In a blog post “Tweets still must flow” Twitter announced today that it will introduce the ability to censor tweets based on geo-location of users.

“… we will enter countries that have different ideas about the contours of freedom of expression. Some differ so much from our ideas that we will not be able to exist there.

 

Until now, the only way we could take account of those countries’ limits was to remove content globally.

 

Starting today, we give ourselves the ability to reactively withhold content from users in a specific country — while keeping it available in the rest of the world. We have also built in a way to communicate transparently to users when content is withheld, and why.”

The keyword in the above sentence is “reactively withhold content” -  gone a bit under noticed, it failed at “withholding” the inevitable rage in twitter land.

Megaupload, the popular file-sharing site, was just shut down by the Feds following an order issued by a U.S District Court.

As you can read in the image below, the federal grand Jury has indicted several individual and news sites report that the US Department of Justice arrested four people and executed more than 20 search warrants in the U.S. and eight foreign countries, seizing 18 domain names and servers run in Virginia and Washington, D.C.

A small search on the internet and I found the court document – It is a 72 pages – you can view on http://mireille.it/MegaIndictment.pdf ,

Here is a print screen of who the Indicted people are

What jumps out is that all the names look so “un-american-ish”  – so here is  a little info about each of them – taken from justice.gov article on the operation [source] ( this site is probably down now due to DDOS )

• Kim Schmitz – also known as Kim dotcom – Founder of  MegaUpload – German.
• Finn Batato, 38, a citizen and resident of Germany, who is the chief marketing officer;
• Julius Bencko, 35, a citizen and resident of Slovakia, who is the graphic designer;
• Sven Echternach, 39, a citizen and resident of Germany, who is the head of business development;
• Mathias Ortmann, 40, a citizen of Germany and resident of both Germany and Hong Kong, who is the chief technical officer, co-founder and director;
• Andrus Nomm, 32, a citizen of Estonia and resident of both Turkey and Estonia, who is a software programmer and head of the development software division;
• Bram van der Kolk, aka Bramos, 29, a Dutch citizen and resident of both the Netherlands and New Zealand, who oversees programming and the underlying network structure for the Mega conspiracy websites.

Dotcom, Batato, Ortmann and van der Kolk were arrested today in Auckland, New Zealand, by New Zealand authorities.

Reactions

As the news immediately spread on twitter, very few words can better describe the reactions then this priceless picture

Yes, as you can see 6 out of 10 worldwide trending topics were about the Megaupload case. It takes no genius to tell that a shitstorm of hacking was released and obviously people around the world were seeking their own justice.

#AnonymousFTW (for the win) was leading – people were cursing at the RIAA and Universal Music – Department of Justice – and Tango Down was trending! – “Tango Down” is the military hacking word when a “website” is down.

If Tango Down is trending – trust me, this is one hell of a hacking shitstorm. The Anon chat rooms were busy to the point you could not read words as they scrolled. Here is a print screen of an anon complaining on the IRC channel.

Damn, It’s impossible to read a fucking line here… slow down guys

Here are also some anon tweets that speak of the speed of response and number of people joining in operation Megaupload

FBI, Department of Justice, Universal Music Group, RIAA and Motion Picture Association of America sites were down within minutes – and as sarcastically anons pointed, they got their forced SOPA blackout !

Making sense of it all

No Trial: websites and domain names are a multi-gazillion dollar businesses with costs and all – regardless of opinion about megaupload or similar sites offering controversial services that can be turned by users for piracy – shutting down a site is like a death sentence – I find it mind boggling that it was done without trial and legit users worldwide ,not just US citizens, were affected- they had no previous warning their data is gonna be wiped out and

Besides, how on earth does the policy of one govt get to decide? Unsatisfied with being real life global police force, does the US wants to be Internet police force too?

Timing of the bust : It’s a pretty spectacular coincidence that the Dept of Justice was able to destroy a copyright villain without any help from SOPA or PIPA just one day after the internet’s giant SOPA protest.

Quoting gizmodo :

Do you hear that, lawmakers? The law, as it stands right now was able to kill Megaupload.com, no draconian censorship powers required. The power you have now—with due process—is achieving the things you say you want to do. Your IP is protected. Online piracy was stopped, except for the dozens of Megaupload rivals like HulkShare and MediaFire. And I wouldn’t be surprised if they’re next.

See – we don’t need NEW draconian censorship powers !

The villains of the town – a closer look

Here is a little graph about Megaupload

Yes, companies and humans need file sharing ! in fact, Megaupload owners during previous disputes argued that most of their traffic is legal and offered to co-ordinate on the illegal part.

So seriously, is there an effort to crack down on file sharing? IPv6 is gonna be out by end of next year and will render any crackdown impossible. Why are governments engaging in such efforts ?

Crime and punishment – quoting Justice.org

“Seven individuals and two corporations have been charged in the United States with running an international organized criminal enterprise allegedly responsible for massive worldwide online piracy of numerous types of copyrighted works, through Megaupload.com and other related sites, generating more than $175 million in criminal proceeds “

“This action is among the largest criminal copyright cases ever brought by the United States and directly targets the misuse of a public content” etc

Now, let’s hear out possible sentence

“charged with engaging in a racketeering conspiracy, conspiring to commit copyright infringement, conspiring to commit money laundering and two substantive counts of criminal copyright infringement. The individuals each face a maximum penalty of 20 years in prison on the charge of conspiracy to commit racketeering, five years in prison on the charge of conspiracy to commit copyright infringement, 20 years in prison on the charge of conspiracy to commit money laundering and five years in prison on each of the substantive charges of criminal copyright infringement.

Is it me or is that a bit too strong language and too much penalty ? no death sentence yet ? (sarcasm)

Could it be that after getting used to reading wikileaks and the kind of crimes that happen that my judgement is impaired? $175 million dollars compared to the thousands of crimes against humanity, kinda seem ridiculous.

In an effort to”get things right” – here are some of my findings

EMI Ex-President

“Going to sue customers for file sharing is like trying to sell soap by throwing dirt on your customers,” Merrill said. He then deadpanned, “That’s not theft, that’s try-before-you-buy marketing and we weren’t even paying for it… so it makes sense to sue them.” [source]

What do the starving artists think of this ?

I really don’t buy that all this crackdown is to protect the starving artists – but anyway – here is what some of the TOP artists say

“I like what’s going on because I feel closer to the fans and the people who appreciate the music. It’s the democratisation of music in a way, and music is a gift. That’s what it should be, a gift.” — Shakira

“If people hear it I’m happy. I’m not going to say go and steal my album, but you know I think its great that young people who don’t have a lot of money can listen to music and be exposed to new things.” — Norah Jones

“If you love music you’re going to make it anyway. You’ll find an audience, and you may not make like millions of dollars but you’ll make enough to have a house and a family and a car.” — Nelly Furtado

Another controversial point is that a Bunch Of RIAA Label Artists Endorse MegaUpload even tho RIAA Insists It’s A ‘Rogue’ Site.
Among the stars taking part: P Diddy, Will.i.am, Alicia Keys, Kanye West, Snoop Dogg, Chris Brown, The Game, Mary J Blige , Kim Kardashian, Floyd Mayweather and Jamie Foxx.

What do Americans think of this ?

According to a CBS News poll, in 2009 58%  of Americans who follow the file sharing issue, considered it acceptable in at least some circumstances; with 18 to 29 year olds this percentage reached as much as 70%.

It means that general tendency in the US, specially with the younger general – a 70% support of file sharing

The cute cat theory

a last thing you must read about is the cute cat theory - it explains it all – trust me. I’ll blog about it in details later

SOPA is a bill that was introduced in the United States House of Representatives on October 26, 2011.

If passed the bill would authorize the U.S. Department of Justice to seek court orders against websites outside U.S. jurisdiction accused of infringing on copyrights, or of enabling or facilitating copyright infringement. After delivering a court order, the U.S. Attorney General could require US-directed Internet service providers, ad networks, and payment processors to suspend doing business with sites found to infringe on federal criminal intellectual property laws. The Attorney General could also bar search engines from displaying links to the sites.

The bill would require websites to police their user generated content and it provides immunity from liability to the ad and payment networks that comply with this Act or that take voluntary action to cut ties to such sites.

Here is one really nice and awesome video that puts it all into perspective with cool animation and all. This video really explains why SOPA is no good.

PROTECT IP / SOPA Breaks The Internet from Fight for the Future on Vimeo.

Who is against SOPA ? just the pirates, right ?

Actually all major tech and internet companies, tons of legislators, smart content providers like Tim O’Reilly and almost every activist is against SOPA.

To name a few companies : EFF, Google, Facebook, twitter, Wikipedia, tumblr, Yahoo!, paypal, LinkedIn, Kaspersky, foursquare, Huffingtonpost, Github, Stackexchange, Quora, , Techcrunch, eBay, AOL… and more

There is also a nice website on Members of Congress Stand on SOPA and PIPA that details each member stand, how much money they got and all the nice corrupty stuff you’d want to read about.

My favorite quotes on the topic

Mozilla

“The fact is that this legislation as written won’t stop piracy. But it would pose a serious threat to social media and user generated content sites (like YouTube) across the internet. It could also undermine some of the core technical systems underlying the internet, creating new cybersecurity risks.

“As a non-profit committed to keeping the web open and accessible to all, Mozilla wants to ensure that this legislation does not jeopardize the foundational structure of the Internet.”

O’Reilly on Google+ account

The solution to piracy must be a market solution, not a government intervention, especially not one as ill-targeted as SOPA and PIPA.

Policies designed to protect industry players who are unwilling or unable to address unmet market needs are always bad policies. They retard the growth of new business models, and prop up inefficient companies. But in the end, they don’t even help the companies they try to protect. Because those companies are trying to preserve old business models and pricing power rather than trying to reach new customers, they ultimately cede the market not to pirates but to legitimate players who have more fully embraced the new opportunity. We’ve already seen this story play out in the success of Apple and Amazon. While the existing music companies were focused on fighting file sharing, Apple went on to provide a compelling new way to buy and enjoy music, and became the largest music retailer in the world. While book publishers have been fighting the imagined threat of piracy, Amazon, not pirates, has become the biggest threat to their business by offering authors an alternative way to reach the market without recourse to their former gatekeepers.

Nothing wiser could have been said !

Why, should I, a Lebanese care ?

Being a lebanese, doesn’t stop you from being an internet user – the SOPA will affect the internet in a bad way and it involves websites outside the US, and that’s yours.

SOPA punishes people who enable or facilitate copyright infringement and that’s proxies, TOR, anonymity tools – that would be punishing the same people and banning the same tools Lebanese, arabs and activists use worldwide against censorship.

Altering and having such a deeper control over the internet in the united states will create the possibility of black hole – where content from the “outside” may not be able to penetrate internet blockade because not only the site address , but also search engine, payment and everything around it will be blocked – other countries are likely to follow the lead in legislation – and in a gloomy scenario we no longer have an “open internet”.

You should care and be pissed of, because, like it or not, the internet doesn’t exist in the clouds, it is made of companies that exist in countries and have to answer to local laws despite the fact that internet is “global”. This fact is making people worldwide care about the SOPA legislation – and even though you may feel powerless, you still should care and take online action – because all citizens in cyberspace are created equal and so their actions resonate equally :)

What can I do ? what are actions being taken ?

Websites worldwide are protesting SOPA by blacking out their sites on January 18, Wikipedia and Reddit are leading the way as well as tons of activists and bloggers who will be blacking out their sites.

The Easiest way to join the SOPA protests

WordPress plugin

Sasha Gerrand kindly created a wordpress plugin to easily implement this. Check it out on github.

Javascript ( http://sopablackout.org/ )

The following will present a blackout banner when users visit your site, which can be circumvented by clicking anywhere:

The following will blackout an element of a specific id:

<script type="text/javascript">// <![CDATA[
sopablackout_id = 'sopa';
// ]]></script>

Should you need more help in taking action and blacking out your site,specially if you are not a techy, do not hesitate to ask

For similar interesting stuff, tune in to KnoozRoom, an audio news program based in the Middle East. It aims to provide quality news by gathering stories and perspectives that are pressing, relevant, inspiring and fair.
Knooz is powered by the lesser-known ‘gold nuggets’ of the Arab world who provide personal accounts of the events that they witness, as well as creative analyses and solutions for seemingly ever-present social, economic and political problems

Jun 13, 2010

As we move into an era of a digital (r)evolution we are facing new questions and challenges that touch our very intimate human privacy and rights.

Like never before, we are able to store and process data in huge amounts and like never before our reliance on computer and digital systems is increasing exponentially. We are not only using computers to manage our money, assets and wealth but also to help us in our health challenges or in our everyday life:no business can exist without heavy reliance on information systems, each one of us is now having an online presence through a blog ( personal or professional one ), we are tweeting what we eat, how we feel, where we are or sharing pictures of what we did, who we were with.

Naturally big questions that arises : Who is gaining control over all this data? How much privacy do we have left ? What guarantees do we have over no future mis-use of our personal details ? and the funniest question is : How is the government going to protect us and who is going to protect us from our government ? because let us face it , all governments are information hungry. Intelligence/security/economy/……/health/social analysis systems all need information in order to predict trends, avoid security breaches, build studies or just for the most basis principle governments feed on : power.

While you may say having those “worries” over privacy in itself is “suspicious” or “unjustified” , Only criminals have stuff to hide, right? , or as recently google CEO has –sadly- repeated twice : “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

As right as those arguments are – their main fail point is that they accept the idea that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

I was catching on my reading list and preparing a report with numbers and stats when I came across this in the Annual TRA Report :

BlackBerry services have recently raised security concerns in Lebanon as well as in other countries around the world (KSA, UAE and India).

Therefore, the TRA closely coordinated with the concerned Lebanese authorities, and initiated discussions on the implementation of the Lawful Interception Law and subsequent Decrees in order to define the national requirements to ensure the compliance of BlackBerry services with the Lebanese Laws.

The TRA was commissioned to lead the discussions and negotiations with Research in Motion (RIM) -provider of BlackBerry services- related to the current Lawful Interception concerns and potential solutions.

The TRA held several discussions, conference calls, and meetings with RIM technical, legal and commercial representatives. RIM has proposed a solution that is still being studied by the TRA and the concerned Lebanese authorities.

hmm so after all the mocking and pitying of users in KSA and UAE, it turned out that our Lebanese politicians are keeping their radars on the censorship – let’s hope they don’t feel like following the lead.

So I felt like sharing in case you didn’t know or didn’t have time to read the annual report of TRA.

This also leaves me in thoughts on how/when/what are we going to have when it comes to laws related to digital stuff and how the online community is going to re-act to bad kinds of laws or un-justified censorship and how are we going to “fix things” when it comes to piracy and online cyber security concerns.

oh n btw – it seems that the e-Transaction law is being brought up again and I have no idea or time to read that draft – so if you have it and can brief me, leave a comment or use the contact page :)

note: DO NOT PANIC AND START SPREADING RUMORS THAT WE ARE DOOMED AND CENSORSHIP IS BANGING ON OUR FRONT DOORS, THE GUYS ONLY MET AND DISCUSSED

Biometric access control systems are obviously systems that use biometrics like finger print, hand shape , facial recognition, retina and the such to identify humans and authorize their access to facilities.
They usually automatically log all the transactions(who went where) along with the time for live monitoring or later checks.
They offer advantage over keys and locks that can be easily lost or bumped and ID cards that can be lost,stolen, faked, switched…

However, using biometric systems means we are linking physical security and access to electronic devices.

4 or 5 years ago (boy! i am old and i should have blogged this ages ago)
i had the chance to work with different hardware manufacturers for those systems mostly from china and the UK.

After reading the manuals and after the initial fascination/confusion faded, i was curious on how secure those machines are and how easy it is to hack them.

and it seems i was not the only one – the guys in myth busters  had this myth tested as well, here is the video of their experiments :

http://www.youtube.com/watch?v=LA4Xx5Noxyo

as you probably watched, they basically beat one of those “advanced” machines by using a finger print of the person, putting it on latex , printing it and licking the paper.

It is of course fun to watch something that is supposed to be advanced technology fail using basic techniques. But in real life scenarios,
it is bit tricky to provide yourself with a latex copy of a finger print and even if you do, you can not easily walk in to a company with latex on your finger. It will look suspisous and will fail in case of face recognition for example ( I am assuming you won’t cut people heads and start walking around)

Since the title of the post says hacking biometric access control systems it means that you will be reading how to do so with a more tech approach.

step 1 : connecting to the machine:

Biometric machines can be connected to a computer via serial or network connection.

Serial cable connection have distance limitation and are harder to install, Meaning that if the entrance with the machine is situated a distance away from PC, there are risk of data loss.
Also connecting a biometric all the way in the building to a computer is a harder task then plugging it in the nearest network output.
Most modern computers don’t come with a serial port anymore,you will need to buy a usb to serial connector.

This is why most IT people prefer to connect their machines over network, which as you can see makes the job of hacking into them easier

step 2 : the SDK

Each hardware maker publishes a software development kit usually on their website. Those SDKs are easily obtainable if you contact sales dept, you don’t need much social engineering skills. Each type of machine needs its specific SDK
After getting the SDK, you can run a typical ipscan on the network and do some guesswork on which are computers, which are machines (ip ranges and computer names can be easily recognisable)
Each SDK will have a “connect to machine” functions and most of the time there is already a nice demo with the SDK you can use.
All you have to do is input different IP address and click connect.
This is the process that will likely take most time. Who said that the life of an E-Key Bumper is easy ;p

step 3 : Getting access

Now that you are connected, you can use one of some concepts that are present in every single machine i’ve seen so far ranging from finger print to hand and face recognition:

1 – Sensitivity factor : there is no possible way you can place your finger/hand/face each time in the absolute same exact position you did when you enrolled the first time – there are some millimeters differences – this is why every single machine has a sensitivity parameter. Most machines offer access to this parameter via the administration interface. This value is accessible via programming too. So once you get the SDK and you are connected to the machine, find the function – it is usually also in the demo, set the value to something unreasonbly low.

2 – User data: each user has their own measurable data, for example, in hand recognition, here is a sample of the actual data of a user: 37 124 174 123 108 135 134 113 56 0 0 . If you set the data to be something that matches yours or to some values that work on anyone like 255 255 … 255 255 . It is the same concept as those master key – a key that would work on any lock or in our case a record that would match any user

3 – Enroll yourself : you can enroll yourself on the machine – using data from the above example or by using password, not finger print (many machines are multi-purpose). All SDK have this function to create users usually used in backing up and Restoring of data.

4 – Change user data : you can change the field that define who is an admin and who is not, this is how you can elevate access for you or someone you know who happens to be on the system, once root access is on, adding and tinkering with the biometric machine is easy.

5 – Delete/reset logs to hide trannsactions : machines contain all the transaction log – those can be deleted to hide trace of whom gained control to what or simply to create confusion and sabotage the process of payroll processing for example

6 – Reset the machine : Just like routers, biometric machines have a tiny little dot or hole or button you can use to reset the machine. Once you reset it the first person ever to enroll is an administrator. ( I am not sure tho what happens to the access control configuration)

7- Mess with the time : you can use the SDK to set the time of the machine, it can come in handy if those machines are used to clock attendance in payroll

I am un-comfortable with the idea of more people trusting biometrics just because they sound complicated, have flashy marketing presentation and look like part of a movie scene.

The idea of people being able to compromise physical access after a 1 hour coding top is bit scary. The ugly thing about those machines is that they can not be security aware and i hope that this post shows how un-secure those systems are. Don’t fire your security guard yet!

I am trying to document the “original” ways i think of for avoiding censorship :) – So in case you are wondering – outsmarting censorship 1 is here

I was working with yahoo pipes the other day and a light bulb came up – yes you can use those pipes to aggregate content from one or many sources and read them ( considering they have full RSS )  – and this is a hell of a nice way to avoid censorship for blocked domain names .

1 – go to http://pipes.yahoo.com/pipes/

2 – Click : create a pipe

3 – Drag and drop “Fetch site feed” into the working area – simply enter the url

4 – Connect the dots

Here is an example – click for full view

Save your feed – once it gives pipe saved – click the “run pipe ” like

You will see the following screen – click for full view

as you can see the link to the pipe is : http://pipes.yahoo.com/pipes/pipe.info?_id=583f9de3d2b8ca104fed56f7a03c8c74

it is no longer the “censored” migh.info

You can read it using RSS – subscribe with google reader , yahoo reader – you can even get the PHP code and embed it in your site.

The main “Benefits” of this are :

- No compromising of internet speed like using TOR example.

- Reading and subscribing to all “censored” content in one click once you get bit familiar and aggregate all your “censored blogs” in one place :)

Hope you find this useful :) – I thought i’d quick share it – hope you won’t need it

Social media and demonstrations are 2 buzz words that go well together everywhere – specially in Lebanon.

With all the protesting going around – it is really engaging, exciting and supporting if people can LIVE tweet, receive feedback (encouragement, tips, warnings), spread the word – share pics and videos ….

But In Lebanon and maybe some other countries the problem faced are :

• No 3G
• Even if there is 3G, Huge number of people (thousands) in limited number of cells make 3G useless or least to say very slow
• Internet plans for cell phones in Lebanon are super lame – i can get 25MB/month quota non-renewable even if i want to repay
• Access to internet from laptops not phones is sometimes needed to upload more “advanced” content on the spot.

So the solution i want to share is super simple – super easy and super effective :

• Get one of those small laptops with a decent battery life ( laptops have an easy 5 hours battery life now)
• Connect it to a mobile internet solution like mobi
• Turn your computer into a hot spot and share your internet connection with others, walk around casually holding the laptop semi-open or put ur laptop somewhere within eye-sight
• Enjoy being the “heart of the party” – the hot spot of the demonstration

How to turn your computer into a hotspot and share your internet with others :

It may sound complicated – but it is super easy actually – Here is a tutorial from lifehacker how to do it – but there is even an easier way that I recommend .

Go to Connectify.me – download the 2.4 MB software – Install on your computer (next, next , next , finish )

There is an Easy setup wizard for you that takes less than 2 mins – things can not go wrong :)

Happy Hactivism !

(you can turn also your cell into a hotspot btw and you can also notify me about the demo so i can auto aggregate all the images to ImageFeed )

Aaron Barr the now former CEO of technology and security consulting firm HBGary claimed that Anonymous – the famous hacker collective – is a bunch of kids and script kiddies with a DDOS tool and no real technical skills, he claimed  that the group is made of 20 to 40 members at most, they get joined by more trolls at times like Operation Egypt, he also said that tracked their leadership blablabla….

Well anonymous did not really like it – so within a day, Anonymous had managed to infiltrate HBGary Federal’s website and take it down, replacing it with a pro-Anonymous message , they got into HBGary Federal’s e-mail server, for which Barr was the admin, and compromised it, extracting over 71 800 e-mails and putting them up on The Pirate Bay.

Anonymous members also bragged about how they had gone even further, deleting 1TB of HBGary backup data. They even claimed to have wiped Barr’s iPad remotely and had full access to all HBGary financials and social security numbers.

The Email leaks were made public on http://search.hbgary.anonleaks.ch/, some people took the initiative of reading those 71K and came up with the following conclusion :

For at least two years, the U.S. has been conducting a secretive and immensely sophisticated campaign of mass surveillance and data mining against the Arab world, allowing the intelligence community to monitor the habits, conversations, and activity of millions of individuals at once.

Google, Apple, AT&T, many are in the game, you can read about all this conspiracy theory here

So, after reading all the buzz in the media, I put in our lovely country name and got this in the search results :

” It will be very low risk to sniff traffic on this platform, as well as cost-effective – a single monitoring station could cover many targets at once. The only challenge is getting the equipment in country.

A good cover would be standing up a wireless testing & development company, even hiring some engineers to work on commerical projects in the area. You could probably find legitimate venture captial and even have it funded from outside.”

oh – come on !  why are we always the easiest country to do, i’d like to dream that we have a strong cyber defense army n stuff n leet haxors helping them…. *sigh

I hope this sheds the light about – how easy and cost effective it is to sniff Lebanese traffic – and I am quoting the founder of HBGary