The Electronic Frontier Foundation has asked Verizon, a certificate authority, to stop trusting the certificate issued to Etisalat.
Etisalat was caught using its authority to sign an update for BlackBerry devices in the United Arab Emirates which caused malicious code to be downloaded onto BlackBerry users' devices without their consent. This code (better described as surveillance software) was used by the government of the UAE to spy on BlackBerry users.
Because browsers and other software trust Etisalat's authority, any user's SSL connection with any site could be hijacked completely transparently. This leaves their personal information vulnerable, as well as their computers if they download executable code signed by Etisalat.
Hopefully Verizon revokes this certificate and the SSL trust system is made slightly more secure. As long as trust in this system is not distributed and instead resides in a hierarchy, problems like this will continue to occur.
March 12th 2010, 6pm-9pm
Digital Security and Tactics For (and By) Anti-Authoritarians is a one-night attempt to share information, skills, tools, and news on digital security among an anti-authoritarian tech and activist community. It will be a 3 hour meeting with presentations on basic digital security practices and tools from
* Ringo of Olympia Hackbloc presenting on basic computer security, privacy, encryption, and anonymity
* overview and use of Tor by Jacob Appelbaum,
* tentative report back from Elija of riseup.net,
* and a discussion of next generation tools for activists by Elliott Madison, arrested in PA during the G20 action for allegedly using twitter.
Oly Hackbloc to Lead Security, Communications Workshops in Denver Next Week!
Next Tuesday and Wednesday, December 22nd and 23rd, the Olympia Hackbloc (on tour!) will be leading a workshop series on security culture, computer security, encryption, and anonymity. These workshops are targeted towards activists, journalists, and members of the general public. We will also be giving a workshop on using Twitter as a communications system for actions. This system was used during the most recent RNC and the last two rounds of Port Militarization Resistance.
"This holiday season you have the chance to give a great gift to someone you love. That gift being security and peace of mind. This is a great chance for you to hone your skills and develop them if you feel overwhelmed by the topic. Two years ago I took Ringo's workshop and have taken one since then. That's two and this one will be my third."
After years of wishing and hoping for a distribution of Linux that would have everything anarchists need, I have begun a new project named Anarchybuntu.
As of right now it is just a group on we.riseup.net, but hopefully we can get to the point of making a Debian-based distro that includes tools that anarchists care about, such as
-Full Disk Encryption
-Tor, working, out of the box
-Forensics tools and tools that make sure information is *Really* deleted.
If you have ideas for this project, join the group and start the discussion: https://we.riseup.net/anarchybuntu
I remember Oly saying they'd do this... Check out http://bloomingtonsecuritycameras.com/
From http://anarchistnews.org/?q=node/6581:
We're excited to announce the launching of the Bloomington Security Camera Map. It can be found at http://bloomingtonsecuritycameras.com . We hope there will be a number of print versions in various locations in Bloomington within the next couple of weeks. This project is intended to bring into the public consciousness the level to which we are observed and monitored, to help those who don't want to be seen stay hidden, and to inspire action to dismantle the policing and surveillance mechanisms that are ruining our communities..... Please send any questions, comments, critiques or other such comments to admin@bloomingtonsecuritycameras.com. thanks.....
With the recent release of the SSLSniff tool, other various privacy issues, and the need for security culture amongst activists, running our activist websites in a secure manner is increasingly important. One of the ways that you can dramatically and easily increase the security and privacy of your server is to enable Secure Sockets Layer (SSL) for all of your clients, all of the time.
The problem with only enabling SSL some of the time is twofold. The first benefit is that your readers and end-users may not want everyone else on the net to know what they are reading, even if it is not traditionally sensitive material (e.g. passwords). Some users of Hackbloc may not want the other people on their LAN to know anything about what they are reading (other than where it comes from, of course). This technique, however, will not prevent attacks like SSLSniff from working.
Hackbloc already uses this technique; if you look above you will see that you are at an https website! So how do we enable this technique? Simple, just copy and paste the following code into your .htaccess file:
RewriteEngine On
# Only act on requests for this host (case-insensitive) that arrived on plain HTTP (port 80)
RewriteCond %{HTTP_HOST} ^hackbloc\.org$ [NC]
RewriteCond %{SERVER_PORT} ^80$
# Send the same path to the HTTPS site with a permanent redirect and stop processing rules
RewriteRule ^(.*)$ https://hackbloc.org/$1 [L,R=301]
Of course, you will need to make sure that you have mod_rewrite enabled on your server. But that is all you need! There is one downside to this: if you do not have a certificate from a major cert company, your Firefox-using visitors will receive this lovely error screen. Unfortunately there is no way around this other than getting a certificate from a major authority, or pestering the Mozilla Foundation into adding cacert.com to their root certificates. So get to it!
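To show what those three rules actually do, here is a small Python model of them, added for this post (it is not code from the page or from Hackbloc). It also checks the caveat a practitioner would want: the host condition is an exact match, so a www. alias of the site is still served over plain HTTP unless it gets its own rule. The request fields below are constructed inputs.

```python
import re

# The page's .htaccess rules expressed as data: each RewriteCond is
# (server variable, regex, flags); the RewriteRule maps the request path to a
# substitution that may reference capture groups as $N.
RULESET = {
    "conds": [("HTTP_HOST", r"^hackbloc\.org$", "NC"),
              ("SERVER_PORT", r"^80$", "")],
    "rule": (r"^(.*)$", "https://hackbloc.org/$1"),
}


def apply_ruleset(ruleset, request):
    """Evaluate the rules the way mod_rewrite does for this simple case.

    request holds HTTP_HOST, SERVER_PORT, PATH (the per-directory path with the
    leading slash already stripped, which is what .htaccess rules see) and
    QUERY_STRING.  Returns the redirect target, or None when a RewriteCond
    fails and the request is served as-is.  Only the variables and flags used
    on the page are modelled (an assumption of this example).
    """
    for var, pattern, flags in ruleset["conds"]:
        re_flags = re.IGNORECASE if "NC" in flags else 0
        if not re.search(pattern, request[var], re_flags):
            return None
    pattern, subst = ruleset["rule"]
    match = re.search(pattern, request["PATH"])
    if not match:
        return None
    target = re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), subst)
    # mod_rewrite passes the original query string through unchanged unless
    # the substitution supplies its own.
    if request["QUERY_STRING"] and "?" not in target:
        target += "?" + request["QUERY_STRING"]
    return target


def uncovered_hosts(ruleset, hosts):
    """Hostnames that would still be served over plain HTTP: a port-80 request
    for the site root that the rules leave alone."""
    probe = {"SERVER_PORT": "80", "PATH": "", "QUERY_STRING": ""}
    return [h for h in hosts
            if apply_ruleset(ruleset, {**probe, "HTTP_HOST": h}) is None]
```

Running uncovered_hosts over the hostnames your server answers for is a quick way to see which aliases need their own RewriteCond before the redirect is airtight.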
This Saturday, Feb. 28, the Olympia Hackbloc (olyhackbloc.org) will be leading a workshop on security culture, computer security, intelligence, and privacy.
Topics to be covered:
All participants will receive digital copies of the presentation materials. To help cover costs, participants are asked to bring $5 with them or donate whatever they feel is fair. Nobody will be turned away because they don't have money. If you have a computer, you are highly encouraged to bring it. Flash drives and external hard drives would also be useful. A large portion of this workshop will be hands-on computer work. If you have extra computers, extension cords, power strips, blank CDs, flash drives, or external hard drives please bring them as well. This workshop is targeted towards activists, journalists, and members of the general public.
** Event information **
Security Culture, Computer Security, and Privacy: A Crash Course for Activists, Journalists, and the General Public
Saturday Feb. 28 at The Evergreen State College
11 AM SHARP till approx. 3 PM
Meet in the main floor lobby of the library building, and look for the Hackbloc signs. Bring your computer.
We are interested in filming portions of the workshop. If you have a video camera you can donate, please contact workshops@olyhackbloc.org ASAP. Media and press wishing to cover this event should contact press@olyhackbloc.org beforehand. For more information about Hackbloc, please see the Oly Hackbloc website at http://www.olyhackbloc.org.
-- Sponsored by Evergreen/Olympia Students for Democratic Society, which meets every Wednesday at 6:00 in the Solarium of the CAB building at Evergreen --
The New York Times, Democracy Now, Indymedia and several other sources are reporting that Brandon Darby, of Austin, TX, has outed himself as an FBI informant. Darby was most recently involved in the Republican National Convention last year and worked with the FBI to identify people that were planning on "violent" activity during the convention. Darby got his start in the activist community working with Common Grounds after Hurricane Katrina. From the New York Times article:
In a telephone interview, Mr. Darby said that he had provided information leading to the arrest of Mr. Crowder and Mr. McKay, and that he planned to testify at their trial.
Mr. Darby would not provide details about his undercover activities, but said he had also worked as an informant in cases not involving the convention. He defended his decision to work with the F.B.I. as “a good moral way to use my time,” saying he wanted to prevent violence during the convention at the Xcel Energy Center.
Documents that activists said were given to defense lawyers by the prosecution and printed on F.B.I. letterhead indicated that an informant — now identified as Mr. Darby — carried out a thorough surveillance operation that dated back to at least 18 months before the Republican gathering. He first met Mr. Crowder and Mr. McKay in Austin six months before the convention.
Mr. Darby provided descriptions of meetings with the defendants and dozens of other people in Austin, Minneapolis and St. Paul. He wore recording devices at times, including a transmitter embedded in his belt during the convention. He also went to Minnesota with Mr. Crowder four months before the Republican gathering and gave detailed narratives to law enforcement authorities of several meetings they had with activists from New York, San Francisco, Montana and other places.
One of his last conversations with Mr. McKay ended in an alley in Minneapolis, according to court documents, with Mr. Darby recording Mr. McKay talking about plans to use Molotov cocktails.
This whole case raises some tough questions: how can we secure our own communities when even someone heavily involved in the activist community may decide to switch sides and become an FBI informant? Darby was not someone like Anna, who came into the activist movement just to snitch; Darby was an established activist who decided one day to side with the FBI. This must make us re-evaluate our security protocols and our levels of trust.
I came across an interesting paper today, "Keyboard Acoustic Emanations Revisited" [PDF]. Li Zhuang, Feng Zhou, and J. D. Tygar, researchers at UC Berkeley, have discovered a way to tell what someone is typing using only the recorded audio of the typing session. It works on the fact that every key on your keyboard makes a slightly different but unique sound. Armed with this knowledge, a standard cryptographic frequency analysis attack and a little bit of machine learning, they are able to turn the sounds of the keyboard into text, with absolutely no training of the program beforehand and no previous samples. What's more, this attack has a 96% success rate and even works against random text such as a password.
A cryptographic frequency analysis attack works like this: we know that the most commonly used letters in the English language are E, T, A and S. If we have a code where a symbol consistently represents one letter (or, in this case, a sound consistently represents one letter), then we can assume the most common symbol (sound) represents E, the next most common is T, and so forth. This is the basic theory that the keyboard emanations attack works on.
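To make that frequency-analysis step concrete, here is a small Python illustration added for this post (not the paper's code): a constructed sentence is turned into opaque per-key cluster ids standing in for the distinct key sounds, and the only thing the analyst does is rank those ids by frequency against the usual English letter order. The sample text and the cluster-id formula are constructed for the example.

```python
from collections import Counter

# Constructed sample standing in for what the victim typed.
SAMPLE_TEXT = "the eastern gate was seen at the street where the tenants meet every evening"

# English letters in the frequency order normally used for this analysis;
# the post names E, T, A and S as the most common ones.
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"


def keys_to_clusters(text):
    """Constructed stand-in for the acoustic clustering step: every letter key
    becomes an opaque cluster id (its sound); spaces are kept as word gaps.
    The analyst never sees the letters, only these ids."""
    return [None if ch == " " else (ord(ch) * 7) % 97 for ch in text]


def frequency_mapping(clusters, order=ENGLISH_ORDER):
    """The frequency-analysis step from the post: the most common cluster is
    assumed to be 'e', the next 't', and so on down the order (at most 26
    distinct letter clusters are expected)."""
    counts = Counter(c for c in clusters if c is not None)
    return {c: order[i] for i, (c, _) in enumerate(counts.most_common())}


def recover(clusters, mapping):
    """Turn cluster ids back into a guessed text using the mapping."""
    return "".join(" " if c is None else mapping[c] for c in clusters)


def accuracy(guess, truth):
    """Share of letter positions the guess gets right."""
    pairs = [(g, t) for g, t in zip(guess, truth) if t != " "]
    return sum(g == t for g, t in pairs) / len(pairs)
```

On a sample this short only the e and t clusters come out right (just under half of the positions), which is exactly why the paper layers machine learning on top of the raw frequency ranking rather than stopping there.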
Apparently this paper came out back in 2005, but it went largely unnoticed by the media, including blogs. Definitely the most interesting thing about this attack is its ease of implementation and success rate. Keyboard acoustic sniffing attacks had been written about before, but they required sample data for training and had a much lower success rate. This attack requires no training data and even works with a microphone outside the room if a parabolic microphone is used. Some might say it is similar to Van Eck phreaking.
Interestingly while researching this I came across a patent for the "method and apparatus for masking acoustic keyboard emanations." So you may already be able to stop this attack, and you may be committing patent infringement if you do it DIY.
We normally don't post security announcements; if you want these on a regular basis you should probably be following Bugtraq or SecurityFocus. But I found these ones to be of pretty important note, since there are some pretty large vulnerabilities here and since PHP is such a widely used language on a number of corporate and government sites, not to mention activist sites. I hope that our readers will use the information here wisely in their pursuits. Read on for the vulnerabilities...