P2P-Zone  

Old 18-02-15, 09:05 AM   #1
JackSpratts
 
 
Join Date: May 2001
Location: New England
Posts: 10,013
Default Peer-To-Peer News - The Week In Review - February 21st, '15

Since 2002

"The discovery of the [NSA] Equation Group is significant…this omnipotent cyber espionage entity…infecting hard drive firmware on a dozen different brands." – Costin Raiu


"That U.S. and U.K. spy agencies hacked the network of a Dutch company to steal encryption keys for billions of SIM cards is truly shocking…another worrying sign that these agencies think they are above the law." – Anne Jellema

February 21st, 2015

Kim Dotcom's Lawyer Plays Down Megaupload Worker's Guilty Plea

Kim Dotcom's US lawyer has denied that a guilty plea by one of the Megaupload's former employees has major implications for his client's case.

Andrus Nomm was sentenced to a year in jail after pleading guilty on Friday to conspiracy to commit copyright infringement while working for the now defunct file-sharing site.

The US is currently trying to extradite Mr Dotcom, who founded Megaupload, from New Zealand to stand trial.

Mr Dotcom denies wrongdoing.

The US Department of Justice (DoJ) has alleged that Megaupload's staff had "operated websites that wilfully reproduced and distributed infringing copies of copyrighted works" over a period of five years, causing more than $400m (£260m) of harm to copyright owners.

Nomm - a 36-year-old Estonian citizen - agreed to this damages estimate as part of his plea, according to a press release from the DoJ. He had been living in the Netherlands before he travelled to Virginia to make the deal with the US authorities.

The DoJ added that Nomm had acknowledged that through his work as a computer programmer for Megaupload, he had become aware of copyright-infringing material being stored on its sites, including films and TV shows that had contained FBI anti-piracy warnings.

It said he had also admitted to having downloaded copyright-infringing files himself.

"This conviction is a significant step forward in the largest criminal copyright case in US history," said assistant attorney general Leslie Caldwell.

'Compassion and understanding'

Hong Kong-based Megaupload was one of the world's most visited "cyber locker" sites when its domain names and assets were seized in January 2012, at the request of the US authorities.

Mr Dotcom has long maintained that he had not encouraged users to upload pirated material, and has said he cannot be held responsible for what others had stored on his service.

At the end of last week, on Friday, he tweeted: "I have nothing but compassion and understanding for Andrus Nomm and I hope he will soon be reunited with his son."

In an interview with Radio New Zealand, Mr Dotcom's lawyer attempted to play down the significance of the latest development.

"Mr Nomm [was] interested in just getting one year and being done with this, essentially [he] lost on procedure rather than merit," said Ira Rothken.

"It looks like a scripted guilty plea that was more of a Hollywood public relations stunt.

"Andrus Nomm was involved particularly in video streaming and... video streaming is never a copyright crime in the United States.

"The other points that were made during his plea bargain was that he claimed that no filtering was going on - but the failure to filter was at most a civil issue and not a criminal issue.

"And then he also said that Kim Dotcom evidently did not care about copyrights, notwithstanding the robust notice and takedown policies of Megaupload. And the notion that someone does not care is also not a crime, it's not even a civil wrong."

Mr Dotcom and five other individuals face charges of conspiracy to commit racketeering, conspiracy to commit copyright infringement, conspiracy to commit money laundering and wire fraud.

An extradition hearing for Mr Dotcom and three of the other accused is scheduled to take place in Auckland in June.
http://www.bbc.co.uk/news/technology-31488708





Valve Censoring Torrent References in Steam Chat

It seems Valve is restricting just what you can talk about when using the Steam chat service. Specifically, any reference to a particular torrent site is being stripped from conversation, while mentions of other pages trigger a warning that the site is "potentially malicious".

Millions of gamers use Steam every day, with a large portion using the online messaging service. If you're the sort of person who likes to chat about where to acquire Linux ISOs (or, um, other things), however, you might like to take your conversations elsewhere.

In the wake of website KickassTorrents being taken offline earlier this week, people quickly noticed that references to the torrent site were being stripped from chat - with no warning, notification, or acknowledgement that anything is missing.

We've seen censorship before, with chat providers blocking certain words, replacing key letters with asterisks or simply substituting inoffensive words for those considered "problematic". That's not what Valve is doing here though - the entire message is disappearing, not just the troublesome domain.

As is common among websites used for torrent distribution, KickassTorrents is mirrored across a number of domains - but Steam chat is only blanking one of them. Other variants of the same site are simply flagged as "potentially malicious", prompting a warning message if a user attempts to follow a link sent in chat.

At this stage, Valve has not commented on why that particular domain is being targeted by chat censorship - or if it's the only site affected - but it does illustrate that Steam chat might not be the best place to discuss those latest Linux ISOs...
http://www.playerattack.com/news/201...in-steam-chat/





ISPs Unveil Draft Anti-Piracy Scheme

Draft code will see notices issued to ISP customers accused of online piracy
Rohan Pearce

Under a draft industry code of practice unveiled today by telco group Communications Alliance, ISP customers will be issued with a series of warning notices in response to alleged online copyright infringement.

The implementation of such a code is one of the key pillars of the government's crackdown on online copyright violations.

Under the code if a rights holder detects unauthorised online sharing of one of its works, it can notify the ISP associated with the IP address.

The ISP will "endeavour to match the IP addresses identified by Rights Holders to the Account Holders to which the IP addresses were assigned at the time of the alleged infringements," the draft (PDF) states.

The initial notice will inform the recipient "that the activity allegedly detected on their account is indicative of an infringement of copyright under the Copyright Act 1968 and provide information about sources of non-infringing content."

If an account holder receives three notices within the space of 12 months, "ISPs will, on the request of a Rights Holder, facilitate an expedited preliminary discovery process" — clearing the path for a rights holder to take civil court action against the alleged downloader.

"An ISP must not accept any requests by a Rights Holder to, disclose any personal information including the identity or any contact details of an Account Holder at any stage of the copyright notice scheme, unless there is a court order or written permission from the Account Holder expressly authorising such disclosure of personal information," the draft states.

Previously a major barrier to the development of a notice scheme has been the apportioning of costs for establishing and operating it.

Section 4.4 of the draft notes that rights holders and ISPs are still working to "quantify the costs of meeting the specific operational responsibilities and processes required by the Scheme" and "determine how these costs should be fairly apportioned between ISPs and Right Holders" in line with a letter sent last year to stakeholders by Communications Minister Malcolm Turnbull and Attorney-General George Brandis.

That letter said that the government expected the code to "fairly" apportion costs between ISPs and rights holders and ensure smaller ISPs are not disproportionally affected.

The draft code also provides a means for ISP customers to appeal to an 'Adjudication Panel' if they are issued with three notices within a 12-month period.

The code applies to ISPs "that supply residential fixed internet access services" and the scheme "covers residential fixed, internet Account Holders only".

The scheme also envisages capping the number of notices ISPs will have to issue during the first 18 months after implementation: "No ISP will be obliged to process more than a [minimum specified number] of Infringement Reports during a given calendar month during the initial 18 months of operation of the copyright notice scheme."

An evaluation process will be carried out within 18 months of the scheme coming into effect.

The three tiers of notices are categorised as "education", "warning" and "final". After issuing a final notice an ISP is obliged to "act reasonably to facilitate and assist an application by a Rights Holders for Preliminary Discovery":

An ISP must act reasonably to facilitate and assist an application by a Rights Holders for Preliminary Discovery to the extent that such orders are sought: (a) following Rights Holders and ISPs observing the procedures prescribed by this Code in relation to an Account Holder whose IP address was included on a Final Notice List provided by that Account Holder’s ISP to a relevant Rights Holder; (b) in relation to the identity and address (if available to that ISP) contact details of that Account Holder; and (c) for provision of copies of Notices sent to that Account Holder that were the subject of the Final Notice List...

An ISP must comply with a final court order to disclose the Account Holder’s details to the Rights Holder.


"These issues are complex and while both industries want to eradicate online copyright infringement, it has proved very difficult in the past for rights holders and ISPs to agree on the shape of a notice scheme," Communications Alliance CEO John Stanton said in a statement released by the organisation.

"Much work remains, but publication of a draft code is an important milestone toward greater protection for the legitimate rights of the creative industries."

The working committee that developed the draft included representatives from Telstra, Optus, Vodafone Hutchison Australia, iiNet, M2, IP Star, Verizon and Baker and McKenzie. The committee worked with a stakeholder group that included representatives of rights holders and consumer groups.

Advocacy group Australian Communications Consumer Action Network (ACCAN), which participated in the drafting process, said it was concerned about the potential for rights holders to use evidence gathered through the scheme to take court action that would disconnect consumers.

"Disconnection from the internet or speed throttling are not proportionate methods to tackle the problem of online copyright infringement," ACCAN's CEO, Teresa Corbin, said in a statement.

"Negotiations are still underway on key aspects of the code and ACCAN will continue to engage to get a fair result for consumers.

"Evidence from overseas strongly indicates that markets that have access to affordable legitimate content do not have the same problem with online copyright infringement. For example in the US the relative volume of torrenting reduced five-fold after Netflix and others gained a foothold.

"We believe that if the Australian streaming market is allowed to mature it would reduce the need for costly regulation."

Corbin said that ACCAN is concerned that consumers will ultimately pay for the scheme.

"This scheme sets up a David versus Goliath struggle, letting corporate giants such as Foxtel and Village Roadshow Limited use their legal force against everyday Australians," Choice campaigns manager Erin Turner said in a statement.

"While the industry is trying to sell this as a no-penalty education scheme, it will actually help them funnel Australians into litigation by forcing ISPs hand over customer details based on unproven accusations.

"This is no gentle education program. It's a flawed notice scheme that gives rights holders access to personal details. ISPs will send up to three notices based on rights holder accusations. After this, they can pass on personal customer details to the rights holders."

The group also criticised a $25 fee charged to ISP customers who wish to appeal a notice.

Turner said the scheme could lead to so-called speculative invoicing or expensive lawsuits for consumers.

"This scheme will likely see Australians being either sued or contacted by rights holders demanding arbitrary payments," Turner said.

"This is particularly concerning because under Australian law, there is no limit to the amount of money that can be sought by a rights holder for copyright infringement."

The effectiveness of "graduated response" schemes reducing copyright infringement has previously been questioned by Australian research.

"Graduated response schemes have been variously criticized for impinging on the human right to freedom of expression, for breaching privacy and for failing to comply with key tenets of the rule of law," states a 2013 paper by Monash University researcher Rebecca Giblin.

"But quite separate from those criticisms, their legitimacy is seriously thrown into question by the startling lack of evidence that graduated response helps achieve any of copyright law’s underlying aims...

"There is no evidence demonstrating a causal connection between graduated response and reduced infringement. If 'effectiveness' means reducing infringement, then graduated response is not effective. Furthermore, there is little convincing evidence that any variety of graduated response increases the size of the legitimate market."

The Communications Alliance is seeking public comment on the draft code. The public comment period closes 5pm on 23 March.

Another key pillar of the government's copyright crackdown is proposed legislation that will allow rights holders to apply for court orders to force ISPs to block websites.

The government is yet to introduce a bill to implement a copyright-related site-blocking regime. The idea has previously been condemned by critics as "open to abuse" and "unlikely to be effective".

The scheme "will enable a court to order the blocking of overseas hosted websites that can be shown to be primarily for the purpose of facilitating online copyright infringement," the letter by Turnbull and Brandis stated.

A number of ISPs including iiNet are currently engaged in a legal struggle with US company Dallas Buyers Club LLC over an attempt by DBC to obtain the details of ISP customers who allegedly violated its copyright. The impending introduction of an industry code that includes an expedited preliminary discovery process has been raised in court.
http://www.computerworld.com.au/arti...-infringement/





Illegal, Immoral, and Here to Stay: Counterfeiting and the 3D Printing Revolution
Josh Greenbaum

If you’re looking for a way to gauge how the 3D printing market will evolve, look no further than the dawn of two other revolutionizing technologies – the desktop printing market and the VHS standard. And be prepared for a decidedly off-color story.

While many of us have fond memories of watching a favorite movie when it first came out on VHS, or admiring the first three-color party invitation we printed on a laser printer, the fact remains that innocent pursuits were not the sole reason either of these technologies took off. And we shouldn’t expect 3D printing to be any different.

The reality is that in both cases, the illegal, illicit, and otherwise unwholesome played a major role in the growth of both the VHS and desktop printing markets. While it’s clear that most applications of these technologies were G-rated, there were plenty that weren’t. And when it comes to 3D printing, that unwholesome and downright illegal activity called counterfeiting is likely to become one of the major reasons why 3D printing will be a major growth industry in the coming years.

To be sure, as with all technologies, from the Paleolithic stone ax to 20th century nuclear fission, there are applications for good that hopefully outweigh the not-so-good. And 3D printing will have its fair share: from the manufacture of prosthetics and spare parts to on-demand organs, foods, and your child’s next toy, the 3D printing revolution will by and large have a positive impact on society as a whole.

But the threat of a major surge in counterfeiting based on the availability of relatively cheap 3D printers, increasingly sophisticated printing materials, and a never-ending supply of CAD designs available on the Internet will fuel an enormous black market in counterfeit parts. And the potential impact of 3D printers for counterfeiting just keeps on growing: A recent report by Gartner Group speculates that intellectual property loss due to 3D printer counterfeiting could total $100 billion by 2018.

What is it about 3D printing that will make it, in the words of Scientific American, “the counterfeiter’s best friend”? Just like the desktop printing industry of the 1980s, it’s that perfect storm of three important factors: the availability of a breakthrough device at a consumer price, the availability of the raw materials needed to copy something valuable, and the right software for turning the new technology into a counterfeiter’s “best friend.”

1985 was the year the perfect storm hit the desktop publishing market. The first widely available laser printer, the HP Laserjet, hit the market priced at the high end of the consumer market at about $3,000. This printer could handle pretty much any kind of paper, and print rapidly and accurately. At the same time, Aldus Pagemaker, the first widely available desktop publishing package, also hit the market, similarly priced at the high-end of the consumer market at under $700. Hello, forged credentials, certificates, permits, bills of lading, and eventually, money. Voila, another friend of the counterfeiter was born.

The illicit side of the VHS market had a slightly different trajectory. In the mid-1970s, the Betamax video standard arrived, taking advantage of the ready availability of VCRs priced in the $1,200 range. In 1977, Sony’s Betamax was challenged by upstart JVC’s VHS standard, with a couple of twists. Twist number one was the VHS could record a full-length movie, while Betamax maxed out at an hour. Twist number two was that while Sony resisted licensing Betamax for use by the pornography industry, JVC had no such qualms. Within 10 years, VHS ruled the market, and the world of entertainment has never been the same.

2014 was the year 1977 or 1985 in the world of 3D printing. Hobbyist 3D printers started showing up priced at less than $600, though a printer capable of handling the demands of the counterfeiter was still priced in the $2,500 range. And while the printers weren’t exactly free, a wide range of freeware, too numerous to mention here, showed up to allow would-be makers and counterfeiters an incredible palette of designs, drivers, and controllers.

It’s true that the materials needed to do the most sophisticated counterfeits are not as widely available as the market will eventually require, but a wide range of thermoplastics, advanced polymers, and other materials are now available to assist the counterfeiter. And it’s a given that, as the printers become more sophisticated, and the consumers become more demanding, that list will only grow over time.

Where does it all end? There’s little doubt that a cat-and-mouse game of counterfeiting and counter-measures will soon ensue. The insertion of easily-detectable nanomaterials into a legitimate copy could be used to distinguish it from a counterfeit, much like watermarks are used to detect fraudulently printed documents. Certain high-value raw materials that can be used for reproducing highly specialized, dangerous, or restricted objects could have their sales and distribution tightly regulated. Preventing counterfeiting also promises to be a growth market.

Even more important, many experts agree, will be the need for a revolution in how intellectual property protections, such as patent, copyright, and trademark are applied to the new world of 3D printing. IP protection has always lagged technological advances, and 3D printing isn’t any different: while it is clearly illegal to print a patented object, merely possessing the plans for printing that object does not violate patent law. So the onus will be on the patent-holder to prove that the object has been printed. But if the print run is in single digits, finding and proving that the counterfeited objects were illegally printed, and by whom, will be an enforcement nightmare.

The best we can do as a society is try to ensure that the benefits outweigh the problems, and in that regard, 3D printing is also following the trajectory of previous innovations. It’s certainly clear that as this new technology evolves, and the rate of counterfeiting grows with it, there will be innovations in the use of 3D printing that will advance the art of counterfeiting in ways that were never anticipated.

But it’s also clear, as it was for the VHS format and desktop publishing, that the push provided by counterfeiting, albeit one that also advances the causes of criminality and illegality, will have a positive effect on expanding the use, and most likely lowering the cost, of 3D printing, while increasing the availability of new materials and software. The trick will be to be able to distinguish between “good” 3D printing, and “bad” 3D printing, and ensure that the barriers to the latter don’t inhibit the former. We’ve done this with VHS, desktop publishing, and for better and worse, we’ll be able to do it for 3D printing as well. The more things change, the more they remain the same…
http://www.wired.com/2015/02/illegal...ng-revolution/





Pirate Bay vs. Kickass Torrents: Which File Sharing Site Is Now Most Popular In The World?
James Geddes

The Pirate Bay and Kickass Torrents have remained the two most popular file-sharing sites for years now, but with all the recent downtime, domain seizures and changes, which of the two sites is currently ranked No. 1 in popularity?

It has certainly been a rough ride as of late for The Pirate Bay and Kickass Torrents, the world's two largest file-sharing services. The Pirate Bay, long ranked as the world's number one file sharing service, was raided by Swedish authorities on Dec. 9 of last year. Its servers were seized and the site went offline, with many wondering if and when it would return. In late December, signs of a resurrection appeared, and on Jan. 31, the site returned, fully functional at a new domain.

In the interim, other file-sharing sites picked up the slack. Pirate Bay clones and copies such as oldpiratebay.org popped up, but it was The Pirate Bay's biggest rival, Kickass Torrents, which catapulted into the number one position and was crowned the most popular torrent site in early 2015.

Kickass was not without its share of hosting issues as well, however. In December 2014, the site switched domains to a Somalian server in what was reported as a routine domain change. On Feb. 9, however, the site was listed as banned, and after a brief downtime returned to its previous host located in Tonga, where it has remained up and running since. Meanwhile, The Pirate Bay return is still plagued by hosting issues, resulting in an extended outage as recently as Feb. 13.

With both sites up and running for the better part of February, the question remains, who now holds the crown as top file-hosting site on the web? The answer is not so easy to determine, however. With all the domain name changes, determining top dog is not as clear a process as it normally would be. While a recent report claims Kickass is currently tops, no clear data source or time frame is cited.

The Alexa web analytic rankings for the sites for the two current domain names appear to show The Pirate Bay as the clear winner, as thepiratebay.se shows a global rank of 216, as opposed to Kickass.to at 1,004. But a closer look shows things may not be what they seem. Alexa also shows kickass.so, Kickass Torrents' domain name that was recently banned on Feb. 9, as having a global rank of 67. That's because Alexa averages traffic over a period of time to determine rank. The rankings of The Pirate Bay and Kickass in early 2014 were 79 and 103, respectively, so clearly the most current Alexa rankings certainly do not give the real picture.

So whether Kickass has actually usurped The Pirate Bay due to the long outage of the latter site is not yet evident. Extended disappearances by file-sharing sites can result in a loss of users, as file sharers form new habits and lose trust in sites that continually go offline. Demonoid, once one of the largest torrent sites in the world, lost much of its popularity due to an extended downtime, and though it relaunched last year, it hasn't yet returned to its former standing.

Besides topping The Pirate Bay in relative stability, Kickass has several other things going for it. Many file sharers find the user interface and design of Kickass to be more appealing and user friendly than that of The Pirate Bay. Recent changes in Google's search policy to reduce search results from illegal file-sharing sites could mean a loss for The Pirate Bay which, as the top torrent site, likely received the highest volume of default traffic from such results compared with other torrent sites.

In addition, former The Pirate Bay moderators who were not asked to return to its current incarnation have warned users that unverified torrents on the newly resurrected site might be unsafe, containing viruses and malware. For The Pirate Bay to remain number one, it needs to regain users' trust in the stability of its online presence as well as in the security of its content.
http://www.techtimes.com/articles/34...-the-world.htm





In a Shift, ‘Shades’ Dominates Box Office

‘Fifty Shades of Grey’ leads weekend box office, stirring reflection on sex films
Brooks Barnes and Michael Cieply

Moviegoers turned out en masse to see the sadomasochistic love story “Fifty Shades of Grey” over the Presidents’ Day weekend, delivering a triumph for Universal Pictures and potentially altering Hollywood’s approach to sex.

“Fifty Shades of Grey,” capitalizing on the fall of Valentine’s Day on a Saturday, will take in about $90.7 million between Thursday night and Monday, according to Rentrak, which compiles ticketing data. The movie, which cost $40 million, attracted an audience that was 68 percent female, Universal said.

The film, directed by Sam Taylor-Johnson and based on the erotic novel by E. L. James, played in 3,646 theaters in North America, the largest release in history for an R-rated movie, according to Nick Carpou, Universal’s president of domestic distribution. “Theater owners added screens in response to a clamor from their patrons,” Mr. Carpou said on Sunday.

Female fans of the best-selling book — apparently dragging along a lot of reluctant husbands and boyfriends to theaters — created a wave of interest that pushed past reviewers, who gave the film terrible notices. Also drowned out were those calling for a boycott, among them the feminist group Stop Porn Culture, several domestic abuse organizations and the Roman Catholic archbishop of Cincinnati.

There were also small protests overseas, where the film took in an additional $158 million through Sunday. (Sample placard in London: “50 Shades of Nay!”) The movie was banned in some countries, including Indonesia, Kenya and Malaysia.

R-rated movies tend to perform best in big cities and other politically liberal areas. But “Fifty Shades of Grey” was enough of a cultural force — whipped up in part by Universal marketers — that crowds turned out in traditionally conservative places like the Carolinas, Kentucky and Tennessee, Mr. Carpou said.

The 24-screen AMC theater at Walt Disney World in Orlando, Fla., sold out multiple showings on Saturday, including a 4 p.m. matinee.

“I never bought the argument that the sexual theme would keep people away,” said Michael De Luca, a producer of the film. “People are not that prudish anymore.”

The response to the film, which is expected to spawn two sequels, could have a ricochet effect in Hollywood, which for decades has been operating under an assumption that sex — at least, the most blatant sort — is multiplex poison.

The story of a naïve student (Dakota Johnson) who enters into a kinky sexual relationship with a tormented billionaire (Jamie Dornan), “Fifty Shades of Grey” has a frankness that recalls popular studio offerings from the 1970s. “Emmanuelle,” a soft-core erotic film, helped bail out a faltering Columbia Pictures in 1974. “Last Tango in Paris” took in about $155 million at today’s prices in 1973 for United Artists.

But the Reagan era saw a shift in public mores. Pornography also became widely available on videocassette in the 1980s. Those factors contributed to a collapse in erotic movies at the box office, film historians said.

Ken Russell’s “Crimes of Passion,” a controversial erotic thriller that featured Kathleen Turner as a prostitute with a day job in the fashion industry, took in just $6.6 million when released in 1984, after adjusting for inflation. Two years later, “9 ½ Weeks” did only a little better, scoring $14.5 million in ticket sales.

The erotic drama “Showgirls,” which was rated NC-17, became such a punch line in 1995 that studios overwhelmingly swore off the genre. Even risqué blockbusters like “Sex and the City” (2008) or “Basic Instinct” (1992) were more flirtatious or titillating than unambiguous sexual explorations.

Still, multiplex owners appeared to walk an awkward line between embracing “Fifty Shades of Grey” and protecting their family-friendly image.

One theater in Deerfield Beach, Fla., for instance, turned the premiere into a lingerie party, offering massages and pole dancing demonstrations. At the same time, AMC Theaters, the second-largest theater chain in North America behind Regal Entertainment, said publicly that “Fifty Shades of Grey” fans should leave “props” at home, presumably referring to whips or rope.

It was a strong weekend for Hollywood all around. “Kingsman: The Secret Service” was expected to arrive at roughly $41 million in four-day ticket sales; it cost 20th Century Fox an estimated $81 million to make. “The SpongeBob Movie: Sponge Out of Water” (Paramount) was expected to generate about $37.6 million, for a two-week domestic total of more than $100 million.

Credit for the theatrical success of “Fifty Shades of Grey” belongs in large part to Donna Langley, Universal’s chairwoman. Ms. Langley aggressively wooed Ms. James, winning the film rights amid a bidding war in part by offering the author — who had no movie experience — an eyebrow-arching degree of creative control.

Rival studios credited Universal marketers with a simple yet highly effective advertising slogan: “Are You Curious?” The question was designed to resonate on multiple levels. Did the studio succeed in translating the book? What exactly is sadomasochistic sex? Universal also intended the question to play to the culturally curious — a sophisticated audience that may have found Ms. James’s prose more laughable than titillating but did not want to miss out on a zeitgeist moment.

From the beginning, Universal tried to add a degree of sophistication to the film in hopes of overcoming the book’s lowbrow stigma. Ms. Langley hired Ms. Taylor-Johnson, known for the art film “Nowhere Boy,” to direct the adaptation. Universal also released “Fifty Shades of Grey” on its Focus Features specialty label.

Ms. Langley initially planned to unfurl “Fifty Shades of Grey” last summer, but she moved the film back after realizing that Valentine’s Day fell on a Saturday this year. That set up a potential one-two punch: Fans of the book would likely come out on Friday, and then couples would hopefully fuel ticket sales on Saturday. Studio research indicated that women overwhelmingly make Valentine’s Day movie decisions.

To begin reframing “Fifty Shades of Grey” as a film, Universal put its young stars on the cover of Entertainment Weekly as soon as they were cast. The studio began advertising the film last year on Valentine’s Day. To further destigmatize the content — to make ticket buyers feel comfortable seeing (and be seen seeing) a movie focused on sex — Universal worked to link it to mainstream entertainment; a trailer debuted during “Scandal” on ABC, for instance.

Universal also advertised the film during the Super Bowl.

Phil Contrino, chief analyst at BoxOffice.com, said on Sunday that “Fifty Shades of Grey” could take in $500 million worldwide without batting an eye. He called that a ticket-selling achievement “that’s sure to shake up the definition of what a blockbuster can look like.”
http://www.nytimes.com/2015/02/16/mo...sex-films.html





AT&T Charges $29 More for Gigabit Fiber that Doesn’t Watch Your Web Browsing

AT&T goes head to head against Google in KC on fiber and targeted ads.
Jon Brodkin

AT&T's gigabit fiber-to-the-home service has just arrived in Kansas City, and the price is the same as Google Fiber—if you let AT&T track your Web browsing history.

Just as it did when launching its "GigaPower" service in Austin, Texas in late 2013, AT&T offers different prices based on how jealously users guard their privacy. AT&T's $70 per-month pricing for gigabit service is the same price as Google Fiber, but AT&T charges an additional $29 a month to customers who opt out of AT&T's "Internet Preferences" program.

AT&T says it tracks "the webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter... AT&T Internet Preferences works independently of your browser's privacy settings regarding cookies, do-not-track, and private browsing. If you opt-in to AT&T Internet Preferences, AT&T will still be able to collect and use your Web browsing information independent of those settings."

Keeping tabs on the customer's Web browsing lets AT&T serve advertisements targeted to individual users.

"Using the IP address assigned to each GigaPower account, AT&T scans for your AT&T Internet Preferences election," the company says. "AT&T will treat your Internet browsing activity in accordance with your election. If you chose to participate in the AT&T Internet Preferences program, your Internet traffic is routed to AT&T's Internet Preferences web browsing and analytics platform. If you chose not to participate in the AT&T Internet Preferences program, your Internet traffic is not routed to the Internet Preferences analytics platform. AT&T may collect and use web browsing information for other purposes, as described in our Privacy Policy, even if you do not participate in the Internet Preferences program."

Google told Ars that Google Fiber does not track users' browsing history. Google also doesn't offer different pricing levels based on privacy selections made by its fiber customers. But Google already tracks users across its own Web properties regardless of whether they also subscribe to Google Fiber.

"We collect information about the services that you use and how you use them, like when you watch a video on YouTube, visit a website that uses our advertising services, or you view and interact with our ads and content," Google says.

Google Fiber's privacy policy notes that Google does collect additional information from Fiber users, but it doesn't necessarily combine that information with data it collects from usage of other Google services.

"Technical information collected from the use of Google Fiber Internet for network management, security or maintenance may be associated with the Google Account you use for Fiber, but such information associated with the Google Account you use for Fiber will not be used by other Google properties without your consent," Google says. "Other information from the use of Google Fiber Internet (such as URLs of websites visited or content of communications) will not be associated with the Google Account you use for Fiber, except with your consent or to meet any applicable law, regulation, legal process or enforceable governmental request."

Fiber beyond the press release

Despite AT&T CEO Randall Stephenson threatening to "pause" the company's fiber rollout because of new net neutrality regulations, the company seems to be continuing its expansion.

As for AT&T's new offerings in Kansas City, the company said it launched today "in parts of Kansas City, Mo., parts of Leawood, Lenexa, Olathe, and Overland Park, Kan. and in surrounding communities located throughout the metro area. Additionally, AT&T has plans to expand the service to Independence, Mo. and Shawnee, Kan."

Besides the $70 gigabit service, AT&T is also offering a gigabit Internet and TV bundle (with HBO) that costs $120 per month for the first three years. Adding voice to the deal raises the price to $150 per month.

Google does not sell voice service with its Internet plans. But it does have one offer AT&T hasn't matched, namely the free 5Mbps Internet service for those who can't afford or simply prefer not to pay for the gigabit speeds. The "free" service does require a one-time $300 construction fee but has no monthly service payments.
http://arstechnica.com/business/2015...-web-browsing/





Big Telecom Tried to Kill Net Neutrality Before it was Even a Concept

Opinion: Millions spent on campaigns, lobbying in bid to avoid common carrier label.
Donny Shaw

The chairman of the Federal Communications Commission announced recently he would seek to reclassify broadband Internet as a common carrier service so the government could enforce net neutrality rules, something that President Obama supports. Some telecom executives and Republicans in Congress are calling this an “extreme” and “backwards” proposal, and they’re investigating the President’s role in pushing for it.

But we’ve only reached this pivotal moment in the net neutrality debate because of past efforts by corporate lobbyists and their political allies to weaken the government’s ability to protect the open Internet. Without the telecommunications industry’s massive power to design policies in its favor, the government would most likely already have the authority it needs to ensure net neutrality.

In the early 2000s, back when Gmail was still for Garfield fans only, policymakers were facing important questions about the nature of broadband Internet and how it should be treated by regulators. The last major telecommunications bill was passed by Congress in 1996 and since then the technology had advanced rapidly, with two different services, cable Internet and digital subscriber line (DSL), becoming widely available.

These services both operated on infrastructure that was originally built for other purposes (cable television and landline telephony, respectively), and since the 1996 bill didn’t address Internet service in a substantial way, regulators had simply applied the regulatory treatment traditionally associated with the infrastructures to the new Internet services being offered on them. That meant that cable Internet, carried over lines used to transmit television, was treated like an “information service,” while DSL, carried over copper telephone wires, was treated like a “telecommunications service.”

The distinction is critical because under the 1996 law telecommunications services—things like wireline telephone service—are regulated more heavily under Title II of the law while information services—things like television channels and websites—are more lightly regulated under the Federal Communications Commission’s ancillary authority originating in Title I. Cable systems also face cable-specific rules from Title VI, which was added to communications law in 1984.

Title II was designed by Congress in 1934 to prevent the companies that provide basic communications services from engaging in anticompetitive and discriminatory practices. It treats these services as “common carriers”—essentially private utilities that have to meet certain public benefit, openness, and non-discrimination requirements in exchange for owning and operating monopolies. At the time of its creation this applied primarily to telephone companies, but the requirements of the law are also well suited to preventing internet service providers from violating net neutrality principles.

To consumers, cable and DSL ISPs were offering nearly identical services, but because of the outdated laws they were being treated very differently by regulators. In order to achieve regulatory parity, regulators had to decide if broadband service was more like a cable television channel or more like landline telephone service. In other words, they had to choose between regulating cable Internet up to Title II or deregulating DSL Internet service down to its general Title I authority.

The Baby Bells

In 2000 the DSL industry was dominated by the four remaining companies from the breakup of the old AT&T monopoly—Verizon, BellSouth, SBC Communications, and Qwest. These companies, commonly referred to as the “Baby Bells,” still operated regional monopolies and therefore were required under the 1996 bill to allow other carriers to access their networks. Because of this requirement, a new and growing industry of startup ISPs (competitive local exchange carriers, or CLECs) had begun leasing copper-line infrastructure from the Bells and offering competing broadband service to customers on their lines.

Not surprisingly, as the Baby Bells rolled out their DSL service, they saw the cable industry’s more relaxed regulations and total lack of competition and wanted the same treatment from the government. They launched a massive lobbying effort to push the Clinton and Bush administrations, the Federal Communications Commission, and Congress to eliminate the network sharing requirement that had spawned the CLEC market and to deregulate DSL services more broadly. Between 1999 and 2002 the four companies spent a combined $95.6 million on lobbying the federal government, according to data from the Center for Responsive Politics, which would rank them above such trade group lobbying behemoths as the Chamber of Commerce and the American Medical Association in total lobbying expenditures for the years. The companies also spent millions to lobby the public directly through aggressive advertising and public relations campaigns.

Their basic strategy was to push a bargain that if DSL was reclassified and they were allowed to operate regional monopolies without having to follow common carrier rules, they would voluntarily increase their investments in infrastructure and speed up the deployment of broadband in underserved areas.

One of the Baby Bells’ closest allies in Congress at the time was Louisiana Democrat-turned-Republican Rep. Billy Tauzin, who in 2001 had become the Chairman of the Energy and Commerce Committee, which oversees telecommunications issues and the Federal Communications Commission. The four companies had given hundreds of thousands to Tauzin’s electoral campaigns over the years. In the 2000 election, Verizon was Tauzin’s largest single donor ($13,750) and SBC was his fourth largest ($10,000). In the 2002 election the Baby Bells gave more than $61,300 to Tauzin’s campaign committee and leadership PAC, making him the top congressional recipient of their political spending for that cycle. They also helped pay for a $400,000 Mardi Gras-themed fundraiser for Tauzin at the 2000 Republican National Convention. Tauzin’s son was employed at the time as a lobbyist for one of the Baby Bells, BellSouth, in Louisiana. (For more information on Tauzin’s deep relationship with the Bell companies, check out this article originally published at Interactive Weekly).

In 2001 Tauzin teamed up with Democratic Rep. John Dingell, himself a top recipient of Baby Bell largesse, to sponsor legislation that would give the companies pretty much everything they had been lobbying for. Their bill, the “Internet Deployment and Broadband Freedom Act,” known more commonly as “Tauzin-Dingell,” would exempt Verizon and the Baby Bells from having to share their networks with competitive start-up carriers as required by the 1996 bill.

The bill also proposed to add a new section to Title II of the Communications Act to broadly exempt broadband Internet, regardless of the carrier technology, from a wide swath of the regulatory powers held by the FCC and the states. “Neither the [Federal Communications] Commission, nor any State, shall have authority to regulate the rates, charges, terms, or conditions for, or entry into the provision of, any high speed data service, Internet backbone service, or Internet access service,” the bill text read in part.

On February 27, 2002, Tauzin’s bill was brought to the floor of the House and passed by a vote of 273-157. Both Democrats and Republicans were divided on the bill, but it still won support from a majority of both parties. More than party affiliation, campaign contributions from Verizon and the Baby Bells were a better predictor of how members would vote, a fact that suggests the companies had a powerful influence over policymakers as they debated the future of broadband regulation. According to an analysis by the Center for Responsive Politics, the representatives who voted in favor of Tauzin-Dingell received, on average, 2.9 times more money from Verizon and the Baby Bells in the form of campaign contributions in the 2002 election than did the Representatives who voted against it.

The cable industry was officially indifferent to Tauzin-Dingell, despite the fact that it benefited its chief competitor industry, because they recognized that it favored a “regulate down” approach and, if enacted, could put them in a better position for avoiding new regulations on their own services. “NCTA strongly believes that marketplace competition is the best way to foster the availability of broadband services to all Americans,” the National Cable & Telecommunications Association (NCTA) said in a statement. “Thus, we have not opposed the Tauzin-Dingell bill nor advocated that regulatory conditions be placed on broadband competitors.”

Tauzin’s friend Powell

At the same time that the House was voting on the Tauzin-Dingell bill, the Federal Communications Commission was considering separately what they could do through rulemaking to achieve regulatory parity between cable and DSL. In 2000 the FCC launched a rulemaking proceeding to determine how to classify and regulate cable internet service. In 2002 they opened a similar proceeding for DSL that sought to “resolve outstanding issues regarding the classification of telephone-based broadband Internet access services and the regulatory implications of that classification.”

Beginning in 2001, the Federal Communications Commission was chaired by Michael Powell, the son of Colin Powell and a former attorney for GTE Corp., the company that would form Verizon after merging with Bell Atlantic in 2000. Powell, in many ways, owes his position on the FCC to none other than Rep. Billy Tauzin. Back in 1997, Tauzin lobbied to get Powell appointed to the commission over incumbent Rachelle Chong, who was seeking a second term. Then, in 2001, Tauzin led the charge to get President Bush to elevate Powell to the chairmanship over Pat Wood III, who, until Tauzin got involved, was widely expected to take the position. As recounted by Village Voice reporter Brendan Koerner, Tauzin “engineered” Powell’s accession to the chairmanship as one of his first Bush-era acts.

To recap: Powell, a former attorney for Verizon, was hand-picked to lead the FCC by the head of the congressional committee with oversight over the commission, Billy Tauzin, and immediately faced major decisions on the regulatory classification of the Internet, an issue that Tauzin had spent years working on and that directly impacted the bottom line of his biggest donors.

Powell seems to have received the message that Billy Tauzin and the House of Representatives sent when they voted to gut Title II as it applies to the Internet. On Feb. 14, 2002, just two weeks after the House passed the Tauzin-Dingell bill, the Powell-led FCC took an unusual step that set in motion their approach to regulatory parity for cable and DSL. The Commission leapfrogged the typical public comment period and “notice of proposed rulemaking” and issued a declaratory ruling that cable Internet was properly classified as an information service, and thus not subject to common carrier rules, including line sharing requirements and nondiscrimination protections. One month later they released a rule proposal that tentatively concluded that DSL would also be reclassified as a Title I information service. The DSL reclassification was finalized in 2005.

It’s unclear what kinds of discussions Billy Tauzin was having with Powell around the FCC’s decisions to classify broadband as a Title I information service, but watchdog groups were accusing him of “meddling” in related rulemaking proceedings at the agency around the same time. Later accounts of Tauzin’s involvement in health care legislation as a lobbyist for the pharmaceutical industry suggest that he can be aggressive at lobbying policymakers to bend his way.

With the FCC’s rulings, broadband Internet service was officially differentiated from dial-up Internet service for regulatory purposes and reclassified to the same category of lightly regulated information services as things like websites or apps. The Powell-led FCC had finalized nearly all of the broadband deregulation that the Baby Bells had lobbied for and that Rep. Tauzin and Baby Bell-backed representatives had endorsed, but without having to go through Congress and change the law.

These rulings led to the elimination of line-sharing requirements and decimated the CLEC industry that had been competing with the local monopolies for residential broadband customers. Years later Verizon and Comcast would use the rulings to kill the FCC’s attempts at enforcing net neutrality. In 2010, the DC Circuit Court of Appeals ruled in favor of Comcast in determining that the FCC did not have “reasonably ancillary” jurisdiction to use Title I of the Communications Act to stop Comcast from throttling peer-to-peer programs because they could not cite a statutorily mandated responsibility empowering them to do so.

In 2014 the DC Circuit cited the Title I classification of ISPs in siding with Verizon and vacating the FCC’s second attempt at promulgating net neutrality rules. “Given that the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the Commission from nonetheless regulating them as such,” the court stated.

Michael Powell left the FCC in 2005, but he is still one of the most powerful figures in determining Internet regulations and net neutrality rules. Powell is now the president and chief lobbyist of the NCTA, a cable industry trade group that has been the hands-down leader in the industry’s efforts to block net neutrality. Under Powell, the organization has increased its spending on lobbying year after year and it now spends more on lobbying than any other organization in the communications sector. With Powell at the helm working his connections in Congress and at the FCC, they seemed to be getting maximum bang for the buck because so-called revolving door connections make lobbying spending more effective—until current FCC Chairman and former NCTA chief Tom Wheeler announced that he would propose to reclassify broadband as Obama suggested.

Although it looks as though the FCC is about to reclassify broadband as Title II, many of the same factors that led to the deregulatory rulings of the early 2000s are still in play. Members of Congress, disproportionately those who are financially supported by large cable and telecom companies, are lobbying against Title II reclassification. The broadband industry is now more consolidated than ever and the industry’s promise of infrastructure investment in exchange for deregulation has not come to pass.

The companies that provide Internet service to most Americans have not always been deregulated monopolies with the ability to create fast lanes and slow lanes on the Internet. They got there by using many of the tactics that have fueled the record levels of distrust in the U.S. government—bought politicians, corrupt legislation, and revolving-door power trading. While it’s not possible to examine the counterfactual history in which policymakers designed regulatory parity for the Internet with total independence, it should be acknowledged that the current net neutrality debate is based on past policy decisions, including the original removal of broadband from Title II, that were shaped by lobbying dollars and the raw monopoly power of America’s top telecommunications companies.
http://arstechnica.com/tech-policy/2...ven-a-concept/





UK Parliament Calls for Internet to be Classified as a Public Utility

A world-class country should have world-class Internet access.
Sebastian Anthony

A new report published by the upper house of UK parliament—the House of Lords—has called for Internet access to be reclassified as a public utility. Further, the report says that the UK is falling behind other countries when it comes to both high-speed Internet access (i.e., new fiber-to-the-home and fiber-to-the-node deployments) and universal Internet access—two factors that could significantly affect the UK's ability to compete in the still-rapidly-growing international digital economy.

The House of Lords' call for UK Internet access to be reclassified as a public utility is very similar to the conversation surrounding Title II reclassification of ISPs in the US. "We conclude that the Government should define the Internet as a utility service, available for all to access and use," reads the summary of the House of Lords report. The report stops short of discussing how this will actually work in a legal sense—that's probably up to the next UK government—but it does mention Estonia, which was the first country to add Internet access to its list of human rights, as a very good example to follow.

Beyond universal Internet access, the report also discusses how the United Kingdom lags other countries in terms of high-speed access. In January 2015, an Ookla report placed London in 26th place out of 33 European capitals. There are also a large number of "not-spots" in urban areas, where Internet providers decided that it didn't make economic sense to deploy new infrastructure (usually fiber). In both cases, the House of Lords is worried that these problems will affect the UK's long-term international competitiveness.

The current government has been fairly good at investing in both fixed-line and wireless coverage across the UK, but clearly other countries are investing more—or at least investing more wisely. The incoming UK government will hopefully be formed in May, following a general election. With some awesome new technologies coming down the pike—LTE Advanced, "5G," and gigabit G.fast DSL over copper wires—there's an opportunity for the new government to play a big role in encouraging commercial ISPs to deploy universal, high-speed Internet access.
http://arstechnica.com/business/2015...ublic-utility/





Cellphone Start-Ups Use Wi-Fi First to Handle Calls and Take On Rivals
Brian X. Chen

It would not be an insult to say Republic Wireless and FreedomPop are obscure little companies.

But they dream big. The two companies are at the forefront of a tantalizing wireless communications concept that has proved hard to produce on a big scale: Reduce cellphone costs by relying on strategically placed Wi-Fi routers. And when there are no routers available, fall back on the traditional cellular network.

They have been at this for nearly five years with mixed success. The companies say they are already profitable and gradually adding subscribers. But they are tiny — both say their customers are in the hundreds of thousands. Verizon Wireless, by comparison, has more than 100 million.

Still, the upstarts have been trailblazers, proof that alternative wireless networks are feasible and maybe even profitable. Now some giant companies look to be following their lead.

Last month, Cablevision announced a phone service that would be powered entirely by Wi-Fi, for $30 a month, while a traditional wireless contract costs around $100 a month. Google has also been working on a cellphone service that relies heavily on Wi-Fi, according to people briefed on the company’s plans.

For consumers, all this could be very good news.

The big American carriers — Verizon Wireless, AT&T, Sprint and T-Mobile USA — have not been worried about their Wi-Fi-powered competitors. But Cablevision and Google could force them to pay attention. And an industry already engaged in a price-cut war could be compelled to go even lower to keep the upstarts at bay.

“Wi-Fi first is a massive disrupter to the current cost structure of the industry,” said Stephen Stokols, chief executive of FreedomPop. “That’s going to be a big shock to the carriers.”

The concept championed by the two little companies in their nationwide services is surprisingly simple. The traditional wireless carriers operate their services with cell towers, but occasionally in areas with extra heavy traffic they resort to Wi-Fi to bear some of the load.

FreedomPop and Republic Wireless do the opposite. They offer services that rely primarily on Wi-Fi networks, and in areas without Wi-Fi, customers can pull a signal from regular cell towers.

FreedomPop, a Los Angeles company that was started in 2012, works with companies that already provide Wi-Fi “hot spots” across the country, like the connections available inside McDonald’s or Starbucks coffee shops, to create a huge Internet-driven phone network.

FreedomPop, which has 80 employees, offers software that enables smartphones to automatically join Wi-Fi networks, similar to the way a cellphone automatically finds and connects to a cell tower. For $5 a month, users can gain access to a network of 10 million Wi-Fi hot spots a month, many of which are normally not open to the public, the company said. FreedomPop’s other low-cost plans use a combination of Wi-Fi hot spots and Sprint’s network. Some basic plans are free.

Republic Wireless, based in Raleigh, N.C., uses a similar approach. For $5 a month, customers can make calls or connect to the Internet solely over Wi-Fi. For $10 a month, they can use both Wi-Fi and a cellular connection from Sprint in Republic’s most popular option. Republic Wireless’s parent company, Bandwidth.com, a telecommunications provider with about 400 employees, developed a technique to move calls seamlessly between different Wi-Fi networks and cell towers.

Both companies say they are growing rapidly. FreedomPop says it is doubling its customer base roughly every four to six months; Republic Wireless says its customer base is growing 13 percent a month.

“You can’t pretend these companies are major players by any stretch. But I think their real importance is proof of concept,” said Craig Moffett, a telecom analyst for MoffettNathanson. “They demonstrate just how disruptive a Wi-Fi-first operator can be, and just how much cost they can take out.”

Google may be experimenting with a hybrid approach similar to the small companies’. A person briefed on Google’s plans, who spoke on the condition of anonymity because the conversations were private, said the company wanted to make use of the fiber network it had installed in various cities to create an enormous network of Wi-Fi connections that phones could use to place calls and use apps over the Internet. In areas out of reach, Google’s network would switch over to cell towers leased by T-Mobile USA and Sprint, this person said.

Google has been rumored to be working on this for several years. Now it may be in a good position to offer it.

Google’s broadband Internet network, Google Fiber, has been deployed in three metropolitan areas and is expanding to four more. In addition, Google’s smartphone messaging app, Hangouts, could be a substitute for traditional texting services, and the popular Google Voice service can be used as an Internet-powered application for placing calls.

In major cities, the Wi-Fi-first network makes sense. People use smartphones frequently while sitting around their offices and apartments, and Wi-Fi can handle the job just fine.

But once people start moving around, it is not so simple. The benefit of a cell service is that your phone can switch among multiple towers while you are on the go. This process is called handover, which Wi-Fi was not originally designed to handle.

Still, to compete with the big wireless providers, out-of-the-box thinking is necessary. The federal government regulates the radio waves that carry phone calls and wireless data, dividing them up by frequencies so signals do not interfere with one another. The big carriers acquired the vast majority of the licenses for radio frequencies reserved for commercial wireless phone services, leaving little room for more competitors.

Wi-Fi, by contrast, is an unregulated, unlicensed technology that just about any individual or business can set up so long as they can tap into an Internet connection.

Representatives for Google, Sprint and T-Mobile USA declined to comment on the prospect of the search giant becoming a phone carrier.

But some wonder if even the biggest companies could make a Wi-Fi-based phone network work. Jan Dawson, an independent telecom analyst, said people would inevitably lose connections when they are on the go — riding a train or even just taking a walk.

“There are just so many places where Wi-Fi doesn’t reach, and the quality of Wi-Fi that you can find is often subpar,” Mr. Dawson said.

The top two carriers, Verizon and AT&T, do not seem too concerned. Verizon and AT&T both say they are confident in the performance of their cellular networks. T-Mobile supports Wi-Fi-powered calling for the latest iPhones, and Sprint said that it plans to improve its service by leaning on Wi-Fi.

David Morken, chief executive of Republic Wireless, argues that there are plenty of budget-conscious consumers who just want cheaper cellphone bills and do not mind making the leap to a phone service powered primarily by Wi-Fi.

But the majority of Republic Wireless customers opted for a $10 plan that includes a combination of Wi-Fi and cellular services, he said. In other words, the traditional cellular infrastructure will not go away. But he has faith that one day it will be the second option, not the first.

“There are many, many implications to cellular being relegated to a backup position,” he said.

Conor Dougherty contributed reporting.
http://www.nytimes.com/2015/02/16/te...ir-weight.html





Out-of-State Data Centers Find Tax Haven in Hillsboro, in Exchange for a Job or Two

Hillsboro gets its first 'wholesale' data center
Luke Hammill

Out-of-state companies have been building data centers in Hillsboro to take advantage of a state program giving them up to five years of property tax breaks worth millions of dollars. In return, the companies promise job creation.

But the program, dubbed an "enterprise zone," only requires that such companies create one job. Some data centers provide barely more than that.

Fifteen Hillsboro businesses saved more than $11.5 million in property taxes in 2013-14, thanks to the city's enterprise zones, state records show. Those businesses have brought at least 1,360 jobs to the zone since 2009, in addition to building new facilities, purchasing from local companies and guaranteeing certain wages.

But Solarworld alone accounts for nearly half of the job creation and about three quarters of the 2013-14 tax breaks. In fact, three of the 15 companies - Solarworld, Jireh Semiconductor and TriQuint Semiconductor, which was recently renamed Qorvo after a merger - created 87 percent of the new jobs.

The median number of full-time jobs created among the 15 companies that benefited from the enterprise zone in the 2013-14 tax year is 12.

If the three largest employers were removed from the enterprise zone, about 75 percent of the remaining 2013-14 tax abatement would go to four data center companies that have created just seven full-time jobs since joining the zone, according to an Oregonian/OregonLive analysis of state data. The remaining quarter would go to eight companies that have created 170 jobs since 2009.

A company called Infomart Portland highlights the disparity. Infomart employed just one full-time worker in 2013, but received a greater 2013-14 tax break - over $775,000 - than Qorvo, which has created 330 full-time jobs since 2011 on top of the 600 full-timers it had already hired.

That's because the tax breaks are on new buildings and equipment. Infomart Portland's facility is a 240,000-square-foot data center at 21515 N.W. Evergreen Parkway opened in 2012. The out-of-state company's investment - the assessed value of the new property exempt from taxes - was more than $45 million, according to the Oregon Department of Revenue.
http://www.oregonlive.com/hillsboro/...ters_find.html





Risen: Obama Administration is Greatest Enemy of Press Freedom
Gold

New York Times reporter James Risen slammed Attorney General Eric Holder in a series of tweets Tuesday evening, calling the Obama administration “The greatest enemy of press freedom in a generation.”

“Eric Holder has been the nation's top censorship officer, not the top law enforcement officer,” Risen tweeted. “Eric Holder has done the bidding of the intelligence community and the White House to damage press freedom in the United States.”

Risen was tweeting in response to a speech Holder gave earlier on Tuesday at the National Press Club, where he defended the administration’s record on prosecuting leakers, saying they could have prosecuted far more than they actually did.

“We have tried to be appropriately sensitive in bringing those cases that warranted prosecution,” Holder said. “We have turned away, I mean, turned away substantially greater number of cases that were presented to us where prosecution was sought.”

For seven years Risen mounted a legal battle against government demands that he identify his confidential sources for parts of a 2006 book where he detailed a CIA plan to undermine Iran’s nuclear program. The Supreme Court declined his request to take up the case, which left Risen with virtually no protection against being forced to identify his sources, although he vowed he would never do so. As a result, Risen became the latest face of first amendment rights and reporter’s privilege in the United States.

Late last year Holder dropped the demand that Risen reveal his sources. In January, former CIA officer Jeffrey Sterling was found guilty on nine felony counts for the leak.

“Eric Holder has sent a message to dictators around the world that it is okay to crack down on the press and jail journalists,” Risen tweeted on Tuesday. “Eric Holder leaves behind a wrecked First Amendment.”

“Eric Holder managed to destroy any semblance of a reporter’s privilege in the United States,” he continued. “This is Eric Holder's true legacy on press freedom: ‘There is no First Amendment ‘reporter's privilege.’ From DOJ brief in my case.”

Brian Fallon, Holder's top spokesperson, replied to Risen's tweet late Tuesday about there being no "reporter's privilege" in the First Amendment.

"That's what the law says, Jim. Urge Congress to pass the media shield bill and it will be different," Fallon said.

In another tweet responding to Risen's assertion that the Obama administration is the "greatest enemy to press freedom," Fallon tweeted "Ridiculous on its face considering past [administrations] actually did jail reporters."
http://www.politico.com/blogs/media/...om-202707.html





Obama: ‘There’s No Scenario in Which We Don’t Want Really Strong Encryption’
Liz Gannes

The ongoing tussle over people’s data has pitted President Barack Obama and his administration against companies like Apple and Google, as both sides take up an increasingly crucial debate about the balance between privacy and protection.

These companies are among a number of tech giants that have pushed Washington to end the bulk collection of private data because of customer privacy concerns, while the NSA has said the practice is necessary to fighting terrorism.

As part of a one-on-one interview with Re/code on a wide range of technology topics, Kara Swisher* asked the president whether American citizens should be entitled to control their data, just as the president controls his own private conversations through encrypted email. It’s an issue that’s increasingly important as people move their conversations and payments to newer, more secure alternatives on mobile phones.

“You have encrypted email, shouldn’t everybody have encrypted email, or have their protections?” she asked.

Obama replied that he’s “a strong believer in strong encryption …. I lean probably further on side of strong encryption than some in law enforcement.” He maintained that he is as firm on the topic as he ever has been.

But the issue, Obama said, is the hypothetical. What if the FBI has a good case against someone involved in a terrorist plot and wants to know who that person was communicating with? Traditionally, they could get a court order for a wire tap. Today, a company might tell the FBI they can’t technically comply.

That’s not to say Obama would point specifically to a case where encryption stymied an investigation. “The first time that an attack takes place in which it turns out that we had a lead and we couldn’t follow up on it, the public’s going to demand answers,” he said.

Obama didn’t offer any proposals, but he staked his own position. “Ultimately everybody, and certainly this is true for me and my family, we all want to know that if we’re using a smartphone for transactions, sending messages, having private conversations, that we don’t have a bunch of people compromising that process. There’s no scenario in which we don’t want really strong encryption.”

Sensitive to Silicon Valley concerns about government eavesdropping, Obama added, “This isn’t bulk collection. This isn’t fishing expeditions by government.”

* Kara Swisher is married to but separated from Megan Smith, chief technology officer for the Obama Administration. See her ethics statement here.
http://recode.net/2015/02/13/obama-t...ng-encryption/





Broad Coalition Pushes for Minnesota Data Privacy Amendment
Abby Simons

A move to change the Minnesota Constitution to protect text messages, e-mails and other electronic data from warrantless searches is getting enthusiastic support from a broad coalition of lawmakers and privacy advocates, but could face roadblocks from key DFL Senate leaders.

The “My Life, My Data” movement would make Minnesota the second state to amend its Constitution by adding the words “electronic communications and data” to Section 10 of the document, which guarantees “the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures.” If approved, the amendment would appear on the November 2016 election ballot. A similar measure passed in Missouri last year with 75 percent of voter support.

The Minnesota version would protect bank records, text messages, e-mails and other data. Sen. Branden Petersen, R-Andover, is teaming up with DFL Sens. Scott Dibble of Minneapolis and John Marty of Roseville to push the amendment they say is needed to update the Constitution for the 21st century. A House version sponsored by Rep. Peggy Scott, R-Andover, also has bipartisan support.

Dibble, who chairs the Transportation and Public Safety Committee, said he signed on because of the ever-blurring line between what is public and private information.

“This is a set of values that unites all of us across our different party affiliations and ideologies,” he said. “I think a central unifying premise of our system of government is we only need as much government as necessary.”

The measure is working its way through House committees, but has hit an obstacle in the Senate, where Judiciary Committee Chairman Ron Latz, DFL-St. Louis Park, has blocked the bill from being heard in his committee. Latz said he opposes legislating by amendment, and thinks the proposal is redundant because recent court decisions support requiring a warrant for electronic data. Petersen counters that many circumstances have not been addressed by the courts, leaving data vulnerable.

“My hope is that we can change Senator Latz’s mind,” Petersen said. “I believe a majority of the Senate DFL caucus supports this bill, from the conversations I’ve had.”

Petersen said he has asked law enforcement for a formal opinion, but “I’d say their initial reaction was pretty good.”

Andy Skoogman, executive director of the Minnesota Chiefs of Police Association, declined to comment on the proposal.

Senate Majority Leader Tom Bakk, DFL-Cook, said Monday he is reluctant to see the amendment go forward and has not broached the topic with Republican House Speaker Kurt Daudt, of Crown.

“I’m generally reluctant on the whole idea of Constitutional amendments. In fact as a citizen I don’t know that I’ve ever voted in support of one,” Bakk said. “I think it would be unlikely we’re going to consider this for the ballot in ’16.”

Dibble, however, noted that the opinion of leadership may not be as influential in the Senate.

“The Senate operates a little differently than the House, and to be honest with you I wonder if Senator Bakk is even aware of this bill at this point,” Dibble said Monday. “We haven’t had a conversation in the caucus about it … it would be my goal and my intention to raise this conversation in a larger context setting.”

‘It’s not about party politics’

Karl Eggers, of Liberty Minnesota, a libertarian grass roots group, said the measure goes beyond the usual red/blue divide.

“It’s not about party politics, it’s not about egos,” Eggers said. “It’s about protecting the U.S. Constitution.”

Eggers was among a number of privacy advocates who attended the Monday news conference, along with the American Civil Liberties Union, Tea Party Minnesota, Occupy Minnesota and others.

“Everyone up here is saying Minnesota supports its traditional right to be free from unreasonable searches and seizures,” said privacy advocate Matt Ehling, who also leads the legislative issues committee for the Minnesota Coalition on Government Information. “They’re also saying they support a modest, targeted constitutional amendment to make clear that these protections still apply in our digital era.”

On Monday afternoon the Republican Party of Minnesota sent out an e-mail touting the proposed amendment and urging supporters to contact Latz’s office to ask for a hearing.
http://www.startribune.com/politics/...292136831.html





Babar: Suspected Nation State Spyware in the Spotlight
Marion Marschalek

Cyphort Labs has collected and analyzed a highly advanced piece of malware, which for all intents and purposes seems to be a full blown cyber espionage tool of the kind a nation state would be behind. This malware invades Windows desktop machines and aims at exfiltrating almost anything of value: it steals data from instant messengers, softphones, browsers and office applications.

The analyzed malware consists of two pieces: a dropper and an implant. The implant is able to hook APIs of interest in dedicated remote processes to steal data on the fly.

The internal project name of the analyzed malware is ‘Babar64’, which rings a bell when thinking back to documents leaked through Der Spiegel back in January (http://www.spiegel.de/media/media-35683.pdf). There, a slide deck originating from Communications Security Establishment Canada (CSEC) describes an alleged nation state malware named Babar. The samples at hand fit well with what is described in the CSEC document; and, as CSEC states, they are suspected to originate from French intelligence.

As it is with binary attribution, these allegations are impossible to prove without the shadow of a doubt. What we can say with certainty though is that Babar strikes the analyst with sophistication not typically seen in common malware. Furthermore, the binaries come with the same handwriting as the malware dubbed ‘Bunny’ which we have blogged about before (http://www.cyphort.com/evilbunny-mal...rumented-lua/). We assume the same author is behind both families.

Note: I will be hosting a webinar on the topic of Evil Bunny malware next week. You can register here to attend.

DROPPER

MD5 9fff114f15b86896d8d4978c0ad2813d
SHA-1 27a0a98053f3eed82a51cdefbdfec7bb948e1f36
File Size 693.4 KB (710075 bytes)



IMPLANT

MD5 4525141d9e6e7b5a7f4e8c3db3f0c24c
SHA-1 efbe18eb8a66e4b6289a5c53f22254f76e3a29bd
File Size 585.4 KB (599438 bytes)

A BABAR(ian) BINARY

A target machine is infected possibly through a drive-by or malicious e-mail attachments. Babar is deployed through a malware dropper, which installs the malware.

Babar essentially is an implant, a malicious Windows DLL. Babar’s implant is a 32-bit DLL written in C++, which upon start injects itself into running processes and invades desktop applications by applying a global Windows hook. The original filename of the sample at hand is ‘perf585.dll’. The implant is capable of logging keystrokes, capturing screen shots, eavesdropping on installed softphones and spying on instant messengers in addition to a list of simpler espionage tricks. Babar is a full blown espionage tool, built to excessively spy on the activity of an infected machine’s user.

The DLL dropped by Babar is placed into the application data folder, along with a directory named ‘MSI’ where the runtime data will be stored. Babar operates through multiple instances, by injecting its DLL to a maximum of three desktop processes. This is achieved by loading the Babar DLL to remote processes through a mapped memory object.

Apart from that, Babar comes with a userland rootkit component which applies global Windows hooks to invade all processes on its desktop. This way Babar can install API hooks for various APIs via Windows Detours technique to actively steal data from arbitrary processes.

The spying activities are performed either through the Babar instance locally or through processes invaded via hooking. Instance-local capabilities are basic spying on window names or snooping on the clipboard data, while the global hooks manage to steal information directly from Windows API calls.

A summary of the capabilities would be as follows:

• Logging keystrokes
• Taking screenshots
• Capture of audio streams from softphone applications
• Stealing of clipboard data
• System and user default language, keyboard layout
• Names of desktop windows

The keylogger module is based on Windows RAWINPUT. The malware creates an invisible window, with no other purpose than to receive window messages. By processing the window message queue it filters out input events and dispatches them to a raw input device object. Said object is configured to grab keyboard events through GetRawInputData.

The interest of Babar’s process hooking module is focused on the following applications, split into the categories internet communication, file processing and media:

• Internet communication: iexplore.exe, firefox.exe, opera.exe, chrome.exe, Safari.exe, msnmsgr.exe
• File processing: exe, winword.exe, powerpnt.exe, visio.exe, acrord32.exe, notepad.exe, wordpad.exe.txt
• Media: skype.exe, msnmsgr.exe, oovoo.exe, nimbuzz.exe, googletalk.exe, yahoomessenger.exe, x-lite.exe

The malicious implant can steal input coming from the keyboard, information on which files are edited, it can intercept chat messages and record calls established by one of the listed softphones. The stolen information is encrypted and dumped to a file on disk, which will be located in the working directory under %APPDATA%\MSI.

COMMAND AND CONTROL SERVERS

The analyzed sample of Babar has two hard coded C&C server addresses which are included in its configuration data:

http://www.horizons-tourisme.com/_vt...c/bb/index.php
http://www.gezelimmi.com/wp-includes/misc/bb/index.php

The domain horizons-tourisme.com is a legitimate website, operated by an Algerian travel agency, located in Algiers, Algeria. The website is in French and still online today. Gezelimmi.com is a Turkish domain, currently responding with an HTTP error message 403, access not permitted. Both domains appear to be of legitimate use, but compromised and abused to host Babar’s server side infrastructure.
http://www.cyphort.com/babar-suspect...are-spotlight/





State Dept. has Yet to Clear its Computer Network of Hackers: WSJ

Three months after the U.S. State Department confirmed hackers breached its unclassified email system, the government has still not been able to evict them from the network, the Wall Street Journal reported on Thursday, citing three people familiar with the investigation.

Government officials, assisted by outside contractors and the National Security Agency, have repeatedly scanned the network and taken some systems offline, the Journal reported. But investigators still see signs of the hackers on State Department computers, the people familiar with the matter told the paper.

Each time investigators find a hacker tool and block it, the intruders tweak it slightly to attempt to sneak past defenses, the Journal reported. It is not clear how much data the hackers have taken.

No official determination has been made about who is behind the breach, which was disclosed in November, the paper said.

The Journal reported that five people familiar with the original intrusion said they had seen or been told of links suggesting involvement by the Russian government.

The malware, or intrusion software, is similar to other tools linked to Moscow in the past, the paper said. Two of the people said the intruders had taken State Department emails related to the crisis in Ukraine, among other things, the Journal reported.

(Reporting by Eric Beech; Editing by Peter Cooney)
http://www.reuters.com/article/2015/...0LO03R20150220





How “Omnipotent” Hackers Tied to NSA Hid for 14 years—and Were Found at Last

"Equation Group" ran the most advanced hacking operation ever uncovered.
Dan Goodin

In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn't know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.

It wasn't the first time the operators—dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group's extensive library. (Kaspersky settled on the name Equation Group because of members' strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)

Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.

A long list of almost superhuman technical feats illustrates Equation Group's extraordinary skill, painstaking work, and unlimited resources. They include:

• The use of virtual file systems, a feature also found in the highly sophisticated Regin malware. Recently published documents provided by Ed Snowden indicate that the NSA used Regin to infect the partly state-owned Belgian firm Belgacom.
• The stashing of malicious files in multiple branches of an infected computer's registry. By encrypting all malicious files and storing them in multiple branches of a computer's Windows registry, the infection was impossible to detect using antivirus software.
• Redirects that sent iPhone users to unique exploit Web pages. In addition, infected machines reporting to Equation Group command servers identified themselves as Macs, an indication that the group successfully compromised both iOS and OS X devices.
• The use of more than 300 Internet domains and 100 servers to host a sprawling command and control infrastructure.
• USB stick-based reconnaissance malware to map air-gapped networks, which are so sensitive that they aren't connected to the Internet. Both Stuxnet and the related Flame malware platform also had the ability to bridge airgaps.
• An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.

Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.

"It seems to me Equation Group are the ones with the coolest toys," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."

In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency.

First is the group's known aptitude for conducting interdictions, such as installing covert implant firmware in a Cisco Systems router as it moved through the mail.

Second, a highly advanced keylogger in the Equation Group library refers to itself as "Grok" in its source code. The reference seems eerily similar to a line published last March in an Intercept article headlined "How the NSA Plans to Infect 'Millions' of Computers with Malware." The article, which was based on Snowden-leaked documents, discussed an NSA-developed keylogger called Grok.

Third, other Equation Group source code makes reference to "STRAITACID" and "STRAITSHOOTER." The code words bear a striking resemblance to "STRAITBIZARRE," one of the most advanced malware platforms used by the NSA's Tailored Access Operations unit. Besides sharing the unconventional spelling "strait," Snowden-leaked documents note that STRAITBIZARRE could be turned into a disposable "shooter." In addition, the codename FOXACID belonged to the same NSA malware framework as the Grok keylogger.

Apart from these shared code words, the Equation Group in 2008 used four zero-day vulnerabilities—including two that were later incorporated into Stuxnet.

The similarities don't stop there. Equation Group malware dubbed GrayFish encrypted its payload with a 1,000-iteration hash of the target machine's unique NTFS object ID. The technique makes it impossible for researchers to access the final payload without possessing the raw disk image for each individual infected machine. The technique closely resembles one used to conceal a potentially potent warhead in Gauss, a piece of highly advanced malware that shared strong technical similarities with both Stuxnet and Flame. (Stuxnet, according to The New York Times, was a joint operation between the NSA and Israel, while Flame, according to The Washington Post, was devised by the NSA, the CIA, and the Israeli military.)

Beyond the technical similarities to the Stuxnet and Flame developers, Equation Group boasted the type of extraordinary engineering skill people have come to expect from a spy organization sponsored by the world's wealthiest nation. One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.

The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

While it's simple for end users to re-flash their hard drives using executable files provided by manufacturers, it's just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions.

"This is an incredibly complicated thing that was achieved by these guys, and they didn't do it for one kind of hard drive brand," Raiu said. "It's very dangerous and bad because once a hard drive gets infected with this malicious payload it's impossible for anyone, especially an antivirus [provider], to scan inside that hard drive firmware. It's simply not possible to do that."

Equation Group's work

One of the most intriguing elements of Equation Group is its suspected use of interdiction to infect targets. Besides speaking to the group's organization and advanced capabilities, such interceptions demonstrate the lengths to which the group will go to infect people of interest. The CD from the 2009 Houston conference—which Kaspersky declined to identify, except to say it was related to science—tried to use the autorun.inf mechanism in Windows to install malware dubbed DoubleFantasy. Kaspersky knows that conference organizers did send attendees a disc, and the company knows the identity of at least one conference participant who received a maliciously modified one, but company researchers provided few other details and don't know precisely how the malicious content wound up on the disc.

"It would be very easy to trace the attack back to the organizers and point them out, and this could in turn result in some very serious diplomatic incidents," Raiu said. "Our best guess is that the organizers didn't act in a malicious way against the participants, but [that] some of the CD-ROMs on their way to the participants were intercepted and replaced with the malicious variants."

Even less is known about a CD for installing Oracle 8i-8.1.7 for Windows sent six or seven years earlier, except that it installed an early Equation Group malware program known as EquationLaser. The conference and Oracle CDs are the only Equation Group interdictions that Kaspersky researchers have discovered. Given how little is known about the interdictions, they weren't likely to have been used often.

A separate method of infection relied on a worm introduced in 2008 that Kaspersky has dubbed Fanny, after a text string that appears in one of the zero-day exploits used by the worm to self-replicate. The then-unknown vulnerability resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is connected to a PC. By embedding malicious code inside the .LNK files, a booby-trapped stick could automatically infect the connected computer even when its autorun feature was turned off. The self-replication and lack of any dependence on a network connection made the vulnerability ideal for infecting air-gapped machines. (The .LNK vulnerability is classified as CVE-2010-2568.)

Some two years after first playing its role in Fanny, the .LNK exploit was added to a version of Stuxnet so that the worm could automatically spread through highly sensitive computers in Iran. Fanny also relied on an elevation-of-privilege vulnerability that was a zero day at the time the worm was introduced. In 2009, the exploit also made its way into Stuxnet, but by then, Microsoft had patched the underlying bug with the release of MS09-025.

A far more common infection vector was Web-based attacks that exploited vulnerabilities in Oracle's Java software framework or in Internet Explorer. The exploits were hosted on a variety of websites related to everything from reviews of technology products to discussions of Islamic Jihad. In addition to planting exploits on the websites, the attack code was also transmitted through ad networks. The wide range of exploit carriers may explain why so many of the machines Kaspersky observed reporting to its sinkholes were domain controllers, data warehouses, website hosts, and other types of servers. Equation Group, it seems, wasn't infecting only end user computers—it was also booby-trapping servers known to be accessed by targeted end users.

Equation Group exploits are notable for the surgical precision exercised to ensure that only an intended target was infected. One Equation Group-written PHP script that Kaspersky unearthed, for instance, checked if the MD5 hash of a website visitor's username was either 84b8026b3f5e6dcfb29e82e0b0b0f386 or e6d290a03b70cfa5d4451da444bdea39. The plaintext corresponding to the first hash is "unregistered," an indication that attackers didn't want to infect visitors who weren't logged in. The second hash has yet to be deciphered.

"We could not crack this MD5, despite using considerable power for several weeks, which makes us believe [the plaintext username] is a relatively complex one," Raiu said. "It definitely indicates that whoever is behind this username should not be infected by the Equation Group, [and] actually it shouldn't even see the exploit. I would assume this is either one of the group members (a fake identity), one of their partners, or a known identity of a previously infected victim."

The PHP script also took special care not to infect IP addresses based in Jordan, Turkey, and Egypt. Kaspersky observed users visiting the site who didn't meet any of these exceptions, yet they still weren't attacked—an indication that an additional level of filtering spared all but the most sought-after targets who visited the site.

More recently, Kaspersky has observed malicious links on the site standardsandpraiserepurpose[.]com that looked like

    standardsandpraiserepurpose[.]com/login?qq=5eaae4d[SNIP]0563&rr=1&h=cc593a6bfd8e1e26c2734173f0ef75be3527a205

where the h value (that is, the text following the "h=") appears to be an SHA1 hash. Kaspersky has yet to crack those hashes, but company researchers suspect they're being used to serve customized exploits to specific people. The company is recruiting help from fellow white-hat hackers in cracking them. Other hashes include:

• 0044c9bfeaac9a51e77b921e3295dcd91ce3956a
• 06cf1af1d018cf4b0b3e6cfffca3fbb8c4cd362e
• 3ef06b6fac44a2a3cbf4b8a557495f36c72c4aa6
• 5b1efb3dbf50e0460bc3d2ea74ed2bebf768f4f7
• 930d7ed2bdce9b513ebecd3a38041b709f5c2990
• e9537a36a035b08121539fd5d5dcda9fb6336423

The PHP exploit code also serves unique Web pages and HTML code to people visiting with iPhones, behavior that Kaspersky found telling.

"This indicates the exploit server is probably aware of iPhone visitors and can deliver exploits for them as well," Kaspersky's report published Monday explained. "Otherwise, the exploitation URL can simply be removed for these." The report also said one sinkholed server receives visits from a large pool of China-based machines that identify themselves as Macs in the browser user agent string. While Kaspersky has yet to obtain Equation Group malware that runs on OS X, they believe it exists.

Six codenames

In all, Kaspersky has tied at least six distinct pieces of malware to Equation Group. They include:

EquationLaser: an early implant in use from 2001 to 2004.

DoubleFantasy: a validator-style trojan designed to confirm if the infected person is an intended target. People who are confirmed get upgraded to either EquationDrug or GrayFish.

EquationDrug: also known as Equestre, this is a complex attack platform that supports 35 different modules and 18 drivers. It is one of two Equation Group malware platforms to re-flash hard drive firmware and use virtual file systems to conceal malicious files and stolen data.

It was delivered only after a target had been infected with DoubleFantasy and confirmed to be a target. It was introduced in 2002 and was phased out in 2013 in favor of the more advanced GrayFish.

GrayFish: the successor to EquationDrug and the most sophisticated of all the Equation Group attack platforms. It resides completely in the registry and relies on a bootkit to take hold each time a computer starts. Whereas EquationDrug re-flashed hard drives for six models, GrayFish re-flashed 12 classes of hard drives. GrayFish exploits a vulnerability in the CloneCD driver ElbyCDIO.sys—and possibly drivers of other programs—to bypass Windows code-signing requirements.

The BBSVC service is another GRAYFISH mechanism used when the Pill cannot be injected, for some unknown reason. It loads further stages of Grayfish at the time the OS starts. In essence, it's a weaker mechanism than the pill, because it exposes one single malicious executable on the hard drive of the victims. This is why BBSVC is a polymorphic executable, filled with gibberish and random data to make it hard to detect. The platform kernel "fvexpy.sys" is one of the core components of Grayfish. It is designed to run in Windows kernel mode and provide functions for the platform components.

GrayFish is the crowning achievement of the Equation Group. The malware platform is so complex that Kaspersky researchers still understand only a fraction of its capabilities and inner workings. Key to the sophistication of GrayFish is its bootkit, which allows it to take extraordinarily granular control of the machines it infects.

"This allows it to control the launching of Windows at each stage," Kaspersky's written report explained. "In fact, after infection, the computer is not run by itself anymore: it is GrayFish that runs it step by step, making the necessary changes on the fly."

Fanny: A computer worm that exploited what in 2008 were two zero-day vulnerabilities in Windows to self-replicate each time an infected USB stick was inserted into a targeted computer. The main purpose of Fanny was to conduct reconnaissance on sensitive air-gapped networks. After infecting a computer not connected to the Internet, Fanny collected network information and saved it to a hidden area of the USB drive. If the stick was later plugged in to an Internet-connected computer, it would upload the data to attacker servers and download any attacker commands. If the stick was later plugged into the air-gapped machine, the downloaded commands would be executed. This process would continue each time the stick was switched between air-gapped and Internet-connected machines.

Mistakes were made

No matter how elite a hacking group may be, Raiu said, mistakes are inevitable. Equation Group made several errors that allowed Kaspersky researchers to glean key insights into an operation that went unreported for at least 14 years.

Kaspersky first came upon the Equation Group in March 2014, while researching the Regin software that infected Belgacom and a variety of other targets. In the process, company researchers analyzed a computer located in the Middle East and dubbed the machine "Magnet of Threats" because, in addition to Regin, it was infected by four other highly advanced pieces of malware, including Turla, Careto/Mask, ItaDuke, and Animal Farm. A never-before-seen sample of malware on the computer piqued researchers' interest and turned out to be an EquationDrug module.

Following the discovery, Kaspersky researchers combed through their cloud-based Kaspersky Security Network of exploits and infections reported by AV users and looked for similarities and connections. In the following months, the researchers uncovered additional pieces of malware used by Equation Group as well as the domain names used to host command channels.

Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to "sinkhole" the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines.

One of the most severe renewal failures involved a channel that controlled computers infected by "EquationLaser," an early malware platform abandoned around 2003 when antivirus programs began to detect it. The underlying domain name remained active for years until one day, it didn't; Kaspersky acquired it and EquationLaser-infected machines still report to it.

"It's really surprising to see there are victims around the world infected with this malware from 12 years ago," Raiu said. He continues to see about a dozen infected machines that report from countries that include Russia, Iran, China, and India.

Raiu said 90 percent or more of the command and control servers were closed last year, although some remained active as recently as last month.

The sinkholes have allowed Kaspersky researchers to gather key clues about the operation, including the number of infected computers reporting to the seized command domains, the countries in which these compromised computers are likely located, and the types of operating systems they run.
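The kind of aggregation described above, as an added example rather than Kaspersky's own tooling: a small parser for web-server access logs from a sinkholed command domain that counts beacons, distinct hosts and the operating system each host advertises in its browser user agent string (the same field that revealed the China-based machines identifying themselves as Macs). The log lines, IP addresses and request shape are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: five beacons to a sinkholed C2 domain in Apache/nginx
# "combined" log format. Addresses are RFC 5737 documentation ranges; the
# request path only mimics the /login?qq=...&rr=1 shape described in the article.
SINKHOLE_LOG = """\
203.0.113.10 - - [18/Feb/2015:10:01:02 +0000] "GET /login?qq=abc&rr=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
203.0.113.10 - - [18/Feb/2015:10:03:15 +0000] "GET /login?qq=abc&rr=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
198.51.100.7 - - [18/Feb/2015:10:05:44 +0000] "GET /login?qq=def&rr=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2"
198.51.100.8 - - [18/Feb/2015:10:07:09 +0000] "GET /login?qq=ghi&rr=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4"
192.0.2.55 - - [18/Feb/2015:10:09:30 +0000] "GET /login?qq=jkl&rr=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
"""

# One "combined" log line: client, ident, user, [timestamp], "request", status, size, "referer", "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_os(ua):
    """Coarse OS family from a browser user agent string.

    Order matters: an iPhone UA also contains "like Mac OS X", so mobile
    Apple devices are tested before the desktop Mac token.
    """
    if "iPhone" in ua or "iPad" in ua:
        return "iOS"
    if "Android" in ua:
        return "Android"
    if "Windows" in ua:
        return "Windows"
    if "Macintosh" in ua or "Mac OS X" in ua:
        return "macOS"
    if "Linux" in ua:
        return "Linux"
    return "other"

def summarize(log_text):
    """Count beacons and distinct reporting hosts overall and per OS family."""
    beacons = 0
    beacons_by_os = Counter()
    hosts_by_os = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        beacons += 1
        os_name = classify_os(rec["ua"])
        beacons_by_os[os_name] += 1
        hosts_by_os.setdefault(os_name, set()).add(rec["ip"])
    all_hosts = set().union(*hosts_by_os.values()) if hosts_by_os else set()
    return {
        "beacons": beacons,
        "unique_hosts": len(all_hosts),
        "beacons_by_os": dict(beacons_by_os),
        "hosts_by_os": {k: len(v) for k, v in hosts_by_os.items()},
    }

if __name__ == "__main__":
    print(summarize(SINKHOLE_LOG))
```

Counting distinct hosts separately from raw beacons matters: a single infected machine that polls every few minutes would otherwise dominate the totals, and the user agent is self-reported, so the OS breakdown is a hint about the population rather than a measurement.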

Another key piece of information gleaned by Kaspersky: some machines infected by Equation Group are the "patients zero" that were used to seed the Stuxnet worm so it would travel downstream and infect Iran's Natanz facility.

"It is quite possible that the Equation Group malware was used to deliver the Stuxnet payload," Kaspersky researchers wrote in their report.

Other key mistakes were variable names, developer account names, and similar artifacts left in various pieces of Equation Group malware. In the same way cat burglars wear gloves to conceal their fingerprints, attackers take great care to scrub such artifacts out of their code before releasing it. But in at least 13 cases, they failed. Possibly the most telling artifact is the string "-standalonegrok_2.1.1.1" that accompanies a highly advanced keylogger tied to Equation Group.

Another potentially damaging artifact found by Kaspersky is the Windows directory path of "c:\users\rmgree5" belonging to one of the developer accounts that compiled Equation Group malware. Assuming the rmgree5 wasn't a randomly generated account name, it may be possible to link it to a developer's real-world identity if the handle has been used for other accounts or if it corresponds to a developer's real-world name such as "Richard Gree" or "Robert Greenberg."

Kaspersky researchers still don't know what to make of the 11 remaining artifacts, but they hope fellow researchers can connect the strings to other known actors or incidents. The remaining artifacts are:

• SKYHOOKCHOW
• prkMtx - unique mutex used by the Equation Group's exploitation library (gPrivLibh)
• "SF" - as in "SFInstall", "SFConfig"
• "UR", "URInstall" - "Performing UR-specific post-install..."
• "implant" - from "Timeout waiting for the "canInstallNow" event from the implant-specific EXE!"
• STEALTHFIGHTER - (VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00)
• DRINKPARSLEY - (Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00)
• STRAITACID - (VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00)
• LUTEUSOBSTOS - (VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00)
• STRAITSHOOTER - STRAITSHOOTER30.exe
• DESERTWINTER - c:\desert~2\desert~3\objfre_w2K_x86\i386\DesertWinterDriver.pdb

Hacking without a budget

The money and time required to develop the Equation Group malware, the technological breakthroughs the operation accomplished, and the interdictions performed against targets leave little doubt that the operation was sponsored by a nation-state with nearly unlimited resources to dedicate to the project. The countries that were and weren't targeted, the ties to Stuxnet and Flame, and the Grok artifact found inside the Equation Group keylogger strongly support the theory the NSA or a related US agency is the responsible party, but so far Kaspersky has declined to name a culprit. NSA officials didn't respond to an e-mail seeking comment for this story.

Update: Reuters reporter Joseph Menn said the hard-drive firmware capability has been confirmed by two former government employees. He wrote:

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

What is safe to say is that the unearthing of the Equation Group is a seminal finding in the fields of computer and national security, as important, or possibly more so, than the revelations about Stuxnet.

"The discovery of the Equation Group is significant because this omnipotent cyber espionage entity managed to stay under the radar for almost 15 years, if not more," Raiu said. "Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none. As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown."
http://arstechnica.com/security/2015...found-at-last/





The Great SIM Heist

How spies stole the keys to the encryption castle
Jeremy Scahill and Josh Begley

AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

As part of the covert operations against Gemalto, spies from GCHQ — with support from the NSA — mined the private communications of unwitting engineers and other company employees in multiple countries.

Gemalto was totally oblivious to the penetration of its systems — and the spying on its employees. “I’m disturbed, quite concerned that this has happened,” Paul Beverly, a Gemalto executive vice president, told The Intercept. “The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers.” He added that “the most important thing for us now is to understand the degree” of the breach.

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”

Beverly said that after being contacted by The Intercept, Gemalto’s internal security team began on Wednesday to investigate how their system was penetrated and could find no trace of the hacks. When asked if the NSA or GCHQ had ever requested access to Gemalto-manufactured encryption keys, Beverly said, “I am totally unaware. To the best of my knowledge, no.”

According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.

Additionally, the spy agency targeted unnamed cellular companies’ core networks, giving it access to “sales staff machines for customer information and network engineers machines for network maps.” GCHQ also claimed the ability to manipulate the billing servers of cell companies to “suppress” charges in an effort to conceal the spy agency’s secret actions against an individual’s phone. Most significantly, GCHQ also penetrated “authentication servers,” allowing it to decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network. A note accompanying the slide asserted that the spy agency was “very happy with the data so far and [was] working through the vast quantity of product.”

The Mobile Handset Exploitation Team (MHET), whose existence has never before been disclosed, was formed in April 2010 to target vulnerabilities in cellphones. One of its main missions was to covertly penetrate computer networks of corporations that manufacture SIM cards, as well as those of wireless network providers. The team included operatives from both GCHQ and the NSA.

While the FBI and other U.S. agencies can obtain court orders compelling U.S.-based telecom companies to allow them to wiretap or intercept the communications of their customers, on the international front this type of data collection is much more challenging. Unless a foreign telecom or foreign government grants access to their citizens’ data to a U.S. intelligence agency, the NSA or CIA would have to hack into the network or specifically target the user’s device for a more risky “active” form of surveillance that could be detected by sophisticated targets. Moreover, foreign intelligence agencies would not allow U.S. or U.K. spy agencies access to the mobile communications of their heads of state or other government officials.

“It’s unbelievable. Unbelievable,” said Gerard Schouw, a member of the Dutch Parliament, when told of the spy agencies’ actions. Schouw, the intelligence spokesperson for D66, the largest opposition party in the Netherlands, told The Intercept, “We don’t want to have the secret services from other countries doing things like this.” Schouw added that he and other lawmakers will ask the Dutch government to provide an official explanation and to clarify whether the country’s intelligence services were aware of the targeting of Gemalto, whose official headquarters is in Amsterdam.

Last November, the Dutch government amended its constitution to include explicit protection for the privacy of digital communications, including those made on mobile devices. “We have, in the Netherlands, a law on the [activities] of secret services. And hacking is not allowed,” Schouw said. Under Dutch law, the interior minister would have to sign off on such operations by foreign governments’ intelligence agencies. “I don’t believe that he has given his permission for these kind of actions.”

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”

AS CONSUMERS BEGAN to adopt cellular phones en masse in the mid-1990s, there were no effective privacy protections in place. Anyone could buy a cheap device from RadioShack capable of intercepting calls placed on mobile phones. The shift from analog to digital networks introduced basic encryption technology, though it was still crackable by tech savvy computer science graduate students, as well as the FBI and other law enforcement agencies, using readily available equipment.

Today, second-generation (2G) phone technology, which relies on a deeply flawed encryption system, remains the dominant platform globally, though U.S. and European cellphone companies now use 3G, 4G and LTE technology in urban areas. These include more secure, though not invincible, methods of encryption, and wireless carriers throughout the world are upgrading their networks to use these newer technologies.

It is in the context of such growing technical challenges to data collection that intelligence agencies, such as the NSA, have become interested in acquiring cellular encryption keys. “With old-fashioned [2G], there are other ways to work around cellphone security without those keys,” says Green, the Johns Hopkins cryptographer. “With newer 3G, 4G and LTE protocols, however, the algorithms aren’t as vulnerable, so getting those keys would be essential.”

The privacy of all mobile communications — voice calls, text messages and Internet access — depends on an encrypted connection between the cellphone and the wireless carrier’s network, using keys stored on the SIM, a tiny chip smaller than a postage stamp, which is inserted into the phone. All mobile communications on the phone depend on the SIM, which stores and guards the encryption keys created by companies like Gemalto. SIM cards can be used to store contacts, text messages, and other important data, like one’s phone number. In some countries, SIM cards are used to transfer money. As The Intercept reported last year, having the wrong SIM card can make you the target of a drone strike.

SIM cards were not invented to protect individual communications — they were designed to do something much simpler: ensure proper billing and prevent fraud, which was pervasive in the early days of cellphones. Soghoian compares the use of encryption keys on SIM cards to the way Social Security numbers are used today. “Social security numbers were designed in the 1930s to track your contributions to your government pension,” he says. “Today they are used as a quasi national identity number, which was never their intended purpose.”

Because the SIM card wasn’t created with call confidentiality in mind, the manufacturers and wireless carriers don’t make a great effort to secure their supply chain. As a result, the SIM card is an extremely vulnerable component of a mobile phone. “I doubt anyone is treating those things very carefully,” says Green. “Cell companies probably don’t treat them as essential security tokens. They probably just care that nobody is defrauding their networks.” The ACLU’s Soghoian adds, “These keys are so valuable that it makes sense for intel agencies to go after them.”

As a general rule, phone companies do not manufacture SIM cards, nor program them with secret encryption keys. It is cheaper and more efficient for them to outsource this sensitive step in the SIM card production process. They purchase them in bulk with the keys pre-loaded by other corporations. Gemalto is the largest of these SIM “personalization” companies.

After a SIM card is manufactured, the encryption key, known as a “Ki,” is burned directly onto the chip. A copy of the key is also given to the cellular provider, allowing its network to recognize an individual’s phone. In order for the phone to be able to connect to the wireless carrier’s network, the phone — with the help of the SIM — authenticates itself using the Ki that has been programmed onto the SIM. The phone conducts a secret “handshake” that validates that the Ki on the SIM matches the Ki held by the mobile company. Once that happens, the communications between the phone and the network are encrypted. Even if GCHQ or the NSA were to intercept the phone signals as they are transmitted through the air, the intercepted data would be a garbled mess. Decrypting it can be challenging and time-consuming. Stealing the keys, on the other hand, is beautifully simple, from the intelligence agencies’ point of view, as the pipeline for producing and distributing SIM cards was never designed to thwart mass surveillance efforts.
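The handshake described in the paragraph above, as an added example written for this page rather than taken from the article or from any real operator's implementation. It models the three parties (SIM, phone, authentication centre), shows that only the challenge and the short response cross the air, and then shows the consequence the article draws: anyone holding a copy of Ki who observes the challenge can recompute the session key and read the traffic, while a party without Ki cannot. The IMSI and Ki are constructed values, and HMAC-SHA256 stands in for the operator-specific A3/A8 algorithms (an assumption made so the code runs on the standard library alone).

```python
import hmac
import hashlib
import secrets

# Constructed subscriber. In production the 128-bit Ki is generated by the
# personalisation centre and exists only on the SIM and in the operator's
# authentication centre (AuC); this example hard-codes one for illustration.
IMSI = "001010123456789"                                   # test-network IMSI, constructed
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")      # constructed, not a real key

def a3_a8(ki, rand):
    """Stand-in for the operator's A3/A8 algorithms (assumption, see lead-in).

    Real networks use an operator-chosen algorithm (COMP128 variants,
    MILENAGE, ...). The shape is the same: from Ki and a 16-byte challenge
    RAND derive a 4-byte response SRES and an 8-byte cipher key Kc.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    def __init__(self, ki):
        self._ki = ki                 # never leaves the card in the real protocol
    def run_gsm_algorithm(self, rand):
        return a3_a8(self._ki, rand)

class AuthCentre:
    def __init__(self, subscribers):
        self._ki_by_imsi = dict(subscribers)   # the carrier's copy of every Ki
    def challenge(self):
        return secrets.token_bytes(16)
    def verify(self, imsi, rand, sres):
        """Return Kc for this session if SRES matches, else None."""
        expected_sres, kc = a3_a8(self._ki_by_imsi[imsi], rand)
        return kc if hmac.compare_digest(expected_sres, sres) else None

def handshake(imsi, sim, auc):
    """Return (authenticated, rand, kc). Only RAND and SRES cross the air."""
    rand = auc.challenge()
    sres, kc_phone = sim.run_gsm_algorithm(rand)
    kc_network = auc.verify(imsi, rand, sres)
    ok = kc_network is not None and kc_network == kc_phone
    return ok, rand, kc_phone

def keystream_xor(kc, data):
    """Toy stream cipher keyed with Kc (stands in for A5/x); encrypt == decrypt."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(kc, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def passive_observer_key(ki_copy, observed_rand):
    """Session key as recomputed by a passive observer holding a copy of Ki.

    Nothing is sent to the network and nothing on the carrier side changes,
    which is why the article says key theft leaves no trace at the provider.
    """
    return a3_a8(ki_copy, observed_rand)[1]

def demo():
    sim, auc = Sim(KI), AuthCentre({IMSI: KI})
    ok, rand, kc = handshake(IMSI, sim, auc)
    ciphertext = keystream_xor(kc, b"hello from the handset")
    with_ki = keystream_xor(passive_observer_key(KI, rand), ciphertext)
    without_ki = keystream_xor(passive_observer_key(bytes(16), rand), ciphertext)
    return ok, with_ki, without_ki

if __name__ == "__main__":
    print(demo())
```

The design point for defenders is visible in `AuthCentre`: every subscriber's long-term secret sits in one table, and the batch file that populates that table is exactly what the article says travelled by email or FTP. Protecting the Ki file in transit and at rest, and rotating or re-issuing SIMs when a batch is suspected compromised, are the only remedies once the key has left the card.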

One of the creators of the encryption protocol that is widely used today for securing emails, Adi Shamir, famously asserted: “Cryptography is typically bypassed, not penetrated.” In other words, it is much easier (and sneakier) to open a locked door when you have the key than it is to break down the door using brute force. While the NSA and GCHQ have substantial resources dedicated to breaking encryption, it is not the only way — and certainly not always the most efficient — to get at the data they want. “NSA has more mathematicians on its payroll than any other entity in the U.S.,” says the ACLU’s Soghoian. “But the NSA’s hackers are way busier than its mathematicians.”

GCHQ and the NSA could have taken any number of routes to steal SIM encryption keys and other data. They could have physically broken into a manufacturing plant. They could have broken into a wireless carrier’s office. They could have bribed, blackmailed or coerced an employee of the manufacturer or cellphone provider. But all of that comes with substantial risk of exposure. In the case of Gemalto, hackers working for GCHQ remotely penetrated the company’s computer network in order to steal the keys in bulk as they were en route to the wireless network providers.

SIM card “personalization” companies like Gemalto ship hundreds of thousands of SIM cards at a time to mobile phone operators across the world. International shipping records obtained by The Intercept show that in 2011, Gemalto shipped 450,000 smart cards from its plant in Mexico to Germany’s Deutsche Telekom in just one shipment.

In order for the cards to work and for the phones’ communications to be secure, Gemalto also needs to provide the mobile company with a file containing the encryption keys for each of the new SIM cards. These master key files could be shipped via FedEx, DHL, UPS or another snail mail provider. More commonly, they could be sent via email or through File Transfer Protocol, FTP, a method of sending files over the Internet.

The moment the master key set is generated by Gemalto or another personalization company, but before it is sent to the wireless carrier, is the most vulnerable moment for interception. “The value of getting them at the point of manufacture is you can presumably get a lot of keys in one go, since SIM chips get made in big batches,” says Green, the cryptographer. “SIM cards get made for lots of different carriers in one facility.” In Gemalto’s case, GCHQ hit the jackpot, as the company manufactures SIMs for hundreds of wireless network providers, including all of the leading U.S. — and many of the largest European — companies.

But obtaining the encryption keys while Gemalto still held them required finding a way into the company’s internal systems.

TOP-SECRET GCHQ documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys. They did this by utilizing the NSA’s X-KEYSCORE program, which allowed them access to private emails hosted by the SIM card and mobile companies’ servers, as well as those of major tech corporations, including Yahoo and Google.

In effect, GCHQ clandestinely cyberstalked Gemalto employees, scouring their emails in an effort to find people who may have had access to the company’s core networks and Ki-generating systems. The intelligence agency’s goal was to find information that would aid in breaching Gemalto’s systems, making it possible to steal large quantities of encryption keys. The agency hoped to intercept the files containing the keys as they were transmitted between Gemalto and its wireless network provider customers.

GCHQ operatives identified key individuals and their positions within Gemalto and then dug into their emails. In one instance, GCHQ zeroed in on a Gemalto employee in Thailand who they observed sending PGP-encrypted files, noting that if GCHQ wanted to expand its Gemalto operations, “he would certainly be a good place to start.” They did not claim to have decrypted the employee’s communications, but noted that the use of PGP could mean the contents were potentially valuable.

The cyberstalking was not limited to Gemalto. GCHQ operatives wrote a script that allowed the agency to mine the private communications of employees of major telecommunications and SIM “personalization” companies for technical terms used in the assigning of secret keys to mobile phone customers. Employees for the SIM card manufacturers and wireless network providers were labeled as “known individuals and operators targeted” in a top-secret GCHQ document.

According to that April 2010 document, “PCS Harvesting at Scale,” hackers working for GCHQ focused on “harvesting” massive amounts of individual encryption keys “in transit between mobile network operators and SIM card personalisation centres” like Gemalto. The spies “developed a methodology for intercepting these keys as they are transferred between various network operators and SIM card providers.” By that time, GCHQ had developed “an automated technique with the aim of increasing the volume of keys that can be harvested.”

The PCS Harvesting document acknowledged that, in searching for information on encryption keys, GCHQ operatives would undoubtedly vacuum up “a large number of unrelated items” from the private communications of targeted employees. “[H]owever an analyst with good knowledge of the operators involved can perform this trawl regularly and spot the transfer of large batches of [keys].”

The document noted that many SIM card manufacturers transferred the encryption keys to wireless network providers “by email or FTP with simple encryption methods that can be broken … or occasionally with no encryption at all.” To get bulk access to encryption keys, all the NSA or GCHQ needed to do was intercept emails or file transfers as they were sent over the Internet — something both agencies already do millions of times per day. A footnote in the 2010 document observed that the use of “strong encryption products … is becoming increasingly common” in transferring the keys.

In its key harvesting “trial” operations in the first quarter of 2010, GCHQ successfully intercepted keys used by wireless network providers in Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan. But, the agency noted, its automated key harvesting system failed to produce results against Pakistani networks, denoted as “priority targets” in the document, despite the fact that GCHQ had a store of Kis from two providers in the country, Mobilink and Telenor. “[i]t is possible that these networks now use more secure methods to transfer Kis,” the document concluded.

From December 2009 through March 2010, a month before the Mobile Handset Exploitation Team was formed, GCHQ conducted a number of trials aimed at extracting encryption keys and other personalized data for individual phones. In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries. In another two-week period, by mining just six email addresses, they produced 85,000 keys. At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, they’d compiled 300,000. “Somali providers are not on GCHQ’s list of interest,” the document noted. “[H]owever, this was usefully shared with NSA.”

The GCHQ documents only contain statistics for three months of encryption key theft in 2010. During this period, millions of keys were harvested. The documents stated explicitly that GCHQ had already created a constantly evolving automated process for bulk harvesting of keys. They describe active operations targeting Gemalto’s personalization centers across the globe, as well as other major SIM card manufacturers and the private communications of their employees.

A top-secret NSA document asserted that, as of 2009, the U.S. spy agency already had the capacity to process between 12 and 22 million keys per second for later use against surveillance targets. In the future, the agency predicted, it would be capable of processing more than 50 million per second. The document did not state how many keys were actually processed, just that the NSA had the technology to perform such swift, bulk operations. It is impossible to know how many keys have been stolen by the NSA and GCHQ to date, but, even using conservative math, the numbers are likely staggering.

GCHQ assigned “scores” to more than 150 individual email addresses based on how often the users mentioned certain technical terms, and then intensified the mining of those individuals’ accounts based on priority. The highest-scoring email address was that of an employee of Chinese tech giant Huawei, which the U.S. has repeatedly accused of collaborating with Chinese intelligence. In all, GCHQ harvested the emails of employees of hardware companies that manufacture phones, such as Ericsson and Nokia; operators of mobile networks, such as MTN Irancell and Belgacom; SIM card providers, such as Bluefish and Gemalto; and employees of targeted companies who used email providers, such as Yahoo and Google. During the three-month trial, the largest number of email addresses harvested were those belonging to Huawei employees, followed by MTN Irancell. The third largest class of emails harvested in the trial were private Gmail accounts, presumably belonging to employees at targeted companies.

The GCHQ program targeting Gemalto was called DAPINO GAMMA. In 2011, GCHQ launched operation HIGHLAND FLING to mine the email accounts of Gemalto employees in France and Poland. A top-secret document on the operation stated that one of the aims was “getting into French HQ” of Gemalto “to get in to core data repositories.” France, home to one of Gemalto’s global headquarters, is the nerve center of the company’s worldwide operations. Another goal was to intercept private communications of employees in Poland that “could lead to penetration into one or more personalisation centers” — the factories where the encryption keys are burned onto SIM cards.

As part of these operations, GCHQ operatives acquired the usernames and passwords for Facebook accounts of Gemalto targets. An internal top-secret GCHQ wiki on the program from May 2011 indicated that GCHQ was in the process of “targeting” more than a dozen Gemalto facilities across the globe, including in Germany, Mexico, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore.

The document also stated that GCHQ was preparing similar key theft operations against one of Gemalto’s competitors, Germany-based SIM card giant Giesecke and Devrient.

On January 17, 2014, President Barack Obama gave a major address on the NSA spying scandal. “The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures,” he said.

The monitoring of the lawful communications of employees of major international corporations shows that such statements by Obama, other U.S. officials and British leaders — that they only intercept and monitor the communications of known or suspected criminals or terrorists — were untrue. “The NSA and GCHQ view the private communications of people who work for these companies as fair game,” says the ACLU’s Soghoian. “These people were specifically hunted and targeted by intelligence agencies, not because they did anything wrong, but because they could be used as a means to an end.”

THERE ARE TWO basic types of electronic or digital surveillance: passive and active. All intelligence agencies engage in extensive passive surveillance, which means they collect bulk data by intercepting communications sent over fiber-optic cables, radio waves or wireless devices.

Intelligence agencies place high-power antennas, known as “spy nests,” on the top of their countries’ embassies and consulates, which are capable of vacuuming up data sent to or from mobile phones in the surrounding area. The joint NSA/CIA Special Collection Service is the lead entity that installs and mans these nests for the United States. An embassy situated near a parliament or government agency could easily intercept the phone calls and data transfers of the mobile phones used by foreign government officials. The U.S. embassy in Berlin, for instance, is located a stone’s throw from the Bundestag. But if the wireless carriers are using stronger encryption, which is built into modern 3G, 4G and LTE networks, then intercepted calls and other data would be more difficult to crack, particularly in bulk. If the intelligence agency wants to actually listen to or read what is being transmitted, they would need to decrypt the encrypted data.

Active surveillance is another option. This would require government agencies to “jam” a 3G or 4G network, forcing nearby phones onto 2G. Once forced down to the less secure 2G technology, the phone can be tricked into connecting to a fake cell tower operated by an intelligence agency. This method of surveillance, though effective, is risky, as it leaves a digital trace that counter-surveillance experts from foreign governments could detect.

Stealing the Kis solves all of these problems. This way, intelligence agencies can safely engage in passive, bulk surveillance without having to decrypt data and without leaving any trace whatsoever.

“Key theft enables the bulk, low-risk surveillance of encrypted communications,” the ACLU’s Soghoian says. “Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It’s like a time machine, enabling the surveillance of communications that occurred before someone was even a target.”

Neither the NSA nor GCHQ would comment specifically on the key theft operations. In the past, they have argued more broadly that breaking encryption is a necessary part of tracking terrorists and other criminals. “It is longstanding policy that we do not comment on intelligence matters,” a GCHQ official stated in an email, adding that the agency’s work is conducted within a “strict legal and policy framework” that ensures its activities are “authorized, necessary and proportionate,” with proper oversight, which is the standard response the agency has provided for previous stories published by The Intercept. The agency also said, “[T]he UK’s interception regime is entirely compatible with the European Convention on Human Rights.” The NSA declined to offer any comment.

It is unlikely that GCHQ’s pronouncement about the legality of its operations will be universally embraced in Europe. “It is governments massively engaging in illegal activities,” says Sophie in’t Veld, a Dutch member of the European Parliament. “If you are not a government and you are a student doing this, you will end up in jail for 30 years.” Veld, who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept: “The secret services are just behaving like cowboys. Governments are behaving like cowboys and nobody is holding them to account.”

The Intercept’s Laura Poitras has previously reported that in 2013 Australia’s signals intelligence agency, a close partner of the NSA, stole some 1.8 million encryption keys from an Indonesian wireless carrier.

A few years ago, the FBI reportedly dismantled several transmitters set up by foreign intelligence agencies around the Washington, D.C. area, which could be used to intercept cellphone communications. Russia, China, Israel and other nations use similar technology as the NSA across the world. If those governments had the encryption keys for major U.S. cellphone companies’ customers, such as those manufactured by Gemalto, mass snooping would be simple. “It would mean that with a few antennas placed around Washington, D.C., the Chinese or Russian governments could sweep up and decrypt the communications of members of Congress, U.S. agency heads, reporters, lobbyists and everyone else involved in the policymaking process and decrypt their telephone conversations,” says Soghoian.

“Put a device in front of the U.N., record every bit you see going over the air. Steal some keys, you have all those conversations,” says Green, the Johns Hopkins cryptographer. And it’s not just spy agencies that would benefit from stealing encryption keys. “I can only imagine how much money you could make if you had access to the calls made around Wall Street,” he adds.

THE BREACH OF Gemalto’s computer network by GCHQ has far-reaching global implications. The company, which brought in $2.7 billion in revenue in 2013, is a global leader in digital security, producing banking cards, mobile payment systems, two-factor authentication devices used for online security, hardware tokens used for securing buildings and offices, electronic passports and identification cards. It provides chips to Vodafone in Europe and France’s Orange, as well as EE, a joint venture in the U.K. between France Telecom and Deutsche Telekom. Royal KPN, the largest Dutch wireless network provider, also uses Gemalto technology.

In Asia, Gemalto’s chips are used by China Unicom, Japan’s NTT and Taiwan’s Chungwa Telecom, as well as scores of wireless network providers throughout Africa and the Middle East. The company’s security technology is used by more than 3,000 financial institutions and 80 government organizations. Among its clients are Visa, Mastercard, American Express, JP Morgan Chase and Barclays. It also provides chips for use in luxury cars, including those made by Audi and BMW.

In 2012, Gemalto won a sizable contract, worth $175 million, from the U.S. government to produce the covers for electronic U.S. passports, which contain chips and antennas that can be used to better authenticate travelers. As part of its contract, Gemalto provides the personalization and software for the microchips implanted in the passports. The U.S. represents Gemalto’s single largest market, accounting for some 15 percent of its total business. This raises the question of whether GCHQ, which was able to bypass encryption on mobile networks, has the ability to access private data protected by other Gemalto products created for banks and governments.

As smart phones become smarter, they are increasingly replacing credit cards and cash as a means of paying for goods and services. When Verizon, AT&T and T-Mobile formed an alliance in 2010 to jointly build an electronic pay system to challenge Google Wallet and Apple Pay, they purchased Gemalto’s technology for their program, known as Softcard. (Until July 2014, it went by the unfortunate name of “ISIS Mobile Wallet.”) Whether data relating to that, and other Gemalto security products, has been compromised by GCHQ and the NSA is unclear. Both intelligence agencies declined to answer any specific questions for this story.

PRIVACY ADVOCATES and security experts say it would take billions of dollars, significant political pressure, and several years to fix the fundamental security flaws in the current mobile phone system that NSA, GCHQ and other intelligence agencies regularly exploit.

A current gaping hole in the protection of mobile communications is that cellphones and wireless network providers do not support the use of Perfect Forward Secrecy (PFS), a form of encryption designed to limit the damage caused by theft or disclosure of encryption keys. PFS, which is now built into modern web browsers and used by sites like Google and Twitter, works by generating unique encryption keys for each communication or message, which are then discarded. Rather than using the same encryption key to protect years’ worth of data, as the permanent Kis on SIM cards can, a new key might be generated each minute, hour or day, and then promptly destroyed. Because cellphone communications do not use PFS, if an intelligence agency has been “passively” intercepting someone’s communications for a year and later acquires the permanent encryption key, it can go back and decrypt all of those communications. If mobile phone networks were using PFS, that would not be possible — even if the permanent keys were later stolen.
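The difference described above, as an added illustration that is not part of the Intercept article: a toy Python model in which a passive recorder captures every session and the long-term secret leaks afterwards. In the SIM-style exchange the session key is derived from the permanent Ki and a challenge sent in the clear, so a later Ki theft opens every recorded session; in the forward-secret exchange the session key comes only from ephemeral Diffie-Hellman values that are destroyed after use, and the long-term key merely authenticates the exchange. The key derivation (a stand-in for the real A8/MILENAGE algorithms), the XOR stream cipher and the 127-bit DH group are simplified constructions for the demo and are not secure; keys and messages are constructed sample values.

```python
"""Toy model of why key theft is a 'time machine' without forward secrecy."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: the Mersenne prime 2^127-1 with generator 3.
# Far too small for real use; chosen only so the demo runs instantly.
P = (1 << 127) - 1
G = 3


def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte key from the given secret material (demo KDF)."""
    return hashlib.sha256(b"|".join(parts)).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 keystream.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(c ^ k for c, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def sim_style_session(ki: bytes, plaintext: bytes) -> dict:
    """SIM-style session: the network sends RAND in the clear and both sides
    derive the session key Kc from (Ki, RAND).  Ki never crosses the air, but
    everything the recorder sees (RAND, ciphertext) is returned."""
    rand = secrets.token_bytes(16)
    kc = kdf(ki, rand)                      # stand-in for the A8/MILENAGE derivation
    return {"rand": rand, "ciphertext": stream_xor(kc, plaintext)}


def forward_secret_session(ltk: bytes, plaintext: bytes) -> dict:
    """Forward-secret session: fresh DH exponents a, b are used once.  The
    long-term key ltk only authenticates the exchange (HMAC tag); the session
    key depends solely on the ephemeral values, which are destroyed at the end."""
    a = secrets.randbelow(P - 2) + 2
    b = secrets.randbelow(P - 2) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    transcript = pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big")
    tag = hmac.new(ltk, transcript, hashlib.sha256).digest()
    key = kdf(pow(pub_b, a, P).to_bytes(16, "big"))
    ciphertext = stream_xor(key, plaintext)
    del a, b, key                           # ephemeral secrets are discarded
    return {"pub_a": pub_a, "pub_b": pub_b, "tag": tag, "ciphertext": ciphertext}


def attacker_decrypt_sim(recorded: list, stolen_ki: bytes) -> list:
    """After Ki leaks, every recorded session opens: RAND was public and the
    derivation is deterministic, so sessions from before the theft are exposed."""
    return [stream_xor(kdf(stolen_ki, r["rand"]), r["ciphertext"]) for r in recorded]


def stolen_ltk_verifies_transcripts(recorded: list, stolen_ltk: bytes) -> bool:
    """The stolen long-term key really is the one used: every tag checks out."""
    return all(
        hmac.compare_digest(
            hmac.new(stolen_ltk,
                     r["pub_a"].to_bytes(16, "big") + r["pub_b"].to_bytes(16, "big"),
                     hashlib.sha256).digest(),
            r["tag"])
        for r in recorded)


def attacker_decrypt_forward_secret(recorded: list, stolen_ltk: bytes) -> list:
    """With forward secrecy the attacker holds ltk and the public DH values;
    no key derivable from those is the session key, so decryption yields noise
    (recovering it would mean solving the discrete log for a or b)."""
    attempts = []
    for r in recorded:
        material = stolen_ltk + r["pub_a"].to_bytes(16, "big") + r["pub_b"].to_bytes(16, "big")
        attempts.append(stream_xor(kdf(material), r["ciphertext"]))
    return attempts


if __name__ == "__main__":
    ki, ltk = bytes(range(16)), bytes(range(16, 48))     # constructed sample keys
    messages = [b"call me at 3pm", b"the budget figures are attached"]
    sim_tape = [sim_style_session(ki, m) for m in messages]
    pfs_tape = [forward_secret_session(ltk, m) for m in messages]
    print("SIM-style, after Ki theft:", attacker_decrypt_sim(sim_tape, ki))
    print("PFS, after ltk theft:     ", attacker_decrypt_forward_secret(pfs_tape, ltk))
```

The recorder in both cases captures exactly the same kind of material (public values plus ciphertext); what changes is whether a secret that still exists later can regenerate the session key. That is the whole reason the theft of a SIM's Ki is retroactive while a stolen long-term authentication key is not.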

The only effective way for individuals to protect themselves from Ki theft-enabled surveillance is to use secure communications software, rather than relying on SIM card-based security. Secure software includes email and other apps that use Transport Layer Security (TLS), the mechanism underlying the secure HTTPS web protocol. The email clients included with Android phones and iPhones support TLS, as do large email providers like Yahoo and Google.

Apps like TextSecure and Silent Text are secure alternatives to SMS messages, while Signal, RedPhone and Silent Phone encrypt voice communications. Governments still may be able to intercept communications, but reading or listening to them would require hacking a specific handset, obtaining internal data from an email provider, or installing a bug in a room to record the conversations.

“We need to stop assuming that the phone companies will provide us with a secure method of making calls or exchanging text messages,” says Soghoian.
https://firstlook.org/theintercept/2...eat-sim-heist/





Chip Maker to Investigate Claims of Hacking by N.S.A. and British Spy Agencies
Mark Scott

Gemalto, a French-Dutch digital security company, said on Friday that it was investigating a possible hacking by United States and British intelligence agencies that may have given them access to worldwide mobile phone communications.

The investigation follows news reports on Thursday that the National Security Agency in the United States and the Government Communications Headquarters in Britain had hacked Gemalto’s networks to steal SIM card encryption codes.

The claims — reported on a website called The Intercept — were based on documents from 2010 provided by Edward J. Snowden, the former N.S.A. contractor.

The American and British intelligence agencies are said to have stolen the encryption key codes to so-called smart chips manufactured by Gemalto, which are used in cellphones, passports and bank cards around the world.

Gemalto is the world’s biggest maker of SIM cards, the small chips in cellphones that hold an individual’s personal security and identity information.

By gaining access to the chips, the British and American agencies are said to have been able to look up large amounts of mobile voice and data communications without the permission of governments or telecommunications providers like Verizon Wireless and AT&T.

“We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” Gemalto said in a statement on Friday.

It added, “We take this publication very seriously and will devote all resources necessary to fully investigate.”

Shares in the company fell 7.5 percent on Friday in early afternoon trading in Amsterdam. A spokeswoman for the company declined to comment on the length of the investigation into the possible hacking.

A GCHQ spokesman declined to comment on intelligence matters, while a representative from the N.S.A. was not immediately available to comment.

The latest claims follow a series of accusations based on documents provided by Mr. Snowden that American and British intelligence agencies routinely gained access to online communications.

Those affected included several high-profile figures, like Angela Merkel, the German chancellor; American intelligence agencies were suspected of monitoring her cellphone conversations.

“The news that U.S. and U.K. spy agencies hacked the network of a Dutch company to steal encryption keys for billions of SIM cards is truly shocking,” said Anne Jellema, chief executive of the World Wide Web Foundation, a nonprofit that campaigns for Internet freedom. “This is yet another worrying sign that these agencies think they are above the law.”
http://www.nytimes.com/2015/02/21/wo...-agencies.html





Google Calls FBI's Plan to Expand Hacking Power a 'Monumental' Constitutional Threat

Any change in accessing computer data should go through Congress, the search giant said.
Dustin Volz

Google is warning that the government's quiet plan to expand the FBI's authority to remotely access computer files amounts to a "monumental" constitutional concern.

The search giant submitted public comments earlier this week opposing a Justice Department proposal that would grant judges more leeway in how they can approve search warrants for electronic data.

The push to change an arcane federal rule "raises a number of monumental and highly complex constitutional, legal, and geopolitical concerns that should be left to Congress to decide," wrote Richard Salgado, Google's director for law enforcement and information security.

The provision, known as Rule 41 of the federal rules of criminal procedure, generally permits judges to grant search warrants only within the bounds of their judicial district. Last year, the Justice Department petitioned a judicial advisory committee to amend the rule to allow judges to approve warrants outside their jurisdictions or in cases where authorities are unsure where a computer is located.

Google, in its comments, blasted the desired rule change as overly vague, saying the proposal could authorize remote searches on the data of millions of Americans simultaneously—particularly those who share a network or router—and cautioned it rested on shaky legal footing.

"The serious and complex constitutional concerns implicated by the proposed amendment are numerous and, because of the nature of Fourth Amendment case law development, are unlikely to be addressed by courts in a timely fashion," Salgado wrote.

The Justice Department has countered that the rule change amounts to a small-scale tweak of protocol, one that is necessary to align search-warrant procedures with the realities of modern technology. In its own comments, the Justice Department accused some opponents of the rule change of "misreading the text of the proposal or misunderstanding current law."

"The proposal would not authorize the government to undertake any search or seizure or use any remote search technique not already permitted under current law," Deputy Assistant Attorney General David Bitkower said in a memorandum written late last year and made public Tuesday. He added that investigators are "careful to avoid collateral damage when executing remote searches, just as [they are] careful to avoid injury to persons or damage to property in the far more common scenario of executing physical warrants."

Google is the only major tech firm to weigh in on the little-noticed proposed rule change, for which the public comment period ended on Tuesday. Privacy and civil-liberties groups, such as the American Civil Liberties Union, and some technology experts have also condemned the plan as a potential threat to the Fourth Amendment's protection against unreasonable government search and seizures.

A change this broad should only be enacted by Congress, they argue.

"I empathize that it is very hard to get a legislative change," Amie Stepanovich, senior policy counsel with Access, a digital-freedom group, told the judicial panel during a meeting called to review the proposal in November. "However, when you have us resorting to Congress to get increased privacy protections, we would also like to see the government turn to Congress to get increased surveillance authority."

Google echoed that concern in its comments, saying the panel should "leave the expansion of the government's investigative and technological tools, if any are necessary or appropriate, to Congress."

The rules committee is expected to render a decision on Rule 41 in the coming months, though the amendment faces several additional hurdles before it can be adopted. That process includes a review by the Supreme Court and, finally, Congress, which would have seven months to act on the proposal. Failure to enact legislation to "reject, modify, or defer the rules," however, would result in them automatically taking effect, according to policies that govern U.S. courts.
http://www.nationaljournal.com/tech/...hreat-20150218





Snowden Filmmaker Says US Surveillance 'Out of Control'
Veronique Dupont

For most Oscar nominees, the weeks before the February 22 ceremony are a whirlpool of stress.

But Laura Poitras, up for best documentary for "Citizenfour," insists it is like going for a healthy walk -- compared to what she went through to get here.

When former National Security Agency (NSA) consultant Edward Snowden, who revealed the massive scope of US intelligence surveillance, contacted the filmmaker, she found her life turned into a spy novel.

The most risky time was when she went to meet him in Hong Kong, with journalist Glenn Greenwald, the second person contacted by Snowden.

"I took some extreme precautions," she said, adding that she had a separate computer which she only consulted from public places.

"I didn't carry a cell phone for a year after I started reporting because I didn't want it to start broadcasting my location," she told AFP in an interview in Los Angeles.

It was this period that is recounted in "Citizenfour," a title which refers to the pseudonym Snowden used when he contacted her.

Poitras has already won a series of prizes for "Citizenfour," including a Bafta for best documentary. An Oscar, though, would "get more attention around this issue, surveillance," she said.

- Snowden helped boost 'awareness' -

She believes that Snowden's revelations, which won Pulitzer prizes for the Guardian and Washington Post journalists who reported them, helped to boost "awareness of what the government is doing to collect information... and the risk they are posing.

"People are using more encryption. Google is using more encryption of their servers. People are probably more careful with their information," she said.

Above all, the revelations have underlined that "intelligence agencies become out of control and are expanding at a faster pace than laws that regulate them," she said.

"Citizenfour," the third part of a trilogy about the US government's war on terrorism, was co-produced by Steven Soderbergh and edited by Frenchwoman Mathilde Bonnefoy.

It notably shows Snowden explaining the so-called Prism US spy system, which monitors NSA data and communications, to Poitras, Greenwald and Guardian journalist Ewen MacAskill.

It also shows 31-year-old Snowden's paranoia about cameras and telephones. The hotel curtains are drawn; he gets stressed when there are noises. We also see him explaining his motivations, his anxiety about his girlfriend being harassed, guilt at having fled the US without telling her, and then later reuniting with her in Russia.

Snowden remains wanted by the United States, and lives in Moscow.

"The motivation for the film was really to tell the story of what happened, what was the motivation and why he took the risks that he took," Poitras said.

She says recognition for her film "probably provides a bit of shield for me in case the government would like to come after me in any form of legal way.

"It's a double-edged sword. People can contact me with projects who wouldn't have contacted me before, so it's higher profile. But most of the work I've done today I've been able to do it because I was actually kind of low-profile. So maybe now some people could think I'm too over the radar."
https://news.yahoo.com/snowden-filmm...134044426.html





Experts Call for ‘Return to Human Intelligence’ after Snowden

Security agencies need a ‘real cultural shift’, including protection for whistleblowers and citizens on their oversight body
Stuart Dredge

The UK’s national security boss, Robert Hannigan, should come clean on surveillance and stop attacking technology companies, privacy experts have said.

Intelligence agencies must use the debate sparked by Edward Snowden’s surveillance revelations to overhaul their attitude to privacy and oversight, said the group speaking at Dublin’s Web Summit in November.

“What’s urgently required is a real cultural shift amongst our politicians and among our civil servants in Whitehall as to the value of privacy: the fact that it’s a public and social good, and it’s a collective good as well,” said Bella Sankey, policy director at civil liberties organisation Liberty.

Sankey, speaking alongside the former MI5 intelligence officer and whistleblower Annie Machon, criticised Hannigan for his attack on technology companies, which he claimed were “in denial” about the misuse of the internet by terrorists, and for his assertion that “privacy has never been an absolute right”.

“Given everything we’ve learnt in the past 18 months, he chose not to address at all the very serious things that GCHQ stand accused of: blanket surveillance of the UK population with public knowledge and without parliamentary knowledge, [and] receiving warrantless bulk intercepts from the NSA on US and people around the world,” said Machon.

“Instead he chose to attack tech companies, to kind of instigate a PR smearing campaign in a threatening and non-constructive way. It’s astounding when GCHQ is in the dock that it has yet to respond on the substance of anything that we’ve learned.”

Sankey called for “a new settlement and a new consensus” with full engagement from agencies and politicians. “This whole notion that individual privacy is in tension with the security of everyone is really shot to pieces by what we’ve learned about what’s been going on,” she said.

“Liberty has a case in the Investigatory Powers Tribunal, which is this very secretive quasi-court which is the means by which you challenge surveillance measures in the UK. And we’re hoping by that case that we’re going to be able to force a change in the law and for some of this debate to come out in the open,” she said.

“But it’s a very long and slow process, and so far the agencies have been resisting and obfuscating every step of the way.”

Effective oversight - to include citizens

Jamie Bartlett, director of the centre for the analysis of social media at thinktank Demos, said most citizens cared more about stopping terrorists than about privacy.

“What I think the Snowden revelations have done is certainly created the impression among the public that the spies are scooping up everything: everything we do, all the data, every swipe every click, every bit of browsing history. So they’re omnipotent, they’re omnipresent,” he said.

Bartlett said Snowden has prompted a “robust response” from technology companies, and an increase in the availability of easy-to-use encryption services for the public. But terrorists and criminals would also be benefiting from encrypted services, making it harder for agencies to prevent attacks, especially those perpetrated by unpredictable individuals with “a low barrier to entry”.

It could mean, he said, the crisis of confidence in the intelligence agencies will be about them failing to stop terrorism, rather than in overstepping the mark on privacy.

Bartlett speculated about a return to “old-fashioned human intelligence”: targeted bugs in rooms and infiltration of groups, though these actually present a greater moral hazard. “We need a new settlement about the types of intelligence we’re going to allow - and crucial to that is a far better system of oversight.”

Rather than securicrats watching other securicrats, “I want citizens who are security cleared to be part of the Intelligence and Security Committee [in parliament],” he said.

Protection for whistleblowers

Machon called for a “proper channel” for whistleblowers that would listen to their concerns, investigate and punish any wrongdoing.

“What we have is a system where if you ask questions or have ethical concerns you are told to shut up and just follow orders. And you become marked as a troublemaker,” she said. “So those who do have ethical concerns, those who are concerned about illegal operations, usually just resign and get on with their lives.”

Machon drew on her own experience going on the run with her then-partner David Shayler in 1996, and noted that intelligence whistleblowers still face the punishment of being “de facto criminalised for speaking to anyone outside that agency”.

“That will be the only way to change the culture: that awareness that they can’t get away with this closed groupthink any longer; the awareness that they will be held to account; and the awareness that they cannot lie to government any more to cover up their crimes and mistakes,” she said.

“We’re a long way from it. We have the Intelligence and Security Committee in parliament, which is made up of place-men, appointed by the prime minister, and it really has no teeth. It can’t investigate properly. It never has been able to investigate properly. And if this was beefed up into a meaningful oversight body that whistleblowers and others could go to, then I think that would enforce change.”

GCHQ ‘frustrated’ by growing use of encryption

Bartlett suggested that Hannigan’s decision to go on the offensive reflected wider frustration within GCHQ about technology companies ramping up encryption features.

“One might say with some weight that they’ve brought this on themselves, because it’s as a result of the revelations of Edward Snowden that more people are using this type of software,” he said.

“It is very difficult indeed for GCHQ and others to keep tabs on what ISIS is doing. They have become far more sophisticated and their use of open source encryption has been increasing dramatically,” he said adding that there should be more of a partnership approach rather than bullying the sector.

“They’re going to have to find a more progressive, positive working relationship. And I don’t think the best way of doing it is going on the front foot and slagging them off.”

Terrorism is for the police, not the security services

Machon said there needs to be a debate about the role of the intelligence agencies.

“Our intelligence agencies were put in place to protect ‘national security’ - which has never been legally defined under British law - and to protect the economic wellbeing of the state,” she said, citing WWII and the provisional IRA campaigns of the 1970’s to 1990’s as examples of threats to national security.

“But going after small, fast-paced terrorist organisations is not national security. These terrorist attacks are horrific, appalling crimes that traumatise people. But they are not a threat to our national security,” she said.

“The agencies have mission creep going on. They have taken over work that is not really appropriate to an intelligence agency, but is more appropriate for police work, where you’re supposed to gather evidence and put people on trial in front of a jury of their peers.”

Machon said there needed to be a “wholesale rethink” of British intelligence agencies and surveillance, starting with the establishment of an entirely new agency that worked within a regulatory framework.

The home secretary signs seven warrants a day

Sankey said it is inappropriate for UK ministers to be signing surveillance and interception warrants when Canada, New Zealand and Australia all appointed judges to do so. She said Liberty had calculated that the home secretary signs around seven each day.

“How, amongst all the other duties of the home secretary, are they supposed to have the time and attention to scrutinise each one, assess whether it’s necessary and proportionate, and ask the necessary questions? They just don’t. It’s a ridiculous system.”

Sankey claimed that independent research on NSA bulk interception has shown it hasn’t prevented a single attack. “The efficacy of the policy has not been shown to work,” she said. “If that information isn’t being acted upon, what’s the point of ever harvesting more and more of it? In the hackneyed needle and haystack analogy, you rarely need a bigger haystack.”

Without privacy, democracy cannot function

East Germans were traumatised by the scale and invasiveness of surveillance by the Stasi from 1950 to 1990, Machon said, which explained Germany’s outrage at Snowden’s revelations.

“They know that if you do not have privacy, then you do not have the capability to mobilise and push back against a domineering government,” she said. “First they did come for the journalists, the trade unionists and the activists, and then it got worse.

“If you don’t have privacy, you can’t mobilise, you can’t plan, you cannot resist. You cannot have a functioning democracy, and that way lies totalitarianism. And that’s what we’re facing at the moment.”

Bartlett said many in the UK felt they were prepared to give up some of their personal privacy to help protect the country from terrorism, but Sankey said it is wrong to view the internet through the prism of terrorism.

“That’s what Robert Hannigan was doing, saying ‘this is the network of the terrorists’.

“But it’s not. It’s a free and public good. It’s got enormous potential, but that potential can be massively undermined if it becomes a tool of oppression for the most powerful governments in the world like the US and the UK.”
http://www.theguardian.com/technolog...lance-nsa-gchq





Flaw in Netgear Wi-Fi Routers Exposes Admin Password, WLAN Details
Zeljka Zorz

A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device, claims systems/network engineer Peter Adkins.

The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control (change WLAN credentials, SSIDs, parental control settings, etc.) their routers via their smartphones or computers.

"At first glance, this service appears to be filtered and authenticated; HTTP requests with a 'SOAPAction' header set but without a session identifier will yield a HTTP 401 error. However, a HTTP request with a blank form and a 'SOAPAction' header is sufficient to execute certain requests and query information from the device," he explained in a post on the Full Disclosure mailing list.

"As this SOAP service is implemented by the built-in HTTP / CGI daemon, unauthenticated queries will also be answered over the internet if remote management has been enabled on the device. As a result, affected devices can be interrogated and hijacked with as little as a well placed HTTP query."

The vulnerability can be exploited both by attackers that have already gained access to the local network and by remote attackers - if the affected devices have the remote/WAN management feature enabled.
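The bug class Adkins describes, an authentication gate that only fires for one request shape, is easiest to see next to its fix. The following is an added illustration, not Netgear's code or Adkins' proof of concept: the action names, session store and responses are constructed, and the "check lives inside the form-handling branch" structure is an assumed model of the behaviour quoted above, not a claim about the real firmware.

```python
# Added illustration of the bug class described above: an authentication
# gate that only runs for one request shape, beside a hardened handler
# that authenticates before dispatching any SOAPAction. Action names,
# session store and response bodies are constructed; not Netgear code.
from dataclasses import dataclass, field

VALID_SESSIONS = {"s3ss10n-ok"}            # constructed session store


def run_action(action: str) -> dict:
    """Constructed stand-in for the device's actions; a real device would
    answer with a SOAP envelope, which is irrelevant to the access-control point."""
    if action not in ("GetSerialNumber", "GetWlanSettings", "GetAttachedDevices"):
        return {"status": 404, "body": ""}
    return {"status": 200, "body": f"<{action}Response>constructed</{action}Response>"}


@dataclass
class Request:
    headers: dict
    form: dict = field(default_factory=dict)   # parsed form body; {} for a blank body


def session_ok(form: dict) -> bool:
    return form.get("sessionid") in VALID_SESSIONS


def handle_vulnerable(req: Request) -> dict:
    """Models the behaviour quoted above: a form without a valid session
    gets 401, but a blank form never reaches the check because the check
    lives inside the form-handling branch (assumed structure)."""
    action = req.headers.get("SOAPAction")
    if action is None:
        return {"status": 404, "body": ""}
    if req.form:                               # BUG: gate only on a non-empty form
        if not session_ok(req.form):
            return {"status": 401, "body": ""}
    return run_action(action)


def handle_hardened(req: Request) -> dict:
    """Authenticate first, for every request shape, then dispatch."""
    action = req.headers.get("SOAPAction")
    if action is None:
        return {"status": 404, "body": ""}
    if not session_ok(req.form):               # {} carries no session -> 401
        return {"status": 401, "body": ""}
    return run_action(action)


def compare_handlers() -> dict:
    """Run the same three request shapes through both handlers; returns
    name -> (vulnerable status, hardened status)."""
    shapes = {
        "form_without_session": Request({"SOAPAction": "GetSerialNumber"}, {"x": "1"}),
        "blank_form": Request({"SOAPAction": "GetSerialNumber"}, {}),
        "valid_session": Request({"SOAPAction": "GetSerialNumber"}, {"sessionid": "s3ss10n-ok"}),
    }
    return {name: (handle_vulnerable(r)["status"], handle_hardened(r)["status"])
            for name, r in shapes.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare_handlers().items():
        print(f"{name:22s} vulnerable={vuln} hardened={hard}")
```

The hardened handler makes the session check unconditional, which is the property to test for in a review: every path that can reach `run_action` must pass through `session_ok`, whatever the body looks like. The second lesson from the article stands independently of the code: because the same daemon serves the SOAP endpoint and the remote-management interface, leaving WAN management off limits the exposure to the local network even before a firmware fix arrives.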

Hardware and firmware confirmed affected:

• Netgear WNDR3700v4 - V1.0.0.4SH
• Netgear WNDR3700v4 - V1.0.1.52
• Netgear WNR2200 - V1.0.1.88
• Netgear WNR2500 - V1.0.0.24.

Additional platforms believed to be affected:

• NetGear WNDR3800
• NetGear WNDRMAC
• NetGear WPN824N
• NetGear WNDR4700

Check out his post for proof-of-concept code to test yours for the flaw.

"In the absence of a known security contact these issues were reported to Netgear support. The initial response from Netgear support was that despite these issues 'the network should still stay secure' due to a number of built-in security features," says Adkins.

"Attempts to clarify the nature of this vulnerability with support were unsuccessful. This ticket has since been auto-closed while waiting for a follow up. A subsequent email sent to the Netgear 'OpenSource' contact has also gone unanswered."
http://www.net-security.org/secworld.php?id=17959





Uh-oh: Samsung Smart TVs Don't Encrypt Your Captured Voice Data
Lucian Constantin

Samsung does not encrypt voice recordings that are collected and transmitted by its smart TVs to a third party service, even though the company has claimed that it uses encryption to secure consumers’ personal information.

A week ago, the revelation that Samsung collects words spoken by consumers when they use the voice recognition feature in their smart TVs enraged privacy advocates, since according to Samsung’s own privacy policy those words can in some cases include personal or sensitive information. The incident even drew comparisons to Big Brother behavior from George Orwell’s dystopian novel 1984.

In response, Samsung clarified in a blog post that only certain commands, like voice search queries, get sent to a server operated by a third-party, a company called Nuance Communications, for the purpose of being converted into text. The company also noted that this is how voice recognition services work in most products, including smartphones and tablets.

The data collection is done in a transparent manner with users having the ability to opt out, Samsung said in a statement at the time, adding that it uses “industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.”

Broadcasting your voice for everyone to hear

Following the incident, David Lodge, a researcher with a U.K.-based security firm called Pen Test Partners, intercepted and analyzed the Internet traffic generated by a Samsung smart TV and found that it does send captured voice data to a remote server using a connection on port 443.

This port is typically associated with encrypted HTTPS (HTTP with SSL, or Secure Sockets Layer) communications, but when Lodge looked at the actual traffic he was surprised to see that it wasn’t actually encrypted.

“What we see here is not SSL encrypted data,” Lodge said in a blog post. “It’s not even HTTP data, it’s a mix of XML and some custom binary data packet.”

Lodge believes that the reason why Samsung chose to use port 443 might simply be because it’s typically not blocked by network firewalls.

“I don’t understand why they don’t encapsulate it in HTTP(S) though,” he said.

The responses back to the TV from the third-party server, which include the text interpretation of the spoken words, are also unencrypted.
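Lodge's finding rests on a simple check that any network monitor can make: the port number says nothing about whether a stream is TLS, but the first bytes do. The following is an added example, not code from the article or from Pen Test Partners; the sample payloads are constructed rather than captured from a TV.

```python
# Added example: tell what a TCP/443 stream actually carries from its first
# bytes. The sample payloads below are constructed, not captures from a TV.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # CCS, alert, handshake, application data
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"OPTIONS", b"DELETE", b"CONNECT"}


def looks_like_tls_record(payload: bytes) -> bool:
    """A TLS record starts with a content type, a 0x03 major version and a
    minor version 0..3 (SSL 3.0 up to TLS 1.2; TLS 1.3 keeps 0x0303 on the wire)."""
    if len(payload) < 5:
        return False
    ctype, vmaj, vmin = payload[0], payload[1], payload[2]
    return ctype in TLS_CONTENT_TYPES and vmaj == 0x03 and vmin <= 0x03


def is_client_hello(payload: bytes) -> bool:
    """Handshake record (0x16) whose first fragment byte is HandshakeType 1."""
    return (looks_like_tls_record(payload) and payload[0] == 0x16
            and len(payload) > 5 and payload[5] == 0x01)


def classify_port443_payload(payload: bytes) -> str:
    if looks_like_tls_record(payload):
        return "tls"
    first_token = payload.split(b" ", 1)[0]
    if first_token in HTTP_METHODS or payload.startswith(b"HTTP/"):
        return "http-plaintext"
    if payload.lstrip().startswith(b"<"):
        return "xml-plaintext"
    return "unknown-binary"


def audit_flows(flows: dict) -> dict:
    """flow name -> (classification, alert). Anything on 443 that is not TLS
    deserves an alert: the port number alone proves nothing."""
    out = {}
    for name, payload in flows.items():
        cls = classify_port443_payload(payload)
        out[name] = (cls, cls != "tls")
    return out


# Constructed samples: a ClientHello record header, a plaintext HTTP request,
# XML followed by a few custom binary bytes, and opaque binary.
SAMPLE_TLS = bytes.fromhex("16 03 01 00 2c 01 00 00 28 03 03") + bytes(32)
SAMPLE_HTTP = b"GET /search?q=weather HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_XML = b'<?xml version="1.0"?><voice><cmd>constructed</cmd></voice>' + b"\x00\x01\x02\xff"
SAMPLE_BIN = b"\x00\x07\x42\xaa\xbb"

if __name__ == "__main__":
    flows = {"browser": SAMPLE_TLS, "tv_upstream": SAMPLE_XML,
             "legacy_app": SAMPLE_HTTP, "unknown": SAMPLE_BIN}
    for name, (cls, alert) in audit_flows(flows).items():
        print(f"{name:12s} {cls:15s} alert={alert}")
```

Only the first few bytes of each direction are needed, so the check runs cheaply on a firewall or an IDS; the "tv_upstream" sample mirrors the mix of XML and custom binary that Lodge reports, and the same test applied to the server's reply covers the unencrypted responses mentioned above.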

Samsung did not immediately respond to a request for comment.
http://www.pcworld.com/article/28857...lect.html?null





Lenovo PCs Ship with Man-in-the-Middle Adware that Breaks HTTPS Connections

Superfish may make it trivial for attackers to spoof any HTTPS website.
Dan Goodin

Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.

The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.

The adware and its effect on Web encryption has been discussed since at least September in Lenovo customer forum threads such as those here and here. In the latter post, dated January 21, a user showed a root certificate titled Superfish was installed:

He then went on to show how the certificate tampered with the HTTPS connection to a banking website, behavior that allowed Superfish to collect all data unencrypted.

Surprisingly, the behavior largely escaped the notice of security and privacy advocates, until now. On Wednesday evening, following several lengthy Twitter discussions about the overlooked behavior, security researcher Chris Palmer bought a Lenovo Yoga 2 Pro for $600 at a San Francisco Bay Area Best Buy store. He quickly confirmed that the model was pre-installed with the Superfish software and self-signed key.

When Palmer visited https://www.bankofamerica.com/, he found that the certificate presented to his browser wasn't signed by certificate authority VeriSign as one would expect, but rather by Superfish.

He saw the same Superfish-signed certificate misrepresenting itself when he visited other HTTPS-protected websites. In fact, there isn't a single TLS-protected website that wasn't affected.

Palmer was later able to confirm that the private key for the Superfish certificate installed on his Yoga 2 contained the same private key as a Superfish certificate installed on a different person's Lenovo PC. That means there's a good chance attackers could use the certificate to create fake HTTPS websites that wouldn't be detected by vulnerable Lenovo machines. At the time this report was being prepared, there were no reports of anyone testing and confirming the hypothesis, but several researchers agreed the scenario seemed highly likely.

No, certificate pinning won't save you

The Superfish software hijacks encrypted Web sessions no matter which browser someone uses. Worse yet, certificate pinning in Google Chrome will do nothing to alert users that something is amiss. As Google points out in a post explaining certificate pinning, the mechanism isn't set up to validate certificates chained to a private anchor, such as a root certificate installed in the operating system of the connecting device. "A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites," the Google page warned. "'Data loss prevention' appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning."

It's not known exactly which Lenovo computers come with Superfish pre-installed. A Lenovo representative said in a forum that Superfish has been uninstalled and cited "some issues (browser pop up behavior for example)" as the reason. On Twitter Wednesday evening, a Lenovo representative reiterated that the adware was removed on new machines. But as Palmer's experience demonstrated, it's still possible to buy Lenovo PCs that have it pre-installed. And it remains unclear if there's an update mechanism in place to remove it from machines that already have it installed. It's also unknown if PCs from other manufacturers come with Superfish pre-installed. Readers should be aware that even after uninstalling the Superfish adware from their machines, the Superfish root certificate will remain.

Superfish presumably installs the root certificates so it can inject ads into encrypted Web pages. By many people's standards, that's bad. But adware that breaks HTTPS connections and may make users vulnerable to man-in-the-middle attacks that are trivial to carry out is orders of magnitude worse. Stay tuned. We'll all be hearing much more about the Superfish debacle in the days and weeks ahead.
http://arstechnica.com/security/2015...s-connections/





Superfish Security Certificate Password Cracked, Creating New Attack Vector
Martin Anderson

Robert Graham at Errata Security has published an article announcing his success in extracting the SuperFish self-signed security certificate from the installed adware which has caused such a controversy for Chinese laptop and PC manufacturer Lenovo in the last 24 hours.

Since the password - ‘komodia’ - is now known, Lenovo machines with SuperFish’s adware installed now present a workable attack vector for hackers, in the form of software which can perform ‘man-in-the-middle’ https interceptions, using a self-signed certificate with a known password. Effectively it presents a pre-installed hacking environment which would be extremely difficult to arrange with conventional ingenuity.

Until now the ability of the SuperFish adware to insert commercials into any point in the end-user’s web-browsing was only being used for the commercial benefit of the parties involved - SuperFish and Lenovo; the use of the self-signed certificate meant that ad pop-ups would not be interrupted during connections to sites using secure https protocols – including banking sites.

With the password available, the chain of security between a 'SuperFished' Lenovo machine using the adware's self-signed certificate and secure sites will remain apparently unaffected - even though a hacker may be ‘listening in’.

It’s not even a good password. Komodia is the name of a company whose flagship product is the Komodia Redirector framework. The KR framework ‘allows you to change TCP/IP network sessions with a few simple clicks. The platform intercepts traffic (using LSP/WFP) on the local machine based on rules that you define, and it includes many built in functions that you can use without writing a single line of code.’

Lenovo’s semi-apologetic statement on the scandal characterises the company’s relationship with Superfish as ‘not financially significant’, declaring that its goal was ‘to enhance the experience for users’.

The Superfish software was preloaded onto a select number of laptop and desktop machines produced by the Beijing-based tech giant in the last few years. SuperFish’s Visual Discovery search technology led to the company being ranked by Forbes at one point as the 64th most promising company in the United States.

The complete statement reads:

Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

1. Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

2. Lenovo stopped preloading the software in January.

3. We will not preload this software in the future.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.

To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.

We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com

http://thestack.com/superfish-passwo...-signed-190215





Will the Madness Never End? Komodia SSL Certificates are EVERYWHERE
Marc Rogers

So as people have started turning over stones looking to see how common these Komodia certificates are, some surprising (and depressing) things are beginning to surface.

1. It does appear that Komodia is behind this.
2. It appears that Komodia uses the same framework for many, many products. Here's some that have been found so far:
   1. Komodia’s “Keep My Family Secure” parental control software.
   2. Qustodio’s parental control software
   3. Kurupira Webfilter
3. The password is always “komodia”
4. The certificates are always weak, the private key is always bundled with them (of course it is).

I think that at this point it is safe to assume that any SSL interception product sold by Komodia or based on the Komodia SDK is going to be using the same method.

What does this mean? Well this means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of parental control software installed on their computer should probably check to see if they are affected.

This problem is MUCH bigger than we thought it was.

If you are a parent that has installed parental control software – in particular the ones named above – I would check to see if your computer has been affected by this as a matter of urgency:

https://filippo.io/Badfish/

If you have come into contact with any Komodia product, I would do the same, before carefully removing it from any system that you care about.
http://marcrogers.org/2015/02/19/wil...re-everywhere/
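Palmer's test in the Ars Technica piece above and the Badfish check Rogers links to come down to the same observation: look at who issued the certificate your own machine accepted for a site. The following is an added example, not code from either article, from Lenovo, or from the Badfish page; the two certificates are constructed in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, and the issuer markers are the names the articles give.

```python
# Added example (not from either article): inspect the issuer of the
# certificate a client actually received, in the dict shape returned by
# ssl.SSLSocket.getpeercert(). Both sample certificates are constructed.
import socket
import ssl

# Root names mentioned in the articles above. Products built on the Komodia
# SDK may use their own issuer name, so the expected-issuer comparison in
# interception_indicators() is the general check; the markers are a shortcut.
INTERCEPTION_MARKERS = ("superfish", "komodia")


def name_values(name, key):
    """getpeercert() encodes an X.509 name as a tuple of RDNs, each a tuple
    of (attribute, value) pairs; collect every value for one attribute."""
    return [v for rdn in name for k, v in rdn if k == key]


def issuer_string(cert):
    return " / ".join(name_values(cert["issuer"], "organizationName")
                      + name_values(cert["issuer"], "commonName"))


def interception_indicators(cert, expected_issuer=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    issuer = issuer_string(cert)
    for marker in INTERCEPTION_MARKERS:
        if marker in issuer.lower():
            findings.append(f"issuer names a known SSL interception product: {marker}")
    if expected_issuer and expected_issuer.lower() not in issuer.lower():
        findings.append(f"issuer '{issuer}' is not the expected '{expected_issuer}'")
    if cert["issuer"] == cert["subject"]:
        findings.append("leaf certificate is self-signed")
    return findings


def fetch_peer_cert(host, port=443, timeout=5):
    """Live variant (not exercised offline): the default context validates
    against the OS trust store, so on an affected machine the returned cert
    shows the interception root as issuer, exactly as the browser sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape
GENUINE = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trust EV CA"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Superfish"),),
               (("commonName", "Superfish"),)),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("intercepted", INTERCEPTED)):
        print(label, issuer_string(cert), interception_indicators(cert, "Example Trust EV CA"))
```

Two caveats that follow from the articles: seeing the same issuer for every HTTPS site you visit is the telltale sign, since a real CA does not issue for every domain on the Internet; and because uninstalling the adware leaves the root certificate in the store, the live check should be repeated after removal. Whether two machines share the root's private key, the point Palmer confirmed, cannot be settled from the issuer name alone; that needs the root's public key compared between installations.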





Firefox to Get a "Walled Garden" for Browser Extensions, Mozilla to be Sole Arbiter
Paul Ducklin

Mozilla is the latest vendor, if you will excuse me not referring to it as a foundation or a community, to announce a walled garden for its software ecosystem.

In the second half of 2015, it says, Firefox will require all browser extensions to be digitally signed.

The purpose should be obvious: to make it harder for surreptitious, devious or plain malevolent add-ons to make their way into your browser unnoticed.

Extensions can adapt the behaviour of Firefox significantly, from rewriting links and content, through keeping tabs on where you browse, to reading and using your data.

As a result, malicious extensions can be as bad for your digital health as a full-blown malware infection at the operating system level.

How it will work

Mozilla will be the signer-in-chief, and that, apparently, will be that.

If you publish your extension via Mozilla's equivalent of the App Store, known as AMO, or addons.mozilla.org, the company will automatically vet it, sign it, and make it available for download.

That'll be a bit like Google's Bouncer, the automatic process that decides if your Android app is safe for inclusion on Google Play.

The good side of an automatically-scan-approve-and-sign process is that it's simple and fast.

That makes it vaguely more egalitarian than a complex and bureaucratic mechanism that tends to favour bigger, more established software makers, who themselves have the staff and bureaucracy to match.

The bad side is that automatic systems for software approval are designed as much to help online software markets grow really quickly as they are to keep the crooks out.

So they don't always do a very good job of security, and if completely automatic approval systems do let malware or dodgy programs through, they give a powerful but completely false sense of safety that plays straight into the hands of the crooks.

Going off market

Like Google on Android, but unlike Apple on iOS, Mozilla will continue to allow its users to shop "off market," so you won't be forced to publish your extensions via AMO.

Unlike on Android, however, this won't require users to invoke an "allow unsigned extensions" option.

In fact, Mozilla says that there will be no way, neither via command line nor through configuration options, to suppress signature checking.

Instead, all extensions will have to be signed, even "off-market" ones, so instead of devolving the responsibility for off-market content onto the user, Mozilla is going to require developers to make the effort.

→ Apparently, there will be a special sort of exception for in-house extensions, to appease Mozilla's corporate users. How this will work, and how it will be locked down to prevent malware abusing it as a backdoor, is not yet clear. Presumably you'll be able to instruct your company browsers to accept extensions signed with a company certificate.

What isn't clear is how developers will test their extensions under the current Release version before submitting them for approval.

Mozilla says:

Installation of unsigned extensions will still be possible on Nightly and Developer Edition, as well as special, unbranded builds of Release and Beta that will be available mainly for developers testing their extensions.

This, of course, raises the question, "Will the unbranded or the Developer builds be sufficiently similar to the Release versions out in the real world that developers can stand by their testing results?"

It also makes you wonder, "How many users, including businesses, will simply switch to the unbranded versions themselves and be done with this code signing hassle?"

The community strikes back

Security and reliability concerns, however, don't seem to be what's worrying some of the more vocal members of the Mozilla community, who have already hit back with comments like this emotive piece:

Please don't do this.

It is taking freedom away from your users, and freedom away from add-on developers.

You are handing a powerful tool to governments & corporations that will suppress add-ons they don’t like, by compelling you not to sign.

Mozilla as a platform for freedom & creative software development will be torn to shreds by this.

Please stop.


Or this well-reasoned gem:

We don’t want this, so you can send it back to your boss that we said to shove it.

Mozilla has certainly set the cat amongst its own community's pigeons.

At this stage, it's not even clear if the organisation is going to be able to please some of the people some of the time.
https://nakedsecurity.sophos.com/201...-sole-arbiter/





Hard Disk Hacking – Intro
Jeroen Domburg

Apart from this article, I also gave a talk at OHM2013 about this subject. The video of that talk (minus the first few minutes) is now online.

Hard disks: if you read this, it's pretty much certain you use one or more of the things. They're pretty simple: they basically present a bunch of 512-byte sectors, numbered by an increasing address, also known as the LBA or Logical Block Address. The PC the HD is connected to can read or write data to and from these sectors. Usually, a file system is used that abstracts all those sectors to files and folders.

If you look at an HD from that naive standpoint, you would think the hardware should be pretty simple: all you need is something that connects to a SATA-port which can then position the read/write-head and read or write data from or to the platters. But maybe more is involved: don't hard disks also handle bad block management and SMART attributes, and don't they usually have some cache they must somehow manage?

All that implies there's some intelligence in a hard disk, and intelligence usually implies hackability. I'm always interested in hackability, so I decided I wanted to look into how hard disks work on the non-mechanical level. Research like this has been done before for various bits of hardware: from PCI extension cards to embedded controllers in laptops to even Apple keyboards. Usually the research has been done in order to prove the hackability of these devices can lead to compromised software, so I decided to take the same approach: for this hack, I wanted to make a hard disk that could bypass software security.

Parts on the PCB

To figure out if hard disks are hackable, I first had to get to know them better. Luckily, like most of you, I had a whole stack of old and/or broken hard disks to look at:

Of course, we all know how the mechanical parts of a hard disk are supposed to work, and I wasn't really interested in those parts. My interest was in the little PCB that's on the back of most HDs and where the SATA and power connectors were located. This is what such a PCB looks like:

You can see that there are about four chips on the PCB. This is what I found out about them:

This is a bit of DRAM. It's a jellybean part, with easy-to-find datasheets. The capacity of these chips range from 8MB to 64MB, and these sizes correspond to the cache size the hard disk is supposed to have.

This is the spindle motor controller. It's not a standard part, so datasheets are hard to find, but some of the controllers seem to have brothers and sisters that are a bit easier to find. ST Smooth controllers seem to be the most used ones; apart from driving the spindle motor, they also do power regulation and have some A/D channels.

This is a bit of serial flash. It's also a jellybean part, with sizes ranging from 64KB to 256KB. It seems to be used to store the program the hard disk controller boots up from. Some hard disks don't have this chip but have the flash internal to the HD controller chip instead.

These little devices aren't chips, but piezo-electric shock sensors. They can be used to move the heads somewhere safe when the HD experiences a mechanical shock, but more likely just set a bit somewhere to indicate your warranty is void because you dropped your HD.

And this is the bit where all the fun stuff happens: the hard disk controller. They are made by Marvell, ST and some other LSI companies. Some hard disk companies also make their own controllers: I've seen both Samsung and Western Digital do this. With almost everything else being a jellybean part, this is the device I was interested in.

Unfortunately, these parts are somewhat underdocumented. Saying the companies making the controllers aren't too kind on revealing information about them is an understatement: they don't even mention the existence of the part numbers on their sites! Unfortunately, the rest of the Internet isn't too helpful either: looking for datasheets only reveals datasheet-sites not having the actual PDFs and obscure Chinese sellers claiming to have the ICs.

So, no datasheets of the most important IC, that means we're stranded, right?

Hooking up JTAG

Luckily, there are other ways to find out information about these ICs than datasheets. One of my web searches actually resulted in something useful.

What I found was a thread from a guy called Dejan on the HDDGuru forums. Dejan had managed to corrupt the internal flash of his hard disk in some way and wanted to know if there's a way to either boot the controller from external flash, or a method to re-write the flash. For five days, he doesn't get a response, but the guy is inventive: the next thing he posts is the message that he has found the pinout of the JTAG-port. That's a major find: the JTAG-port can be used to control a controller like a puppet. You can stop it, restart it, modify memory, set breakpoints etc with it. Dejan then figures out how to dump the boot ROM of the controller, figures out there's a serial port on one of the hard disk headers and manages to restore his flash ROM. He then dumps a few more bits and pointers about the flash update process before finally disappearing into the mists of the Internet again.

All this was pretty useful information: it told me at least the Western Digital controllers seem to have an ARM-core that's accessible over the JTAG-port. It also told me these hard disks usually have a serial port, which is usually unused but could be useful for debugging my hack. With this, I should have enough information to start hacking.

So, this is my setup:

The red thing is an FT2232H-board, a cheap board you can get for about EUR30 which can do JTAG and serial, as well as SPI-communications. It's connected to the JTAG-interface of the hard disk, as well as the header where the hard disk has its serial port. The HD is directly connected to the SATA-port on my computer's mainboard, as well as to an external ATX power supply. I use OpenOCD as the software to drive the JTAG-port.

Now, the question is: would it actually work? Dejan did this with a 2.5" 250G HD with an 88i6745-controller, and he detected an arm9-core. I grabbed a 3.5" 2TB HD with an 88i9146-controller instead, which had a different form factor and is a bit newer. Luckily, OpenOCD has a way to detect what's on the JTAG chain by itself. This is what it found:

This confused me for a bit... I expected a single tap, for the single ARM core that's in there... but instead, I found three taps... does that mean this chip has three ARM-cores?

After some research, I found out that yes, the chip indeed seems to have three cores. There's two Feroceons, which are quite powerful arm9-like cores, and a Cortex-M3 core, which is a bit smaller, more microcontroller-ish core. Some more playing around (and later research) indicated the controllers all had different functions:

• Feroceon 1 handles the physical reading and writing from/to the hard disk platters
• Feroceon 2 handles the SATA-interface
• Feroceon 2 also handles the cache and LBA to CHS translation
• The Cortex-M3 handles... nothing? I could stop it and still have all hard disk functions.

Now, what core to start hacking at? My target was to try and compromise the security of a system by using hard disk firmware mods. The easiest and probably hardest-to-detect way to do this was to modify data on the fly. That way, the data on the disk wouldn't need to be changed and the firmware could just make itself invisible. To do this, I would need to find a suitable core for that kind of interception: I needed to have a core that would have access to the data when it's in-transit from the disk to the SATA-cable, and also could be rigged to modify the data while it was in between those two points.

Now, how would that data get from the HD platters to the SATA interface? Here's where I used a bit of intuition. My reasoning went something like this:

If the processors would use a standard memory copy, with them running at 150MHz, they would only be able to reach 150*32/2=2.4Gbps, and in practice most likely much less. The hard disk is specced at 6Gbps, so there's probably some hardware acceleration involved. The most likely hardware acceleration would be to use DMA. That would mean the data is copied directly from the head reading logic to memory, without active involvement of the processor. The same goes for the SATA-port: the processor would have to only indicate where the data is, and the DMA logic would take care of reading the data directly from memory.

If this was the case, where would the memory that the DMA-engine would be pointed at, be located? The cache of the hard disk would be a good location: data read from the disk would need to be in cache anyway, so it would make sense to copy it there immediately when reading from the disk. I figured out earlier that Feroceon 2 was responsible for the cache handling; that'd make it a prime target for a hacking attempt.

So, I deduced that the data was read and written through DMA, without any CPU action involved. Now the question was: Even if the CPUs won't touch the data in normal operation, can they actually access it? To answer this question, I first used the JTAG-connection and a bit of disassembly to figure out the memory map of the 2nd Feroceon:

As you can see, the memory map is a bit fragmented. There are small bits of RAM sprinkled around, there's some IO and IRQ space, and a bit of internal boot ROM. There also is a big, 64MB segment of what I suspected was the DRAM-chip with the cache in it. Let's find out if this is actually true. First, I mounted the disk on my machine and wrote 'Hello world!' to a file on it. Now, could I find the string in the 64MB mem region?

Yep, there it is. Seems the cache is accessible by the Feroceons and mapped to the 64MB DRAM region.

Injecting code

Of course, if I wanted to change something in the cache, I couldn't scan the complete 64MB of RAM every time: I needed to know how the cache works. For that, I would need to dump, disassemble and understand the hard disk firmware at least enough to make sense of the caching functions.

Disassembling this firmware is not a trivial task. First of all, the code mixes ARM and Thumb-style instructions, which is irritating if you don't have a disassembler which can automatically switch between the two. Furthermore, something that usually makes disassembling software a lot easier is absent: usually, routines are coded to spit out messages like "Couldn't open logfile!" when something goes wrong. These messages are a huge help in figuring out what a routine does. This firmware, however, has none of these strings: you need to figure out what a routine does purely by the code. The codebase seems to be a bit old, though, and sometimes the disassembly feels like some features have been 'bolted on' to the code later, making everything a bit more complicated.

There also are a few things that make life easier, though. First of all, it seems Western Digital hasn't been intentionally obfuscating the code: no tricks like jumping in the middle of an instruction have been used. Also, because the JTAG-interface is available, you can meddle with the code, set breakpoints or change it on-the-fly, making figuring out what routine gets run when immensely easier.

After a long time of staring at the code, trying to make sense of things and sometimes jumping into the debugger to see if a guess was correct, I managed to get to the core of the caching system: a table in RAM I call the 'cache descriptor table':

Every entry in the cache descriptor table describes a block in the cache. It contains the start LBA of the disk sectors that are or should be cached, how much of the cache actually is filled with disk data, some flags indicating the state of the cache entry and a number indicating where in memory the cached data resides.
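A constructed model of the cache descriptor table described above, written as an added example for this digest (it is not code from the article or from the drive's firmware; the field names, sizes and the CD_VALID flag are assumptions, since the real layout is not given). It shows why the "how much is filled" field matters: a sector inside a reserved range but not yet deposited by the DMA engine is a miss, and it repeats the "Hello world!" scan of the cache region.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model; real table layout is not known from the article. */
#define SECTOR_SIZE   512
#define CACHE_SECTORS 32          /* sectors of cache memory in this model */
#define CACHE_ENTRIES 4

enum { CD_VALID = 0x1 };          /* assumed flag: entry holds live data */

struct cache_desc {
    uint32_t start_lba;   /* first LBA the block is (or will be) caching */
    uint16_t filled;      /* sectors actually filled with disk data so far */
    uint16_t capacity;    /* sectors reserved for this block */
    uint8_t  flags;
    uint32_t mem_offset;  /* sector index into the cache memory region */
};

static uint8_t cache_mem[CACHE_SECTORS * SECTOR_SIZE];   /* stands in for the 64MB DRAM */
static struct cache_desc cdt[CACHE_ENTRIES];

/* Reserve a descriptor for a range; data arrives later via cache_fill().
   Returns the entry index, or -1 if the table or the memory is exhausted. */
int cache_reserve(uint32_t start_lba, uint16_t capacity, uint32_t mem_offset) {
    if (mem_offset + capacity > CACHE_SECTORS) return -1;
    for (int i = 0; i < CACHE_ENTRIES; i++) {
        if (cdt[i].flags & CD_VALID) continue;
        cdt[i] = (struct cache_desc){ start_lba, 0, capacity, CD_VALID, mem_offset };
        return i;
    }
    return -1;
}

/* Simulate the DMA engine depositing one more sector of disk data into the block. */
bool cache_fill(int idx, const uint8_t *sector) {
    if (idx < 0 || idx >= CACHE_ENTRIES) return false;
    struct cache_desc *d = &cdt[idx];
    if (!(d->flags & CD_VALID) || d->filled >= d->capacity) return false;
    memcpy(&cache_mem[(d->mem_offset + d->filled) * SECTOR_SIZE], sector, SECTOR_SIZE);
    d->filled++;
    return true;
}

/* Look up an LBA: only sectors that are already filled count as hits. */
uint8_t *cache_lookup(uint32_t lba) {
    for (int i = 0; i < CACHE_ENTRIES; i++) {
        const struct cache_desc *d = &cdt[i];
        if (!(d->flags & CD_VALID)) continue;
        if (lba >= d->start_lba && lba < d->start_lba + d->filled)
            return &cache_mem[(d->mem_offset + (lba - d->start_lba)) * SECTOR_SIZE];
    }
    return NULL;
}

/* The article's "Hello world!" check: scan the whole cache region for a byte pattern.
   Returns the byte offset of the first match, or -1. */
long cache_find(const uint8_t *pat, size_t n) {
    for (size_t off = 0; off + n <= sizeof cache_mem; off++)
        if (memcmp(&cache_mem[off], pat, n) == 0) return (long)off;
    return -1;
}
```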

Now, with the secrets of the cache descriptor table unraveled, could I intercept a disk read before it'd go out the SATA-port to the PC? To do that, I'd need to be able to execute my own code on the hard disk controller. Moreover, I would have to make sure the code would get run at the correct time: if it modified the cache too soon, the data wouldn't be in there yet; if it modified the cache too late, the data would've already gone to the PC.

The way I did this was by hooking an existing routine. My hack would be in Feroceon 2, and that CPU did all the SATA transfers, so there must be some routine that's responsible for setting up the SATA hardware to pick up the data from cache. If I could find this routine, I could perhaps run my own code before it.

After a lot of browsing, setting breakpoints, failing and trying again, I finally found some routine that fit the bill. I modified it to run my code before it by hooking it. Here's the original code:

Code:
000167BE ; r0 - slot in sata_req
000167BE sub_0_167BE:
000167BE                 PUSH    {R4-R7,LR}
000167C0                 MOVS    R7, R0
000167C2                 LSLS    R1, R0, #4
000167C4                 LDR     R0, =sata_req
000167C6                 SUB     SP, SP, #0x14
000167C8                 ADDS    R6, R1, R0
000167CA                 LDRB    R1, [R6,#0xD]
000167CC                 LDR     R2, =stru_0_40028DC
000167CE                 STR     R1, [SP,#0x28+var_1C]
000167D0                 LDRB    R0, [R6,#(off_0_FFE3F108+2 - 0xFFE3F0FC)]
000167D2                 LDRB    R5, [R6,#(off_0_FFE3F108 - 0xFFE3F0FC)]
000167D4                 LSLS    R0, R0, #4
And here's what happens when the code is hooked to call my code:
000167BE ; r0 - slot in sata_req
000167BE sub_0_167BE:
000167BE                 PUSH    {R4-R7,LR}
000167C0                 MOVS    R7, R0
000167C2                 LD      R6, =hookedAddr
000167C4                 BX      R6
000167C6                 .dw     checksumFix
000167C8                 .dd     hookedAddr
000167CC                 LDR     R2, =stru_0_40028DC
000167CE                 STR     R1, [SP,#0x28+var_1C]
000167D0                 LDRB    R0, [R6,#(off_0_FFE3F108+2 - 0xFFE3F0FC)]
000167D2                 LDRB    R5, [R6,#(off_0_FFE3F108 - 0xFFE3F0FC)]
000167D4                 LSLS    R0, R0, #4
...
FFE3F000                 PUSH    {R0-R12, LR}
FFE3F004                 BX      changeThingsInCache
FFE3F008                 POP     {R0-R12, LR}
FFE3F00C                 LSLS    R1, R0, #4
FFE3F010                 LDR     R0, =sata_req
FFE3F014                 SUB     SP, SP, #0x14
FFE3F018                 ADDS    R6, R1, R0
FFE3F01C                 LDRB    R1, [R6,#0xD]
FFE3F020                 BX      0x167CC
As you can see, some original instructions are replaced with a jump to new code in an otherwise unused bit of RAM at address 0xFFE3F000 and an extra word to make sure the checksum of the code region still is valid. If this isn't done, the HD will try to load a backup from its platters, which isn't what we want. The code that's jumped to executes a routine called changeThingsInCache and then does what the replaced code would've done. It then continues execution in the original routine like nothing has happened.

Now all I needed to write was a routine to modify the cached data. For a first test, I decided on a routine that in pseudocode went something like this:

Code:
void hook() {
  foreach (cache_struct in cache_struct_table) {
    if (is_valid(cache_struct)) {
      foreach (sector in cache_struct.sectors) {
        sector[0]=0x12345678;
      }
    }
  }
}
This little bit of code would replace the first 4 bytes of every sector in cache with 0x12345678 every time it's called, so if I uploaded all this to the hard disk, I should see that number on the start of every sector I read. I uploaded the bits of code over JTAG...

Persistence

Of course, I could make this into a full hack, but needing to use JTAG to poke it in RAM every time the hard disk boots would make it pretty useless. I needed to make it persistent, that is, I needed to store my modifications somewhere where they would be picked up again every time the hard disk powers on.

My location of choice was the flash rom. I could probably also have put it somewhere in the reserved sectors on the disk itself, but if I messed something up, I would have no way to recover my disk. The flash chip is just an eight-pin standard part, so I could easily take it out, flash it and put it in again. For that purpose, I desoldered it and put it on a bit of veroboard, so I could easily switch it between a programmer and the hard disk:

Now, what to put in the flash? Luckily, the format of what's stored in the chip already has been figured out: it consists of multiple blocks of data, with a table describing them at the very start. That table describes the location of the block in flash, how it's compressed (if it is compressed), the location where the block should be put in RAM and, for the final address, an execution point where the loader would jump to to start executing the program.

Unfortunately, I couldn't modify the code that was in the flash; the bits that contained the parts where I wanted to put my hooks were compressed with an unknown compression algorithm, so I couldn't modify that. What I however could do was add an extra block, and modify the execution address so that block would get executed before the rest. That made things a bit easier: when 'my' block got executed, I could just code it to insert the hooks in the now decompressed bits of code.

Of course, I had to dis- and re-assemble the flash binary for this. I created a tool for that, unimaginatively called 'fwtool'. This tool can dump out the various blocks in the flash, plus translate the header into a text file for easy modification. You can then modify, delete or add a block and re-assemble everything into a single firmware file, ready to be re-flashed. I used that to add my custom bit of code to the image, flashed everything back to the chip, put the chip back into the HD, booted everything back up and this was the result:

The result isn't that shocking: it's exactly the same as I had before. The trick is that I didn't need the JTAG-rig to get it.

Software flashing

While the flash mod was a good step forward, I still couldn't play out my imaginary hacker scenario: I don't think any server company accepts 'donations' of hard disks with de- and re-soldered flash chips. I needed to find a way to re-flash the chip while it was still soldered to the hard disk, preferably from the PC the hard disk was connected to.

The Western Digital firmware upgrade tool proves this is possible: it's basically a tool you run under DOS to put new firmware to both the flash and the service area aka the reserved sectors of the hard disk. According to the Internet, the tools use so-called Vendor Specific Commands to There are also some other tools that can meddle with the firmware: for example, there is a bit of proof-of-concept code that can use unused reserved sectors to hide away data. Finally, there's a set of tools called idle3-tools that can be used to modify a byte in the firmware to modify the idle behaviour of the hard disk. This code also uses VSCs, and does this using the 'official' way using Linux SCSI passthrough ioctls. I decided to 'borrow' this code, modify it a bit and integrate it in fwtool. After some messing around and guessing VSC parameters, fwtool could all of a sudden also read and write the flash of a HD attached to the PC it's run on.

With this, my attack was complete. If a blackhat hacker had somehow obtained root access to a server with this drive, he could use fwtool to remotely dump the flash of the disk, modify it and flash it back. Eventually, the owner of the box will find out I am using his box for nefarious purposes and will probably re-install the system, securing the way the hacker originally entered the machine.

With the firmware hack in place, however, the attacker could tell the hard disk to do something nefarious with the new install. He'd need to trigger that behaviour first, though, and that could be done by writing a certain magic string the firmware hack would look for to the disk. The magic string can be in any file; the attacker could for example upload a .jpeg-file with the string in it to the server. He could also request a file from the webserver with the magic string appended to the URL. That would eventually end up in the logs of the machines, triggering the exploit.

The hard disk firmware hack would then do something nefarious. For example, it could wait for the machine to read out the file /etc/shadow, where all the passwords are stored on a Unix/Linux system, and modify the contents on-the-fly to something the attacker hardcoded earlier. When the attacker would then try to log into the system with his own password, the machine would check this password against the now-modified /etc/shadow and the attacker would be free to login again.

Here's the demonstration I did at the presentation. You can see me try to log into the root account of the machine unsuccessfully. I then enable the hack and give it a replacement password hash, namely for the password 'test123'. Because Linux caches the shadow file (like all files recently accessed), I have to generate a lot of disk activity for the file to be 'pushed out' of the cache; that way, when I try to login again, Linux will be forced to fetch the shadow file from disk again. Finally, with the cache cleared, I can just log into the root account with the faked test123 password.

Other uses

Of course, restoring access to servers which had their clandestine entry methods removed isn't the only useful thing my reverse engineering efforts can be used for. They can also be used for defensive purposes.

For example, you could make an un-clonable hard disk: the hard disk would act normal if the access pattern for the sectors was somewhat random, like a normal OS would access a filesystem. If the disk was accessed only sequentially, like a disk cloning utility would do, the hard disk could mangle the data, making the clone different from the original.
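The access-pattern check behind the un-clonable disk idea above, as an added example for this digest (not code from the article): a small ring-buffer monitor that records whether each read request continues exactly where the previous one ended and reports when a full window is dominated by such sequential requests. The window size and ratio are assumptions; the article gives the idea but no parameters.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed tunables (constructed; not from the article). A normal OS reading one
   large file also looks sequential for a while, so the window must be long enough
   that ordinary filesystem traffic brings the ratio back down. */
#define WINDOW     64    /* recent read requests considered */
#define SEQ_RATIO  0.9   /* fraction of back-to-back sequential requests that looks like cloning */

struct access_monitor {
    uint32_t last_lba;
    uint32_t last_len;
    bool     have_last;
    uint8_t  hist[WINDOW];    /* 1 = request started exactly where the previous one ended */
    size_t   pos;             /* ring index of the slot to overwrite next */
    size_t   count;           /* requests recorded so far, capped at WINDOW */
    size_t   seq_in_window;   /* running sum of hist[] */
};

void monitor_init(struct access_monitor *m) { memset(m, 0, sizeof *m); }

/* Record one read request: start LBA and sector count. */
void monitor_record(struct access_monitor *m, uint32_t lba, uint32_t len) {
    uint8_t seq = (m->have_last && lba == m->last_lba + m->last_len) ? 1 : 0;
    if (m->count == WINDOW)
        m->seq_in_window -= m->hist[m->pos];   /* evict the oldest sample */
    else
        m->count++;
    m->hist[m->pos] = seq;
    m->seq_in_window += seq;
    m->pos = (m->pos + 1) % WINDOW;
    m->last_lba = lba;
    m->last_len = len;
    m->have_last = true;
}

/* True only once a full window of history is dominated by sequential requests;
   with less history the monitor refuses to judge. */
bool monitor_looks_like_clone(const struct access_monitor *m) {
    if (m->count < WINDOW) return false;
    return (double)m->seq_in_window / (double)m->count >= SEQ_RATIO;
}
```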

The disk controller is also interesting as a generic controller board. You have three fairly capable CPU cores, with a pretty big amount of RAM connected to it. There's also a UART, for the serial port, and at least two SPI interfaces; one to the flash rom and one to the spindle controllers. You can load the code for the processor by updating an external flash chip, or even by using the serial port in the bootloader. To demonstrate the power of the chip, I ported a fairly ubiquitous bit of software to my HD. The demo is a proof-of-concept only, the serial port is the only peripheral that works, and no userspace is available yet. Nevertheless, I am still a bit proud to say I have installed Linux on my hard disk. On top, a standard command line (the HD is mounted under /mnt), on the bottom the output of my work on the serial port of the hard disk:

A bit more explanation about what happens here: the kernel and init are both packed in pieces with the size of exactly one sector, with a magic string and order number prepended. By reading the file from the disk, it will end up in the cache of the disk. The write of the magic string 'HD, lnx!' finally triggers the modified firmware to search the cache for all the sectors, re-assemble the kernel image and boot it. The kernel is built for an MMU-less CPU (the disk controller doesn't have one) and only has a driver for the serial port. An MMU-less kernel unfortunately needs a specially formatted bit of userspace too. I couldn't get this to compile, so the kernel finally panics because it can't find an init it can execute.

Conclusion

So, there you have it. While the hard disk controller is a beast without much data known about it, it's still perfectly well possible to reverse engineer it and to write custom code for it. The unknown-ness of the controller does make it harder to write generic hacks, which makes me doubtful that a thing like the evil firmware patch will ever be seen in the wild: it's much easier to just get another zero-day software exploit than reverse engineer the firmware of every single hard disk every server you stumble upon has.

I also hope to have proven that a broken hard disk is something you can still use. While the mechanics of a broken HD probably are shot, the PCB still contains a usable embedded system, which actually is pretty powerful considering you can usually get broken hard disks for free.

Releasing the source-code for a security project always is a nasty subject. I want to release code, but I do not want to be responsible for a lot of permanently hacked servers... I decided to compromise: you can download the code I used here, but I removed the shadow-replacement code. Make note: I'm not going to support the process to get all this running in any way; it's a hack, you figure it out.
http://spritesmods.com/?art=hddhack





The Anonymity Network At Risk
Debbie Fletcher

You don’t have to watch NCIS to know that almost everything we do leaves some kind of trail or trace. Every click of the Internet and every post we make, email we send and file we download are all being tracked by someone somewhere. Unless, of course, it isn’t.

There are many reasons a person would want to go incognito on the Internet, and those reasons run the gamut from reasonable to evil. Therefore, there are many reasons a program that allows people to be anonymous on the Internet would be targeted for attack. Here’s why the anonymity network TOR is said to be at risk in 2015, and what the origin of the risk truly is.

What TOR Is For

Tor isn’t just any old Internet application that can aid important dissident political movements as well as providing a haven for drug traffickers. TOR is a free software package that acts as an anonymity network to enable users to navigate the Internet without being tracked by corporations, government agencies or other parties. These Internet communications are anonymized using application layers of encryption – also known as onion routing. (TOR previously stood for The Onion Router.)

TOR is used by all kinds of people for all kinds of reasons. Your Uncle Larry with the tinfoil hat makes for an obvious fan, as do run-of-the-mill privacy enthusiasts. TOR has also become invaluable for people like domestic abuse victims and their social workers who need to keep their locations and communication under wraps in order to avoid digital stalking.

On a larger scale, TOR is widely used by journalists, political activists and citizens in countries that face censorship or Internet restrictions that have reason to fear reprisal from the government. TOR has played an integral part in political movements in Iran and Egypt, and was famously used by NSA whistleblower Edward Snowden.

As there is for almost everything involving the Internet, however, there’s another side to TOR. It can, and is, used for illegal activity, including the distribution of illicit sexual content, the distribution of controlled substances, identity theft, credit-card fraud and bank fraud. TOR is known to be used by hacktivist groups, as well as criminal enterprises.

Already Under Attack

Pardon us if you saw this one coming, but the hacker group the Lizard Squad – famous for its repeated attacks on Sony – spent the end of 2014 targeting TOR. TOR’s anonymizing is made possible by a massive network of computers known as volunteer nodes. The Lizard Squad’s attacks on TOR are made possible by members overtaking huge numbers of the volunteer nodes. By overtaking these nodes, hackers are essentially able to eavesdrop on TOR users, leaving them open to further attack or possible extortion attempts.

It seems a war may be brewing between hacktivist groups over the Lizard Squad’s targeting of TOR. While the Lizard Squad’s antics with Sony have largely been regarded with benign amusement by most denizens of the Internet, messing with TOR is not turning out to have the same effect. Internet activist group Anonymous has taken exception to the attacks on TOR, stating that users need the service due to corrupt governments. Anonymous has warned the Lizard Squad to stand down.

The 2015 TOR Attack Trend

As bad as being caught in a battle between Anonymous and the Lizard Squad seems like it would be, if Internet security analysts are right, 2015 could get even uglier for TOR. Not only will TOR users have to be wary that they could be targeted by the Lizard Squad or other hacker groups, it’s likely they could also be targeted by government agencies.

DDoS attacks against North Korea have already made major headlines over the last month, bringing even more public attention to the issue of DDoS attacks. And with so much illegal activity alleged to be taking place on TOR, analysts agree it’s only a matter of time before police, the NSA, the FBI and other government agencies are seeking to unmask TOR service providers through small, targeted DDoS attacks on the anonymity network.

In fact, the security of TOR was already called into question in November of 2014 when the FBI shut down roughly 400 websites involved in the sale of contraband and arrested 17 people involved with online drug marketplaces. All of those people had assumed they were operating anonymously.

TOR is already what analysts call a ‘fragile network,’ and with hacker groups as well as legitimate organizations like government agencies targeting it for attack, it would seem TOR has some adapting to do.

We already know DDoS attacks are going to continue to grow in popularity and in level of devastation, so it’s up to networks and organizations like TOR to evolve in how they deal with these attacks.
http://techcrunch.com/2015/02/14/the...twork-at-risk/

Until next week,

- js.

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black