Quebec’s organized-crime crackdown hinges on BlackBerry intercepts:
Code-named Operation Clemenza, the operation by a joint anti-mob squad of Mounties and Montreal police targeted two organized crime cells
Over 1 million PIN to PIN messages intercepted. Hopefully consumers will begin to realize that Blackberry has largely been blowing smoke about the security of their consumer-grade backend infrastructure.
One (user-friendly) way of considering a gradient of ‘privacy levels’ for the Internet. Certainly a reasonable way of thinking about things generally.
Online security is a horrifying nightmare. Heartbleed. Target. Apple. Linux. Microsoft. Yahoo. eBay. X.509. Whatever security cataclysm erupts next, probably..
One of the better, more cogent, recent articles on the hell that is contemporary Internet security.
Four weeks on, huge swaths of the Internet remain vulnerable to Heartbleed:
Some 300,000 systems remain susceptible to catastrophic exploits, one scan shows.
With the media off (most) companies’ backs there’s just no way/reason that these remaining companies are going to patch the heartbleed vulnerability. One can only hope that civil suits are launched against these remaining companies to show via the market that patching is a requirement for contemporary digitally-enabled businesses.
Ethical hackers say government regulations put information at risk:
Why “white hat” hackers – who cyber security experts argue are vital to security research – are sometimes leery of reporting vulnerabilities.
…according to Parsons, reporting those findings to vendors risks bringing on defamation or SLAPP (Strategic Litigation Against Public Participation) suits – a long and costly legal endeavour.
“Let’s say you discovered that there was vulnerability in something the CRA was running separate to Heartbleed – the CRA purchased that from a vendor, so the vendor would have an interest in that not becoming public because it could damage them,” he said.
“They will say if you disclose this we will sue you – and it might be a SLAPP case, but unless you are well-off financially the cost of defending yourself against a SLAPP suit could cost hundreds of thousands of dollars.”
Global News contacted Shared Services Canada, the agency responsible for IT infrastructures for all government departments, for comment regarding whether outside researchers would be allowed to report vulnerabilities found within government websites without risking legal action.
Shared Services Canada did not immediately respond to a request for comment.
The chilling effect of vulnerability disclosure stems from potential legal liability for reporting vulnerabilities to software vendors. While it’s often (though not always) the case that technical staff understand the problems and may work to mitigate them, things can go to hell pretty quickly once non-technical staff such as legal or public relations get involved.
In effect, the incentive model for White Hats to come forward to help the commons of software users breaks down incredibly quickly in the face of harsh penalties for individuals ‘breaking digital locks’ or found to violate terms of service, penalties that corporate vendors can (and do) leverage in order to maintain their public reputations.
Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL:
OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code. Chief among them is probably the Linux operating system kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies. Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.
That’s never been the case with OpenSSL, but the Linux Foundation wants to change that. The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects—with OpenSSL coming first. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “Core Infrastructure Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.
To be clear, the money will go to multiple open source projects—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million. The initiative will identify important open source projects that need help in addition to OpenSSL.
This is really excellent news: the large companies and organizations that rely on open-source critical infrastructure projects need to (ideally) contribute back through either code contributions of financial support. Hopefully we’ll not just see money but efforts to improve and develop the code of these projects, projects which often are the hidden veins that enable contemporary Internet experiences.
If you’re interested in why it’s so hard to patch a huge portion of the Internet in secret, and what forced the (relatively) early public disclosure of Heartbleed, then this is a good article to read.
The internet is currently atwitter with talk about Heartbleed bug, an encryption fault which caused a horrific ripple effect in the OpenSSL system that put your passwords on sites like RedTube, & Yahoo.
Chris Parsons nearly predicted the CRA’s vulnerability just before they decided to shut down their tax websites, while some of his colleagues and followers criticized the Canadian Cyber Incident Response Centre (CCIRC) for not alerting the public sooner, when it was already obvious the CRA was using a vulnerable version of SSL. Chris discussed the potential ramifications of the CRA’s Heartbleed vulnerability with me:
“A significant amount of highly sensitive tax-related personal information is passed through CRA’s online service gateways. A third-party could have, potentially, accessed logins and passwords of Canadians or the private keys of CRA’s services. The former set of information would let that party log into CRA and impersonate the person in question. The latter set of data could let the third-party decrypt previously captured client-server information and, as a result, decode not just passwords and logins but also the tax data that individuals provided to CRA.”
First time that I’ve been quoted (extensively) in Vice!
Source: Heartbleed Ripped a Hole in the Internet | VICE Canada
A really good example of how services can, and should, warn users about how to respond to the Heartbleed OpenSSL vulnerability.
Researchers have discovered a serious security flaw known as the “Heartbleed” bug in the software commonly used by thousands of Websites to encrypt and secure sensitive data being transmitted across the Internet
This was an absolute gift to intelligence agencies all over the world. And one that was – and is – being widely exploited in the wild by criminals and other unauthorized third-parties.
Source: Heartbleed bug found in key encryption technology risks exposing private data
Excited Pixels