Shazam keeps your Mac’s mic on

This is why I advocate for more software to be free/open source, because in some cases you have no idea what it’s actually doing. When the code is freely available under a free software or open source license, it becomes possible for third parties to do an audit of the code and to see what it actually does.

Shazam’s Mac app is misleading users by defining “off” as “well your mic is still on and we will only listen to what you say when the app is active, we promise”.

Surveillance Self-Defense Software

Check out this article from The Intercept, detailing how to defend yourself from government surveillance.

Here’s a list of the software that is mentioned, and while some of it is proprietary, I thought it would be alright to list it here because it does protect privacy through encryption technologies:

  • Signal (open source)
  • What’s App (proprietary)
  • Semaphor (proprietary), it’s like Slack but encrypted
  • Let’s Encrypt SSL certificates
  • Tor Browser
  • Qubes, a GNU/Linux distribution that runs everything in disposable virtual machines and compartmentalizes to protect you from USB drive viruses and PDF malware

Canadian spy agency, CSIS, uses illegal bulk data collection to subvert Canadian freedoms

On a beautiful Sunday morning, I have to link to this bit of ugliness on the illegal bulk data collection by the Canadian spy agency, CSIS. Only a handful members of government knew about and it was only revealed because of a court case.

From the article:

Many corporations and government agencies are now gravitating toward so-called big data computer analytics that can predict patterns of future behaviour based upon records about what has happened in the past. Spy agencies are no different, and the centre in question appears to be the Canadian Security Intelligence Service’s equivalent of a crystal ball – a place where intelligence analysts attempt to deduce future threats by examining, and re-examining, volumes of data.

Continue reading “Canadian spy agency, CSIS, uses illegal bulk data collection to subvert Canadian freedoms”

A Unique Approach to the Cryptography Debate

In this article, Paul Rosenberg explains the problem with how the cryptography debate is approached by technologists and pro-crypto and pro-privacy advocates. To refresh your memory, the FBI tried to force Apple to give up security keys, while the NSA has continually tried to break encryption algorithms. One side wants to weaken encryption so the government always has access, another side wants to weaken encryption on a case-by-case basis to give government access, and a third side wants to keep encryption strong even if it disallows all government surveillance.

The problem, according to him, is that the debate is approached by the third side, the pro-privacy side, with emotional arguments about whether politicians know enough about technology to even be proposing laws related to encryption, and that anti-privacy politicians just want to build a surveillance complex to benefit their pals in the surveillance industry. Furthermore, cryptography is presented as an all or nothing affair, it works or it doesn’t.

Mr Rosenberg argues that this approach is not helpful because it does not approach cryptography realistically and does not go deeper into the details, details which politicians and other people need to be informed on this debate.

The unique approach is to elevate the debate to a debate about government regulatory powers, especially their control over freedom of speech and freedom of expression.

Continue reading “A Unique Approach to the Cryptography Debate”

Dyn DNS was attacked by IoT devices

The post-mortem of the attack has been posted by Dyn and it contains a timeline and some information about the attack.

There is an attack timeline which is useful:

Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers.

After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time.

And here is some information about the attack itself (not nearly enough information in my opinion):

At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack

The other articles about this attack are far more thorough in exploring how the Mirai code works and how it can infect Internet of Things devices and where the attacks originated from.

The article from Krebs on Security explains how the Mirai malware works and what types of devices were infected and how.