
Quick Reference Resource Introduction: WikiLeaks CIA Vault 7 Leaks

This series covers links to and analysis of each of the WikiLeaks CIA Vault 7 leaks including:

  1. The WikiLeaks pages;
  2. The associated CIA documents – Specification Documents, Systems Requirements, Installation Guides, User Guides, User Manuals, Test Plans, Tactics Documents, Slides and so on;
  3. Links to a “splash” analysis of each leak on The Hacker News;
  4. Analysis by other third party publications of each leak;
  5. General comments, notes, and links added by AirGap Anonymity Collective as each leak and its previous deployment is more clearly understood;
  6. Analysis and examples of the subsequent use and deployment of these hacking tools by cyber criminals, cyber terrorists, state actors, hackers, and others;

These documents are marked with various security classifications. To understand what these classifications mean see Understanding NSA / INR Security Classifications on Intelligence Assessments;

Posts in this series to date:

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #16 – HighRise;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon;

All third party content is explicitly acknowledged and content or imagery that has been altered or amended for ease of use is clearly marked.  

ENDS

Boiling Privacy Frogs

I really wish that I understood more about psychology and the human condition. The behaviour that puzzles me over and over again and for which I have no explanation is our ability to observe something happening that is detrimental to us in every way and yet do nothing.

It is the “Boiling Frog Phenomenon”, which was allegedly a 19th century science experiment in which a frog was placed in a pan of boiling water and quickly jumped out. However, when the frog was put in cold water and the water slowly boiled over time, the frog did not perceive the danger and just boiled to death. The hypothesis being that the change in temperature was so gradual that the frog did not realize it was boiling to death.

To demonstrate the same effect in terms of the privacy, surveillance, unwarranted government intrusion debate, just trace the evolving public attitude to J. Edgar Hoover’s Subversive Files, COINTELPRO, The Iraq WMD Lie, Snowden & PRISM, and WikiLeaks Vault 7.

I have come to the conclusion that in relation to our right to privacy that we are all frogs in tepid water, the temperature of which is starting to rise rapidly, and we have no intention of jumping out.

ENDS

The Laurel & Hardy of Cybersecurity

When Turnbull and Brandis shuffle off to some home for the bewildered in a few years it is all of us that will be left with the legacy of their carry-on.

Here are some of the victories that these two beauties have presided over, and they don’t even know how it works, not even a little bit:

In an effort to drag the continent out from under the “stupid boy” stereotype, the Lowy Institute for International Policy has just attempted to polish a turd by proposing that despite everything “Australia might be on the right encryption-cracking track” after all.

“From a cyber security perspective, as Patrick Gray has pointed out, sufficient safeguards could be placed around these ‘updates’ to ensure that they couldn’t be reverse engineered – they wouldn’t need to be a ‘backdoor,’ open to abuse. And by focusing on a device rather than a specific app, the displacement effect, so obvious in focusing government efforts on just What’s App or Telegram, would not apply.

In theory then, this model appears promising. How closely it aligns with the legislation promised by Turnbull and George Brandis last week remains to be seen. But whichever legislative model Australia pursues, its progress will be watched closely by governments across the world. And of course, by a whole host of technology and communications companies.

Recent developments suggest that underneath the techno-babble, political point scoring and counter-terrorism blame game, governments the world over are faced by a very real policy problem. Australia may prove to be the test case for a policy solution that has far reaching consequences for privacy, technological development and the future of law enforcement operations.”

Try again gents.

ENDS

Australia Is A Proxy War for the Five Eyes & Also Hogwarts

The Aussie government is pushing a Five Eyes agenda. Australia seems to have become a proxy war in the ongoing assault on privacy. They are to the Surveillance Wars what Yemen is to the Saudi-Iran ideological conflict. It is always a good idea to vary the cast but in reality they are May acolytes. A testing ground.

The amount of nonsense emanating from the encryption debate Down Under though is astonishing. If you have not been keeping up to speed with some of the recent comments down under then here is a quick recap for you:

  1. The George Brandis metadata interview;
  2. George again (36th Attorney-General for Australia) and the summary of his “over a cuppa” conversation with the GCHQ chappie on the feasibility of reading messages sent by platforms implementing end to end encryption such as WhatsApp and Signal – “Last Wednesday I met with the chief cryptographer at GCHQ … And he assured me that this was feasible.”;
  3. Malcolm Turnbull (the Prime Minister) and his alternative theory on the exceptional laws that govern Australian reality “Well, the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia”;
  4. And a much more eloquent articulation by Troy Hunt of the whole phenomenon “Firstly, a quick apology from Australia: we’re sorry. Look, our Prime Minister and Attorney General didn’t try to launch us onto the World Encryption Comedy Stage but unfortunately, here we are.”

In an effort to find something of the same equivalence on the stupidity index as 1-3 above I chose to google “Harry Potter and places where the laws of mathematics do not apply, excluding Australia and Hogwarts”.

One of the things that I found in the search results was the perfectly reasonable comment by a HP fan on a Reddit forum that “Gamp’s Laws of Transfiguration and the Fundamental Laws of Magic spring to mind, they’re pretty much what you can and can’t do with magic. They’re a lot like Newton’s Laws in that they both deal with nature.”

This guy really meant it and so did the other guys he was chatting with. They all really, really believed or rather really, really wanted to believe that it was all real and true and factual.

Just like Brandis and Turnbull believe.

Totally lost in a universe of their own creation where mathematics and people work differently.

And then I found a scholarly dissertation by Shevaun Donelli O’Connell of Indiana University of Pennsylvania titled “Harry Potter and the Order of the Metatext: A Study of Nonfiction Fan Compositions and Disciplinary Writing” which said on P.24 that “I already knew that Harry Potter was an important part of my relationships with my family and friends, but increasingly I realized that Harry Potter metaphors and analogies were working their way into my thinking and teaching about writing.”

And there it was. The struggle is real. It seems many, many people are having trouble distinguishing fantasy from reality.

Christ help us when VRSNs arrive on the scene.

ENDS

So, So Reasonable, The Politics of Fear – Retrofitting Abnormality

I have read many, many reasonable articles about the need for law enforcement and intelligence agencies to have the ability to access the communications of persons of interest.

Patrick Gray recently wrote in “No encryption was harmed in the making of this intercept” that:

“Over the last few days people have been losing their minds over an announcement by the Australian government that it will soon introduce laws to compel technology companies to hand over the communications of their users. This has largely been portrayed as some sort of anti-encryption push, but that’s not my take. At all. Before we look at the government’s proposed “solution,” it might make sense to define some problems, as far as law enforcement and intelligence agencies are concerned. The first problem has very little to do with end-to-end encryption and a lot more to do with access to messaging metadata.”

he continues …

“Thanks to our pal Phineas Fisher, we’ve had a glimpse into the sausage factory that is the law enforcement trojanware industry. Gamma Group and Hacking Team, two companies that make surveillance software for mobile phones, were both hacked by Mr. Fisher and the gory details of their operations laid bare. What we learned is that law enforcement organisations already have perfectly functional trojans that they can install on a target’s phone. These trojans can already intercept communications from encrypted apps.”

and then …

“Do we believe that law enforcement bodies should have the authority to monitor the communications of people suspected of serious criminal offences? If so, what should the legal process for provisioning that access look like? I mentioned auditing access under this scheme a couple of paragraphs ago. If we’re going to have a regime like this, can we have a decent access auditing scheme please? These are the sorts of things I would prefer to be talking about.”

Think about everything that is happening at the moment in terms of the erosion of your privacy, free speech, and civil liberties. And then ask yourself the following:

  1. Do I think that politicians are concerned with striking an appropriate balance between the right to privacy, freedom of speech, and the preservation of civil liberties with the need to maintain the rule of law;
  2. Do I think that the current wave of proposed surveillance legislation is an attempt to normalise abnormal and illegal practices by our governments and intelligence agencies, now that they have been exposed;
  3. Do I think that all of this proposed legislation is engineered to save our governments and intelligence agencies the bother of the endless crisis room PR;
  4. Do I think that our governments and intelligence agencies are tired of having to react to the publication of their illegal practices by whistleblowers;
  5. Do I think instead that they wish to fob off all objections to Mass Surveillance with a dismissive “we’ve heard it all before” hand wave, the benefit of a statute, while mumbling “imminent threat”, “terrorists”, “pedophiles”, “dark markets”;

ENDS

People That Like To Throw Grenades Into Your Privacy

For good or for bad I have a tattoo that reads “Fidarsi è bene non fidarsi è meglio” which literally translated is “To trust is good but to not trust is better.” or colloquially “Better safe than sorry”. At least that’s what Google translate told me. I have to trust it. But Veritas Language Solutions have previously reported on the perils of foreign language tats. Like the man who wanted the Chinese symbols for “Live and let live” on his arm but ended up with the Mandarin for “Sweet and Sour Chicken”. I like sweet and sour chicken.

Your “Mass Surveillance” Reality 

In case you have forgotten the reality of the world that you live in right now (in terms of your Privacy), here is a reminder, before it gets exponentially worse:

“The attitude of these politicians (Trump, May, Valls & Co.) and their intelligence organisations and the new “laws” – in the form of the revised Patriot Act and the Investigatory Powers Act – means that the vast majority of the world’s English speaking population now live under governments who can – legally – invade their privacy at will – whether at home, at work or at leisure – store the information and use it for any purpose, at any time, at any point in the future – for any reason.”

But that is not good enough. Now they want all of your encrypted data too. Just in case.

Pop Quiz

With that as a backdrop here is a pop quiz and my answers to same (Note: I am a paranoid git, and grumpy):

  1. Do I trust Theresa May? – No;
  2. Do I trust Malcolm Turnbull – No;
  3. Do I trust Donald Trump – F**k No;
  4. Do I trust the Five Eyes Intelligence Alliance – No;
  5. Do I trust the Nine Eyes, the Fourteen Eyes, NSA, GCHQ, MI6, ASD, GCSB, CIA, or CSEC – No;
  6. Do I trust the government of the country of my birth or their national security credentials – No;
  7. Do I think that politicians are concerned with striking an appropriate balance between the right to privacy, freedom of speech, and the preservation of civil liberties with the need to maintain the rule of law – No;
  8. Do I trust any bugger who asks me to trust them with the infinite power to snoop on my personal, professional, online, offline, awake, asleep life – Eh, No.

Do you?

ENDS

“Dark Web Criminal Mastermind Kingpin Puppet Master…” Middle Class White Kids

Alexandre Cazes (no a.k.a. yet that I am aware of, but I guess in bad taste a.k.a dead) and Ross Ulbricht, a.k.a Dread Pirate Roberts have clearly got a number of things in common.

Even though Mr. Cazes has only had a couple of weeks of the media spotlight, we know an awful lot about him, mostly from people who did not know him.

One of the things that these men have in common is meaningless labels. These men are – according to the Alphabet Agencies and the Main Stream Media – “dark net drug lords”, “criminal masterminds”, “kingpins”.

You too can make up your own throwaway and meaningless tag for the sake of variety. Everyone is at it, so why not you too. The most recent Gothamesque label that I have read is that Cazes was a “deep web puppet master”.

It all reads like a particularly bad penny dreadful.

We do not have to worry about prejudicing the Cazes trial and we can dispense with using words like “allegedly”. Because he is dead.

That is the second thing that the two men have in common. Cazes won’t be getting a trial, and neither did Ulbricht. No, Ulbricht did not get a trial and do not try to tell me that he did.

Ulbricht got to make a defence – overnight after the Court disallowed the entirety of his prepared defence – in the impossibly biased and corralled environment that was imposed on him.

Guilty or innocent everyone is meant to be entitled to a fair trial. But, not really. Anymore. Trial by media is much better and such a useful tool when trying to get a defendant to cop a plea.

Like refusing Ulbricht a witness list prior to the trial on the basis that he might have them killed. And that on the basis that the original indictment contained a baseless “murder for hire” allegation which was never pursued. It’s called manufacturing your own reality.

Cazes is dead by way of apparent suicide in a Thai jail. Two things that never raise an eyebrow when they appear in the same sentence are “war crimes and Nazis” and “suicide and Thai jail”.

But what does raise my unwieldy eyebrows is that after the “incredibly sophisticated takedown” of Cazes, in the words of those who performed the “takedown” #self-praise, these same guys who are so adept at “incredibly sophisticated” activities could not stay in that groove and keep the guy alive long enough to have him extradited.

Probably best (for them) considering the judicial aftermath of the Ulbricht trial. Everyone likes a neat bundle. Especially when dubiously legal and borderline activities like hacking sovereign nations, or breaching international law are key tools of your “sophisticated” activities.

Just like people have been removed from the reality of the source of their food, their power, their light, now too it seems that one can run an eye-wateringly successful drug empire without ever needing to meet a drug dealer.

A laptop, bitcoins, a couple of offshore accounts, and growing up on the mean streets of a well funded, middle class upbringing full of loving parents, and college educations is all that one needs, apparently.

Also key to these successful enterprises is a manifesto. One must also have a manifesto. No need for a gun, or rudeness. Guns and rudeness are passé in the cyber drug world.

From law enforcement’s perspective it also helps, and without fear of contradiction or oxymoron, if your “incredibly sophisticated takedown” has an “incredibly unsophisticated” end. Such as this in the Cazes case …

“His assets were listed in a spreadsheet on his unencrypted laptop, which authorities, including the Royal Thai Police, the FBI and the DEA, found when they raided his primary residence in Thailand on July 5. They also discovered he was logged into the AlphaBay website as the site administrator and they were able to find passwords for AlphaBay servers, and then seized information and cryptocurrencies from those servers.”

Here are some striking similarities between these two “criminal masterminds” that do not sit well with the labels:

  1. Ulbricht – “hotmail” email address in the header files / welcome messages at the outset which personally identified him;
  2. Cazes – “gmail” email address in the header files / welcome messages at the outset which personally identified him;
  3. Ulbricht – “logged in as the site administrator (Silk Road)” at the “Glen Park branch of the San Francisco Public Library” when arrested;
  4. Cazes – “logged in as the site administrator (AlphaBay)” at home when arrested;
  5. Ulbricht – all the passwords for “Silk Road” on his laptop, unencrypted; (need to fact check this more)
  6. Cazes – all the passwords for “AlphaBay” on his laptop, unencrypted;
  7. Ulbricht – all the cryptocurrency details on his laptop;
  8. Cazes – all the cryptocurrency details on his laptop;

I guess the new batch of dark net Lex Luthors should add to the drug empire “creation myth” to-do list:

  1. Do not forget to remove my personal details from the header files;
  2. Do not forget to remove my personal details from the welcome messages;
  3. Encrypt my laptop, just a little bit;
  4. Look over my shoulder regularly, but most importantly
  5. Get Mom and Dad to pay for “Dark Net Mastermind for Middle Class White Kids” classes;

OR

The FBI, the CIA (illegally operating in domestic criminal cases (DPR)), and the DEA should vary the script that they provide to the media after these “incredibly sophisticated takedowns” with their very unsophisticated but incredibly convenient endings.

ENDS