP Evaluation Standard (Oct 2002): <http://cryptome.org/2014/05/nsa-tempest-01-02-oct-02.pdf>http://cryptome.org/2014/05/nsa-tempest-01-02-oct-02.pdf (3.2MB) Compare NONSTOP Techniques from 1975: <http://cryptome.org/nacsem-5112.htm>http://cryptome.org/nacsem-5112.htm Both heavily redacted but comparison may fill in missing. The TEMPEST researchers at Cambridge may have full documents. What say? Our compilation: http://cryptome.org/nsa-tempest.htm

1 0

Ubuntu bug 1308572
by Georgi Guninski 30 Apr '14

30 Apr '14

Ubuntu bug 1308572 https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572 ----- affects ubuntu Hello, I am running Ubuntu 14.04 with all the packages updated. When the screen is locked with password, if I hold ENTER after some seconds the screen freezes and the lock screen crashes. After that I have the computer fully unlocked. -- Marco Agnese This bug is about the lockscreen being bypassed when unity crashes/restarts, which is a critcal security issue. The crash will be handled from bug 1308750 -----

2 2

DoJ tried to stop Barrett Brown's criticism of gov
by Douglas Lucas 28 Apr '14

28 Apr '14

This morning WhoWhatWhy published my new article, "Silencing Barrett Brown." I obtained the transcript of the hacktivist journo's September 4 gag hearing, which revealed bench conference conversations that were inaudible from the gallery when I attended. The transcript shows the prosecution asked the judge to stop Brown's wide-ranging criticism of the government in general, claiming that his anti-authority "tone" in one of his Guardian articles was "problematic." My article also provides an update on his case and plea deal. http://whowhatwhy.com/2014/04/28/silencing-barrett-brown/

1 0

Re: [Cryptography] GCC bug 30475 (was Re: bounded pointers in C)
by John Young 28 Apr '14

28 Apr '14

The criminal liability of NSA, other spies corps, orgs and comsec wizards in de facto complicit deception and exploitation of the public is a worthy topic to drag out of the hideaways. It might be demonizing of the valiant code warriors to be described as a Racketeer Influenced Criminal Organization operating under the cheerfully duplicitous Open Source. Open secrecy is the main tool of these sub rosa hoodlums, Mafioso mathematicians wiggling out of responsibility by algo shadiness and protestations of public service on behalf of working around censorship to free the slaves for better use producing cream for the privacy milkers. Top of the cream milkers adopt the aggrieved innocence when caught red-handed rustling public cattle, hello Mr. Bundy. So sue me, they laugh, knowing no jury could possibly grasp the arcane lingo the bozos use to semaphor signals about their nefaria promoted as good for the commonweal. Subsidize us, befuddled citz, kachink. A huge market ripoff, comsec, privacy and freedom of the Internet. Simple beginnings with a few crafty ne'er do well engineers, mathematicians and scientists, avoiding penal labor in labs, factories and spynests, setting up a quiet racket to control and monetize crypto, comsec and privacy while selling hacks and snitching to the fuzz downtown. Which has produced a boom in profits and reputations for the TLA- and nick-named coders, hackers, exploiters, leakers, promoters, apologists, yes, even populist heros and awards winners from Anonymous to Alexander to Snowden and this very list of who's who in wily coyotes. Code-wielding Corsicans never had it so good since the opening of the Internet frontier to unfettered gangsters claiming to be comsec enforcers for Judge Roy Bean west of Silicon Valley). Just saying howdy to my gang of cypherpunks free rangers for whom working around law-enforcement fences while informing, backdooring, and cheating on each other is top secret code of silence Omerta.

1 0

Poul-Henning Kamp
by dan＠geer.org 27 Apr '14

27 Apr '14

The talk Poul-Henning Kamp gave 12 Feb at FOSDEM http://www.youtube.com/watch?v=fwcl17Q0bpk parallels a half-dozen different threads found here. Carefully adjust your skepticism knob before listening (30m talk, 15m Q&A). --dan Scepticism is the chastity of the intellect; it is shameful to give it up too soon, or to the first comer. -- George Santayana

1 0

"Population Management"
by grarpamp 25 Apr '14

25 Apr '14

https://publicintelligence.net/identity-dominance/

1 0