Surveillance and how we can troll back.

Let me start with a quote from Benjamin Franklin:

Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.

Edward Snowden

Last weekend, 29-year-old Edward Snowden, a former Booz Allen Hamilton employee who did contract work for the NSA, leaked details about an NSA program called PRISM.

This post isn’t so much about PRISM; many people can write better about PRISM than I do. In addition to that, I feel like we are still speculating over how exactly PRISM is set up. I hope the Guardian will one day come forward with the technical details, as many are interested in how this works. Only a small number of slides got published from that much bigger PowerPoint set about PRISM. There are topics that need to be discussed as well and we need your help.


This blogpost is dedicated to the people who spend many hours at night programming open source software alternatives to commercial and terribly privacy-invasive platforms like Facebook, Skype and Google. (The irony, I’m writing this on Tumblr.)

Those computer programmers are dedicating countless hours to writing free and open source alternatives. Thanks to them you can use Diaspora instead of Facebook, Jitsi instead of Skype and Pidgin instead of proprietary software.

Some of these, like Jitsi and Pidgin-OTR, provide cryptographic capabilities to chat or do a video call with end-to-end encryption. This basically means that the server the data is passing through is going to have a bad time trying to decrypt the data.


Now the problem is: often these tools are not so easy to use, as was shown yet again in the PRISM case when Snowden tried to communicate securely with Glenn Greenwald. More on this can be read here.

We need to change this. We need to focus on the usability and user experience of the tools we recommend to the people out there.

We need excellent interface designers and better user experience designers to commit their time and effort to open source software, so that at least the content is encrypted between the various parties speaking. That will probably set off other alarms, but let’s fix one thing at a time.

One thing we can learn from crypto.cat: the software package needs to be cute and easy in order to encrypt the communication.

There’s a number of projects that could do with your help


I would like to advise you to download a piece of software from one of the links I listed and try it out with a friend. How easy was it to set up? Was there any documentation? Was the documentation sufficient to understand how the software works? What do you think of the user interface? How could it be improved? Make a sketch! Contribute!

Let’s prove Zooko wrong?

The tools listed above are no silver bullet for fighting state surveillance.

email: drwhax (@) 2600nl (dot) net



I will move my blog to somewhere else, possibly at the cryptohub.nl domain. Or I’ll just stop blogging.


HITR2nDB agenda published!

As some of you might know, the WTF crew of HITR2nDB puts on a small conference each year. This is the second year we’re doing it, and we’re pretty excited! It’s more or less a month away from happening!

Today we published the agenda and speakers; you can take a look at them here.

To view the videos from last year click here; to get an impression of what happened and view pictures from last year, click here!

See you next month!


Some nice VIM plugins



Technologia Incognita

Hackerspaces, oh how I wanted one close to me, and apparently multiple people thought the same. So we founded the Amsterdam hackspace, “Technologia Incognita”.

It took us quite a while to settle in a location, which was quite hard considering that it’s, A: Amsterdam and thus expensive, B: A large space with our own door would be nice and C: 24/7 access.

We sort of found a location where we are settled in for at least the next few months. We called it /tmp/inc/, since it’s a temporary space before we move to the ACTA building (yes! It’s really called ACTA!)

There are some nice events in the pipeline next to our social gatherings every Wednesday starting around 19:00.

If you are in the neighborhood, passing through Amsterdam, and working on a kickass project you would like to present, then please email me!

And everyone is invited to come on over and have a chat, snack and hack!

I hope to see you soon!


Month of Government Bugs, a little tale.

As some of you might know, I did some research into the security of Dutch government websites, as a test to see how secure they were. I was shocked to see how many sites were vulnerable to simple bugs or mistakes such as XSS, SQL injection, leakage of privacy-sensitive data from ministers, open admin panels on critical government websites, and a Kaminsky DNS attack against a bind9 server which hadn’t been updated since 2008!

This is just a small selection of bugs from a few sites. You could argue that these are small bugs and that you could just email the admin hosting or maintaining the site, but because “hackers” are only in the spotlight negatively, it becomes hard to submit a bug report without getting prosecuted or having the bug left unfixed (low priority). Which is absolutely ridiculous! You are offering free help which could fix serious bugs like the ones mentioned above, yet most reports are ignored or the responsible person is hard to reach. Would that be the infamous Dutch bureaucracy?

I have to make one thing clear, I never was going to publish bugs before they were patched by the admins or programmers. This would be counterproductive and maybe would leak personal information, after all, I wanted them to fix their bugs not to make it worse.

But to get back on topic: I started this research before Eth-0 summercamp and I talked about it during a lecture I gave about government and security. People thought along with me about what would be the best thing to do and how to release this information. One particular hack got me interested in looking at government sites and checking their security. At the same time that is illegal, but in my opinion it is the same as warning the owner of a car that he left his car unlocked in a parking lot; it’s ideology which drives us to make a secure government. (I am almost sounding patriotic o_O)

A month after Eth-0 summercamp, an acquaintance invited me to talk with Govcert, which handles Dutch IT incidents like hacked sites or breached systems. This sounded like a good idea. We talked for a while about how they work and what could be improved from their side and from the side of the government, which was more arguing than talking. Enfin, they concluded I had to send the bugs and they would fix them, but I didn’t get a good feeling from that afternoon. Nothing would change in a constructive way, so I didn’t hand them over at that time but sort of abandoned the project until December.

December 2010 broke. Exciting times: a lot was happening, especially on the WikiLeaks front, since Cablegate had just been released, but they were getting censored by the American government and companies like Visa, Mastercard and Amazon. Anonymous struck with DDoS attacks at those companies, including several Dutch teenagers, one of whom came once or twice to revspace, the hackerspace of The Hague. Revspace decided they should organize a day with lots of interesting talks about the positive sides of hackers and to discuss what happened. I was invited to speak about government and IT security. The talk was also livestreamed over the internet, which got attention from another Govcert member who thought it was important to talk again with Govcert to change things and fix those bugs.

Weeks went by, and we thought it would be nice if I spoke at a Govcert meeting. This happens every few months, with members such as municipalities, the department of defense, public railroad companies and so on. I was really happy to speak at this venue, because it’s important to hear what the members had to say about security. Some just hire a company to build a site and never let it get pentested, and if it gets pentested it’s only for a few hours for a complex site. I explained that this is not the way to go: one needs to invest in security or your image is gone. I also explained about security/privacy by design, letting the site get audited every few months, and asking for secure programming certifications, and asked if they were aware of the OWASP community. Most were not, unfortunately, but they were shocked to see what a young adult can do to sites. The members were interested in having Govcert set up a site so security researchers could report a bug without getting prosecuted even if it’s illegal under Dutch law. After all, you are HELPING them for FREE and are not abusing the data or making the bug public; inherently you are a whistleblower.

This was discussed in March, but until now I haven’t seen such a thing yet, unfortunately. The government will stay at risk and innocent people will keep getting prosecuted, while the programmers of that site should be punished.

But the IT security community is sick of seeing all the IT fails like the OV-chipkaart, EPD, voting machines and DigiNotar. It’s time to let the government step up and stop failing with these projects: let students and independent security researchers test the security and give advice. The hacker community has the knowledge and experience to test this. This has been done numerous times, but did the government listen? In most cases they did not :(

Let’s hope this will change before hell breaks loose.

Thanks for listening.

Further reading material: http://wordpress.metro.cx/2011/05/03/privacy-itsec-overheid-hackers-en-koffie/


Lawful interception

The military and the CIA approve... lawful in their own subconscious. So far only Thomas Drake has come forward with a similar story, and he is now facing espionage charges. [1]

Barrett Brown went through most of the emails from the HBGary leak with help from various anonymous people and uncovered a secret surveillance program. More can be found here: http://www.crikey.com.au/2011/06/23/revealed-us-program-to-spy-on-arab-social-media-and-mobile-users/

[1] http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer
[2] https://twitter.com/#!/BarrettBrownLOL
http://projects.washingtonpost.com/top-secret-america/