Slashdot Mirror


Journalists' Yahoo E-Mail Accounts Compromised In China

andy1307 writes "According to this article in the New York Times, 'In what appears to be a coordinated assault, the e-mail accounts of at least a dozen rights activists, academics and journalists who cover China have been compromised by unknown intruders. The infiltrations, which involved Yahoo e-mail accounts, appeared to be aimed at people who write about China and Taiwan, rendering their accounts inaccessible, according to those who were affected. In the case of this reporter, hackers altered e-mail settings so that all correspondence was surreptitiously forwarded to another e-mail address. ... The victims of the most recent intrusions included a law professor in the United States, an analyst who writes about China's security apparatus and several print journalists based in Beijing and Taipei, the capital of Taiwan.'"

5 of 130 comments

  1. Yahoo, MS is poison by AHuxley · · Score: 3, Informative

    With reports like "Yahoo 'helped jail China writer'" in 2005 ... would most people with any public or private interest in China stay with Yahoo's products in any form after its "complicity" over the past years?
    http://news.bbc.co.uk/2/hi/4221538.stm

    --
    Domestic spying is now "Benign Information Gathering"
  2. Re:Damn Chinese! by TheLink · · Score: 1, Informative

    > But wiretapping at the ISP level doesn't help if their victims use HTTPS or SSL IMAP/POP like pretty much all Gmail (and Yahoo?) users do.

    1) Yahoo mail is not encrypted. Only the login is. So it is possible to sniff the session credentials (cookies etc) and do stuff like change the passwords.

    And it's not just Yahoo. None of them (Yahoo, Hotmail, Google) allowed you to use https for the entire email session, including Gmail, until the recent Google hack incident.

    The banks I use don't even allow you to access their main pages via https. Which does make it hard to get a known trusted login page to log in to the bank.

    Yes their login forms submit stuff via https, but how does that help if you've already got a tampered login form?

    2) The browser makers put in lots of CA certs but do nothing to help you realize that the server's cert has changed[1], or the server's CA has changed, or the server CA country has changed...

    As a result doing stuff securely is hard - the service providers and browser makers aren't helping.

    [1] See the discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=286107

    --
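
An added example, not part of the thread: a trust-on-first-use check for the three changes the comment above lists (server certificate, issuing CA, CA country). The hostname, the stand-in DER bytes and the issuer tuples are constructed; the issuer layout is assumed to follow the dict returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import hashlib

def _field(name_tuples, key):
    """Pull one attribute out of a getpeercert()-style subject/issuer."""
    for rdn in name_tuples:
        for k, v in rdn:
            if k == key:
                return v
    return None

def summarize(der_bytes, peercert):
    """Reduce a certificate to the three properties the comment lists."""
    issuer = peercert.get("issuer", ())
    return {
        "fingerprint": hashlib.sha256(der_bytes).hexdigest(),
        "issuer": _field(issuer, "organizationName") or _field(issuer, "commonName"),
        "issuer_country": _field(issuer, "countryName"),
    }

def observe(store, host, der_bytes, peercert):
    """Compare against the first-seen record; return the fields that changed."""
    seen = summarize(der_bytes, peercert)
    known = store.setdefault(host, seen)  # trust on first use
    return sorted(k for k in seen if seen[k] != known[k])

# Constructed sample data: stand-in DER bytes and issuer tuples shaped like
# the "issuer" entry of ssl.SSLSocket.getpeercert().
CA_A = ((("countryName", "US"),), (("organizationName", "Example CA A"),))
CA_B = ((("countryName", "ZZ"),), (("organizationName", "Example CA B"),))

def demo():
    store = {}
    host = "mail.example.com"
    first = observe(store, host, b"cert-one", {"issuer": CA_A})
    same = observe(store, host, b"cert-one", {"issuer": CA_A})
    renewed = observe(store, host, b"cert-two", {"issuer": CA_A})
    swapped = observe(store, host, b"cert-three", {"issuer": CA_B})
    return first, same, renewed, swapped

if __name__ == "__main__":
    for result in demo():
        print(result or "no change")
```

A fingerprint-only change under the same issuer is what a routine renewal looks like; a change of issuer or issuer country is the higher-signal event.
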
  3. Re:This is why you don't do business with China by Ash+Vince · · Score: 2, Informative

    > To add insult to injury, in EU, Chinese imports SIMPLY PAY NO TAXES, sinking the local producers in the process.

    What utter rubbish. Here is the site on the EU website that will allow you to calculate the duty:

    http://ec.europa.eu/taxation_customs/dds/cgi-bin/tarchap?Lang=EN

    It takes a while to figure out how it works, but I just searched for a DVD Recorder (TARIC CODE = 8521900090) and the import duty was 13.9%. Here is the result for non-magnetic tape video recording apparatus:

    http://ec.europa.eu/taxation_customs/dds/cgi-bin/tarduty?Taric=8521900090&SimDate=20100331&Action=1&ProdLine=80&Country=CN/0720&Type=0&Action=1&YesNo=1&Indent=-1&Flag=1&Test=tarduty&Periodic=0&Download=0&Lang=EN&Description=yes

    I am sure there is the odd product that is not covered by duty, but you seem to think everything imported to the EU from China pays no duty; that is plainly not true.

    --
    I dont read /. to RTFA, I read /. to offend people in ignorance.
  4. Re:Damn Chinese! by tlhIngan · · Score: 2, Informative

    > Out of curiosity, could someone actually provide a concrete example of a MITM attack ever being successfully carried out? Bonus points for anyone who can further provide reasons for why this means Firefox no longer likes self signed certs.

    Well, there's SSLSniff that was used to demonstrate faking PayPal certificates (via NULL attacks in browsers). There's also the neat SSLStrip that transforms an HTTPS transaction down to an HTTP one.

    They work by ARP spoofing right now, and if you combine with the IE WPAD (web proxy auto-discovery) mechanism, you could put together a pretty nice MITM attack unit.

    And weren't there reports of a box sold to governments that was designed to do this MITM stuff? Like this appliance? This one's better than SSLSniff as it uses subverted CAs.

    More info - http://arstechnica.com/security/news/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users.ars
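
An added example, not part of the thread: a server-side header audit for the two weaknesses raised in comments 2 and 4, session cookies that travel outside HTTPS and a downgrade from HTTPS to HTTP. It checks the `Secure` cookie attribute, an HSTS policy (`Strict-Transport-Security`, RFC 6797) and redirects that leave HTTPS; the header values and hostname are constructed samples.

```python
def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    return name, {part.split("=", 1)[0].strip().lower() for part in rest}

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or 0."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0

def audit(headers):
    """headers: (name, value) pairs from one HTTPS response."""
    findings, hsts = [], None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = cookie_attrs(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure: also sent over plain HTTP")
        elif lname == "strict-transport-security" and hsts is None:
            hsts = hsts_max_age(value)  # only the first header counts
        elif lname == "location" and value.lower().startswith("http://"):
            findings.append("redirect leaves HTTPS: " + value)
    if not hsts:
        findings.append("no HSTS policy: nothing pins the browser to HTTPS")
    return findings

# Constructed samples: a login-only-HTTPS response and a hardened one.
LOGIN_ONLY = [
    ("Set-Cookie", "SID=constructed123; Path=/; HttpOnly"),
    ("Location", "http://mail.example.com/inbox"),
]
HARDENED = [
    ("Set-Cookie", "SID=constructed123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Location", "https://mail.example.com/inbox"),
]

if __name__ == "__main__":
    for label, sample in (("login-only", LOGIN_ONLY), ("hardened", HARDENED)):
        print(label, audit(sample) or "ok")
```
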

  5. Re:Damn Chinese! by EXrider · · Score: 2, Informative

    > And it's not just Yahoo. None of them (Yahoo, Hotmail, Google) allowed you to use https for the entire email session, including Gmail, until the recent Google hack incident.

    Gmail has offered the option to use HTTPS for your entire session for several years now. I remember discovering it back in '05 while perusing the preferences. It just wasn't the default.

    --
    grep -iw skynet /etc/services