News Bits
Items from security-related news (E117.Nov-2013)



C.I.A. Is Said to Pay AT&T for Call Data
By Charlie Savage
New York Times
November 7, 2013

The CIA, which has no authority to spy on US citizens, purchases data about their international calls from AT&T. The company has declined to comment on the program.

 


Yahoo to encrypt internal data
Ars Technica
by Sean Gallagher
Nov 18, 2013

"Yahoo will encrypt between data centers, use SSL for all sites. CEO Marissa Mayer promises Yahoo will be locked down by March 2014." This claim follows on the heels of revelations by Edward Snowden that Yahoo is a large information source for the NSA.

 


Microsoft late to the data center encryption party
Ars Technica
by Chris Baraniuk
wired.co.uk
Nov 14, 2013

'We still don't encrypt server-to-server data,' admits Microsoft. "This is why we are currently reviewing our security system." These remarks came in testimony to a European parliamentary committee. In the same meeting, a Google representative noted that Google has not completed encrypting all of its communication lines.

 


UK diverts Internet traffic to government servers
Ars Technica
by Cyrus Farivar
Nov 10, 2013

The German newspaper Der Spiegel reports "UK spies continue 'quantum insert' attack via LinkedIn and Slashdot pages. Targets included engineers at Global Roaming Exchange providers and OPEC." The attack relies on having government-controlled servers that can respond more quickly than the real servers. The attack seems to depend on known vulnerabilities in name lookups (DNS) [Ed. "Secure" DNS, which took nearly 20 years to get traction, was meant to prevent these attacks].

 


Op-ed: Lavabit's founder responds to cryptographer's criticism
Ars Technica
by Ladar Levison
Nov 7, 2013

"Ladar Levison, who shut down his secure email service under US government pressure, has learned a lot." His vision was protection for email "at rest" in a way that would make government search warrants useless. Instead, he got hit with a demand for the system's "data in transit" keys, implying a network surveillance capability that caught him unawares.

 


Computer Scientists Not Totally Clueless About Passwords
Ars Technica
by Dan Goodin
Nov 8, 2013

"It's official: Computer scientists pick stronger passwords. Landmark study says people in business school choose weakest passwords." While it seems unsurprising that computer scientists, on the average, choose slightly better passwords than their peers in the arts, it is surprising that those in the arts surpass those in business school. Apparently the profit motive is insufficient.

 


Latest Release of Documents on N.S.A. Includes 2004 Ruling on Email Surveillance
NYTimes.com
By Charlie Savage and James Risen
November 18, 2013

A response to a Freedom of Information Act lawsuit, filed by the ACLU and the EFF, reveals that the secret Foreign Intelligence Surveillance Court approved the massive collection of Americans' email contents during the Bush administration. The Obama administration has declassified nearly 2000 pages of information about surveillance operations.

 


Supreme Court allows NSA to continue looking at telephone records for now
CNN.Com
By Bill Mears, CNN Supreme Court Producer
November 18, 2013

A move by the Electronic Privacy Information Center (EPIC) to have the US Supreme Court intervene to stop surveillance of US phone communications records was denied on Monday. The petition claimed that the surveillance was illegal. The case may still be heard, but the program will not stop while awaiting that hearing.