Archive for the ‘CrashBlogging’ Category

Spyware demo shows how spooks hack mobile phones

Wednesday, August 12th, 2015

Intelligence agencies’ secretive techniques for spying on mobile phones are seldom made public.

But a UK security firm has shown the BBC how one tool, sold around the world to spooks, actually works.

It allows spies to take secret pictures with a phone’s camera and record conversations with the microphone, without the phone owner knowing.

Hacking Team’s software was recently stolen from the company by hackers and published on the web.

Almost any data on a phone, tablet or PC can be accessed by the tool and it is fascinating how much it can do.

When Joe Greenwood, of cybersecurity firm 4Armed, saw that source code for the program had been dumped online by hackers, he couldn’t resist experimenting with it.

Although he had to fiddle with the code to make it work, it only took a day before he had it up and running.

The software consists of the surveillance console, which displays data retrieved from a hacked device, and malware planted on the target device itself.

4Armed was careful to note that using it to spy on someone without their consent would be against the law.

Listening in

After testing the software on his own PC, Mr Greenwood soon realised the scope of its capabilities.

“You can download files, record microphones, webcam images, websites visited, see what programs are running, intercept Skype calls,” he told the BBC.

The software even has some in-built features to track Bitcoin payments, which can be difficult to associate with individuals without additional data about when and how transactions were performed.

In a live demonstration of the system, Mr Greenwood showed how an infected phone could be made to record audio from the microphone, even when the device was locked, and use the phone’s camera without its owner knowing.

“We can actually take photos without them realising.

“So the camera in the background is running, taking photos every number of seconds,” explained Mr Greenwood.

It was also possible to listen in on phone calls, access the list of contacts stored on the device and track what websites the phone user was visiting.

 

Both Mr Greenwood and 4Armed’s technical director, Marc Wickenden, said they were surprised by the sleekness of the interface.

Both point out, though, that customers could be paying upwards of £1m for the software and would expect it to be user-friendly, especially if it was intended for use by law enforcers on the beat.

For the tracked user, though, there are very few ways of finding out that they are being watched.

One red flag, according to Mr Greenwood, is a sudden spike in network data usage, indicating that information is being sent somewhere in the background. Experienced spies, however, would be careful to minimise this in order to remain incognito.

At present, spy software like this is only likely to be secretly deployed on the phones and computers of people who are key targets for an intelligence agency.

Spy catcher

The version of the spyware distributed online is now likely to be more easily detected by anti-virus programs because companies analysing the source code are in the process of updating their systems to recognise it.

Security expert Graham Cluley said it should be as easy to detect as malware.

“The danger will be that malicious hackers could take that code and augment it or change it so it no longer looks like Hacking Team’s versions, which might avoid detection,” he added.

The best course of action, said Mr Cluley, is to keep operating systems and software as up to date as possible.

In a statement, a spokesman for Hacking Team said it advised its customers not to use the software once the breach was discovered.

“As soon as the event was discovered, Hacking Team immediately advised all clients to discontinue the use of that version of the software, and the company provided a patch to assure that client surveillance data and other information stored on client systems was secure.

“From the beginning Hacking Team has assumed that the code that has been released is compromised,” he said.

The spokesman added that the software would be operated by clients of Hacking Team, not Hacking Team itself, and therefore no sensitive data relating to ongoing investigations had been compromised in the breach.

“Of course, there are many who would use for their own purposes the information released by the criminals who attacked Hacking Team.

“This was apparently not a concern of the attackers who recklessly published the material for all online.

“Compiling the software would take considerable technical skill, so not just anyone could do that, but that is not to say it is impossible,” he said.

– To the original:  

 

HOW COVERT AGENTS INFILTRATE THE INTERNET TO MANIPULATE, DECEIVE, AND DESTROY REPUTATIONS

Tuesday, August 11th, 2015

– This piece was written by Glenn Greewald on 24 Feb 2014 but it is still relevent.

– dennis

= = = = = = = = = = = = = = = = = = = = = = = = = = =

One of the many pressing stories that remains to be told from the Snowden archive is how western intelligence agencies are attempting to manipulate and control online discourse with extreme tactics of deception and reputation-destruction. It’s time to tell a chunk of that story, complete with the relevant documents.

Over the last several weeks, I worked with NBC News to publish a series of articles about “dirty trick” tactics used by GCHQ’s previously secret unit, JTRIG (Joint Threat Research Intelligence Group). These were based on four classified GCHQ documents presented to the NSA and the other three partners in the English-speaking “Five Eyes” alliance. Today, we at the Intercept are publishing another new JTRIG document, in full, entitled “The Art of Deception: Training for Online Covert Operations.”

By publishing these stories one by one, our NBC reporting highlighted some of the key, discrete revelations: the monitoring of YouTube and Blogger, the targeting of Anonymous with the very same DDoS attacks they accuse “hacktivists” of using, the use of “honey traps” (luring people into compromising situations using sex) and destructive viruses. But, here, I want to focus and elaborate on the overarching point revealed by all of these documents: namely, that these agencies are attempting to control, infiltrate, manipulate, and warp online discourse, and in doing so, are compromising the integrity of the internet itself.

Among the core self-identified purposes of JTRIG are two tactics: (1) to inject all sorts of false material onto the internet in order to destroy the reputation of its targets; and (2) to use social sciences and other techniques to manipulate online discourse and activism to generate outcomes it considers desirable. To see how extremist these programs are, just consider the tactics they boast of using to achieve those ends: “false flag operations” (posting material to the internet and falsely attributing it to someone else), fake victim blog posts (pretending to be a victim of the individual whose reputation they want to destroy), and posting “negative information” on various forums. Here is one illustrative list of tactics from the latest GCHQ document we’re publishing today:

– This article continues and you will do best to read it in its original form as it has many graphic elements.

– to see the original, click here:

 

Websites can track us by the way we type

Friday, July 31st, 2015

– Here’s an article explaining how websites can identify who is typing by watching patterns in how we touch the keys.  I.e., how long you hold particular keys down and how much time elapses between different keystrokes.

– And the article describes a Google Chrome add-on that will mask this for you so you can become anonymous again.

– It is getting harder and harder to move about in the world anonymously.  There are some who would say, “If you are not doing anything wrong, why would you care?”  I don’t subscribe to that.  We are, by common social agreement and oftentimes by the rule of law, innocent until proved guilty.

– The people that hold and use these tools may be benign towards us today but there’s no guarantee that they will remain so in the future.  So, it seems obvious to me that if someone wants to exert greater control over us in the future, they will already have all the tools they need to win the battle to control us before a shot is fired.

– dennis

= = = = = = = = = = = = =

Meet KeyboardPrivacy: a proof-of-concept Google Chrome extension that masks how long your fingers linger on each key you depress as you type and how much of a time lag there is between each of your key presses.

And just why would you need to disguise these typing traits – also known as periodicity – which are as unique to individuals as fingerprints?

Because there’s technology out there that can measure our typing characteristics, on the scale of millisecond-long delays and key presses, and use the data to profile us with such a high degree of accuracy that – Tor or no Tor – you won’t stay anonymous when browsing online.

Examples include profiling technology from a Swedish company called BehavioSec that can identify site visitors, based on their typing habits, with a session score of 99% and a confidence rate of 80%.

That type of success comes after the technology has been trained on a mere 44 input characters.

The extension, designed to obfuscate our typing patterns, comes from security researchers Per Thorsheim and Paul Moore.

On Tuesday, Moore said on his blog that UK banks are rumored to be actively trialing such technology to try to detect and minimize the risk of fraud.

That rumor is backed up by news reports mentioning that, as of March 2013, BehavioSec counted Sweden’s top ten national banks – along with Samsung – among its clients.

Why would the researchers want to fight off banks’ efforts to detect fraudulent activity on our accounts?

And why would bank customers want to reduce security by throwing a monkey wrench – or, really, in this case, it’s more like introducing the technical equivalent of a highly accurate cat walking across our keyboards – into banks’ efforts?

Because as it is, we’re trading privacy for security, Moore said.

…More:

 

Climate change threat must be taken as seriously as nuclear war – UK minister

Wednesday, July 15th, 2015

In foreword to Foreign Office report, Baroness Joyce Anelay highlights holistic risks of global warming, including food security, terrorism and lethal heat levels

The threat of climate change needs to be assessed in the same comprehensive way as nuclear weapons proliferation, according to a UK foreign minister.

Baroness Joyce Anelay, minister of state at the Commonwealth and Foreign Office, said the indirect impacts of global warming, such as deteriorating international security, could be far greater than the direct effects, such as flooding. She issued the warning in a foreword to a new report on the risks of climate change led by the UK’s climate change envoy, Prof Sir David King.

The report, commissioned by the Foreign Office, and written by experts from the UK, US, China and India, is stark in its assessment of the wide-ranging dangers posed by unchecked global warming, including:

  • very large risks to global food security, including a tripling of food prices
  • unprecedented migration overwhelming international assistance
  • increased risk of terrorism as states fail
  • lethal heat even for people resting in shade

The world’s nations are preparing for a crunch UN summit in Paris in December, at which they must agree a deal to combat climate change.

Monday’s report states that existing plans to curb carbon emissions would heighten the chances of the climate passing tipping points “beyond which the inconvenient may become intolerable”. In 2004, King, then the government’s chief scientific adviser, warned that climate change is a more serious threat to the world than terrorism.

“Assessing the risk around [nuclear weapon proliferation] depends on understanding inter-dependent elements, including: what the science tells us is possible; what our political analysis tells us a country may intend; and what the systemic factors are, such as regional power dynamics,” said Anelay. “The risk of climate change demands a similarly holistic assessment.”

The report sets out the direct risks of climate change. “Humans have limited tolerance for heat stress,” it states. “In the current climate, safe climatic conditions for work are already exceeded frequently for short periods in hot countries, and heatwaves already cause fatalities. In future, climatic conditions could exceed potentially lethal limits of heat stress even for individuals resting in the shade.”

It notes that “the number of people exposed to extreme water shortage is projected to double, globally, by mid century due to population growth alone. Climate change could increase the risk in some regions.”

In the worst case, what is today a once-in-30-year flood could happen every three years in the highly populated river basins of the Yellow, Ganges and Indus rivers, the report said. Without dramatic cuts to carbon emissions, extreme drought affecting farmland could double around the world, with impacts in southern Africa, the US and south Asia.

Areas affected by the knock-on or systemic risks of global warming include global security with extreme droughts and competition for farmland causing conflicts. “Migration from some regions may become more a necessity than a choice, and could take place on a historically unprecedented scale,” the report says. “It seems likely that the capacity of the international community for humanitarian assistance would be overwhelmed.”

“The risks of state failure could rise significantly, affecting many countries simultaneously, and even threatening those that are currently considered developed and stable,” says the report. “The expansion of ungoverned territories would in turn increase the risks of terrorism.”

The report also assesses the systemic risk to global food supply, saying that rising extreme weather events could mean shocks to global food prices previously expected once a century could come every 30 years. “A plausible worst-case scenario could produce unprecedented price spikes on the global market, with a trebling of the prices of the worst-affected grains,” the report concludes.

The greatest risks are tipping points, the report finds, where the climate shifts rapidly into a new, dangerous phase state. But the report also states that political leadership, technology and investment patterns can also change abruptly too.

The report concludes: “The risks of climate change may be greater than is commonly realised, but so is our capacity to confront them. An honest assessment of risk is no reason for fatalism.”

– to the original article:

 

Some personal communications

Wednesday, July 15th, 2015

I was talking with some friends of mine, recently, on-line about whether or not Representative Democracies are the best option we have to deal with the world’s increasingly critical problems.

One of them said said:

“Frankly, I think representative democracy is the best tool available to deal with modern 21st Century social and public policy given that democracy is very imperfect form of government but the all the alternatives are far less desirable. Of course, I am all ears if political theorists and politicians can conceive and implement a new form of governance than those over the last several millennia.”

And I agreed with that assertion, though I found it disappointing when juxtaposed with something else that he said (and to which I also agreed). He said:

“Regardless of governance type, I unable to imagine how public policy at the international level needed for global problems, such as climate change, can be addressed rapidly and effectively. The problem is simply too complex, the decisional bodies involved too diverse, and the combined resources required too enormous to do so.”

Earlier in the exchange, this friend had written a detailed discussion of how Representative Democracies work, and in that he referred to the fact that the actors at all levels in such Democracies are all (or almost all) making their choices based on their self interests. This includes the voters on the street, the elected officials and the lobbyists who represent special interests.

From this, I get that Representative Democracies are a method of governance in which competing self-interests have achieved a state of relatively stable balance.

But, self-interests are not the only possible inputs to governance.

Common interests could, and should, be valid inputs as well.

Indeed, we as a species are failing to come to grips with the problems we are facing globally because we haven’t been able to find a way to transcend our self-interests to work for our common good.

Of course the following criticisms of the common good idea could be raised at once:

1. It is extremely unlikely that any group or groups focused on common interests could wrest the power to set governmental policy away from the intrenched self-interests.

2. And hasn’t this been tried before? And wasn’t it called, in its purest form, Communism?

I haven’t any answer for the first criticism. Though I would love to hear some good ideas.

I do note that within our current Representative Democratic systems, there are many NGOs operating. And many of those are focused on issues concerning our common good. But I also note that while they are sincere, and while they do good work, they are nowhere near to wresting control away from the forces that focus on self-interests.

On the second point, I would assert that Communism is not the only system we can formulate that holds our common interests as its highest goal.

A system of governance could be conceived in which there was a Prime Directive (i.e., the highest priority) of governance. And that Prime Directive would be to maximize the quality of life for all of us; both for now and into the indefinite future.

That would certainly be in our global common interest. Singapore, is perhaps the one place I’ve seen that seems to have a glimmer of this.

But beyond the primacy of the Prime Directive, we would all be free to do as we pleased; each in accordance with his or her own special interests.

So, for example, if someone wanted to form a company to go out cut trees for wood, the government would allow them to do so – so long as they did not cut trees faster than they could grow back and so long as nothing they did resulted in a net degradation of the environment we all share.

Capitalists could still be Capitalists.

But their possible activities would be constrained by the Prime Directive if those activities came into conflict with the Prime Directive.

In other words, the common good would always trump self-interest. But, so long as the common good was not threatened, the freedom to do as you like would be guaranteed (Probably as the Second Directive).

I think you can all see the basic idea here which is that what we lack with our current Representative Democracies is any meaningful acknowledgement of our common interests.

And the lack of this puts us in a very untenable place indeed when you consider my friend’s two quotes, above.

—–

Postscript:

After I wrote this, another friend pointed out to me an idea that’s been known and discussed in academia and elsewhere for some time.  It is called “The Tragedy of the Commons” (see Here).  And, his comment was that this idea correlated, quite significantly with the ideas I’ve been exploring here.

So, I went and read the Wikipedia article on The Tragedy of the Common and I quite agreed – there’s a good match.

Privacy groups walk out of US talks on facial recognition guidelines

Monday, July 6th, 2015

– Yes, I have a problem with systems that require us to ‘opt out’ before we can avoid them.

– In New Zealand, recently, one of the airlines was selling its passengers insurance that they specifically had to opt out of if they didn’t want to buy it.

– This one, having to do with facial recognition, is outrageous. It is a simple case of what’s good for the average Joe vs. what’s good for the corporations. And IMHO, the balance should always come down to favoring the average Joe and not the corporations.

– Look at how blatant the corporations are: “Not a single industry representative would agree on the most basic premise: that targets of facial recognition should opt in before companies identify them.

– dennis

= = = = = = = = = = = = = = = = = =

A 16-month effort to set guidelines for use of facial recognition technology that satisfy consumers’ expectations of privacy and meet existing state laws went up in flames on Tuesday.

That’s when all nine civil liberties and consumer advocate groups participating in talks with trade associations on a voluntary code of conduct for US businesses to use facial recognition walked away from the table.

Their reason?

Not a single industry representative would agree on the most basic premise: that targets of facial recognition should opt in before companies identify them.

They’d been at it since February 2014, when the US Department of Commerce’s National Telecommunication and Information Administration (NTIA) brought together industry representatives and privacy advocates to come up with voluntary guidelines.

The nine pro-privacy advocates, including the Electronic Frontier Foundation, the American Civil Liberties Union, the Center for Digital Democracy and other consumer advocates, put up a joint statementexplaining their move.

From the statement:

At this point, we do not believe that the NTIA process is likely to yield a set of privacy rules that offer adequate protections for the use of facial recognition technology. We are convinced that in many contexts, facial recognition of consumers should only occur when an individual has affirmatively decided to allow it to occur. In recent NTIA meetings, however, industry stakeholders were unable to agree on any concrete scenario where companies should employ facial recognition only with a consumer's permission.

According to The Washington Post, the camel’s back broke last Thursday, at the NTIA’s 12th meeting on the issue.

Insiders told the newspaper that this is how it went down:

First, Alvaro Bedoya, the executive director of Georgetown University's Center on Privacy and Law, asked if companies could agree to making opt-in for facial recognition technology the default for when identifying people - meaning that if companies wanted to use someone's face to name them, the person would have to agree to it. No companies or trade associations would commit to that, according to multiple attendees at the meeting.

That’s right: not a single company would agree that consumers should have the say-so in facial recognition.

But while this industry/advocates collaboration on voluntary guidelines has fallen apart, the images companies are collecting without any federal direction haven’t gone anywhere.

Face-slurping companies include tech giants Facebook, Google and Apple.

For its part, Facebook is facing a class action lawsuit over facial recognition, started by an Illinois man who claims the social network violated state privacy laws by not providing him with written notification that his biometric data was being collected or stored.

Also in the mix are retailers, such as Wal-Mart, which love to spot who’s looking at what and for how long inside their stores.

In the UK, things are very similar: Tesco, the UK’s largest supermarket chain, in 2013 announced it was to install facial recognition technology in all 450 of its petrol station forecourts – all the better to target-market at you, my pretty.

The companies trying to hammer out guidelines in the US have turned away not only from the basic premise of opt-in, but also from a specific, concrete scenario of opt-in that was offered up by Justin Brookman, the director of the Center for Democracy & Technology’s consumer privacy project.

According to The Washington Post, Brookman sketched out the concrete scenario like so:

What if a company set up a camera on a public street and surreptitiously used it [to] identify people by name? Could companies agree to opt-in consent there?

The results were the same: not a single company went for opt-in, even under such specific circumstances.

Privacy advocates have said that their withdrawals from the multi-stakeholder process will be a fatal blow to the perceived legitimacy of the NTIA’s efforts, now that it’s just the foxes – as in, the companies implementing facial recognition – guarding the hen house (the hens being all us being surveilled).

But the NTIA says the talks will go on.

An agency spokesperson said this to The Washington Post:

NTIA is disappointed that some stakeholders have chosen to stop participating in our multi-stakeholder engagement process regarding privacy and commercial facial recognition technology. A substantial number of stakeholders want to continue the process and are establishing a working group that will tackle some of the thorniest privacy topics concerning facial recognition technology. The process is the strongest when all interested parties participate and are willing to engage on all issues.

The privacy advocates said in their letter that the barest minimum privacy expectation should be that we can simply walk down the street without our every movement being tracked and without then being identified by name, all thanks to the ever-more-sophisticated technology of facial recognition.

Unfortunately, we have been unable to obtain agreement even with that basic, specific premise. The position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.

It might look good, at least on the surface, that the industry representatives are apparently playing ball by not walking away from the official guidelines-setting process.

But it’s hard to imagine anything privacy-positive coming out of that process now that the privacy advocates have walked away.

And without any guidelines, these companies will continue to use facial recognition in an unregulated environment.

– To the original:  

 

Afghanistan: No Country for Women

Sunday, July 5th, 2015

In war-torn Afghanistan it is not the Taliban that poses the greatest threat to women – it is their own families.

Thirteen years after the fall of the Taliban, women in Afghanistan continue to suffer oppression and abuse.

Research by Global Rights estimates that almost nine out of 10 Afghan women face physical, sexual or psychological violence, or are forced into marriage.

In the majority of cases the abuse is committed by the people they love and trust the most – their families.

While shelters are trying to provide protection and legal help to some, many women return to abusive homes because there is no alternative. Unable to escape their circumstances, some are turning to drastic measures like self-immolation to end their suffering.

…More:  

 

Sixth mass extinction has begun: Study

Monday, June 22nd, 2015

“We emphasise that our calculations very likely underestimate the severity of the extinction crisis, because our aim was to place a realistic lower bound on humanity’s impact on biodiversity,” the researchers wrote.

– We wander through our cities, each trapped in his or her little local world with no idea that the aggregate of all of us is destroying the planet’s ecosphere.  And how are we to know when those we trust to lead us sell our interests and the interests of our children and other species for momentary wealth.  They sell all the future generations and indeed a planet full of billions of years of biodiversity, they sell it all so that they can have ‘the better things’ in their small local dream of what their life’s about. Where are the leaders who truly lead and look out for the long and short term good of all of us?  Without them, we are doomed.  This beautiful world we are looking at is beginning to fade under our aggregate assault and most of us have no idea.

– dennis

New York, June 20 (IANS) The world is witnessing the sixth mass extinction that threatens even our very own existence, warns a new study.

The new study, published in the journal Science Advances, shows that even with extremely conservative estimates, species are disappearing up to about 100 times faster than the normal rate.

The world has seen five recognisable mass extinctions till now and the final one wiped out the dinosaurs 66 million years ago.

“(The study) shows without any significant doubt that we are now entering the sixth great mass extinction event,” said Paul Ehrlich, senior fellow at the Stanford Woods Institute for the Environment.

The researchers have warned that humans could be among the species lost as a result of the current mass extinction event.

“If it is allowed to continue, life would take many millions of years to recover, and our species itself would likely disappear early on,” said lead author Gerardo Ceballos from the Universidad Autonoma de Mexico.

There is general agreement among scientists that extinction rates have reached unparalleled levels since the dinosaurs died out 66 million years ago.

However, some have challenged the theory, believing earlier estimates rested on assumptions that overestimated the crisis.

Using fossil records and extinction counts from a range of records, the researchers compared a highly conservative estimate of current extinctions with a normal “background” rate estimate twice as high as those widely used in previous analyses.

This way, they brought the two estimates – current extinction rate and average background or going-on-all-the-time extinction rate – as close to each other as possible.

“We emphasise that our calculations very likely underestimate the severity of the extinction crisis, because our aim was to place a realistic lower bound on humanity’s impact on biodiversity,” the researchers wrote.

Now, the specter of extinction hangs over about 41 percent of all amphibian species and 26 percent of all mammals, according to the International Union for Conservation of Nature, which maintains an authoritative list of threatened and extinct species.

“There are examples of species all over the world that are essentially the walking dead,” Ehrlich said.

Questions about ISIS

Friday, May 8th, 2015
Sun in Montreal
 
Its a beautiful Spring day here in Montreal, Canada, where I am now.  My partner, Colette, and I just spent an hour eating our sandwiches, sitting in the sun beside a huge square near the center of the city and watching the thousands of people nearby.  People were walking, talking, sitting and eating their lunches, sharing petitions to be signed, visiting, taking in the sun, clowning around, flirting and all of the many things free people do to enjoy such a gorgeous day.
 
In the past few years, Colette and I have spent extended time in several of our advanced democracies. I’m thinking here of New Zealand, France, Australia, The United States and now Canada.
 
Everywhere we’ve gone, I’ve seen people enjoying their rights and their freedoms.  In truth, most of us unconsciously assume the presence of our rights and freedoms; much as the birds assume the air and the fish assume the water.

 
It is so easy for us to forget that it was a long and hard struggle to bring our societies to where they are now.  These rights and freedoms have been with us for so long now that it is easy to forget the desperate places from where we began.
 
In the advanced democracies, that we now live in, we can freely practice our religions. We have certain inalienable human rights. Our women have the same rights as our men. The Rule of Law is firmly established and protects us from the arbitrary taking of our lives, our freedoms, and our goods  by those who think they can simply take what they want from us because they have more brains, money, weapons or power than we do.  We have democratic elections so we can freely choose who will perform the public service functions of our governments. We can go to a government office and get a license for driving, hunting or fishing without having to pay a bribe. We know that if we’re arrested and accused of committing a crime, that we have a right to a trial before a jury of our peers. 
 
You and I could both go on adding to this list.  We have so many fundamental freedoms and rights that we take for granted that it’s hard to even remember what they all are now.
 
But keen students of history and eclectic readers know that it wasn’t always this way. And intrepid world travelers know from direct experience that it is not this way in much of the world around us.
 
A Dark Cloud Rising
 
There is a dark cloud rising in the world.  And I find it is hard to say just why it is arising.  
 
Oh, there’s no shortage of theories and ideas around; including my own.  But they are all just like leaves whirling in a summer zephyr.
 
Saddam Hussein invaded Kuwait in 1990.  I still remember getting up to find the story on my TV screen one morning.  Little did I know all that would follow from that one morning’s news.
 
But somehow, now, 25 years on, the middle-east has become a maelstrom.  
 
I read the news from Iraq, from Afghanistan and from Yemen and I have no idea anymore who the main players are.  Or even if the players I am reading about are good guys or bad guys.  
 
The Shia, the Sunnis, Al Qaeda, Al Shabaab, the Houtis, ISIS, the Syrian Rebels, and on and on.  Refugees are everywhere and they are risking their lives by the tens of thousands in leaky boats and desperate treks to get into Europe where they believe stability exists.  Or perhaps they are striving just to get away from where ever the terror is reigning the hardest behind them.
 
I watch BBC America most nights here in Montreal and often they will have important talking-heads who are former ambassadors or generals coming on to discuss the Middle-East.  I listen but I don’t hear clarity coming from what they have to say.  It all puts me in mind of the three blind men and the elephant parable elevated to the glitter of world news.
 
But, amid all of this, there is a particularly dark cloud to be seen in the midst of all the chaos and confusion and its name is ISIS.  
 
And ISIS puzzles me deeply.  How have they become so powerful so quickly in a world in which the flow of money is so highly regulated and where there are already so many people and weapons staked out on highly contested ground?  
 
Where does ISIS get its money, who is selling them their arms and who is secretly supporting them with both?
 
Everyone publicly disavows them, including the vast majority of moderate Muslims across the world.  And yet their political power, their wealth, their Internet presence, their numbers and their military power continue to grow.  How can this be so?
 
As I said, there are a lot of theories.  
 
One thing I’ve noticed is that in this latest upsurge in Middle-Eastern violence, the U.S. has remaining largely absent.  The U.S. went in after Saddam invaded Kuwait, and then it went in later to oust him, and then it went in after 9/11 to sort out Afghanistan.  
 
And each ‘going in’ was accompanied by great publicly expressed hopes that we’d ‘sort the mess out’ and spread American ideals like democracy, freedom and education far and wide.  And each time that was not the result obtained.  
 
Many American lives were lost, many more of our young lives were blighted by wounding, permanent crippling, and by mental damage from what they’d seen, done and experienced.  Billions of dollars of U.S. tax payer money was blown and the only obvious beneficiaries from these interventions were those U.S. industries that benefit from war.
 
In each case, what the U.S. left behind from their interventions was a bigger mess than when they arrived.  
 
In my mind, the only possible exception to this was when the U.S. ejected Saddam from Kuwait in 1991 and drove him back home with his tail behind his legs and left him there to lick his wounds.
 
So, maybe why we don’t see much U.S. presence in the current middle-eastern mess is because America’s lost heart with the idea that America can ‘sort things out’ with American boots-on-the-ground and American money because most times, it just hasn’t turned out well.  
 
Or, more cynically, maybe the American war industries just don’t see the opportunities for vast profits that they saw before.
 
Regardless of all that blather and the current confusion about what all is going on in the Middle-East, the simple and stark fact is that ISIS is there and they are rising and they are a dark cloud indeed.
 
Sunlight and shadows
 
I began this with a description of an idyllic afternoon in a square in Montreal and I was reflecting on all the hard-won freedoms and rights we enjoy in the advanced democracies.   And, so musing, I commented that after folks have had those rights and freedoms for a long time, it is easy to forget how precious they are and how hard the struggle was to secure them.
 
ISIS is forcing people to convert to their brand of fundamentalist Islam or to face death or slavery.
 
ISIS executes the opposition soldiers they capture in public and horrific manners to instill fear and submission into all that have not yet encountered them.
 
ISIS forces the women they capture to ‘marry’ their soldiers as sexual slaves.
 
ISIS has no tolerance for those who believe differently than they believe. 
 
ISIS takes over areas and imposes a new strict Muslim fundamentalist lifestyle on all whom they conquer.  Even when those whom they conquer are Muslims like themselves, they impose their will without exception.  They rule on how things should be done under penalty of death.  Girls shall not go to school and men shall not shave their beards and so on and so on.
 
I’ve read two chilling accounts of ISIS recently and I’d like to give you the links to these stories here.  I suggest that if you find what I am writing here of interest, that you go sideways for a few minutes and read these two articles.  They are chilling.
 
Article 1: http://tinyurl.com/o3tn7p7  “What ISIS Really Wants” from the Atlantic Magazine.
 
Article 2: http://tinyurl.com/mnajk2e “Searching for mercy in ISIS territory” from CBC Radio
 
Some tough questions you won’t find asked in the press
 
How, in an age wherein virtually everything we do on-line is analyzed under a microscope by governments, internet companies and those who want to sell us things … how can ISIS have such a huge presence on the Internet spewing hate and enticing new recruits and no one seems to be able to do anything about it?  If all these wanna-be jehadi kids are capable of find ISIS’s on-line propaganda, how can the western security services not find it?  And which Internet Service providers in which countries are putting up the web pages?
 
How, in an age when countries are swapping vast amounts of banking and tax information in an effort to clamp down on tax evasion, an age when every bank is mandated to “Know your customer”, how can ISIS own, move and spend millions of dollars on weapons and Internet propaganda?  These folks don’t even have a country!
 
How, in an age when oil supplies and prices are tracked with global precision, can ISIS profitably sell huge amounts of oil from the territories they take over?  Who is buying millions and millions of dollars of this oil and how can the international community not know that it is going on?
 
They have money, they have Internet presence and they are selling oil hand over fist … and it all seems to be a mystery to our governments how they can do such things?
 
And all this in a time when France has just passed new draconian security laws (http://tinyurl.com/mjatkbv) and Canada is about to vote on its new security law, C-51 (http://tinyurl.com/obf9svo).   And when the U.S.’s NSA has got their nose so deep in my underwear drawer that I’m sure they know all the brand names in there.  
 
How is ISIS even able to walk down the global street without getting mugged from six directions by our security services?
 
Where to from here, Dorothy?
 
Generally, I’m considered to be a liberal.  Cut me and you’ll find a tree hugger inside.  But I’m not cut from only one cloth.  
 
For instance, I believe in Capital Punishment.  Show me an incorrigible criminal who shows no signs of ever changing and who has blown several chances already and I’m quite willing to ‘off’ that person so the rest of us can get on with the business of making this a better world.
 
Perhaps, when you reflect on the hard-won freedoms we all enjoy, you may see why I am so deeply opposed to, and intolerant of, ISIS and Muslim Fundamentalism – or any fundamentalism, for that matter, that would impose its view of the world on me by force or stealth.  
 
These people want to throw away the hard-won advances it has taken us literally centuries to put into place like women’s rights, the rule of law and freedom from religious oppression.  
 
They want to take us back to Mohammed’s day in the 6th century.  
 
And I am bitterly opposed to this.  No one who has understood how long a road it has been to move from warlords to democracies, from woman as chattels to women as equals, and from power and corruption to the Rule of Law would ever want to go back.  
 
I am not afraid to tell you, my friends, that I would see the earth under their feet melted into nuclear glass before I would personally let them have a ghost of a chance at succeeding.
 
This world of our is, in fact, a damn mess; regardless of how nice it might be out in the sunlight in a square in Montreal on any given day.  We have got a ton of problems and a huge need to get them sorted out.  
 
But what we don’t need is a bunch of fanatics full of fundamentalist religious fervor who want to take us to the 6th century as a way to solve the world’s problems.
 
But back to the tough questions
 
I asked some questions earlier that I’ve wondered about a lot.  Questions that I have not seen in the press – and yet they are questions that demand answers.   
 
Here are some more.
 
Remember when U.S. forces simply blasted most of Saddam’s army to rubble in a matter of days once the U.S. decided to eject him and his Republican Guard from Kuwait in 1991?  I remember seeing videos of literally miles and miles of burned and destroyed military assets along the roads leading from Kuwait to Iraq.  He was barely left with two sticks to rub together.
 
Contrast this with the fact that more recently we hear that in Iraq ISIS’s forces are ‘threatening’ some town or other in Iraq.  They are coming towards the town and they are gathering outside the town and it is going to be a desperate battle; in spite of U.S. air strikes, we’re told.  What’s wrong with this picture?  ISIS must look like fleas on a linen napkin sitting out there in the desert ‘gathering’.  
 
But no, no one can do anything and after a short while, they take the town.  The U.S. made good efforts with its airstrikes – but what could be done?
 
Even more recently, we hear that the Iraqi’s have finally gotten their sh*t together and were going to eject ISIS from the Iraqi town of Tikrit.   There’s massive buildup of Iraqi forces on one side of Tikrit and then the Iraqi’s attack.  
 
What does ISIS do?  They fight a bit and then pull out of town on the other side and vanish to fight another day.  
 
Oh, nascent military strategists, what’s wrong with this picture?  Could someone not have been bright enough to have thought to have bottled them up from all sides – and ended their fighting days altogether?
 
A lot of this type of lame ‘news’ makes me really suspicious.
 
Here’s one that goes way back:  Remember a long time ago, in 2001, when U.S. forces had gone into Afghanistan and were closing in on Osama bin Laden in the Tora Bora Caves of the White Mountains of Eastern Afghanistan?  Reports at the time said they had him ‘Bottled up’ with no escape.  Later, it was revealed that he had escaped into the tribal zones of western Pakistan.
 
How had this happened to the best and brightest of our military?   
 
Well, it came out later that the U.S. forces had let some of the local Afgani forces, who were fighting as allies of the U.S. military, into the plan.
 
Amazing!  Just damned amazing!   Think of all the fighting and dying that followed his escape – and we’d actually had him.
 
If the U.S. military had anyone on staff who understood Afghani culture, they would have known that tribal loyalties in Afghanistan cut far, far deeper than any loyalty that might be engendered by giving someone a rifle, a uniform and some pay for a few days.  
 
So, the locals who learned of the plan, communicated it to bin Laden’s folks and there you go … he was gone after all that cost, blood and effort to capture him.  And a lot of bad stuff followed on from that oversight.
 
So, where am I leading with all this cynicism?
 
Well, this is my suspicion, nasty as it may sound:
 
I think the folks in the U.S. who make such massive profits from war don’t mind if things run on for a bit.  After all, the money is made from conducting a war, not from ending it.
 
I think the folks in the U.S. who make such massive profits from war have been stung though in recent years by criticisms over how much they’ve spent and how little it has accomplished in the Middle-East.  
 
Every adventure they’ve lead into the Middle-East has left the area in even more turmoil.  And people are getting tired of it.  
 
The world is in worse and worse shape, the U.S. debt is climbing like crazy, the U.S. economy is struggling and we’ve poured billions of dollars into all of this – with very little to show for it.
 
I think the war industry folks have decided to hang back for awhile.   They have no doubt that they can crush ISIS when they need to – but they are in no hurry to proceed.
 
Let the killing and the atrocities continue.  Let the American people get really clear on just how bad ISIS really is.  
 
Let the perception grow that ISIS might get loose and begin attacking people anywhere out in the world.  Wait for the public to rethink its reservations about interventions in the Middle-East and then, when they are squeaking and scared, roll out the forces of truth, goodness and light and obliterate the bad guys.  
 
And, with such a build up and delay, the profits will be even better.

Hacking BIOS Chips isn’t just the NSA’s domain anymore

Monday, March 23rd, 2015

– I’m coming to believe that the only secrets left are the things in your head that you’ve never told another soul.  And I’m increasingly fearful that those who want to dominate our societies in the name of ‘security’ are developing the tools to disarm any who might try to organize against them.

– In the coming years, when the various dominator powers war against each other for global domination, those of us who understand little of these cyber wars will be like rats beneath the wheels of the passing chariots.

– As I see it, the only saving grace is that the type of intelligence it takes to participate in these wars is in no way exclusive to those with the urge to dominate.  But the Dominators do have the enviable advantage of money and organizational power.

– And note well, my friends, that nothing I’ve just said acknowledges in any way the other preeminent fact of our times – that our presence within, expansion into and carelessness with the natural environment around us is virtually certain to bring it down around our ears, unless we change our ways.

– Those going forward from here will increasingly live in ‘interesting times’.  We are truly at a pivot-point in human history and most of us are deeply asleep with regard to how fragile the world around us is becoming.

– dennis

= = = = = = = = = = = = = = = = = = = = = =

THE ABILITY TO hack the BIOS chip at the heart of every computer is no longer reserved for the NSA and other three-letter agencies.  Millions of machines contain basic BIOS vulnerabilities that let anyone with moderately sophisticated hacking skills compromise and control a system surreptitiously, according to two researchers.

The revelation comes two years after a catalogue of NSA spy tools leaked to journalists in Germany surprised everyone with its talk about the NSA’s efforts to infect BIOS firmware with malicious implants.

The BIOS boots a computer and helps load the operating system. By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computer’s operating system were wiped and re-installed.

BIOS-hacking until now has been largely the domain of advanced hackers like those of the NSA. But researchers Xeno Kovah and Corey Kallenberg presented a proof-of-concept attack today at the CanSecWest conference in Vancouver, showing how they could remotely infect the BIOS of multiple systems using a host of new vulnerabilities that took them just hours to uncover. They also found a way to gain high-level system privileges for their BIOS malware to undermine the security of specialized operating systems like Tails—used by journalists and activists for stealth communications and handling sensitive data.

Although most BIOS have protections to prevent unauthorized modifications, the researchers were able to bypass these to reflash the BIOS and implant their malicious code.

Kovah and Kallenberg recently left MITRE, a government contractor that conducts research for the Defense Department and other federal agencies, to launch LegbaCore, a firmware security consultancy. They note that the recent discovery of a firmware-hacking tool by Kaspersky Lab researchers makes it clear that firmware hacking like their BIOS demo is something the security community should be focusing on.

Because many BIOS share some of the same code, they were able to uncover vulnerabilities in 80 percent of the PCs they examined, including ones from Dell, Lenovo and HP. The vulnerabilities, which they’re calling incursion vulnerabilities, were so easy to find that they wrote a script to automate the process and eventually stopped counting the vulns it uncovered because there were too many.

“There’s one type of vulnerability, which there’s literally dozens of instances of it in every given BIOS,” says Kovah. They disclosed the vulnerabilities to the vendors and patches are in the works but have not yet been released. Kovah says, however, that even when vendors have produced BIOS patches in the past, few people have applied them.

“Because people haven’t been patching their BIOSes, all of the vulnerabilities that have been disclosed over the last couple of years are all open and available to an attacker,” he notes. “We spent the last couple of years at MITRE running around to companies trying to get them to do patches. They think BIOS is out of sight out of mind [because] they don’t hear a lot about it being attacked in the wild.”

An attacker could compromise the BIOS in two ways—through remote exploitation by delivering the attack code via a phishing email or some other method, or through physical interdiction of a system. In that case, the researchers found that if they had physical access to a system they could infect the BIOS on some machines in just two minutes. This highlights just how quickly and easy it would be, for example, for a government agent or law enforcement officer with a moment’s access to a system to compromise it.

Their malware, dubbed LightEater, uses the incursion vulnerabilities to break into and hijack the system management mode to gain escalated privileges on the system. System management mode, or SMM, is an operations mode in Intel processors that firmware uses to do certain functions with high-level system privileges that exceed even administrative and root-level privileges, Kovah notes. Using this mode, they can rewrite the contents of the BIOS chip to install an implant that gives them a persistent and stealth foothold. From there, they can install root kits and steal passwords and other data from the system.

But more significantly, SMM gives their malware the ability to read all data and code that appears in a machine’s memory. This would allow their malware, Kovah points out, to subvert any computer using the Tails operating system—the security and privacy-oriented operating system Edward Snowden and journalist Glenn Greenwald used to handle NSA documents Snowden leaked. By reading data in memory, they could steal the encryption key of a Tails user to unlock encrypted data or swipe files and other content as it appears in memory. Tails is meant to be run from a secure USB flash drive or other removable media—so that conceivably it won’t be affected by viruses or other malware that may have infected the computer. It operates in the computer’s memory and once the operating system is shut down, Tails scrubs the RAM to erase any traces of its activity. But because the LightEater malware uses the system management mode to read the contents of memory, it can grab the data while in memory before it gets scrubbed and store it in a safe place from which it can later be exfiltrated. And it can do this while all the while remaining stealth.

“Our SMM attacker lives in a place nobody checks today to see if there’s an attacker,” Kovah says. “System management mode can read everyone’s RAM, but nobody can read System Management Mode’s RAM.”

Such an attack shows, he says, that the operating system Snowden chose to protect himself can’t actually protect him from the NSA or anyone else who can design an attack like LightEater.

– To the original article:  

– research thanks to: K. M.