Entries Tagged "privacy"

Page 54 of 145

Eavesdropping by Visual Vibrations

Researchers are able to recover sound through soundproof glass by recording the vibrations of a plastic bag.

Researchers at MIT, Microsoft, and Adobe have developed an algorithm that can reconstruct an audio signal by analyzing minute vibrations of objects depicted in video. In one set of experiments, they were able to recover intelligible speech from the vibrations of a potato-chip bag photographed from 15 feet away through soundproof glass.

In other experiments, they extracted useful audio signals from videos of aluminum foil, the surface of a glass of water, and even the leaves of a potted plant.

This isn’t a new idea. I remember military security policies requiring people to close the window blinds to prevent someone from shining a laser on the window and recovering the sound from the vibrations. But both the camera and processing technologies are getting better.

News story.

Posted on August 8, 2014 at 11:50 AMView Comments

The US Intelligence Community has a Third Leaker

Ever since the Intercept published this story about the US government’s Terrorist Screening Database, the press has been writing about a “second leaker”:

The Intercept article focuses on the growth in U.S. government databases of known or suspected terrorist names during the Obama administration.

The article cites documents prepared by the National Counterterrorism Center dated August 2013, which is after Snowden left the United States to avoid criminal charges.

Greenwald has suggested there was another leaker. In July, he said on Twitter “it seems clear at this point” that there was another.

Everyone’s miscounting. This is the third leaker:

  • Leaker #1: Edward Snowden.
  • Leaker #2: The person who is passing secrets to Jake Appelbaum, Laura Poitras and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this is either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents. Snowden has said that he is not the source for the Merkel story, and Greenwald has confirmed that the Snowden documents are not the source for the X-KEYSCORE rules. I have also heard privately that the NSA knows that this is a second leaker.
  • Leaker #3: This new leaker, with access to a different stream of information (the NCTC is not the NSA), whom the Intercept calls “a source in the intelligence community.”

Harvard Law School professor Yochai Benkler has written an excellent law-review article on the need for a whistleblower defense. And there’s this excellent article by David Pozen on why government leaks are, in general, a good thing.

Posted on August 7, 2014 at 12:14 PMView Comments

Legal Attacks Against Tor

Last week, we learned that the NSA targets people who look for information about Tor. A few days later, the operator of a Tor exit node in Austria has been found guilty as an accomplice, because someone used his computer to transmit child porn. Even more recently, Tor has been named as a defendant in a revenge-porn suit in Texas because it provides web-porn operators with privacy.

Here’s the EFF: “Seven Things You Should Know About Tor.”

EDITED TO ADD (7/16): It seems that article about Tor in Austria was wrong.

Posted on July 15, 2014 at 6:13 AMView Comments

GCHQ Catalog of Exploit Tools

The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:

GLASSBACK: Technique of getting a targets IP address by pretending to be a spammer and ringing them. Target does not need to answer.

MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.

MOUTH: Tool for collection for downloading a user’s files from Archive.org.

PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.

SILVER SPECTOR: Allows batch Nmap scanning over Tor.

SPRING BISHOP: Find private photographs of targets on Facebook.

ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.

BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The techniques employs the services provided by upload providers to report offensive materials.

BOMB BAY: is the capacity to increase website hits/rankings.

BURLESQUE: is the capacity to send spoofed SMS messages.

CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.

CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedely bomb a target number with the same message.

GATEWAY: Ability to artificially increase traffic to a website.

GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).

SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.

SUNBLOCK: Ability to deny functionality to send/receive email or view material online.

SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a targets machine

UNDERPASS: Change outcome of online polls (previously known as NUBILO).

WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.

HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.

HUSK: Secure one-on-one web based dead-drop messaging platform.

There’s lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.

I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.

EDITED TO ADD (7/16): HTML of the entire catalog is here.

Posted on July 14, 2014 at 12:35 PMView Comments

NSA Spied on Prominent Muslim Americans

The latest story from the Snowden documents is about five prominent Muslim Americans who were spied on by the NSA and FBI. It’s a good story, and I recommend reading it in its entirety. I have a few observations.

One, it’s hard to assess the significance of this story without context. The source document is a single spreadsheet that lists 7,485 e-mail addresses monitored between 2002 and 2008.

The vast majority of individuals on the “FISA recap” spreadsheet are not named. Instead, only their email addresses are listed, making it impossible in most cases to ascertain their identities. Under the heading “Nationality,” the list designates 202 email addresses as belonging to “U.S. persons,” 1,782 as belonging to “non-U.S. persons,” and 5,501 as “unknown” or simply blank. The Intercept identified the five Americans placed under surveillance from their email addresses.

Without knowing more about this list, we don’t know whether this is good or bad. Is 202 a lot? A little? Were there FISA warrants that put these people on the list? Can we see them?

Two, the 2008 date is important. In July of that year, Congress passed the FISA Amendments Act, which restricted what sorts of surveillance the NSA can do on Americans. So while this story tells us about what was happening before the FAA, we don’t know what—if anything—changed with the passage of the FAA.

Three, another significant event at the time was the FBI’s prosecution of the Holy Land Foundation on terrorism charges. This brought with it an overly broad investigation of Muslim Americans who were just associated with that charity, but that investigation came with approved warrants and all the due process it was supposed to have. How many of the Americans on this list are there as a result of this one case?

Four, this list was just the starting point for a much broader NSA surveillance effort. As Marcy Wheeler pointed out, these people were almost certainly associationally mapped. CAIR founder Nihad Awad is one of the NSA targets named in the story. CAIR is named in an EFF lawsuit against the NSA. If Awad had any contact with the EFF in 2008, then they were also being spied on—that’s one hop. Since I had lots of contact with the EFF in the affected time period, I was being spied on as well—that’s two hops. And if any of you e-mailed me around that time—well, that’s three hops. This isn’t “just metadata”; this is full-take content that’s stored forever. And, yes, the president instructed the NSA to only spy people up to two hops away this January, but that was just one program under one authority.

This is a hard story to analyze, because it’s more anecdote than data. I much preferred last Saturday’s story that tried to analyze broad trends about who the subjects of NSA surveillance are. But anecdotes are more persuasive than data, so this story might be more compelling to a mainstream audience.

Other commentary: EFF, Ben Wittes, the Director of National Intelligence. I’m curious to watch how this story unfolds in the media.

One final note: I just couldn’t think of a headline more sensationalist than the descriptive one.

Posted on July 9, 2014 at 12:39 PMView Comments

Web Activity Used in Court to Portray State of Mind

I don’t care about the case, but look at this:

“Among the details police have released is that Harris and his wife, Leanna, told them they conducted Internet searches on how hot a car needed to be to kill a child. Stoddard testified Thursday that Ross Harris had visited a Reddit page called “child-free” and read four articles. He also did an Internet search on how to survive in prison, Stoddard said.

“Also, five days before Cooper died, Ross Harris twice viewed a sort of homemade public service announcement in which a veterinarian demonstrates on video the dangers of leaving someone or something inside a hot car.”

Stoddard is a police detective. It seems that they know about his web browsing because they seized and searched his computer:

…investigators confiscated Harris’ work computer at Home Depot following his arrest and discovered an Internet search about how long it would take for an animal to die in a hot car.

Stoddard also testified that Harris was “sexting”—is this a word we use in court now?—with several women on the day of his son’s death, and sent explicit pictures to one of them. I assume he knows that by looking at Harris’s message history.

A bunch of this would not be admissible in trial, but this was a probable-cause hearing, and the rules are different for those. CNN writes: “a prosecutor insisted that the testimony helped portray the defendant’s state of mind and spoke to the negligence angle and helped establish motive.”

This case aside, is there anyone reading this whose e-mails, text messages, and web searches couldn’t be cherry-picked to portray any state of mind a prosecutor might want to portray? (Qu’on me donne six lignes écrites de la main du plus honnête homme, j’y trouverai de quoi le faire pendre.Cardinal Richelieu.)

Posted on July 4, 2014 at 6:24 AMView Comments

NSA Targets the Privacy-Conscious for Surveillance

Jake Appelbaum et al., are reporting on XKEYSCORE selection rules that target users—and people who just visit the websites of—Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever.

This code demonstrates the ease with which an XKeyscore rule can analyze the full content of intercepted connections. The fingerprint first checks every message using the “email_address” function to see if the message is to or from “bridges@torproject.org”. Next, if the address matched, it uses the “email_body” function to search the full content of the email for a particular piece of text – in this case, “https://bridges.torproject.org/”. If the “email_body” function finds what it is looking for, it passes the full email text to a C++ program which extracts the bridge addresses and stores them in a database.

[…]

It is interesting to note that this rule specifically avoids fingerprinting users believed to be located in Five Eyes countries, while other rules make no such distinction. For instance, the following fingerprint targets users visiting the Tails and Linux Journal websites, or performing certain web searches related to Tails, and makes no distinction about the country of the user.

[…]

There are also rules that target users of numerous other privacy-focused internet services, including HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion as well as its predecessor MixMaster. The appid rule for MixMinion is extremely broad as it matches all traffic to or from the IP address 128.31.0.34, a server located on the MIT campus.

It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link—with the embedded torproject.org URL above—is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.

Whatever the case, this is very disturbing.

EDITED TO ADD (7/3): The BoingBoing story says that this was first published on Tagesschau. Can someone who can read German please figure out where this originated.

And, since Cory said it, I do not believe that this came from the Snowden documents. I also don’t believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there.

EDITED TO ADD (7/3): More news stories. Thread on Reddit. I don’t expect this to get much coverage in the US mainstream media.

EDITED TO ADD (7/3): Here is the code. In part:

// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/

$TAILS_terms=word(‘tails’ or ‘Amnesiac Incognito Live System’) and
word(‘linux’
or ‘ USB ‘ or ‘ CD ‘ or ‘secure desktop’ or ‘ IRC ‘ or ‘truecrypt’ or ‘
tor ‘);
$TAILS_websites=(‘tails.boum.org/’) or (‘linuxjournal.com/content/linux*’);
// END_DEFINITION

// START_DEFINITION
/*
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to
TAILs,
or viewing websites that detail TAILs.
*/
fingerprint(‘ct_mo/TAILS’)=
fingerprint(‘documents/comsec/tails_doc’) or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
// END_DEFINITION

Hacker News and Slashdot threads. ArsTechnica and Wired articles.

EDITED TO ADD (7/4): EFF points out that it is illegal to target someone for surveillance solely based on their reading:

The idea that it is suspicious to install, or even simply want to learn more about, tools that might help to protect your privacy and security underlies these definitions—and it’s a problem. Everyone needs privacy and security, online and off. It isn’t suspicious to buy curtains for your home or lock your front door. So merely reading about curtains certainly shouldn’t qualify you for extra scrutiny.

Even the U.S. Foreign Intelligence Surveillance Court recognizes this, as the FISA prohibits targeting people or conducting investigations based solely on activities protected by the First Amendment. Regardless of whether the NSA is relying on FISA to authorize this activity or conducting the spying overseas, it is deeply problematic.

Posted on July 3, 2014 at 11:01 AMView Comments

Goldman Sachs Demanding E-Mail Be Deleted

Goldman Sachs is going to court to demand that Google retroactively delete an e-mail it accidentally sent.

The breach occurred on June 23 and included “highly confidential brokerage account information,” Goldman said in a complaint filed last Friday in a New York state court in Manhattan.

[…]

Goldman said the contractor meant to email her report, which contained the client data, to a “gs.com” account, but instead sent it to a similarly named, unrelated “gmail.com” account.

The bank said it has been unable to retrieve the report or get a response from the Gmail account owner. It said a member of Google’s “incident response team” reported on June 26 that the email cannot be deleted without a court order.

“Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs’ clients, and to avoid the risk of unnecessary reputational damage to Goldman Sachs,” the bank said.

“By contrast, Google faces little more than the minor inconvenience of intercepting a single email – an email that was indisputably sent in error,” it added.

EDITED TO ADD (7/7): Google deleted the unread e-mail, without waiting for a court order.

Posted on July 3, 2014 at 5:46 AMView Comments

1 52 53 54 55 56 145

Sidebar photo of Bruce Schneier by Joe MacInnis.