Domain: dubfire.net
Stories and comments across the archive that link to dubfire.net.
Stories · 11
Leaked Memo Says Apple Provides Backdoor To Governments
Voline writes "In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India's Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices. The Indian government then "utilized backdoors provided by RINOA" to intercept internal emails of the U.S.-China Economic and Security Review Commission, a U.S. government body with a mandate to monitor, investigate and report to Congress on 'the national security implications of the bilateral trade and economic relationship' between the U.S. and China. Manan Kakkar, an Indian blogger for ZDNet, has also picked up the story and writes that it may be the fruits of an earlier hack of Symantec. If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
Ask Jennifer Granick About Computer Crime Defense
Attorney Jennifer Granick has defended many high profile hackers, including researcher Christopher Soghoian, creator of a fake boarding pass generator (2006); Michael Lynn versus Cisco/ISS (2005); Jerome Heckenkamp; and Luke Smith and Nelson Pavlosky in Online Policy Group v. Diebold Election Systems (now Premier Election Solutions), a copyright misuse case related to electronic voting. Granick also won an exemption from the U.S. Copyright Office in 2006 allowing phone unlocking despite the anti-circumvention provisions of the Digital Millennium Copyright Act, which set the stage for renewal of the exemption and for the jailbreaking exemption in 2009. At Stanford, Granick worked with Lawrence Lessig on constitutional copyright cases and taught six years' worth of law students about computers, technology and civil liberties. While Civil Liberties Director at the EFF, Granick started the Coders' Rights Project and participated in litigation against AT&T and the federal government for violation of surveillance regulations. Now an attorney at ZwillGen PLLC, Granick assists individuals and companies creating new products and services. And now, she's graciously agreed to answer your questions. Please, as usual, ask as many questions as you'd like, but confine each question to a separate post.
Dropbox Accused of Lying About Security
lee1 writes "Dropbox faces a possible FTC investigation because of misleading statements it has made about the privacy and security of its 25 million users' files. The cloud storage company previously claimed that it was impossible for its employees to access file contents, but in fact, as the encryption keys are in their possession, this is false. The complaint (PDF) points out that their false security claims gave Dropbox a competitive advantage over other firms offering similar services who actually did provide secure encryption."
Feds Warrantlessly Tracking Americans' Real Time Credit Card Activity
PatPending writes "A 10-page Powerpoint presentation (PDF) that security and privacy analyst Christopher Soghoian recently obtained through a Freedom of Information Act Request to the Department of Justice reveals that law enforcement agencies routinely seek and obtain real-time surveillance of credit card transactions. The government's guidelines reveal that this surveillance often occurs with a simple subpoena, thus sidestepping any Fourth Amendment protections."
The Intimate Social Graph
jamie tips an article by Slashdot vet Keith Dawson about the uncertain state of privacy protection for one-to-one online communications through social sites and services. Quoting: "The privacy of these communications is protected mainly under a law — ECPA, the Electronic Communications Privacy Act — dating from 1986 and crafted for then-existing email (think Compuserve and Prodigy) and emerging cellular networks. This law is an increasingly poor fit for modern and emerging communication modalities. Email stored on servers is treated differently depending on whether or not the user has read a particular message; and messages older than 6 months in storage enjoy different protection than newer messages. In attempting to apply the ECPA to social networking media, courts have interpreted users' privacy rights in a variety of ways. ... One shortcoming of the ECPA is that it does not require email, search engine, cloud computing or social networking sites to report how many requests for private data they get from authorities. Whatever the number, it almost certainly dwarfs the number of real-time online intercepts (wiretap, pen register, and trap and trace orders), for which statistics must be kept."
Sprint Revealed Customer GPS Data 8 Million Times
An anonymous reader sends along Chris Soghoian's blog entry revealing that Sprint Nextel provided law enforcement agencies with its customers' GPS location information over 8 million times between September 2008 and October 2009. The data point comes from a closed industry conference that Soghoian attended, at which Paul Taylor, Electronic Surveillance Manager at Sprint Nextel, said: "[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in." Soghoian's post details the laws around disclosure of wiretap and other interception data — one of which the Department of Justice has been violating since 2004 — and calls for more disclosure of the levels of all forms of surveillance.
Lax TSA Website Exposed Travelers' Information
sjbe sends in an old story with a poetic justice ending. Almost a year ago Chris Soghoian blogged about multiple security holes exposing visitors to a TSA site to possible identity theft. Wired and others picked up the story and the TSA took down the insecure site and fixed the problems. On Friday the US House of Representatives Committee on Oversight and Government Reform released a report (PDF; HTML summary) finding that the TSA contractor, Desyne Web Services, had received a no-bid contract for the faulty site from a former employee who was then a TSA project manager. TSA has taken no action to sanction the responsible parties for the vulnerabilities. The poetic justice is that Soghoian had been investigated for 6 months by the FBI and TSA because he pointed out a vulnerability in the US air transport system; no charges were ever filed.
Hijacking Firefox Via Insecure Add-Ons
An anonymous reader writes "Many makers of extensions or add-ons for Firefox are introducing ways for bad guys to hijack the Web browser, new research suggests. A great many add-ons are updated over insecure (non https://) connections, providing an avenue for attackers to replace the extension with an evil update. Google's add-ons are particularly vulnerable, because they update automatically without notifying the user. From the story: '[I]f an attacker were to hijack a public Wi-Fi hot spot at a coffeehouse or bookstore — a fairly trivial attack given the myriad free, point-and-click hacking tools available today — he could also intercept this update process and replace a Firefox add-on with a malicious one.'" Here is security researcher Chris Soghoian's description of the vulnerability and a video of a simulated takeover.
Boarding Pass Hacker Targets Bank of America
Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.
Congressman Calls for Arrest of Security Researcher
Christopher Soghoian writes "Yesterday, I published a tool that allows you to Create your own boarding pass for Northwest flights. This was an attempt to document the fragile and broken state of identity/security for domestic flights in the US. Today, Congressman Markey (D-Mass) has called for my arrest." From the ABC article: "'I don't want to help terrorists or help bad guys do bad things on airplanes, but what we have now is what we in the industry call security theater. It's made to make you think you're secure without actually making you secure,' Soghoian said. 'As a member of the academic research community, I consider this to be a public service.' Soghoian admits that he hasn't actually tried to use one of the boarding passes yet."