Now this is interesting:
Thousands of pages of secret documents reveal how Vulkan’s engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet.
The company’s work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia’s foreign intelligence organisation.
Lots more at the link.
The documents are in Russian, so it will be a while before we get translations.
EDITED TO ADD (4/1): More information.
Posted on March 30, 2023 at 6:00 PM
The Intercept has a long article on the insecurity of photo cropping:
One of the hazards lies in the fact that, for some of the programs, downstream crop reversals are possible for viewers or readers of the document, not just the file’s creators or editors. Official instruction manuals, help pages, and promotional materials may mention that cropping is reversible, but this documentation at times fails to note that these operations are reversible by any viewers of a given image or document.
Uncropped versions of images can be preserved not just in Office apps, but also in a file’s own metadata. A photograph taken with a modern digital camera contains all types of metadata. Many image files record text-based metadata such as the camera make and model or the GPS coordinates at which the image was captured. Some photos also include binary data such as a thumbnail version of the original photo that may persist in the file’s metadata even after the photo has been edited in an image editor.
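The thumbnail point above is easy to check for. The following is an added example, not code from the Intercept article or this post: a small EXIF walker that reports whether a JPEG still carries the IFD1 thumbnail (tags 0x0201/0x0202) and a helper that drops the APP1 segment entirely. The sample image it builds is constructed with a placeholder "thumbnail", not a real camera file.

```python
import struct

def _exif_thumbnail(payload):
    """Return (offset, length) of the IFD1 thumbnail in an EXIF APP1 payload, or None."""
    tiff = payload[6:]  # TIFF block; all EXIF offsets are relative to its first byte
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2], "")  # byte-order mark
    rd = lambda fmt, off: struct.unpack(end + fmt, tiff[off:off + struct.calcsize(fmt)])
    if not (payload.startswith(b"Exif\x00\x00") and end and rd("H", 2)[0] == 42):
        return None
    ifd0 = rd("I", 4)[0]
    ifd1 = rd("I", ifd0 + 2 + 12 * rd("H", ifd0)[0])[0]  # next-IFD link after IFD0's entries
    if ifd1 == 0:
        return None  # no IFD1, hence no thumbnail
    entries = [rd("HHII", ifd1 + 2 + 12 * i) for i in range(rd("H", ifd1)[0])]  # tag,type,count,value
    vals = {tag: val for tag, _, _, val in entries}
    if 0x0201 in vals and 0x0202 in vals:  # JPEGInterchangeFormat / JPEGInterchangeFormatLength
        return vals[0x0201], vals[0x0202]
    return None

def _segments(jpeg):
    """Yield (pos, marker, size) for each header segment before start-of-scan (SOS)."""
    pos = 2  # skip SOI; markers before SOS all carry a 2-byte length
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, jpeg[pos + 1], size
        pos += 2 + size

def find_thumbnail(jpeg):
    """Return the EXIF thumbnail bytes embedded in a JPEG, or None if there is none."""
    for pos, marker, size in _segments(jpeg):
        body = jpeg[pos + 4:pos + 2 + size]  # segment payload after marker and length
        hit = _exif_thumbnail(body) if marker == 0xE1 else None
        if hit:
            return body[6 + hit[0]:6 + hit[0] + hit[1]]  # 6 = len(b"Exif\0\0")
    return None

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 (EXIF) segment removed."""
    out, tail = bytearray(jpeg[:2]), 2
    for pos, marker, size in _segments(jpeg):
        if marker != 0xE1:
            out += jpeg[pos:pos + 2 + size]
        tail = pos + 2 + size
    return bytes(out) + jpeg[tail:]

def sample_jpeg():  # constructed test image, not a real camera file
    thumb = b"\xff\xd8THUMB\xff\xd9"  # stands in for the embedded preview image
    ifd0 = struct.pack("<HHHI4sI", 1, 0x0110, 2, 4, b"cam\x00", 26)  # one Model entry, IFD1 at 26
    ifd1 = struct.pack("<HHHIIHHIII", 2, 0x0201, 4, 1, 56, 0x0202, 4, 1, len(thumb), 0)  # thumb at 56
    payload = b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + ifd0 + ifd1 + thumb
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xda\x00\x02scan\xff\xd9"
```

Real camera files place the thumbnail behind IFD0 the same way, so `find_thumbnail(open(path, "rb").read())` returning anything other than `None` means an edited or cropped original may still be recoverable.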
Posted on February 21, 2023 at 7:14 AM
People are trying to dig up dirt on Peiter Zatko, better known as Mudge.
For the record, I have not been contacted. I’m not sure if I should feel slighted.
Posted on September 14, 2022 at 6:51 AM
Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that it violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitter’s chief security officer until he was fired in January.
The Washington Post has the scoop (with documents) and companion backgrounder. This CNN story is also comprehensive.
EDITED TO ADD: Another news article. Slashdot thread.
EDITED TO ADD (9/2): More info.
Posted on August 24, 2022 at 6:40 AM
Someone hacked the Ecuadorian embassy in Moscow and found a document related to Ecuador’s 2013 efforts to bring Edward Snowden there. If you remember, Snowden was traveling from Hong Kong to somewhere when the US revoked his passport, stranding him in Russia. In the document, Ecuador asks Russia to provide Snowden with safe passage to come to Ecuador.
It’s hard to believe this all happened almost ten years ago.
Posted on June 29, 2022 at 6:19 AM
Two speakers were censored at the Australian Information Security Association’s annual conference this week in Melbourne. Thomas Drake, former NSA employee and whistleblower, was scheduled to give a talk on the golden age of surveillance, both government and corporate. Suelette Dreyfus, lecturer at the University of Melbourne, was scheduled to give a talk on her work—funded by the EU government—on anonymous whistleblowing technologies like SecureDrop and how they reduce corruption in countries where that is a problem.
Both were put on the program months ago. But just before the event, the Australian government’s ACSC (the Australian Cyber Security Centre) demanded they both be removed from the program.
It’s really kind of stupid. Australia has been benefiting a lot from whistleblowers in recent years—exposing corruption and bad behavior on the part of the government—and the government doesn’t like it. It’s cracking down on the whistleblowers and reporters who write their stories. My guess is that someone high up in ACSC saw the word “whistleblower” in the descriptions of those two speakers and talks and panicked.
You can read details of their talks, including abstracts and slides, here. Of course, now everyone is writing about the story. The two censored speakers spent a lot of the day yesterday on the phone with reporters, and they have a bunch of TV and radio interviews today.
I am at this conference, speaking on Wednesday morning (today in Australia, as I write this). ACSC used to have its own government cybersecurity conference. This is the first year it combined with AISA. I hope it’s the last. And that AISA invites the two speakers back next year to give their censored talks.
EDITED TO ADD (10/9): More on the censored talks, and my comments from the stage at the conference.
Posted on October 8, 2019 at 5:15 PM
Interesting essay arguing that we need better legislation to protect cybersecurity whistleblowers.
Congress should act to protect cybersecurity whistleblowers because information security has never been so important, or so challenging. In the wake of a barrage of shocking revelations about data breaches and companies' mishandling of customer data, a bipartisan consensus has emerged in support of legislation to give consumers more control over their personal information, require companies to disclose how they collect and use consumer data, and impose penalties for data breaches and misuse of consumer data. The Federal Trade Commission (“FTC”) has been held out as the best agency to implement this new regulation. But for any such legislation to be effective, it must protect the courageous whistleblowers who risk their careers to expose data breaches and unauthorized use of consumers’ private data.
Whistleblowers strengthen regulatory regimes, and cybersecurity regulation would be no exception. Republican and Democratic leaders from the executive and legislative branches have extolled the virtues of whistleblowers. High-profile cases abound. Recently, Christopher Wylie exposed Cambridge Analytica’s misuse of Facebook user data to manipulate voters, including its apparent theft of data from 50 million Facebook users as part of a psychological profiling campaign. Though additional research is needed, the existing empirical data reinforces the consensus that whistleblowers help prevent, detect, and remedy misconduct. Therefore it is reasonable to conclude that protecting and incentivizing whistleblowers could help the government address the many complex challenges facing our nation’s information systems.
Posted on June 3, 2019 at 6:30 AM
In 2015, the Intercept started publishing “The Drone Papers,” based on classified documents leaked by an unknown whistleblower. Today, someone who worked at the NSA, and then at the National Geospatial-Intelligence Agency, was charged with the crime. It is unclear how he was initially identified. It might have been this: “At the agency, prosecutors said, Mr. Hale printed 36 documents from his Top Secret computer.”
The article talks about evidence collected after he was identified and searched:
According to the indictment, in August 2014, Mr. Hale’s cellphone contact list included information for the reporter, and he possessed two thumb drives. One thumb drive contained a page marked “secret” from a classified document that Mr. Hale had printed in February 2014. Prosecutors said Mr. Hale had tried to delete the document from the thumb drive.
The other thumb drive contained Tor software and the Tails operating system, which were recommended by the reporter’s online news outlet in an article published on its website regarding how to anonymously leak documents.
Posted on May 9, 2019 at 3:17 PM
New York Magazine published an excellent profile of the single-document leaker Reality Winner.
Posted on December 29, 2017 at 6:34 AM
This should come as no surprise:
Alas, our findings suggest that secure communications haven’t yet attracted mass adoption among journalists. We looked at 2,515 Washington journalists with permanent credentials to cover Congress, and we found only 2.5 percent of them solicit end-to-end encrypted communication via their Twitter bios. That’s just 62 out of all the broadcast, newspaper, wire service, and digital reporters. Just 28 list a way to reach them via Signal or another secure messaging app. Only 22 provide a PGP public key, a method that allows sources to send encrypted messages. A paltry seven advertise a secure email address. In an era when anything that can be hacked will be and when the president has declared outright war on the media, this should serve as a frightening wake-up call.
When journalists don’t step up, sources with sensitive information face the burden of using riskier modes of communication to initiate contact—and possibly conduct all of their exchanges—with reporters. It increases their chances of getting caught, putting them in danger of losing their job or facing prosecution. It’s burden enough to make them think twice about whistleblowing.
I forgive them for not using secure e-mail. It’s hard to use and confusing. But secure messaging is easy.
Posted on August 31, 2017 at 6:52 AM