'The Washington elites fear liberty. They fear you'
Plus: 'I do not want my name to be on Apple's blacklist'
QuotW This was the week when the NSA PRISM scandal rumbled on, with politicians attempting to curb the spook agency's remit in the US House of Representatives. The Defense Appropriations Bill had an amendment tacked on to the end of it asking Congress to stop the phone and internet data sniffers from accessing the data of those not actually under investigation.
President Obama wasn't too pleased with that and issued a statement urging the government to vote against the amendment:
This blunt approach is not the product of an informed, open, or deliberative process. We urge the House to reject the Amash Amendment, and instead move forward with an approach that appropriately takes into account the need for a reasoned review of what tools can best secure the nation.
But Justin Amash (MI-R), who proposed the amendment, retorted:
#NSA's unconstitutional spying on ALL Americans was "not the product of an informed, open, or deliberative process." It must be stopped now.
When's the last time a president put out an emergency statement against an amendment? The Washington elites fear liberty. They fear you.
However, his pleas fell on deaf ears as the House voted against the measure, though only just.
The NSA was also in trouble on another front this week when it admitted that it had accidentally leaked information through Microsoft's SharePoint software. The data oozed out from a sysadmin given SharePoint privileges and NSA chief General Keith Alexander said it was a "huge break in trust and confidence":
This leaker was a sysadmin who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed.
In other leaky ship news, the Ubuntu Linux distribution's online community, Ubuntuforums.org, was shut down after a security breach in which hackers made off with every user's local username, password and email address. Luckily, the passwords were salted and hashed rather than stored in plain text, but that didn't stop penguins from pouring bile down atop the head of the alleged culprit, whom they fingered as Twitter user @Sputn1k_. (The Twitter handle has since been deleted.)
One tweeter said:
@Sputn1k_ You must feel proud defacing a site by volunteers. They dedicate time and effort to make a free distro. Worst kind of "hacker".
While another said:
@Sputn1k_ This jerk took down the Ubuntu Forums, one of the most important resources on the web. Let's hope he gets what's coming to him.
Meanwhile, London-based security researcher Ibrahim Balic claimed responsibility for shutting down Apple's Developer Centre website.
He said he found 13 vulnerabilities in the system and used them to pull up the details of 73 fruity workers, and also accessed over 100,000 developers' private data. But he insists he did this to demonstrate the flaws in the machine and said he had sent in a bug report:
I'm not feeling very happy with what I read and I'm a bit irritated, as I did not do this research [to cause] harm or damage.
I didn't attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100,000 users' details and Apple is informed about this. I didn't attempt to get the data first and report then, instead I have reported first.
I do not want my name to be on a blacklist. I'm keeping all the evidence, emails and images. Also I have the records of the bugs that I made through Apple's bug-report [system].
Good luck avoiding that Apple blacklist there, Balic. El Reg has been on it for years and there are no signs we'll be leaving it any time soon...
Another security researcher, this time German Karsten Nohl, founder of Berlin's Security Research Labs, has said that a quarter of mobiles whose SIM cards still use single DES encryption rather than the newer triple-DES are vulnerable to an attack via SMS that results in a complete takeover of the phone. He said:
We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.
He's holding back the details of the hack until this weekend's Black Hat Convention, but Reg Central's Bill Ray has some ideas here.
And finally, the long-heralded arrival of the Royal Baby was widely celebrated this week. Of course, spammers were also likely to celebrate the rosy-cheeked future king George Alexander Louis with a deluge of spam, security bod Graham Cluley said before the actual birth:
Malware authors worldwide have been waiting ages for this... I don't want to scaremonger, but it's easy to imagine.
"Exclusive first pictures", "Secret video from inside delivery room" and "Sex revealed" were all prospective spam titles, he said, pointing out that the goings-on of Wills and Kate had been exploited by spammers for years. ®