Over the past few months we've learned a lot about how the US government looks at its own citizens. We've learned this through the actions of Edward Snowden. He's done us a great service by forcing a conversation that the NSA and FBI didn't want us to have. The NSA lied to the Senate recently by claiming that it never tracked US citizens through Cell Phones. We would never have known about these activities if it wasn't for Snowden.
Snowden was using email to send information back and forth between himself and Glenn Greenwald. Since email is in one of those fuzzy gray areas of the law around data retention and government access to it this has caused a bit of a problem. It make things more difficult Snowden used an encrypted email service called Lavabit. It's encryption was at such a level that when the FBI requested data from it, they were confounded and essentially attempted to blackmail (legally of course) the owner into handing over the encryption key. This would have effectively rendered the service these people were paying for worthless. They were paying to have their email traffic be secured from both public and private entities.
As we hear and more about how the US government has been behaving towards internet security, the more we're learning that the NSA and other US agencies are doing their best to thwart it. They have worked with the NIST and weakened the encryption key they developed. The problem with these backdoors is that if it's there for the "good guys" (whoever that might be) it's also there for the "bad guys" (whoever that might be). This isn't just general encryption keys, it's things that we use every day without using it. Whenever we are using any website that includes "https" we are using a basic encryption protocol called SSL. Think about when you're banking, you see the https. Google now allows you to use this when you send information to and from them. This encryption has also been broken by the NSA. This is our personal stuff and if it's broken by the NSA it can be broken by other people. Now does this mean we're likely to have a rash of new fraud cases or theft cases? No, as it's been compromised for some time. However, people do know about it now and this of course is a greater cause for concern.
What can we do about this? Well, first, look into more secure encryption methods. I wouldn't be surprised if Google and applications like HTTPS everywhere will change their algorithm in result. Second, contact your representative and your senator. I'm lucky my senator in Oregon is very vocal (Ron Wyden) not everyone is so please help inform your leaders. Third, buy from companies that you know haven't given up data to the NSA, don't use Facebook and the like and basically try to follow the great writing that Sean did several months ago over on KBMOD. He nailed it then and it's even more pressing than before to keep up with security.
Showing posts with label FBI. Show all posts
Showing posts with label FBI. Show all posts
Saturday, October 5, 2013
Saturday, June 25, 2011
LulzSec, Anonymous, ICE, FBI and users Part III
Get caught up on this series Part I, and Part II.
So I've been talking about these four groups and how they have been interacting. However, these groups are not interacting in a vacuum. Theses groups are either hacking governmental organizations or they are hacking corporations.When Anonymous and LulzSec (or any other hacking group) goes after a company, they are trying to get one of two things, some times both, either user data or some sort of dirt on the company itself.
User information can range from names, locations, email address to IP addresses and credit card information. Since these guys are going after big companies, like Sony, Blizzard, and other gaming companies, they are most likely going after as much information as they can get their hands on. When it comes to dirt on a company, they go after big companies and small alike. They went after Bank of America in an attempt to reveal improper behavior to punish someone for the financial mess we're in. Small companies like HBGary was a bit of a grudge match. HBGary claimed that they were able to bring down all of Anonymous, which pissed the group off. HBGary was hack and completely discredited and also showed a lot of nastiness going on in the security world in general.
In some ways it's pretty obvious how stealing using information impacts the user. Recently, Sony's PlayStaion Network was down for a month, because of the security breach, which included some 1.3 million user's information being stolen including credit card information. In another case a game called Brink was hacked and 200,000 users information was stolen.
So, obviously these guys are in the wrong right? Well, yes and no. They think they are completely in the right here. They could have been doing all these things and not made it public. Just stole the information, then sell it to someone and make a lot of money from it. Or perhaps use it themselves. In some cases they did that. Anonymous ordered about 100 pizzas to a Sony Executive's house. In fact, Sony is currently being sued for the weakness of their network. We would not have known about it, without the hacker attack.
The US government is fighting back and taking down servers which have obvious impacts on users and hosting agents at the same time. However, both ICE and the FBI feel they are 100% in the right based on the law. ICE firmly believes that it has the required authority and rights to take down websites, and the FBI feels it can take whatever servers it needs to find these guys.
It's the immovable object versions the unstoppable force, with the regular internet users in the middle. Most users won't notice unless some website they are using goes down, or they find out their card has been hacked. Users that play games, watch movies, and create content have the most risk in this battle.
How can users mitigate their risk? Well, the best thing to do is to get a specific online credit card that has a low limit that will cover your gaming and general online purchases. If you're only spending $10/month on games then get a card that will have a maximum of $100 or something like that. Minimize the number of credit cards you use online, and try to avoid using debit cards as much as possible. Additionally, try to create difficult passwords, something with multiple capital letters, numbers and special characters if the website allows it. Such as: Dr.Wh0d^nn!t something more random might be better, but it's still a much more difficult password to deal with than drwhodunit. If you are unable to create passwords like this, then you should request it from the website you are using.
Finally, there's only so much you can do as a user. Some of this has to deal with how the internet is structured. I'll discuss this tomorrow. Protect yourself as much as you can.
The NY Times posted this article yesterday about LulzSec.
So I've been talking about these four groups and how they have been interacting. However, these groups are not interacting in a vacuum. Theses groups are either hacking governmental organizations or they are hacking corporations.When Anonymous and LulzSec (or any other hacking group) goes after a company, they are trying to get one of two things, some times both, either user data or some sort of dirt on the company itself.
User information can range from names, locations, email address to IP addresses and credit card information. Since these guys are going after big companies, like Sony, Blizzard, and other gaming companies, they are most likely going after as much information as they can get their hands on. When it comes to dirt on a company, they go after big companies and small alike. They went after Bank of America in an attempt to reveal improper behavior to punish someone for the financial mess we're in. Small companies like HBGary was a bit of a grudge match. HBGary claimed that they were able to bring down all of Anonymous, which pissed the group off. HBGary was hack and completely discredited and also showed a lot of nastiness going on in the security world in general.
In some ways it's pretty obvious how stealing using information impacts the user. Recently, Sony's PlayStaion Network was down for a month, because of the security breach, which included some 1.3 million user's information being stolen including credit card information. In another case a game called Brink was hacked and 200,000 users information was stolen.
So, obviously these guys are in the wrong right? Well, yes and no. They think they are completely in the right here. They could have been doing all these things and not made it public. Just stole the information, then sell it to someone and make a lot of money from it. Or perhaps use it themselves. In some cases they did that. Anonymous ordered about 100 pizzas to a Sony Executive's house. In fact, Sony is currently being sued for the weakness of their network. We would not have known about it, without the hacker attack.
The US government is fighting back and taking down servers which have obvious impacts on users and hosting agents at the same time. However, both ICE and the FBI feel they are 100% in the right based on the law. ICE firmly believes that it has the required authority and rights to take down websites, and the FBI feels it can take whatever servers it needs to find these guys.
It's the immovable object versions the unstoppable force, with the regular internet users in the middle. Most users won't notice unless some website they are using goes down, or they find out their card has been hacked. Users that play games, watch movies, and create content have the most risk in this battle.
How can users mitigate their risk? Well, the best thing to do is to get a specific online credit card that has a low limit that will cover your gaming and general online purchases. If you're only spending $10/month on games then get a card that will have a maximum of $100 or something like that. Minimize the number of credit cards you use online, and try to avoid using debit cards as much as possible. Additionally, try to create difficult passwords, something with multiple capital letters, numbers and special characters if the website allows it. Such as: Dr.Wh0d^nn!t something more random might be better, but it's still a much more difficult password to deal with than drwhodunit. If you are unable to create passwords like this, then you should request it from the website you are using.
Finally, there's only so much you can do as a user. Some of this has to deal with how the internet is structured. I'll discuss this tomorrow. Protect yourself as much as you can.
The NY Times posted this article yesterday about LulzSec.
Friday, June 24, 2011
LulzSec, Anonymous, ICE, FBI and users Part II
Yesterday, I discussed Users, Anonymous and ICE. Today I will introduce LulzSec and the FBI and how they interact with the other two groups, if I have space I'll also add some of the impact on users.
LulzSec is a rather new hacking group. I think I've been seeing posts about them since about June. I'm pretty sure they've been around longer than that, but within the last few weeks they've really picked up their online activity. This group claims they are fighting for the user and are going after, white hat, black hat, and government agencies. White hat and black hat are different types of hackers. White hats will find vulnerabilities, and then notify the firm of this vulnerabilities in their systems. The white hats help protect user data from the black hats, which are typically the bad hackers. LulzSec is something of a gray hat. They hack firms and then publicly display the vulnerabilities, by they claim they are doing this only to force the firms to change their behavior. They are also attempting to out bad apples, or so they say, in the white hat community. These guys are apparently pretty good, as their domain name was seized by ICE, and they took it back. On the ICE seizure page, in my previous post, they added this "rage guy" to it. They claim they only do it for the Lulz (lols or laughs).
This of course did not make the US government too happy. So, two days ago the FBI got involved in the situation. They proceeded to take the server which the LulzSec website was hosted. Which impacted innocent websites as well. As the hosting agent wasn't aware of this action until a few hours after it occurred. According to the hosting agent, the FBI took additional servers that weren't involved at all. Here's an article from the NY Times with a bit of a time line of the event. The LulzSec website is currently no longer up, as it appears the server with the website has been taken offline.
LulzSec has been targeted by both governmental agencies and some members of Anonymous and other hacking groups. The hackers are trying to show that these guys are a bunch of amateurs and aren't covering their tracks very well. There's been one LulzSec arrest so far in Spain. There have also been numerous Anonymous arrests as well. Each arrest supposedly is a leader in the movement, which each movement denies and mocks the arresting government as being incompetent and the person they caught is only a bit player in their campaign.
So what's the big idea? They hack stuff, they get arrested, they lose connection to the internet. What's the big deal? Well, I think that both Anonymous and LulzSec are using hacking as a means of protesting, but also attempting to fight over the structure of the internet. Anonymous feels that no one is listening to the larger internet community on how they feel firms should interact on the internet, and they also feel that the internet should be open and should be unregulated. LulzSec is a bit more of a loose cannon and are basically trying to cause as much mayhem as they possibly can. However, I think that they are using a different technique to achieve the same aims, an unregulated internet.
Tomorrow I'll discuss some of the impact on users and what the structure of the internet means for most users, and how it can affect how the internet works in the future.
LulzSec is a rather new hacking group. I think I've been seeing posts about them since about June. I'm pretty sure they've been around longer than that, but within the last few weeks they've really picked up their online activity. This group claims they are fighting for the user and are going after, white hat, black hat, and government agencies. White hat and black hat are different types of hackers. White hats will find vulnerabilities, and then notify the firm of this vulnerabilities in their systems. The white hats help protect user data from the black hats, which are typically the bad hackers. LulzSec is something of a gray hat. They hack firms and then publicly display the vulnerabilities, by they claim they are doing this only to force the firms to change their behavior. They are also attempting to out bad apples, or so they say, in the white hat community. These guys are apparently pretty good, as their domain name was seized by ICE, and they took it back. On the ICE seizure page, in my previous post, they added this "rage guy" to it. They claim they only do it for the Lulz (lols or laughs).
 |
| I found this on the Telegraph's website. No idea who owns the copyright |
LulzSec has been targeted by both governmental agencies and some members of Anonymous and other hacking groups. The hackers are trying to show that these guys are a bunch of amateurs and aren't covering their tracks very well. There's been one LulzSec arrest so far in Spain. There have also been numerous Anonymous arrests as well. Each arrest supposedly is a leader in the movement, which each movement denies and mocks the arresting government as being incompetent and the person they caught is only a bit player in their campaign.
So what's the big idea? They hack stuff, they get arrested, they lose connection to the internet. What's the big deal? Well, I think that both Anonymous and LulzSec are using hacking as a means of protesting, but also attempting to fight over the structure of the internet. Anonymous feels that no one is listening to the larger internet community on how they feel firms should interact on the internet, and they also feel that the internet should be open and should be unregulated. LulzSec is a bit more of a loose cannon and are basically trying to cause as much mayhem as they possibly can. However, I think that they are using a different technique to achieve the same aims, an unregulated internet.
Tomorrow I'll discuss some of the impact on users and what the structure of the internet means for most users, and how it can affect how the internet works in the future.
Thursday, June 23, 2011
LulzSec, Anonymous, ICE, FBI and users
I this post, and some future posts, I plan to discuss several different entities and how they are currently impacting web usage, some potential future impacts and how users fit in with all of this. First I'll talk about the users and then talk a little bit about each of the other entities and some of the current activities.
For users, I think every one is aware of the broad range of types of people on the internet. You have your grandma and grandpa who only use the internet for email, or I'll these users novices. Then you have the more sophisticated users, which use various chat programs and may look at different websites and get their news, these are basic users. Intermediate users and basic users kind of blur together they'll probably user online games, both paid games and simple online games like yahoo games etc. Next there are Advanced users. These people are consumers of content and may create some. They are probably also aware of how to create websites and pretty technically savvy people. Then you have the Power users. People that use massive amounts of content, create their own content and spread large amounts of information over sites like 4chan, reddit, digg, and various other Web 2.0 sites. These users are typically well aware of what's going on with these four groups I listed above. These groups do not have hard and fast end points, it's more of a continuum. In some cases it's difficult to tell the difference from an advanced user and a power user.
So why are the Power users, and some advanced users, aware of the activities of these groups more than other people? In some cases these power users are actually involved in Anonymous, or actively support the action of the members of Anonymous. Ok, is that a good or bad things? Well, that's a really difficult question to answer. I can only answer that by explaining who and what Anonymous is.
Anonymous came about from the chat rooms of 4chan, and similar groups such as that. I'm sure there are many other sources that I'm completely unaware of, probably IRC(Internet Relay Chat). But what do they do? Well, partially they are a response to the governmental responses to Wikileaks, an organization devoted to safely leaking government or business related information (whistle blower site). They decided to attack, through a Distributed Denial of Service attack (DDoS) (Which basically take a website offline), websites that didn't want to work with Wikileaks, like PayPal, MasterCard, Visa, and Amazon. However, it has since escalated to include many governmental agencies. Such as the US government and other organizations. This wouldn't really be that big of a problem if it was just DDoS, which are illegal but short lived. They also started to hack companies and steal information.
So who is ICE and why do I care about them? Well, ICE is the US commerce department. The same people that are in charge of the US boarders. Some how, they have been given broad authorization to target websites that are either streaming or directly distributing copyrighted material. They do this through seizing websites. Which has been considered very questionable under constitutional authority. See the picture below for an example of a website seized by ICE.
For users, I think every one is aware of the broad range of types of people on the internet. You have your grandma and grandpa who only use the internet for email, or I'll these users novices. Then you have the more sophisticated users, which use various chat programs and may look at different websites and get their news, these are basic users. Intermediate users and basic users kind of blur together they'll probably user online games, both paid games and simple online games like yahoo games etc. Next there are Advanced users. These people are consumers of content and may create some. They are probably also aware of how to create websites and pretty technically savvy people. Then you have the Power users. People that use massive amounts of content, create their own content and spread large amounts of information over sites like 4chan, reddit, digg, and various other Web 2.0 sites. These users are typically well aware of what's going on with these four groups I listed above. These groups do not have hard and fast end points, it's more of a continuum. In some cases it's difficult to tell the difference from an advanced user and a power user.
So why are the Power users, and some advanced users, aware of the activities of these groups more than other people? In some cases these power users are actually involved in Anonymous, or actively support the action of the members of Anonymous. Ok, is that a good or bad things? Well, that's a really difficult question to answer. I can only answer that by explaining who and what Anonymous is.
Anonymous came about from the chat rooms of 4chan, and similar groups such as that. I'm sure there are many other sources that I'm completely unaware of, probably IRC(Internet Relay Chat). But what do they do? Well, partially they are a response to the governmental responses to Wikileaks, an organization devoted to safely leaking government or business related information (whistle blower site). They decided to attack, through a Distributed Denial of Service attack (DDoS) (Which basically take a website offline), websites that didn't want to work with Wikileaks, like PayPal, MasterCard, Visa, and Amazon. However, it has since escalated to include many governmental agencies. Such as the US government and other organizations. This wouldn't really be that big of a problem if it was just DDoS, which are illegal but short lived. They also started to hack companies and steal information.
So who is ICE and why do I care about them? Well, ICE is the US commerce department. The same people that are in charge of the US boarders. Some how, they have been given broad authorization to target websites that are either streaming or directly distributing copyrighted material. They do this through seizing websites. Which has been considered very questionable under constitutional authority. See the picture below for an example of a website seized by ICE.
 |
| ICE Seizure web page |
Well, I still don't know if that's a good or a bad thing. They could be going after child pornography or shutting down those pirating websites. You know, those are good points. ICE, accidentally shut down a few websites, wrongly claiming the accused was distributing child porn. These were actual businesses that were shut down due to this.
Well, this post has gotten rather long. So tomorrow, I'll post about LulzSec and the FBI and hopefully discuss how all four of these groups intersect with each other. As a teaser, all four of these groups feel that they are fighting over the control and structure of the internet.
Subscribe to:
Posts (Atom)