Thirty years after the Berlin Wall fell, a Stasi spy puzzle remains unsolved
> In the aftermath of the fall of the Berlin Wall 30 years ago, East Germany’s secret police frantically tried to destroy millions of documents that laid bare the astounding reach of mass surveillance used to keep an iron grip on citizens.
> As shredders that were available jammed or broke down, Stasi officers resorted to tearing the documents by hand, stuffing them into bags to later be burned or pulped. But the effort came to a premature halt when citizens groups stormed and occupied Stasi offices to preserve the evidence.
> Three decades later, in the same rooms behind the foreboding gray facade of the former Stasi headquarters, Barbara Poenisch and nine fellow archivists are trying to piece those documents, and the history, back together.
> Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.
> In our paper we demonstrate this effect, successfully using light to inject malicious commands into several voice controlled devices such as smart speakers, tablets, and phones across large distances and through glass windows.
I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too.
> Little-known companies are amassing your data — like food orders and Airbnb messages — and selling the analysis to clients. Here’s how to get a copy of what they have on you.
> As of this summer, though, Sift does have a file on you, which it can produce upon request. I got mine, and I found it shocking: More than 400 pages long, it contained all the messages I’d ever sent to hosts on Airbnb; years of Yelp delivery orders; a log of every time I’d opened the Coinbase app on my iPhone. Many entries included detailed information about the device I used to do these things, including my IP address at the time.
Inside the Phone Company Secretly Run By Drug Traffickers
> All over the world, in Dutch clubs like the one Kok frequented, or Australian biker hangouts and Mexican drug safe houses, there is an underground trade of custom-engineered phones. These phones typically run software for sending encrypted emails or messages, and use their own server infrastructure for routing communications.
> For MPC, the process of setting up the devices was relatively simple: MPC would take a Google Nexus 5 or Nexus 5X Android phone, and then add its own security features and operating system, according to social media posts from MPC and a source with knowledge of the process. MPC then created the customer’s messaging accounts, added a data-only SIM card (which MPC paid about £20 a month for), and then sold the phone to the customer at £1,200. Six-month renewals cost £700, the source added. MPC only sold around 5,000 phones, the source said, but that still indicates the business netted the company some £6 million. At one point, a version of MPC’s phones also used code from an open-source, security-focused Android fork called CopperheadOS, three sources said.
Unexpected Norms Setters
> I wanted to do a line by line review of Ilina Georgieva’s recent piece on cyber norms because on a brief read-through, I liked a lot of it. That said, the difficulty with reviewing policy pieces is you tend to think the ones that AGREE with you are naturally genius, which is not always the case. So after a more thorough review, there are a lot of serious issues with the piece and these are painfully listed below (if you happen to be Iliana).
More Teenagers Mistakenly Think “Private” Chat Conversations Will Remain Private
> As you can see, the chat participants–especially 7Up and Lady Gaga–seemingly discuss killing S, his goldfish, and his dog. But in the context of nonsense teen chatter, I don’t think anyone could read this transcript and believe that any of the participants actually planned to harm S or any animals.
> An unidentified person tipped off S to the thread’s existence. S asked “Me” about it. Me revealed the thread’s name to S. This got back to S’s mom, who told the principal, who brought the girls into his office, seized their phones, and turned them over to law enforcement. Prosecutors brought charges against 7Up/JP for misdemeanor online threats. A jury convicted 7Up. The appellate court reversed.
This is mostly nonsense, although it’s somewhat interesting to see court opinions wrestle with the conundrum of quoting screenshots.
Confession of Kim Philby made public for first time
Looking back at the Snowden revelations
> It’s no coincidence that this is a cryptography blog, which means that I’m not concerned with the same things as the general public. That is, I’m not terribly interested in debating the value of whistleblower laws (for some of that, see this excellent Twitter thread by Jake Williams). Instead, when it comes to Snowden’s leaks, I think the question we should be asking ourselves is very different. Namely:
> What did the Snowden leaks tell us about modern surveillance capabilities? And what did we learn about our ability to defend against them?
50 ways to leak your data: an exploration of apps’ circumvention of the Android permissions system
> This paper is a study of Android apps in the wild that leak permission protected data (identifiers which can be used for tracking, and location information), where those apps should not have been able to see such data due to a lack of granted permissions. By detecting such leakage and analysing the responsible apps, the authors uncover a number of covert and side channels in real-world use.
The secret-sharer: evaluating and testing unintended memorization in neural networks
> This is a really important paper for anyone working with language or generative models, and just in general for anyone interested in understanding some of the broader implications and possible unintended consequences of deep learning. There’s also a lovely sense of the human drama accompanying the discoveries that just creeps through around the edges.
> Disclosure of secrets is of particular concern in neural network models that classify or predict sequences of natural language text… even if sensitive or private training data text is very rare, one should assume that well-trained models have paid attention to its precise details…. The users of such models may discover—either by accident or on purpose—that entering certain text prefixes causes the models to output surprisingly revealing text completions.
It’s Scarily Easy To Track Someone Around A City Via Their Instagram Stories
> By cross-referencing just one hour of footage from public webcams with stories taken in Times Square, BuzzFeed News confirmed the full identities of a half dozen people.
How the woman who broke the news about World War II was also first to the ‘Third Man’ spy
> Much of the coverage following the death of Clare Hollingworth has focussed upon her reporting on the outbreak of World War II and the fact that she broke the first stories about Germany’s invasion of Poland. But a little more can perhaps be said about her role in another major 20th-century news story. Hollingworth played a significant part in the outing of Kim Philby as the so-called “Third Man” in the Cambridge Spy Ring, following his disappearance from Beirut in January 1963.
The NSA's regional Cryptologic Centers
> For many years, the US National Security Agency (NSA) was identified with its almost iconic dark-glass cube-shaped headquarters building at Fort Meade in Maryland. Only when Edward Snowden stepped forward in 2013 did the public learn that there’s also a large NSA facility in Hawaii - which is actually one of four regional centers spread across the United States.
Women's Romanization for Hong Kong
> This is not to say that this type of ad hoc, spontaneous Romanization of Cantonese has not already existed for some time. Indeed, young people have been using it extensively for texting, on social media, etc. for years. What’s new is that it is now consciously being employed to out fake protesters who do not know Hong Kong Cantonese and its informal writing system.
The scramble to secure America’s voting machines
> Paperless voting devices are a gaping weakness in the patchwork U.S. election system, security experts say. But among these 14 states and their counties, efforts to replace these machines are slow and uneven, a POLITICO survey reveals.
Very annoying scroll interaction at the top, but eventually some content appears.
Moxie Marlinspike on encryption bans
> Host Molly Wood spoke with Moxie Marlinspike, founder and CEO of the private chat app Signal Messenger, about what a ban on encryption — or giving law enforcement a back door to messages — might mean. The following is an edited transcript of their conversation.
Investigating sources of PII used in Facebook’s targeted advertising
> We develop a novel technique that uses Facebook’s advertiser interface to check whether a given piece of PII can be used to target some Facebook user, and use this technique to study how Facebook’s advertising service obtains users’ PII. We investigate a range of potential sources of PII, finding that phone numbers and email addresses added as profile attributes, those provided for security purposes such as two-factor authentication, those provided to the Facebook Messenger app for the purpose of messaging, and those included in friends’ uploaded contact databases are all used by Facebook to allow advertisers to target users. These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings.
How Hacking Works
In which xkcd teaches us about credential stuffing.
The Model Estonian Soldier Who Spied for Russia
> I spoke to Metsavas under the auspices of KAPO, which gave The Atlantic virtually unrestricted access to him, but not to his friends or family. Notably, I was not allowed to speak with his wife, his mother, or his father, the last of whom played an integral role in his son’s ordeal. The rules of engagement were simple: I could ask my subject anything I liked, but he had been instructed beforehand not to divulge information that might compromise KAPO’s counterintelligence investigation, particularly any details that would telegraph to the Russians what the Estonians knew about their tradecraft and the secrets they had stolen. “They don’t deserve it,” Toots said.
> For KAPO, the interview was an opportunity to publicize its already legendary reputation of catching Russian spies. For me, it was an unmissable chance to speak to a contemporary spy and raise the curtain on the inner workings of a Russian intelligence agency whose century-long history of skulduggery—from election tampering to dirty wars, from attempted coups to assassination plots—shows no sign of abating. And for Metsavas, it was a chance to atone for his high crimes against his country, his comrades in the army, his friends and family. I believe he had little apparent incentive to lie: Everything he said would be within earshot of at least one KAPO case officer, tasked with ensuring that he didn’t speak out of turn, or embellish or misrepresent his autobiography. I got the impression that Metsavas, as much as the men who had unmasked him, took such matters earnestly. In general, there was a strange camaraderie between Metsavas and the KAPO case officers who flitted in and out of the interrogation room as our interview wore on. All interacted with him not as an enemy of the state, but as an old acquaintance, with an intimacy born of close proximity and repetition. I asked Metsavas whether he felt compelled in any way to talk to me. He said he didn’t and insisted that this whole thing was his idea in the first place. I eventually saw why.
I was 7 words away from being spear-phished
> I reflexively did some basic security hygiene checks. The email was from an @cam.ac.uk email address. I hovered over the link in the email - people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. It pointed to the same URL that the email text claimed it did, and was located on a valid cam.ac.uk subdomain. It did strike me as a little odd that the page was hosted inside gh327’s personal directory instead of the main economics department’s site; but hey, it’s probably less bureaucracy that way. I clicked on the link and read a little about the history of the Adam Smith prize.