Lies That WikiLeaks Tells You

Posted January 11, 2019 in drama wikileaks

Last weekend, WikiLeaks sent an email to journalists with a list of 140 things not to say about WikiLeaks and Julian Assange because they are "false and defamatory." Reuters first broke the story, and the next day Emma Best published the complete list. Many of the things on the list can't actually be "false" because they're subjective or nuanced ("It is false and defamatory to suggest that Julian Assange is a 'hacker'"), and many aren't defamatory, even if they are false ("It is false and defamatory to suggest that Julian Assange’s profession is 'computer programmer'.").

And many of the the things on the list are true, and WikiLeaks/Assange are being misleading. Some directly relate to me -- they came from Twitter fights I've with WikiLeaks and its minions. So I thought I'd fact check WikiLeaks' "false and defamatory" censorship list. This is by no means an exhaustive fact check -- for example, I'm not not covering the list items about the two Swedish women who accused Assange of rape, though I'm pretty confident a lot of that stuff is misleading as well. Before digging into the misinformation, I first want to take a moment to discuss how pathetic this is.

Continue reading →

Do you want to contribute to the next major version of OnionShare?

Posted December 22, 2018 in onionshare

OnionShare lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service.

Over the last 10 months volunteer developers, designers, translators, and I have been hard at work on OnionShare 2.0, and it’s nearly ready. If you’d like to chip in during the month or so before the final release, try out the latest development version and report any bugs. The best way to report bugs is by opening an issue on GitHub and describing the problem, or you can send me an email at micah@micahflee.com if you don’t have a GitHub account.

Continue reading →

OnionShare has some exciting new features

Posted February 26, 2018 in onionshare

It’s been some time since I’ve written about OnionShare, so I thought I’d write an update on all of the latest work. Today we released version 1.3 (and last month we released 1.2, so the releases are getting more frequent). You can get the latest version at onionshare.org.

But first, I owe a huge thanks to Miguel Jacq for churning out new features, taking over a lot of the GitHub issue triaging responsibilities, and becoming a core OnionShare developer.

If you haven’t tried it out in awhile, here are some things that are new:

Continue reading →

Breaking the Security Model of Subgraph OS

Posted April 11, 2017 in hackers linux qubes subgraph

I recently traveled to Amsterdam to attend a meeting with Tor Project staff, volunteers, and other members of the wider Tor community. Before trips like this, I prepare a separate travel computer, only bringing with me data and credentials that I might need during my trip. My primary laptop runs Qubes, but this time I decided to install Subgraph OS on my travel laptop. I had only briefly messed with it before, and there’s no better way to learn about a new operating system than by forcing yourself to actually use it for a few days.

Subgraph OS is an “adversary resistant computing platform.” It’s similar to Tails in that it’s based on Debian and all traffic is forced through Tor (that’s changing though: there’s now basic support for clearnet Chromium and OpenVPN). It uses a grsecurity Linux kernel, and many apps run in “oz sandboxes”, a homebrew sandbox solution that protects you even if an attacker manages to exploit a bug in one of these apps. Subgraph OS also includes the Subgraph Firewall, an application firewall similar to Little Snitch for macOS — something that’s pretty awesome, and hasn’t really existed in the Linux ecosystem before. Basically, it’s designed to be an easy-to-use Linux distro that’s extremely secure.

Continue reading →

Qubes Tip: Making Yubikey OpenPGP smart cards slightly more usable

Posted December 1, 2016 in qubes openpgp

Qubes 3.2 has support for USB passthrough. This one feature has made Qubes so much more useful for me. It means that a wide variety of devices — from my laptop’s internal webcam, to plugging in smartphones to transfer data or do Android development — are finally supported. I used to have to use a separate non-Qubes computer for several tasks that I can now more conveniently and securely do within Qubes.

Continue reading →

How Qubes makes handling PDFs way safer

Posted July 21, 2016 in qubes

Bart Gellman asked me on Twitter how to make PDFs safe to open. This is an excellent question, especially for a Pulitzer-winning surveillance/national security reporter who needs to open documents from random people on the internet, who may be trying to hack him or may be a valuable new source. PDFs, and all other document formats, can be terribly dangerous, and opening a malicious one can let an attacker take over your computer.

He was specifically asking if PDF Redact Tools, a tool that I developed to securely redact documents, could be used in Tails to safely sanitize potentially-malicious PDFs before opening them. Yes you can, but Qubes offers some built-in tools that do a better job of this, in a safer manner, with less hassle, and that’s quicker and easier.

Continue reading →

Qubes Tip: Opening links in your preferred AppVM

Posted June 22, 2016 in qubes

If you use Qubes like I do, you have many different AppVMs to compartmentalize different programs. You might have one VM for your email client, one for your jabber client, one for your password database. But if you click a link in any of these programs, it sure would be nice if that link opened in the browser VM of your choice. This isn’t all that hard to setup.

Continue reading →

Backdoored Linux Mint, and the Perils of Checksums

Posted February 20, 2016 in hackers linux openpgp security

Someone hacked the website of Linux Mint — which, according to Wikipedia’s traffic analysis report is the 3rd most popular desktop Linux distribution after Ubuntu and Fedora — and replaced links to ISO downloads with a backdoored version of the operating system. This blog post explains the situation.

Continue reading →

Usable Crypto Capture the Flag Challenge

Posted February 6, 2016 in hackers openpgp

Last week, during USENIX’s first Enigma conference, EFF hosted a small Capture the Flag hacking competition. I designed one of the challenges myself, entitled Usable Crypto. It requires you to use PGP as an attacker rather than a defender. It’s on the easy side, as far as CTF challenges go, and I think many people who have absolutely no hacking skills but some fumbling-around-with-PGP skills could beat it without too much trouble. And it might even demonstrate why verifying fingerprints really is rather important.

Continue reading →

Hardening Debian for the Desktop Using Grsecurity

Posted January 15, 2016 in sysadmin security linux

I recently built a desktop system that I think is reasonably secure. It’s running Debian sid, also known as “unstable” — though in the Debian desktop world that just means you get to use the newest software. It’s just about as stable as “stable”, and besides, #yolo. It’s also running a grsecurity-patched Linux kernel and PaX, technologies that make Linux way more secure. Grsecurity protects you against memory corruption attacks, such as buffer overflows.

Continue reading →