US Judge confuses privacy and security, concludes that you should have neither

Senior U.S. District Judge Henry Coke Morgan Jr., a federal judge for the Eastern District of Virginia, has ruled that the user of any computer which connects to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers.
The ruling, made on June 23rd, was reached in one of the many cases resulting from the FBI’s infiltration of PlayPen, a hidden child exploitation site on the Tor network. After taking control of the site, the FBI kept it up and running, using it to plant malware on visitors’ computers and gathering identifying information that was used to enable prosecution.
Judge Coke Morgan (JCM) ruled that the FBI’s actions in hacking visitors’ computers did not violate Fourth Amendment protections and did not require a warrant, stating that the “Defendant here should have been aware that by going [on-line] to access Playpen, he diminished his expectation of privacy.”
JCM offered as an analogy a previous case (Minnesota v. Carter, 525 U.S. 83 (1998)), which ruled that a police officer looking through broken window blinds does not violate anyone’s Fourth Amendment rights, and reasoned that hacking a computer therefore does not either.

“Just as the area into which the officer in Carter peered - an apartment - usually is afforded Fourth Amendment protection, a computer afforded Fourth Amendment protection in other circumstances is not protected from Government actors who take advantage of an easily broken system to peer into a user's computer. People who traverse the Internet ordinarily understand the risk associated with doing so.”

JCM notes that in 2007 the Ninth Circuit found that connecting to a network did not eliminate the reasonable expectation of privacy in one’s computer, but takes the position that in the last nine years things have changed enough to render this position outdated.

“Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: in today's digital world, it appears to be a virtual certainty that computers accessing the Internet can - and eventually will - be hacked.”

As justification for this opinion, JCM cites the Ashley Madison hack and a Pew Research Center study on privacy and information sharing as evidence of the acceptance that hacking is inevitable. The Pew study looked at Americans’ attitudes to sharing personal information in return for receiving something of perceived value. Although the focus of the Pew report was on privacy and not security, it did report that focus group participants “worried about hackers”. However, these concerns were expressed exclusively in terms of a hacker’s ability to gain access to personal data from compromised business computer systems, not personal systems in the home.
Judge Coke Morgan’s level of technical understanding appears to be highly selective. The same judge who ruled on a patent case between Vir2us, INC. and INVINCEA, INC. over competing claims covering advanced anti-malware products fails to acknowledge that anti-malware products continue to advance. In offering that “Terrorists no longer can rely on Apple to protect their electronically stored private data, as it has been publicly reported that the Government can find alternative ways to unlock Apple users’ iPhones,” he ignores the level of expertise needed to identify the exploit that was used to access the phone used by one of the San Bernardino attackers, and the fact that the hack in question was only applicable to the now superseded iPhone 5C. While it may be possible to unlock older iPhones running back-level OS releases lacking the most up-to-date security features, Apple continues to develop new hardware-based security features and works to fix security vulnerabilities as it finds them. While it is reasonable to claim that many computers are vulnerable to attack, in suggesting that this means it is “a virtual certainty that [all] computers accessing the Internet can – and eventually will – be hacked” or that there is nothing that can be done to mitigate this risk, JCM is either being deliberately disingenuous or is failing in his analysis.
Describing the ruling as “dangerously flawed”, EFF Senior Staff Attorney Mark Rumold wrote: “The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all.” He nonetheless holds out that the ruling is “incorrect as a matter of law, and we expect there is little chance it would hold up on appeal.”

Drug-busting authorities “lied” about Tor weakness, devs claim

The November takedown of Silk Road 2.0 and other “dark markets” for drugs and weapons – originally touted as 410 hidden services by the authorities, then quietly revised down to 27 – was misrepresented as evidence of Tor’s vulnerability, developers of the anonymizing service have claimed.

Tor (The Onion Router) is a network of layers through which users can route their internet traffic, so as to obscure which sites and services they are visiting or using. Some so-called hidden services can only be accessed through Tor and, while many of these .onion addresses are legitimate attempts to evade censorship and surveillance, many are also gateways to illegal platforms for criminal activity.

“Psychological operation”

Speaking on Tuesday at the Chaos Communication Congress hacker conference in Hamburg, Germany, Tor project lead Roger Dingledine and developer Jacob Appelbaum accused Europol of a “psychological operation” that aimed to convince people that Tor was insecure. When it announced the success of Operation Onymous, Europol claimed that “criminals have considered themselves beyond reach” when on Tor, adding: “We can now show that they are neither invisible nor untouchable.”

“The Silk Road 2.0 guy wrote his name down somewhere so they brought him in and asked him questions,” Dingledine said, citing a chat he’d had with a contact in U.S. law enforcement, and presumably referring to Blake “Defcon” Benthall, who allegedly used his personal email address to set up the drugs marketplace. “He named 16 names, then they put out a press release saying they had an amazing Tor attack.”

Dingledine said the Tor team had taken away two lessons from the episode: this was another case where operational security had failed, as opposed to the underlying tech failing, and “these large law enforcement adversaries are happy to use press spin and lies and whatever else it takes to try and scare people away from having safety on the internet.”

“Europol’s people spoke about having some terrible attack,” Appelbaum added. “They really hyped it as much as they possibly could. It is a psychological operation against the civilian population.” Then again, he noted: “They could have some super-secret exploit, but as far as we can tell they don’t.”

Scare list

The developers also ran through various scares that have, through 2014, called Tor’s security into question. For example, the Russian government’s $110,000 “bounty” for cracking Tor was, according to Dingledine, a mistranslated misrepresentation of an unremarkable research call.

More serious, though, were several stories relating to the apparent ability of attackers to de-anonymize Tor users. The first involved the bogus Tor relays that aimed to de-anonymize users early in the year. The Tor crew seem convinced that this was the work of Carnegie Mellon researchers whose Black Hat talk about their Tor-attacking capabilities was cancelled at the behest of the university’s lawyers – Dingledine said Tor had subsequently built defences against such an attack, and Appelbaum said it was “disturbing that that talk was pulled… even if there’s egg on our face.”

Then, in November, reports of a research paper by Columbia professor Sambuddho Chakravarty said that more than 81 percent of Tor clients could be de-anonymized using a traffic correlation attack. This kind of attack involves being able to see both traffic going into Tor and traffic reaching certain services from Tor, and being able to correlate who’s visiting what as a result – it was also part of the apparent Carnegie Mellon attack.

As Dingledine noted, Chakravarty himself said journalists had misinterpreted his results — this was only an in-the-lab study, and the 81 percent figure referred to the proportion of his experiments that had resulted in successful de-anonymization within that environment. “Traffic correlation attacks are a big deal; they probably do work if you have enough resources,” the Tor lead said. “But that paper did not do the attack. The attack is real but the paper doesn’t tell us anything.”

A Der Spiegel report on Sunday – co-authored by Appelbaum with his “journalist hat” on – said the documents leaked by NSA contractor Edward Snowden had shown the agency has “major problems” in decrypting traffic flowing through Tor.

Sony PSN still struggling in wake of Christmas DDoS attacks

Frustrated users were still taking to Twitter to complain and Sony’s Playstation Network support page still showed intermittent connectivity Monday night in the wake of a serious wave of attacks that took both Sony’s gaming service and Microsoft’s Xbox services offline on Christmas Day.

The denial of service attacks hit the companies where it hurt, affecting millions of customers as they were unwrapping new consoles and games, some of which needed to be connected to their respective networks to work. Microsoft’s Xbox site reports that the Xbox service is running as of Monday night, though the IGN and Maxim apps are experiencing problems; the Sony network seems to have some deeper problems. A colleague of mine reports that he couldn’t connect his PS3.

We have reached out to Sony for comment, and will update the story if we hear back. The “Lizard Squad,” a group of hackers taking credit for the DDoS attacks, had said it was moving on to target Tor, the anonymous routing software, so it’s unclear if Sony is experiencing new attacks or continued trouble from the previous ones.

For those trying to get their Playstations back online, Sony is tweeting out a link so users can attempt to reconnect.

Hackers say Xbox/Playstation attacks are over, target Tor

Christmas Day gamers ran into problems connecting their Xbox or Playstation to the internet thanks to a denial of service attack, and the hackers that have claimed credit are now naming a new target: online anonymity software Tor.

A group operating under the name “Lizard Squad” posted a series of tweets today about a planned zero-day attack, a kind of attack that targets unnoticed weaknesses. In this case, that appears to be taking over the majority of Tor’s nodes: a series of points through which data sent over the Tor network travels. Tor protects users’ identities with these nodes, which obscure the origin of any data. Lizard Squad’s thought is that if it controls enough of the nodes, information will no longer be anonymized.

As of this afternoon, Lizard Squad had about 3,000 nodes — nearly half of the 8,000 in existence, according to Gizmodo. But Redditors are questioning if the 3,000 nodes have enough weight to have any effect, as new nodes are vetted before they receive encrypted data.

Why is a hacker group interested in taking down software that has benefited countless other hackers? Lizard Squad posted a tweet documenting a possible motive.

This story is still developing, as Lizard Squad is working to gain more nodes. What has ended is the attack on Xbox and Playstation consoles. Lizard Squad thanked Kim Dotcom, who gave the group vouchers for his secure file hosting service Mega in exchange for ceasing the attack.

International law enforcement effort takes out hundreds of “dark market” hidden sites

The U.S. and many European countries have cooperated to take down more than 410 hidden web services that were running “dark markets” for drugs and weapons. 17 people have been arrested, including the alleged proprietor of the Silk Road 2.0 site, Blake “Defcon” Benthall. In Benthall’s case, human intelligence (and human error) played a big part in the law enforcement success. Beyond that, the fact that so many hidden services running through Tor were targeted raises questions over the security of the anonymous browsing network. Europol is not sharing details of its techniques. Earlier this year, Tor — also used by many activists and journalists in oppressive regimes — detected attackers trying to de-cloak hidden services and their users.

Tor team suspects NSA and GCHQ leakers are tipping it off about vulnerabilities

The anonymity network Tor has always enjoyed a paradoxical relationship with the U.S. authorities – part-funded by the State Department and previously the military; targeted by the NSA – but this is something else. Tor operations chief Andrew Lewman said in a BBC interview published Friday that people in both the NSA and the U.K.’s GCHQ have tipped off the Tor team when those spy agencies found flaws in its software. That lets the team fix those vulnerabilities quickly, where they might otherwise have gone undiscovered. Lewman suggested this happened on a “probably monthly” basis, though this is all a “hunch” based on the expertise on display – Tor takes anonymous bug reports.

Aphex Twin promotes both new album and Tor through Deep Web publicity push

In what must surely be the best advert for Tor yet, the elusive electronic music maestro Aphex Twin has announced his new album Syro — his first in 13 years — through a webpage that can only be viewed through the anonymizing network. Those who haven’t downloaded the Tor Browser can still view a similar page in a boring old non-anonymizing browser, but all they’ll get is the information about their ISP and IP address, not the track-listing nor album title. The Tor-only .onion page is part of the “Deep Web”, a below-the-surface scene of hidden services that can’t be crawled by normal search engines.