Use of Tor and e-mail crypto could increase chances that NSA keeps your data

Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they’re collected inadvertently, according to a secret government document published Thursday.

The document, titled Minimization Procedures by the NSA in Connection with Acquisitions of Foreign Intelligence, is the. latest bombshell leak to be dropped by UK-based newspaper The Guardian. It and a second, top-secret document detail the circumstances in which data collected on US persons under foreign intelligence authority must be destroyed or can be retained. The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on US citizens and residents.

While the documents make clear that data collection and interception must cease immediately once it’s determined a target is within the US, they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project- “will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person’s communications give rise to a reasonable belief that such person is a United States person,” the secret document stated.

And in the event that an intercepted communication is later deemed to be from a US person, the requirement to promptly destroy the material may be suspended in a variety of circumstances. Among the exceptions are “communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis.”

Other conditions under which intercepted US communications may be retained include when it is “reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed.”

The document, dated July 28, 2009, bears the signature of US Attorney General Eric Holder.

Supporters of the recently exposed NSA surveillance program have frequently argued that it is narrowly tailored so that it doesn’t track the communications of ordinary US citizens and residents. Rules requiring inadvertently collected US communications to be destroyed once the error is discovered would appear to be key in supporting that view. The exceptions to that requirement may give critics new ammunition. Tor is a staple of many human rights advocates who want to prevent repressive governments from tracking their location or intercepting and reading their e-mail and instant messages. Encrypted e-mail, while by no means easy to use, remains a core practice among lawyers, corporate executives, and privacy advocates.

It’s hard to read the documents and not be struck by the irony that use of these services may subject people on US soil to a much higher likelihood that their communications will be retained by an agency that’s supposed to focus on foreign targets.

Source: Ars Technica

Millions At Risk As WordPress Plugins Ridden With Critical Vulnerabilities

A host of WordPress plugins contain serious flaws, including many e-commerce add-ons dealing with online payments, researchers have warned.

The vulnerable WordPress plugins detected by Tel-Aviv-based security firm Checkmarx were downloaded millions of times. The researchers warned the flaws could allow hackers to use the WordPress platform, the most popular CMS in the world, as a vehicle for mass infection and malware distribution.

As the plugins are open source, as the WordPress platform itself is, Checkmarx was able to scan code of the top 50 most downloaded plugins on two occasions, once in January, then in early June.

The first test uncovered 18 vulnerable plugins, which were downloaded 18.5 million times. Some of those were produced by WordPress itself, which has now issued fixes, Checkmarx said.

All 18 had been updated by the time Checkmarx did its second test, but just six of the plugins were properly fixed by that time.

In its June test, the firm also found over 20 percent of the most 50 popular add-ons could be exploited by a number of common attacks, such as SQL injection and cross-site scripting. Any sites running these vulnerable plugins are therefore vulnerable too.

SQLi sees attackers attempt to get databases to cough up false information, usually by entering queries into search boxes or in a URL to cause the related SQL database to falter. Automated tools make this kind of hit much easier to carry out.

“If the plugin is vulnerable, say to SQLi, so is the website vulnerable to that type of attack,” Maty Siman, Checkmarx CTO, told TechWeekEurope. “A hacker looking to perform a SQLi attack can simply take any one of the existing automated attack tools, point it to the vulnerable site and attempt to exploit it.”

The researchers also discovered seven out of top 10 most popular e-commerce plugins contained flaws. They were downloaded 1.7 million times.

Checkmarx did not reveal which plugins were vulnerable, but said they included social ones linking to Facebook and certain APIs.

The researchers said whilst it was clear there were some serious security problems with WordPress plugins, other platform providers suffer similar problems.

“The impact? Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details,” the company’s report read.

“Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.”

Source: Tech Week Europe

How Facebook Hashtags Impact Your Privacy

Facebook users: Get ready to see a lot more of the hashtag in your News Feed.

The social network announced that it is rolling out the popular feature to users over the next few weeks.

Hashtags, made famous by microblogging site Twitter and used on a number of other social sites such as Instagram, Pinterest and Tumblr, turn topics and phrases into clickable links on your personal timeline or your Page. They also make your post searchable.

“To date, there has not been a simple way to see the larger view of what’s happening or what people are talking about,” says Greg Lindley, product manager at Facebook. Hashtags, he says, will help bring more conversations to the forefront.

According to Facebook, hashtags will appear blue and will redirect to a search page with other posts that include the same hashtag.

As part of the rollout, Facebook says you will also be able to click hashtags that originated on other services, such as Instagram, which is owned by Facebook. It also plans to roll out additional features, including trending hashtags, in the near future, it says.

While hashtags are widely used on other sites, there are a couple of things you need to know about the new feature and how it does and doesn’t affect your Facebook privacy.

First, adding a hashtag does not affect the privacy of your post. If your privacy settings are set to Friends, for example, only your friends can view it. Similarly, if your friends search for a hashtag that you’ve used in the past, your post will appear only to them-and no one else-in search results, Facebook says.

“As always, you control the audience for your posts, including those with hashtags,” Lindley says.

Second, if you use a hashtag in a post you publish and you want it to be searchable to everyone, remember that your most-recent privacy setting is the one Facebook will default to for subsequent posts, unless you change it back.

For example, say your privacy settings are “Friends Only” You decide to change the privacy setting for one particular post to “Public.” Your subsequent posts will be public unless you change it back to “Friends Only.”

Source: Network World

DARPA’s Warrior Web Augments Carrying Capacity and Endurance

Unless you’ve been there yourself, it’s hard to imagine being a soldier in the field, trekking through rugged terrain while carrying gear weighing 100 lbs (45.35 kg) and beyond. There has a been a lot of research into exoskeleton over the years to alleviate these heavy loads, but strapping a person into a robotic outfit just isn’t practical in a combat zone yet. Instead, DARPA’s Warrior Web program aims to build a lightweight suit that improves a soldier’s endurance and overall effectiveness, while preventing injuries.

The basic goal of the Warrior Web program is to produce a soft, flexible suit that can be worn underneath clothes to redistribute the wearer’s weight without any added discomfort. Ideally, the final suit would specifically accommodate the soft tissues connected to the skeletal system as well as ankle, knee, and hip joints to reduce the chance of injury. The developers would also like the suit to augment the wearer’s muscle movements and detect any injuries, while only requiring 100W of electric power or less from a small battery.

The project seems similar to Harvard’s “smart suit,” which was also funded by DARPA, but the Warrior Web adds more electronics and focuses on carrying abilities. Though the program is mainly geared towards improving soldiers’ effectiveness in combat, DARPA is also exploring how the suit could be used to help locate and heal certain injuries.

Researchers are currently working on identifying which features would be absolutely required for the Warrior Web to function correctly, and then producing them. Their goal is to provide five essential components to the user: core injury mitigation technologies, comprehensive analytical representations, regenerative actuation, adaptive sensing and control, and a suit human-to-wearer interface.

Over the past five months, the US Army Research Laboratory Human Research and Engineering Directorate (ARL HRED) has been evaluating a number of prototypes to determine which approaches would work best to meet the program’s goals. Using a motion capture system and numerous sensors, the research team has been studying how various devices affect a soldier’s gait, balance, oxygen consumption, and muscle activity, among other traits. Later this year, the group plans to integrate the selected technologies into a wearable suit and begin testing its capabilities under realistic conditions.

The brief video below shows how a prototype Warrior Web is tested while a soldier carries a 61-lb (27.67-kg) load.

Source: Gizmag

Oculus Rift + Microsoft Kinect = full-on Virtual Reality?

The ledge I’m standing on has a strange existential duality. In the physical realm, it’s a thin strip of red, millimeters above the floor of a pristine white booth in a basement in Shoreditch, London where the 3D tinkerers and technologists (of everything from 3D film to 3D printing) at Inition keep their toys. In the digital realm, which, thanks to the Oculus Rift wrapped around my head, my senses have decided is the more real, the ledge is the only thing between me and a 300-foot plunge.

The voice from the other realm telling me to reach forward with my arms belongs to Inition founder Andy Millns. He’s concerned I’m going to bang my head (or perhaps his Oculus Rift) against the booth wall. That’s easy for him to say. My arms are otherwise engaged in an inept flailing in a simultaneous attempt to not fall off (inside the game, a fail state) or over (inside the booth, an ultra-fail state).

This isn’t Gizmag’s first play with an Oculus Rift. Back in February, Jonathan looked at a pre-launch version. Today, two things are different. Firstly, Inition’s Rift is the finished article (the current developer model, at any rate), and secondly, much more significantly, Inition has wired its Rift up to a Kinect, via a computer running the company’s in-house VR vertigo simulator, that is. To get across that ledge I can’t just push up on a thumbstick, or a W key. I physically have to walk. Or jump, as a previous tester (or perhaps victim) apparently attempted, having abandoned reality outright.

This is proper virtual reality, in other words, albeit it a compact form. The demo begins in a room which, unlike the ledge, I am not free to navigate. I can turn my head, of course, to examine a virtual chandelier, or to look out of a virtual window. As I’d come to hope, latency was all but imperceptible. As I’m impelled across the room by an external force (i.e. someone at Inition operating a keyboard), I come to face a door. The room, it turns out, was at the top of a skyscraper, built very close to another skyscraper which is inevitably though somewhat inexplicably connected by said ledge.

Now I’m free to move, and though, deep down, I’m perfectly content to observe proceedings from the doorway, it seems rude not to try to cross. The Kinect, looking down at me from above, can see the bright red ledge and map my progress across it: Inition’s demo simultaneously Augmented and Virtual Reality. Somehow, I manage to get to the other side without falling, and ready myself for the return journey (all 5 feet of it). But by now the effort of not falling off or falling over is overwhelming, and with one self-righting misstep, I plunge from the ledge and come crashing down to Earth without a thump, there to admire the virtual grass.

It’s great fun, and if I had difficulty, it may have been down to my unwillingness to let go of reality. As I lowered the Rift over my eyes, my brain clung on to the visual memory of the red ledge, conscious that even the minuscule difference in height could cause me to trip. I became convinced, rightly or wrongly, that where the Rift was telling me the ledge was didn’t match its actual location. Practice doubtless helps, but a safe playing environment will be essential for people to immerse themselves fully.

Coincidentally, that’s precisely the intention of Julian Williams, CEO of Wizdish. As part of Inition’s current AR vs VR event, part of the Digital Shoreditch festival, Williams is showing off his invention, which, accompanied by another Kinect sensor and Oculus Rift, lets people navigate a VR space by donning special shoes and sliding their feet over the slippery dish. Spotting an opportunity for more inept flailing, I gave it a whirl.

This time a Kinect was trained on my ankles. When detecting a walking motion (or something like it), the demo moved me forward in the direction I was looking. The VR itself was rudimentary, but the point here is that the Wizdish does a good job of allowing users to walk about in a virtual space without the worry of bumping into things. The combination of shoes and Wizdish does take some getting used to, but even the few minutes I spent skidding about the thing were sufficient to tell that using it would soon become second nature. The challenge future games makers face is to get the Kinect to determine which way the gamer is facing.

In one final effort to completely freak me out, Millns introduced me to Mark Lewis of Animazoo, makers of the IGS Glove. It’s an electronic glove which can track the motion of hands and fingers using inertial gyros without need of a camera (or Kinect sensor for that matter). Lewis invited me to place my hand on the “chopping block” in front of me. “You’re not afraid of electric shocks are you?” Millns quipped. He’s such a kidder. Still, I couldn’t help but think “oh dear” as I pulled another Rift over my eyes. At least this time I’d get to sit down.

“Nice statue,” I said, pointing vaguely ahead of me, forgetting that so far as Millns and Lewis were concerned, I was pointing at Julian Williams and his Wizdish at the other side of the room. It was then that I caught a glimpse of my hand, or its digital proxy. “You’ll notice a few fingers are already missing,” said Lewis. Thank you, yes, I had noticed that. What I was only just beginning to notice was the bloodied guillotine just above me.

It would be an exaggeration to say that my rational mind (what there is of it) had to overpower my instincts in order to place my hand under the guillotine, but this demo certainly has the power to disconcert. It’s not so much the drop of the blade as the anticipation of it, though Lewis gently touching my wrist to coincide with the incision of the blade was certainly effective. I had been expecting to lose another finger or two. Instead my whole hand had gone.

If the Oculus Rift demos by Inition and friends tell us anything, it’s that though the device may be well suited to standard video games, it has much greater potential for immersion when combined with a dedicated, safe environment (as with the vertigo demo) or when complemented by other technology like Kinect, the Wizdish and IGS Glove. If there were shortcomings in any of the demos, the limiting factor seemed to be the Kinect, not the Rift. And the Kinect, we’re told, has been greatly improved for Xbox One. Whether it will allow accurate tracking of body motion is perhaps doubtful, but it’s precisely this that the Rift is crying out for. Otherwise, barring a resolution bump or two, the Oculus Rift itself isn’t far away from perfection.

Source: Gizmag