Page 395

FBI Agents Pose as Repairmen to Bypass Warrant Process

This is a creepy story. The FBI wanted access to a hotel guest’s room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant.

From the motion to suppress:

The next time you call for assistance because the internet service in your home is not working, the “technician” who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and—when he shows up at your door, impersonating a technician—let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have “consented” to an intrusive search of your home.

Basically, the agents snooped around the hotel room, and gathered evidence that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians.

More coverage of the case here.

This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can’t be sure they are not government agents in disguise, then we’ve lost quite a lot of our freedom and liberty.

Tags: , , , , ,

Posted on November 26, 2014 at 6:50 AMView Comments

Regin: Another Military-Grade Malware

Regin is another militarygrade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater.

EDITED TO ADD (12/10): More information.

Tags: , , , , , ,

Posted on November 25, 2014 at 6:57 AMView Comments

Pre-Snowden Debate About NSA Call-Records Collection Program

AP is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program.

The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing the calling records of nearly every American fundamentally changed the character of the agency, which is supposed to eavesdrop on foreigners, not Americans.

Hacker News thread.

Tags: , , , ,

Posted on November 20, 2014 at 2:42 PMView Comments

A New Free CA

Announcing Let’s Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.

This is an absolutely fantastic idea.

The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.

[…]

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

Slashdot thread. Hacker News thread.

EDITED TO ADD (11/19): Good post. And EFF’s blog post.

Tags: , , , ,

Posted on November 18, 2014 at 12:38 PMView Comments

Whatsapp Is Now End-to-End Encrypted

Whatsapp is now offering end-to-end message encryption:

Whatsapp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device.

I don’t know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives me some confidence that it’s a robust implementation.

EDITED TO ADD (11/20): Slashdot thread.

Tags: , , ,

Posted on November 18, 2014 at 12:35 PMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.