Wednesday, June 11, 2014

Hope? Federal Appeals Court ruled Police need Warrant for cell phone location history


"For the first time, a federal appeals court has ruled that law enforcement must obtain a warrant to get people’s phone location histories from their cell service companies."
Source & full article at https://www.aclu.org/technology-and-liberty/first-time-appeals-court-rules-warrant-required-cell-phone-location-tracking

PDF of the ruling itself at https://www.aclu.org/sites/default/files/assets/q_davis_opinion_0.pdf

A little hope; my understanding is that this ruling would only apply to the jurisdiction of the court that made the ruling, and I suspect governments (local/state/federal?) will appeal.


Security & Hacking: Windows Patch Tuesday Reminder

In case you forgot, yesterday was Patch Tuesday for Windows.

Some critical fixes in this patch. For quick details on Patch Tuesdays I always recommend Brian Krebs' posts: http://krebsonsecurity.com/2014/06/adobe-microsoft-push-critical-security-fixes-4/

Excellent match from SPL2014: Maru vs effOrt



Jinair vs CJ series, Maru vs effOrt match.

Great game, I really liked seeing a Zerg that uses Overlords more effectively than typical Zerg.

Don't want to spoil it, so no more comments for now.




Thursday, May 29, 2014

Snowden responds to email NSA released via ICON

I blogged here about supposedly the only email the NSA could find where Snowden seemed to be following procedure for complaints, concerns, & whistleblowing.

I had more than one sad chuckle reading Snowden's response at The Washington Post http://www.washingtonpost.com/world/national-security/edward-snowden-responds-to-release-of-e-mail-by-us-officials/2014/05/29/95137e1c-e781-11e3-afc6-a1dd9407abcf_story.html

Like I speculated in my previous blog post, Snowden realized the official system wasn't designed to correct problems.

He states that in the article linked above.

But more telling, he mentions another specific correspondence that they certainly have:

"Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities - such as breaking into the back-haul communications of major US internet companies - are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations."

Source for quote same as link at top http://www.washingtonpost.com/world/national-security/edward-snowden-responds-to-release-of-e-mail-by-us-officials/2014/05/29/95137e1c-e781-11e3-afc6-a1dd9407abcf_story.html

Sure sounds to me like Snowden's focus is to bring accountability to NSA & other agencies under the DNI http://en.wikipedia.org/wiki/Director_of_National_Intelligence.

I'd also suggest reading http://www.emptywheel.net/2014/05/29/snowdens-emailed-question-addresses-one-abuse-revealed-by-his-leaks/

TrueCrypt Alternatives

Updated: Wanted to add https://www.grc.com/misc/truecrypt/truecrypt.htm; the green shaded box (scroll down a little) shows correspondence from the devs of TrueCrypt.

TL;DR: Confirms that this was just an odd way of quitting.


****

For the couple of people that might have missed the drama with TrueCrypt, see http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

TL;DR: Looks like the people behind TrueCrypt are done supporting it & suggest people use something else. Additionally, the version released with this information only decrypts previously encrypted data; it won't encrypt.

In light of this situation, many people are looking for alternatives. The best list I have found so far, though I know very little about the suggestions, is http://www.ghacks.net/2014/05/29/list-truecrypt-encryption-alternatives/

Security & Hacking: NSA & Snowden email correspondence

http://icontherecord.tumblr.com/post/87218708448/edward-j-snowden-email-inquiry-to-the-nsa-office is link for most recently released email, released by NSA, of correspondence between Snowden & Office of General Counsel.

[Edited to add: Strange that they released this email; they claimed Snowden's emails were exempt from FOIA & that they didn't have records, because he was never an NSA or CSS employee? See https://www.muckrock.com/foi/united-states-of-america-10/edward-snowden-employeecontractor-reviewsagreements-5971/]

He asks for some clarification about Executive Orders, that they are of lesser authority than Federal Statutes.

In addition to the email, IC On The Record states that they can't find any other evidence that Snowden was trying to fix problems through official procedures or channels.

Based on this statement:
"There are numerous avenues that Mr. Snowden could have used to raise other concerns or whistleblower allegations. We have searched for additional indications of outreach from him in those areas and to date have not discovered any engagements related to his claims."
It seems clear they (Executive Branch of Government) are continuing to portray Snowden as someone who refused to follow correct procedures and just wanted some personal gain or revenge.

That doesn't fit the facts very well.

Consider that Snowden turned over the document collection to the reporters that he had decided to trust.  And refused to dictate the agenda.

He certainly could have released fewer documents, or only documents that targeted what he wanted revenge against, or even sold the documents.

He didn't do that.

Funny thing is, many of the claims of government officials & politicians have repeatedly been proven to be false by the documents released so far.

Not to mention court cases that had been denied because standing couldn't be proved until documents Snowden released were published by reporters.  Or in other words, Snowden enabled Courts to actually provide a check on Executive branch of government, including NSA, like they are supposed to do.

More on US Separation of Powers:


More on IC On The Record, according to info on their site http://icontherecord.tumblr.com/post/58838654347/welcome-to-ic-on-the-record:

"Created at the direction of the President of the United States, IC ON THE RECORD provides immediate, ongoing and direct access to factual information related to the lawful foreign surveillance activities carried out by the U.S. Intelligence Community"

Despite that data, some still try to claim Snowden did this for fame/notoriety or out of spite.

I suppose that is possible based on the evidence we have so far, but it doesn't seem targeted, or focused, with that as a primary goal.

Also, based on the pattern of denials by Government, followed by documentation that proves those denials false, I wouldn't be surprised if, eventually, documentation surfaces showing that Snowden did attempt to resolve at least some issues through official means.

Need to remember that Snowden seems smart, one of the most frequent comments from people that meet him.

Note smart people tend to learn quickly; I doubt it would have taken many failures to fix things through official means for Snowden to realize the official means were designed to maintain the status quo, not fix things.

Being a smart nerd, he would have then searched for some way to fix that problem.


Thursday, May 8, 2014

Security & Hacking: DEFCON 20 "Can You Track Me Now?"



DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data

This was posted on YouTube November 22, 2012, so was well before Snowden's release of information in May of 2013.

Main emphasis of this talk was tracking of cell phones.

But Christopher Soghoian briefly covers, at 31:05, that both Android (Google) & iOS (Apple) device encryption can be defeated by Google & Apple respectively.

This is a service they provide for Law Enforcement & other Government agencies.

Google can force a password reset for an Android device; they don't require physical access.

Apple appears to use what Soghoian calls a "Master Skeleton key"; they require departments to provide the actual device (i.e. physical access). They then provide unencrypted data on a CD, while the device remains encrypted.

I wonder if they might actually need the device to decrypt data, given the way devices since the iPhone 4S & iPad 2 have been designed (they have hardware-based encryption).

Entire video is worth watching, though it is rather long; they joke about having 3 different audiences during the course of the talk.
 



Monday, May 5, 2014

Pen Testing: Pwnie Express new Nexus 5 based phone

Pwnie Express is a pretty awesome company, https://www.pwnieexpress.com/, you have probably heard of their Pwn Plug even if you don't recognize the company's name.

They have a new Pen Testing phone out called:  Pwn Phone 2014

Product link https://www.pwnieexpress.com/penetration-testing-vulnerability-assessment-products/sensors/pwn-phone-2014-penetration-testing-phone/

They aren't cheap, but Pwnie Express also provides free downloads for the entire software suite they use in their products.

It usually takes a little time for a new product's software to be added, but they already have software for the 2014 Pwn Pad, Nexus 7 based, available.

Download at https://www.pwnieexpress.com/support/downloads/ if you want to use your existing Nexus 7; they should have the Nexus 5 download available in the near future as well.

The downloads for DIY are listed under "Community Editions & Legacy Product Downloads"

If I can find the time this week, I will also track down the current hardware accessories they offer, & update this post or make a post dealing with accessories.

Meanwhile you can view hardware accessories I listed for the 2013 Pwn Pad http://cliffsesportcorner.blogspot.com/2013/02/pen-testing-pwn-pad-by-pwnie-express.html.

Probably newer options available for some of those products, but those should work.

Just click following labels for more blog posts on Pwnie Express or Pen Testing, labels can be found at bottom left of every blog post, easy way to find similar or related content.

Select labels can also be found in label cloud at left side of Blog.

Hardware Hacking: "MacBook Pro Thunderbolt 2 Sonnet III-D GTX 780 Ti"




Link for Youtube http://youtu.be/G0M05rJkTQY

Link with details http://forum.techinferno.com/diy-e-gpu-projects/6689-%5Bguide%5D-2013-15-macbook-pro-gtx780ti%4020gbps-tb2-sonnet-echo-express-iii-d-win8.html

Anandtech article:  http://www.anandtech.com/show/7987/running-an-nvidia-gtx-780-ti-over-thunderbolt-2

Very Interesting!

Something I have been interested in since Thunderbolt came out, though I don't think it is going to be practical enough for me.

I've decided that for my needs & wants the new (2014) 14" Razer Blade laptop makes a lot more sense (http://www.razerzone.com/gaming-systems/razer-blade/ & http://www.anandtech.com/show/7858/razer-announces-the-new-razer-blade-14-qhd-with-gtx-870m); it is what I am saving up to get as a replacement for my Windows 7 laptop.

Still think an external GPU, especially combined with a docking station or high res monitor & docking connector (something like Apple's Thunderbolt display, but with 4K, and external GPU(s) to game on it), makes a lot of sense.

Problem is most people just want cheap netbook or a tablet.

Plus, since many (most?) gamers either make their own machines or have friends build them a gaming rig, I doubt the companies that could reasonably make dock with external GPU would ever be able to make profit.

TT

Tuesday, April 1, 2014

Starcraft 2 Thoughts: Special Tactics in SPL 2014 Maru vs Super



Link for those that don't want embedded video http://youtu.be/Oxe42fznuXs

Link here to jump right before things start to happen http://youtu.be/Oxe42fznuXs?t=3m26s

I can't say how very much I enjoyed this game, it was exceptional!

Been so long since I have seen a game that I felt was worth a Starcraft 2 Thoughts post.

Really cool game, not simple cheese, I'm not sure it is even an all in, need to do some testing to see if it is.

Go back and watch replay again, note that Protoss is constantly making Probes, found it particularly funny that as one caster is saying this is an "economically light" build Probes are being made.

Though to be fair, hard for the English casters to follow everything since they don't have full access to game, they are basically just viewing what Korean Observer is showing, just like we are, and they aren't always aware when the production or unit tab will be open.

Reason I'm not sure I would classify this as Cheese is that, IMHO, Cheese relies on not being scouted to be effective.

I don't think this build relies on that at all, not just because Super won after it was scouted early, but because Probe production was constant.

Also, Protoss takes the Natural during the attack.

Will take some serious testing, but I suspect this build works, at least on this type of map vs Reaper opening, even if Oracle(s) don't do any direct damage at beginning.

It will Pin Terran in their base, also forces minerals into early bunkers and/or Turrets.

I wonder if the strongest Terran defense to this would be to counter attack all in with SCV pull?

Or maybe counter attack with few SCV's to tank for Marines, but not full all in?


I suspect Mines might also be one of the better Terran responses to this if they can make some fast enough, depending on Terran build.

Though full wall off is probably critical as well, part of what made this a game ending attack instead of just gaining a modest advantage, was the fact that a Zealot & Stalker were able to get into the main.

This allowed serious attacks from multiple angles (similar concept to flanking & surrounding), as well as buying time for critical mass of Oracles for the small number of Marines.

Hard to say without some testing, would really like to see Day9 or Artosis work with MVP and go over some of the in house practice and testing of this build.

But really doubt that they would be willing to do that, because it would reveal lot of info to other teams on how they specifically prepare, among other issues.

Really awesome game!

Lot of depth to this game, many things that happened long before actual match.

Really cool!

For more posts like this exploring Strategy & Tactics in SC2 click on the Label: Starcraft 2 Thoughts or for somewhat related posts see Starcraft 2 Skills.

Selected Labels can be found in the Label Cloud at left side of blog, and every blog post has Labels at bottom left of post, so you can easily cross reference topics.