Monday 24 March 2014

Windigo Hijacks 25,000 Servers to Spew Out Spam, Malware

Attackers infected and seized control of over 25,000 Unix servers to create a massive spam and malware distribution platform, ESET said. Linux and Unix administrators need to immediately check if their servers are among the victims.
The gang behind the attack campaign uses the infected servers to steal credentials, distribute spam and malware, and redirect users to malicious sites. The infected servers send 35 million spam messages each day, and redirect half a million Web visitors to malicious sites daily, said Pierre-Marc Bureau, a security intelligence program manager at ESET. The researchers believe the campaign, dubbed Operation Windigo, has hijacked over 25,000 servers in the past two-and-a-half years. The group currently has 10,000 servers under their control, Bureau said.
ESET released a technical paper with more details about the campaign, and included a simple ssh command which administrators can use to figure out if their servers have been hijacked. If that happens to be the case, administrators should re-install the operating system on the infected server and change all credentials ever used to log into the machine. Since Windigo harvested credentials, administrators should assume all passwords and private OpenSSH keys used on that machine are compromised and should be changed, ESET warned. The recommendations apply to both Unix and Linux administrators.
Wiping the machine and re-installing the operating system from scratch may sound a little extreme, but considering that the attackers had stolen administrator credentials, installed backdoors, and had gained remote access to the servers, taking the nuclear option seems necessary.
Attack Elements
Windigo relies on a cocktail of sophisticated malware to hijack and infect the servers, including Linux/Ebury, an OpenSSH backdoor and credential stealer, as well as five other pieces of malware. Over the course of a single weekend, ESET researchers observed more than 1.1 million different IP addresses passing through Windigo's infrastructure before being redirected to malicious sites.
Websites compromised by Windigo in turn infected Windows users with an exploit kit pushing click fraud and spam-sending malware, showed questionable advertisements for dating sites to Mac users, and redirected iPhone users to online porn sites. Well-known organizations such as cPanel and kernel.org were among the victims, although they have cleaned their systems, Bureau said.
Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, OS X, and even Windows, Bureau said.
Rogue Servers
Considering that three in five of the world's websites are running on Linux servers, Windigo has plenty of potential victims to play with. The backdoor used to compromise the servers was installed manually and exploits poor configuration and security controls, not software vulnerabilities in the operating system, ESET said.
"This number [10,000 servers] is significant if you consider each of these systems has access to significant bandwidth, storage, computing power and memory," said Bureau.
A handful of malware-infected servers can cause a lot more harm than a large botnet of regular computers. Servers generally have better hardware and processing power, and have faster network connections than end-user computers. Recall that the powerful distributed denial of service attacks against various banking websites last year originated from infected Web servers in data centers. If the team behind Windigo ever switches tactics from just using the infrastructure to spread spam and malware to something even nastier, the resulting damage could be significant.

Fake video of Malaysia Airlines flight MH370 rescue is ‘callous’ cyber scam

A post promising a video of a plane landing on water has been circulating on Facebook, with a title suggesting that it contains news footage showing the rescue of passengers on board the missing Malaysia Airlines flight MH370 – but the video is a ‘callous’ cyber scam, according to Hoax-Slayer, and in fact shows a plane landing on water in Bali in 2013.
IT Pro Portal reports that one variant of the scam is a ‘video’ titled, “Malaysia Plane MH370 Has Been Spotted Somewhere Near Bermuda Triangle. Shocking Videos Release Today”, and that the video is being used to spread malware. Other reports say that variants of the scam are used to direct users to spread the video via Facebook, and complete bogus surveys, used by cybercriminals to harvest personal details from their victims.
IT Pro Portal points out that the Bermuda Triangle is 10,000 miles from the last point of contact with the flight.
The Epoch Times reports that the images show a plane crash near Bali in Indonesia in 2013, where 100 passengers were rescued after a plane landed on water. In all reported variants of the scam, there is no video to click through to – just surveys designed to steal personal information, or bogus downloads which are in fact malware.
Hoax-Slayer describe the scam as a ‘callous’ variant on a common cybercriminal trick of using posts which promise ‘sensational’ viral videos to harvest personal information or spread malware.
“The image used in the scam post shows a Lion Air passenger plane that crashed into the sea, when landing on Bali in April 2013. While there were some injuries in the crash, there were no fatalities. The picture has no connection whatsoever with flight MH370,” the site reports. “Once they have shared [on Facebook] as requested, users will then be taken to another fake page that supposedly hosts the video. However, a popup ‘Security Check’ window will appear that claims that they must prove that they are human by clicking a link and participating in an online survey or offer. But, no matter how many surveys or offers they complete, they will never get to see the promised video.”
Scammers often target Facebook with copies of viral content – or entirely fake, sensational videos, such as ‘Giant Snake Swallows Zookeeper’, as reported by We Live Security this year.
In many cases, scam videos will install a ‘rogue’ Facebook app to spread rapidly via the network – but as reported here, such scams can, in the worst case scenario, lead to tainted sites which infect users with malware.

Facebook’s ‘Deepface’ photo-matching is nearly as good as human brains

Facebook’s ‘Deepface’ photo-matching software can now ‘recognize’ pairs of human faces with an accuracy just a fraction of a percentage point behind human beings – a huge leap forward in the technology, which some see as having potentially alarming implications for privacy.
Deepface can now match two previously unseen photos of the same face with 97.25% accuracy – humans can do the same with around 97.5% accuracy, a difference which TechCrunch describes as “pretty much on par”.
Facebook uses its current facial recognition software to ‘tag’ people in photos, which is used widely around the world. Although Deepface is a research project, and unrelated to the technology used on the site, it “closes the vast majority of the performance gap” with human beings according to the Facebook researchers behind it (PDF research paper here), and can recognise people regardless of the orientation of their face, lighting conditions and image quality.
Publications such as Stuff magazine describe the technology as “creepy”, saying that were it implemented “in the wild” it should make site users “think twice” about posting images such as “selfies.”
Deepface uses deep learning to leap ahead of current technology – an area of AI which uses networks of simulated brain cells to ‘recognize’ patterns in large datasets, according to MIT’s Technology Review.
Yaniv Taigman of Facebook’s AI team says, “You don’t normally see that sort of improvement. We closely approach human performance.”
The leap forward in performance cuts errors by more than 25% in the accuracy – achieved, Taigman says in Facebook’s brief description of the milestone, by 3D modeling faces, and using a “nine-layer deep neural network” to analyze 120 million parameters. Business Insider describes the process as akin to using the 3D software to turn faces “forward” for comparison.
Deepface was “trained” using a dataset of four million facial images belonging to 4,000 individuals, Taigman says.
“Our method reaches an accuracy of 97.25% on the Labeled Faces in the Wild (LFW) dataset, reducing the error of the current state of the art by more than 25%,” Taigman says, noting that the software is “Closely approaching human-level performance.”
In a paper entitled, Deepface: Closing the Gap to Human-Level Performance in Face Verification, Taigman and his co-authors write, “We believe that this work, which departs from the recent trend of using more features and employing a more powerful metric learning technique, has addressed this challenge, closing the vast majority of this performance gap [as compared with humans],” saying that Deepface can be applied to various populations, regardless of pose, illumination or image quality.
“Our work demonstrates that coupling a 3D model-based alignment with large capacity feedforward models can effectively learn from many examples to overcome the drawbacks and limitations of previous methods.”

“You have cancer” phishing attack shows how low cybercriminals will go

A “particularly unpleasant” phishing email purporting to be the results of a blood count report showing that the recipient may have cancer is circulating in the UK, claiming to be sent from a government health care organization, and containing an infected attachment claiming to be a blood analysis report.
NICE (the National Institute for Health and Care Excellence) has posted a spam warning, saying, “NICE is aware that a spam email is being sent to members of the public regarding cancer test results. Please be assured that this email is not from NICE and we are currently investigating its origin. If you have received the email, do not open the attachments.”
Eduard Kovacs of Softpedia reports that the emails arrive with the subject line “IMPORTANT: blood analysis results” and appear to come from the email address, “no_reply@nice.org.uk.”
British anti-fraud organization Action Fraud warns users that the file is “likely to contain malware” and reports that one variant of the email says, “We have been sent a sample of your blood analysis for further research. During the complete blood count (CBC) we have revealed that white blood cells is very low, and unfortunately we have a suspicion of a cancer… We suggest you to print out your CBC test results and interpretations in attachment below and visit your family doctor as soon as possible. Sincerely, Dr.Moon Earnest.”
ESET Senior Research Fellow David Harley describes the phishing attack as “particularly unpleasant” in a blog post, and says, “This is more than spam: it contains an attachment claimed to be a blood count report suggesting that the recipient may have cancer, but in fact it’s a password stealer.”
Harley points out that certain features of the email are unconvincing, and that the criminals rely on users panicking, “Firstly, it’s likely that if you’d given a sample for a blood test you’d remember. However, there’s obviously a chance that some of these messages might reach people who have actually given samples recently, and would be more likely to be panicked into clicking on the malicious attachment. Secondly, NICE is not in the business of doing blood tests: its remit is rather more abstract. But again, the hope is that the victim will be too panicked to check properly.”

Revenue Service breach may have leaked data on 20,000 employees

Personal data for around 20,000 workers for the U.S. Internal Revenue Service (IRS), including names, social security numbers and addresses may have been exposed on the internet, after an employee plugged a thumb drive into a computer on an unsecured home network.
The breach affects 20,000 employees and ex-employees who worked in Pennsylvania, New Jersey and Delaware, the IRS said in a statement. No details about taxpayers, or tax records, were leaked in the breach, according to NBC’s report.
The commissioner of the IRS, John Koskinen, said that an unencrypted thumb drive had been plugged into an unsecured home network, meaning that the information had been potentially available to third parties online, according to news agency Reuters.

Koskinen said that, “At this point we have no direct evidence to indicate that this personal information has been used for identity theft or other inappropriate uses.” Many of the employees affected by the breach no longer work for the IRS, Koskinen said, and the agency would reach out to ex-employees to offer free identity theft monitoring, according to NBC’s report.
Koskinen said that the drive contained, “sensitive personnel information, including names, Social Security numbers and addresses, of some employees, former employees and contracted employees.”
ABC News reported that Republican Dave Camp, chairman of the House Ways and Means Committee, said, “In the past, the IRS has released personal taxpayer information to the public, and has not been able to effectively prevent and detect identity theft. This latest report is concerning. The IRS has repeatedly broken the American people’s trust, and the Ways and Means Committee will take a thorough look into this incident.”

Google Glass spyware lets snoopers “see through wearer’s eyes”

Spyware which stealthily takes photographs using Google Glass’s built-in camera and uploads them to a remote server without the user being aware has been demonstrated successfully on the eyepiece – despite Google’s policies explicitly forbidding programs which disable the screen while the camera is in use.
The spyware was designed by two California Polytechnic students, Mike Lady and Kim Paterson, who disguised their program as a note-taking app (albeit with a name that offers a clue to its actual function, Malnotes), and successfully loaded the app, which takes a photo every ten seconds and uploads it to the internet, according to Ars Technica’s report.
Google’s policies forbid programs which take pictures when its wearable Glass eyepieces are turned off – but there is nothing to stop users doing so, Forbes reported.
“The scary thing for us is that while it’s a policy that you can’t turn off the display when you use the camera, there’s nothing that actually prevents you from doing it,” Paterson told Forbes’ Andy Greenberg.
“As someone who owns Glass and wants to install more apps, I’d feel a lot better if it were simply impossible to do that. Policies don’t really protect us.”
The pair were able to upload Malnotes successfully to Google’s Play store, but were unable to sneak the app into the curated MyGlass store for Google Glass, Ars reports. Paterson noted that many Glass apps are currently “sideloaded” – i.e. not installed via official stores, but installed using developer tools in debug mode – as Glass is still in prototype.
“A lot of Glass developers are just hosting their apps from sites just to let other people try it. It’s sort of a wild-wild west atmosphere since very few apps are being released through the MyGlass store,” Paterson told Forbes. Paterson warned that if a user left Glass unattended, it would be easy to install such software without the wearer even being aware of its presence.
Google’s Glass eyepieces remain a hot topic for privacy advocates. Speaking to Business Insider, Daen de Leon, a software engineer, says that 13 bars and restaurants in San Francisco have an explicit “no Glass” policy, as well as others in Seattle, and Oakland, California.
After an incident where a Google Glass wearer was allegedly assaulted in a bar in Lower Haight for wearing the eyepieces, de Leon spoke to regulars and says that he “found her assumption that, as a complete stranger, she could enter a bar and just start recording regular customers without their permission quite disturbing.”

Target breach optioned as Sony feature film

The Target breach, and in particular the role of respected security blogger Brian Krebs in breaking the story, has been optioned as a feature film by Sony. The studio has bought the rights to the New York Times article, “Reporting From the Web’s Underbelly,” which told Krebs’ story in the wake of his exclusive revelations about the data breach at Target.
The Hollywood Reporter writes that the studio envisions the story as a “cyber thriller” set in the “high stakes world” of cybercrime.
Mashable reports that the studio has recruited Richard Wenk, writer of its recent version of The Equalizer, and action sequel The Expendables 2, to write the script.
Krebs’ blog, Krebs on Security, broke the story of the Target breach late last year, revealing that a large number of American debit and credit card details had been leaked from the retailer. The story had been leaked to Krebs, a former reporter at the Washington post, via officials at American credit card issuers.
In February this year, Nicole Perlroth’s profile article for the New York Times offered a portrait of Krebs, describing incidents such as Russian cybercriminals attempting to frame him with heroin purchased from the Silk Road “online drug market” (reported by We Live Security here), and describing how Krebs landed a string of exclusive stories, including several key revelations about the Target breach.
Perlroth described Krebs as, “A former reporter at The Washington Post who taught himself to read Russian while jogging on his treadmill and who blogs with a 12-gauge shotgun by his side.”

Bitcoin fixes Mt Gox theft bug – as exchange staff find 200,000 BTC in ‘forgotten’ wallet

Bitcoin’s developers have released a new version of the software, which includes a long-awaited fix for the “transaction malleability” bug said to have brought down large exchanges such as Mt Gox and Bitstamp.
The new version, called Bitcoin 0.9.0, was revealed by a bitcoin developer in a Tweet, according to ZDNet. The release notes say that this version of Bitcoin Core offers, “Bug fixes and new regression tests to correctly compute the balance of wallets containing double-spent (or mutated) transactions.”
The bug allowed users to alter the unique ID of BTC transactions before they were confirmed, and thus allegedly steal coins, according to ZDNet‘s report. Mt Gox blamed the “transaction malleability” bug for its loss of more than $400m in Bitcoin, and other collapsed banks and exchanges said they had fallen victim to the same bug.
VentureBeat reports that the new version of Bitcoin includes five fixes to prevent fraudulent transactions, with a function which stops “mutated transactions” being relayed, and two more functions which report double-spending and conflicting wallet transactions.
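To make the “mutated transaction” problem concrete, here is an added illustration (not code from Bitcoin Core or from the article): a minimal legacy-format transaction serializer shows that the txid is a hash over bytes that include the unsigned scriptSig, so re-encoding a push opcode yields a second, equally valid transaction with a different txid; the wallet-side check then matches transactions by the outpoints they spend rather than by txid, which is the kind of reconciliation the 0.9.0 balance fix needs. The signature, key and previous txid are constructed placeholders, not real ECDSA material.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def serialize_tx(tx: dict) -> bytes:
    """Legacy (pre-segwit) serialization: the scriptSig bytes are hashed into the txid."""
    raw = struct.pack("<i", tx["version"]) + varint(len(tx["inputs"]))
    for prev_txid, prev_index, script_sig in tx["inputs"]:
        raw += bytes.fromhex(prev_txid)[::-1] + struct.pack("<I", prev_index)
        raw += varint(len(script_sig)) + script_sig + struct.pack("<I", 0xFFFFFFFF)
    raw += varint(len(tx["outputs"]))
    for value, script_pubkey in tx["outputs"]:
        raw += struct.pack("<q", value) + varint(len(script_pubkey)) + script_pubkey
    return raw + struct.pack("<I", tx["locktime"])


def txid(tx: dict) -> str:
    return sha256d(serialize_tx(tx))[::-1].hex()


def outpoints(tx: dict) -> frozenset:
    """(prev_txid, index) pairs the transaction spends; these are covered by the signature."""
    return frozenset((p, i) for p, i, _ in tx["inputs"])


def push(data: bytes) -> bytes:
    """Direct push opcode (lengths below 0x4c)."""
    assert len(data) < 0x4C
    return bytes([len(data)]) + data


def reencode_first_push_with_pushdata1(script_sig: bytes) -> bytes:
    """Same data, different push opcode (OP_PUSHDATA1 = 0x4c). Consensus rules accept
    both encodings, so the script still verifies, but the txid changes."""
    n = script_sig[0]
    return b"\x4c" + bytes([n]) + script_sig[1:]


def mutate(tx: dict) -> dict:
    prev_txid, prev_index, script_sig = tx["inputs"][0]
    mutated = dict(tx)
    first = (prev_txid, prev_index, reencode_first_push_with_pushdata1(script_sig))
    mutated["inputs"] = [first] + tx["inputs"][1:]
    return mutated


def find_mutated(pending: list, confirmed: list) -> list:
    """Wallet-side reconciliation: a confirmed transaction that spends the same outpoints
    as one we are still waiting on is the same payment under another txid (or a true
    double-spend), so the pending copy must not be counted in the balance."""
    hits = []
    for p in pending:
        for c in confirmed:
            if txid(p) != txid(c) and outpoints(p) & outpoints(c):
                hits.append((txid(p), txid(c)))
    return hits


# Constructed sample data: placeholder signature/key shapes, not a real signed transaction.
PREV_TXID = hashlib.sha256(b"constructed previous transaction").hexdigest()
FAKE_SIG = bytes(range(1, 72)) + b"\x01"      # 72 bytes, SIGHASH_ALL marker at the end
FAKE_PUBKEY = b"\x02" + bytes(32)             # 33-byte compressed-key shape
ORIGINAL_TX = {
    "version": 1,
    "inputs": [(PREV_TXID, 0, push(FAKE_SIG) + push(FAKE_PUBKEY))],
    "outputs": [(50_000_000, b"\x76\xa9\x14" + bytes(20) + b"\x88\xac")],  # P2PKH shape
    "locktime": 0,
}
MUTATED_TX = mutate(ORIGINAL_TX)

if __name__ == "__main__":
    print("original txid:", txid(ORIGINAL_TX))
    print("mutated  txid:", txid(MUTATED_TX))
    print("same outpoints:", outpoints(ORIGINAL_TX) == outpoints(MUTATED_TX))
    print("pending tx superseded by:", find_mutated([ORIGINAL_TX], [MUTATED_TX]))
```

An exchange that keyed its withdrawal bookkeeping on txid alone would see the original txid never confirm and might re-send, which is the failure mode the article attributes to Mt Gox.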
Early in March, Mt Gox admitted that nearly $500 million in bitcoin had “disappeared”, in a statement posted online, blaming abuse of the “transaction malleability” bug in the system.
The exchange, which filed for bankruptcy protection early in March, as reported by We Live Security here, posted a new message to its site on Monday, saying that bitcoins had been “illicitly moved through the abuse of a bug”, and that “Although the complete extent is not yet known, we found that approximately 750,000 bitcoins deposited by users and approximately 100,000 bitcoins belonging to us had disappeared.”
Meanwhile, questions remain over whether investors in Mt Gox will ever be able to reclaim their money. The exchange said this week that it had “found” 200,000 BTC in old wallets, during its bankruptcy procedures.
The Register commented, “That’s good news for creditors inasmuch as it means the exchange is “only” missing about 650,000 Bitcoin, so there’s some prospect of recovering some of their lost currency.”
The site said in a statement, “MtGox Co., Ltd. had certain old format wallets which were used in the past and which, MtGox thought, no longer held any bitcoins. Following the application for commencement of a civil rehabilitation proceeding, these wallets were rescanned and their balance researched. On March 7, 2014, MtGox Co., Ltd. confirmed that an old format wallet which was used prior to June 2011 held a balance of approximately 200,000 BTC (199,999.99 BTC)”

President Obama’s BlackBerry survives assault from Korean Androids

Contrary to reports late last week, the BlackBerry smartphones used by White House staffers and the President are not to be replaced by Android or Windows Phone handsets from Korean manufacturers LG and Samsung.
The Wall Street Journal, quoting unnamed insiders, suggested that while Obama’s own BlackBerry was not under threat, smartphones from LG and Samsung were being tested for ‘internal use’. The news story caused a dip in BlackBerry’s stock price – the White House is one of the company’s most high-profile customers.
Few smartphones are as iconic as President Barack Obama’s faithful BlackBerry – he was pictured with it so often during his 2008 Presidential campaign that the New York Times estimated that the “celebrity endorsement” could be worth up to $50 million to the company.
White House spokesman Jay Carney said, according to a report by ABC News, that no change was imminent, but that the White House Communications Agency was testing devices for “other areas of the administration.” The WHCA describes itself as “a one-of-a-kind military unit dedicated to providing premier, worldwide, vital information services and communications support to the president and his staff.”
President Obama was informed that he would have to give up his BlackBerry on taking office, but came to an agreement with intelligence agencies.
Silicon Beat reports that a BlackBerry spokesperson wrote a letter to the Wall Street Journal denying that the White House was considering a move away from BlackBerry handsets. Barbara Tate wrote, “Governments test new technologies frequently, but nevertheless the U.S. government continues to choose BlackBerry for its unmatched security and cost effectiveness. Other vendors such as Samsung and LG still have a long way to go to catch up to meet the government’s stringent requirements and certifications. BlackBerry’s operating system has already received the highest security approvals from the United States, Great Britain and NATO, and our latest operating system, BlackBerry 10, is already certified for high-security users in various NATO countries.”
Both Samsung and LG recently unveiled security software for their higher-end Android handsets, but reports from sites such as The Register suggested that upcoming Windows phones from the companies could be adopted instead by U.S. government agencies. The site reports that Windows Phone handsets recently overtook Android handsets in sales figures in the United States.
Venture Beat reports that BlackBerry, and its new CEO John Chen, are making efforts to ensure that their handsets retain their reputation for security – and their impressive list of state clients. Chen inaugurated a ‘security innovation’ center for the company this year, located in Washington DC. Chen said at the time, “We are committed to working with government and industry experts to solve some of the biggest challenges we face in securing mobile communication. The Washington, D.C.-based security innovation center will be focused on creating lasting partnerships that will encourage ongoing dialogue aimed at making better products and policy.”

Hacker crashes Google Play -- twice

A developer said he was testing a vulnerability. But when Google got the service back up and running, he crashed it again.
New Android apps and updates were blocked from appearing in Google's Play Store on Monday, after a hacker attacked Google's app publishing system. It's an outage you may not notice -- until it holds up the next update to Candy Crush, Plants v. Zombies or Clash of Clans. But developers are furious.
The publishing system known as Google's Developer Console first crashed mid-day Sunday. Many app developers still found themselves blocked from uploading to the Google Play Store on Monday. Some developers noted the issue appeared to be resolved on Monday, but another posted in a Google forum, "problem started again."
Meanwhile, Android users don't have access to new apps and updates. Existing apps are still available for download. Google's (GOOG, Fortune 500) Android software powers nearly 80% of the smartphone market.
Ibrahim Balic, a Turkish hacker, claimed responsibility for the attack. He said developer console crashed when he tried to test a vulnerability he discovered.
Balic wrote an app to exploit the flaw, which he expected to fail. But he said he didn't expect it to knock everyone offline as well.
Inside the mind of a hacker
Balic pleaded forgiveness from his online peers.
"I didn't have any malicious aim," he told CNNMoney. "I am so sorry for this damage."
He said the site crashed again when he uploaded the app to Google's publishing system a second time.
"I just wanted to be sure about (the) vulnerability," he said.
Balic said he notified Google of the issue but has yet to hear back.
On Tuesday, Google said the issue impacted "a subset of developers." The company underscored that the issue did not prevent Android users from downloading existing apps.
Google's press office did not immediately return a request for comment from CNN.
By his own account, this isn't Balic's first joust with smartphone app developers. He claimed to be the intruder behind an attempted hack of Apple's (AAPL, Fortune 500) Developer Center last summer.
Android developers blocked from uploads this week voiced their frustration on Google's site and elsewhere online. They wrote in outage reports from Ireland and Israel to Spain and Russia.
"You really uploaded that thing again?" one posted on Reddit. "Now it will be quite hard to explain that it was accidental..."
But amid the grievances, that poster found space for some advice:
"It's quite something what you did, but I would also get a lawyer to be safe."

Are Nation States Responsible for Evil Traffic Leaving Their Networks?

During recent talks to various audiences, I've mentioned discussions within the United Nations. One point from these discussions involved certain nation states agreeing to modes of behavior in cyber space. I found the document containing these recent statements: A/68/98, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (pdf). This document is hosted within the United Nations Office for Disarmament Affairs, in the developments in the field of information and telecommunications section.

Fifteen countries were involved in producing this document: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, the Russian Federation, the United Kingdom of Great Britain and Northern Ireland and the United States of America.

Within the section titled "Recommendations on norms, rules and principles of responsible behaviour by States," I found the following noteworthy:

19. International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment...

23. States must meet their international obligations regarding internationally wrongful acts attributable to them. States must not use proxies to commit internationally wrongful acts. States should seek to ensure that their territories are not used by non-State actors for unlawful use of ICTs.

The first statement is important because it "imports" a large body of external law and agreements into the cyber field, for good or ill.

The second statement is important because, if States obey these principles, it has interesting effects upon malicious activity leaving State networks. Collectively these sentences imply that States are responsible for their networks. States can't claim that they are only innocent intrusion victims, and that any malicious activity leaving their State isn't their fault or problem.

Whether States try to meet these obligations, and whether others call them out for not meeting them, is another matter.

Weev Is in Jail Because the Government Doesn't Know What Hacking Is

"I'm flabbergasted that this could be called anything other than a hack," the prosecutor said, addressing a trio of skeptical-looking judges in the US Third District Court of Appeals. The government was restating its case that, by obtaining private email addresses after exploiting a security loophole on AT&T's website and forwarding them to the media, Andrew "weev" Auernheimer had violated the Computer Fraud and Abuse Act.
Last March, weev, the notorious internet troll who seems to be equally celebrated and reviled, was convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison. 
"He had downloaded the entire iOS system on his computer, he had to decrypt it, he had to do all of these things I don't even understand," Assistant US Attorney Glenn Moramarco argued. Here, on a Wednesday morning in Philadelphia, before a packed courtroom, the federal prosecution argued that a hacker should spend three and a half years in prison for committing a crime it couldn't fully comprehend.
Previously, Orin Kerr, a law professor at George Washington University and weev's defense attorney, had argued first and foremost that there was no criminal hacking to speak of. According to Kerr, what weev and Daniel Spitler (who pleaded guilty to avoid jail time) had done while working as an outfit called Goatse Security was entirely legal, even though it embarrassed public officials and some of the country's biggest corporations.
Goatse didn't steal passwords or hack into a server, Kerr argued. Instead, they effectively discovered a major security flaw in AT&T's network. When given the proper query, the telecom's public website would cough up a registered iPad owner's email address.

"There is no unauthorized access," Kerr said at the beginning of his appeal. When anyone can access data simply by entering an address onto a browser, "it is effectively public," he said.
Spitler and Auernheimer were able to pull 114,000 email addresses of iPad users—including those of high-profile individuals like Michael Bloomberg, Rahm Emanuel, and the CEO of the New York Times—essentially by writing code that automatically entered those queries. Instead of quietly notifying Apple and AT&T, however, as security experts typically do, Goatse sent the addresses to Gawker, which published them in redacted form, along with a more detailed explanation of how the breach occurred.

Location, location, location

In the courtroom, Kerr was eager to argue why weev's actions didn't violate the CFAA, a 1986 law that has been criticized by law scholars for being too vague and outmoded. But the judges were more interested in examining the issue of venue.
That's because, in an apparently arbitrary decision, the US Justice Department moved Auernheimer's trial to New Jersey, from Arkansas, where he's from. Goatse's exploit had very little to do with New Jersey at all—a small percentage of the obtained email addresses belonged to Jerseyites, but none were ever made public—so Kerr argued that the impact to the state was circumstantial, not pivotal.
There was no reason this trial shouldn't have been held in Hawaii, as a judge later remarked.
"Almost the entire thing was about venue," Tor Ekeland, an attorney who also represents Auernheimer, told me after the trial. "Nothing happened in New Jersey. No victims, no possession." He guessed that the Justice Department had chosen the state because it had a large computer crimes department, or because AT&T's headquarters were there, which proved irrelevant to the case, as he wasn't charged with any crimes against the company.
Some observers said the court appeared to be considering rejecting the case on grounds of venue, in order to avoid a precedent that would let computer crimes be tried anywhere they had obliquely affected residents who use the internet, which could potentially be everywhere. Speculation arose that this would be grounds to overturn a weak case without making a direct affront on the CFAA itself. The prosecution stated for the record that neither Auernheimer nor his computer nor Gawker were located in New Jersey.
In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue. "It doesn't matter where the server is located."
The judges did not appear to buy the argument.

Weev supporters outside of the courtroom this morning.
After the hearing, the dozens of supporters who'd filled the seats, many who'd made the trek from New York and beyond, filed out of the courtroom. "We have other interesting cases today, you know," one of the judges quipped, to scattered laughter.
Outside the courtroom, Kerr told me he was "cautiously optimistic" about his arguments' reception. He declined any further comment.
Journalists, lawyers, activists, and weev's friends anxiously congregated in the lobby. They generally seemed optimistic about the appeal, though many were also preoccupied with the treatment Auernheimer was receiving inside the prison. He'd been placed in a Secondary Housing Unit, and since last May, has been kept in solitary confinement most days. It was hard to say for certain, but weev's adversarial and anti-authoritarian nature—which continues to find an outlet on Twitter—was suspected to have played a role.
Katelan Foisy, a friend who corresponded with weev through letters, told me his typically exuberant outlook had grown dark.
"I would love to see him get out of solitary. That practice needs to be stopped," she said. "I hope this speeds things along."
Ekeland, his lawyer, also said the prison was isolating weev.
"He says he's sent me ten to twenty letters. I've received one." They're also not allowing him access to books or religious materials, Ekeland said. (Auernheimer is Mormon, though he only practices sporadically.)


A couple dozen of his friends and supporters all went to lunch after the hearing, where they exchanged stories and talked politics. A software developer proudly showed me a page on the Encyclopedia Dramatica where he'd been made the target of weev's legendary trolling; it accused him of having ties to the mob and hosting websites with links to child pornography. Justine Tunney, the controversial Occupy Wall Street figure, showed off a little trolling of her own: a White House.gov petition that calls for replacing the federal government with tech companies.
When I asked each about weev, most smiled, almost guiltily.
The common line about weev is that there's no doubt he's done some terrible and distasteful things—the online stalking of a female blogger, the homophobic and anti-Semitic trolling, for instance. But, they say, he shouldn't be serving time for pointing out a flaw that AT&T and Apple left open to the public.
"The law should apply to everyone equally," Deviant Ollam told me, "not just precious snowflakes."
This issue of venue may offer weev a glimmer of hope for a way out of jail, and if it does, it could pave the way to an incrementally more just system for prosecuting computer crimes.
Still, the fundamental flaws of the CFAA look as if they will remain unaddressed, granting prosecutors far too much power and leeway over digital activists and whistleblowers. The prosecution had compared internet traffic to kidnapping, hacktivism to nuclear terrorism, and admitted to not really grasping why, exactly, they had convicted this man.
As such, it's unlikely that the government would be able to process the complexities inherent in weev's motives and deeds. Sympathy for the internet's best troll was in short supply both outside and behind bars. His supporters understand this.
"Does weev deserve to be in jail? Probably. Yes. But not for this," someone said after the hearing. The table agreed—and these were his friends.

The NSA responds to Edward Snowden’s interview at TED

Richard Ledgett, Deputy Director, NSA, speaks with Chris Anderson via video at TED2014. Photo: Bret Hartman
Rick Ledgett is the deputy director of the National Security Agency. He’s here to give a response to Edward Snowden’s onstage/virtual appearance at TED earlier in the week. (See the talk, Here’s how we take back the Internet.) On Tuesday, the former NSA sysadmin made the case for open government and private lives, arguing that “we don’t have to give up liberty to have security.” Here at TED with his own onstage/virtual appearance, speaking on behalf of both the NSA and the American government, Ledgett responds to questions from TED curator Chris Anderson, who started things off. An edited version of their conversation follows:
Rick, we appreciate you joining us. It’s a strong statement that the NSA was prepared to reach out to show a more open face here. You saw, I think, the talk and the interview Edward Snowden gave here. What did you make of it?
I think it was interesting. We didn’t realize he was going to show up there [the audience laughs], so kudos to you guys for arranging a nice surprise like that. I think a lot of things have come up since Mr. Snowden started disclosing classified information. There were some kernels of truth in there but a lot of extrapolations and half-truths in there. I’m looking forward to helping you address them. This is an important conversation, important and of import. We need to have that be a factor in this conversation. We need to make that happen.
The question a lot of people have: What do you make of Snowden’s motivations for doing what he did? Did he have an alternative way he could have gone?
He absolutely did have alternative ways he could have gone. I actually think that characterizing him as a whistleblower hurts legitimate whistleblowing activities. Someone who works in the NSA, and 35,000 people do who are great citizens, mothers, fathers, brothers, sisters, friends and relatives, and they’re all interested in doing the right thing for their country and for our allies internationally. There are a variety of venues to address if folks have a concern. First up, you can go to your supervisor through the supervising chain in the organization. If you’re not comfortable with that, there are inspectors general. In the case of Mr. Snowden, he had the option of the NSA Inspector General, the Navy Inspector General, the Pacific Fleet Inspector General, the Intelligence Committee Inspector General. Any of whom would have kept concerns in classified channels and addressed them. There are also Congressional committees and mechanisms in place. He didn’t do any of that.
[At this point, Chris Anderson calls a halt to the conversation, hoping a break will allow the tech team — which has been scrambling to set up a clear video line between Vancouver and Washington, DC — to fix some of the audio issues, including screechy feedback. As he says, “This is too important not to be able to hear it properly.”] Later, Ledgett takes up where he left off:
I thought that as has been the case in a lot of these discussions, there were some half-truths and distortions in what Edward Snowden said. I’m looking forward to the opportunity to address this. It’s an important national and international discussion that we’re having. It’s important to be informed, and we want to inform with facts, not conjecture and misinformation. I’m happy for the opportunity.
You said Edward Snowden had other avenues for raising concerns. There are a number of comebacks to that: 1. He certainly believes that as a contractor those avenues weren’t available to him; 2. There’s a track record of whistleblowers, such as, say, Thomas Drake, being treated harshly. And thirdly, he wasn’t taking on one specific flaw he discovered but programs approved by all three branches of government. In those circumstances, couldn’t you argue that what he did was reasonable?
No, I don’t agree with that. The actions he took were inappropriate because of the fact that he put people’s lives at risks in the long run. I know there’s been a lot of talk by Edward Snowden and journalists who say the things disclosed did not put national security or people at risk. That is categorically not true. They actually do. There’s also an amazing arrogance to the idea that he knows better than the framers of the Constitution how government should work, should be designed and work with the separation of powers. The executive and legislative branches have to work together, they have to balance each other, and then the judicial branch oversees that whole process. That’s extremely arrogant on his part.
Do you have a specific example of how he put lives at risk?
In the things he disclosed. The NSA is a capabilities-based organization. When we have foreign intelligence targets, legitimate things of interest — the terrorist is the iconic example but that also includes human traffickers, drug traffickers, people trying to build advanced weaponry or deliver systems for them — those capabilities are applied in very discrete and measured and controlled ways. So the unconstrained disclosure of those capabilities mean the targets see it and recognize it and move away from our ability to have insight into what they’re doing. Then we are at greater risk because we don’t see the threats coming and we might be vulnerable. We have seen targets in terrorism, in the nation state area, smugglers, who have moved away from our ability to have insight into what they’re doing. The net effect of that is that our people overseas in dangerous places, our military, our diplomats, our allies in similar situations, face a greater risk.
So you’re saying that your access to information has been closed down. One concern is that the nature of its access was not legitimate in the first place. Describe to us the Bullrun program, in which it’s alleged that the NSA deliberately weakened security to get access.
Legitimate foreign targets use the global telecommunications system, and let me say it’s a great system, it’s the most complex system devised by man. It’s a wonderful thing. It’s also used by those working against us and our allies. And in working against them I need the capability to go after them. If we could make it so that all the bad guys used the same corner of the internet, if they all used badguy.com, that would be awesome, we could concentrate our capabilities there. That would be awesome. That’s not what happens. They’re trying to hide from the government’s ability to isolate and interdict their actions. We have to swim in the same space.
The NSA has two missions. The first is the signals and intelligence mission about which sadly we read so much in the press. The second is the information and assurance mission, to protect the security of the United States. That’s the communications the president uses, the communications we use to control nuclear weapons, the communications we use with our allies. We make recommendations on those standards — and we use the same standards. We are invested in making sure those communications are secure for their intended purposes.
It seems like when it comes to the Internet, any strategy is fair game if it improves America’s safety. I think that’s why there’s such a divide of opinion. People think very differently about the Internet; it’s a momentous invention of humanity on a par with the Gutenberg press. It’s the bringer of knowledge to all; the connecter of knowledge of all. It’s viewed in idealistic terms and when seen through that lens, what the NSA has done is the equivalent of the Germans inserting a device in printing press to reveal what people bought or read. Do you see how that feels outrageous?
I do understand that and I share that view of the utility of the Internet. But this is bigger than the Internet. This is a big chunk of the global telecommunications system. People have legitimate concerns about the balance between transparency and secrecy. It’s couched as privacy and national security, but I don’t think that’s the right framing. It’s really transparency and secrecy. That’s the national and international conversation we’re having to let people participate in an informed way.
There are things we need to be transparent about, our authorities, processes, our oversight, who we are. We at the NSA have not done a good job of that, and that’s part of the reason why this has been so sensational. We’re “Never Say Anything,” I’ve seen there’s takeoffs of our logo of an eagle with headphones around it — that’s the public characterization of our work. We need to be more transparent, but what we don’t need to be transparent about, because it’s bad to expose them, are the operations and capabilities that allow the people we’re working against, the bad guys, to counter those.
Isn’t it also bad to deal a body blow to the American companies that have essentially given the world the Internet services that matter?
It is. Companies are in as tough a position as we are. We compel companies to provide information, just like every nation in the world does. Every industrialized nation has a lawful intercept program compelling companies to provide information, and companies comply with those programs as they do in Russia, the UK, China, India or France, in any country you choose to name. The fact that these revelations have been broadly characterized as “you can’t trust Company A because your privacy is suspect with them” is only accurate in that it’s accurate with every other company in the world dealing with those countries in the world. It’s been marketed by countries, including some ally countries, that you can’t trust the US but “you can trust our telecoms because we’re safe.” They’re using that to counter the very large technology edge US companies have in the cloud.
You’re sitting there with the American flag behind you. The American Constitution guarantees against unnecessary search and seizure. Is there a right to privacy?
Of course there is. We devote inordinate, I shouldn’t say that, I should say appropriate time and effort to ensure we protect that privacy and beyond that the privacy of citizens around the world, not just Americans. We’re all on the same network. I use a particular internet email service that is the number-one email service of choice of terrorists. I’m right beside them in email space on the Internet. We need to pick that apart and find the information that’s relevant. In doing so, we’re going to necessarily encounter Americans and innocent foreign citizens going about their business. And when you find it, because you’re certain to find it, here’s how to protect it. We have minimization procedures approved by the Attorney General that are constitutionally based. And for citizens of the world going about their lawful business on a daily basis, the President laid out new protections in a January 17th speech. Absolutely folks have the right to privacy.
What about foreigners using American companies’ Internet services?
They do too. The only way we are able to compel one of those companies to provide us information is when it falls into one of three categories, that this particular person is associated with counterterrorism or proliferation or another intelligence target.
A lot of information you’ve obtained has been metadata, not necessarily words, but it’s who people wrote to when and so forth. It’s been argued that metadata is more invasive than core data. In core data you present yourself as you want to be presented. With metadata who knows conclusions drawn. What do you make of that?
I don’t really understand that argument. Metadata is important for a few reasons. It’s information that lets you find connections that people are trying to hide. So when a terrorist is corresponding with someone who’s not known to us but is supporting terrorist activities or violating sanctions, or is trying to hide activity because it’s illicit, metadata lets you connect that. The alternative is less efficient and much more invasive to privacy, it’d be a giant collection of content. Metadata is privacy enhancing. We don’t grind out metadata profiles of average people. If you’re not connected to an intelligence target, you’re not of interest to us. [At that, a man at the back of the auditorium says clearly, "Thank you."]
Where would you place terrorism in terms of threats to Americans overall?
Terrorism is still number one. We have never been in a time where there are more places where things are going badly and forming the petri dish where terrorists can take advantage of a lack of governance. An old boss of mine, Tom Fargo, refers to “arcs of instability.” And you have a lot of them in the world right now. In Syria there’s a civil war and a massive number of foreign fighters flooding in there to learn to be terrorists. These are westerners with passports to European countries or the US. They are learning to do jihad and they have expressed intent to go out and do that in their home countries. Iraq is suffering from a high level of sectarian violence; it’s a breeding ground for violence. In the Horn of Africa there’s lots of weak governance which forms a breeding ground for terrorist activities. Number two is cyberthreat, in three ways. One way is probably the most common way people have heard of and that’s the theft of IP. Basically foreign countries are stealing companies’ secrets and providing them to state enterprises or enterprises connected with government, which allows them to leapfrog technology or win business intelligence. That is hugely costly and several nation-states are doing it. Number three is distributed denial of service attacks, and there has been a spate of those against the US financial sector since 2012. That’s a nation-state doing so as semi-anonymous reprisal. And the last is destructive attacks, which concern me the most. In 2012 at Saudi Aramco, a Wiper-style virus took out thousands of computers. In March 2013, a South Korean attack attributed in the press to North Korea took out thousands of computers. Those are on the rise; we see people expressing interest in those capabilities.
A lot of people look at the risk and the numbers and don’t understand the belief that terrorism is still a threat. If you don’t include 9/11, in the last 30-40 years, 500 Americans have died of terrorism, mostly from homegrown terrorists. The chance of being killed by terrorism is less than being killed by lightning. Of course, nuclear or bioterrorism acts would change those numbers. Is that the point?
Two things. The reason there hasn’t been a major attack in the US since 9/11 is not an accident. That’s hard work we’ve done and folks in the military have done and allies around world have done. You’ve heard the numbers: 54 terrorist attacks were stopped. 25 of them were in Europe, 18 occurred in just three countries, some of them our allies, some of whom are beating the heck out of us over the NSA programs. But that’s not an accident, that’s hard work, that’s us finding intelligence through law enforcement, through cooperation and sometimes through military action. But your idea of nuclear or biothreat is not at all far-fetched. A number of groups have expressed the desire to obtain those capabilities and are working toward that.
So there were 54 incidents, but it’s been suggested that as few as zero of them were revealed because of the controversial programs Mr. Snowden revealed. They were revealed through other forms of intelligence. It’s almost like you’re looking for a needle in a haystack, and yet the controversial programs simply add hay to the stack.
No. There are two programs typically implicated in that discussion. One is the Section 215 program, the other one is Section 702, the FISA Amendments Act, popularly known as the Prism program. The Section 215 program is only relevant to threats directed against the US. There have been a dozen threats where that was implicated. You’ll see people say publicly there’s no “but for” case, no “but for that, the threat would have happened.” That indicates a lack of understanding of how investigations actually work. If you think about a television murder mystery, they start with the body and work to solve the crime. We’re starting well before then, before the bodies, to figure out who the people are and what they’re trying to do. That involves a massive amount of information. Think of it as a mosaic; it’s hard to say which is the most important piece of a mosaic.
In 42 of those events, the Prism program was hugely relevant and material in contributing to stopping those attacks.
Edward Snowden said that terrorism provides almost an emotional cover for action. It allows the initiation of these programs to give powers an organization like yours couldn’t otherwise have. Is there internal debate about this?
Yes. We debate these things all the time. Discussion goes on in the executive branch and within the NSA and intelligence community about what’s right, what’s proportionate, what’s the right thing to do. These programs have been authorized by two Presidents, two political parties, by Congress twice and by federal judges 16 times. It’s not the NSA running off and doing these things. This is a legitimate activity of the US government, as agreed to by all branches of the government.
Yet when Congress discovered things that were being done, many were completely shocked. Is that not a legitimate reaction? Did they know exactly what you were doing?
Congress is a big body. In the lower house there are 535 of them and they change out frequently. The NSA provided all relevant information to the oversight committees; the dissemination of information through Congress is something they manage. I would say that Congress members had the opportunity to make themselves aware, and a significant number of them, those assigned oversight responsibility, did have oversight. And you have chairs of those committees say that in public.
You mentioned them previously: cyberattacks are a huge concern. Is there a tradeoff between strategies? In weakening encryption to find the bad guys, might you open the door to cyberattack?
Two things. One, you said weakened encryption, I didn’t. The other is that the NSA has both those missions. We’re heavily biased towards defense. The vulnerabilities we find in the majority of cases we disclose to those responsible for manufacturing or developing products. We’re working on a proposal to be transparent and publish reports in the same way Internet companies can publish reports. We want to be more transparent. We eat our own dogfood, we use the products we recommend. It’s in our interest to keep our communications protected in the way other people’s need to be.
After his talk, Edward Snowden was wandering the halls here. I heard a number of people ask, and he was very complimentary about the people at the NSA, saying that it’s an impassioned group of employees who are seeking to do the right thing. The problems have come from badly conceived policies. He came over reasonably and calmly. He didn’t come across as a crazy man. Even if you disagree with how, does the fact that he opened debate matter?
I think the discussion is an important one to have. I do not like the way he did it; there were a number of other ways to do it that would not have endangered our people and people of other nations by losing visibility into what our adversaries are doing. But I do think it’s an important conversation.
There seems to be some disagreement over giving him amnesty. Your boss has said that would be a terrible example to others, that we can’t negotiate with someone who broke the law in that way. Yet you’ve been quoted as saying that if he can prove he surrendered all his documents, then a deal could be considered. Where do you stand?
Yes, 60 Minutes took a part of what I said … What I actually said in response to a question about entertaining a discussion of mitigating action against Mr. Snowden was that yes, it’s worth a conversation. The Attorney General of the US and the president have talked about this, and I defer to the Attorney General as this is his lane. There is a strong tradition in American jurisprudence of having discussions with people charged with crimes as it befits the government to get something out of that. There’s always room for discussion; I’m not presupposing any outcome.
It seems like he has things to offer the US, and perhaps you and others can use his insights to put things right and figure out smarter policy way forward for the future. Has that been entertained?
That’s out of my lane. That’s a Department of Justice discussion. I’ll defer to them.
So the other day I asked Edward Snowden for his idea worth spreading. What would be yours?
Learn the facts. This is a really important conversation that impacts not just the NSA or the government, but you and the Internet companies. The issue of privacy and personal data is much bigger than government. So don’t rely on headlines or soundbites, or on one-sided conversations. That’s an idea worth spreading. We wear badges here, and the lanyard of those people who do crypto-analytic work says “look at the data.” So that’s my idea worth spreading: look at the data.

Google encrypts all Gmail traffic to protect users from PRISM spooks

Google has begun encrypting all Gmail communications in a bid to protect its customers from prying intelligence agencies and cyber criminals.
Gmail security engineering lead Nicolas Lidzborski announced in a blog post that all Gmail messages will now be carried over an encrypted Hypertext Transfer Protocol Secure (HTTPS) connection.
"Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default," he said.
"Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers – no matter if you're using public WiFi or logging in from your computer, phone or tablet."
HTTPS is a widely used internet security protocol in which the web server presents a digital certificate, letting the client authenticate the identity of the server it is talking to and detect man-in-the-middle attacks. The protocol also encrypts all data passing between the server and the client. Lidzborski said the use of HTTPS will stop intelligence agencies monitoring Gmail users' communications in transit.
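To make concrete what "authenticate the identity of the web server" means on the client side, here is an added example (not code from the article or from Google) showing the two pieces a TLS client gets right or wrong: the context configuration that forces certificate validation, and the hostname check that compares the validated certificate's names against the host the user actually asked for. Without the second check, a valid certificate for some other domain would be accepted and a man-in-the-middle would go unnoticed. The certificate dictionary is a constructed sample in the shape Python's `getpeercert()` returns; the names in it are hypothetical, and the wildcard rules implemented are the conservative ones browsers apply (wildcard only as the whole leftmost label, matching exactly one label).

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer. Hypothetical values; not a real Gmail certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "*.mail.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def tls_client_context() -> ssl.SSLContext:
    """Client context configured the way a browser behaves: the server
    certificate must chain to a trusted CA (CERT_REQUIRED), its names must
    cover the host we connect to (check_hostname), and protocol versions
    older than TLS 1.2 are refused."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context validates the chain, checks
    the hostname and refuses pre-1.2 protocol versions."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.
    Case-insensitive; a wildcard may only be the entire leftmost label,
    matches exactly one label, and needs at least two labels after it
    (so '*.com' never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a subjectAltName DNS entry.
    The commonName is deliberately ignored, as modern clients do, so a
    certificate without SAN DNS names matches nothing."""
    san = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    return any(_dns_id_matches(p, hostname) for p in dns_ids)


if __name__ == "__main__":
    ctx = tls_client_context()
    print("context hardened:", context_is_hardened(ctx))
    for host in ("mail.example.com", "imap.mail.example.com", "attacker.example"):
        print(f"{host}: {'accepted' if hostname_matches_cert(SAMPLE_CERT, host) else 'rejected'}")
```

In a real client the same `tls_client_context()` is what you pass to `http.client.HTTPSConnection(host, context=ctx)` or `ssl.wrap`-style socket wrapping; Python then performs the chain validation and the hostname check itself. The stand-alone `hostname_matches_cert` is the part worth reading when auditing code that sets `check_hostname = False` or `verify_mode = CERT_NONE`, since those two lines are exactly what turns an HTTPS connection back into one an interposed party can read.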
"Every single email message you send or receive – 100 percent of them – is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centres – something we made a top priority after last summer's revelations," he said.
Google is one of many companies known to have been targeted by the NSA during PRISM. News of the PRISM campaign broke earlier this year when whistleblower Edward Snowden leaked classified documents to the press, proving the NSA siphoned vast amounts of customer data from numerous technology companies.
Google has since worked to improve its security services to allay its customers' fears. The firm began encrypting its search data using the Secure Sockets Layer (SSL) protocol earlier in March.
Snowden listed encryption as a key way for companies to protect their customers from NSA spying during a privacy discussion at the SXSW conference in Texas earlier in March.
Despite the positive move, the use of HTTPS does not necessarily mean Gmail users are 100 percent protected from intelligence agencies such as the NSA. It is still unclear whether the NSA used hacking methods to collect data from companies such as Google without their knowledge or if it simply used Foreign Intelligence Surveillance Act (FISA) requests.
FISA requests are specific court orders that force US-based companies to hand data to the NSA. They include a gagging clause that blocks companies from disclosing key information about their involvement to the public.
During a hearing chaired by the US Privacy and Civil Liberties Oversight Board earlier this week, NSA general counsel Rajesh De said the businesses involved were fully aware of what metadata was being collected. If true, the NSA could still collect Gmail customer data from Google using FISA requests.

Turkey blocks Twitter but users find workarounds

Twitter appears to be blocked in Turkey as the prime minister attempts to clamp down on unrest in the country. However, users are flouting the ban, with Twitter itself publicising tactics to ensure messages can get through to the site.
Reuters reported that people in Turkey attempting to access Twitter were met with a statement from its telecoms regulator citing court orders that now prevent access to the site, under the orders of prime minister Recep Tayyip Erdoğan.
“Twitter has been blocked as a preventive measure in order to prevent future damage to our citizens as a last resort,” the statement reportedly said.
The attempt to block access has been met with widespread protest, with European Commission vice president Neelie Kroes claiming it was nothing more than censorship.

In another odd twist on the situation, the president of Turkey Abdullah Gül took to Twitter to say the prime minister is wrong to try and implement the ban.
The incidents underline the power of social media platforms and the concern they cause leaders in many nations. Many governments attempted to stop communications tools such as Twitter and Facebook, as well as text messages, from being used during unrest in the 2011 Arab Spring uprisings.
The UK government even considered blocking such tools in the aftermath of the riots that hit the UK in the summer of 2011, although these plans appear to have cooled over time.