Someone hacked the website of Linux Mint — which, according to Wikipedia’s traffic analysis report, is the 3rd most popular desktop Linux distribution after Ubuntu and Fedora — and replaced links to ISO downloads with a backdoored version of the operating system. This blog post explains the situation.
Last week, during USENIX’s first Enigma conference, EFF hosted a small Capture the Flag hacking competition. I designed one of the challenges myself, entitled Usable Crypto. It requires you to use PGP as an attacker rather than a defender. It’s on the easy side, as far as CTF challenges go, and I think many people who have absolutely no hacking skills but some fumbling-around-with-PGP skills could beat it without too much trouble. And it might even demonstrate why verifying fingerprints really is rather important.
If you’d like to give it a go, it’s live at https://usable-crypto.ctf.micahflee.com/. The plot for Enigma’s CTF was loosely based off of Cory Doctorow’s novel Little Brother. You’re an X-NET hacker fighting the surveillance state’s Department of National Security. You win when you capture the flag, which is a string of text that starts with “FLAG_” (but please don’t post it in the comments).
We desperately need to work towards deprecating HTTP and replacing it with HTTPS only. The web is a huge part of what billions of people use the Internet for, and still most of it is not encrypted. Since the Snowden leaks started getting published, we’ve learned that NSA and GCHQ spy on as close to the entire Internet as they can get.
It would also be naive to think that the US and UK are the only governments doing this. The network isn’t safe, and the only way to make it safe is to encrypt all the things. Websites that still use HTTP are putting users in danger. Here are a couple of examples.
Update: KTVU has taken down the story.
Recently I was interviewed about “doxing” by KTVU, a Bay Area news station based in Oakland. Doxing is when someone publishes documents (“dox”) about someone to the internet. It’s usually full of mundane info that can be found in a phone book and with a Google search, but sometimes it also contains more sensitive information like the contents of personal emails, lists of passwords, etc.
I found out that the segment aired on TV last night when someone tweeted me asking if I really thought that “swatting” was protected by free speech laws. Swatting, I learned for the first time last night, is when someone dials 911 and reports something like a hostage situation or a terrorist bomb plot at someone else’s address in order to get a SWAT team to bust down their door.