GCHQ's Karma Police: Tracking And Profiling Every Web User, Every Website
This means that it is certain that many -- perhaps millions -- of UK citizens have been profiled by GCHQ using these newly-revealed programs, without any kind of warrant or authorization being given or even sought. The information stored in the Black Hole respository, and analyzed with tools like Samuel Pepys, provides unprecedented insights into the minutiae of their daily lives -- which websites they visit, which search terms they enter, who they contact by email or message on social networks. Within that material, there is likely to be a host of intimate facts that could prove highly damaging to the individual's career or relationships if revealed -- perfect blackmail material, in other words. Thanks to other Snowden documents, we know that the NSA had plans to use this kind of information in precisely this way. It would be naive to think it would never be used domestically, too.
You can find the report here.
Apple's App Store Got Infected With the Same Type of Malware the CIA Developed
Although XcodeGhost is the first malware to spread this way in the wild, the techniques it uses were previously developed and demonstrated by Central Intelligence Agency researchers at the CIA’s annual top-secret Jamboree conference in 2012. Using documents from NSA whistleblower Edward Snowden, The Intercept‘s Jeremy Scahill and Josh Begley described the CIA’s Xcode project in a story published in March.
The Intercept has the story.
published Tue, 22 Sep 2015 21:39:53 +0200 #cia #ios #malware #whistleblower #xcodeghost
Had a discussion about XcodeGhost: “Couldn't Apple detect that?”
No, they couldn't.
Actually detecting Malware or Backdoors in Object code is Halting problem equivalent. But couldn't Apple detect that it was their own code? Well, it was linked into binaries, which afterwards were signed by their developers.
But couldn't they detect a modified version of their own Object file? No, neither this. The LLVM linker does Atom based linking. So in the binaries there probably weren't such Object files left.
Detecting backdoors has to be done as Source Code review. This is why p≡p is based on that. And even then experts like SektionEins will not find everything with a hit rate of 100%.
But this is the best thing we have. So p≡p does it.
published Sun, 20 Sep 2015 20:44:34 +0200 #backdoor #codereview #linker #llvm #malware #p≡p #xcodeghost
Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users
The infected iOS apps include IMs, banking apps, mobile carrier’s app, maps, stock trading apps, SNS apps, and games. Among the more well-known apps are WeChat (developed by Tencent); Didi Chuxing (developed by Didi Kuaidi) the most popular Uber-like app in China; Railway 12306, the only official app used for purchasing train tickets in China; China Unicom Mobile Office, which is in use by the biggest mobile carrier in China; and Tonghuashun, one of most popular stock trading apps.
You can find the report here, and here you can find the analysis of the malware.
published Sun, 20 Sep 2015 14:11:19 +0200 #exploits #ios #malware #xcodeghost
Creepy Smartwatch Spies on What You Type on a Keyboard
Researchers have created an app that follows the micro-movements of your smartwatch and is able to detect what keys you're pressing with your left hand and thus guess what words you may be typing on a keyboard.
You can find the report here. That will be interesting malware!
published Mon, 14 Sep 2015 13:38:32 +0200 #hacks #sidechannel #smartwatch
Adrian Frutiger passed away
Adrian Frutiger was one of the greatest font designers ever. You can find an obituary here (in German language only).
published Sun, 13 Sep 2015 14:48:52 +0200 #fonts #typography
Collecting TrueCrypt forks and alternatives
The basic idea of pretty Easy privacy includes using a crypto container for your volume. This is not a big deal if you're using a BSD- or Linux-Desktop, MacOS X or one of the “professional” or “enterprise” versions of Windows. Because all of these operating systems bring a crypto container with them. You just need to enable it, and it's up and running. It's there with new Android and iOS versions as well.
On the other hand this can be still an issue if you're using Windows Home edition. Therefore p≡p decided to support TrueCrypt. Unfortunately this project faded away.
What is left is a small list of TrueCrypt forks. They're in detail:
https://veracrypt.codeplex.com/ Veracrypt offered a new version on Sun Aug 9, 2015. Looks like they're maintaining it actively.
https://ciphershed.org/ CipherShed looks good at first sight as well.
https://truecrypt.ch/ TCnext seems to deploy just the old TrueCrypt versions. I cannot see any development here.
Alternatives include:
published Sat, 12 Sep 2015 19:35:55 +0200 #cryptocontainer #p≡p #truecrypt
p≡p is hiring Objective C developers in Barcelona and Luxembourg
Are you an experienced iOS app expert? Or just an Objective C developer who likes creating userfriendly apps? p≡p is hiring now!
What we offer is a fair salary in a well financed company, nice working conditions on great locations, and work for a cypherpunk project this world is really needing – make people secure and help to protect everyone's privacy!
You also will be well-known to the community, because we publish all code. Here you can find what you should bring with you:
published Fri, 11 Sep 2015 19:21:16 +0200 #ios #jobs #objectivec #p≡p
p≡p is hiring C# developers in Barcelona and Luxembourg
Are you an experienced C# expert? Or just a C# developer who likes creating userfriendly apps? p≡p is hiring now!
What we offer is a fair salary in a well financed company, nice working conditions on great locations, and work for a cypherpunk project this world is really needing – make people secure and help to protect everyone's privacy!
You also will be well-known to the community, because we publish all code. Here you can find what you should bring with you:
p≡p is hiring Java developers in Barcelona and Luxembourg
Are you an experienced Android expert? Or just a Java developer who likes creating very userfriendly apps? p≡p is hiring now!
What we offer is a fair salary in a well financed company, nice working conditions on great locations, and work for a cypherpunk project this world is really needing – make people secure and help to protect everyone's privacy!
You also will be well-known to the community, because we publish all code. Here you can find what you should bring with you:
Hiring people with LinkedIn? Sorry, Dave, I'm afraid I can't do that!
We could offer jobs on LinkedIn, they said. That's a good option to find new members of staff, they said. I'm not so sure.
When I started to create an account, the first thing this webpage did was asking me to upload my full address book of contacts. All private data of all people I know I was asked to put into a central database on the Internet. Well, no ;-) And when I pressed “skip”, this thing even insisted. Sorry, that's totally impossible.
p≡p is a privacy project. It's about privacy of our users. How could I do such things ever?
So I will post the job offerings here in the blog now. Please spread them! And if you're interested to join in, just write to mailto:jobs-dev@pep-project.org! If you want to, you can optionally use this PGP key to encrypt (919A B074 4CC2 0F84 0E37 2D32 4B4A 2423 D041 C63D). We will take your inquiry serious and keep it confidential, so your privacy will be safe.
Sorry, LinkedIn, this isn't negotiable!
published Fri, 11 Sep 2015 15:28:17 +0200 #android #barcelona #ios #jobs #luxembourg #outlook #p≡p #zurich
There's some rumors in the Internet that we'll go public with our project results on October 1st
People are getting enthusiastic ;-)
No, really, please remember: there is no fixed date. We cannot forsee exactly when everything will be ready. Until end of August p≡p was a pure voluntarily driven project. Therefore, we had no real planning, because all was depending on what was possible and what not.
This acutally changed now. Since this September we have the possibility to hire people (which we do now). This will not help us with such narrow dates for obvious reasons, though, but with later releases.
I was asked to communicate more open. And, well: so I do ;-) What I can tell is, that we're very close with Outlook and Android now. With iOS it's looking very good as well. Let's see what's happening in October. Looks like we can manage to have the first release then.
Good News: Dietz and Edouard have p≡p for Android up and running for testing
Dietz is doing the K-9 fork. As p≡p engine is based on GnuPG, we're using GnuPG of the Guardian Project. Edouard has the JNI adapter becoming stable, and p≡p engine up and running.
This also is the first of the adapters, which is generated using YML toolchain. We're planning to generate all the adapters out of a Y language with the interface description, using YSLT.
Looks like this will work to present a very first Android version at beginning of October.
Had a phone call with Phil Zimmermann lately
Phil pointed out his great ZRTP protocol. For all what I can see this is really something we all should look at. It's implemented in Phil's Silent Phone implementation.
What I specially like is the idea of hash commitment as a derivate of Diffie-Hellman.
I went another path with Trustwords, because I have the problem not having a live connection all the time. Then I see no way to do it like this. But it's really something I'm thinking about using in p≡p now.
published Wed, 09 Sep 2015 11:06:03 +0200 #blackphone #crypto #pgp #p≡p #silentcircle #zrtp
Develop for p≡p!
p≡p is hiring now. There are open positions in Luxembourg, Barcelona (Spain) and Zurich (Switzerland).
Are you an iOS developer? An Android specialist? Do you like to build Windows solutions with C#? Or are you just amazed by developing Free Software on free platforms? Then send us your resume!
p≡p is based on an engine which is a small C library. Then there are adapters to different application development environments. And there is the work on the apps.
If you like being part of a Cypherpunk project, please don't hesitate to contact us here: mailto:jobs-dev@pep-project.org using this key (919A B074 4CC2 0F84 0E37 2D32 4B4A 2423 D041 C63D).
Enigmail and p≡p are partnering together for developing Enigmail/p≡p
Encryption add-on Enigmail and pretty Easy privacy (p≡p) are joining in development of a solution for the well-known mail client Thunderbird. The goal is to make encryption as easy as possible, said Enigmail's project lead Patrick Brunschwig and p≡p's head of development Volker Birk in a common press release. Enigmail and p≡p will offer p≡p technology for any Thunderbird user. Thunderbird is still most popular among free email programs on desktop PCs and Laptops.
“Enigmail offers the most-used solution for mail encryption as Free Software for many years now. But we don't want to rest on our laurels.”, Brunschwig explains. “Still way too few people are able to encrypt. But this is inevitable to protect privacy.” That is to be changed with the partnership. “p≡p is offering the possibility to encrypt fully automatically. This way our users are gaining the highest amount of security, while even not be touched by the process at all. At the same time p≡p is offering compatibility to OpenPGP and S/MIME, which is necessary to integrate into mail infrastructures.”
“Being the trailblazer, Enigmail managed to provide one of the greatest user interfaces for mail encryption.”, Birk says. “To date Enigmail is still the front-runner here. Together with Enigmail we're thinking beyond this: the default for email has to be encrypted and not unencrypted! For this purpose p≡p is offering the possibility to encrypt without any user interaction needed like managing keys. Thunderbird is for p≡p a strategic platform in Free Software: no other free mail program has reached this spread. Therefore, it was the logical choice to ask our colleagues at Enigmail for a cooperation. Who else could deliver more know-how of integrating encryption into Thunderbird?”
The development partnership is meant to lead into common project Enigmail/p≡p. As release date for a very first version Enigmail and p≡p are aiming for December 2015. See also our Twitter.
p≡p – state of affairs
At last things are getting close to milestones now ;-)
Android made us some extra troubles. Looks like NDK is not as well as we expected it to be. But we're coming to an end now. Same game for iOS: problems with NetPGP fixed (actually, Edouard nearly did a complete rewrite), but things are working now. Integration is being done into the App of our Inboxcube friends, which will be p≡p for iOS.
And for myself: p≡p for Outlook is still in beta testing. We changed some things, and I'm working on the Outlook 2010 version – just because this version of Outlook is still very common. Newer Outlooks already are supported well ;-) For all these stuff we set a milestone at October 1st 2015, when we'll publish all things mentioned.
There will be extra good news on the Free Software side as well; stay on hold.