I’m reading Neuromancer now, so this video about “code as a weapon” jumped out at me. I’m still not sure how much of the hacker talk these days is hype, and plenty of .mil folks have obvious motivations to scare the public about cyber threats and viruses crashing trains and taking down power grids and all the rest. That said, as more and more systems connect to the integrated info grid and store their data in the cloud, it’s inevitable that weaponized viruses will appear with the capacity to do serious damage. Whether it’s now or a decade from now.
Stuxnet: Anatomy of a Computer Virus from Patrick Clair on Vimeo.
Kind of shocking to see the phrase “false flag events” in PC magazine. I’m inclined to think LulzSec is legit, but who knows?
Out of the blue, Citigroup was hacked, then the CIA, and then the FBI and other groups were hacked. Now I’m finding this a little odd and wondering who is being set up here. Supposedly, some of the hacks of government agencies stem from the arrest of a few hackers in Europe. This is an attempt to make the hackers appear to be online versions of Hezbollah, as there are retaliatory attacks reported. You know, the way terrorists would do it.
It’s all possible, but I’m suspicious of the whole scene. These hackers, who are normally casual in their approach, are made to look like bomb throwing Trotskyites from the 1920s, each wielding a Molotov cocktail and out to overthrow the government.
This above mental image, of course, is for public benefit. By making any one of these hackers appear to be a horrendous threat to public safety, a number of initiatives can be rushed through Congress. All sorts of onerous laws will be passed, which probably will not affect the scene at all but will allow more government intrusion into the Internet. It will become illegal to sell any programming tools that can be used by a hacker, despite the usefulness of these tools to security experts. It will also become a felony to attempt to deconstruct a password or enter a system for whatever reason.
I have predicted for years that at some point people are going to have to be registered and licensed to use the Internet at all. You can see it coming as clear as day. These hackers, of course, have to be stopped, and this is how they’ll do it.
There are events in history known as false flag events. These are staged by a government usually to distress the public, so the government can do something that the public would otherwise disapprove.
via: Ars Technica
Why did the hackers at Lulz Security (“LulzSec”) invade Sony Pictures websites, take down cia.gov, and release 60,000+ e-mail addresses and passwords? For the lulz, of course—but what might look lulzy to one person could certainly enrage another. In honor of its 1,000th tweet, the witty wankers of LulzSec released a manifesto of sorts, defending their actions to the angry Internets.
Sure, they’re in it for the lulz, but they claim that their behavior is also in the public interest. What—don’t most public servants end their dispatches with “Thank you, bitches”?
via: Ars Technica
In a sure sign that the virtual currency Bitcoin has hit the mainstream, a new Trojan horse program discovered in the wild Thursday seeks out and steals victims’ Bitcoin wallets, the same way other malware goes for their banking passwords or credit card numbers.
You know those posters that show Obama painted up like the Joker from the last Batman movie? Those are incredibly dumb. For a lot of reasons, but mostly because what makes the Joker an interesting character in The Dark Knight is that he’s an agent of chaos. He is not concerned with money or power or prestige; he just wants to destroy order, create mayhem, and expose the roiling, selfish mayhem that he thinks lurks within us all. Obama is a politician, and anyone who looks at his policies sees a trend of increasing order and control, centralizing power and pacifying the masses. The Joker is in it for the lulz and doesn’t give a fuck about anything. Which seems similar to Lulzsec.
I wouldn’t call them nihilists, they’re just dicks who like breaking things and embarrassing people without troubling themselves with any political or social agenda. And they’re pretty good at what they do, so they’ve been able to create a pretty impressive amount of damage. Maybe they are a black op designed to raise cyber crime fears and justify restricting the Internet. There was recently a report that 1 in 4 hackers are working with law enforcement. I don’t think so, though. Their attacks are sometimes against “legitimate” targets, but a lot of them are against just silly targets like Eve Online. Their Twitter feed is often pretty amusing. Funnier than I think spooks and grunts could be. They really just seem like those amusing jerks we all knew in school who you generally tried to ignore and who did a lot of stuff that was just dumb, but every once in a while made a mean joke or a prank that you had to laugh at.
What does this have to do with civil resistance? They’re not like Anonymous, which practices hacktivism. But they’re part of the new landscape, and they’re an important part of it. John Robb would call them superempowered individuals. They’re a small group with the power to wreak havoc on much larger organizations. Lulzsec will likely be brought down or disappear on its own eventually, but others will follow them.
Lulzsec attacks Infraguard
Who is lulzsec?
More “It’s not as bad as you think, it’s worse,” news about domestic surveillance. Obviously, the brave whistleblower responsible for providing the public with this information is being labeled a traitor by the gov.
via: The New Yorker
When Binney heard the rumors, he was convinced that the new domestic-surveillance program employed components of ThinThread: a bastardized version, stripped of privacy controls. “It was my brainchild,” he said. “But they removed the protections, the anonymization process. When you remove that, you can target anyone.” He said that although he was not “read in” to the new secret surveillance program, “my people were brought in, and they told me, ‘Can you believe they’re doing this? They’re getting billing records on U.S. citizens! They’re putting pen registers’ ”—logs of dialled phone numbers—“ ‘on everyone in the country!’ ”
Drake recalled that, after the October 4th directive, “strange things were happening. Equipment was being moved. People were coming to me and saying, ‘We’re now targeting our own country!’ ” Drake says that N.S.A. officials who helped the agency obtain FISA warrants were suddenly reassigned, a tipoff that the conventional process was being circumvented. He added, “I was concerned that it was illegal, and none of it was necessary.” In his view, domestic data mining “could have been done legally” if the N.S.A. had maintained privacy protections. “But they didn’t want an accountable system.”
Binney, for his part, believes that the agency now stores copies of all e-mails transmitted in America, in case the government wants to retrieve the details later. In the past few years, the N.S.A. has built enormous electronic-storage facilities in Texas and Utah. Binney says that an N.S.A. e-mail database can be searched with “dictionary selection,” in the manner of Google. After 9/11, he says, “General Hayden reassured everyone that the N.S.A. didn’t put out dragnets, and that was true. It had no need—it was getting every fish in the sea.”
This is still theoretical, but for anyone considering hacktivism, it’s something to keep in mind.
via: The Shape of Code
The source code of the ZeuS Botnet is now available for download. I imagine there are a few organizations who would like to talk to the author(s) of this code.
All developers have coding habits, that is they usually have a particular way of writing each coding construct. Different developers have different sets of habits and sometimes individual developers have a way of writing some language construct that is rarely used by other developers. Are developer habits sufficiently unique that they can be used to identify individuals from their code? I don’t have enough data to answer that question. Reading through the C++ source of ZeuS I spotted a few unusual usage patterns (I don’t know enough about common usage patterns in PHP to say much about this source) which readers might like to look for in code they encounter, perhaps putting name to the author of this code.
via: Secrecy News
The rise in national security secrecy in the first year of the Obama Administration was matched by a sharp increase in the financial costs of the classification system, according to a new report to the President.
The estimated costs of the national security classification system grew by 15% last year to reach $10.17 billion, according to the Information Security Oversight Office (ISOO). It was the first time that annual secrecy costs in government were reported to exceed $10 billion.
An additional $1.25 billion was incurred within industry to protect classified information, for a grand total of $11.42 in classification-related costs, also a new record high.
See Also: John Robb on The Secrecy Tax