Geeks are the New Guardians of Our Civil Liberties - #Anonymous #Hackers #Hacking #FTW

<3 <3 By @BiellaColeman <3 <3

A decade-plus of anthropological fieldwork among hackers and like-minded geeks has led me to the firm conviction that these people are building one of the most vibrant civil liberties movements we’ve ever seen. It is a culture committed to freeing information, insisting on privacy, and fighting censorship, which in turn propels wide-ranging political activity. In the last year alone, hackers have been behind some of the most powerful political currents out there. Before I elaborate, a brief word on the term “hacker” is probably in order. Even among hackers, it provokes debate. For instance, on the technical front, a hacker might program, administer a network, or tinker with hardware. Ethically and politically, the variability is just as prominent. Some hackers are part of a transgressive, law-breaking tradition, their activities opaque and below the radar. Other hackers write open-source software and pride themselves on access and transparency. While many steer clear of political activity, an increasingly important subset rise up to defend their productive autonomy, or engage in broader social justice and human rights campaigns. Despite their differences, there are certain websites and conferences that bring the various hacker clans together. Like any political movement, it is internally diverse but, under the right conditions, individuals with distinct abilities will work in unison toward a cause. Take, for instance, the reaction to the Stop Online Piracy Act (SOPA), a far-reaching copyright bill meant to curtail piracy online. SOPA was unraveled before being codified into law due to a massive and elaborate outpouring of dissent driven by the hacker movement. The linchpin was a “Blackout Day”—a Web-based protest of unprecedented scale. To voice their opposition to the bill, on January 17, 2012, nonprofits, some big Web companies, public interest groups, and thousands of individuals momentarily removed their websites from the Internet and thousands of other citizens called or e-mailed their representatives. Journalists eventually wrote a torrent of articles. Less than a week later, in response to these stunning events, SOPA and PIPA, its counterpart in the Senate, were tabled (see “SOPA Battle Won, but War Continues”). The victory hinged on its broad base of support cultivated by hackers and geeks. The participation of corporate giants like Google, respected Internet personalities like Jimmy Wales, and the civil liberties organization EFF was crucial to its success. But the geek and hacker contingent was palpably present, and included, of course, Anonymous. Since 2008, activists have rallied under this banner to initiate targeted demonstrations, publicize various wrongdoings, leak sensitive data, engage in digital direct action, and provide technology assistance for revolutionary movements. As part of the SOPA protests, Anonymous churned out videos and propaganda posters and provided constant updates on several prominent Twitter accounts, such as Your Anonymous News, which are brimming with followers. When the blackout ended, corporate players naturally receded from the limelight and went back to work. Anonymous and others, however, continue to fight for Internet freedoms. In fact, just the next day, on January 18, 2012, federal authorities orchestrated the takedown of the popular file-sharing site MegaUpload. The company’s gregarious and controversial founder Kim Dotcom was also arrested in a dramatic early morning raid in New Zealand. The removal of this popular website was received ominously by Anonymous activists: it seemed to confirm that if bills like SOPA become law, censorship would become a far more common fixture on the Internet. Even though no court had yet found Kim Dotcom guilty of piracy, his property was still confiscated and his website knocked off the Internet. As soon as the news broke, Anonymous coordinated its largest distributed denial of service campaign to date. It took down a slew of websites, including the homepage of Universal Music, the FBI, the U.S. Copyright Office, the Recording Industry Association of America, and the Motion Picture Association of America. Just a few weeks later, in Europe, as massive online and offline demonstrations, notably in Denmark and Poland, were unfolding to protest ACTA, another international copyright agreement, Anonymous again appeared (see “Europeans Protest Anti-Piracy Treaty”). After the Polish government agreed to ratify ACTA, Anonymous took down a slew of government websites and publicized street protests sweeping Krakow. Soon after, the left-leaning Polish Party, Palikot’s Movement Party, adopted the signature Anonymous symbol, the Guy Fawkes masks, wearing them during a parliamentary session to protest ACTA. Amidst this and many other outcries, the European Union scrapped this proposed law in July 2012. So powerful was Anonymous in these events that a few weeks after they passed, I received a call from a venture capitalist involved with organizing the SOPA protests. He wanted to learn more about how Anonymous operated and whether its participants could be harnessed a little more directly. The beauty and frustration of Anonymous lies in an unruly and unpredictable spontaneity—as they like to boast, “We are not your personal army.” But his intuition—that they were an important part of the mix—was correct. One key ingredient to the success of Anonymous lies in its participatory nature, especially when compared to spheres of hacker action where technical skill is a prerequisite for participation (and often respect). Skilled hackers are indeed vital to Anonymous’s networks—they set up communication infrastructure and grab most of the headlines—for instance, when they hack into servers to search for information on government or corporate corruption. Hacking, however, still remains one tool of many (and some Anonymous subgroups oppose hacking and defacing). There is other work to be done: stirring press releases to write, propaganda posters to design, and videos to edit. Geeks and hackers may have different skills sets, but they are often traveling companions online, ingesting similar news, following similar geeky cultural currents, and defending Internet freedom, although using distinct methods and styles of organizing. The depth, extent, and especially diversity of this geek political movement was made evident to me just recently, not at an official political event but at a memorial service that doubled as an informal political rally. Over a thousand people gathered in New York City’s regal Cooper Union Hall to honor Aaron Swartz, a hacker and self-proclaimed activist who had recently taken his own life, some say due to government overreach in his federal case concerning the legality of downloading millions of academic articles from MIT’s library website (see “Why Aaron Swartz’s Ideas Matter”). They spoke about Aaron’s life, quirky personality, and especially his political accomplishments and aspirations. Like his peers, he abhorred censorship, and thus naturally joined the fight against SOPA; the service featured snippets of his famous keynote address at the Freedom to Connect conference from May 2012, when Swartz said, “It was really stopped by the people themselves.” He had been instrumental in fundamental ways, for he had founded an organization, Demand Progress, a nonprofit that had effectively harnessed this citizen discontent over SOPA through petitions and other campaigns. Unlike Anonymous, which has no single mission, physical address, or official spokesperson, Demand Progress is an institution with a board and executive director located in the heart of political power, Washington, D.C. Although it channels, quite effectively, grassroots activities in the service of protecting civil liberties, a contained group can coördinate action with deliberation and precision. Clearly geeks and hackers are behind distinct modalities of political organizing, willing to deploy a diverse array of tactics. Demand Progress, along with the prominence of the Pirate Party in Western Europe, demonstrates the willingness of geeks and hackers to work within existing institutional channels. And all signs point to this type of traditional political activity becoming more common. But it will likely exist alongside the loosely organized acts of disobedience, defiance, and protests that have also become more frequent and visible in the last few years, in large part thanks to Anonymous. But on that Saturday afternoon, any differences were largely cast aside in favor of standing united in grief, in commemoration, especially in the conviction that the battle to preserve civil liberties has really only just begun.

#RED! « Independent Cinema Center - #RedHack #Anonymous #Documentary #FULL

Categories: Documentary Date: 16 March, 2013

The movie RED! produced by BSM – Independent Cinema Center, focuses on two subjects that gain globally more and more attraction every year: cyber activism and hacktivism. In the movie, these subjects are principally treated through Anonymous and RedHack. At the same time, the movie examines the relations between hacktivism and politics, ethic and law.

Watch RED! Movie Now for FREE and Support Us!

CLICK HERE TO WATCH!


The movie RED! produced by BSM – Independent Cinema Center, focuses on two subjects that gain globally more and more attraction every year: cyber activism and hacktivism. In the movie, these subjects are principally treated through Anonymous and RedHack. At the same time, the movie examines the relations between hacktivism and politics, ethic and law.
This documentary does not conceal being biased. It approachs cyber activism and hacktivism from a class struggle perspective. Considering the cyber world as a new battlefield, the movie examines how the cyber struggle can be linked to the class struggle.

Researcher: #Hackers can cause traffic jams by manipulating real-time traffic #datalove

Hackers can influence real-time traffic-flow-analysis systems to make people drive into traffic jams or to keep roads clear in areas where a lot of people use Google or Waze navigation systems, a German researcher demonstrated at BlackHat Europe.

Google and Waze both offer turn-by-turn navigation in smartphone apps and use information derived from those phones for real-time traffic analysis. However, because of the tradeoff between user privacy and data gathering, hackers can anonymously influence navigation software to trick the real-time traffic system into registering something that isn’t there, said Tobias Jeske, a doctoral student at the Institute for Security in Distributed Applications of the Hamburg University of Technology, during the security conference in Amsterdam.

“You don’t need special equipment for this and you can manipulate traffic data worldwide,” Jeske said.

Both Google and Waze use GPS as well as Wi-Fi in phones to track locations. If Wi-Fi alone is enabled, only information about wireless access points and radio cells in the surrounding area will be transferred, which lets the navigation systems approximate the location of the user, Jeske said.

Example of a simulated traffic jam in Hamburg, Germany

Google navigation uses real-time traffic information in Google Maps for mobile. The protocol used to send location information is protected by a TLS (Transport Layer Security) tunnel that ensures the data integrity so that it is impossible for an attacker to monitor a foreign phone or modify information without being detected by Google, said Jeske. However, TLS is useless if the attacker controls the beginning of the TLS tunnel, he added.

To be able to control the beginning of the tunnel, Jeske performed a man-in-the-middle attack on an Android 4.0.4 phone to insert himself into the communication between the smartphone and Google. When the attacker controls the beginning of the tunnel, false information can be sent without being detected and in this way attackers are able to influence the traffic-flow analysis, according to Jeske.

If, for example, an attacker drives a route and collects the data packets sent to Google, the hacker can replay them later with a modified cookie, platform key and time stamps, Jeske explained in his research paper. The attack can be intensified by sending several delayed transmissions with different cookies and platform keys, simulating multiple cars, Jeske added.

An attacker does not have to drive a route to manipulate data, because Google also accepts data from phones without information from surrounding access points, thus enabling an attacker to influence traffic data worldwide, he added.

A similar attack scenario can be applied to Waze, but it is more difficult to affect the navigation of other drivers, Jeske said. Waze associates position data with user accounts, so an attacker who wants to simulate more vehicles needs different accounts with different email addresses, he added.

Jeske also found a way to transfer position data to Waze without user authentication, rendering the attacker anonymous, he said, without elaborating on that method.

For an attacker to actual influence traffic, a substantial number of Waze or Google navigation users have to be in the same area. When it comes to Waze, that is probably not going to happen, for instance, around Hamburg, he said. Waze, however, had 20 million users worldwide in July last year, so there should be areas where it is possible, he said.

Although Jeske hasn’t tested the vulnerability of other services offering real-time traffic data, they work more or less the same way as Google and Waze, so he expects that similar attacks on those systems are possible, he said.

Companies that offer navigation apps can avoid this sort of attack by linking location information to one-time authentication that is time stamped and limited to a fixed amount of time, Jeske said. That would restrict the maximum number of valid data packets per time and device, helping to secure the system, he added.

#MSM -> #FED | Federal Reserve Confirms Security Breach, Calls #Anonymous Hack Claim 'Overstated' - #OpLastResort

A Federal Reserve spokesperson confirmed a temporary security breach of its computers to The Huffington Post on Tuesday morning.

“Information was obtained by exploiting a temporary vulnerability in a website vendor product,” the spokesperson told HuffPost in a phone interview, adding that the problem was “fixed after discovery and is no longer an issue.”

According to the spokesperson, who asked not to be identified by name, the breach “did not affect critical operations.”

The confirmation comes in the wake of a claim by hacker group Anonymous on Sunday that it had stolen sensitive information on 4,000 American bank executives from Federal Reserve computers.

Although the security breach has now been confirmed, the spokesperson called Anonymous’ claim “overstated,” and would not comment on the nature of the data obtained other than to confirm that contact information was taken.

Earlier this week, ZDNet reported that “login information … credentials, IP addresses, and contact information of American bank executives” were listed in a spreadsheet posted to a government site that Anonymous had hacked.

Even if the breach might not have been as serious as publicized by Anonymous, it is the first actual leak of information achieved by the group’s Operation Last Resort. Launched in January, OpLastResort is the Anonymous response to the suicide of Internet activist Aaron Swartz. The group demands “reform of computer crime laws” and investigation of “overzealous prosecutors.”

Federal Reserve computers have been hacked before. In 2010, a Malaysian man was arrested in a credit card scheme after managing to hack into and damage 10 computers associated with a Federal Reserve training system, Bloomberg News reported at the time. However, no data or information was accessed or compromised in that attack, a spokeswoman told Bloomberg.

In 2011, Federal Reserve developers discovered a cross-scripting bug in Adobe ColdFusion software, which is used by some Federal Reserve Bank websites. Such cross-site scripting allows an attacker to gain high-level access privileges to sensitive information by way of injecting malicious client-side scripts.

“Web developers working for the Federal Reserve Bank of Atlanta discovered the cross-site scripting vulnerability as part of an internal development project,” ThreatPost, an Internet security blog, reported at the time.

In December 2011, Adobe released a patch for ColdFusion that fixed weaknesses it said could be exploited in “a cross-site scripting attack.”

In an e-mail to HuffPost, Adobe senior communications manager Wiebke Lips wrote that the company could not comment on the specific breach confirmed Tuesday by the Federal Reserve. According to Lips, a patch released Jan. 15 by Adobe “addressed four vulnerabilities” that had been observed in active attacks against ColdFusion customers.

“These types of attacks are often referred to as ‘zero-days’ because a fix is not available at the time of the attack,” Lips wrote. “As soon as these vulnerabilities were reported to Adobe, we immediately addressed them in the software and provided the fix.”

According to an Adobe security bulletin, the recent patch for ColdFusion fixed loopholes that could have enabled a hacker to “circumvent authentication controls, potentially allowing the attacker to take control of the affected server … could result in information disclosure from a compromised server.”

Although it is unclear whether hackers used the recently patched vulnerabilities as a vector for attack, if a third party gained access to sensitive information through ColdFusion, it would follow that computers belonging to the Federal Reserve may have been compromised because their software was not up-to-date.

The Federal Reserve spokesperson would not elaborate on its security systems other than to say that measures against attacks were “absolutely” in place.

More

HERE (“Fed Confirms It Was Hacked By Anonymous”)

var HackingPolitics = function() {alert(“How Geeks, Progressives, the Tea Party, Gamers, Anarchists and Suits Teamed Up to Defeat SOPA and Save the Internet”);}

Dear Hacker Community - We Need To Talk. : by @AsherWolf <3

Foreword: I Know Your Feel!

~

LogoRoughIdea-1

Some parts of this article deal with misogyny, sexism, and harassment, while other aspects of it respond to experiences of down-right douche-baggery.

It doesn’t apply to all of you, but a number of you engage in it and many of you are bystanders.

I know a lot the community doesn’t want to talk about this stuff. I know I didn’t personally try to build a bridge between wannabe-crypto-users and hackers so I could deal with shitful sexism, misogyny and down-right crappy behavior.

I know most people would rather just delete a sexist webpage or image, apologize for the offensive comment, or shitty behavior and move on. Again.

But things aren’t changing for the better. And pasting anti-harassment rules on conference wikis doesn’t seem to be making a dent in obviously unacceptable behavior of some arseholes.

Yes, of course, there are arseholes in all communities. But some communities make sexists, misogynists, harassers and general arseholes truly unwelcome.

Unfortunately, the hacker community seems to flounder at making progress in the area of human relations.

“We’re trying!”

Yeah, I hear you, but it’s not good enough. Not good enough by far. 

Inequality doesn’t just spring up without a context. And women don’t just opt out of hacking and hacker communities because of the tired rhetoric “maths and hacking is boys’ business.”

No, women stay the hell away from hacker-spaces, conferences and tech initiatives because of on-going experiences of misogyny, abuse, threats, put downs, belittlement, harassment, rape.

Last infosec conference I went to – there was six females and over 1000 males in attendance. My female friend roped me into pretending I was her lesbian lover, simply to get a guy to let-the-fuck-go of her hand.

“Oh, I’ve never experienced misogyny at a hacker conference”, says someone.

Well great for you. Many of us have. Including myself.

So much, that last night, I quit as an organizer of Cryptoparty.

It was an initiative I cared about and was deeply involved with setting up.

And yes, after I quit I said “fuck” a whole lot, and cried an ocean, then packed my son the toddler off to my mother’s house for the night and got profoundly drunk.

And now I’m ready to talk about the arse-hattery that basically broke me over the last few months.

I’m not some wall-flower or “pearl-clutching” provoker of needless moral outrage.

As a teenager I lived in youth refuges and on the streets. I’m unwilling to put up with bullshit

I have no problem fighting back. I’m not scared of speaking up either.

So what went wrong?

Cryptoparty was created one very boring evening, in a very open and inclusive conversation on Twitter, a little over four months ago.

I thought if the gap between cryptographers, hackers and users could be bridged, perhaps some activists would have a chance at scaling back aspects of surveillance. If we could teach people how to use crypto – we could maybe begin to organize without surveillance.

I paid a friend to set up a wiki and Cryptoparty was born. Decentralised, DIY, psuedo-leadership. All the catchy keywords. It felt exciting. It took off. People were drawn to the concept. Beer, chips, party.

And it seemed so easy to set up a Cryptoparty. The only requirement was a venue, and people willing to learn.

My rule was “counter negative criticism with unbearably nice optimism.” Anyone who whinged about something was asked to fix it themselves. A “do-ocracy” supposedly.

As soon as the Cryptoparty wiki went online I asked that an anti-harassment statement be included, much to the expressed chagrin of some men. They said it wasn’t necessary. They said they’d help deal with harassment personally, if it happened (by the way – they didn’t.)

Later on, it was one of those same men who’d been so resistant to the idea of an anti-harassment declaration on the wiki – who participated in bullying and talking down to me.

Meanwhile, Cryptoparties were springing up around the world faster than I could keep track.

Anyway, at some point I broke – something in me broke or something broke me.

There were lots of little things, piling on me day by day. But let me try to explain the events of the last four months a little for the readers at home.

Here goes…

A number of Cyptoparty organizers regularly talked down to me when I questioned their choices, suggested I wasn’t qualified to comment on their actions.

And then they left me to face public scrutiny when the shit hit the fan over their stupid decisions:

Some examples:

“We’re writing a Cryptoparty manual, it’ll be crowd-sourced by a limited group over four days…” (What? When were they planning to run the peer review before publication? Never?)

“Ohai, I’m running a Cryptoparty at Google and Mozilla.” (Cryptoparty is supposedly commercially non-affiliated and non-profit. Allowing it to be hosted at Google and Mozilla raised a number of issues that were never addressed.)

“Our Cryptoparty has a “no-laptop” rule, to keep users safe.” (Great, fabulous, and how were you planning to help new-comers learn to install crypto-tools?)

“We ran a Cryptoparty with @OpenISP in Tunisia with a real-name policy, funded by USAID.” (What the holy fuck!? @*#*@$&*!!!!!!!!)

You get the picture…

When I communicated about concerns and issues – as well as complaints from Cryptoparty participants peeved with out-of-touch crypto-lecturers who wanted to teach command lines to crypto-newcomers – I got put downs, got brushed off, ignored, told “oh don’t worry, we’ll look after it, it won’t be a problem”, “don’t worry your head about it”, or aggravatingly – told that I wasn’t qualified to judge their choices as I wasn’t a crypto-expert or a hacker.

And I got told to quit. Quite a bit, actually.

And then I got emails telling me to stick to motherhood and tweeting.

When I criticised @RT_Com for airing a segment on Cryptoparty that promoted CryptoCat (an insecure host-based security tool, not a core tool taught at Cryptoparties) – Cryptocat’s founder, Nadim Kobeissi responded:

Screen Shot 2012-12-29 at 9.18.40 AM

I think I may have told him to go bite me.

Eventually we both apologized for niceties sake, but damage done.

I also copped flack for the technically inaccurate aspects of the Cryptoparty manual, despite not having worked on the technical aspects of the book and having suggested to the book’s organizers that the project’s time-frame was too short.

When the issue of technical flaws in the Cryptoparty Manual took off on the LiberationTech email-list I responded: “I didn’t work on the technical aspects of the book. I can’t. I don’t have the right skill set.”

Jacob Appelbaum responded:

“I believe that you are totally able to learn and I think that it is very demoralizing when people say they are *unable* or *unwilling* to learn.”

Jacob continued: “That isn’t to say that you will become a developer of cryptographic protocols.”

Appelbaum’s charming treatise finished with a flourish: “It is to say that many people will need to make choices about security and trusting a vanguard is dangerous. We’re always trusting someone and I realize that reality. I didn’t write my own compiler to compile my email client before sending this email with hand crafted electrons… However the high level view of most of this stuff is well within the grasp of each person – it just requires an interest and *educational resources* that empowers *all people* to learn.”

My response:

“Wait, I’m just trying to remember when I last slept more than 4 hours in a night while trying to educate myself.

I’ve gone from being a Facebook user to running OTR, PGP and Tor all in under a month. Note: I’m a sole parent, without access to child support, no childcare and trying to support myself, my son, put myself through postgraduate studies and contribute to social movements.”

I should point out, Jacob was invited to speak at the first Cryptoparty. He asked me to use PrivateGSM, which I found impossible to install on my phone. 48 hours without sleep, and finally I managed to get it working on a friend’s phone. Hours before the Cryptoparty, Jacob let me know he had yet to install it himself. And then a couple hours later, he messaged to pullout entirely.

Yes, I’m sure he was very busy.

The idea behind Cryptoparty had always been about building a bridge between the crypto-community and new-comers, but increasingly I felt locked-out.

Multiple Cryptoparty IRC channels were created and the people creating them didn’t inform the general public about them, and didn’t add them to the wiki. Some of the servers they placed the IRC channels for Cryptoparties on were almost impossible to access.

One day I made it into one of the Cryptoparty IRC rooms – under a different handle than usual – and watched.

I watched a bunch of male Cryptoparty organisers talking about me – about how I knew nothing about crypto (well, that much was true, but the point had always been to build an educational bridge) and that “real hackers” should be the face of Cryptoparty, not a “mommy-type.”

Mommy-type. As if having a uterus made me ineligible. But I said nothing. I let it slide, for the sake of keeping the peace. I was trying to be “nice.” But I should have said something at the time.

Instead, I decided to drop back a bit from organising Cryptoparties, focus on getting a personal website set up instead.

@SamTheTechie, an organizer from a Cryptoparty in London offered to make me a website, said it’d cost $700. Said it’d only take weeks. I was foolish, I handed the money over, emailed him the links I wanted uploaded and waited. And waited…

When my “web-developer” got in contact next it was to tell me he’d gone on holidays and had presented Cryptoparty at the European Commission’s “No Disconnect” meeting. He hadn’t discussed it with me before-hand. I still have no idea what representations he made to the E.C. about Cryptoparty. He never reported his talk with the E.C. to the Cryptoparty wiki.

When I tried to discuss the issue, he /rage-quit the conversation.

Oh, and he *still* hadn’t done any work on the website either…

(Thanks to @selfagency for creating this website voluntarily and free of charge – it’s appreciated.)

Eventually, a number of friends encouraged me to apply to speak at 29c3 about Cryptoparty. My family offered childcare, on the sole condition I gained a speaker spot at 29c3.

At AUS$3k for a return flight to Europe, affording an airfare would have required me to do some serious crowd-funding – an idea I hated – but was willing to do for the sake of the chance to visit 29c3. It would have been my first holiday since 2008.

In the background of my application to speak at 29c3 was the fact a Sydney-based male Cryptoparty organiser had already posted in an application to speak at 29c3…

In an attempt to bridge the issue, I invited the 29c3 application to be crowd-sourced and agreed to make the talk into a panel – including the individual who had originally put in an application. He sat in on the crowd-sourced process of writing of the application, contributing nothing except criticism to anything I wrote for hours.

He didn’t actually contribute any text himself.

Later, he texted to say he thought he may have a “bit of an ego issue.”

29c3 got in contact, asked if I was willing to take some people off the application for the panel. I felt unable to, under pressure to yield to everyone. The application for a Cryptoparty panel at 29c3 was rejected.

Rejection always sucks, but what really rubbed my nose in it was knowing a group of guys who had treated me like crap, who put me down, talked down to me, criticized and belittled me for months… were heading off to 29c3 and running a Cryptoparty workshop – as opposed to the panel I’d applied for – without me.

And so finally, the last few days…

Watching Jacob Appelbaum on stage talking about the fight against the surveillance state via a glitchy live-stream.

Watching the guy who spent hours criticizing a compromised, crowd-sourced application to 29c3 tweet about how he was on his way to the conference – oh boy!

And watching the person I paid $700 to create a website *months* ago tweet he’d be at 29c3… and how he was looking forward to hanging out with the guy who criticised the Cryptoparty 29c3 application non-stop too (wheeee!)

And no, the “web-developer” still hasn’t built me a website or paid me back.

So by the time 29c3 properly got underway, my nose was more than a little out of joint.

And I stopped sleeping properly.

I reached peak rage as the ‘Creeper Card’ issue unfolded at 29c3. You might have read about the cards, if you were watching the 29c3 twitter stream.

The ‘Creeper Cards’ originated at DefCon in 2011.

Red cards supposedly represented unacceptable behavior.

At 29C3, someone took a bunch of the ‘Creeper Cards’ and made them into a statement all of their own. An image of a headless female body.

Screen Shot 2012-12-29 at 7.47.44 AM

The ‘Creeper Cards’ were ripe for send-up. Let’s face it: the hacker community has begun to rely upon ouiji board-style methods often utilized by individuals with profound communication impairment.

The headless ‘Creeper Card’ female body image is one hell of a statement. It’s implied message: creeps will exist, where-ever and when-ever and despite the initiatives you take, your efforts will be subverted, and all your efforts will be subjugated to place the focus back on your body, your gender…

And I’m sure, if it wasn’t for the fact I was incredibly pissed off about how I’ve been treated by some elements of the hacker community, then maybe I would have found some aspect of the ‘Creeper Card’ image funny. Maybe.

I didn’t.

Instead, when I saw the Headless Female ‘Creeper Card’ image I blacked out with pure rage for more than a few seconds.

And then I publicly railed, in unholy unrestrained outrage for all the ways I had lost my faith in members of the hacker community over the last few months.

I quit Cryptoparty publicly, live on twitter, raging against the slimedom I’d encountered over the last four months.

And then I watched as twitter-users pounded me for the “drama” I’d “caused”, for being a potential “lolcow” for having an emotion, rather than just sweetly tweeting the news like a respectable automation.

Journalist Quinn Norton, responding to my decision to quit Cryptoparty wrote: “You know who is worse than hacker culture and really really doesn’t give a shit? The people we need to use crypto against.”

If the hacker community truly has no respect for the values flushed away by regimes who seek to crack crypto – and no will to fight harassment, discrimination and douchebaggery – then frankly we might as well give up and join the storm-troopers.

I didn’t create Cryptoparty just so a bunch of privileged white boys could exclusively hang out together, slurping down ClubMate while trying to figure out how to anonymously use BitCoin to buy Aderall off SilkRoad.

You shouldn’t need a red card wagged in your face to let you know your behavior is shitful.

Yes, it’s all so very well-meaning, but ultimately “Creeper Cards” are like all other responses so far in most parts of geek community – bullshit tokenism.

For the most part, the study of human relations within hacker culture is marginalised (except of course, the realm of social engineering and scholarly endeavours.)

Human relations issues such as discrimination and harassment are relegated to informal talks, given no space on the main stage – and anti-harassment statements are tacked-on, ignored on most conference websites.

After I quit Cryptoparty people responded I had to stay, had to take responsibility for changing the culture of the community.

I was beyond tact. I howled “fuck you” back at them repeatedly. I was sick to death of being constantly requested to fix other people’s shitty behavior.

I tried to build bridges and at the end of the day was left with the mockery of an option to flap little pieces of red fucking card in the air – and my public howl in despair at the absolute wankery I’d experienced over the last few months.

So you still want a solution to the issue of douchebaggery in hacker-spaces? Really?

Ok. Start by talking about it physically, formally in public spaces. Not just online, on wikis and in small working-groups or in informal talks run by feminists.

In workplaces around the world, human relations departments trot their workforces off to anti-discrimination workshops on a regular basis.

Human Relations departments do it because they know the cost of not formally addressing harassment and discrimination impacts upon the workplace, both in terms of productivity and culture.

I’m not suggesting we send the global hacker community off to a H.R. anti-discrimination/anti-harassment training session (though it probably wouldn’t hurt.)

But if you’re serious about dealing with discrimination and harassment – put it as a topic on the main-stage. I really mean it.

Put the anti-harassment policy as an opening statement at your hacker or infosec conference. Chose a “thought leader” to open the conference each year who will be willing to engage the topic of community standards, even for a few minutes.

Would 10 minutes at the start of a conference explaining anti-discrimination policy and acceptable conduct really infringe on anyone’s “fun”?

It won’t change the culture of asshattery over-night, but it will begin a conversation that’s needed – far more necessary than another article or blog post like this, or more red-card waving in the wind.

Is it selfish for me to quit Cryptoparty? Probably. But I believe Cryptoparty will survive without me.

Unfortunately I couldn’t find another way to get my message across that the culture has to change without walking away, at least for now.

And it is also self-preservation. I couldn’t stand another second of the crap I went through over the last 4 months.

So many of you are fucking bystanders, and my respect for you has gone down the toilet over the last few months. You knew what I went through. And you said nothing. Go to hell.

You’ll drink Club-Mate in your hackerspaces and tinker with stuff.

I’ll go back to child-rearing and tweeting in the lull while the toddler is occupied and amused…for now.

We’ll see what the future brings.

#MSM - New Accounting System Hack Could Cause 'Mayhem' >:P

Attacks against massive and proprietary enterprise accounting systems, in particular financial software such as SAP and Oracle, have been few and far between. That changed at this week’s Black Hat Abu Dhabi conference where a pair of researchers presented proof-of-concept code that could change the dynamic of the financially motivated attack landscape.

The attack, dubbed Project Mayhem, could enable an attacker to divert funds from a company’s accounting and financial systems without immediate detection. In addition to code, the attacker would be relying on the fact that midsized companies in particular, do not have complete control or visibility into financial processes or individual transactions, and are likely to miss fraud at first glance.

“Getting caught depends on the skills and resources available and whether an audit is performed or not,” wrote Tom Eston and Brett Kimmel of SecureState in a white paper explaining Project Mayhem in detail.

Eston and Kimmel’s presentation at Black Hat focused on Microsoft Dynamics Great Plains software, in particular targeting Dynamics’ SQL database, SQL server, or hijacking an account via a process injection attack. Microsoft Dynamics is used primarily in midsized companies. The duo said their motivation in developing this attack was to help penetration testers efforts in examining the defenses of these systems. SecureState is a consultancy provide security services such as pen-testing.

“If an attacker can control and manipulate the accounting system of the company to commit mass systems fraud, changing or manipulating financial data is just the beginning. As professional penetration testers, we must demonstrate more advanced attacks to show real impact to the business,” said Eston.

The key to the attack is to stealthily modify entries in the accounting system to commit fraud, i.e., transfer funds to an outside account. They began by doing some reconnaissance online to learn the names and structures of the Dynamics GP software’s database tables, as well as other pertinent identifiers in the tables. Knowing this helps an attacker target a particular segment of the database, the paper said.

An attacker could also hijack accounts by targeting GP users, again by doing reconnaissance online in social networks or searches in LinkedIn profiles, and then crafting a spear phishing attack that would convince the target to either visit a site hosting the Project Mayhem malware, or open an attachment infected with the code. The malware is then used to pivot internally to target GP processes.

The proof-of-concept code, developed by SecureState researcher Spencer McIntyre, uses function hooking and library injection to exploit the application’s front end.

“The goal is for the malware to open a channel back to a malicious attacker and allow them to issue commands specific to GP through the Dynamics GUI front end,” the white paper said. “The proof of concept code needs to be injected at run time but well known patching techniques could be employed to have the necessary components loaded automatically at run time.”

The malware hooks in to key locations, the paper said, and intercepts function calls, in particular those to the ODBC32 library; the malware creates function calls that interact with the database, a valid copy of legitimate handles that can inject malicious SQL commands as a legitimate user. Using a backdoor to the attacker’s server, SQL commands can be issued without detection and without the need for a password.

Once inside and manipulating the system, an attacker could manipulate existing vendor records forcing the system to remit payments to the attacker or a mule, rather than a vendor, or create new vendor entries, new manual check entries, increase customer credit limits, modify accounting records, create negative customer balances that force automated refunds, or simply steal credit card data, customer data or private financial records.

Such an attack against a financial system puts money and customer records at risk, but implicates compliance requirements, company reputation and harms customer relationships.

“Even with proper bank reconciliation, funds can be diverted without immediate detection. Fraud attacks like the ones described in our talk and whitepaper could last for months or years. Uncovering a fraud depends on the skills and resources available and whether an audit is performed or not,” said Kimmell.

Parastoo Hackers breached the International Atomic Energy Agency (IAEA) server

IAEA hacked

The International Atomic Energy Agency (IAEA) acknowledged Tuesday that one of its servers had been breached by a group of hackers and leaked contact details for more than 100 nuclear experts on the group’s website.

A hacker group called “Parastoo,” one of the most common Iranian female names, has claimed responsibility for the security breach.

“Israel owns a practical nuclear arsenal, tied to a growing military body and is not a member of internationally respected nuclear biochemical and chemical agreements” Parastoo said in the statement.

“We ask these individuals to sign a petition demanding to open IAEA investigation into activities at (Israel’s Negev Nuclear Research Center located near the southern city of) Dimona,” the group wrote.

IAEA spokeswoman Gill Tudor said the agency “deeply regrets this publication of information stolen from an old server”. She said the server had been shut down “some time ago” and experts had been trying to eliminate any “possible vulnerability” in it even before it was hacked.

She added that the IAEA was doing “everything possible to help ensure that no further information is vulnerable”

#Anonymous declares #Cyberwar on #Syria government sites - Syrian Embassy in #China under attack #OpSyria

anonymous hackers

The hacktivist group Anonymous has announced a cyber war against Syrian Government websites hosted outside the country.

“Today, at precisely 10:30 AM ET all Internet traffic into and out of Syria ceased. Within a half hour of this sudden shut down, the PBX land-lines were degraded by 90% and Mobile connectivity was degraded by 75%. The nation of Syria has gone dark. And Anonymous knows all to well what happens in the dark places.” Hacker said in the press release.

“When your government shuts down the Internet, shut down your government.” ~ Anonymous Egypt.

” Beginning at 9:00 PM ET USA Anonymous will begin removing from the Internet all web assets belonging to the Assad regime that are NOT hosted in Syria. We will begin with the websites and servers belonging to ALL Syrian Embassies abroad” Hacker said.

The hacker collective has launched distributed denial of service (DDOS) attack against the  website of the Syrian Embassy of in China(syria.org.cn).

They also hacked and defaced the Syrian Embassy website in Belgium (syrianembassy.be)

*Update* As part of the operation, Anonymous Australia has defaced the Industrial Bank of Syria (industrialbank.gov.sy) and left a message: “Sorry admin but your page was taked by us - Because from Latin America, we are sad seeing destroyed between brother countries. - Please governments.”

The press release can be found here:
http://www.anonpaste.me/anonpaste2/index.php?bb2a5f5ea4d78406#Kmh9zezlxKa3262RPC6TtgFwc5Vn2Ur+NEtOud0Q0bo=

New #SQLi prevention system left open a vulnerability, says #PKNIC

 Few days back, Pakistani Top Level domains including Google , Yahoo, Msn and more sites defaced by Turkish Hackers.  Following that incident , a Pakistani hacker contacted us with a report regarding the vulnerability resides in the website.  We have immediately notified about the vulnerabilities to PKNIC.

Today, PKNIC released the official statement that confirms the security breach. In an email sent to us, PKNIC informed us that the vulnerability has been fixed over the weekend. 

“PKNIC became aware of a vulnerability in one of its systems which caused a total of four user accounts to be breached on Friday evening 23rd November, impacting nine DNS records, out of a total of around fifty thousand. That led to several website addresses to be redirected to a blank message page for a few hours. Several of these websites were mirrors of global sites such as google.pk, ebay.pk, etc.” The official statement reads.

The changes caused by the incident were reverted within a few hours, by the PKNIC team, by late Friday night. The Team sent notification to affected accounts after the scope of the incident was identified.
The management said that website doesn’t store credit card or similar financial information in its database.

“PKNIC servers were not hacked and continued to operate normally. However, the vulnerability briefly exposed some information which could be used to modify the DNS for the four accounts.”

PKNIC’s executive chairman Ashar Nisar said that they ‘ve applied a new complex system to prevent from SQL injection attacks before the breach itself. However, the new system inadvertently left open a vulnerability, under certain obscure conditions and contexts, that was used in the recent security breach.

“As a result, in addition to a thorough investigation of our entire site and systems, we reverted to the simpler more robust model of filtering out everything unknown, instead of continuing to use the new system that had been tailored to the latest threats using more complicated algorithms.” He said.

The PKNIC team confirmed that there was no interruption to the root DNS or any other services provided by PKNIC. Additionally, other than the sites under the four accounts and seven DNS servers, all other .PK websites were unaffected and continued to operate normally.

 Invitation for Friendly Hackers:
To improve their web security, PKNIC plan to invite hackers to test their website security.  They’ve planned to announce the reward program for hackers who find vulnerability , as is done by leading global companies, like Google and others.

Top