We cannot trust governments, and still less companies, to ensure our security and our privacy. We can, however, rely on civil society (such as the EFF (eff.org) or La Quadrature du Net), on whistleblowers (such as Chelsea Manning or Edward Snowden) and on tools that will not betray us, such as free software. Cryptography works! And that is one of the important pieces of news from these revelations. There are tutorials all over the net for getting started with encrypting your communications. I'll let you go and look at OTR for Jabber (instant messaging), SSL/TLS for just about everything (mail, chat, ...), GPG (which requires a somewhat higher technical level), Tor, and above all, above all, I invite you to come to cryptoparties / Café vie privée events to learn how to use them :)
Taking stock of a year of revelations that we owe to Snowden helps us understand how we have moved, perhaps for good, into the era of distrust. When the ubiquitous machine of mass surveillance treats all of us as potential suspects, we cannot do otherwise than suspect a priori even the most virtuous of telephone operators or internet service providers of being, willingly or not, an accomplice of the NSA and of handing it the keys to our private lives, our political commitments, etc., not to mention the spying on the world's great and powerful.
"According to Glenn Greenwald, reporting in The Guardian: 'A June 2010 report from the head of the NSA's Access and Target Development department is shockingly explicit. The NSA routinely receives – or intercepts – routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers. The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users. The document gleefully observes that some "SIGINT tradecraft is very hands-on (literally!)".'"
In his Q&A http://www.youtube.com/watch?v=UFFTYRWB0Tk to his keynote address at the World Hosting Days Global 2014 conference in April, the world’s largest hosting and cloud event, Julian Assange discussed encryption technology in the context of hosting systems. He discussed the cypherpunk credo of how encryption can level the playing field between powerful governments and people, and about 20 minutes into his address, he discussed how UNIX-like systems like Debian (which he mentioned by name) are engineered by nation-states with backdoors which are easily introduced as ‘bugs’, and how the Linux system depends on thousands of packages and libraries that may be compromised.
I recommend watching his 36 minute Q&A in its entirety, keeping in mind my recent warnings about how Linux is almost entirely engineered by the government/military-affiliated Red Hat corporation.
The Voice of Russia website has an article http://voiceofrussia.com/news/2014_04_07/US-annexed-the-whole-world-through-mass-surveillance-Assange-6580/ on Assange’s address with a few quotes:
“To a degree this is a matter of national sovereignty. The news is all flush with talk about how Russia has annexed the Crimea, but the reality is, the Five Eyes intelligence alliance, principally the United States, have annexed the whole world as a result of annexing the computer systems and communications technology that is used to run the modern world,” stated Julian Assange in his keynote address…
Don’t just read the short article, listen to the address yourself, because Assange goes into many areas, and the work being done in these fields.
Assange mentions how Debian famously botched the SSL random number generator for years (which was clearly sabotaged – a known fact). Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo, SuSE, and more, the nightmarish OpenSSL recently botched SSL again https://security-tracker.debian.org/tracker/CVE-2014-0160. It’s very hard to believe this wasn’t deliberate, as botching the memory space of private keys is about as completely incompetent as you can get, as this area is ultra-critical to the whole system. As a result, many private keys were potentially compromised. Be sure to update your systems as this bug is now public knowledge. (For more on how OpenSSL is a nightmare, and why this bug is one among many that will never be found, listen to FreeBSD developer Poul-Henning Kamp’s excellent talk at the FOSDEM BSD conference. http://mirrors.dotsrc.org/fosdem/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm)
From the start, my revelations on this blog about Red Hat’s deep control of Linux, along with their large corporate/government connections, haven’t been just about spying, but about losing the distributed engineering quality of Linux, with Red Hat centralizing control. Yet as an ex-cypherpunk and crypto software developer, as soon as I started using Linux years ago, I noted that all the major distributions used watered-down encryption (to use stronger encryption in many areas, such as AES-loop, you needed to compile your own kernel and go to great lengths to manually bypass barriers they put in place to the use of genuinely strong encryption). This told me then that those who controlled distributions were deeply in the pockets of intelligence networks. So it comes as no surprise to me that they jumped on board systemd when told to, despite the mock choice publicized to users – there was never any option.
A computer, and especially hosting services (which often run Linux), are powerful communication and broadcasting systems into today’s world. If you control and have unfettered access to such systems, you basically control the world. As Assange notes in the talk, encryption is only as strong as its endpoints, e.g. if you’re running a very secure protocol on a system with a compromised OS, you’re owned.
As Assange observed:
“The sharing of information, the communication of free peoples, across history and across geography, is something that creates, maintains, and disciplines laws [governments].”
Article by S. Bortzmeyer: http://www.bortzmeyer.org/security-day-nsa.html ; the slides: http://www.bortzmeyer.org/files/esgi-security-day-nsa-SHOW.pdf
GCHQ used publicly available analytics software called Piwik to extract information from its surveillance stream, not only monitoring visits to targeted websites like WikiLeaks, but tracking the country of origin of each visitor.
More than 5,000 websites decided to fly their flags at half-mast this Tuesday, 11 February 2014, to denounce the "mass surveillance" put in place by the NSA, the American "big ears" (& British, Canadian, Australian and New Zealand ones, associated with many other countries, France among them), and to call for the adoption of the 13 International Principles on the Application of Human Rights to Communications Surveillance, drafted by more than 360 NGOs and legal experts from around the world (you can click on the banner at the bottom of the browser to sign the petition).
Many people still do not understand why they can indeed be "spied on" (see also my Open letter to those who have nothing to hide). The ACLU (the main US human rights NGO) summed it up very well in this .gif: the NSA in fact monitors, or even spies on, all those who know people who know people who could be "terrorists", or diplomats, sales staff at a CAC40 company, a start-up, researchers, journalists, etc.
Sniffmap is a project to map the potential Internet mass interception performed by NSA and its allies (USA, UK, Canada, Australia, New Zealand). Since Edward Snowden's disclosure, the security space has changed: rumors have been confirmed, data points have been available and new knowledge about security exposure and attack vectors is now known. This project tries to put this in an easy-to-grasp visual representation, within the bigger context of TelcoMap.org. Actually, we get route data not only per country but also per ISP and operator, but for now we didn't find a way to visualize that neatly.
https://nsa-observer.laquadrature.net/
NSA-observer, hosted by La Quadrature du Net, is a project launched several months ago by two hacktivists, Skhaen and Alban_C, and developed within the digital-liberties advocacy association. It lists "a little over 100 'up-to-date' programs (71 programs, 35 attack vectors)", according to a message posted by Skhaen on LinuxFr. He adds that the site is in beta for now, and still looking for contributors.
The database has two sections: programs and attack vectors, themselves divided into subcategories. One quickly finds the NSA's collection, processing, storage, targeting and attack programs, and one can choose to sort the attack vectors according to whether they are hardware-based, software-based or delivered via the network.
For each one, a short description of the program or attack vector is given, along with its "category", its "family", and the main source that relayed the information when it was revealed by Edward Snowden. All that remains is to dig in, and yes, we had forgotten A LOT of these programs.
Jérémie Zimmermann: They are able to process this information because they are able to collect it. From the moment one is able to collect data on the slightest actions of individuals around the world, it is obviously because one has something to do with it.
Google, Facebook, Microsoft, and the other tech titans have had to fight for their lives against their own government. An exclusive look inside their year from hell—and why the Internet will never be the same.
In July 1789, when the Estates General convened by Louis XVI had proclaimed themselves the National Constituent Assembly, France was swept by a wave of violence and popular unrest, called "the Great Fear", whose causes remain obscure to historians.
Opinion - Surveillance
"It's what you'd expect from a totalitarian state." Internet rights activists outraged over France's plans to expand online surveillance of its citizens. Photos: NotFrancois/K'sPhotos/Flickr
'The world needs to know what France is up to'
Published: 10 Dec 2013 12:36 GMT+01:00
Updated: 10 Dec 2013 12:36 GMT+01:00
After blasting the US in the wake of the NSA spying revelations, the last thing you would expect France to do is rush through a reform that opens the way for widespread surveillance of its citizens. A French digital rights group tells The Local why we should all be alarmed.
After years of speculation that electronics can be accessed by intelligence agencies through a back door, an internal NSA catalog reveals that such methods already exist for numerous end-user devices.
When it comes to modern firewalls for corporate computer networks, the world’s second largest network equipment manufacturer doesn’t skimp on praising its own work. According to Juniper Networks’ online PR copy, the company’s products are “ideal” for protecting large companies and computing centers from unwanted access from outside. They claim the performance of the company’s special computers is “unmatched” and their firewalls are the “best-in-class.” Despite these assurances, though, there is one attacker none of these products can fend off — the United States’ National Security Agency.
Hi,
I wanted to write to highlight some important documents that have
recently been released by Der Spiegel about the NSA and GCHQ. We worked
very hard and for quite some time on these stories - I hope that you'll
enjoy them.
Inside TAO: Documents Reveal Top NSA Hacking Unit:
Part 1: Documents Reveal Top NSA Hacking Unit:
Part 2: Targeting Mexico:
Part 3: The NSA's Shadow Network:
NSA's Secret Toolbox: Unit Offers Spy Gadgets for Every Need:
Shopping for Spy Gear: Catalog Advertises NSA Toolbox:
Interactive Graphic: The NSA's Spy Catalog:
http://www.spiegel.de/international/world/a-941262.html
Neue Dokumente: Der geheime Werkzeugkasten der NSA:
NSA-Programm "Quantumtheory": Wie der US-Geheimdienst weltweit Rechner
knackt:
Der Spiegel 1 / 2014:
https://magazin.spiegel.de/digital/index_SP.html#SP/2014/1/124188114
http://www.spiegel.de/spiegel/index-7629.html
TAO slides:
NSA QUANTUM Tasking Techniques for the R&T Analyst:
Yahoo! user targeting and attack example with QUANTUM:
QUANTUMTHEORY and related QUANTUM programs:
If you'd like to detect the QUANTUM INSERT, I suggest reading about the
race condition details:
http://www.spiegel.de/fotostrecke/qfire-die-vorwaertsverteidigng-der-nsa-fotostrecke-105358-15.html
Details about the Man-On-The-Side with QUANTUM:
QFIRE (NSA-Geheimdokumente: "Vorwärtsverteidigung" mit QFIRE), TURMOIL,
TURBINE, TURBULENCE:
http://www.spiegel.de/fotostrecke/qfire-die-vorwaersverteidigng-der-nsa-fotostrecke-105358.html
MARINA:
More MARINA details:
Catalog of equipment covering around ~50 programs:
Other slides covering FOXACID and more:
NSA QUANTUMTHEORY capabilities list:
GCHQ QUANTUMTHEORY capabilities list:
OLYMPUSFIRE:
An overview of all of these articles is available in German:
Earlier this week, I also recently gave a talk titled "To Protect and
Infect: part two" at CCC's 30C3. In the talk I explain a number of these
topics - the video is a reasonable complement to the above stories:
https://www.youtube.com/watch?v=b0w36GAyZIA
There are quite a few news articles and most of them have focused on the
iPhone backdoor known as DROPOUTJEEP - they largely miss the big picture
asserting that the NSA needs physical access. This is a
misunderstanding. The way that the NSA and GCHQ compromise devices with
QUANTUMNATION does not require physical access - that is merely one way
to compromise an iPhone. Generally the NSA and GCHQ compromise the phone
through the network using QUANTUM/QUANTUMNATION/QUANTUMTHEORY related
attack capabilities.
An example of a vulnerable Apple user is shown:
"note: QUANTUMNATION and standard QUANTUM tasking results in the same
exploitation technique. The main difference is QUANTUNATION deploys a
state 0 implant and is able to be submitted by the TOPI. Any ios device
will always get VALIDATOR deployed."
They're not talking about Cisco in that slide, I assure you.
Details on VALIDATOR:
Welcome to 2014!
The truth is coming and it can't be stopped,
Jacob
The NSA's theft of the network map of the SEA-ME-WE4 submarine cable quickly turned, in the media, into a hack of the internal network of the consortium that manages it, accompanied by mass eavesdropping, including on Orange's network. An overly hasty conclusion, even if the cable's maps constitute an interesting working basis for a possible hack of communications.