With laptops banned onboard aircraft, your data is no longer yours if you fly

Gadget Gurus
Privacy Online NewsPrivacy Online News wrote the following post Sun, 16 Apr 2017 09:47:04 -0500

With laptops banned onboard aircraft, your data is no longer yours if you fly

New US regulations ban laptops on board some aircraft, requiring laptops to be in checked luggage. One of the first things you learn in information security is that if an adversary has had physical access to your computer, then it is not your computer anymore. This effectively means that the US three-letter agencies are taking themselves the right to compromise any computer from any traveler on these flights.

According to the United States Department of Homeland Security, which bills the ban as a “change to carry-on items” that affect “ten out of the more than 250 airports that serve the United States internationally”, there is a “security enhancement” because explosives can now be built into “consumer items”, and therefore laptops must now be banned from carry-on luggage and instead checked in.

When looking at this justification, the DHS notably fails to describe how it would be any safer flying with such alleged explosives in checked luggage rather than carry-on luggage onboard the same aircraft. In other words, the justification is utter nonsense, and so, there must be a different reason they issue this edict that they’re not writing about.
“The aviation security enhancements will include requiring that all personal electronic devices larger than a cell phone or smart phone be placed in checked baggage at 10 airports where flights are departing for the United States.”

When Microsoft (finally) trained every single one of their employees in security in the big so-called “security push” around the turn of the century, there were about a dozen insights that they really hammered home, again and again. One of the most important ones related to this was the simple insight of “if an adversary has had physical access to your computer, then it’s not your computer anymore”.

After all, if somebody has had physical access to the machine itself, then they will have been able to do everything from installing hardware keyloggers to booting the machine from USB and possibly get root access to some part of the filesystem – even on a fully encrypted GNU/Linux system, there is a small bootstrap portion that is unencrypted, and which can be compromised with assorted malware if somebody has physical access. They could conceivably even have replaced the entire processor or motherboard with hostile versions.

This is a much more probable reason for requiring all exploitable electronics to be outside of passengers’ field of view.

Remember that both the NSA and the CIA have a history of routinely pwning devices, even from the factory, or intercepting them while being shipped from the factory. (There was one incident where this was revealed last year, after the courier’s package tracking page showed how a new keyboard shipped to a Tor developer had taken a detour around the entire country, with a remarkable two-day stop – marked “delivered” – at a known NSA infiltration facility.)

Now imagine that the laptops and other large computing devices of these travelers — remember that the Tor developer in question was an American citizen! — that these devices will be required to be surrendered to the TSA, the CIA, the NSA, the TLA, and the WTF for several hours while inflight. It’s just not your device anymore when you get it back from the aircraft’s luggage hold – if it was ever there.
If your laptop has been checked in and has been in the TSA’s control, it can no longer be considered your laptop. Any further login to the compromised laptop will compromise your encrypted data, too.

The choice of the ten particular airports is also interesting. It’s the key airports of Dubai, Turkey, Egypt, Saudi Arabia, Kuwait… all predominantly Muslim countries. Some have pointed this out as racial profiling, but there are signs it may be something else entirely and more worrying.

For example, the Intercept presents the measure as a “muslim laptop ban”. The might or might not be an accurate framing, but the worrying part is that this is a best case scenario. More likely, it is a so-called “political test balloon” to check for how much protesting erupts, and to put it bluntly, if they get away with it. If they do, then this can be a precursor to a much wider ban on in-flight laptops – or, as you would more correctly have it, a much wider access for three-letter agencies to people’s laptops and data.

Privacy remains your own responsibility.

The post With laptops banned onboard aircraft, your data is no longer yours if you fly appeared first on Privacy Online News.

#Privacy #Security
Tom Grz
 from Diaspora
Where can I hide my microSD card? Oh, they will probe you there too?
Tom Grz
 from Diaspora
Where can I hide my microSD card? ...Oh, they will probe you There too?
Seth Martin
  last edited: Fri, 21 Apr 2017 18:02:48 -0500  
Once more, with passion: Fingerprints suck as passwords

Biometric data is identity (public), never authentication (secret). You leave a copy of your fingerprints literally on everything you touch.

#Privacy #Security #Passwords #Cybersecurity #Biometrics @Gadget Gurus+ @LibertyPod+
So while it's easy to update your password or get a new credit card number, you can't get a new finger.


and 10 years ago CCC showed how to fake a fingerprint with superglue and wood glue easily:
https://www.youtube.com/watch?v=OPtzRQNHzl0 sorry video is in german.
But (!) fingerprints work well in allowing security agencies to track you around.

believe That is the reason for the push for bio-metrics and fingerprint scanners, in particular.

I have doubt in most security things; originating from Facebook, Apple, Google or Microsoft.
But (!) fingerprints work well in allowing security agencies to track you around.

I believe That is the reason for the push for bio-metrics and fingerprint scanners, in particular.

I have doubt in most security things; originating from Facebook, Apple, Google or Microsoft.
Mozilla’s First Internet Health Report Tackles Privacy and Security

Seth Martin
The Internet Health Report


Welcome to Mozilla’s new open source initiative to document and explain what’s happening to the health of the Internet. Combining research from multiple sources, we collect data on five key topics and offer a brief overview of each.

#Decentralization #Privacy #Internet #Security #Cybersecurity #Mozilla @LibertyPod+ @Gadget Guru+
Secure Messaging Takes Some Steps Forward, Some Steps Back: 2016 In Review

Seth Martin
DeeplinksDeeplinks wrote the following post Thu, 29 Dec 2016 18:10:08 -0600

Secure Messaging Takes Some Steps Forward, Some Steps Back: 2016 In Review

This year has been full of developments in messaging platforms that employ encryption to protect users. 2016 saw an increase in the level of security for some major messaging services, bringing end-to-end encryption to over a billion people. Unfortunately, we’ve also seen major platforms making poor decisions for users and potentially undermining the strong cryptography built into their apps.

WhatsApp makes big improvements, but concerning privacy changes
In late March, the Facebook-owned messaging service WhatsApp introduced end-to-end encryption for its over 1 billion monthly active users.  The enormous significance of rolling out strong encryption to such a large user-base was combined with the fact that underlying Whatsapp’s new feature was the Signal Protocol, a well-regarded and independently reviewed encryption protocol. WhatsApp was not only protecting users’ chats, but also doing so with one of the best end-to-end encrypted messaging protocols out there. At the time, we praised WhatsApp and created a guide for both iOS and Android on how you could protect your communications using it.

In August, however, we were alarmed to see WhatsApp establish data-sharing practices that signaled a shift in its attitude toward user privacy. In its first privacy policy change since 2012, WhatsApp laid the groundwork for expanded data-sharing with its parent company, Facebook. This change allows Facebook access to several pieces of users’ WhatsApp information, including WhatsApp phone number, contact list, and usage data (e.g. when a user last used WhatsApp, what device it was used it on, and what OS it was run on). This new data-sharing compounded our previous concerns about some of WhatsApp’s non-privacy-friendly default settings.

Signal takes steps forward
Meanwhile, the well-regarded end-to-end encryption app Signal, for which the Signal Protocol was created, has grown its user-base and introduced new features.  Available for iOS and Android (as well as desktop if you have either of the previous two), Signal recently introduced disappearing messages to its platform.  With this, users can be assured that after a chosen amount of time, messages will be deleted from both their own and their contact’s devices.

Signal also recently changed the way users verify their communications, introducing the concept of “safety numbers” to authenticate conversations and verify the long-lived keys of contacts in a more streamlined way.

Mixed-mode messaging
2016  reminded us that it’s not as black-and-white as secure messaging apps vs. not-secure ones. This year we saw several existing players in the messaging space add end-to-end encrypted options to their platforms. Facebook Messenger added “secret” messaging, and Google released Allo Messenger with “incognito” mode. These end-to-end encrypted options co-exist on the apps with a default option that is only encrypted in transit.

Unfortunately, this “mixed mode” design may do more harm than good by teaching users the wrong lessons about encryption. Branding end-to-end encryption as “secret,” “incognito,” or “private” may encourage users to use end-to-end encryption only when they are doing something shady or embarrassing. And if end-to-end encryption is a feature that you only use when you want to hide or protect something, then the simple act of using it functions as a red flag for valuable, sensitive information. Instead, encryption should be an automatic, straightforward, easy-to-use status quo to protect all communications.

Further, mixing end-to-end encrypted modes with less sensitive defaults has been demonstrated to result in users making mistakes and inadvertently sending sensitive messages without end-to-end encryption.

In contrast, the end-to-end encrypted “letter sealing” that LINE expanded this year is enabled by default. Since first introducing it for 1-on-1 chats in 2015, LINE has made end-to-end encryption the default and progressively expanded the feature to group chats and 1-on-1 calls. Users can still send messages on LINE without end-to-end encryption by changing security settings, but the company recommends leaving the default “letter sealing” enabled at all times. This kind of default design makes it easier for users to communicate with encryption from the get-go, and much more difficult for them to make dangerous mistakes.

The dangers of unsecure messaging
In stark contrast to the above-mentioned secure messaging apps, a November report from Citizen Lab exposes China’s WeChat messenger’s practice of performing selective censorship on its over 806 million monthly active users.  When a user registers with a Chinese phone number, WeChat will censor content critical of the regime no matter where that user is. The censorship effectively “follows them around,” even if the user switches to an international phone number or leaves China to travel abroad. Effectively, WeChat users may be under the control of China’s censorship regime no matter where they go.

Compared to the secure messaging practices EFF advocates for, WeChat represents the other end of the messaging spectrum, employing algorithms to control and limit access rather than using privacy-enhancing technologies to allow communication. This is an urgent reminder of how users can be put in danger when their communications are available to platform providers and governments, and why it is so important to continue promoting privacy-enhancing technologies and secure messaging.

This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2016.

Like what you're reading? Support digital freedom defense today!

Share this: Image/photo Image/photo Image/photo Image/photo Join EFF

#Encryption #Privacy #Communications #Messaging #Security #WhatsApp #Signal #LINE #Allo #incognito  
@Gadget Guru+ @LibertyPod+
Seth Martin
  last edited: Mon, 02 Jan 2017 10:23:59 -0600  
I would like to highlight the part about "Mixed-mode messaging". I believe that it's especially important that end-to-end encryption be always-on [edit]by default[/edit].
Mike Macgirvin
I tend to disagree about mixed mode messaging. We need a range of communication tools, from hush-hush ultra top secret to public and open. Both ends of the spectrum have problems. That's why you need privacy.
Seth Martin
  last edited: Mon, 02 Jan 2017 10:46:52 -0600  
I agree with you, Mike. I just think it's important for these messaging apps to have encryption on by default to curb authorities targeting those that use the feature selectively.
With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive

Seth Martin
DeeplinksDeeplinks wrote the following post Wed, 17 Aug 2016 09:12:52 -0500

With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive


Microsoft had an ambitious goal with the launch of Windows 10: a billion devices running the software by the end of 2018. In its quest to reach that goal, the company aggressively pushed Windows 10 on its users and went so far as to offer free upgrades for a whole year. However, the company’s strategy for user adoption has trampled on essential aspects of modern computing: user choice and privacy. We think that’s wrong.

You don’t need to search long to come across stories of people who are horrified and amazed at just how far Microsoft has gone in order to increase Windows 10’s install base. Sure, there is some misinformation and hyperbole, but there are also some real concerns that current and future users of Windows 10 should be aware of. As the company is currently rolling out its “Anniversary Update” to Windows 10, we think it’s an appropriate time to focus on and examine the company’s strategy behind deploying Windows 10.

Disregarding User Choice

The tactics Microsoft employed to get users of earlier versions of Windows to upgrade to Windows 10 went from annoying to downright malicious. Some highlights: Microsoft installed an app in users’ system trays advertising the free upgrade to Windows 10. The app couldn’t be easily hidden or removed, but some enterprising users figured out a way. Then, the company kept changing the app and bundling it into various security patches, creating a cat-and-mouse game to uninstall it.

Eventually, Microsoft started pushing Windows 10 via its Windows Update system. It started off by pre-selecting the download for users and downloading it on their machines. Not satisfied, the company eventually made Windows 10 a recommended update so users receiving critical security updates were now also downloading an entirely new operating system onto their machines without their knowledge. Microsoft even rolled in the Windows 10 ad as part of an Internet Explorer security patch. Suffice to say, this is not the standard when it comes to security updates, and isn’t how most users expect them to work. When installing security updates, users expect to patch their existing operating system, and not see an advertisement or find out that they have downloaded an entirely new operating system in the process.

In May 2016, in an action designed in a way we think was highly deceptive, Microsoft actually changed the expected behavior of a dialog window, a user interface element that’s been around and acted the same way since the birth of the modern desktop. Specifically, when prompted with a Windows 10 update, if the user chose to decline it by hitting the ‘X’ in the upper right hand corner, Microsoft interpreted that as consent to download Windows 10.

Time after time, with each update, Microsoft chose to employ questionable tactics to cause users to download a piece of software that many didn’t want. What users actually wanted didn’t seem to matter. In an extreme case, members of a wildlife conservation group in the African jungle felt that the automatic download of Windows 10 on a limited bandwidth connection could have endangered their lives if a forced upgrade had begun during a mission.

Disregarding User Privacy

The trouble with Windows 10 doesn’t end with forcing users to download the operating system. By default, Windows 10 sends an unprecedented amount of usage data back to Microsoft, and the company claims most of it is to “personalize” the software by feeding it to the OS assistant called Cortana. Here’s a non-exhaustive list of data sent back: location data, text input, voice input, touch input, webpages you visit, and telemetry data regarding your general usage of your computer, including which programs you run and for how long.

While we understand that many users find features like Cortana useful, and that such features would be difficult (though not necessarily impossible) to implement in a way that doesn’t send data back to the cloud, the fact remains that many users would much prefer to opt out of these features in exchange for maintaining their privacy.

And while users can opt-out of some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers. A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so. Microsoft also won’t say how long this data is retained, instead providing only general timeframes. Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.

Microsoft has tried to explain this lack of choice by saying that Windows Update won’t function properly on copies of the operating system with telemetry reporting turned to its lowest level. In other words, Microsoft is claiming that giving ordinary users more privacy by letting them turn telemetry reporting down to its lowest level would risk their security since they would no longer get security updates1. (Notably, this is not something many articles about Windows 10 have touched on.)

But this is a false choice that is entirely of Microsoft’s own creation. There’s no good reason why the types of data Microsoft collects at each telemetry level couldn’t be adjusted so that even at the lowest level of telemetry collection, users could still benefit from Windows Update and secure their machines from vulnerabilities, without having to send back things like app usage data or unique IDs like an IMEI number.

And if this wasn’t bad enough, Microsoft’s questionable upgrade tactics of bundling Windows 10 into various levels of security updates have also managed to lower users’ trust in the necessity of security updates. Sadly, this has led some people to forego security updates entirely, meaning that there are users whose machines are at risk of being attacked.

There’s no doubt that Windows 10 has some great security improvements over previous versions of the operating system. But it’s a shame that Microsoft made users choose between having privacy and security.

The Way Forward

Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.

Otherwise it will face backlash in the form of individual lawsuits, state attorney general investigations, and government investigations.

We at EFF have heard from many users who have asked us to take action, and we urge Microsoft to listen to these concerns and incorporate this feedback into the next release of its operating system. Otherwise, Microsoft may find that it has inadvertently discovered just how far it can push its users before they abandon a once-trusted company for a better, more privacy-protective solution.
  • 1. Confusingly, Microsoft calls the lowest level of telemetry reporting (which is not available on Home or Professional editions of Windows 10) the “security” level—even though it prevents security patches from being delivered via Windows Update.
Share this: Image/photo Image/photo Image/photo Image/photo Join EFF

#Privacy #Security #Microsoft #Windows #Cybersecurity @Gadget Guru+ @LibertyPod+
  last edited: Tue, 23 Aug 2016 12:25:46 -0500  
My main OS at home is kubuntu.
Inventor of The Internet’s Most Terrifying Search Engine Shows Us How To Use It

Gadget Gurus
  last edited: Sat, 20 Aug 2016 16:23:21 -0500  
MotherboardMotherboard wrote the following post Sat, 20 Aug 2016 10:00:00 -0500

Inventor of The Internet’s Most Terrifying Search Engine Shows Us How To Use It



The internet isn’t just made of Facebook, Motherboard, 4chan and all your other favorite websites. There are thousands of devices, such as webcams, smart light bulbs, printers, and even smart homes, connected to it and there’s a special search engine that allows you to find them.

It’s called Shodan and it’s a great tool to find insecure devices, so that people can fix them and make the internet safer. Shodan crawls the internet and collects all kind of stuff connected to the internet, from mundane smart fridges to industrial control systems. It’s a powerful tool, and you don’t really appreciate it until you use it yourself, or, better yet, until its inventor shows you what it can do.

We met with Shodan’s creator John Matherly, who gave us a glimpse of all the crazy things you can find with Shodan.

“There’s so many homes connected to the internet,” Shodan’s inventor John Matherly says.

Check out the deleted scene above to learn about Shodan, and check out VICELAND’s documentary series CYBERWAR every Tuesday at 10:30 PM on VICELAND.

#Shodan #Security #Hacking #Privacy #IoT #Cybersecurity
Researchers Discover Tor Nodes Designed to Spy on Hidden Services

Seth Martin
  last edited: Sat, 21 Jan 2017 11:49:04 -0600  
Suspicion Confirmed.

Schneier on SecuritySchneier on Security wrote the following post Fri, 08 Jul 2016 07:01:18 -0500

Researchers Discover Tor Nodes Designed to Spy on Hidden Services

Two researchers have discovered over 100 Tor nodes that are spying on hidden services. Cory Doctorow explains:
These nodes -- ordinary nodes, not exit nodes -- sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used "honeypot" .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions' existence. They didn't advertise the honions' existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.

No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of "infowar" weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).

The Tor project is working on redesigning its system to block this attack.

Vice Motherboard article. Defcon talk announcement.

#Tor #Security #Cybersecurity #Spying #Surveillance @LibertyPod+  @Gadget Guru+
That is very sad news to hear. I'm a free software advocate, that is “free” as in freedom. I very much enjoyed going to libertypod.org in order use social media in a system that I knew respected my freedom. You facilitated a way for me and others to use a network run by volunteers and members of our community. You and others actually cared about free speech and refused to allow all social life on the Internet to be turned into a commodity bought and sold from one master to another. You were not interested in impressing shareholders and you were not interested in the surveillance of your users for money. Instead you were interested in an alternative way we could share ideas outside the control and risk of centralized censorship systems. You were interested in fighting the horrors of the tech society that is being created without privacy and freedom in it. I saw things I was sure Facebook administrators would have deleted and I rejoiced in the fact we were so free that these things were not censored at a whim. I am grateful to have been a part of this great community, made to increase the control of users over social networks. While I am unsure if I will join another pod, use another network like gnusocial or something else I still wanted to thank you Seth, for all the work that you have done to make this possible.
Vecchio Giac
  last edited: Tue, 19 Jul 2016 09:02:13 -0500  
Kris, if you like also open source  and not just free Stallman software , Hubzilla is a fantastic option, a wonderful tool, much different from diaspora gnusocial  etc ...
Seth Martin
Kris, while you're here at lastauth.com, a Hubzilla website, try visiting https://lastauth.com/settings/featured and enable the diaspora protocol so you can communicate with people on diaspora pods. We also have a GNUsocial federation plugin as well. Give it a try, see what you think.