Showing posts with label encryption. Show all posts

Saturday, May 26, 2018

FBI issues formal warning on massive malware network linked to Russia



The FBI on Friday issued a formal warning that a sophisticated Russia-linked hacking campaign is compromising hundreds of thousands of home network devices worldwide and it is advising owners to reboot these devices in an attempt to disrupt the malicious software.

The law enforcement agency said foreign cyber actors are targeting routers in small or home offices with a botnet — or a network of infected devices — known as VPNFilter.

Cybersecurity experts and officials say VPNFilter has infected an estimated 500,000 devices worldwide.

"The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices," the bureau's cyber division wrote in a public alert.

"Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware."

Earlier this week, the Department of Justice (DOJ) announced the bureau was working to disrupt the malware, which officials have linked to the cyber espionage group known as APT 28 or Sofacy.

Some cybersecurity firms have already determined this hacking group is being sponsored by the Russian government.

Experts at Cisco’s threat intelligence arm Talos on Wednesday first called attention to VPNFilter, warning that hackers are ramping up malware attacks against Ukraine, infecting thousands of devices ahead of an upcoming national holiday in the country.

"While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control infrastructure dedicated to that country," Talos wrote in a blog post.

"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries."

The firm warned that VPNFilter could wreak havoc in a number of ways, from stealing website credentials to causing widespread internet disruption.

"The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off Internet access for hundreds of thousands of victims worldwide."

Tuesday, December 26, 2017

Edward Snowden's New App Turns A Smartphone Into A Security System

By David Z. Morris
December 24, 2017

Edward Snowden, who blew the whistle on NSA surveillance of U.S. citizens, knows a thing or two about spying. He’s now released an app, Haven, that makes it easier to defend yourself against the most aggressive kinds.

Haven, now in public beta, turns any Android smartphone into a sensitive security system. It’s primarily intended to be installed on a secondary phone — say, last year’s model — which then takes photos and records sound of any activity in a room where it’s placed. Haven will then send alerts of any intrusion to a user’s primary phone over encrypted channels.

http://fortune.com/2017/12/24/edward-snowden-haven-security-app/

Tuesday, October 17, 2017

Millions of high-security crypto keys crippled by newly discovered flaw

A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software and application signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs.

The 5-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world.

The code library was developed by German chipmaker Infineon, and has been generating weak keys since 2012 at the latest.

https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/

Saturday, July 15, 2017

The Intercept Discloses Top-Secret NSA Document On Russia Hacking Aimed At US Voting System

The report details an operation targeting voter registration in 2016.

By Ben Dreyfuss

On Monday, the Intercept published a classified internal NSA document noting that Russian military intelligence mounted an operation to hack at least one US voting software supplier—which provided software related to voter registration files—in the months prior to last year’s presidential contest. It has previously been reported that Russia attempted to hack into voter registration systems, but this NSA document provides details of how one such operation occurred.

According to the Intercept:
The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the US election and voting infrastructure. The report, dated May 5, 2017, is the most detailed US government account of Russian interference in the election that has yet come to light.
While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying “raw” intelligence on which the analysis is based. A US intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.
The report indicates that Russian hacking may have penetrated further into US voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document:
Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.
Go read the whole thing.

Sunday, July 9, 2017

Trump’s Son Met With Russian Lawyer After Being Promised Damaging Information On Clinton

President Trump’s eldest son, Donald Trump Jr., was promised damaging information about Hillary Clinton before agreeing to meet with a Kremlin-connected Russian lawyer during the 2016 campaign, according to three advisers to the White House briefed on the meeting and two others with knowledge of it.

The meeting was also attended by his campaign chairman at the time, Paul J. Manafort, and his son-in-law, Jared Kushner. Mr. Manafort and Mr. Kushner only recently disclosed the meeting, though not its content, in confidential government documents described to The New York Times.

The Times reported the existence of the meeting on Saturday. But in subsequent interviews, the advisers and others revealed the motivation behind it.

The meeting — at Trump Tower on June 9, 2016, two weeks after Donald J. Trump clinched the Republican nomination — points to the central question in federal investigations of the Kremlin’s meddling in the presidential election: whether the Trump campaign colluded with the Russians. The accounts of the meeting represent the first public indication that at least some in the campaign were willing to accept Russian help.

And while Trump has been dogged by revelations of undisclosed meetings between his associates and the Russians, the episode at Trump Tower is the first such confirmed private meeting involving members of his inner circle during the campaign — as well as the first one known to have included his eldest son. It came at an inflection point in the campaign, when Donald Trump Jr., who served as an adviser and a surrogate, was ascendant and Mr. Manafort was consolidating power.

It is unclear whether the Russian lawyer, Natalia Veselnitskaya, actually produced the promised compromising information about Mrs. Clinton. But the people interviewed by The Times about the meeting said the expectation was that she would do so.

In a statement on Sunday, Donald Trump Jr. said he had met with the Russian lawyer at the request of an acquaintance. “After pleasantries were exchanged,” he said, “the woman stated that she had information that individuals connected to Russia were funding the Democratic National Committee and supporting Ms. Clinton. Her statements were vague, ambiguous and made no sense. No details or supporting information was provided or even offered. It quickly became clear that she had no meaningful information.”

He said she then turned the conversation to adoption of Russian children and the Magnitsky Act, an American law that blacklists suspected Russian human rights abusers. The law so enraged President Vladimir V. Putin of Russia that he retaliated by halting American adoptions of Russian children.

“It became clear to me that this was the true agenda all along and that the claims of potentially helpful information were a pretext for the meeting,” Mr. Trump said.

When he was first asked about the meeting on Saturday, he said only that it was primarily about adoptions and mentioned nothing about Mrs. Clinton.
Mark Corallo, a spokesman for the president’s lawyer, said on Sunday that “Trump was not aware of and did not attend the meeting.”

Lawyers and spokesmen for Mr. Kushner and Mr. Manafort did not immediately respond to requests for comment. In his statement, Donald Trump Jr. said he asked Mr. Manafort and Mr. Kushner to attend, but did not tell them what the meeting was about.

American intelligence agencies have concluded that Russian hackers and propagandists worked to tip the election toward Donald J. Trump, in part by stealing and then providing to WikiLeaks internal Democratic Party and Clinton campaign emails that were embarrassing to Mrs. Clinton. WikiLeaks began releasing the material on July 22.

A special prosecutor and congressional committees are now investigating the Trump campaign’s possible collusion with the Russians. Mr. Trump has disputed that, but the investigation has cast a shadow over his administration.

Mr. Trump has also equivocated on whether the Russians were solely responsible for the hacking. On Sunday, two days after his first meeting as president with Mr. Putin, Mr. Trump said in a Twitter post: “I strongly pressed President Putin twice about Russian meddling in our election. He vehemently denied it. I’ve already given my opinion.....” He also tweeted that they had “discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded...”

On Sunday morning on Fox News, the White House chief of staff, Reince Priebus, described the Trump Tower meeting as a “big nothing burger.”

“Talking about issues of foreign policy, issues related to our place in the world, issues important to the American people is not unusual,” he said.

But Representative Adam B. Schiff of California, the leading Democrat on the House Intelligence Committee, one of the panels investigating Russian election interference, said he wanted to question “everyone that was at that meeting.”

“There’s no reason for this Russian government advocate to be meeting with Paul Manafort or with Mr. Kushner or the president’s son if it wasn’t about the campaign and Russia policy,” Mr. Schiff said after the initial Times report.

Ms. Veselnitskaya, the Russian lawyer invited to the Trump Tower meeting, is best known for mounting a multipronged attack against the Magnitsky Act.

The adoption impasse is a frequently used talking point for opponents of the act. Ms. Veselnitskaya’s campaign against the law has also included attempts to discredit the man after whom it was named, Sergei L. Magnitsky, a lawyer and auditor who died in 2009 in mysterious circumstances in a Russian prison after exposing one of the biggest corruption scandals during Mr. Putin’s rule.
Ms. Veselnitskaya’s clients include state-owned businesses and a senior government official’s son, whose company was under investigation in the United States at the time of the meeting. Her activities and associations had previously drawn the attention of the F.B.I., according to a former senior law enforcement official.

Ms. Veselnitskaya said in a statement on Saturday that “nothing at all about the presidential campaign” was discussed. She recalled that after about 10 minutes, either Mr. Kushner or Mr. Manafort walked out.

She said she had “never acted on behalf of the Russian government” and “never discussed any of these matters with any representative of the Russian government.”

The Trump Tower meeting was disclosed to government officials in recent days, when Mr. Kushner, who is also a senior White House aide, filed a revised version of a form required to obtain a security clearance.

The Times reported in April that he had failed to disclose any foreign contacts, including meetings with the Russian ambassador to the United States and the head of a Russian state bank. Failure to report such contacts can result in a loss of access to classified information and even, if information is knowingly falsified or concealed, in imprisonment.

Mr. Kushner’s advisers said at the time that the omissions were an error, and that he had immediately notified the F.B.I. that he would be revising the filing.

In a statement on Saturday, Mr. Kushner’s lawyer, Jamie Gorelick, said: “He has since submitted this information, including that during the campaign and transition, he had over 100 calls or meetings with representatives of more than 20 countries, most of which were during transition. Mr. Kushner has submitted additional updates and included, out of an abundance of caution, this meeting with a Russian person, which he briefly attended at the request of his brother-in-law Donald Trump Jr. As Mr. Kushner has consistently stated, he is eager to cooperate and share what he knows.”

Mr. Manafort, the former campaign chairman, also recently disclosed the meeting, and Donald Trump Jr.’s role in organizing it, to congressional investigators who had questions about his foreign contacts, according to people familiar with the events. Neither Mr. Manafort nor Mr. Kushner was required to disclose the content of the meeting.

A spokesman for Mr. Manafort declined to comment.

Since the president took office, Donald Trump Jr. and his brother Eric have assumed day-to-day control of their father’s real estate empire. Because he does not serve in the administration and does not have a security clearance, Donald Trump Jr. was not required to disclose his foreign contacts.

Federal and congressional investigators have not publicly asked for any records that would require his disclosure of Russian contacts.

Ms. Veselnitskaya is a formidable operator with a history of pushing the Kremlin’s agenda. Most notable is her campaign against the Magnitsky Act, which provoked a Cold War-style, tit-for-tat dispute with the Kremlin when President Barack Obama signed it into law in 2012.

Under the law, about 44 Russian citizens have been put on a list that allows the United States to seize their American assets and deny them visas. The United States asserts that many of them are connected to the fraud exposed by Mr. Magnitsky, who after being jailed for more than a year was found dead in his cell. A Russian human rights panel found that he had been assaulted. To critics of Mr. Putin, Mr. Magnitsky, in death, became a symbol of corruption and brutality in the Russian state.
An infuriated Mr. Putin has called the law an “outrageous act,” and, in addition to banning American adoptions, he compiled what became known as an “anti-Magnitsky” blacklist of United States citizens.

Among those blacklisted was Preet Bharara, then the United States attorney in Manhattan, who led notable convictions of Russian arms and drug dealers. Mr. Bharara was abruptly fired in March, after previously being asked to stay on by President Trump.

One of Ms. Veselnitskaya’s clients is Denis Katsyv, the Russian owner of Prevezon Holdings, an investment company based in Cyprus. He is the son of Petr Katsyv, the vice president of the state-owned Russian Railways and a former deputy governor of the Moscow region. In a civil forfeiture case prosecuted by Mr. Bharara’s office, the Justice Department alleged that Prevezon had helped launder money linked to the $230 million corruption scheme exposed by Mr. Magnitsky by putting it in New York real estate and bank accounts. Prevezon recently settled the case for $6 million without admitting wrongdoing.

Ms. Veselnitskaya and her client also hired a team of political and legal operatives to press the case for repeal. And they tried but failed to keep Mr. Magnitsky’s name off a new law that takes aim at human-rights abusers across the globe. The team included Rinat Akhmetshin, an émigré to the United States who once served as a Soviet military officer and who has been called a Russian political gun for hire. Fusion GPS, a consulting firm that produced an intelligence dossier that contained unverified allegations about Mr. Trump, was also hired to do research for Prevezon.

Ms. Veselnitskaya was also deeply involved in the making of a film that disputes the widely accepted version of Mr. Magnitsky’s life and death. In the film and in her statement, she said the true culprit of the fraud was William F. Browder, an American-born financier who hired Mr. Magnitsky to investigate the fraud after three of his investment funds companies in Russia were seized.

Mr. Browder called the film a state-sponsored smear campaign.

“She’s not just some private lawyer,” Mr. Browder said of Ms. Veselnitskaya. “She is a tool of the Russian government.”

John O. Brennan, a former C.I.A. director, testified in May that he had been concerned last year by Russian government efforts to contact and manipulate members of Mr. Trump’s campaign. “Russian intelligence agencies do not hesitate at all to use private companies and Russian persons who are unaffiliated with the Russian government to support their objectives,” he said.

The F.B.I. began a counterintelligence investigation last year into Russian contacts with any Trump associates. Agents focused on Mr. Manafort and a pair of advisers, Carter Page and Roger J. Stone Jr.

Among those now under investigation is Michael T. Flynn, who was forced to resign as Mr. Trump’s national security adviser after it became known that he had falsely denied speaking to the Russian ambassador about sanctions imposed by the Obama administration over the election hacking.

Congress later discovered that Mr. Flynn had been paid more than $65,000 by companies linked to Russia, and that he had failed to disclose those payments when he renewed his security clearance and underwent an additional background check to join the White House staff.

In May, the president fired the F.B.I. director, James B. Comey, who days later provided information about a meeting with Mr. Trump at the White House. According to Mr. Comey, the president asked him to end the bureau’s investigation into Mr. Flynn; Mr. Trump has repeatedly denied making such a request. Robert S. Mueller III, a former F.B.I. director, was then appointed as special counsel.

The status of Mr. Mueller’s investigation is not clear, but he has assembled a veteran team of prosecutors and agents to dig into any possible collusion.

Saturday, June 24, 2017

Obama’s secret struggle to punish Russia for Putin’s election assault

Early last August, an envelope with extraordinary handling restrictions arrived at the White House. 

Sent by courier from the CIA, it carried “eyes only” instructions that its contents be shown to just four people: President Barack Obama and three senior aides.

Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.

But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent.

Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

https://www.washingtonpost.com/graphics/2017/world/national-security/obama-putin-election-hacking/?utm_term=.12a31b9dd507&hpid=hp_hp-top-table-main_russiaobama-banner-7a%3Ahomepage%2Fstory

2016 election is officially illegitimate. TIME: Hackers Altered Voter Rolls

http://time.com/4828306/russian-hacking-election-widespread-private-data/

Election Hackers Altered Voter Rolls, Stole Private Data, Officials Say
Massimo Calabresi - Jun 22, 2017

The hacking of state and local election databases in 2016 was more extensive than previously reported, including at least one successful attempt to alter voter information, and the theft of thousands of voter records that contain private information like partial Social Security numbers, current and former officials tell TIME.

In one case, investigators found there had been a manipulation of voter data in a county database but the alterations were discovered and rectified, two sources familiar with the matter tell TIME. Investigators have not identified whether the hackers in that case were Russian agents.

The fact that private data was stolen from states is separately providing investigators a previously unreported line of inquiry in the probes into Russian attempts to influence the election. In Illinois, more than 90% of the nearly 90,000 records stolen by Russian state actors contained drivers license numbers, and a quarter contained the last four digits of voters’ Social Security numbers, according to Ken Menzel, the General Counsel of the State Board of Elections.

Congressional investigators are probing whether any of this stolen private information made its way to the Trump campaign, two sources familiar with the investigations tell TIME.

“If any campaign, Trump or otherwise, used inappropriate data the questions are, How did they get it? From whom? And with what level of knowledge?” the former top Democratic staffer on the House Intelligence Committee, Michael Bahar, tells TIME. “That is a crux of the investigation."

Saturday, May 20, 2017

Comey’s FBI Computer Illegally Accessed: Data Given To Russian Diplomats

Exclusive: Sources close to the intelligence community report that Director Comey’s FBI computer was illegally accessed immediately after he was dismissed from his post. They further report that ‘removable media’ was used in the commission of this crime. ‘Removable media’ is a category describing physical devices that can be placed into a computer, either to download information or to upload it, such as a memory card, a USB stick, a removable hard drive, a thumb drive or similar items.

Sources further report that a person or persons allied to Donald Trump passed data accessed from Director Comey’s computer to Russian diplomats. It is not known when or how this took place. A piece of removable media containing all the data in question has been recovered from hostile actors, sources say, and is now in the possession of the Justice Department.

Director Comey is said to have known in advance that Mr. Trump would dismiss him. He took careful steps, these sources say, to leave not only a paper trail as we have seen in the story of the ‘Comey Memo’ but also a digital one. Director Comey’s own primary work computer, and other computers in and around his former office, were fitted with sophisticated intelligence community software allowing the Justice Department to see precisely how and when they were attacked.
The official Foreign Ministry of Russia’s Twitter account posted a tweet showing Foreign Minister Lavrov laughing with Rex Tillerson, the Secretary of State who has won the Order of Friendship of Vladimir Putin, over Director Comey’s firing, on the day Donald Trump hosted the Russians in the White House and verbally gave them top-secret allied intelligence, later published by the Russian news agency Tass.

White House sources say Trump has already discussed his resignation more than once. Perhaps when he discovers that the justice and intelligence communities are well aware he breached Director Comey’s computer and handed FBI data to Russia, he may decide to spare the nation further trauma and resign.

If he becomes President, Mike Pence will be unable to pardon Donald Trump for any crimes at the state level.

More on this story as we receive it.

https://patribotics.blog/2017/05/17/comeys-fbi-computer-illegally-accessed-data-given-to-russian-diplomats/

Thursday, March 30, 2017

Majority Want Trump To Resign If His Campaign Colluded With Russia

If the Trump campaign worked with Russia to sway the 2016 election, the American people want the president to start packing his bags.

By Sean Colarossi

If it turns out that Donald Trump’s campaign did, indeed, work with the Russians to defeat Hillary Clinton in last fall’s presidential election, a majority of the country – 53 percent – thinks the president should resign.

According to the explosive new poll from Public Policy Polling (PPP), which debuted Wednesday night on MSNBC’s Rachel Maddow Show, the American people said – by a 14-point margin – that Trump should step down if there was collusion.



Another result revealed on Maddow’s program found that a plurality of the country believes Trump’s campaign did, in fact, work with Russia to swing the 2016 election in his favor.

If you’re keeping score at home: The American people think both that Trump’s campaign colluded with Russia and that the president should resign as a result.

While there is endless political polling released on a weekly basis asking about hypothetical scenarios, what should be terrifying to the White House is that the explosive Russia scandal is just one more investigation or one more small piece of evidence away from making the questions posed in the PPP survey a reality.

At that point, the president will have to face a country that doesn’t just believe he isn’t doing a good job, as polls repeatedly suggest, but also that he should no longer have the job at all.

Friday, March 10, 2017

Moscow's work didn't end on Nov. 8, 2016

Rachel Maddow Says Helping Trump Become POTUS Was Only The Beginning Of Russia’s Operation
 
Maddow says there is growing evidence that Moscow's work didn't end on Nov. 8, 2016 – that was only the opening act. 


The MSNBC star said events that have unfolded during Trump’s time in office show that “Russia may now be reaping its reward, maybe getting what it wants out of the United States government as payback for running the successful op that helped install the new head of the American government.”



During the opening of her show, Maddow said that it’s one thing for the Trump campaign and its officials to meet and seemingly work with the Russians during the campaign – but it’s becoming apparent that the election may have just been the opening act of Moscow’s operation.

The new development that WikiLeaks – the same folks that worked with the Russians to expose hacked DNC emails last year – released a trove of classified CIA material is further proof, Maddow says, that the Russians are likely still trying to meddle in U.S. affairs at the direction of Vladimir Putin. Instead of influencing an election, the goal now seems to be disrupting and undermining U.S. intelligence agencies.

As usual, there is a connection between the latest WikiLeaks release and the President of the United States.

As Maddow pointed out, Trump supporter Nigel Farage, who recently had dinner with Trump, met with WikiLeaks founder Julian Assange just two days after the classified CIA information was reportedly released by the organization. When asked why he was visiting Assange, Farage said he “couldn’t remember.”

While the focus is rightfully on Russia’s involvement in last year’s election and what connection the Russians had with the Trump campaign, it’s also important to consider that Moscow now may be influencing our government. In other words, the election may have just been the beginning.

Maddow brings that point home:
The Russian government attacked our election. The Russian government was in contact with multiple Trump campaign sources while they were doing it. Russian nemeses in the American government – U.S. State Department, CIA – are not faring well since Donald Trump came to power. Is the operation that Russia started during the campaign, is it over? Or are they still running it? Are we still in this now?
It’s unsettling to consider the possibility that Russia, after helping put Donald Trump in the White House, is still influencing U.S. affairs. But there is mounting evidence that Moscow’s work didn’t end on Nov. 8, 2016 – that was only the beginning.

Rednecked, Racist Attorney General Jefferson Beauregard Sessions III Won't Rule Out Using Mafia Law To Go After Legal Marijuana


http://www.alternet.org/drugs/attorney-general-sessions-rule-out-using-mafia-law-go-after-legal-marijuana

Friday, December 2, 2016

DS Programming For Newbies

This is a PDF file that contains the posts made by Foxi4 in this post as an introduction into C programming.

This is so that people can download & view on mobile devices or print out, without having to go through each & every post he's done.

Saturday, April 30, 2016

The Blacklist - The Artax Network S3 E20

Reeling with grief, the task force hunts the organization behind Liz's failed abduction - who is Solomon working for and why was Liz the target? Meanwhile, Red confronts a man from his past. Brian Dennehy guest stars.


Tuesday, February 23, 2016

Why The Apple VS Govt Storyline Is A Fake Designed To Distract The Public

 
The backdoor is already in the iPhone.
 

The media is erupting over the FBI’s demand that Apple help it decrypt an iPhone belonging to Syed Rizwan Farook, one of the attackers involved in the assault in San Bernardino this past December.

Originally Apple wanted the FBI to keep things on the down low, asking the Feds to present their application for access under seal. But for whatever reason the FBI decided to go public. Apple then put on a big show of resistance and now there are legislators threatening to change the law in favor of the FBI. Yet concealed amid this unfolding drama is a vital fact that very few outlets are paying attention to.

Tim Cook protests that Apple is being asked to create “a new version of the iPhone operating system.” This glib talking point distracts attention from the reality that there’s essentially a backdoor on every new iPhone that ships around the world: the ability to load and execute modified firmware without user intervention.

Ostensibly software patches were intended to fix bugs. But they can just as easily install code that compromises sensitive data. I repeat: without user intervention. Apple isn’t alone in this regard. Has anyone noticed that the auto-update feature deployed with certain versions of Windows 10 is impossible to turn off using existing user controls?

Update features, it would seem, are a bullseye for spies. And rightly so because they represent a novel way to quietly execute malicious software. This past September the Washington Post published a leaked memo from the White House which proposed that intelligence agencies leverage “provider-enabled remote access to encrypted devices through current update procedures.” Yep, the same update procedures that are marketed as helping to keep users safe. And it would appear that the spies are making progress. There’s news from Bloomberg of a secret memo that tasked spymasters with estimating the budgetary requirements needed to develop “encryption workarounds.”

And, finally, please notice throughout this whole ordeal how the Director of the NSA, unlike the vociferous FBI director, has been relatively silent. With a budget on the order of $10 billion at its disposal the NSA almost certainly has something equivalent to what the courts have asked Apple to create. The NSA probably doesn’t want to give its bypass tool to the FBI and blow its operational advantage. After all, the NSA is well versed in the art of firmware-level manipulation. Experts have opined that for a few million (a drop in the bucket for a spy outfit like the NSA or CIA) this capability could be implemented. NSA whistleblower William Binney tends to agree. When asked what users could do to protect themselves from the Deep State’s prying eyes Binney replied:
“Use smoke signals! With NSA’s budget of over $10 bill a year, they have more resources to acquire your data than you can ever hope to defend against.
This has to be addressed in law and legislation. Call your local governmental representative and complain, otherwise, if you sit and do nothing… you are fucked!!!”
So while Apple manufactures the perception that it’s fighting for user privacy, keep in mind that the media’s Manichean narrative of “good vs. evil” doesn’t necessarily explain what’s transpiring.

Despite cheerleading by Ed Snowden and others, Apple is not the company that it would have us believe it is. Apple has a long history of helping the government crack iPhones and security researchers have already unearthed any number of hidden services lurking below the iPhone’s surface.

The public record over the past several decades informs that ersatz public opposition often conceals private collusion. And Apple, dear reader, is no stranger when it comes to clandestine government programs. The sad truth is that government spies and corporate data hoarders assemble in the corridors of the American Deep State protected by a veil of official secrecy and sophisticated propaganda.


Wednesday, November 4, 2015

Hackers Expose 11 Major Security Flaws In Samsung Galaxy S6 Edge











Thursday, August 27, 2015

Who Hacked Ashley Madison?

By Brian Krebs

AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.


It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: It was a link to the proprietary source code for Ashley Madison’s service.
Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.

I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.

After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.

On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.

The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”

I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?

Twitter user ThadeusZu tweets about setting up replication servers. Did you spot the Youtube video he’s playing when he took this screenshot?

Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”

A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.

ThadeusZu tweeted about the downloadable Ashley Madison data more than 24 hours before news outlets picked up on the cache.


WHO IS THADEUS ZU?

As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterings appear to be filled with kernels of truth surrounded by complete malarkey – thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).

Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures that are taken from stock image collections and do not appear to be personal photos of any kind.

A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.
Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.

That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here.

Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. (Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Drameh and Kick Gurry, co-stars in the movie Edge of Tomorrow.)

Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in south Australia.

Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).

Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl,” (“Oz” is another word for Australia) uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.
Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu tweeted:

“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange”
A month later, on Feb. 7, 2014, Zu offered this tidbit of info:

“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”
To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does; he sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.

But there may be something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. But this is far more difficult to do when the Twitter user in question never actually participates in threaded conversations.

People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.

Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.

It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.

KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous. Weaver has published some additional thoughts on this post over at Medium.

Tuesday, May 19, 2015

All The Ways Your Smartphone Is Spying On You 24/7

"Have you ever wondered how Google tracks where you are? How about what those terms and conditions mean when you access free Wi-Fi?

As scary as it sounds, your smartphone’s apps share a lot of the private information on your device with marketing agencies, phone operators and other private companies. But where does all that data go? And what happens to it?

AJ+ and the interactive documentary series “Do Not Track” investigate."

The full interactive experience from Do Not Track: http://www.donottrack-doc.com


Tuesday, February 17, 2015

NSA hiding Equation spy program on hard drives



By JOSEPH MENN

Equation infection: Kaspersky Labs says the highest number of machines infected with Equation programs were in Iran, Russia and Pakistan.

The US National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyber-espionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.
Kaspersky Labs - The areas of government Equation has been able to infect by nation.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

NSA spokeswoman Vanee Vines declined to comment.

Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001.

The disclosure could further hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have hurt the United States' relations with some allies and slowed the sales of US technology products abroad.

The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

TECHNOLOGICAL BREAKTHROUGH

According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.

Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.

"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.

Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.

Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital, Seagate, Toshiba, IBM, Micron Technology and Samsung.

Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.

GETTING THE SOURCE CODE

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a road map to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.

Concerns about access to source code flared after a series of high-profile cyber attacks on Google Inc and other US companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big US tech and defense companies.

It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive US agency, the government can request a security audit to make sure the source code is safe.

"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."

Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas.

The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.

Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.
 - Reuters

Tuesday, January 27, 2015

EFF’s Game Plan for Ending Global Mass Surveillance

By Rainey Reitman

We have a problem when it comes to stopping mass surveillance. 

The entity that’s conducting the most extreme and far-reaching surveillance against most of the world’s communications—the National Security Agency—is bound by United States law.

That’s good news for Americans. U.S. law and the Constitution protect American citizens and legal residents from warrantless surveillance. That means we have a very strong legal case to challenge mass surveillance conducted domestically or that sweeps in Americans’ communications.

Similarly, the United States Congress is elected by American voters. That means Congressional representatives are beholden to the American people for their jobs, so public pressure from constituents can help influence future laws that might check some of the NSA’s most egregious practices.

But what about everyone else? What about the 96% of the world’s population who are citizens of other countries, living outside U.S. borders? They don't get a vote in Congress. And current American legal protections generally only protect citizens, legal residents, or those physically located within the United States. So what can EFF do to protect the billions of people outside the United States who are victims of the NSA’s spying?

For years, we’ve been working on a strategy to end mass surveillance of digital communications of innocent people worldwide. Today we’re laying out the plan, so you can understand how all the pieces fit together—that is, how U.S. advocacy and policy efforts connect to the international fight and vice versa. Decide for yourself where you can get involved to make the biggest difference.

This plan isn’t for the next two weeks or three months. It’s a multi-year battle that may need to be revised many times as we better understand the tools and authorities of entities engaged in mass surveillance and as more disclosures by whistle-blowers help shine light on surveillance abuses.

If you’d like an overview of how U.S. surveillance law works, check out our addendum.

Intro: Mass Surveillance by NSA, GCHQ and Others 

The National Security Agency is working to collect as much as possible about the digital lives of people worldwide. As the Washington Post reported, a former senior U.S. intelligence official characterized former NSA Director Gen. Keith Alexander’s approach to surveillance as “Collect it all, tag it, store it… And whatever it is you want, you go searching for it.”

The NSA can’t do this alone. It relies on a network of international partners who help collect information worldwide, especially the intelligence agencies of Australia, Canada, New Zealand, and the United Kingdom (collectively known, along with the United States, as the “Five Eyes.”) In addition, the United States has relationships (including various levels of intelligence data sharing and assistance) with Belgium, Denmark, France, Germany, Israel, Italy, Japan, the Netherlands, Norway, Singapore, Spain, South Korea, Sweden, and potentially a number of other countries worldwide.

There are also other countries—like Russia, China, and others—engaging in surveillance of digital communications without sharing that data with the NSA. Some of those governments, including the U.S. government, are spending billions of dollars to develop spying capabilities that they use aggressively against innocent people around the world. Some of them may do so with even less oversight and even fewer legal restrictions.

Although whistle-blowers and journalists have focused attention on the staggering powers and ambitions of the likes of the NSA and GCHQ, we should never assume that other governments lack the desire to join them. Agencies everywhere are hungry for our data and working to expand their reach. Read about international surveillance law reform and fighting back through user-side encryption.

We focus here on the NSA because we know the most about its activities and we have the most legal and political tools for holding it to account. Of course, we need to know much more about surveillance practices of other agencies in the U.S. and abroad and expand our work together with our partners around the world to confront surveillance as a worldwide epidemic.

Mass surveillance is facilitated by technology companies, especially large ones. These companies often have insufficient or even sloppy security practices that make mass surveillance easier, and in some cases may be actively assisting the NSA in sweeping up data on hundreds of millions of people (for example, AT&T). In other cases, tech companies may be legally compelled to provide access to their servers to the NSA (or they may choose to fight that access). Read more about how tech companies can harden their systems against surveillance.

The NSA relies on several laws as well as a presidential order to justify its continued mass surveillance. Laws passed by Congress as well as orders from the U.S. President can curtail surveillance by the NSA, and the Supreme Court of the United States also has authority to put the brakes on surveillance.

The Game Plan

Given that the American legal system doesn’t adequately protect the rights of people overseas, what can we do in the immediate future to protect Internet users who may not be Americans?

Here’s the game plan for right now. Note that these are not consecutive steps; we’re working on them concurrently.

1. Pressure technology companies to harden their systems against NSA surveillance

To date, there are unanswered questions about the degree to which U.S. technology companies are actively assisting the NSA.

In some cases, we know that tech companies are doing a lot to help the NSA get access to data. AT&T is a clear example of this. Thanks to whistle-blower evidence, we know AT&T has a secret room at its Folsom Street facility in San Francisco where a fiber optic splitter creates a copy of the Internet traffic that passes through AT&T’s networks. That splitter routes data directly to the NSA.

Some companies have taken things a step further and deliberately weakened or sabotaged their own products to "enable" NSA spying. We don't know who's done this or what they've done, but the NSA documents make clear that it's happening. It's the height of betrayal of the public, and it could conceivably be taking place with the help even of some companies that are loudly complaining about government spying.

So what do we know about major tech companies, like Google, Facebook, Yahoo, and Microsoft? Here we have mixed reports. Documents provided by Edward Snowden and published in the Guardian and the Washington Post name nine U.S. companies—Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple—as participants in the NSA’s PRISM program. The documents indicate that the NSA has access to servers at each of these companies, and imply that these companies are complicit in the surveillance of their users.

The companies, in turn, have strongly denied these allegations, and have even formed a lobby group calling on governments to "limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of Internet communications."

While a start, that’s a far cry from the role companies could be playing. Tech companies also have the ability to harden their systems to make mass surveillance more difficult, and to roll out features that allow users to easily encrypt their communications so that they are so completely secure that even their service providers can’t read them. Perhaps most importantly, technology companies must categorically resist attempts to insert back doors into their hardware or software.

There's also an important legal issue that can't be ignored. Tech companies are in a unique position to know about surveillance requests that are kept secret from the press and the public. These companies may have the best chance to fight back on behalf of their users in court (as Yahoo has done).

What’s more, tech companies literally spend millions of dollars to lobby for laws in Washington and enjoy incredible access to and influence over U.S. lawmakers. Often, companies spend that money trying to derail potential regulation. Instead, these companies could be heavily prioritizing positive surveillance reform bills.

So how do we get tech companies to start fighting surveillance in court, hardening their systems against surveillance, pushing back against the administration, and lobbying for real reform? We’re focused on transparency—uncovering everything we can about the degree to which big tech companies are actively helping the government—and public pressure. That means highlighting ways that companies are fighting surveillance and calling out companies that fail to stand up for user privacy.  

It’s why we’re proud to support the Reset the Net campaign, designed to get companies big and small to take steps to protect user data. It's also why we're working to make what companies do and don't do in this area more visible. Campaigns like HTTPS Everywhere and our work on email transport encryption, as well as scorecards like Who Has Your Back are designed to poke and prod these companies to do more to protect all their users, and get them to publicly commit to steps that the public can objectively check.

We also need to cultivate a sense of responsibility on the part of all those who are building products to which the public entrusts its most sensitive and private data. The people who create our computing devices, network equipment, software environments, and so on, need to be very clear about their responsibility to the users who have chosen to trust them. They need to refuse to create backdoors and they need to fix any existing backdoors they become aware of. And they need to understand that they themselves, unfortunately, are going to be targets for governments that will try to penetrate, subvert, and coerce the technology world in order to expand their spying capabilities. They have a grave responsibility to users worldwide and we must use public pressure to ensure they live up to that responsibility.

2. Create a global movement that encourages user-side encryption

Getting tech giants to safeguard our digital lives and changing laws and policies might be slow going, but anybody could start using encryption in a matter of minutes. From encrypted chat to encrypted email, from secure web browsing to secure document transfers, encryption is a powerful way to make mass surveillance significantly more difficult.

However, encryption can be tricky, especially if you don’t have a team of engineers to walk you through it the way we do at EFF. With that in mind, we’ve created Surveillance Self Defense, an in-depth resource that explains encryption to folks who may want to safeguard their data but have little or no idea how to do it.

We’ve already translated the materials into Spanish and Arabic, and we’re working on even more translations.

We’ll continue to expand these materials and translate them into as many languages as possible, while also doing a public campaign to make sure as many people as possible read them.

Again, the more people worldwide understand the threat and the more they understand how to protect themselves—and just as importantly, what they should expect in the way of support from companies and governments—the more we can agitate for the changes we need online to fend off the dragnet collection of data.

3. Encourage the creation of secure communication tools that are easier to use

Many of the tools that are using security best practices are, frankly, hard to use for everyday people. The ones that are easiest to use often don’t adopt the security practices that make them resilient to surveillance.

We want to see this problem fixed so that people don’t have to trade usability for security. We’re rolling out a multi-stage Campaign for Secure and Usable Crypto, and we kicked it off with a Secure Messaging Scorecard. The Secure Messaging Scorecard is only looking at a few criteria for security, and the next phases of the project will home in on more challenging security and usability objectives.

The goal? Encouraging the development of new technologies that will be secure and easy for everyday people to use, while also pushing bigger companies to adopt security best practices.

4. Reform Executive Order 12333

Most people haven’t even heard of it, but Executive Order 12333 is the primary authority the NSA uses to engage in the surveillance of people outside the U.S. While Congress is considering much-needed reforms to the Patriot Act, there’s been almost no debate about Executive Order 12333.

This executive order was created by a stroke of the pen from President Ronald Reagan in 1981.

President Obama could undo the worst parts of this executive order just as easily, by issuing a presidential order banning mass surveillance of people regardless of their nationality.

We’ve already launched the first phase of our campaign to reform Executive Order 12333.

5. Develop guiding legal principles around surveillance and privacy with the help of scholars and legal experts worldwide

The campaign got started well before the Snowden leaks began. It began with a rigorous policy document called the International Principles on the Application of Human Rights to Communications Surveillance, which features 13 guiding principles about limiting surveillance. Written by academics and legal experts from across the globe, the principles have now been endorsed by over 417 NGOs and 350,000 individuals worldwide, and have been the basis for a pro-privacy resolution successfully passed by the United Nations.

The 13 Principles, as they're also known, are also meant to work both locally and globally. By giving politicians and activists the context for why mass surveillance is a violation of established international human rights law, they make it clear that legalizing mass surveillance—a path promoted by the Five Eyes countries—is the wrong way forward. The 13 Principles are our way of making sure that the global norm for human rights in the context of communication surveillance isn't the warped viewpoint of NSA and its four closest allies, but that of 50 years of human rights standards showing mass surveillance to be unnecessary and disproportionate.

6. Cultivate partners worldwide who can champion surveillance reform on the local level, and offer them support and promotion

Katitza Rodriguez, EFF’s International Rights Director, is rarely in our San Francisco office. That’s because the majority of her time is spent traveling from country to country, meeting with advocacy groups on the ground throughout Latin America and parts of Europe to fight for surveillance law reform. Katitza and the rest of EFF’s international team assist these groups in working to build country-specific plans to end mass surveillance at home and abroad.

The goal is to engage activists and lawyers worldwide who can use the 13 Principles and the legal analyses we’ve prepared to support them at the national level to fight against the ongoing trend of increased surveillance powers. For example, we teamed up with activists in Australia, Mexico, and Paraguay to help fight data retention mandates in those countries, including speaking in the Paraguayan National Congress.

EFF is especially focused on countries that are known to share intelligence data with the United States and on trying to understand the politics of surveillance behind those data sharing agreements and surveillance law proposals.

We’ve been sharing with and learning from groups across the world a range of different tactics, strategies, and legal methods that can be helpful in uncovering and combating unchecked surveillance. Our partners are starting to develop their own national surveillance law strategies, working out a localized version of the Who Has Your Back campaign, evaluating strategic litigation, and educating the general public about the danger of mass surveillance.

In certain locales, these battles are politically and socially difficult, in particular in places where a culture of fear has permeated the society. We’ve seen anti-surveillance advocates wrongly painted as allies of pedophiles or terrorists. In at least one of the countries we’re working in, anonymity is forbidden in its constitution. For some of our partners, promoting a rational debate about checking government power abuses can risk their very freedom, with activists facing jail time or even more serious consequences for speaking out.

Establishing a bottom-up counter-surveillance law movement—even if it's one based on common sense and the entire history of modern democracies—isn't easy. It’s a titanic task that needs the involvement of advocates around the world with different tactics and strategies that are complementary. This is why we’ve also been working to make connections between activists in different countries, with case studies like the Counter-Surveillance Success Stories, and highlighting individuals who are proud to stand up and say "I Fight Surveillance." We’re also teaming up with partners, such as Panoptykon Foundation, to share the strategies and tactics they used in Europe with local groups in Latin America and vice versa. We're working closely with groups in the Middle East and North Africa, such as 7iber and SMEX, to track, report on, and coordinate responses to state surveillance in these regions.

All of this has helped inform the work we've done in venues like the United Nations, the Office of the High Commissioner on Human Rights, and the Inter-American Commission on Human Rights, where EFF and our allies are helping—with great success—the legal minds there wrap their heads around this new age of state violations of the right to privacy and free expression.

Meanwhile, back in Washington...

7. Stop NSA overreach through impact litigation and new U.S. laws

Executive Order 12333 may be the presidential command that sets the agenda for mass surveillance, but U.S. law also plays a huge role. The NSA claims (often wrongly) that certain U.S. laws allow surveillance of all Internet users, with almost zero oversight of its spying on non-U.S. persons. There's the FISA Amendments Act, which the NSA believes allows it to spy on groups of people instead of using directed warrants and to scoop up all of the Internet traffic it can, and grants it carte blanche to target anyone overseas on the grounds that they are potentially relevant to America's "foreign interests." And then there's the Patriot Act, which has been loosely interpreted by the NSA to permit the dragnet surveillance of phone records.
 
Fighting these laws is the bread and butter of our domestic legal team. Our lawsuits, like Jewel v. NSA, aim to demonstrate that warrantless surveillance is illegal and unconstitutional. Our grassroots advocacy is dedicated to showing American lawmakers exactly how U.S. law is broken, what must be done to fix it, and the powerful movement of people working for change.

You can read more details about American law in our addendum below, but here's the upshot: we have to fix the law if we're to stop these secret agencies spying on the world. And we have to make sure that no new tricks are being planned.

That means chipping away at the culture of secrecy that lies at the heart of this mess.

8. Bring transparency to surveillance laws and practices

One of the greatest challenges we face in attempting to end mass surveillance is that we don’t know what we don’t know. Thanks to whistleblower evidence, statements by certain public officials, and years of aggressive litigation under the Freedom of Information Act, we’ve confirmed that the NSA is engaged in mass surveillance of our communications and that it is primarily relying on three legal authorities to justify this surveillance.

But what if the NSA is relying on seven other legal authorities? What if there are other forms of surveillance we have not yet heard about? What if the NSA is partnering with other entities (different countries or different branches of the U.S. government) to collect data in ways we can’t imagine?

It’s extremely difficult to reform the world of surveillance when we don’t have a full picture of what the government is doing and how it’s legally justifying those actions.

With that in mind, we are working to fight for more transparency by:
  • Working to reform the broken classification system, which keeps the government’s actions hidden from public oversight.
  • Using Freedom of Information Act requests and lawsuits to gain access to government documents that detail surveillance practices (and their legal justifications).
  • Helping allies, like Germany and Brazil, to put pressure on the United States to justify its surveillance practices.
  • Educating people about the value of whistleblowers and the important role they play in combating secrecy. This includes advocacy for organizations and platforms like Wikileaks that defend and promote the work of whistleblowers. It also includes highlighting the important contributions provided by whistleblowers like Mark Klein, Bill Binney, Thomas Drake, Edward Snowden, and others.

Global Solutions for a Global Problem

Mass surveillance affects people worldwide, reaching everywhere that the Internet reaches (and many places that it doesn’t!). But laws and court systems are divvied up by jurisdictional lines that don’t make sense for the Internet today. This means we need a range of tactics that include impact litigation, technological solutions, and policy changes both in the United States and across the globe.

This game plan is designed to give you insight into how U.S. laws and policies affect people worldwide, and how we can work to protect people outside of America’s borders.

We're up against more than just a few elements in the American administration here. We're up against a growing despondency about digital privacy, and we're up against the desire of spooks, autocrats, and corporations jockeying for intelligence contracts in every nation, all of whom want to shore up these surveillance powers for themselves. But we work side-by-side with hundreds of other organizations around the world and thousands of supporters in nearly every country. We have the amazing power of technology to protect privacy, organize opposition, and speak up against such damning violations of human rights.

We’re continuing to refine our plan, but we wanted to help our friends understand our thinking so you can understand how each of our smaller campaigns fits into the ultimate objective: secure, private communications for people worldwide.

It's what we’re doing to fight surveillance. But what can you do?

You can join your local digital rights organization, of which there are now hundreds, in almost every nation (and if there isn't one in yours, ask us for advice on starting one). You can pressure companies to increase your protection against government espionage and support companies that make a stand.

You can sign our petition about Executive Order 12333 and help spread the word to others. You can use encryption to protect yourself and raise the cost of mass surveillance, and you can teach your friends and colleagues to use it too. You can personally refuse to cooperate with surveillance and promote privacy protections inside institutions you're a part of. You can tell your friends and colleagues the real risks we are running and how we can turn this mess around.

And whether you're in the United States or not, you can support our plan by becoming a member of EFF.

Addendum: Laws & Presidential Orders We Need to Change

One of the best ways to end mass surveillance by the NSA is to change the United States law to make clear that warrantless surveillance is illegal. However, that’s a little challenging. The NSA is relying on a patchwork of different laws and executive orders to justify its surveillance powers.

Here are a few we know we need to change. Note that there are other parts of U.S. law that may need revision (including provisions such as the Pen Register Trap and Trace and National Security Letters), but this is where we're focusing our energies currently as the primary known authorities used to justify mass surveillance:

Section 215 of the Patriot Act, Known as the "Business Records" Section

Read the law

What it does: The section of the law basically says that the government can compel the production of any "tangible things" that are "relevant" to an investigation.

Why you should care: The NSA relies on this authority to collect, in bulk, the phone records of millions of Americans. There are suggestions it's also being used to collect other types of records, like financial records or credit card records, in bulk as well.

How we can stop it: There are a few ways to fix Section 215. One way is to pass a reform bill, such as the USA FREEDOM Act, which would make clear that using Section 215 to conduct bulk collection is illegal. The USA FREEDOM Act failed to pass in the Senate in 2014, which means it would need to be reintroduced in 2015.

However, there’s an even easier way to defeat this provision of the law. This controversial section of the Patriot Act expires every few years and must be reauthorized by Congress. It’s up for renewal in June 2015, which means Congress must successfully reauthorize the section or it will cease to be a law. We’re going to be mounting a huge campaign to call on Congress not to reauthorize the bill.

We also have three legal cases challenging surveillance conducted under Section 215: Jewel v. NSA, Smith v. Obama, and First Unitarian Church of Los Angeles v. NSA.

Section 702 of the FISA Amendments Act

Read the law

What it does: This section of law is designed to allow the NSA to conduct warrantless surveillance within the U.S. when the intended target is overseas.

Why you should care: The NSA relies on this law to support PRISM, which compels Internet service providers like Google, Apple, and Facebook to produce their users' communications. The NSA's upstream surveillance—which includes tapping into fiber optic cables of AT&T and other telecommunications providers—also relies on this provision. Through these two surveillance options, the NSA "targets" subjects for surveillance. But even when the NSA is "targeting" specific foreign intelligence subjects overseas, they’re "incidentally" collecting communications on millions of people, including both Americans and innocent people abroad.

How we can stop it: Currently, there aren’t any reform bills that show promise. We’re working on educating the public and Congress about Section 702 and the FISA Amendments Act. In 2017, this authority will be up for reauthorization. We’ll be planning a big campaign to demolish this invasive and oft-abused surveillance authority.

Executive Order 12333

Read the executive order

What it does: Executive orders are legally binding orders given by the President of the United States which direct how government agencies should operate. Executive Order 12333 covers "most of what the NSA does" and is "the primary authority under which the country’s intelligence agencies conduct the majority of their operations."

Why you should care: Executive Order 12333 is the primary authority the NSA uses to conduct its surveillance operations—including mass surveillance programs—overseas. Reforming mass surveillance requires reforming the NSA's authority under EO 12333.

How we can stop it: Executive Order 12333 was created by a presidential order, and so a presidential order could undo all of this damage. That’s why we’re pressuring President Obama to issue a new executive order affirming the privacy rights of people worldwide and ending mass surveillance.

The Funding Hack

While passing a bill through Congress is extremely challenging, another (somewhat more controversial) method of ending this surveillance is through the budget system. Every year, Congress must approve the defense budget. This frequently becomes a contentious battle with numerous amendments introduced and debated. We may see an amendment that tackles some form of surveillance.