Someone hacked the website of Linux Mint — which, according to Wikipedia’s traffic analysis report is the 3rd most popular desktop Linux distribution after Ubuntu and Fedora — and replaced links to ISO downloads with a backdoored version of the operating system. This blog post explains the situation.
Last week, during USENIX’s first Enigma conference, EFF hosted a small Capture the Flag hacking competition. I designed one of the challenges myself, entitled Usable Crypto. It requires you to use PGP as an attacker rather than a defender. It’s on the easy side, as far as CTF challenges go, and I think many people who have absolutely no hacking skills but some fumbling-around-with-PGP skills could beat it without too much trouble. And it might even demonstrate why verifying fingerprints really is rather important.
If you’d like to give it a go, it’s live at https://usable-crypto.ctf.micahflee.com/. The plot for Enigma’s CTF was loosely based off of Cory Doctorow’s novel Little Brother. You’re an X-NET hacker fighting the surveillance state’s Department of National Security. You win when you capture the flag, which is a string of text that starts with “FLAG_” (but please don’t post it in the comments).
I recently built a desktop system that I think is reasonably secure. It’s running Debian sid, also known as “unstable” — though in the Debian desktop world that just means you get to use the newest software. It’s just about as stable as “stable”, and besides, #yolo. It’s also running a grsecurity-patched Linux kernel and PaX, technologies that make Linux way more secure. Grsecurity protects you against memory corruption attacks, such as buffer overflows.
Last October I traveled to Moscow and interviewed Edward Snowden. Here’s one of the things he told me:
“Something that we haven’t seen that we need to see is a greater hardening of the overall kernels of every operating system through things like grsecurity, but unfortunately there’s a big usability gap between the capabilities that are out there, that are possible, and what is attainable for the average user.”
Since I just set up Debian with a grsec kernel, I figured I’d write a tutorial for how to do it. It’s still a long way before the average user can take advantage of this stuff – it breaks everything, and the user needs to learn how to diagnose and fix it themselves – but I think that it’s well within the capabilities of Linux nerds who are comfortable using a terminal. You can probably also follow along no matter what Linux distribution you’re using. Also, I’m fairly new to grsecurity myself, so if you have tips or suggestions, or if I got something wrong, please post in the comments.
I recently took a trip to Moscow to interview National Security Agency whistblower Edward Snowden about operational security. In the article I published on The Intercept, I mentioned that I used a faraday bag.
Our first meeting would be in the hotel lobby, and I arrived with all my important electronic gear in tow. I had powered down my smartphone and placed it in a “faraday bag” designed to block all radio emissions.
Since I published my interview, many people have asked me for more information about this faraday bag — which product did I get, what does it protect against, how does it work? So here are some quick thoughts on the topic.
I’ve been writing a computer security column for the Intercept. In most of my columns I mention Linux. Even when it’s not directly relevant (though it often is), most of my columns are in the form of tutorials, and I’d like my tutorials to be equally useful for Linux users as they are for Windows and Mac users.
For one thing, I love free and open source software. These projects are critical for security, privacy, and for the ability to tinker with and learn about your own computer. As the number of people who run free (as in speech) operating systems rise, so will the development resources that get poured into those operating systems until they “just work” at least as well as Windows and OS X do, so I talk about them every chance I get. Many of my readers already run free operating systems, and I would hate to leave them out.
After writing a column about how to communicate in secret while we’re all being watched, I got an email from Richard Stallman saying when I say Linux I clearly mean the GNU system, and he asked that I start referring to Linux distributions as GNU/Linux “so as to give us equal mention when you talk about our work.” And after writing my most recent column about how VMs can be used for isolation security, Stallman wrote a comment again saying that I mean “GNU and Linux” and asking that I give GNU equal mention. This is a really common point of view (though not at all a consensus) in the free software community, and one that I shared for a long time. But I’ve come to change my mind.
I’m switching from my old key:
pub 4096R/EBA34B1C 2014-05-08 [expires: 2016-05-05] Key fingerprint = 0B14 9192 9806 5962 5470 0155 FD72 0AD9 EBA3 4B1C uid Micah Lee <email@example.com> uid Micah Lee <firstname.lastname@example.org> uid Micah Lee <email@example.com> uid Micah Lee <firstname.lastname@example.org> uid Micah Lee <email@example.com> uid Micah Lee <firstname.lastname@example.org> sub 4096R/64B1D8D1 2014-05-08 [expires: 2016-05-05]
to the following key:
pub 4096R/CD994F73 2015-08-14 [expires: 2016-08-13] Key fingerprint = 927F 419D 7EC8 2C2F 149C 1BD1 403C 2657 CD99 4F73 uid Micah Lee <email@example.com> uid Micah Lee <firstname.lastname@example.org> uid Micah Lee <email@example.com> uid Micah Lee <firstname.lastname@example.org> sub 4096R/5D5F1356 2015-08-14 [expires: 2016-08-13]
If you’ve been able to ignore Pando Daily’s 100% non-technical smear campaign against the Tor Project and its developers and supporters, you’re lucky, and you may wish to stop reading now. Otherwise, read on, and perhaps prepare to lose a few brain cells.
Yasha Levine’s “investigation” against Tor unveiled what’s already prominently displayed on Tor’s website: that it was designed by the Navy and that it receives a lot of federal funding, the bulk of which comes from the Department of Defense.
To be clear, talking about Tor’s government funding is a very important discussion to have. But Yasha didn’t discuss potential threats to Tor users’ anonymity that this funding might cause, nor what potential solutions would be. Instead, he implied that there’s some sort of conspiracy between Tor developers and the US government, and that the Tor network cannot be trusted, apparently oblivious that the decentralized and open nature of the Tor network and it’s codebase makes planting backdoors nearly impossible.
Our universe is built out of mathematics. Humans have been learning, discovering, and using mathematics for thousands of years because it’s the only thing that can accurately describe what happens around us. The laws of physics are written in mathematics, and they cannot be broken.
One year ago today the Snowden revelations began. Since then there has been a flood of calls for reform. A federal judge called the NSA “almost Orwellian”. Congress and President Obama have admitted that bulk surveillance of Americans is wrong and should end. But so far we haven’t seen real reform in the US, and we might never see it. Even if the US does pass meaningful surveillance reforms the problem won’t be solved. There are billions of people all over the world that rely on the Internet, and their privacy will continue to get violated by governments around the world.
I maintain a piece of software called Tor Browser Launcher. It takes care of downloading Tor Browser Bundle for you, verifying the gpg signature, making sure you’re always using the latest version of Tor Browser, and making it easier to launch.
I originally only made Tor Browser Launcher work in Debian-based distributions, but since the default templates in Qubes are based on Fedora, I recently ported it to RPM-based distributions as well. Here’s how to set it up.