An Article Posted by Yan: Yahoo, Those Liars

Yan's post is quoted in full below. It is an important thing to keep in mind:

“surveillance, whistleblowing, and security engineering”

Wed Oct 5, 2016

[Update (12/14/16): Reuters has specified that the rootkit was implemented as a Linux kernel module. Wow.]

“Yesterday morning, Reuters dropped a news story revealing that Yahoo installed a backdoor on their own infrastructure in 2015 in compliance with a secret order from either the FBI or the NSA. While we all know that the US government routinely asks tech companies for surveillance help, a couple aspects of the Yahoo story stand out:

  1. The backdoor was installed in such a way that it was intercepting and querying all Yahoo Mail users’ emails, not just emails of investigation targets.
  2. The program was implemented so carelessly that it could have allowed hackers to read all incoming Yahoo mail. Of course this also means FBI/NSA could have been reading all incoming Yahoo mail.
  3. Yahoo execs deliberately bypassed review from the security team when installing the backdoor. In fact, when members of the security team found it within weeks of its installation, they immediately assumed it had been installed by malicious hackers, rather than Yahoo’s own mail team. (This says something about what the backdoor code may have looked like.)
  4. Yahoo apparently made no effort to challenge this overly-broad surveillance order which needlessly put hundreds of millions of users at risk.

At the time this was happening, I was on the Yahoo Security team leading development on the End-to-End project. According to the Reuters report, the mail backdoor was installed at almost the exact same time that Alex Stamos and I announced the open-source launch of a Chrome extension for easy-to-use end-to-end encryption in Yahoo Mail at SXSW 2015. Ironically, if only we had been able to actually ship E2E, we would have given users a way to protect themselves from the exact backdoor scenario that they ended up in!

Imagine for a moment that you are a security engineer who discovers a backdoor that your company execs have been trying to hide from your team. Would you quit on ethical grounds or stay so that you can prevent this from happening again? I don’t think there is one right answer. Personally I am grateful both for those who left and blew the whistle, and for those who stayed to protect Yahoo’s 800 million users.

Part of the job function of security engineers and pen testers is being ready for the moment you encounter something that you think should be disclosed but your company wants to keep secret. Think about what you would be willing to lose. Be prepared to escalate internally. Know the terms of your NDA and your exit agreement; try your best to honor them. Most of all, keep pushing for end-to-end encryption.”


If your email provider is based in the United States, then you need to close it and go with Protonmail or something similar.

(Hushmail and Countermail are weakened)


Keybase Info for Patriot COMSEC

==================================================================
https://keybase.io/patriot
——————————————————————–

I hereby claim:

* I am an admin of http://www.patriotcomsec.wordpress.com
* I am patriot (https://keybase.io/patriot) on keybase.
* I have a public key with fingerprint 61C5 E958 38AD 4D1A A4C5 2B65 DF5F AE1F 95A9 8095

To do so, I am signing this object:

{
  "body": {
    "key": {
      "eldest_kid": "012058568e9f7e1db300b7ddfab499858d99a2e849fbf460a8355fdc084f7e48e4990a",
      "fingerprint": "61c5e95838ad4d1aa4c52b65df5fae1f95a98095",
      "host": "keybase.io",
      "key_id": "df5fae1f95a98095",
      "kid": "01014972ae3155888f526941db8c3b1ab1df786cb674f4179c46888f7ca3fded4bac0a",
      "uid": "1155c23d603d643e73f8ba72c5d6b319",
      "username": "patriot"
    },
    "service": {
      "hostname": "www.patriotcomsec.wordpress.com",
      "protocol": "http:"
    },
    "type": "web_service_binding",
    "version": 1
  },
  "ctime": 1493519319,
  "expire_in": 157680000,
  "prev": "30c3847282a71700ce7098d58d3964079aa43a107c7875e9a8f4715925b4c72a",
  "seqno": 8,
  "tag": "signature"
}

which yields the signature:

-----BEGIN PGP MESSAGE-----
Version: Keybase OpenPGP v2.0.68
Comment: https://keybase.io/crypto
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=ggAT
-----END PGP MESSAGE-----

And finally, I am proving ownership of this host by posting or
appending to this document.

View my publicly-auditable identity here: https://keybase.io/patriot

==================================================================
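Before trusting a proof like the one above, a verifier checks that the human-readable claim and the signed object agree with each other. The Python below is an added example, not Keybase's own verifier: the JSON is the object posted above, the fingerprint, hostname and username come from the "I hereby claim" text, and the OpenPGP signature itself is not checked here because the armored message is not reproduced in full on this page.

```python
"""Consistency checks on a Keybase web_service_binding claim (added example,
not Keybase's code). The JSON is copied from the proof posted above; the
checks are what a verifier can confirm before the PGP signature is examined."""
import json

# The claim object exactly as posted above.
CLAIM_JSON = """{
  "body": {
    "key": {
      "eldest_kid": "012058568e9f7e1db300b7ddfab499858d99a2e849fbf460a8355fdc084f7e48e4990a",
      "fingerprint": "61c5e95838ad4d1aa4c52b65df5fae1f95a98095",
      "host": "keybase.io",
      "key_id": "df5fae1f95a98095",
      "kid": "01014972ae3155888f526941db8c3b1ab1df786cb674f4179c46888f7ca3fded4bac0a",
      "uid": "1155c23d603d643e73f8ba72c5d6b319",
      "username": "patriot"
    },
    "service": {"hostname": "www.patriotcomsec.wordpress.com", "protocol": "http:"},
    "type": "web_service_binding",
    "version": 1
  },
  "ctime": 1493519319,
  "expire_in": 157680000,
  "prev": "30c3847282a71700ce7098d58d3964079aa43a107c7875e9a8f4715925b4c72a",
  "seqno": 8,
  "tag": "signature"
}"""

# Values from the human-readable "I hereby claim" text above.
ADVERTISED_FINGERPRINT = "61C5 E958 38AD 4D1A A4C5 2B65 DF5F AE1F 95A9 8095"
ADVERTISED_HOST = "www.patriotcomsec.wordpress.com"
ADVERTISED_USERNAME = "patriot"


def normalize_fingerprint(fpr):
    """Strip the display grouping and lower-case, which is how Keybase stores it."""
    return fpr.replace(" ", "").lower()


def check_claim(claim_json, advertised_fpr, advertised_host, advertised_user, now=None):
    """Return {'errors', 'warnings', 'expires_at'} for a web_service_binding claim.

    Errors mean the human-readable claim and the signed object disagree, so the
    proof must not be accepted. Warnings are things a careful verifier should
    know about but that do not by themselves invalidate the signature.
    """
    claim = json.loads(claim_json)
    body = claim["body"]
    key = body["key"]
    service = body["service"]
    errors, warnings = [], []

    fpr = normalize_fingerprint(advertised_fpr)
    if len(fpr) != 40 or any(c not in "0123456789abcdef" for c in fpr):
        errors.append("advertised fingerprint is not 40 hex digits")
    if key["fingerprint"] != fpr:
        errors.append("fingerprint in the signed object differs from the advertised one")
    # The 16-hex-digit OpenPGP key ID is the low 64 bits of the fingerprint.
    if key["key_id"] != fpr[-16:]:
        errors.append("key_id is not the low 64 bits of the fingerprint")
    if key["username"] != advertised_user:
        errors.append("username in the signed object differs from the advertised one")
    if body["type"] != "web_service_binding":
        errors.append("object type is %r, not web_service_binding" % body["type"])
    if service["hostname"] != advertised_host:
        errors.append("hostname in the signed object differs from the advertised one")
    if service["protocol"] != "https:":
        warnings.append("binding was made over %s; fetch the proof page over https" % service["protocol"])
    if key["host"] != "keybase.io":
        warnings.append("key host is %r, not keybase.io" % key["host"])

    # Keybase proofs carry their own lifetime: ctime plus expire_in seconds.
    expires_at = claim["ctime"] + claim["expire_in"]
    if now is not None and now >= expires_at:
        errors.append("proof expired at epoch %d" % expires_at)
    return {"errors": errors, "warnings": warnings, "expires_at": expires_at}


if __name__ == "__main__":
    import time
    result = check_claim(CLAIM_JSON, ADVERTISED_FINGERPRINT, ADVERTISED_HOST,
                         ADVERTISED_USERNAME, now=int(time.time()))
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(kind[:-1].upper(), msg)
    print("expires at epoch", result["expires_at"])
```

Run as a script it reports that the proof's five-year lifetime (ctime plus expire_in) ended in 2022, and it warns that the binding was made over plain http, so the page that hosts it should be fetched over https before the signed statement is relied on.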

From Bruce Schneier’s Blog: On Why the US Intell Agencies are Schmendrick City

From reading the news closely, there is some cooperation between NSA and CIA, but then again there is some fighting and even downright, jaw-dropping subversion. If z’s job is x and z said y about the situation, but newly-arrived p bellies up to the bar in country v on z’s turf, and says negative y, that z and his boys know nothing, and can prove it, that’s a fight in which the bad guys (worse guys?) win. You would think that American intell people (“Romans are people who kill other Romans.”) would cooperate during war–take Afghanistan for example–but in many cases they did not. They were too busy fighting each other. Result? I am sorry to say it, but Afghanistan is about to go into the loss column. If you are focused on the fight with the foreign enemy, and you are in this kind of internecine turf-war environment, the war then becomes strange, even surreal.  One starts to think like this: the Taliban have no business getting in our fight, and one notices that a lot of money is involved. The Taliban wear plastic shoes in the winter, and they are so poor that they don’t matter. Afghanistan is like a stage set for a battle between Americans. The Taliban are props. The prizes are large.

Rogers almost lost his job as DIRNSA because he went to talk to Trump (and the leaders lacked the data). Flynn lost his job because of a straight-up political assassination. I am not saying that Flynn is an angel of light. I know someone who used to work for him. He rubs some people the wrong way, and he took the step of getting directly involved in a political campaign. Some people hate his guts. So when the NSA had some info on him that could be used to eject him from his job, the people privy to those tid-bits could not resist their desire to stick a knife in their former colleague, who, by the way, was extremely good at his job of defending the country. America rolls on.

Snowden got a bad evaluation at CIA and went rogue. His psychological profile is much like Timothy McVeigh’s, the difference being that the building Snowden blew up is not in Oklahoma City. Snowden hates the person who was his boss in Geneva, and his betrayal of his oath and his home is just hatred written large. The CIA and NSA are deeply antagonistic towards Russia, so Snowden went there out of spite.

Robert Hanssen, who is mentally sick, betrayed America in the most injurious way. If he had only been arrested today and spoke of personal privacy, I think some people would listen and actually believe that he is a good guy. He is not a good guy at all. Some of these people who are talking about privacy and rights are the scum of the earth.  Julian Assange is a good example.  Having two warrants out for your arrest for rape is not normal.

Chelsea Manning is not exactly cut from the same cloth because she told her boss that she was no longer on the team. She tried to warn her supervisors that she was not OK. But she too was probably motivated by anger, by being gay and not being accepted. That kind of reminds me of Glenn Greenwald. Greenwald has been an important catalyst to Snowden’s perfidy, and Greenwald tells people up front that he wants them to be as angry as he is. But he is not as broken up about government spying as he is about not being accepted for being gay– his status as an outcast, as the condemned. Again, America rolls on.

Personal antagonism has increased between some people who work in U.S. government agencies, just as it has gotten worse in U.S. society. The number of people with high clearances has mushroomed, and this is an important factor in the increased number of leakers. The system has branched out like an unsecure computer network with unsecure routers. Contractors make things worse because they are not controlled to the same degree as military people. That is why you have so many military folks in the NSA.

There is no mystery. There is no new epic battle between Russian and American intell agencies. A lot of people had to neglect their jobs for Snowden to do what he did, and the same goes for the CIA. Look at the OPM disaster: no one cared enough to encrypt the personal information of everyone in the U.S. intell community. The belly laughs in Beijing must be just as big as their astonishment. A lot of Americans failed by omission in this particular disaster, and the reasonable explanation is that they just didn’t care.

The elephant in the room is China, which no one wants to talk about because they are winning, and they treated an American President with amused contempt when he tried to get off his plane in Hangzhou last year. Every day they get stronger as people in the U.S. government fight each other and knock the U.S. down. It is a comfortable story to say that some mysterious battle is going on that is not our problem. This is not the case at all. A clear and present danger to the U.S. is in front of everyone’s eyes: that U.S. intell agencies are not doing their jobs well because of intensified internal fighting, and, perhaps in some cases, bloat and apathy.

Let’s Un-Schmendrick the Password Nightmare

At this moment, people all over the world are pecking a password into a computer.  It is often some weak password that can be broken in less than a second. Even a truly random password of eight characters drawn from a pool of sixty-eight characters can be exhausted by one good desktop computer in less than three days, provided the attacker holds the password hash and it is a fast, unsalted one; that figure works out to close to two billion guesses a second, which is why a slow, salted password hash matters as much as password length.  What people are doing today is not working.

If we have 93 possible symbols and our password is 36 symbols long, then we have this many possibilities if the symbols are in random order:

93^36 = 7.334764054 × 10^70

or

73,347,640,540,020,202,627,270,509,203,075,830,775,693,082,438,443,643,762,466,723,438,686,801

How can we give that number some kind of meaning that we can relate to?

How many sandwiches is that?  If Franz Kafka were hungry and every atom in his body could eat 10 billion sandwiches in one second, and he could clone himself 10 billion times, to reach the number of sandwiches above, he and his clones would have to eat for about 230,000 times longer than the universe has been here.  At least, for a while, he would have to give up his obsession with what space burial is about.

The chance of brute-forcing this password is astronomically low.
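The same arithmetic carried through in code, as an added example (not the Patriot COMSEC product or any code from the original post). It takes the two passwords from the text, backs out the guess rate that the "under three days" figure implies, and adds one labelled assumption for contrast: a slow, salted password hash that lets an attacker try only about 10,000 guesses a second.

```python
"""Keyspace and brute-force arithmetic for the two passwords discussed above
(added example). The 68^8 "under three days" figure from the text is used to
back out the guess rate it implies; the slow-hash rate is an assumption."""
import math

SECONDS_PER_DAY = 86400
AGE_OF_UNIVERSE_S = 13.8e9 * 365.25 * SECONDS_PER_DAY  # about 4.35e17 seconds


def keyspace(alphabet_size, length):
    """Number of distinct passwords of `length` symbols drawn uniformly from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """log2 of the keyspace: the bits a uniformly random password really carries."""
    return length * math.log2(alphabet_size)


def implied_guess_rate(space, seconds_to_exhaust):
    """Guesses per second needed to try a whole keyspace in the given time."""
    return space / seconds_to_exhaust


def expected_crack_seconds(space, guesses_per_second):
    """On average the attacker hits the password after trying half the keyspace."""
    return (space / 2) / guesses_per_second


def universes(seconds):
    """Express a duration as multiples of the age of the universe."""
    return seconds / AGE_OF_UNIVERSE_S


def compare(weak=(68, 8), strong=(93, 36), weak_days=3.0, slow_hash_rate=1e4):
    """Figures for the weak and strong passwords from the text, as a dict."""
    weak_space = keyspace(*weak)
    strong_space = keyspace(*strong)
    # The text's claim (68^8 exhausted in under three days) implies this rate;
    # it is in the range of one GPU against a fast unsalted hash such as NTLM or MD5.
    fast_rate = implied_guess_rate(weak_space, weak_days * SECONDS_PER_DAY)
    return {
        "weak_bits": entropy_bits(*weak),
        "strong_bits": entropy_bits(*strong),
        "fast_rate": fast_rate,
        "strong_universes_fast_hash": universes(expected_crack_seconds(strong_space, fast_rate)),
        # Same weak password, but stored with a deliberately slow hash
        # (assumed 10,000 guesses/s, e.g. bcrypt or scrypt at a sensible cost).
        "weak_days_slow_hash": expected_crack_seconds(weak_space, slow_hash_rate) / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print("%-28s %.3g" % (name, value))
```

The output makes the two levers visible: the 36-symbol password is about 235 bits and stays out of reach at any rate, while the 8-symbol one is under 49 bits and survives only if the hash it is stored under is slow.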

Patriot COMSEC has the answer to the password problem.  How can we have people make and use effective passwords?  Please stay tuned.  When our patent comes through, you too might want to use our innovative solution.

Internet Security for the Absolute Beginner, or: It Is Time to Un-schmendrick Your Information Life (incomplete; published as a draft)

We want to use the internet without sacrificing our privacy.  In order to do that, it seems that one needs to have worked at the NSA in cyber for thirty years.

In America, a herd mentality develops.  Because of pervasive advertising, people are lulled into believing that products from Google and Apple are safe and appealing.  They are certainly not safe, even though a lot of people use them.  Apple phones are wonderful for being controlled remotely, and Google’s Android phone is inherently unsecure.  In fact, it is a big, fat joke. Its apps come from all over the place, and there is a lot of tracking. Sorry to say, the purpose of that phone is to gather your information!  It is very difficult to check the integrity of most Google apps. Therefore, it is not just Google who is collecting your stuff.  Try calling one of those app providers for customer service:  Bosnia, Turkey, etc. Security and privacy are not emphasized at all; in fact, they are undermined.  Those in the herd are not supposed to complain, and the less they know the better.

There is a lot of deception going on.  Data is money, and they want your data.  It has gotten so bad that tracking blockers such as Ghostery and AdBlock Plus have actually become tracking tools (only limiting obtrusive ads).  People go to Ghostery and AdBlock Plus to limit tracking, but they only enable it.  All roads lead to Google.  They are depending on you being uninformed. But the good news is that people like the EFF have reacted, and a real tracking blocker is now available:  Privacy Badger.

Mobile devices are inherently unsecure unless extraordinary measures are taken.  Just in the news is a story about how mobile devices in China are being injected with malware by fake phone towers.  Passwords and banking information are being stolen and exfiltrated by SMS. There is no end to how your phone can be attacked and owned, and your information stolen. If you want a secure phone, then get a small old-school device with no camera, no apps, and no social media.  The amount of information that an attacker is going to get out of you is lessened greatly.

If you know someone who does cyber offense for a living and you ask for his or her personal email address, then you might get a wince:  “I don’t do email.”

If you know someone who does cellular offense for a living and ask for security advice about mobile phones, then you might get this:  “Your phone? Lose it.”

So, the question of our time:  how does a person live in this collection platform world?  First, you need to do a security assessment.  You need to know what level of security is right for you.  And you need to know what security products actually work.  We have already talked about Ghostery.  This is not only the era of fake news:  this is the era of fake security products that compromise your data, which is valuable.

The purpose of this website is to inform people about real information security.  Our emphasis is on how to use encryption.  There are very few clear explanations that enable an absolute beginner to use encryption well–that is, so that it works.  If you stick to our site, you will gain assurance about your activity on the internet, and you can know that your information and privacy are really protected.  For the absolute beginner, we have to start from his or her viewpoint, and go step by step, clearly.  These sorts of explanations are largely missing from the internet today, even though they are sorely needed.

First, we will go over general principles, and then in subsequent posts we will do step-by-step actions (for using PGP, for creating an air-gapped system, for compressing files, for using symmetric encryption, for storing information securely, etc.) involving specific operating systems.

For All Internet Users

-there is no absolute security on the internet, but you can take steps to give yourself an extremely high expectation of privacy

 

Step 1: Get Rid of Your Mobile Device

A. We are not going to depend on a mobile device to secure our information.  Despite all the hype, all the advertising with smiling inter-racial volleyball matches on the beach with pretty girls in bikinis, those phones are designed to collect your information and turn you into another uninformed, schmendricked consumer. If you must have a phone, go old-school and use it for phone calls and SMS only.  All of that information is completely open to collection.

B. We are going to use a laptop, desktop, or netbook that we connect to the internet.  The next step, for those who need a very high level of security, is to set up an air-gapped device that never has, and never will, touch the big collection platform that we all love, the internet.

Step 2: Get Rid of Windows and Use a Linux-based Operating System

C. We are going to use a Linux-based operating system.  They are inherently more secure.  We are going to choose a flavor of Linux that we like, and we have several good choices.

  1.  TAILS is best
  2.  Fedora is very good
  3.  Ubuntu is good
  4.  Puppy is good

D. We must wipe the computer that will receive our new operating system.

E.  We must verify the integrity of the Linux-based operating system ISO file that we download, by checking it against the checksum the project publishes.  We must also make sure that it came from the place we think it came from, by verifying the project’s signature on that checksum with a key whose fingerprint we obtained independently of the download site.
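Steps D and E in code, as an added example that is not part of the original post and not any distribution’s official tooling. It assumes a sha256sum-style SUMS file (one "hex  filename" line per image, with the BSD-style "SHA256 (file) = hex" form also accepted), a detached OpenPGP signature over that file, and that you already hold the project’s signing-key fingerprint from a source other than the download page. gpg is called only for the signature step; the hashing is done in Python so very large images do not need to fit in memory.

```python
"""Verify a downloaded ISO against a signed checksum list (added example).
Assumptions: sha256sum-style or BSD-style SUMS file, detached OpenPGP
signature, and a pinned signing-key fingerprint obtained out of band."""
import hashlib
import hmac
import os
import subprocess


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte ISOs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse 'hex  name', 'hex *name' (binary mode) or 'SHA256 (name) = hex' lines."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("SHA256 (") and ") = " in line:
            name, _, digest = line[len("SHA256 ("):].partition(") = ")
        else:
            digest, _, name = line.partition(" ")
            name = name.strip().lstrip("*")
        sums[name] = digest.strip().lower()
    return sums


def verify_checksum(iso_path, sums_text):
    """True iff the ISO's SHA-256 matches the entry for its filename in the SUMS text."""
    name = os.path.basename(iso_path)
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        raise KeyError("no checksum entry for %s" % name)
    return hmac.compare_digest(expected, sha256_file(iso_path))


def signature_ok(gpg_status, trusted_fingerprint):
    """Decide from gpg's --status-fd output whether the signature is valid AND
    made by the pinned key. GOODSIG alone is not enough: it only says some key
    in your keyring signed the file, and keyrings pick up keys very easily."""
    want = trusted_fingerprint.replace(" ", "").upper()
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            signing_fpr = parts[2].upper()
            # Field 12, when present, is the primary-key fingerprint for a signing subkey.
            primary_fpr = parts[11].upper() if len(parts) >= 12 else signing_fpr
            return want in (signing_fpr, primary_fpr)
    return False


def verify_signature(sums_path, sig_path, trusted_fingerprint, gpg="gpg"):
    """Run gpg with machine-readable status on stdout and apply signature_ok()."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True, check=False)
    return signature_ok(proc.stdout, trusted_fingerprint)


def verify_iso(iso_path, sums_path, sig_path, trusted_fingerprint):
    """Signature first, then checksum: an unsigned or wrongly signed SUMS file
    makes the checksum comparison worthless."""
    if not verify_signature(sums_path, sig_path, trusted_fingerprint):
        return False
    with open(sums_path) as f:
        return verify_checksum(iso_path, f.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        sys.exit("usage: verify_iso.py IMAGE.iso SUMS SUMS.sig 'KEY FINGERPRINT'")
    ok = verify_iso(*sys.argv[1:])
    print("OK" if ok else "FAILED")
    sys.exit(0 if ok else 1)
```

The order matters: the checksum file is only worth comparing against once its signature has been tied to the fingerprint you pinned, and a GOODSIG from some other key in the keyring is treated as a failure.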

 

Step 3: Be Aware of the General Security Principles for Everyone (What Must be Done)

For the absolute beginner, it is very helpful to learn some of the basic terminology and principles of information security. Don't be intimidated by tech speak.  We will supply you a list of important words and ideas, along with clear explanations.  This will help you enormously.  Please see the list at the bottom:  Basic Terminology and Principles.  Don't be afraid to read this list before you proceed. Words in the list will be highlighted in purple to make them easier to identify.

A.  Use a Linux-based operating system that you verified, but don’t get over-confident.  This is just a step in the right direction, not a cure-all.

B. If we put the OS on the hard drive, as opposed to running it as a live system (on a USB stick, for example), we must encrypt the full hard drive or, at the very least, our home folder.

C. And we must use a real password, one that is at least 24 characters long and uses as much of the full range of letters, numbers, and symbols as possible.  Password management is one of the worst problems in information security, and it has not been fixed, until now.  We are going to show you how to do this the easy way.  Full disclosure:  we are getting a patent for this and it is going to be a product for sale. There will also be a free version.

D. Applications are a huge threat vector.  We need to keep an eye on them, harden them, update them properly, and make sure that we don’t maintain applications that we never use.  Some operating systems make this easier than others.  AppArmor or SELinux are important tools in this effort.

E.  We must harden and configure our BIOS

F.  We must properly configure, manage, and use a firewall

G.  We must make sure our display locks after a certain period, and that a password is required to re-open it.  Yes, that can be inconvenient, but convenience is the enemy of security.

H.  We must check for rootkits.  Chkrootkit is not easy to understand, and it can give false positives. Using chkrootkit properly starts with verifying it after download. Getting a baseline reading of chkrootkit results is important for tracking changes.  Remember that a checker running on a compromised system can be lied to by the very rootkit it is looking for, so when you can, run it from a verified live system against the mounted disk.

I. We must limit and manage the connections of our device to the internet.  We need to turn off remote control and manage how our computer operates its listening services.  External ports that are not needed do not need to be listening.

J. It is important to know who to turn to when you have questions about your operating system or an application.

K. We must not use root permission when it is not needed.

L.  We must make sure that our system is updated, especially for security.  Fedora is especially good at this.  TAILS also does a very good job.
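Item I above (limit listening services, turn off remote control) is easiest to act on with a list of what is actually listening and from where it can be reached. The Python below is an added example, not part of the original post. The sample lines are constructed to look like the output of `ss -Hltunp` (no header; run as root to see process names); on a real machine `live_ss()` fetches that output. Anything bound to 0.0.0.0, [::] or * is reachable from the network; anything on 127.0.0.1 or [::1] is not.

```python
"""Audit of listening sockets from `ss -Hltunp` output (added example).
SAMPLE is constructed; live_ss() returns the real thing on a Linux host."""
import subprocess

# Constructed sample in the column order ss prints with -H (no header):
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*       users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      5      127.0.0.1:631     0.0.0.0:*    users:(("cupsd",pid=950,fd=7))
tcp   LISTEN 0      5      [::1]:631         [::]:*       users:(("cupsd",pid=950,fd=6))
tcp   LISTEN 0      5      0.0.0.0:5900      0.0.0.0:*    users:(("x11vnc",pid=2210,fd=4))
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=700,fd=12))
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*    users:(("systemd-resolve",pid=600,fd=13))
"""

# Loopback prefixes: anything else is reachable from at least one interface.
LOOPBACK = ("127.", "[::1]")


def split_addr(local):
    """'[::]:22' -> ('[::]', '22'); '127.0.0.53%lo:53' -> ('127.0.0.53%lo', '53')."""
    host, _, port = local.rpartition(":")
    return host, port


def process_name(field):
    """Pull 'sshd' out of users:(("sshd",pid=812,fd=3)); '-' when ss shows none."""
    start = field.find('(("')
    if start < 0:
        return "-"
    start += 3
    return field[start:field.find('"', start)]


def parse_ss(text):
    """Turn ss lines into dicts with an 'exposed' flag for non-loopback binds."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        netid, state, local = parts[0], parts[1], parts[4]
        host, port = split_addr(local)
        entries.append({
            "proto": netid,
            "state": state,
            "host": host,
            "port": port,
            "process": process_name(parts[6]) if len(parts) > 6 else "-",
            "exposed": not host.startswith(LOOPBACK),
        })
    return entries


def exposed_services(text):
    """Listeners reachable from the network."""
    return [e for e in parse_ss(text) if e["exposed"]]


def audit(text, allow=frozenset()):
    """Exposed listeners not covered by an allow-list of (proto, port, process)."""
    return [e for e in exposed_services(text)
            if (e["proto"], e["port"], e["process"]) not in allow]


def live_ss():
    """Output of `ss -Hltunp` on the current Linux host (needs root for names)."""
    return subprocess.run(["ss", "-Hltunp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Allow the SSH daemon you deliberately run; everything else exposed is a finding.
    for e in audit(SAMPLE, allow={("tcp", "22", "sshd")}):
        print("%-4s %-20s %s" % (e["proto"], e["host"] + ":" + e["port"], e["process"]))
```

On the sample this flags the VNC server and mDNS responder as reachable from the network while leaving CUPS and the stub resolver alone, which is the list of things to stop, firewall, or rebind to 127.0.0.1.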

Step 4: Set it Up for Security

 

Step 5: Choose a VPN and a Commercial Email Provider

A. A good VPN is one that is not based in the United States, sorry to say, has a minimum of logging, uses strong encryption, has its own DNS servers and a NAT firewall, and has good customer service.  ExpressVPN is a very good choice. VyprVPN is a good choice. Make sure to connect to a server that is not in the U.S., Canada, Australia, New Zealand, or Great Britain.  It is often useful to connect to a server in a time zone that has low traffic (between midnight and six in the morning, local time).

B. A good commercial email provider is one that is not based in the United States, sorry to say, nor in Canada, Australia, New Zealand, or Great Britain, and that uses strong end-to-end encryption.  Protonmail is an excellent choice. Protonmail is end-to-end encrypted (between Protonmail users, or when you encrypt to an outside recipient’s PGP key or send a password-protected message; ordinary mail to other providers is not), security conscious, and based inside a mountain in Switzerland. Tutanota is a good choice. It does not track you either, and it is based in Germany.

Step 6: Let’s Choose a Browser

A. That is easy.  Go with Mozilla Firefox, and take advantage of their security and privacy add-ons.  Be careful, though, of the poisoned pills:  some add-ons do the opposite of what they purport to do.  This is a pathetic situation, but your information is valuable, and a lot of tricks are being played against decent people.

B. Choose add-ons for your Firefox browser.

Congratulations! You have gone a long way to un-schmendrick your information life.  Malicious actors are not going to be able to piggy-back on Google and Microsoft products to steal from you.   Now let’s talk about PGP.  Wait, we already did!  If you chose Protonmail, you are using state-of-the-art encryption already.  Let’s talk about PGP anyway, and encrypt some files.

Poisoned Pills: Ghostery, AdBlock Plus, Countermail

We are in the era of fake news and fake security.  That Ghostery and AdBlock Plus have enabled ads, and have monetized and betrayed the trust of well-meaning people, is a disgrace.  Joining their ranks is Countermail:  an expired signing certificate, the use of SHA-1 (very unsecure), and the use of TLS 1.0 (very unsecure and long outdated).  But there is some good news:  Protonmail for your email, and Privacy Badger for blocking trackers and tracking cookies.

The question remains:  how many more poisoned pills are out there?

 

Ghostery is Fake

Ghostery’s parent company sells data collected from users who turn on its data-sharing feature to advertising companies.  This is akin to how AdBlock Plus whitelists some Google ads.  AdBlock Plus and Ghostery are playing tricks.

From Business Insider:

“Ghostery, one of the most popular ad-blocking services on the web, is owned by a company that uses the data it collects from its users to help advertisers target their ads better, the MIT Technology Review reports.

Ghostery is a widget users can install in their web browsers, and it’s made by a company called Evidon. It blocks the tracking code that advertisers use to target you with ads, keeping your browsing private. MIT says:

Yet few of those who advocate Ghostery as a way to escape the clutches of the online ad industry realize that the company behind it, Evidon, is in fact part of that selfsame industry.

Evidon helps companies that want to improve their use of tracking code by selling them data collected from the 8 million Ghostery users who have enabled the tool’s data sharing feature.

“This is not a scheme,” MIT quotes Scott Meyer, Evidon’s CEO, as saying. It’s helpful to give advertisers Ghostery’s data because advertisers don’t generally want to target people who have opted out of advertising, he says.

It’s no secret, either. Evidon was originally called “Better Advertising,” as its own web site makes clear.”

Google is Evil

Google = Deception

In 2011 Google settled a lawsuit for $500,000,000 because they were profiting from ads for companies that sell illegal drugs.  Google, and other large companies like them, are not social services organizations.  They also spend a lot of time avoiding taxes.  They take advantage of Byzantine tax rules to make sure that their take stays with them–instead of going to communities across America.  And they love diversity–it is better to hire that programmer from New Delhi because he or she will take a lower salary. America’s best interests and your best interests are at the center of their hearts, really. They would never sell drugs to kids in Mexico either, never.  It is not all about the money; they are honorable.  Their honor compares favorably with all definitions of honor, even those in North Korea.

What can we do?  Now that taking people’s personal information has become normal, which it never should have become, we can only limit their collection and help others to limit it.  Google has a trick for every day of the week, as do the other big IT companies such as Microsoft.

1. Do not buy Google products

2. Do not use Android:  use Ubuntu

https://developer.ubuntu.com/en/phone/devices/installing-ubuntu-for-devices/

3. Do not visit Google Play or YouTube

4. Do not use Chrome:  use Firefox, on Fedora          https://getfedora.org/

5. Do not use Google’s search engine:   use DuckDuckGo          https://duckduckgo.com

6. Block Google on your desktop, laptop, or netbook

   -block them in your browser by using Firefox with the following add-ons:  RequestPolicy (to control third-party requests across websites), uBlock Origin (content filtering and ad blocking), NoScript (to control executable content, etc.), and Privacy Badger (to block trackers, bugs, and beacons).  Ghostery (to identify trackers) and AdBlock Plus (to block ads by address and element) used to be on this list, but see Poisoned Pills above:  Ghostery’s owner sells user data, and AdBlock Plus whitelists some Google ads.

7.  If Google is linked to your current device, wipe it.

Reuters and Google: Deceptive Business Practices Now Normalized

Not so long ago, we had real news.  People could choose between ABC, CBS, and NBC, for their televised news.  Fast forward to 2017:  news gets mixed with advertising, which gets mixed with fake social media that advises you to buy an anti-virus that implies you will have a safe phone forever–cost you $30.  What a joke.

And you need to go to Google Play to download it, which means you need a phone registered to them. Like the NSA wanting to do some monitoring, Google now owns your phone.

Android phones are inherently unsecure because the apps can come from here, there, and everywhere.  It is a security nightmare, and they know it.  Do you think they care?  But they do care about your data. They want your information because they can sell it.  So we get the deception, the cloying tug to get you to become one of the herd, the fake social media posts which are actually advertising. It is vulgar, and it plays to people who are uninformed and who need a hug.

Reuters colludes in this.  If it were not profitable, it would not be done.  Instead, people should make informed decisions that do not follow the endemic deception and namby-pamby herd mentality of large companies such as Google, Microsoft, and Facebook.  The distinction between news and advertising needs to be obvious, as it used to be.