Archive for the ‘Nineteen Eighty-Four’ Category

Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass

May 26, 2014

Accounts accessed from Wi-Fi hotspots and other unsecured networks are wide open.

Memo to anyone who logs in to a WordPress-hosted blog from a public Wi-Fi connection or other unsecured network: It’s trivial for the script kiddie a few tables down to hijack your site even if it’s protected by two-factor authentication.

Yan Zhu, a staff technologist at the Electronic Frontier Foundation, came to that determination after noticing that WordPress servers send a key browser cookie in plain text, rather than encrypting it, as long mandated by widely accepted security practices. The cookie, which carries the tag “wordpress_logged_in,” is set once an end user has entered a valid WordPress user name and password. It’s the website equivalent of the plastic bracelets used by nightclubs. Once a browser presents the cookie, WordPress servers will usher the user behind a velvet rope to highly privileged sections that reveal private messages, update some user settings, publish blog posts, and more. The decision by WordPress engineers to allow the cookie to be transmitted unencrypted makes it susceptible to interception in many cases.

Zhu snagged a cookie for her own account the same way a malicious hacker might and then pasted it into a fresh browser profile. When she visited WordPress she was immediately logged in—without having to enter her credentials and even though she had enabled two-factor authentication. She was then able to publish blog posts, read private posts and blog stats, and post comments that were attributed to her account. As if that wasn’t enough, she was able to use the cookie to change the e-mail address assigned to the account and, if two-factor authentication wasn’t already in place, set up the feature. That means a hacker exploiting the vulnerability could lock out a vulnerable user. When the legitimate user tried to access the account, the attempt would fail, since the one-time passcode would be sent to a number controlled by the attacker. Remarkably, the pilfered cookie will remain valid for three years, even if the victim logs out of the account before then. Zhu blogged about the vulnerability late Thursday.

In a Tweet made Thursday, WordPress lead developer Andrew Nacin confirmed that “cookies can be replayed until expiration.” He said a fix is scheduled for the next WordPress release. In fairness, the exploit doesn’t permit attackers to change passwords, since that setting requires a separate authentication cookie tagged “wordpress_sec,” containing the “secure” flag that causes it to be sent encrypted.

Fortunately, WordPress sites that are self-hosted on a server with full HTTPS support are not susceptible, as long as every page supports HTTPS and cookies contain the “secure” flag. Until a fix is available, WordPress users should ensure the site they’re logging into contains the full HTTPS support. If not, users should avoid logging in on unsecured networks. Even when using networks they trust, users should be aware that privileged employees at ISPs and network providers are able to intercept the unencrypted cookie, and government snoops may be able to do the same.

Republished from Ars Technica.
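The cookie attributes the article turns on (the Secure flag that “wordpress_sec” carries and “wordpress_logged_in” lacked) can be checked directly from a site’s Set-Cookie headers. The following Python is an added example, not code from the article or from WordPress; the sample headers, the cookie-name suffixes and the cookie values are constructed stand-ins, and only the prefixes wordpress_logged_in and wordpress_sec are taken from the article.

```python
"""Audit Set-Cookie headers for authentication cookies missing the Secure
flag. Added example (not WordPress code) modelling the behaviour the
article describes; all headers and cookie values below are constructed."""

# Constructed login response headers (cookie values are fake placeholders).
SAMPLE_SET_COOKIE_HEADERS = [
    "wordpress_logged_in_abc123=alice%7C1495843200%7Cfakehash; path=/; HttpOnly",
    "wordpress_sec_abc123=alice%7C1495843200%7Cfakehash; path=/wp-admin; Secure; HttpOnly",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
]

# Cookie-name prefixes that grant authenticated access. Without the Secure
# flag a browser also sends them over plain HTTP, where anyone on the same
# network segment can read and replay them.
AUTH_COOKIE_PREFIXES = ("wordpress_logged_in", "wordpress_sec")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).

    attrs maps lowercase attribute names to their value, or to True for
    bare flags such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_cookies(headers):
    """Return [(cookie name, [missing flags])] for auth cookies that lack
    Secure or HttpOnly; an empty list means every auth cookie is flagged."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not name.startswith(AUTH_COOKIE_PREFIXES):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def add_secure_flag(header):
    """Return the header with '; Secure' appended if it was missing: the
    property the article says a fully HTTPS site must already have."""
    _name, _value, attrs = parse_set_cookie(header)
    if "secure" in attrs:
        return header
    return header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
    # Expected: wordpress_logged_in_abc123: missing secure
```

Run against a real site’s login response headers, any wordpress_logged_in cookie reported as missing “secure” is exactly the condition the article describes; note that the flag only helps when every page of the site is served over HTTPS.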

Guildford Big Brother

May 9, 2014

A disembodied voice, ordering people about.

Where was it coming from?

As far as I could tell, from a CCTV.

This is Big Brother writ large. It was like a scene out of Nineteen Eighty-four.

Edward Snowden talks to German TV

January 29, 2014

Edward Snowden talking to Germany’s NDR, the broadcaster he chose for his first television interview since he blew the whistle on the NSA’s global dragnet and illegal surveillance. The 30-minute interview was made in strict secrecy in an unspecified location in Russia, where Snowden is currently living under temporary asylum.

At the beginning of the interview, Edward Snowden talks of seeking Russian police protection, because of threats to kill him by the military-security-industrial complex in the US.

If we contract security and intelligence out to private companies, we run two risks: the first is they inflate the value of the intelligence for their own profit, the second is that they use the intelligence for their own commercial gain.

V for Vendetta

September 1, 2013

People should not be afraid of their governments, governments should be afraid of their people. — V

A revolution without dancing is a revolution not worth having. — V

Artists use lies to tell the truth, while politicians use them to cover the truth up. — V

A desperate disease requires a dangerous remedy. — Guy Fawkes

Why do we still commemorate the Fifth of November?

Remember, remember, the 5th of November
The Gunpowder Treason and plot;
I see no reason why Gunpowder Treason
Should ever be forgot.

It was a long time ago.

Guy Fawkes (1570-1606) was an English soldier and a member of a group of Roman Catholic conspirators who attempted to carry out the Gunpowder Plot: to assassinate King James I of England (James VI of Scotland) and the members of both houses of the Parliament of England with a huge explosion. The plot was prevented by his arrest on 5 November 1605.

Anonymous use the Guy Fawkes mask from V for Vendetta, and it has now become commonplace at protests.

A tweet from Egypt, retweeted by Sharif Kouddous: events in Egypt mirror V for Vendetta if you watch the film backwards.

Made me wish to see the film.

I have never seen it anywhere. A week last Saturday, looking in the Oxfam Bookshop in Farnham and not seeing it, I asked; no sooner had I asked than there it was, staring me in the face.

A brilliant, chilling film, very much the world portrayed in Nineteen Eighty-four.

This is the world we are sleepwalking into.

The Egyptian revolution started with one woman posting on YouTube: I am going to stand in Tahrir Square; will anyone join me, or do I stand alone?

Welcome to Police State UK

August 19, 2013

David Miranda, Brazilian associate of journalist Glenn Greenwald, was detained and questioned by the police for nine hours, and his laptop, camera, mobile phone and memory stick were seized, as he passed through Heathrow en route from Berlin to Brazil.

The detention was made using police powers, because they could.

Irrespective of the use of anti-terrorism legislation, it would appear to have been a crude attempt to intimidate Glenn Greenwald, and by implication, intimidation of Edward Snowden by association.

As Greenwald says, the detention had absolutely nothing to do with terrorism as no questions were asked on terrorism:

The stated purpose of this law, as the name suggests, is to question people about terrorism. The detention power, claims the UK government, is used “to determine whether that person is or has been involved in the commission, preparation or instigation of acts of terrorism.”

But they obviously had zero suspicion that David was associated with a terrorist organization or involved in any terrorist plot. Instead, they spent their time interrogating him about the NSA reporting which Laura Poitras, the Guardian and I are doing, as well as the content of the electronic products he was carrying. They completely abused their own terrorism law for reasons having nothing whatsoever to do with terrorism: a potent reminder of how often governments lie when they claim that they need powers to stop “the terrorists”, and how dangerous it is to vest unchecked power with political officials in its name.

Worse, they kept David detained right up until the last minute: for the full 9 hours, something they very rarely do. Only at the last minute did they finally release him. We spent all day – as every hour passed – worried that he would be arrested and charged under a terrorism statute. This was obviously designed to send a message of intimidation to those of us working journalistically on reporting on the NSA and its British counterpart, the GCHQ.

Before letting him go, they seized numerous possessions of his, including his laptop, his cellphone, various video game consoles, DVDs, USB sticks, and other materials. They did not say when they would return any of it, or if they would.

David Miranda was en route from a meeting with independent filmmaker Laura Poitras. Laura Poitras has been repeatedly harassed by the US. David Miranda says that during his nine-hour period of detention he was questioned by six different agents and asked about his entire life.

Under Schedule 7 of the Terrorism Act 2000, police do not need reasonable suspicion to detain a person for up to nine hours and seize equipment for one week; they can do so simply because they are seeking information on terrorism. Those detained are obliged to answer questions; failure to do so is a criminal offence. Those detained are not entitled to be represented by a lawyer.

According to David Anderson, independent reviewer of terrorism legislation, speaking on the BBC Radio 4 lunchtime news programme World at One, 60,000-70,000 people have been detained under Schedule 7, but only 40 were detained for longer than six hours.

Tom Watson MP is demanding answers, as is Keith Vaz MP, chair of the House of Commons Home Affairs Select Committee. Amnesty International has condemned the detention, as have Liberty, the NUJ and the Society of Editors. Brazil has lodged a formal complaint with the UK.

Are all those who question the state now terrorists?

When Glenn Greenwald and Edward Snowden exposed the extent to which the state in the US and the UK was spying on its citizens, the knee-jerk reaction ranged from, at one end of the spectrum, that the two should be summarily executed for treason, to, at the other end, that the ordinary citizen has nothing to fear.

The detention of David Miranda for nine hours for no other reason than intimidation shows the ordinary citizen has everything to fear.

Who ordered the detention? How did they know David Miranda was passing through? Were they aware of his visit to Laura Poitras? At the very least David Miranda must be on a watch list, his name flagged up.

Speaking on the BBC Radio 4 evening news programme The World Tonight, John Schindler, formerly of the NSA and now Professor of National Security Affairs at the US Naval War College in Newport, Rhode Island, where he is a specialist on intelligence and terrorism, said he does not regard Glenn Greenwald as a real journalist, and that if he were, he would be very careful where he travelled.

Writing in exile is something we associate with Aleksandr Solzhenitsyn and Stalinist Russia, or maybe with Iranians outside Iran. But no: Glenn Greenwald is having to write from Brazil. Guardian editor-in-chief Alan Rusbridger is now based outside the UK. The Guardian has had government agents pay them a visit and trash hard drives.

Does this sound like an open and democratic country?

Welcome to Police State UK!

Welcome to Police State USA

August 14, 2013

Lavabit, an encrypted email service believed to have been used by National Security Agency leaker Edward Snowden, has abruptly shut down. The move came amidst a legal fight that appeared to involve U.S. government attempts to win access to customer information.

Lavabit owner and founder Ladar Levison is not even allowed to discuss what is going on or why he has been gagged. He cannot even discuss it with his lawyer.

Unfortunately, I can’t talk about it. I would like to, believe me. I think if the American public knew what our government was doing, they wouldn’t be allowed to do it anymore.

In a message to his customers last week, Levison said:

I have been forced to make a difficult decision: to become complicit in crimes against the American people, or walk away from nearly 10 years of hard work by shutting down Lavabit.

Levison said he was barred from discussing the events over the past six weeks that led to his decision. Soon after, another secure email provider called Silent Circle also announced it was shutting down.

For six years, the FBI has barred a New York man from revealing that the agency had ordered him to hand over personal information about clients of his internet start-up. Finally allowed to speak, Nick Merrill joins Democracy Now in his first broadcast interview to talk about how he challenged the FBI’s use of national security letters.

In early 2004, Nicholas Merrill, who was running an Internet service provider in New York called Calyx, was issued a national security letter that ordered him to hand over detailed private records about some of his customers. Under the law, recipients of the letters are barred from telling anyone about their encounter with the FBI. While Merrill was not the first American to be gagged after receiving a national security letter, he was the first to challenge the FBI’s secret tactics. Merrill went to the American Civil Liberties Union, which then filed the first lawsuit challenging the national security letter statute. In the lawsuit, Merrill was simply identified as John Doe.

It was only in August 2010, after reaching a settlement with the FBI, that Merrill was able to reveal his identity.

“[The case] resulted in the national security letter provision of the PATRIOT Act being ruled unconstitutional twice,” Merrill says. “The problem was, though, we were never able to get to the Supreme Court to get a final, binding ruling that would affect the whole country. … The concern about cybersecurity and the concerns about privacy are really two sides of the same coin. There are a lot of really uncontroversial examples in which organizations and people need confidentiality: Medicine is one, journalism is another, human rights organizations is an obvious third. We’re trying to make the case that if the right of Americans to encrypt their data and to have private information is taken away, that it’s going to have grave, far-reaching effects on many kinds of industries, on our democracy as a whole, and our standing in the world.”

If you receive a National Security Letter, which is not signed by a judge, you cannot discuss it with anyone; you cannot even say that you have received one.

Nearly 200,000 National Security Letters have been served.

NSA Whistleblower Thomas Drake speaks at National Press Club

July 7, 2013

Edward Snowden is not the only NSA whistleblower. Another is Thomas Drake.

Forcing down Evo Morales’s plane was an act of air piracy

July 4, 2013

Denying the Bolivian president air space was a metaphor for the gangsterism that now rules the world

President Evo Morales arrives at El Alto airport in La Paz

Imagine the aircraft of the president of France being forced down in Latin America on “suspicion” that it was carrying a political refugee to safety – and not just any refugee but someone who has provided the people of the world with proof of criminal activity on an epic scale.

Imagine the response from Paris, let alone the “international community”, as the governments of the west call themselves. To a chorus of baying indignation from Whitehall to Washington, Brussels to Madrid, heroic special forces would be dispatched to rescue their leader and, as sport, smash up the source of such flagrant international gangsterism. Editorials would cheer them on, perhaps reminding readers that this kind of piracy was exhibited by the German Reich in the 1930s.

The forcing down of Bolivian President Evo Morales’s plane – denied airspace by France, Spain and Portugal, followed by his 14-hour confinement while Austrian officials demanded to “inspect” his aircraft for the “fugitive” Edward Snowden – was an act of air piracy and state terrorism. It was a metaphor for the gangsterism that now rules the world and the cowardice and hypocrisy of bystanders who dare not speak its name.

In Moscow, Morales had been asked about Snowden – who remains trapped in the city’s airport. “If there were a request [for political asylum],” he said, “of course, we would be willing to debate and consider the idea.” That was clearly enough provocation for the Godfather. “We have been in touch with a range of countries that had a chance of having Snowden land or travel through their country,” said a US state department official.

The French – having squealed about Washington spying on their every move, as revealed by Snowden – were first off the mark, followed by the Portuguese. The Spanish then did their bit by enforcing a flight ban of their airspace, giving the Godfather’s Viennese hirelings enough time to find out if Snowden was indeed invoking article 14 of the Universal Declaration of Human Rights, which states: “Everyone has the right to seek and to enjoy in other countries asylum from persecution.”

Those paid to keep the record straight have played their part with a cat-and-mouse media game that reinforces the Godfather’s lie that this heroic young man is running from a system of justice, rather than preordained, vindictive incarceration that amounts to torture – ask Bradley Manning and the living ghosts in Guantánamo.

Historians seem to agree that the rise of fascism in Europe might have been averted had the liberal or left political class understood the true nature of its enemy. The parallels today are very different, but the Damocles sword over Snowden, like the casual abduction of Bolivia’s president, ought to stir us into recognising the true nature of the enemy.

Snowden’s revelations are not merely about privacy, or civil liberty, or even mass spying. They are about the unmentionable: that the democratic facades of the US now barely conceal a systematic gangsterism historically identified with, if not necessarily the same as, fascism. On Tuesday, a US drone killed 16 people in North Waziristan, “where many of the world’s most dangerous militants live”, said the few paragraphs I read. That by far the world’s most dangerous militants had hurled the drones was not a consideration. President Obama personally sends them every Tuesday.

In his acceptance of the 2005 Nobel prize in literature, Harold Pinter referred to “a vast tapestry of lies, upon which we feed”. He asked why “the systematic brutality, the widespread atrocities” of the Soviet Union were well known in the west while America’s crimes were “superficially recorded, let alone documented, let alone acknowledged”. The most enduring silence of the modern era covered the extinction and dispossession of countless human beings by a rampant US and its agents. “But you wouldn’t know it,” said Pinter. “It never happened. Even while it was happening it never happened.”

This hidden history – not really hidden, of course, but excluded from the consciousness of societies drilled in American myths and priorities – has never been more vulnerable to exposure. Snowden’s whistleblowing, like that of Manning and Julian Assange and WikiLeaks, threatens to break the silence Pinter described. In revealing a vast Orwellian police state apparatus servicing history’s greatest war-making machine, they illuminate the true extremism of the 21st century. Unprecedented, Germany’s Der Spiegel has described the Obama administration as “soft totalitarianism”. If the penny is falling, we might all look closer to home.

John Pilger

Published in The Guardian.

As this drama unfolded on Tuesday night, I was shocked: the presidential plane (which I assume has diplomatic immunity) of a neutral country with which we are not at war was denied airspace over France, Portugal and Italy, and was finally forced to make an emergency landing in Austria as it was running out of fuel.

In the past this action would have been seen as an Act of War. The Bolivian Minister of Defence who was on board said it put at risk the lives of those on board the presidential aircraft.

The reason for the actions of these countries in denying airspace, and for Austria demanding to search the plane, was a rumour that Edward Snowden may have been on board.

How spineless were these countries, jumping to the diktat of the US.

Wednesday I turned on the radio, expecting to hear extensive coverage. There was nothing, nada, a total news blackout.

I should not be shocked, not even surprised, this is the way the world works. The US super bully barks and the rest of the world jumps.

These same countries which denied airspace to President Morales of Bolivia, were only too happy to allow US extraordinary rendition flights taking captives to US offshore torture camps.

This is not even about detaining, capturing or killing Edward Snowden, who has exposed the extent of the criminal activities of the US. This is about sending a very clear warning to any future whistleblowers: you will be hounded to the ends of the earth, and if we catch you, you will be tortured as we have tortured Bradley Manning.

Glenn Greenwald Speaks Out

July 3, 2013

Glenn Greenwald on journalism, Ed Snowden and US mass surveillance.

Insider Threat

June 25, 2013

Spy on your fellow American citizen; if you have the slightest suspicion, report them.

Does this not sound like Big Brother in Nineteen Eighty-Four?

Does this not sound like Stalinist Russia?

Does this not sound like North Korea?