Fire Hydrant of Freedom

Portland protesters worry violence is taking away from Black Lives Matter message
https://www.usatoday.com/story/news/nation/2020/07/24/portland-protests-violence-continues-amid-calls-for-police-reform/5499523002/


“A lot of the people who are doing it are not Black. They throw shit and start shit and run away and yell 'Black Lives Matter,' and then go home and take off their clothes. But I can’t take off my black," Phillips said. "And the more damage they do to this building— well, everyone thinks it’s people of color doing all this and it’s not."

This is a short clip, I dont know the context around what initiated the conflict but one of the lines shouted by a supposed BLM supporter is alarming to say the least.  I just dont know how else to describe it. 

Short summary
There is an altercation. Guy in blue gets chased, knocked down/out, kicked in the head and "BLM" supporters are shouting things and among one of the phrases heard was "Black Lives Matter F*ggot"

https://www.facebook.com/LGBTrump2020/videos/329673171536745/

https://www.bizpacreview.com/2020/07/14/masked-antifa-protester-taught-a-hard-knock-lesson-after-picking-the-wrong-man-to-mess-with-946542?utm_medium=Newsletter&utm_source=Get+Response&utm_term=EMAIL&utm_content=Newsletter&utm_campaign=bizpac

Ive been following various people on Twitter.  In another post protestors harassed an Asian man because they thought he was Andy Ngo becuase his ears "matched" another photo and, when he confronted them they accused him of walking around in business attire on purpose and called him a PoS.

My wife and I recently  bought a Apple Watches and I have been using the SleepWatch App to track sleeping habits.  So far so good, Ill have to figure out how to share screenshots.
I tried a few of the other apps but SleepWatch seems to work the best for me.

https://mashtips.com/best-sleep-tracking-apps-apple-watch/

I'm guessing that this may be the appropriate thread, this article is from 2018.  If not let me know and Ill move/re-post in the appropriate thread.

Who Are the Proud Boys, and Why Are Nonwhite Men Joining White Supremacist Groups?
https://atlantablackstar.com/2018/10/24/who-are-the-proud-boys-and-why-are-nonwhite-men-joining-white-supremacist-groups/

Source: https://www.sans.org/newsletters/newsbites/xxii/46

--Researchers Find Serious Security Issues in OmniBallot Online Voting System

(June 7 & 8, 2020)

Researchers from the Massachusetts Institute of Technology (MIT) and the University of Michigan have released a report detailing their findings about the security of the OmniBallot Internet voting and ballot delivery system. OnmiBallot, which is produced by Democracy Live, has been used in the past to let voters print ballots, complete them by hand, and return them by mail. For the 2020 election, the system will include online ballot return. The researchers, J. Alex Halderman and Michael Specter, write that the safest option is to avoid using OmniBallot. They note that OmniBallot is vulnerable to vote manipulation by malware on the voters device and by insiders or other attackers and that it appears not to have a privacy policy.[Editor Comments][Pescatore] Two analogies here: (1) A few years ago, I had rotator cuff surgery and the morning of the operation the surgeon came to the prep room with a black marker and wrote This arm and his signature on my right arm; (2) I have never seen, and never want to see, a traffic light that is showing green in all four directions. Errors in presidential elections are pretty much up there with operations on the wrong body part or cars colliding at intersections. There needs to be both manual mechanisms and auditing and safety interlocks built-in to any software-based voting system, just as it is built into surgical procedures even though we have Electronic Health Records, and in traffic signal controller hardware even though we have online light control systems. Every state has rigorous control of traffic lights and there are national standards for them, as well. Since election systems are considered part of the critical national infrastructure, they should be treated just as rigorously.[Neely] If you must use OmniBallot, the most secure option for remote voting remains printing, hand marking, and then returning a paper ballot by mail. The electronic ballot return mechanisms dont include sufficient anti-tampering protections, and even when printing paper ballots, if youre using the application to mark your ballot, OmniBallot collects and sends privacy information from the voters for tabulation. As electronic voting continues to move forward, rigorous testing and validation of security is essential to election integrity and voter confidence.[Murray] There is a fundamental flaw in all such systems. If one makes the ballot unique, even though it would require collusion between the issuer and the counter of ballots, the voter cannot be sure that it cannot be identified with him.  Read more in:

Internet Policy: How to Protect Your Vote
https://internetpolicy.mit.edu/omniballot-advice/

Internet Policy: Security Analysis of the Democracy Live Online Voting System (PDF)
https://internetpolicy.mit.edu/wp-content/uploads/2020/06/OmniBallot.pdf

Statescoop: Researchers say OmniBallot online voting platform is vulnerable to manipulation
https://statescoop.com/researchers-say-omniballot-online-voting-platform-is-vulnerable-to-manipulation/

NYT: Amid Pandemic and Upheaval, New Cyberthreats to the Presidential Election
https://www.nytimes.com/2020/06/07/us/politics/remote-voting-hacking-coronavirus.html

Source: https://www.sans.org/newsletters/newsbites/xxii/48

--Cybersecurity Bills Introduced in US Senate

(June 15, 2020)

US Senator Gary D. Peters (D-Michigan) has introduced two bills aimed to improving the country's cyber security defenses. The Continuity of Economy Act would direct the White House to "develop a plan to ensure essential functions of the economy are able to continue operating in the event of a cyberattack." The bill grew out of a recommendation made by the Cyber Solarium Commission. The National Guard Cybersecurity Interoperability Act of 2020 would help ensure that the National Guard could provide remote cybersecurity support in the event of a cyber incident.


Read more in:

MeriTalk: Two Bills to Bolster Cyber Defenses Introduced in the Senate

https://www.meritalk.com/articles/two-bills-to-bolster-cyber-defenses-introduced-in-the-senate/

 

More cool info via the SANS newsletters

https://www.sans.org/newsletters/newsbites/xxii/43

--Open Letter Calls on Governments to Work Together to Stop Cyberattacks Targeting Healthcare Organizations

(May 25, 26, & 27, 2020)

In a joint statement, the International Committee of the Red Cross and the Cyber Peace Institute have called for governments to take steps to help prevent cyberattacks against healthcare organizations. The signatories of an open letter "call on the world's governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations."


Read more in:

ICRC: Call to governments: Work together to stop cyber attacks on health care

https://www.icrc.org/en/document/governments-work-together-stop-cyber-attacks-health-care

Cyber Peace Institute: A Call to All Governments: Work Together Now to Stop Cyberattacks on the Healthcare Sector

https://cyberpeaceinstitute.org/campaign/call-for-government

The Register: If someone could stop hackers pwning medical systems right now, that would be cool, say Red Cross and friends

https://www.theregister.co.uk/2020/05/26/red_cross_coronavirus_hacking/

ZDNet: Cyberattacks against hospitals must stop, says Red Cross

https://www.zdnet.com/article/cyberattacks-against-hospitals-must-stop-says-red-cross/

SC Magazine: Execs, dignitaries call on nations to help end cyberattacks on health care orgs

https://www.scmagazine.com/home/government/execs-dignitaries-call-on-nations-to-help-end-cyberattacks-on-health-care-orgs/

Love the bassline/groove in this song.
https://youtu.be/sEdqy8yWmww

Almost posted this in the "Power of Words" thread ....
https://youtu.be/8JC-di8CjCY


If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Negativity comes your way
If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Positivity comes your way

If you say love, say strength
Speak good words in abundance
Say health and happiness
You better mean what you say
Say hope, say peace, forgiveness, over standing
Your strength and loyalty
They’re gonna show you the way

[Chorus]
If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Negativity comes your way
If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Positivity comes your way

 know you and you know me, keep it real, take it easy (easy)
Now what you trying to prove, who you trying to trick?
Because friendship and compassion, they can last forever
But I still need you to know

[Chorus]
If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Negativity comes your way
If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Positivity comes your way

Say love, say strength
Speak good words in abundance
Say health and happiness
You better mean what you say
Say hope, say peace, forgiveness, over standing
Your strength and loyalty
They’re gonna show you the way, but

[Chorus]
If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Negativity comes your way
If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Positivity comes your way

If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Negativity comes your way
If you don't think about what you say
Every single time, knowing in your mind
The power in the words won't go away
Positivity comes your way

I've been pretty inactive in various forums for various reasons but in terms of volunteering etc.  It can certainly do good for the soul and mind. My wife and I volunteer to coordinate quarterly Blood Drives at church, we volunteer every 3rd Saturday w/ an Autism event for Teens and Tweens and then I volunteer as the President of a Youth Rugby organization.  It's a lot of work and can kind of be like a side job or two but the rewards of helping the Red Cross save lives, help create an environment where kids on the spectrum can be themselves without anyone batting an eye and creating a program that I hope will grow and provide more opportunities for kids to be active along with potential opportunities for college scholarships other than your standard sports which are already highly competitive and I guess you could say saturated.

I realize most of the posts are in relation to scripture but I thought this may be worthy post in regards to the power of words.

https://www.youtube.com/watch?v=FGEeJy18elE

Very interesting!

I agree Guro, but with all this data sometimes it seems like you will need help interpreting it to make it useful, some of the info is obvious and then since all this data has the ability of being stored in the cloud here come the security issues.  

Which takes us to another thread of Cyber Security.  Now that I am working for a hospital in the InfoSec field I have become more aware of things that I just never thought of.  I read a few articles where your health information is more valuable than just your credit card.  Your health records never really expire and they contain a lot of data about you including your payment methods.

Excerpt:

There has been much discussion on when a big player such as Apple, Facebook or Google fully commit to digital health the industry will scale rapidly. Predictions say that when this happens the sociological tipping point will create a paradigm shift in much the same way the iPhone did for apps and mobile computing or like Amazon did for publishing.

While we aren’t there yet it seems we are moving in that direction and if one large corporation is helping to steer us there more than anyone else it would be Apple. Here’s three reasons why.

http://bionicly.com/2013/03/three-reasons-why-apple-will-bring-digital-health-mainstream/

Not sure if this should go into the Technology thread, its kind of both....

I really dig the new technology health \ fitness related technology that is coming.

http://bionicly.com/2014/04/forget-the-iwatch-10-examples-of-next-generation-body-sensors/

I have stuff like the Bodymedia device and I pitched in on another device by Push Strength.

LAS VEGAS National Security Agency director Gen. Keith Alexander was met with cheers and heckling Wednesday at the Black Hat conference in Las Vegas, an annual meeting of hackers and cybersecurity professionals.

Alexander was asked to give the keynote address at the conference before former NSA contractor Edward Snowden leaked documents to the media about PRISM -- a government surveillance program that collected metadata over telecommunication lines. Black Hat organizers say that he could have easily backed out, but chose to attend open a dialog with the hacking community.

The mood was one of respectful skepticism among a majority of audience members. But halfway through the address, which promised to answer tough questions in the wake of the PRISM leak, some in the audience decided they had heard enough.

Alexander was speaking about ways the controversial initiative FAA 702 has thwarted terrorism plots, when he said of the NSA: "We stand for freedom."

"Bulls***," a heckler in an audience of hundreds yelled out. After a handful of claps, he continued, "You lied to Congress. Why should we believe you're not lying to us?"

Unfazed by the comment, Alexander calmly replied, "I did not lie to Congress."

 
Play VIDEO
Rogers: NSA program stops real terrorist attacks
Alexander spent the majority of his speech explaining how the U.S. government arrived at its current cybersecurity posture and where to go next. The director pointed at some of the major terrorist attacks in the last 20 years, like the first World Trade Center bombing in 1993, the U.S.S. Cole bombing in 2000, and the September 11th attacks as examples of why the intelligence community had to step up its data gathering.

"The intelligence community failed to connect the dots," Alexander said.

Addressing the concerns that NSA analysts can access the personal data of Americans at will, Alexander said there is a misconception about how much information is being accessed, adding that the program can be completely audited.

Leaked documents give new insight into NSA searches
Administration declassifies more NSA surveillance documents
Alexander said there are only 22 people at the NSA who can approve the surveillance of a phone number, and 35 analysts who are authorized to review the queries. Of 300 phone numbers that were approved for query, 12 were reported to the Federal Bureau of Investigation.

The director said that if a query appeared unrelated to national security, its auditing tools would detect it and the analyst would have to explain their intent. He added that an audit conducted by Congress found no incidences of abuse of the program.

Alexander shared a slide that revealed a sample of what a document with metadata looks like. A snippet of a spreadsheet reveals columns including date, time, from address, to address, length, site and source -- not the content of the communication itself. The director added that the NSA does not "collect everything."

"It's focused," Alexander said. "We don't want to collect everything."

Alexander ended his speech with a plea to the audience, saying, "help us defend the country and find a greater solution.The whole reason I came here is to ask you to make it better."

"Read the constitution," a heckler in the audience yelled out.

"I have. You should too," Alexander calmly responded. His comment was followed by cheering from the audience.

http://www.infoworld.com/print/222266

By Roger A. Grimes
Created 2013-07-09 03:00AM

Much of the world is just learning that every major industrialized nation has a state-sponsored cyber army [1] -- though many of the groups, including team USA, have been around for decades.

I've met a few cyber warriors. As you might imagine, they can't talk much about their duties. But if you work shoulder to shoulder with them long enough, certain patterns emerge. For starters, there are a lot of them. They are well armed with cyber weaponry, and they're allowed to experiment and hack in ways that, as we all now know, might be considered illegal in some circles.

[ It's over: All private data is public [2] | Learn how to secure your systems with the Web Browser Deep Dive PDF special report [3] and Security Central newsletter [4], both from InfoWorld. ]

I've been a longtime friend to one cyber warrior. On condition of anonymity, he agreed to be interviewed about what he does for a living and allowed me to record our conversation on a device he controlled, from which I transcribed our conversation. I was able to ask clarifying questions the next day.

We met in person in my boat off the coast of Florida, which might sound very clandestine, except that our primary goal was to catch some fish. It's interesting to note that he did not want me to contact him by email or phone during the months leading up to this interview or for a few months after, even though what he revealed does not disclose any national security secrets. The following is an edited version of our conversation. Certain inconsequential details have been altered to protect his identity.

Grimes: Describe yourself and your occupation.

Cyber warrior: Middle-aged, white male, not married. Somewhat smart. Music lover. Lifetime hacker of all things. Currently working on behalf of armed services to break into other countries' computer systems.

Grimes: What is your background? How did you learn to hack?

Cyber warrior: I got into computers fairly early in my life, though I grew up in a foreign country. My dad split when I was young, and my mom worked a lot. I got into computers by visiting one of the few Radio Shacks near my neighborhood. The sales guy hated me at first because I was always on their computers, but after I taught him a few things, we became good friends for years. I realized I had an aptitude for computers ... that most of the adults around me did not have. By the time I was 15, I had dropped out of school (it wasn't as big of a deal in the country I was in, as it is in most developed countries), and I was working a full-time job as the head IT guy at a federal hospital.

I was hacking everything. I hacked their systems, which wasn't too much of a problem because I was already the head IT guy. They had lost some of the admin passwords to the network and other computer systems, so I had to use my hacking skills to reclaim those systems. I hacked everything: door locks, Master locks, burglar alarms -- anything. For a while, I thought I was a master spy and thief, even though I never stole anything. I would spend all my earnings on buying security systems, install them in my house, then spend all my time trying to bypass them without getting caught. I got pretty good, and soon I was breaking into any building I liked at night. I never got caught, although I did have to run from security guards a few times.

Grimes: What did you like hacking the most: security systems or computer systems?

Cyber warrior: Actually, I loved hacking airwaves the most.


Grimes: You mean 802.x stuff?

Cyber warrior: How cute. How quaint. No, I liked hacking everything that lives in the sky. Computer wireless networks are such a small part of the spectrum. I bought literally dozens of antennas, of all sizes, from small handheld stuff to multi-meter-long, steel antennas. I put them all in a storage shed I rented. I put the antennas up on the roof. I don't know how I didn't get in trouble or why the storage shed people didn't tell me to remove the antennas. I had to learn about electricity, soldering, and power generation. I had dozens of stacked computers. It was my own little cloud, way back when. I would listen for all the frequencies I could. I was next to an airbase and I captured everything I could.

Back then a lot more was open on the airwaves than today. But even the encrypted stuff wasn't that hard to figure out. I would order the same manuals as the equipment they were using and learn about backdoors in their equipment. I could readily break into most of their equipment, including their high-security telephone system. It was fun and heady stuff. I was maybe 16 or 17 then. I was living and sleeping in the shed more than at my home.

One day I started to see strange cars show up: black cars and trucks, with government markings, like out of movie. They cut the lock off my shed and came in the door. My loft was up near the rafters, so I scooted over into the next storage area, climbed down, and went out the side door at the far end of the shed area. I walked off into desert and never went back. I must have left $100,000 worth of computers, radio equipment, and oscilloscopes. To this day, I don't know what happened or would have happened had I stayed -- probably not as much as I was worried about.

Grimes: Then what did you do?

Cyber warrior: My mom got married to my stepdad, and we moved back to the States. I was able to get a computer network admin job pretty quickly. Instead of hacking everything, I started to build operating systems. I'm a big fan of open source, and I joined one of the distros. I wrote laptop drivers for a long time and started writing defensive tools. That evolved into hacking tools, including early fuzzers.

Eventually I got hired by a few of the big penetration-testing companies [5]. I found out that I was one of the elite, even in a group of elites. Most of those I met were using tools they found on the Internet or by the companies that hired us, but all that code was so [messed up]. I started writing all my own tools. I didn't trust any of the hacking tools that most penetration testers rely on. I loved to hack and break into to things, but to be honest, it was pretty boring. Everyone can break into everywhere -- so I made it a game. I would only break in using tools that I built, and I would only consider it a success if none of my probes or attacks ended up in a firewall or other log. That at least made it more challenging.

Grimes: How did you get into cyber warfare?

Cyber warrior: They called me up out of the blue one day -- well, an employment agency on behalf of the other team. They were offering a lot more money, which surprised me, because I had heard that the guys working on behalf of the feds made a lot less than we did. Not true -- it's certainly not true anymore, if you're any good.

I had to take a few tests. I had a few problems getting hired at first because I literally didn't have a background: no credit, no high school or college transcripts. Even the work I had done was not something you could easily verify. But I scored really well on the tests and I was honest on what I had done in the past. They didn't seem to care that I had hacked our own government years ago or that I smoked pot. I wasn't sure I was going to take the job, but then they showed me the work environment and introduced me to a few future coworkers. I was impressed.


Grimes: Explain.

Cyber warrior: They had thousands of people just like me. They had the best computers. They had multiple supercomputers. They had water-cooled computers running around on handtrucks like you would rent library books. The guys that interviewed me were definitely smarter than I was. I went from always being the smartest guy wherever I worked to being just one of the regular coworkers. It didn't hurt my ego. It excited me. I always want to learn more.

Grimes: What happened after you got hired?

Cyber warrior: I immediately went to work. Basically they sent me a list of software they needed me to hack. I would hack the software and create buffer overflow exploits. I was pretty good at this. There wasn't a piece of software I couldn't break. It's not hard. Most of the software written in the world has a bug every three to five lines of code. It isn't like you have to be a supergenius to find bugs.

But I quickly went from writing individual buffer overflows to being assigned to make better fuzzers. You and I have talked about this before. The fuzzers were far faster at finding bugs than I was. What they didn't do well is recognize the difference between a bug and an exploitable bug or recognize an exploitable bug from one that could be weaponized or widely used. My first few years all I did was write better fuzzing modules.

Grimes: How many exploits does your unit have access to?

Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems.

Grimes: Is most of it zero-days?

Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.

Grimes: What do you like hacking now?

Cyber warrior: Funny enough, it's a lot of wireless stuff again: public equipment that everyone uses, plus a lot of military stuff that the general public knows nothing about. It's mostly hardware and controller hacking. But even that equipment is easy to exploit.

Grimes: Does your team sometimes do illegal things?

Cyber warrior: Not that I know of. We get trained in what we can and can't do. If we do something illegal, it's not on purpose. Well, I can't speak for everyone or every team, but I can tell you the thousands of people I work with will not do anything intentionally illegal. I'm sure it happens, but if it happens, it's by mistake. For instance, I know we accidentally intercepted some government official's conversations one day, someone high-level. We had to report it to our supervisors and erase the digital recordings, plus put that track on our red filter list.

Grimes: You say you don't do anything illegal, but our federal laws distinctly say what we cannot offensively hack other nations. And we are hacking other nations [6].

Cyber warrior: They say we can't hack other nations without oversight. John Q. Public and John Q. Corporation can't hack other nations, but our units operate under laws that make what we are doing not illegal.


Grimes: I know you from many years ago, and I think the young you would revile hacking any government by any government. I think I heard you say this many times, and you were passionate about it.

Cyber warrior: I'm still passionate about it, but the older self realizes that the young self didn't have all the facts. We have to do what we do because [other nation states and other armies] are doing it. If we didn't, we would literally be dead. It's already something that I don't know if we are winning. I know we have the best tools, the best people, but our laws actually stop us from being as good as we could be.

Grimes: What about your job would surprise the average American?

Cyber warrior: Nothing.

Grimes: I really think the average American would be surprised you do what you do.

Cyber warrior: I don't agree. I think everyone knows what we have to do to keep up.

Grimes: What does your work location look like?

Cyber warrior:  I work in obscure office park in Northern Virginia. It's close to DC. There's no lettering or identifiers on the building. We park our cars in an underground garage. There are about 5,000 people on my team. I still work for the same staffing company I was hired by. My badge does not say "U.S. government" on it. We are not allowed to bring any computers, electronics, or storage USB drives into the building. They aren't even allowed in our cars, so I'm the guy at lunch without a cellphone. If people were to look around, they could spot us. Look for the group of people being loud that don't have a single cellphone out -- no one texting. Heck, they should let us carry cellphones just so we don't look so obvious.

Grimes: What do you do for a hobby?

Cyber warrior: I play in a hardcore rap/EDM band, if you can imagine that. I play lots of instruments, make beats and percussion stuff. I wish I could make more money doing music than hacking. I'm even considering now leaving my job and doing music. I don't need much money. I have enough for retirement and enough to support my lifestyle.

Grimes: What do you wish we, as in America, could do better hacking-wise?

Cyber warrior: I wish we spent as much time defensively as we do offensively. We have these thousands and thousands of people in coordinate teams trying to exploit stuff. But we don't have any large teams that I know of for defending ourselves. In the real world, armies spend as much time defending as they do preparing for attacks. We are pretty one-sided in the battle right now.

Grimes: What do you think of Snowden [7]?

Cyber warrior: I don't know him.

Grimes: Let me clarify, what do you think of Snowden for revealing secrets [8]?

Cyber warrior: It doesn't bother me one way or the other.

Grimes: What if it could lead to your program shutting down? You'd be without a job.

Cyber warrior: There's no way what we do will be shut down. First, I don't intentionally do anything that involves spying on domestic communications. I don't think anyone in my company does that, although I don't know for sure. Second, it would be very dangerous to stop what we do. We are the new army. You may not like what the army does, but you still want an army.

If I was out of job I'd just get better at playing my instruments. I like to hack them, too.

This story, "In his own words: Confessions of a cyber warrior [9]," was originally published at InfoWorld.com [10]. Keep up on the latest developments in network security [11] and read more of Roger Grimes' Security Adviser blog [12] at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter [13].

Security Hacking Government Security

--------------------------------------------------------------------------------

Source URL (retrieved on 2013-07-17 03:40PM): http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266
Links:
[1] http://www.infoworld.com/t/data-security/us-china-please-stop-hacking-our-companies-if-you-dont-mind-214322
[2] http://www.infoworld.com/d/security/its-over-all-private-data-public-220901?source=fssr
[3] http://www.infoworld.com/browser-security-deep-dive?idglg=?ifwelg_fssr
[4] http://www.infoworld.com/newsletters/subscribe?showlist=infoworld_sec_rpt&source=ifwelg_fssr
[5] http://www.infoworld.com/d/security/penetration-testing-the-cheap-and-not-so-cheap-050
[6] http://www.infoworld.com/d/security-central/stuxnet-marks-the-start-the-next-security-arms-race-282
[7] http://www.infoworld.com/t/cringely/snowden-has-answers-nsa-still-holds-the-questions-220881
[8] http://www.infoworld.com/t/government/nsa-leaker-snowden-leaves-hong-kong-reportedly-russia-221306
[9] http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266?source=footer
[10] http://www.infoworld.com/?source=footer
[11] http://www.infoworld.com/d/security?source=footer
[12] http://www.infoworld.com/blogs/roger-a.-grimes?source=footer
[13] http://twitter.com/infoworld

http://www.google.com/search?hl=en&source=hp&q=Technical+Tactical+Procedures+&gbv=2&oq=Technical+Tactical+Procedures+&gs_l=heirloom-hp.13..0i22i30.641.641.0.2953.1.1.0.0.0.0.281.281.2-1.1.0...0.0...1ac.1.15.heirloom-hp.KIZwIFt223U


Michael Mimoso    July 12, 2013 , 2:25 pm
For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next.

—Jeff Moss

Those are the 105 words that have polarized the hacker community.

DEF CON founder Jeff Moss turned the annual hacker conference on its ear Wednesday night when he asked federal government employees to stay away from this year’s show, which starts Aug.1 in Las Vegas. Strained by the revelations of surveillance by the National Security Agency and accusations of unwarranted access to Americans’ online activities, Moss decided to ask for a timeout.

The reaction since has been mixed, if not predictable. Some think events such as DEF CON should be open and collaborative, and that includes with the feds, while others find it counterintuitive to include the feds at an event that fosters technology and thinking that leads to secure and private communication and enterprise.

Moss, who is currently ICANN’s chief security officer, told Reuters that it was a tough call for him to make.

“The community is digesting things that the Feds have had a decade to understand and come to terms with,” Moss told the news agency. “A little bit of time and distance can be a healthy thing, especially when emotions are running high.”

Moss told Threatpost that he is in Durban, South Africa for the ICANN 45 meetings and was not available for comment at the time of publication.

The fallout has begun already, however, with two researchers pulling out of DEF CON after Moss’ decision. Kevin Johnson and James Jardine of Secure Ideas were scheduled to deliver a talk on SharePoint security, but instead decided against giving the talk at the show. Johnson saw the post on Wednesday night from Moss and slept on it a night before meeting with Jardine and other colleagues and making their final decision.

“It sat wrong with me,” Johnson said. “My immediate reaction was that I don’t want to be part of this.”

“I had the same reaction,” Jardine said. “I said I don’t want to be part of something disallowing or not bringing certain groups invited in.”

Jardine and Johnson explained their position in a blogpost, stating that DEF CON is a neutral ground that encourage open communication regardless of industry.

“We believe the exclusion of the “feds” this year does the exact opposite at a critical time. James and I do not feel that this should be about anti/pro government, but rather a continuation of openness that this event has always encouraged,” Johnson wrote. “We both have much respect for DEF CON and the entire organization and security community. It is with this respect that we are pulling our talk from the DEF CON 21 lineup. We understand that this may cause unfortunate change of plans for some, but feel we have to support our beliefs of cooperative collaboration to improve the state of information security technology.”

Robert Graham, CEO of Errata Security, steered the discussion away from politics and said Moss and DEF CON are simply heading off conflict.

“A highly visible fed presence is likely to trigger conflict with people upset over Snowden-gate. From shouting matches, to physical violence, to ‘hack the fed’, something bad might occur. Or, simply attendees will choose to stay away. Any reasonable conference organizer, be they pro-fed or anti-fed, would want to reduce the likelihood of this conflict,” Graham, a past DEF CON presenter, wrote on his company’s blog. “The easiest way to do this is by reducing the number of feds at DEF CON, by asking them not to come. This is horribly unfair to them, of course, since they aren’t the ones who would be starting these fights. But here’s the thing: it’s not a fed convention but a hacker party. The feds don’t have a right to be there — the hackers do. If bad behaving hackers are going to stir up trouble with innocent feds, it’s still the feds who have to go.”

Nick Selby, another security professional and frequent speaker at industry events, said Moss’ decision is self-defeating. He points out that most hackers understand full well the depths of surveillance by the signals intelligence community.

“The relationship between hackers and feds is symbiotic,” Selby wrote. “To deny this is shortsighted, wrong and panders to a constituency that is irrelevant to our shared goals. It also defies the concept that, ‘Our community operates in the spirit of openness, verified trust, and mutual respect.’”

Black Hat, which precedes DEF CON, features NSA director Gen. Keith B. Alexander as its keynote speaker and several sessions given by employees of government agencies. Black Hat general manager Trey Ford said he would not consider a similar decision to the one made by Moss.

“Black Hat strives to cultivate interaction, innovation, and partnership within the security ecosystem—offense and defense, public and private,” Ford said via email, adding that he hopes Black Hat will move the conversation forward regarding the revelations of NSA surveillance of Americans.

“I think the Prism announcement got more attention than prior leaks to the general population, but we in InfoSec have no excuse for acting like we didn’t know this was possible or happening. (it is done inside companies every day),” Ford said. “Privacy is a very real concern for both the security and intelligence communities and we look forward to encouraging conversations about this very topic onsite. Everyone that comes to Black Hat is serious about security, has a professional level of interest, and is here to engage and improve that conversation.”

Alexander, meanwhile, is still scheduled to deliver his keynote and Ford would not comment on a contingency plan should he pull out, nor did he have specifics on what the general will be speaking about.

“General Alexander faces hard decisions about where privacy and security cross, a way of thinking that the security community is also very familiar with,” Ford said. “I am hoping we get a glimpse into his world and thinking.”

Meanwhile, Johnson said he and Jardine did not make their decision to pull out of DEF CON lightly and their intention is not to have others follow suit.

“[Moss’] decision seems really opposite of what DEF CON stands for. From the reaction of some people, I find it hypocritical where some are saying that [the hacker community’s] idea of openness doesn’t involve the feds. I think that’s naïve,” Johnson said. “Openness has to involve everybody. People have been overwhelmed by political issues and the outing of spying and surveillance. They’re letting their feelings toward that overshadow what the DEF CON message has always been which is to get together, break stuff and learn together.”

Johnson and Jardine said they will still release a paper on their talk which covers an overarching plan for assessing SharePoint installations, including a tool they will release as open source, and guidelines for SharePoint assessments for pen-testers and internal teams to help them understand risks associated with the Microsoft collaboration platform.

*DEF CON image via leduardo‘s Flickr photostream, Creative Commons

http://www.cnn.com/2013/06/30/world/europe/eu-nsa/index.html

As disconcerting as the NSA Prism program is, worth noting is that other powers do this too. 

The question must be asked:

Are we to be the only who does not?

http://www.nytimes.com/2013/07/05/world/europe/france-too-is-collecting-data-newspaper-reveals.html?_r=0&pagewanted=print

By STEVEN ERLANGER
PARIS — Days after President François Hollande sternly told the United States to stop spying on its allies, the newspaper Le Monde disclosed on Thursday that France has its own large program of data collection, which sweeps up nearly all the data transmissions, including telephone calls, e-mails and social media activity, that come in and out of France.

Le Monde reported that the General Directorate for External Security does the same kind of data collection as the American National Security Agency and the British GCHQ, but does so without clear legal authority.

The system is run with “complete discretion, at the margins of legality and outside all serious control,” the newspaper said, describing it as “a-legal.”

Nonetheless, the French data is available to the various police and security agencies of France, the newspaper reported, and the data is stored for an indeterminate period. The main interest of the agency, the paper said, is to trace who is talking to whom, when and from where and for how long, rather than in listening in to random conversations. But the French also record data from large American networks like Google and Facebook, the newspaper said.

Le Monde’s report, which French officials would not comment on publicly, appeared to make some of the French outrage about the revelations of Edward J. Snowden, a former N.S.A. contractor, about the American data-collection program appear somewhat hollow.

But French officials did say privately on Thursday that there was a difference between data collection in the name of security and spying on allied nations and the European Union. While French officials have said that they do not spy on the American Embassy in France, American officials are skeptical of those reassurances, and have pointed out that France has an aggressive and amply financed espionage system of its own.

The French interior minister, Manuel Valls, said Thursday at the July 4 reception at the American ambassador’s residence in Paris that Mr. Hollande’s demands for clear explanations about the reports of American spying were justified because “such practices, if proven, do not have their place between allies and partners.” He said that “in the name of our friendship, we owe each other honesty.”

Separately, in a statement, Mr. Valls said that France had received an asylum request from Mr. Snowden, but that it would be rejected.

The European Parliament, meeting in Strasbourg, France, to debate the Snowden disclosures, overwhelmingly passed a resolution that “strongly condemns the spying on E.U. representations,” warned of its “potential impact on trans-Atlantic relations” and demanded “immediate clarification from the U.S. authorities on the matter.”

The legislators rejected an amendment calling for the postponement of talks scheduled for Monday on a potential European-American free-trade agreement. France and Mr. Hollande had called for the talks to be delayed, but the European Commission said that they would go ahead in parallel with talks on the American spying programs.

Many Europeans have been shocked and outraged less by the idea of American espionage than the sheer scale of the data-collection abroad. According to Mr. Snowden’s revelations, between 15 million and 60 million transmissions are collected by the Americans every day from Germany alone.

American officials had privately warned French officials to be careful about speaking with too much outrage about American espionage given that major European countries like France spy, too, and not just on their enemies.

http://www.deseretnews.com/article/765632912/Al-Qaida-said-to-be-changing-its-ways-after-leaks.html

WASHINGTON — U.S. intelligence agencies are scrambling to salvage their surveillance of al-Qaida and other terrorists who are working frantically to change how they communicate after a National Security Agency contractor leaked details of two NSA spying programs. It's an electronic game of cat-and-mouse that could have deadly consequences if a plot is missed or a terrorist operative manages to drop out of sight.

Terrorist groups had always taken care to avoid detection — from using anonymous email accounts, to multiple cellphones, to avoiding electronic communications at all, in the case of Osama bin Laden. But there were some methods of communication, like the Skype video teleconferencing software that some militants still used, thinking they were safe, according to U.S. counterterrorism officials who follow the groups. They spoke anonymously as a condition of describing their surveillance of the groups. Those militants now know to take care with Skype — one of the 9 U.S.-based Internet servers identified by former NSA contractor Edward Snowden's leaks to The Guardian and The Washington Post.

Two U.S. intelligence officials say members of virtually every terrorist group, including core al-Qaida members, are attempting to change how they communicate, based on what they are reading in the media, to hide from U.S. surveillance. It is the first time intelligence officials have described which groups are reacting to the leaks. The officials spoke anonymously because they were not authorized to speak about the intelligence matters publicly.

The officials wouldn't go into details on how they know this, whether it's terrorists switching email accounts or cellphone providers or adopting new encryption techniques, but a lawmaker briefed on the matter said al-Qaida's Yemeni offshoot, al-Qaida in the Arabian Peninsula, has been among the first to alter how it reaches out to its operatives.

The lawmaker spoke anonymously because he would not, by name, discuss the confidential briefing.

Shortly after Edward Snowden leaked documents about the secret NSA surveillance programs, chat rooms and websites used by like-minded extremists and would-be recruits advised users how to avoid NSA detection, from telling them not to use their real phone numbers to recommending specific online software programs to keep spies from tracking their computers' physical locations.

House Intelligence Committee Chairman Mike Rogers, R-Mich., said there are "changes we can already see being made by the folks who wish to do us harm, and our allies harm."

Sen. Angus King, I-Maine, said Tuesday that Snowden "has basically alerted people who are enemies of this country ... (like) al-Qaida, about what techniques we have been using to monitor their activities and foil plots, and compromised those efforts, and it's very conceivable that people will die as a result."

Privacy activists are more skeptical of the claims. "I assume my communication is being monitored," said Andrew Prasow, senior counterterrorism counsel for Human Rights Watch. She said that's why her group joined a lawsuit against the Director of National Intelligence to find out if its communications were being monitored. The case was dismissed by the U.S. Supreme Court last fall. "I would be shocked if terrorists didn't also assume that and take steps to protect against it," she said.

"The government is telling us, 'This has caused tremendous harm.' But also saying, 'Trust us we have all the information. The US government has to do a lot more than just say it," Prasow said.

At the same time, NSA and other counterterrorist analysts have been focusing their attention on the terrorists, watching their electronic communications and logging all changes, including following which Internet sites the terrorist suspects visit, trying to determine what system they might choose to avoid future detection, according to a former senior intelligence official speaking anonymously as a condition of discussing the intelligence operations.

"It's frustrating. You have to start all over again to track the target," said M.E. "Spike" Bowman, a former intelligence officer and deputy general counsel of the FBI, now a fellow at the University of Virginia's Center for National Security Law. But the NSA will catch up eventually, he predicted, because there are only so many ways a terrorist can communicate. "I have every confidence in their ability to regain access."

Terror groups switching to encrypted communication may slow the NSA, but encryption also flags the communication as something the U.S. agency considers worth listening to, according to a new batch of secret and top-secret NSA documents published last week by The Guardian, a British newspaper. They show that the NSA considers any encrypted communication between a foreigner they are watching and a U.S.-based person as fair game to gather and keep, for as long as it takes to break the code and examine it.

Documents released last week also show measures the NSA takes to gather foreign intelligence overseas, highlighting the possible fallout of the disclosures on more traditional spying. Many foreign diplomats use email systems like Hotmail for their personal correspondence. Two foreign diplomats reached this week who use U.S. email systems that the NSA monitors overseas say they plan no changes, because both diplomats said they already assumed the U.S. was able to read that type of correspondence. They spoke on condition of anonymity because they were not authorized to discuss their methods of communication publicly.

The changing terrorist behavior is part of the fallout of the release of dozens of top-secret documents to the news media by Snowden, 30, a former systems analyst on contract to the NSA.

The Office of the Director for National Intelligence and the NSA declined to comment on the fallout, but the NSA's director, Gen. Keith Alexander, told lawmakers that the leaks have caused "irreversible and significant damage to this nation."

"I believe it will hurt us and our allies," Alexander said.

"After the leak, jihadists posted Arabic news articles about it ... and recommended fellow jihadists to be very cautious, not to give their real phone number and other such information when registering for a website," said Adam Raisman of the SITE Intelligence Group, a private analysis firm. They also gave out specific advice, recommending jihadists use privacy-protecting email systems to hide their computer's IP address, and to use encrypted links to access jihadi forums, Raisman said.

Other analysts predicted a two-track evolution away from the now-exposed methods of communication: A terrorist who was using Skype to plan an attack might stop using that immediately so as not to expose the imminent operation, said Ben Venzke of the private analysis firm IntelCenter.

But if the jihadi group uses a now-exposed system like YouTube to disseminate information and recruit more followers, they'll make a gradual switch to something else that wasn't revealed by Snowden's leaks — moving slowly in part because they'll be trying to determine whether new systems they are considering aren't also compromised, and they'll have to reach their followers and signal the change. That will take time.

"Overall, for terrorist organizations and other hostile actors, leaks of this nature serve as a wake-up call to look more closely at how they're operating and improve their security," Venzke said. "If the CIA or the FBI was to learn tomorrow that its communications are being monitored, do you think it would be business as usual or do you think they would implement a series of changes over time?"

Terrorist groups have already adapted after learning from books and media coverage of "how U.S. intelligence mines information from their cellphones found at sites that get raided in war zones," said Scott Swanson, a forensics intelligence expert with Osprey Global Solutions. "Many are increasingly switching the temporary phones or SIM cards they use and throw them away more often, making it harder to track their network."

The disclosure that intelligence agencies were listening to Osama bin Laden drove him to drop the use of all electronic communications.

"When it leaked that bin Laden was using a Thuraya cellphone, he switched to couriers," said Jane Harman, former member of the House Intelligence Committee and now director of the Woodrow Wilson International Center. "The more they know, the clearer the road map is for them."

It took more than a decade to track bin Laden down to his hiding place in Abbottabad, Pakistan, by following one of those couriers.

Follow Kimberly Dozier on Twitter at http://twitter.com/kimberlydozier

Bradley Manning Trial Begins

The court-martial of Army Pfc. Bradley Manning for offenses related to the leak of classified information has begun. Manning, who has been detained since his 2010 arrest, allegedly gave more than 700,000 government and military documents to WikiLeaks. Among the 22 charges. Manning faces is a count of aiding the enemy, which could bring a life sentence without the chance of parole.

http://www.washingtonpost.com/world/national-security/bradley-manning-court-martial-opens/2013/06/03/9c65ea48-cc51-11e2-8f6b-67f40e176f03_story.html

http://www.washingtonpost.com/world/national-security/bradley-manning-leak-trial-set-to-open-monday-amid-secrecy-and-controversy/2013/06/01/b2bad2fa-c93a-11e2-9f1a-1a7cdee20287_story.html

Insert Quote
http://articles.washingtonpost.com/2013-05-31/opinions/39653041_1_national-security-leaks-npr-reporter-classified-information

Journalists trawling for leaks should be willing to share the risks
By Sarah Chayes,May 31, 2013
Sarah Chayes is a senior associate at the Carnegie Endowment for International Peace. She was an NPR reporter from 1997-2001 and special assistant to the chairman of the Joint Chiefs of Staff from 2010-2011.

“Are you kidding me?”

I was always stunned to hear reporters ask me — as they did half a dozen times when I worked at the Pentagon — to show them some classified document or other. They’d just pop the question blithely, unfazed, without an apparent thought for the implications. My incredulous retort would usually reap an only half-sheepish answer: “Well, I had to ask.”

Countless national security officials have had some version of this conversation – including the State Department security adviser that Fox News correspondent James Rosen  allegedly plumbed for information on North Korea. Rosen wrote in an e-mail that he’d “love to see some internal State Department analyses.”

I’ve served on both sides of the line, as an NPR reporter and a Defense Department official, and it’s from that split perspective that I’ve been observing the furor over the seizure of journalists’ telephone and e-mail records in Justice Department investigations of national security leaks. Especially troubling to some reporters and pundits is a search warrant application  suggesting that Rosen was “an aider and abettor and/or co-conspirator” with his source. Commentators have decried the Justice Department for criminalizing journalism itself.


The value to democracy of a courageous and unfettered press poking into back corners that agencies would rather keep hidden is incontrovertible. But I find myself wondering why journalists shouldn’t shoulder some responsibility for transgressions they often goad their sources to commit.

Every government employee who obtains a security clearance receives a briefing on the rules about accessing and using classified information, and, as part of his or her terms of employment, must sign a piece of paper acknowledging the potential consequences of violating the law. Many officials, including me, have been subjected to a polygraph exam — an exceedingly unpleasant experience for anyone with a conscience or a literal mind. National security staffers’ careers can be wrecked over how they handle documents stamped SECRET.

Reporters, on the other hand, have little to lose when trawling for leaks. No American journalist has been prosecuted for publishing classified information. And the media could gain even greater protections under a shield law or new procedures now being hammered out with the Justice Department .

I’ve heard from reporters and senior government figures alike that the Obama administration’s leak investigations are having a chilling effect on officials who normally interact with journalists. That’s unfortunate, because regular conversations about the business of government, as well as the injection of alternative perspectives by way of the questions reporters ask, or their reflections on what they hear, are critical to a healthy state.

But the stakes might be clearer if sources knew that reporters had skin in the game, too: if they understood that journalists weren’t asking questions idly — in hopes of a passing scoop, or even happy to be made use of in some messaging campaign — but because the information is so critical to the public interest that they are willing to risk repercussions for finding and airing it.


Ads by Google
Security Clearance Help Personnel Security Clearance (PCL) & Facility Security Clearance www.jeffreylawgroup.com
Comparatively unfettered though the press may be in the United States, its courage is frequently lacking. Washington relationships cemented by orchestrated leaks and background innuendo can verge on the sycophantic. Then again, government disingenuousness has also been on display in the current imbroglio.

Far too much information is protected by unwarranted classification. It’s hard to take a system seriously that places so many gigabytes of material that are not critical to national security under the same umbrella as the few nuggets that are. I’ve seen a New Yorker article included among prep documents for a National Security Council meeting stamped SECRET//NOFORN (meaning that only cleared U.S. citizens were allowed to read it). I’ve had a colleague contradict a sunny e-mail he sent me on the unclassified system with a SECRET snarl. Such misuse makes a mockery of rules that the leak investigations seek to enforce.

At least as troubling is the double standard that has seemed to apply in the recent investigations. The six criminal prosecutions under the Obama administration have all targeted working-level government employees. Meanwhile, senior officials leak — or authorize leaks — with impunity.

In September 2010, a flurry of coverage in major U.S. newspapers reported a supposed government decision on how corruption in Afghanistan would be handled. Perusing the articles with growing wonder, I looked down at a memo on my desk. Not only were passages quoted from it classified, the document was also watermarked DRAFT. No decision had been made yet because debate on the draft had not even reached the level of Cabinet secretaries. It was a classic Washington case of offensive leaking. For months, I was convinced that the perpetrator was the late Richard Holbrooke, then special representative to Afghanistan and Pakistan. But I kept asking reporters. Finally I traced the leak to a senior White House official, whose career has progressed untroubled.

Last year, Washington Post columnist David Ignatius was given an exclusive preview of 17 redacted documents that had been retrieved from Osama bin Laden’s compound in Abbottabad, Pakistan. Ignatius wrote that the documents had been declassified but had not yet been made available to the public. More than six weeks later, those 17 documents — and only those 17, out of some 1.5 million scooped up at Abbottabad — were released. How does such selectivity square with a coherent declassification policy?

Perhaps the most remarkable example of disclosure of classified information in plain sight was the detail offered up to the media in the wake of the raid that killed bin Laden — capped off by briefings from then-White House chief counterterrorism adviser John Brennan. The superfluous specificity left a number of officials who had helped plan the raid aghast, including a longtime Washington insider, then-Defense Secretary Robert Gates.

The law, including regulations protecting national security secrets, should be taken seriously, and decisions to break it for reasons of conscience should not be taken lightly. But by the same token, the law should not be stretched for purposes far beyond its original, legitimate intent. And most important, it should be applied equally to all who vow to uphold it.


UPDATE: Saturday, June 1, 2013. Sarah Chayes writes: Thanks to all who have contributed great comments. This is just the type of debate such a fraught issue should generate. One thing I regret in this piece is not taking my argument about over-classification beyond criticism. Could any of you -- particularly with government experience -- suggest practical recommendations for how to reduce the amount of material that gets classified, and how to change the incentives for over-classification? Who should issue what directives? What type of implementation and follow-up mechanisms would have to be designed? Let’s use the comments forum to start hammering out a solution to this long-festering problem.

This article is a 3 page article, probably better to read it at the direct link as it includes examples of how it was used.

Jefferson's Cipher for Lewis
http://lewis-clark.org/content/content-article.asp?ArticleID=2222

You got it Guro, just found another interesting article.

http://lewis-clark.org/content/content-article.asp?ArticleID=2222

This is a 3 page article, its easier to just share the link.

Not picking fights or starting new arguments but portion of a comment intrigued me. 
BTW - I'm still reading the articles listed below.

"...shut down their internet until they understand our concern." 

How easy is it to shut off a country’s Internet?
http://www.washingtonpost.com/blogs/wonkblog/wp/2012/12/01/how-easy-is-it-to-shut-off-a-countrys-internet/


Could It Happen In Your Country?
http://www.renesys.com/blog/2012/11/could-it-happen-in-your-countr.shtml


How did Syria cut off the entire country from the Internet?
http://www.washingtonpost.com/blogs/worldviews/wp/2013/05/08/how-did-syria-cut-off-the-entire-country-from-the-internet/