Tag Archives: Syria

Moonhack 2017: a new world record!

Post Syndicated from Katherine Leadbetter original https://www.raspberrypi.org/blog/moonhack-2017-world-record/

With the incredible success of this year’s Moonhack under their belt, here’s Code Club Australia‘s Kelly Tagalan with a lowdown on the event, and why challenges such as these are so important.

On 15 August 2017, Code Clubs around the globe set a world record for the most kids coding in a day! From Madrid to Manila and from Sydney to Seoul, kids in Code Clubs, homes, and community centres around the world used code in order to ‘hack the moon’.

Moonhack 2017 Recap: WORLDWIDE CODING

We set a world record of the most kids coding at the same time not only across Australia….but across the WORLD! Watch our recap of our day hackathon of kids coding across the globe.

The Moonhack movement

The first Moonhack took place in Sydney in 2016, where we set a record of 10207 kids coding in a day.

Images of children taking part in Code Club Australia's Moonhack 2017

The response to Moonhack, not just in Australia but around the world, blew us away, and this year we decided to make the challenge as global as possible.

“I want to create anything that can benefit the life of one person, hundreds of people, or maybe even thousands.” – Moonhack Code Club kid, Australia.

The Code Club New Zealand team helped to create and execute projects with help from Code Club in the UK, and Code Club Canada, France, South Korea, Bangladesh, and Croatia created translated materials to allow even more kids to take part.

Moonhack 2017

The children had 24 hours to try coding a specially made Moonhack project using Python, Scratch or Scratch Jr. Creative Moonhackers even made their own custom projects, and we saw amazing submissions on a range of themes, from moon football to heroic dogs saving our natural satellite from alien invaders!

In the end, 28575 kids from 56 countries and from 600 Code Clubs took part in Moonhack to set a new record. Record Setter founder and Senior Adjudicator, Corey Henderson, travelled to Sydney to Moonhack Mission Control to verify the record, and we were thrilled to hear that we came close to tripling the number of kids who took part last year!

The top five Moonhack contributing countries were Australia, New Zealand, the USA, the UK, and Croatia, but we saw contributions from so many more amazing places, including Syria and Guatemala. The event was a truly international Code Club collaboration!

The founder of Code Club Bangladesh, Shajan Miah, summed up the spirit of Moonhack well: “Moonhack was a great opportunity for children in Bangladesh to take part in a global event. It connected the children with like-minded people across the world, and this motivated them to want to continue learning coding and programming. They really enjoyed the challenge!”

Of course, the most important thing about Moonhack was that the kids had fun taking part and experienced what it feels like to create with code. One astute nine-year-old told us, “What I love about coding is that you can create your own games. Coding is becoming more important in the work environment and I want to understand it and write it.”

This is why we Moonhack: to get kids excited about coding, and to bring them into the global Code Club community. We hope that every Moonhacker who isn’t yet part of a Code Club will decide to join one soon, and that their experience will help guide them towards a future involving digital making. Here’s to Moonhack 2018!

Join Code Club

With new school terms starting and new clubs forming, there’s never been a better time to volunteer for a Code Club! With the official extension of the Code Club age range from 9-11 to 9-13, there are even more opportunities to get involved.

The Code Club logo with added robots - Moonhack 2017

If you’re ready to volunteer and are looking for a club to join, head to the Code Club International website to find your local network. There you’ll also find information on starting a new club from scratch, anywhere in the world, and you can read all about making your venue, such as a library, youth club, or office, available as a space for a Code Club.

The post Moonhack 2017: a new world record! appeared first on Raspberry Pi.

EFF: Bassel Khartabil, In Memoriam

Post Syndicated from ris original https://lwn.net/Articles/729644/rss

The Electronic Frontier Foundation reports
that Bassel Khartabil, Syrian open source developer, blogger,
entrepreneur, hackerspace founder, and free culture advocate, was executed
by the Syrian authorities. “Bassel was a central figure in the
global free culture movement, connecting it and promoting it to Syria’s
emerging tech community as it existed before the country was ransacked by
civil war. He co-founded Aiki Lab, Syria’s first hackerspace, in Damascus
in 2010. He was a contributor to Mozilla’s Firefox browser and the Syrian
lead for Creative Commons. His influence went beyond Syria, however: he was
a key attendee at the Middle East’s bloggers’ conferences, and played a
vital role in the negotiations in Doha in 2010 that led to a common
language for discussing fair use and copyright across the Arab-speaking
world.” (Thanks to Paul Wise)

Surveillance and our Insecure Infrastructure

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/04/surveillance_an_2.html

Since Edward Snowden revealed to the world the extent of the NSA’s global surveillance network, there has been a vigorous debate in the technological community about what its limits should be.

Less discussed is how many of these same surveillance techniques are used by other — smaller and poorer — more totalitarian countries to spy on political opponents, dissidents, human rights defenders; the press in Toronto has documented some of the many abuses, by countries like Ethiopia, the UAE, Iran, Syria, Kazakhstan, Sudan, Ecuador, Malaysia, and China.

That these countries can use network surveillance technologies to violate human rights is a shame on the world, and there’s a lot of blame to go around.

We can point to the governments that are using surveillance against their own citizens.

We can certainly blame the cyberweapons arms manufacturers that are selling those systems, and the countries — mostly European — that allow those arms manufacturers to sell those systems.

There’s a lot more the global Internet community could do to limit the availability of sophisticated Internet and telephony surveillance equipment to totalitarian governments. But I want to focus on another contributing cause to this problem: the fundamental insecurity of our digital systems that makes this a problem in the first place.

IMSI catchers are fake mobile phone towers. They allow someone to impersonate a cell network and collect information about phones in the vicinity of the device and they’re used to create lists of people who were at a particular event or near a particular location.

Fundamentally, the technology works because the phone in your pocket automatically trusts any cell tower to which it connects. There’s no security in the connection protocols between the phones and the towers.

IP intercept systems are used to eavesdrop on what people do on the Internet. Unlike the surveillance that happens at the sites you visit, by companies like Facebook and Google, this surveillance happens at the point where your computer connects to the Internet. Here, someone can eavesdrop on everything you do.

This system also exploits existing vulnerabilities in the underlying Internet communications protocols. Most of the traffic between your computer and the Internet is unencrypted, and what is encrypted is often vulnerable to man-in-the-middle attacks because of insecurities in both the Internet protocols and the encryption protocols that protect it.

There are many other examples. What they all have in common is that they are vulnerabilities in our underlying digital communications systems that allow someone — whether it’s a country’s secret police, a rival national intelligence organization, or criminal group — to break or bypass what security there is and spy on the users of these systems.

These insecurities exist for two reasons. First, they were designed in an era where computer hardware was expensive and inaccessibility was a reasonable proxy for security. When the mobile phone network was designed, faking a cell tower was an incredibly difficult technical exercise, and it was reasonable to assume that only legitimate cell providers would go to the effort of creating such towers.

At the same time, computers were less powerful and software was much slower, so adding security into the system seemed like a waste of resources. Fast forward to today: computers are cheap and software is fast, and what was impossible only a few decades ago is now easy.

The second reason is that governments use these surveillance capabilities for their own purposes. The FBI has used IMSI-catchers for years to investigate crimes. The NSA uses IP interception systems to collect foreign intelligence. Both of these agencies, as well as their counterparts in other countries, have put pressure on the standards bodies that create these systems to not implement strong security.

Of course, technology isn’t static. With time, things become cheaper and easier. What was once a secret NSA interception program or a secret FBI investigative tool becomes usable by less-capable governments and cybercriminals.

Man-in-the-middle attacks against Internet connections are a common criminal tool to steal credentials from users and hack their accounts.

IMSI-catchers are used by criminals, too. Right now, you can go onto Alibaba.com and buy your own IMSI catcher for under $2,000.

Despite their uses by democratic governments for legitimate purposes, our security would be much better served by fixing these vulnerabilities in our infrastructures.

These systems are not only used by dissidents in totalitarian countries, they’re also used by legislators, corporate executives, critical infrastructure providers, and many others in the US and elsewhere.

That we allow people to remain insecure and vulnerable is both wrongheaded and dangerous.

Earlier this month, two American legislators — Senator Ron Wyden and Rep Ted Lieu — sent a letter to the chairman of the Federal Communications Commission, demanding that he do something about the country’s insecure telecommunications infrastructure.

They pointed out that not only are insecurities rampant in the underlying protocols and systems of the telecommunications infrastructure, but also that the FCC knows about these vulnerabilities and isn’t doing anything to force the telcos to fix them.

Wyden and Lieu make the point that fixing these vulnerabilities is a matter of US national security, but it’s also a matter of international human rights. All modern communications technologies are global, and anything the US does to improve its own security will also improve security worldwide.

Yes, it means that the FBI and the NSA will have a harder job spying, but it also means that the world will be a safer and more secure place.

This essay previously appeared on AlJazeera.com.

‘Bowl of Skittles’ Photographer Sues Trump for Copyright Infringement

Post Syndicated from Ernesto original https://torrentfreak.com/bowl-of-skittles-photographer-sues-trump-for-copyright-infringement-161019/

With the U.S. presidential elections just weeks away there’s plenty of mud-slinging going on from every imaginable angle.

It’s safe to say that a few lines have been crossed here and there, and according to a complaint that was filed at an Illinois District Court this week, Donald Trump’s a pirate.

The case in question was filed by UK-based photographer David Kittos, who shares a lot of his work publicly on Flickr. This includes a photo of a bowl of Skittles, which he took to experiment with a light tent and off-camera flash.

The photo was uploaded with an “all rights reserved” notice and didn’t really get any attention, until it became part of Trump’s presidential campaign in the form of the following “advertisement” tweeted by Donald Trump Jr.

“If I had a bowl of skittles and I told you just three would kill you. Would you take a handful? That’s our Syrian refugee problem.”

While the message itself has been widely debated already, few people knew that the image was used without permission. Making things even worse, the photographer in question turns out to be a refugee himself, as stated in the complaint.

“The unauthorized use of the Photograph is reprehensibly offensive to Plaintiff as he is a refugee of the Republic of Cyprus who was forced to flee his home at the age of six years old,” Kittos’ lawyer writes (pdf).

“Plaintiff never authorized Defendant Trump for President, Inc. or the other Defendants to use the Photograph as part of the Advertisement or for any other purpose,” the complaint adds.

In addition to Donald Trump Sr, the complaint also lists running mate Mike Pence and Trump Jr. as defendants. All are accused of both direct and secondary copyright infringement, by sharing the image online.

After about a week Trump’s tweet was removed, following a complaint from Kittos’ lawyer, but others continued to share it on social media and elsewhere.

In the lawsuit the photographer asks for an injunction, hoping to prevent further copyright infringements. In addition, he wants damages for copyright infringement, as well as compensation from any profits that were made in the process.

Scott Atran on Why People Become Terrorists

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/scott_atran_on_.html

Scott Atran has done some really interesting research on why ordinary people become terrorists.

Academics who study warfare and terrorism typically don’t conduct research just kilometers from the front lines of battle. But taking the laboratory to the fight is crucial for figuring out what impels people to make the ultimate sacrifice to, for example, impose Islamic law on others, says Atran, who is affiliated with the National Center for Scientific Research in Paris.

Atran’s war zone research over the last few years, and interviews during the last decade with members of various groups engaged in militant jihad (or holy war in the name of Islamic law), give him a gritty perspective on this issue. He rejects popular assumptions that people frequently join up, fight and die for terrorist groups due to mental problems, poverty, brainwashing or savvy recruitment efforts by jihadist organizations.

Instead, he argues, young people adrift in a globalized world find their own way to ISIS, looking to don a social identity that gives their lives significance. Groups of dissatisfied young adult friends around the world – often with little knowledge of Islam but yearning for lives of profound meaning and glory – typically choose to become volunteers in the Islamic State army in Syria and Iraq, Atran contends. Many of these individuals connect via the internet and social media to form a global community of alienated youth seeking heroic sacrifice, he proposes.

Preliminary experimental evidence suggests that not only global terrorism, but also festering state and ethnic conflicts, revolutions and even human rights movements — think of the U.S. civil rights movement in the 1960s — depend on what Atran refers to as devoted actors. These individuals, he argues, will sacrifice themselves, their families and anyone or anything else when a volatile mix of conditions are in play. First, devoted actors adopt values they regard as sacred and nonnegotiable, to be defended at all costs. Then, when they join a like-minded group of nonkin that feels like a family – a band of brothers – a collective sense of invincibility and special destiny overwhelms feelings of individuality. As members of a tightly bound group that perceives its sacred values under attack, devoted actors will kill and die for each other.

Paper.

EDITED TO ADD (8/13): Related paper, also by Atran.

How the Iranian Government Hacks Dissidents

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/how_the_iranian.html

Citizen Lab has a new report on an Iranian government hacking program that targets dissidents. From a Washington Post op-ed by Ron Deibert:

Al-Ameer is a net savvy activist, and so when she received a legitimate looking email containing a PowerPoint attachment addressed to her and purporting to detail “Assad Crimes,” she could easily have opened it. Instead, she shared it with us at the Citizen Lab.

As we detail in a new report, the attachment led our researchers to uncover an elaborate cyberespionage campaign operating out of Iran. Among the malware was a malicious spyware, including a remote access tool called “Droidjack,” that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails. Had she opened it, she could have put herself, her friends, her family and her associates back in Syria in mortal danger.

Here’s the report. And a news article.

Detecting Explosives

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/05/detecting_explo.html

Really interesting article on the difficulties involved with explosive detection at airport security checkpoints.

Abstract: The mid-air bombing of a Somali passenger jet in February was a wake-up call for security agencies and those working in the field of explosive detection. It was also a reminder that terrorist groups from Yemen to Syria to East Africa continue to explore innovative ways to get bombs onto passenger jets by trying to beat detection systems or recruit insiders. The layered state-of-the-art detection systems that are now in place at most airports in the developed world make it very hard for terrorists to sneak bombs onto planes, but the international aviation sector remains vulnerable because many airports in the developing world either have not deployed these technologies or have not provided rigorous training for operators. Technologies and security measures will need to improve to stay one step ahead of innovative terrorists. Given the pattern of recent Islamic State attacks, there is a strong argument for extending state-of-the-art explosive detection systems beyond the aviation sector to locations such as sports arenas and music venues.

I disagree with his conclusions — the last sentence above — but the technical information on explosives detection technology is really interesting.

Freaking out over the DBIR

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/05/freaking-out-over-dbir.html

Many in the community are upset over the recent “Verizon DBIR” because it claims widespread exploitation of the “FREAK” vulnerability. They know this is impossible, because of the vulnerability details. But really, the problem lies in misconceptions about how “intrusion detection” (IDS) works. As a sort of expert in intrusion detection (by which, I mean the expert), I thought I’d describe what really went wrong.
First let’s talk FREAK. It’s a man-in-the-middle attack. In other words, you can’t attack a web server remotely by sending bad data at it. Instead, you have to break into a network somewhere and install a man-in-the-middle computer. This fact alone means it cannot be the most widely exploited attack.
Second, let’s talk FREAK. It works by downgrading RSA to 512-bit keys, which can be cracked by supercomputers. This fact alone means it cannot be the most widely exploited attack — even the NSA does not have sufficient compute power to crack as many keys as the Verizon DBIR claim were cracked.
Now let’s talk about how Verizon calculates when a vulnerability is responsible for an attack. They use this methodology:
  1. look at a compromised system (identified by AV scanning, IoCs, etc.)
  2. look at which unpatched vulnerabilities the system has (vuln scans)
  3. see if the system was attacked via those vulnerabilities (IDS)
In other words, if you are vulnerable to FREAK, and the IDS tells you people attacked you with FREAK, and indeed you were compromised, then it seems only logical that they compromised you through FREAK.
This sounds like a really good methodology — but only to stupids. (Sorry for being harsh, I’ve been pointing out this methodology sucks for 15 years, and am getting frustrated people still believe in it.)
Here’s the problem with all data breach investigations. Systems get hacked, and we don’t know why. Yet, there is enormous pressure to figure out why. Therefore, we seize on any plausible explanation. We then go through the gauntlet of logical fallacies, such as “confirmation bias”, to support our conclusion. They torture the data until it produces the right results.
In the majority of breach reports I’ve seen, the identified source of the compromise is bogus. That’s why I never believed North Korea was behind the Sony attack — I’ve read too many data breach reports fingering the wrong cause. Political pressure to come up with a cause, any cause, is immense.
This specific logic, “vulnerable to X and attacked with X == breached with X” has been around with us for a long time. 15 years ago, IDS vendors integrated with vulnerability scanners to produce exactly these sorts of events. It’s nonsense that never produced actionable data.
In other words, in the Verizon report, things went this direction. FIRST, they investigated a system and found IoCs (indicators that the system had been compromised). SECOND, they did the correlation between vuln/IDS. They didn’t do it the other way around, because such a system produces too much false data. False data is false data. If you aren’t starting with this vuln/IDS correlation, then looking for IoCs, then there is no reason to believe such correlations will be robust afterwards.
One of the reasons the data isn’t robust is that IDS events do not mean what you think they mean. Most people in our industry treat them as “magic”, that if an IDS triggers on a “FREAK” attack, then that’s what happened.
But that’s not what happened. First of all, there is the issue of false-positives, whereby the system claims a “FREAK” attack happened, when nothing related to the issue happened. Looking at various IDSs, this should be rare for FREAK, but happens for other kinds of attacks.
Then there is the issue of another level of false-positives. It’s plausible, for example, that older browsers, email clients, and other systems may accidentally be downgrading to “export” ciphers simply because these are the only ciphers old and new computers have in common. Thus, you’ll see a lot of “FREAK” events, where this downgrade did indeed occur, but not for malicious reasons.
In other words, this is not a truly false-positive, because the bad thing really did occur, but it is a semi-false-positive, because this was not malicious.
Then there is the problem of misunderstood events. For FREAK, both client and server must be vulnerable — and clients reveal their vulnerability in every SSL request. Therefore, some IDSs trigger on that, telling you about vulnerable clients. The EmergingThreats rules have one called “ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)”. The key word here is “POLICY” — it’s not an attack signature but a policy signature.
But a lot of people are confused and think it’s an attack. For example, this website lists it as an attack.
If somebody has these POLICY events enabled, then it will appear that their servers are under constant attack with the FREAK vulnerability, as random people around the Internet with old browsers/clients connect to their servers, regardless if the server itself is vulnerable.
Another source of semi-false-positives are vulnerability scanners, which simply scan for the vulnerability without fully exploiting/attacking the target. Again, this is a semi-false-positive, where it is correctly identified as FREAK, but incorrectly identified as an attack rather than a scan. As other critics of the Verizon report have pointed out, people have been doing Internet-wide scans for this bug. If you have a server exposed to the Internet, then it’s been scanned for “FREAK”. If you have internal servers, but run vulnerability scanners, they have been scanned for “FREAK”. But none of these are malicious “attacks” that can be correlated according to the Verizon DBIR methodology.
Lastly, there are “real” attacks. There are no real FREAK attacks, except maybe twice in Syria when the NSA needed to compromise some SSL communications. And the NSA never does something if they can get caught. Therefore, no IDS event identifying “FREAK” has ever been a true attack.
So here’s the thing. Knowing all this, we can reduce the factors in the Verizon DBIR methodology. The factor “has the system been attacked with FREAK?” can be reduced to “does the system support SSL?”, because all SSL supporting systems have been attacked with FREAK, according to IDS. Furthermore, since people just apply all or none of the Microsoft patches, we don’t ask “is the system vulnerable to FREAK?” so much as “has it been patched recently?”.
Thus, the Verizon DBIR methodology becomes:
1. has the system been compromised?
2. has the system been patched recently?
3. does the system support SSL?
If all three answers are “yes”, then it claims the system was compromised with FREAK. As you can plainly see, this is idiotic methodology.
In the case of FREAK, we already knew the right answer, and worked backward to find the flaw. But in truth, all the other vulnerabilities have the same flaw, for related reasons. The root of the problem is that people just don’t understand IDS information. They, like Verizon, treat the IDS as some sort of magic black box or oracle, and never question the data.
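
The correlation described above, next to a triage that first asks what each IDS event can actually support. This is an added example, not code from the original post, from Verizon, or from any IDS vendor. The hosts, events, addresses, scanner list and the "VENDOR-X" signature name are constructed or hypothetical; only the ET POLICY signature name is taken from the post.

```python
from collections import Counter

# Constructed sample inventory: IoC result and vuln-scan result per host.
HOSTS = {
    "web01":  {"compromised": True,  "freak_unpatched": True},
    "web02":  {"compromised": False, "freak_unpatched": True},
    "mail01": {"compromised": True,  "freak_unpatched": True},
    "db01":   {"compromised": True,  "freak_unpatched": False},
}

# Signature name quoted in the post.
POLICY_SIG = "ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"
# Hypothetical stand-in for a vendor rule that is labelled as an attack.
VENDOR_SIG = "VENDOR-X FREAK export cipher downgrade"

# Constructed IDS events (documentation address ranges).
EVENTS = [
    {"sig": POLICY_SIG, "src": "198.51.100.7", "dst": "web01"},
    {"sig": POLICY_SIG, "src": "198.51.100.9", "dst": "web01"},
    {"sig": VENDOR_SIG, "src": "10.0.0.50",    "dst": "web01"},
    {"sig": VENDOR_SIG, "src": "203.0.113.20", "dst": "mail01"},
    {"sig": POLICY_SIG, "src": "198.51.100.7", "dst": "web02"},
    {"sig": VENDOR_SIG, "src": "192.0.2.44",   "dst": "mail01"},
]

# Assumed inputs: the site's own vulnerability scanner and one source
# known to run Internet-wide scans for the bug.
SCANNER_SOURCES = {"10.0.0.50", "203.0.113.20"}


def naive_attribution(hosts, events):
    """Compromised + unpatched + any FREAK-named event => 'breached via FREAK'."""
    attacked = {e["dst"] for e in events if "FREAK" in e["sig"]}
    return sorted(
        name for name, state in hosts.items()
        if state["compromised"] and state["freak_unpatched"] and name in attacked
    )


def classify_event(event, scanner_sources):
    """Label an event by what it can support, not by the word in its name."""
    words = event["sig"].split()
    # Emerging Threats rule names carry the rule category as the second word.
    if len(words) > 1 and words[0] == "ET" and words[1] == "POLICY":
        return "policy"      # reports a weak client hello, not an attack
    if event["src"] in scanner_sources:
        return "scan"        # a probe for the bug, not exploitation
    return "unverified"      # may be an old client downgrading; needs review


def triage(hosts, events, scanner_sources):
    """Count events per destination host by class."""
    per_host = {name: Counter() for name in hosts}
    for e in events:
        label = classify_event(e, scanner_sources)
        per_host.setdefault(e["dst"], Counter())[label] += 1
    return per_host


def candidates_for_review(hosts, events, scanner_sources):
    """Naively attributed hosts that still have an event worth a packet-level look."""
    counts = triage(hosts, events, scanner_sources)
    return sorted(
        name for name in naive_attribution(hosts, events)
        if counts[name]["unverified"] > 0
    )


if __name__ == "__main__":
    print("naive:", naive_attribution(HOSTS, EVENTS))
    for name, counts in triage(HOSTS, EVENTS, SCANNER_SOURCES).items():
        print(name, dict(counts))
    print("still to review:", candidates_for_review(HOSTS, EVENTS, SCANNER_SOURCES))
```

Even the host left in the review list is only a candidate: an "unverified" event still has to be checked against the traffic before it says anything about how the host was compromised.
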
Conclusion

An IDS is a wonderfully useful tool if you pay attention to how it works and why it triggers on the things it does. It’s not, however, an “intrusion detection” tool, whereby every event it produces should be acted upon as if it were an intrusion. It’s not a magical system — you really need to pay attention to the details.
Verizon didn’t pay attention to the details. They simply dumped the output of an IDS inappropriately into some sort of analysis. Since the input data was garbage, no amount of manipulation and analysis would ever produce a valid result.


False-positives: Notice I list a range of “false-positives”, from things that might trigger that have nothing to do with FREAK, to a range of things that are FREAK, but aren’t attacks, and which cannot be treated as “intrusions”. Such subtleties are why we can’t have nice things in infosec. Everyone studies “false-positives” when studying for their CISSP exam, but truly don’t understand them.

That’s why when vendors claim “no false positives” they are blowing smoke. The issue is much more subtle than that.

Pocket FM: independent radio in Syria

Post Syndicated from Liz Upton original https://www.raspberrypi.org/blog/pocket-fm-independent-radio-syria/

When we started thinking about the Raspberry Pi project back in 2009, our ambitions were small, and very focussed on local education.

We realised we were doing something bigger than that pretty rapidly, but all the same, some of the projects we come across leave us shocked at their scale, their gravity and their importance. This is one of them.

Do you have a radio? 87.7 FM

In Syria, a German group called Media in Cooperation and Transition (MiCT) has been equipping towns with transmitters called PocketFM, built around Raspberry Pis, to provide Syrians with independent radio. Each transmitter has 4 to 6km (2.5 to 3.75 miles) of range, which is sufficient to reach a whole town.

In many parts of Syria, it’s impossible and politically unwise to build large transmitters, so a small device like PocketFM that can be easily concealed and transported, and that can be run off solar power or a car battery, is ideal.

A group of around a dozen independent Syrian radio stations has come together to form a group called Syrnet, who work together on programmes and topics and produce a joint station to be broadcast via the PocketFM transmitters; MiCT deal with the mix, distribution and transmission. “The variety of voices in a broadcast effectively illustrates Syria’s state of mind,” says one of the broadcasters. Using PocketFM, Syrnet is reaching 1.5 million citizens in north and north-western Syria, including Homs and Aleppo; they are currently making efforts to widen the network to more regions.

The project is about enabling freedom of expression; it also strengthens feelings of solidarity. “We are not for anyone, or against anyone. No one can escape our criticism, even ourselves.”

Between them, the participating stations have access to hundreds of reporters. As well as news, music and entertainment, they’re broadcasting vital information on security, health and nutrition. “One of our strongest programmes is called Alternatives. It describes how to keep warm without any fuel, or how to pick up the internet signal of neighbouring countries when the Syrian internet is down. The difficulties of life – and how to overcome them.”

Syria Radio Network

Syria Radio Network (Syrnet) is an initiative to support independent radio production in Syria with professional training and outreach. Syrnet is a mixed live programme, sourced from Syrian radio stations. Our program is available 24 hours and seven days a week.

In a warzone, radio can be one of the easiest ways to get information. If the power grid is down, you just need batteries.

“We lost one device in Kobane”, says Philipp Hochleichter from MiCT, who is the project’s technical lead. “But due to the bombing – not due to a malfunction.”

“At the moment our journalists are safe with the opposition, but it’s still a war zone with gunfire and shelling,” said Marwa, a journalist with Hara FM, one of the Syrnet stations, based in Turkey.

“I worry about our staff in Aleppo, but no journalist can be 100% safe anywhere in the world.

“For any journalist, telling the truth puts them in danger.”

These bold people are doing something extraordinary. We send them all our very best wishes, and our hopes for a swift end to the conflict.

The post Pocket FM: independent radio in Syria appeared first on Raspberry Pi.