GCHQ Releases Open-source Spy Tool on GitHub

Open source surveillance has changed the ball game somewhat now that British intelligence and security service GCHQ has created an account on GitHub, the well-known code repository site and one of the fairly recent targets of China’s Great Cannon attack tool.

What exactly has been created? It’s an open-source tool by the name of “Gaffer”, which according to Google is a British slang term for boss; anyway, the tool is written in Java and, according to the tool’s official GitHub page, is a framework that simplifies the storage of “large-scale graphs in which the nodes and edges have statistics such as counts, histograms and sketches,” not exactly Spectre, but hey ho. The tool has been primarily developed as a graph database with the aim of offering the capability to retrieve data on nodes of interest.

Below is a summary of the tool and its key features:

  • Allow the creation of graphs with summarised properties within Accumulo with a very minimal amount of coding.
  • Allow flexibility of statistics that describe the entities and edges.
  • Allow easy addition of new types of nodes and edges.
  • Allow quick retrieval of data on nodes of interest.
  • Deal with data of different security levels – all data has a visibility, and this is used to restrict who can see data based on their authorizations.
  • Support automatic age-off of data.

Gaffer is being distributed under the Apache 2.0 licence, which allows you and me to modify and distribute the code in any way, as long as the original copyright notice and disclaimer are preserved.

For those who are excited about updates to this tool, anyone? The official GitHub page for this tool also announces that Gaffer 2 is in development and aims to “create a more general framework that offers the best of Gaffer with improvements”.

It will be rather worthwhile to follow this tool through various developments and applications to see how it’s being utilized in the wider world; it would not surprise me if it’s in the news very soon.


Proposed “Online Safety Bill” Being Debated In the House Of Lords

Guess who’s back? Indeed, after a short hiatus I am back and raring to be creative concerning my written articles for eTeknix, although in reality it has only been around 6 weeks since my last piece. So, what to write? I know, let’s delve into the proposed “Online Safety Bill” which is currently being debated in the UK courtesy of the House of Lords.

According to reports on the government’s own Parliament website, the bill is being debated at the “1st sitting committee stage” and proposes a law to compel “internet service providers and mobile phone operators to provide an internet service that excludes adult content”. This includes provisions to offer strict and compulsory age verification checks to NSFW sites and also a role for Ofcom. There are also proposals to educate parents through digital on demand programme services and a licensing scheme for such websites.

It will be interesting to see how the debate develops and also the challenges of implementing such a law; after all, ISPs will first have to define what constitutes an “adult” website before blocking it to individuals who are under the age of 18. A further interesting angle is the proposal to “require electronic device manufacturers to provide a means of filtering internet content”.

Logically these proposals are unworkable and may in all probability be circumvented by various tech means; there is also the question of legitimate and educational sites that might fall under the banner of such a law. Another aspect which could cause concern is the proposed age verification checks; the only way this could be implemented is for a mechanism to be introduced to verify consumers through official identification without it being intercepted by hackers and a myriad of external cyber threats.


D-Link Inadvertently Publishes Its Private Code-Signing Keys

Hackers are viewed within the media and by films as master geniuses who are able to hack into protected systems with the intention of stealing a vast array of information. There is some truth in this assertion considering even multinational companies have been caught napping by cyber thieves, but what happens if, I don’t know, a tech firm accidentally publishes its private signing keys? Well, D-Link has managed to do this in what is known scientifically as stupididiotness.

Taiwan-based networking equipment manufacturer D-Link has published its private code-signing keys inside the company’s open source firmware packages. This was spotted by a user with the username “bartvbl” who had bought a D-Link DCS-5020L security camera and downloaded the firmware from D-Link, which open sources its firmware under the GPL license.

All seemed well for “bartvbl” until they inspected the source code, only to find four private keys which are used for code signing. To test this, the user created a Windows application and was able to sign it with one of the four keys, which appeared to be valid. Not only this, the user also discovered the passphrases which are needed to sign the software.

It is as yet unclear if any of these keys were used in attacks by malicious third parties. Meanwhile, D-Link has seen the light and has responded to this embarrassment by revoking the certificate in question and subsequently releasing a new version which does not contain any code signing keys, which is good.
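
An added example, not from D-Link or the original article: a pre-release check that walks a source package and flags private key material of the kind found in the firmware, so a release can be blocked before it is published. The directory layout and file names in the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# PEM armour lines that mark private keys (RSA, EC, PKCS#8, encrypted, OpenSSH).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Container formats that commonly hold a private key (PKCS#12, Microsoft PVK).
KEYSTORE_EXTS = {".pfx", ".p12", ".pvk"}

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for files that look like private keys."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in KEYSTORE_EXTS:
                findings.append((rel, "keystore file extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # only the first 1 MiB of each file is inspected
            except OSError:
                continue  # unreadable file: skipped, not treated as clean evidence
            if PEM_PRIVATE.search(data):
                findings.append((rel, "PEM private key header"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample release tree: one source file, one public cert, two leaks."""
    files = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "certs/vendor.crt": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
        "tools/sign/key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        "tools/sign/codesign.pfx": b"\x30\x82constructed-placeholder",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"BLOCK RELEASE: {rel} ({reason})")
```

The public certificate in the sample tree is not flagged; only the PEM private key and the PKCS#12 file are, which is the distinction a release gate needs to make.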

Thank you tweakers via Google Translate for providing us with this information.


Malwarebytes Offers Free Reprieve to Pirates

Oh, the conundrum of pirated software: on one hand, it’s better to support the product, on the other hand it’s free, but loyalty is what counts, yeah but it’s free. Software companies have tried many avenues to stop pirates, from banning individuals from using particular online games to, as in Microsoft’s case, offering free copies of Windows 10 to cracked software owners only to change their minds around 50 times.

Popular and successful antivirus company Malwarebytes has taken a different view and is offering an amnesty to pirated keys in exchange for legitimate licences. How does it work? Well, according to the Malwarebytes website, if you try, well not you, but if someone attempts to activate a pirated licence key, a message will appear informing them of two options. One is to contact Malwarebytes for a new 12-month key before it’s disabled, with the second option being for paid customers of legitimate licences.

Malwarebytes aims to roll out a new licensing system which is stronger and also hopes to determine which keys are for which owners. The offer is for a limited time only, but as of writing there is no defined end date for this offer. It’s a brave move to offer a free key to pirates, but in turn the company is not threatening users with legal action etc., which might build a stronger reputation with users in the long run.

Or this could be just the case of spreading a huge net to see who bytes, bites, I am speaking in tech; either way it will be interesting to follow the progress of this offer.

Thank you Malwarebytes and Forum for providing us with this information.
