"Superficial is the new intimate."

From the archive, a selection:

Like is the New Say, or How I Learned to Love The Quotative Like.

Fear is the new Comfort.

Data is the new Singularity.

Gray matter is the new black of the hip social scene.

In Cyberwar, Coding is the New Maneuver.

Wardriving is the new pop.

Jihad is the new punk.

The Internet is the new Afghanistan.

Muscular idealism is the new American realism.

Also, a variation on the theme:

Barack Obama is your new bicycle.

Saying Yes to Mess

The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones, including both hardware and software IP Phones as well as phone adapters (VoIP to analogue). The vulnerability allows leakage of the Digest authentication response, which is computed from the password. An offline password attack is then possible and can recover most passwords based on the challenge response.

By making use of sipdigestleak.py which is included in VOIPPACK, one can automate the process of getting the phone to ring, obtaining a challenge response and performing a brute-force attack. In this tutorial we shall be looking at how this module makes the whole process an easy task.

From the archive:

In this Special Edition, I sat down with Cullen Jennings out at VoiceCon San Francisco in August 2007 to talk about SIP security.

How to exploit the SIP Digest Leak vulnerability

A new report from Ross Anderson:

In this note we document a case of malware-based electronic surveillance of a political organisation by the agents of a nation state. While malware attacks are not new, two aspects of this case make it worth serious study. First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed. Second, the modus operandi combined social phishing with high- grade malware. This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective. Few organisations outside the defence and intelligence sector could withstand such an attack, and al- though this particular case involved the agents of a ma jor power, the attack could in fact have been mounted by a capable motivated individual. This report is therefore of importance not just to companies who may attract the attention of government agencies, but to all organisations. As social-malware attacks spread, they are bound to target people such as accounts-payable and payroll staff who use computers to make payments. Prevention will be hard. The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge.

Acidus, from last year:

The first rule of Confidential Document Fight Club is you cannot acknowledge the existence of Confidential Document Fight Club.

The snooping dragon: social-malware surveillance of the Tibetan movement

When does a scene become a cult?

"They wanted me to be wasting my time on it just like they were wasting their time on it."

Facebook’s new “engagement” ads ask users to become fans of products and companies -- sometimes with the promise of discounts. If a person gives in, that commercial allegiance is then broadcast to all of the person’s friends on the site.

Dwindling secrets, and prying eyes, are at the heart of the Facebook conundrum. While offering an efficient and far-reaching way for people to bond, the site has also eroded sometimes natural barriers.

Samantha Power:

There are great benefits to connectedness, but we haven't wrapped our minds around the costs.

Peter Schiff:

I think things are going to get very bad.

Jack Kerouac:

"You boys going to get somewhere, or just going?" We didn't understand his question, and it was a damned good question.

Is Facebook Growing Up Too Fast?

Rob Minto interviews Lars Bak:

"In the US, there is an aggressiveness, the extra level of belief in yourself that is needed. The European way is less aggressive. But in the US, you can get promoted and stay in touch with the technical side. In Europe, you turn into a paper manager. It’s hard to get your fingers dirty."

Programming can be a very solitary pursuit. Although Bak and Kasper Lund work in close collaboration, there is still a sense of isolation from the rest of the world. You write code, test it, refine it, write more, and just keep going until something works like you need it to. For Bak, it’s very simple, and very secluded. And then, for some reason, the rest of the world wants in – to know about you and your work.

Far away, so close:

"Being in the water alone, surfing, sharpens a particular kind of concentration, an ability to agree with the ocean, to react with a force that is larger than you are."

If Schnabel is a surfer in the sense of knowing how to skim existence for its wonders, he is also a surfer in the more challenging sense of wanting to see where something bigger than himself, or the unknown, will take him, even with the knowledge that he might not come back from the trip.

... What does a man need---really need? A few pounds of food each day, heat and shelter, six feet to lie down in---and some form of working activity that will yield a sense of accomplishment. That's all---in the material sense.

The genius behind Google’s web browser

Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions.

"GhostNet" is a cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

This report serves as a wake-up call. At the very least, a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet. These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.

The report is also available on Scribd.

From John Markoff's coverage:

The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities.

"It’s a murky realm that we’re lifting the lid on."

Acidus, from last year:

The first rule of Confidential Document Fight Club is you cannot acknowledge the existence of Confidential Document Fight Club.

Tracking GhostNet: Investigating a Cyber Espionage Network

Robert D. Kaplan:

Americans are about to lead a great battle against culture and geography.

Literacy rates in the Pushtun belt of the south and east that has seen most of the serious fighting is under ten percent, with women's literacy hovering near zero in many places. One regional governor told us that he has to micromanage everything because there are so few competent people around him.

"This is not easy shit," says one American Army colonel. "But what's the alternative?"

Robert Levine:

The Great Depression brought the New Deal to the United States. It brought the rest of the world Nazism and universal war. This time, though, many nations have nuclear weapons.

"Maybe we could" is the limit of optimism in this paper. The world ahead looks difficult.

David Kilcullen:

We're now reaching the point where within one to six months we could see the collapse of the Pakistani state. The collapse of Pakistan, al-Qaeda acquiring nuclear weapons, an extremist takeover -- that would dwarf everything we've seen in the war on terror today.

Saving Afghanistan

Once a rarity, traffic cameras are filming away across the country. And they're not just focusing their sights on red-light runners.

Drivers -- many accusing law enforcement of using spy tactics to trap unsuspecting citizens -- are fighting back with everything from pick axes to camera-blocking Santa Clauses. They're moving beyond radar detectors and CB radios to wage their own tech war against detection, using sprays that promise to blur license numbers and Web sites that plot the cameras' locations and offer tips to beat them.

Municipalities are establishing ever-more-clever snares. New Haven, CT has put license-plate readers on tow trucks. They roam the streets searching for cars owned by people who haven't paid their parking tickets or car-property taxes.

Bruce Schneier:

This is wholesale surveillance; not "follow that car," but "follow every car."

More is coming.

Decius:

Unless there is some detail that I'm missing, this sounds positively Orwellian.

Get the Feeling You're Being Watched? If You're Driving, You Just Might Be

We live in the Global Location Age. “Where am I?” is being replaced by, “Where am I in relation to everything else?”

Penn State Public Broadcasting is developing the Geospatial Revolution Project, an integrated public service media and outreach initiative on the brave new world of digital mapping.

The project will include a 60-minute public television broadcast program, a structured outreach initiative with educational partners, a chaptered program DVD including educational toolkit components, and a Web site with information and additional resources.

Geospatial information influences nearly everything. Seamless layers of satellites, surveillance, and location-based technologies create a worldwide geographic knowledge base vital to solving myriad social and environmental problems in the interconnected global community. The sweeping application of these technologies also ushers in a future with many potential dangers. The public needs to become more aware of the inherent privacy and security challenges posed by this new, location-aware society.

Bruce Schneier:

This is wholesale surveillance; not "follow that car," but "follow every car."

More is coming.

Decius:

Unless there is some detail that I'm missing, this sounds positively Orwellian.

Geospatial Revolution Project

Bruce Schneier offers a recap of earlier MemeStreams privacy threads:

The problem is, in today's information society, the "expectation of privacy" definition test will rapidly leave us with no privacy at all.

Even if society still has some small expectation of digital privacy, that will change as these and other technologies become ubiquitous. In short, the problem with a normative expectation of privacy is that it changes with perceived threats, technology and large-scale abuses.

The trick here is to realize that a normative definition of the expectation of privacy doesn't need to depend on threats or technology, but rather on what we -- as society -- decide it should be. Sure, today's technology make it easier than ever to violate privacy. But it doesn't necessarily follow that we have to violate privacy.

Adam Shostack on Daniel Solove's book:

If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove's approach.

Decius on Jed Rubenfeld's essay:

We are very close to the point where the 4th amendment will be an anachronism - a technicality that has very little impact on everyday life - and a radical reconsideration will be necessary in order to re-establish it.

Orin Kerr:

The government could go to your Internet service provider and say, 'Copy all of your e-mail, but make the copy a millisecond after the email arrives,' and it would not be a wiretap.

Thomas Powers:

Is more what we really need?

It's Time to Drop the 'Expectation of Privacy' Test